RubyGems - proxy_authentication - Versions diffs - 0.0.4 - Mend

proxy_authentication 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6b2be32c03d684e55f8f79667693aa29b49bc889
+  data.tar.gz: deac0c0703ba178036555364cab6d2c7a22cee1b
+SHA512:
+  metadata.gz: e96d2557e4fee2f2817f2ab85944591456fff06b91835e5eb892463694805a11667834b4c79350e0ff0dfee04562f1f4f34d40f17ab76dd7a24ae8baea33fa85
+  data.tar.gz: 91867ff95fbd785c90da9d5415b615c4f2c3ee0113f2eb1d32585ce5195190e23428e516f56da42e2b0f887749d971cb25f50d729a94d21591045c099fa5a9a0

data/MIT-LICENSE ADDED

@@ -0,0 +1,20 @@
+Copyright 2015 Jesús Dugarte
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile ADDED

@@ -0,0 +1,34 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+require 'rdoc/task'
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ProxyAuthentication'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+Bundler::GemHelper.install_tasks
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+task default: :test

data/lib/proxy_authentication.rb ADDED

@@ -0,0 +1,68 @@
+require 'warden'
+require 'proxy_authentication/helpers'
+require 'proxy_authentication/authentication_cipher'
+module ProxyAuthentication
+  mattr_accessor :user_class
+  @@user_class = 'User'
+  mattr_accessor :redirect_to_if_authentication_failed
+  @@redirect_to_if_authentication_failed = nil
+  mattr_accessor :secret_key
+  @@secret_key = nil
+  mattr_accessor :validate_with_block
+  @@validate_with_block = nil
+  class << self
+    def setup
+      setup_warden
+      include_helpers
+      yield self if block_given?
+    end
+    def validate_with &block
+      @@validate_with_block = block
+    end
+    private
+    def setup_warden
+      insert_warden_middleware
+      define_warden_strategy
+    end
+    def insert_warden_middleware
+      Rails.configuration.middleware.insert_before ActionDispatch::ParamsParser, Warden::Manager do |manager|
+        manager.default_strategies :proxy_authentication_via_token
+        manager.serialize_into_session { |user| ProxyAuthentication::AuthenticationCipher.encode user }
+        manager.serialize_from_session { |hash| ProxyAuthentication::AuthenticationCipher.decode hash }
+      end
+    end
+    def define_warden_strategy
+      Warden::Strategies.add(:proxy_authentication_via_token) do
+        def valid?
+          params['u'].present? && env['action_controller.instance'].present?
+        end
+        def authenticate!
+          rails_request = env['action_controller.instance'].request
+          user = ProxyAuthentication::AuthenticationCipher.decode params['u'].to_s, rails_request
+          user.present? ? success!(user) : fail
+        end
+      end
+    end
+    def include_helpers
+      ActionController::Base.send :include, ::ProxyAuthentication::Helpers
+    end
+  end
+end

data/lib/proxy_authentication/authentication_cipher.rb ADDED

@@ -0,0 +1,59 @@
+require 'proxy_authentication/cipher'
+module ProxyAuthentication
+  module AuthenticationCipher
+    extend self
+    def encode user, request = nil
+      data = request_info(request) << user.to_authentication_hash.to_json
+      Cipher.encode_data_as_url_token data
+    end
+    def decode token, request = nil
+      data = Cipher.decode_data_from_url_token token
+      return nil if data.nil? || !valid_request?(data, request)
+      extract_user data.last
+    end
+    private
+    def request_info request
+      [
+        ip(request.try(:remote_ip)),
+        Time.now.to_i,
+      ]
+    end
+    # TODO: add validation for the time of the request
+    # e.g. only consider a request valid if it was generated in the last 15 minutes
+    def valid_request? data, request
+      return true if request.nil?
+      return validate_with_block(data, request) if ProxyAuthentication.validate_with_block.present?
+      ip(request.remote_ip) == ip(data.first)
+    end
+    def ip value
+      return 'localhost' if %w[ localhost 127.0.0.1 ::1 ].include?(value)
+      value
+    end
+    def extract_user data
+      hash = JSON.parse data
+      klass = ProxyAuthentication.user_class.to_s.classify.constantize
+      klass.from_authentication_hash hash
+    end
+    def validate_with_block data, request
+      arguments = {
+        ip:   data.first,
+        time: Time.at(data.second.to_i),
+        user: extract_user(data.last),
+      }
+      ProxyAuthentication.validate_with_block.call ip(request.remote_ip), arguments
+    end
+  end
+end

