RubyGems - proxy_authentication - Versions diffs - 0.0.4 - Mend

proxy_authentication 0.0.4

Files changed (95) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6b2be32c03d684e55f8f79667693aa29b49bc889
+  data.tar.gz: deac0c0703ba178036555364cab6d2c7a22cee1b
+SHA512:
+  metadata.gz: e96d2557e4fee2f2817f2ab85944591456fff06b91835e5eb892463694805a11667834b4c79350e0ff0dfee04562f1f4f34d40f17ab76dd7a24ae8baea33fa85
+  data.tar.gz: 91867ff95fbd785c90da9d5415b615c4f2c3ee0113f2eb1d32585ce5195190e23428e516f56da42e2b0f887749d971cb25f50d729a94d21591045c099fa5a9a0

data/MIT-LICENSE ADDED

@@ -0,0 +1,20 @@
+Copyright 2015 Jesús Dugarte
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile ADDED

@@ -0,0 +1,34 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+require 'rdoc/task'
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ProxyAuthentication'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+Bundler::GemHelper.install_tasks
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+task default: :test

data/lib/proxy_authentication.rb ADDED

@@ -0,0 +1,68 @@
+require 'warden'
+require 'proxy_authentication/helpers'
+require 'proxy_authentication/authentication_cipher'
+module ProxyAuthentication
+  mattr_accessor :user_class
+  @@user_class = 'User'
+  mattr_accessor :redirect_to_if_authentication_failed
+  @@redirect_to_if_authentication_failed = nil
+  mattr_accessor :secret_key
+  @@secret_key = nil
+  mattr_accessor :validate_with_block
+  @@validate_with_block = nil
+  class << self
+    def setup
+      setup_warden
+      include_helpers
+      yield self if block_given?
+    end
+    def validate_with &block
+      @@validate_with_block = block
+    end
+    private
+    def setup_warden
+      insert_warden_middleware
+      define_warden_strategy
+    end
+    def insert_warden_middleware
+      Rails.configuration.middleware.insert_before ActionDispatch::ParamsParser, Warden::Manager do |manager|
+        manager.default_strategies :proxy_authentication_via_token
+        manager.serialize_into_session { |user| ProxyAuthentication::AuthenticationCipher.encode user }
+        manager.serialize_from_session { |hash| ProxyAuthentication::AuthenticationCipher.decode hash }
+      end
+    end
+    def define_warden_strategy
+      Warden::Strategies.add(:proxy_authentication_via_token) do
+        def valid?
+          params['u'].present? && env['action_controller.instance'].present?
+        end
+        def authenticate!
+          rails_request = env['action_controller.instance'].request
+          user = ProxyAuthentication::AuthenticationCipher.decode params['u'].to_s, rails_request
+          user.present? ? success!(user) : fail
+        end
+      end
+    end
+    def include_helpers
+      ActionController::Base.send :include, ::ProxyAuthentication::Helpers
+    end
+  end
+end

data/lib/proxy_authentication/authentication_cipher.rb ADDED

@@ -0,0 +1,59 @@
+require 'proxy_authentication/cipher'
+module ProxyAuthentication
+  module AuthenticationCipher
+    extend self
+    def encode user, request = nil
+      data = request_info(request) << user.to_authentication_hash.to_json
+      Cipher.encode_data_as_url_token data
+    end
+    def decode token, request = nil
+      data = Cipher.decode_data_from_url_token token
+      return nil if data.nil? || !valid_request?(data, request)
+      extract_user data.last
+    end
+    private
+    def request_info request
+      [
+        ip(request.try(:remote_ip)),
+        Time.now.to_i,
+      ]
+    end
+    # TODO: add validation for the time of the request
+    # e.g. only consider a request valid if it was generated in the last 15 minutes
+    def valid_request? data, request
+      return true if request.nil?
+      return validate_with_block(data, request) if ProxyAuthentication.validate_with_block.present?
+      ip(request.remote_ip) == ip(data.first)
+    end
+    def ip value
+      return 'localhost' if %w[ localhost 127.0.0.1 ::1 ].include?(value)
+      value
+    end
+    def extract_user data
+      hash = JSON.parse data
+      klass = ProxyAuthentication.user_class.to_s.classify.constantize
+      klass.from_authentication_hash hash
+    end
+    def validate_with_block data, request
+      arguments = {
+        ip:   data.first,
+        time: Time.at(data.second.to_i),
+        user: extract_user(data.last),
+      }
+      ProxyAuthentication.validate_with_block.call ip(request.remote_ip), arguments
+    end
+  end
+end