data/lib/proxy_authentication/cipher.rb ADDED

@@ -0,0 +1,64 @@
+module ProxyAuthentication
+  module Cipher
+    extend self
+    def encode_data_as_url_token data, separator = "\n"
+      data   = data.join separator
+      string = [ data, signature_for(data) ].join separator
+      Base64.urlsafe_encode64 string
+    end
+    def decode_data_from_url_token token_base64, separator = "\n"
+      raw_data = decode64 token_base64
+      return nil if raw_data.nil?
+      data = raw_data.split separator
+      actual_signature   = data.pop
+      expected_signature = signature_for data.join(separator)
+      return nil if actual_signature != expected_signature
+      data
+    end
+    private
+    def signature_for string
+      OpenSSL::HMAC.hexdigest OpenSSL::Digest::SHA1.new, secret_key, string
+    end
+    def decode64 token_base64
+      Base64.urlsafe_decode64 token_base64
+    rescue ArgumentError => exception
+      return nil if exception.message =~ /invalid base64/
+      raise exception
+    end
+    def secret_key
+      ProxyAuthentication.secret_key || Rails.application.secrets.secret_key_base
+    end
+  end
+end
+# Backport Base64.urlsafe_[en|de]code64 methods to ruby 1.8
+# https://gist.github.com/phallstrom/1397972
+if RUBY_VERSION < '1.9'
+  begin
+    require 'base64'
+  rescue LoadError
+  end
+  if defined? ::Base64
+    module ::Base64
+      def self.urlsafe_encode64(bin)
+        [bin].pack("m0").tr("+/", "-_")
+      end
+      def self.urlsafe_decode64(str)
+        str.tr("-_", "+/").unpack("m0").first
+      end
+    end
+  end
+end

data/lib/proxy_authentication/helpers.rb ADDED

@@ -0,0 +1,31 @@
+module ProxyAuthentication
+  module Helpers
+    def self.included mod
+      mod.helper_method :current_user, :user_signed_in?
+    end
+    def current_user
+      @current_user ||= warden.user
+    end
+    def user_signed_in?
+      !!current_user
+    end
+    private
+    def authenticate_user_from_token!
+      warden.logout if warden.authenticated? && params['u'].present?
+      warden.authenticate
+      redirect_to ProxyAuthentication.redirect_to_if_authentication_failed if warden.unauthenticated?
+    end
+    def warden
+      request.env['warden']
+    end
+  end
+end

data/lib/proxy_authentication/test_helpers.rb ADDED

@@ -0,0 +1,44 @@
+# Based on Kentaro Imai's code:
+# http://kentaroimai.com/articles/1-controller-test-helpers-for-warden
+module ProxyAuthentication
+  module TestHelpers
+    def self.included base
+      base.class_eval do
+        setup :setup_controller_for_warden, :warden if respond_to? :setup
+      end
+    end
+    def sign_in user
+      warden.instance_variable_get(:@users).delete :default
+      warden.session_serializer.store user, :default
+    end
+    def sign_out
+      @controller.instance_variable_set :@current_user, nil
+      user = warden.instance_variable_get(:@users).delete :default
+      warden.session_serializer.delete :default, user
+    end
+    private
+    # We need to setup the environment variables and the response in the controller
+    def setup_controller_for_warden
+      @request.env['action_controller.instance'] = @controller
+    end
+    # Quick access to Warden::Proxy (memoized at setup)
+    def warden
+      @warden ||= new_warden_proxy
+    end
+    def new_warden_proxy
+      manager = Warden::Manager.new nil, &Rails.application.config.middleware.detect { |m| m.name == 'Warden::Manager'}.block
+      @request.env['warden'] = Warden::Proxy.new @request.env, manager
+    end
+  end
+end

data/lib/proxy_authentication/version.rb ADDED

@@ -0,0 +1,3 @@
+module ProxyAuthentication
+  VERSION = "0.0.4"
+end

data/lib/tasks/proxy_authentication_tasks.rake ADDED

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :proxy_authentication do
+#   # Task goes here
+# end

data/test/authentication_cipher_test.rb ADDED

@@ -0,0 +1,83 @@
+require 'test_helper'
+class AuthenticationCipherTest < ActiveSupport::TestCase
+  test "user remains the same" do
+    token = ProxyAuthentication::AuthenticationCipher.encode user
+    assert_equal user, ProxyAuthentication::AuthenticationCipher.decode(token)
+  end
+  test "if no validation block is provided, returns something if the ip addresses are the same" do
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, request
+    assert_not_nil decoded
+  end
+  test "if no validation block is provided, returns nil if the ip addresses are different" do
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, ActionDispatch::Request.new('REMOTE_ADDR' => '1.2.3.4')
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, ActionDispatch::Request.new('REMOTE_ADDR' => '0.0.0.0')
+    assert_nil decoded
+  end
+  test "call the validation block, if provided" do
+    validation_block = -> {}
+    validation_block.expects :call
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+  end
+  test "call the validation block with the request information" do
+    validation_block = lambda {}
+    time = Time.now
+    ip   = '1.2.3.4'
+    arguments = {
+      ip:   ip,
+      time: Time.at(time.to_i),
+      user: user,
+    }
+    Time.stubs(:now).returns(time)
+    validation_block.expects(:call).with(ip, arguments)
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => ip
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+  end
+  test "returns nil if the validation block return false" do
+    validation_block = lambda { |*| false }
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+    assert_nil decoded
+  end
+  test "returns something if the validation block return true" do
+    validation_block = lambda { |*| true }
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+    assert_not_nil decoded
+  end
+  private
+  def user
+    @user = User.new 1, 'User', 'user@example.com'
+  end
+end

data/test/authentication_controller_test.rb ADDED

@@ -0,0 +1,72 @@
+require 'test_helper'
+class AuthenticationControllerTest < ActionController::TestCase
+  tests HomeController
+  test "accesing root without authenticating a user redirects to sign in" do
+    get :show
+    assert_redirection_to_sign_in
+  end
+  test "accesing root with a valid authentication hash signs in the user" do
+    token = ProxyAuthentication::AuthenticationCipher.encode user, request
+    get :show, u: token
+    assert_successful_sign_in
+  end
+  test "accesing root with a authentication hash from a different ip address redirects to sign in" do
+    token = ProxyAuthentication::AuthenticationCipher.encode user, ActionDispatch::Request.new('REMOTE_ADDR' => '1.2.3.4')
+    get :show, u: token
+    assert_redirection_to_sign_in
+  end
+  test "accesing root with an invalid authentication hash redirects to sign in" do
+    get :show, u: 'not a valid hash'
+    assert_redirection_to_sign_in
+  end
+  test "accesing root after a valid session was created doesn't require sign in" do
+    sign_in user
+    get :show
+    assert_successful_sign_in
+  end
+  test "accesing root with a valid authentication hash after a valid session was created should change the current user" do
+    sign_in user
+    other_user = User.new 2, 'Other User', 'other_user@example.com'
+    token = ProxyAuthentication::AuthenticationCipher.encode other_user, request
+    get :show, u: token
+    assert_equal other_user.id, @controller.current_user.id
+  end
+  private
+  def user
+    @user = User.new 1, 'User', 'user@example.com'
+  end
+  def assert_redirection_to_sign_in
+    assert_response :redirect
+    assert_redirected_to ProxyAuthentication.redirect_to_if_authentication_failed
+    refute @controller.user_signed_in?
+    assert_nil @controller.current_user
+  end
+  def assert_successful_sign_in
+    assert_response :success
+    assert @controller.user_signed_in?
+    assert_not_nil @controller.current_user
+  end
+end