data/lib/proxy_authentication/cipher.rb ADDED

@@ -0,0 +1,64 @@
+module ProxyAuthentication
+  module Cipher
+    extend self
+    def encode_data_as_url_token data, separator = "\n"
+      data   = data.join separator
+      string = [ data, signature_for(data) ].join separator
+      Base64.urlsafe_encode64 string
+    end
+    def decode_data_from_url_token token_base64, separator = "\n"
+      raw_data = decode64 token_base64
+      return nil if raw_data.nil?
+      data = raw_data.split separator
+      actual_signature   = data.pop
+      expected_signature = signature_for data.join(separator)
+      return nil if actual_signature != expected_signature
+      data
+    end
+    private
+    def signature_for string
+      OpenSSL::HMAC.hexdigest OpenSSL::Digest::SHA1.new, secret_key, string
+    end
+    def decode64 token_base64
+      Base64.urlsafe_decode64 token_base64
+    rescue ArgumentError => exception
+      return nil if exception.message =~ /invalid base64/
+      raise exception
+    end
+    def secret_key
+      ProxyAuthentication.secret_key || Rails.application.secrets.secret_key_base
+    end
+  end
+end
+# Backport Base64.urlsafe_[en|de]code64 methods to ruby 1.8
+# https://gist.github.com/phallstrom/1397972
+if RUBY_VERSION < '1.9'
+  begin
+    require 'base64'
+  rescue LoadError
+  end
+  if defined? ::Base64
+    module ::Base64
+      def self.urlsafe_encode64(bin)
+        [bin].pack("m0").tr("+/", "-_")
+      end
+      def self.urlsafe_decode64(str)
+        str.tr("-_", "+/").unpack("m0").first
+      end
+    end
+  end
+end

data/lib/proxy_authentication/helpers.rb ADDED

@@ -0,0 +1,31 @@
+module ProxyAuthentication
+  module Helpers
+    def self.included mod
+      mod.helper_method :current_user, :user_signed_in?
+    end
+    def current_user
+      @current_user ||= warden.user
+    end
+    def user_signed_in?
+      !!current_user
+    end
+    private
+    def authenticate_user_from_token!
+      warden.logout if warden.authenticated? && params['u'].present?
+      warden.authenticate
+      redirect_to ProxyAuthentication.redirect_to_if_authentication_failed if warden.unauthenticated?
+    end
+    def warden
+      request.env['warden']
+    end
+  end
+end

data/lib/proxy_authentication/test_helpers.rb ADDED

@@ -0,0 +1,44 @@
+# Based on Kentaro Imai's code:
+# http://kentaroimai.com/articles/1-controller-test-helpers-for-warden
+module ProxyAuthentication
+  module TestHelpers
+    def self.included base
+      base.class_eval do
+        setup :setup_controller_for_warden, :warden if respond_to? :setup
+      end
+    end
+    def sign_in user
+      warden.instance_variable_get(:@users).delete :default
+      warden.session_serializer.store user, :default
+    end
+    def sign_out
+      @controller.instance_variable_set :@current_user, nil
+      user = warden.instance_variable_get(:@users).delete :default
+      warden.session_serializer.delete :default, user
+    end
+    private
+    # We need to setup the environment variables and the response in the controller
+    def setup_controller_for_warden
+      @request.env['action_controller.instance'] = @controller
+    end
+    # Quick access to Warden::Proxy (memoized at setup)
+    def warden
+      @warden ||= new_warden_proxy
+    end
+    def new_warden_proxy
+      manager = Warden::Manager.new nil, &Rails.application.config.middleware.detect { |m| m.name == 'Warden::Manager'}.block
+      @request.env['warden'] = Warden::Proxy.new @request.env, manager
+    end
+  end
+end

data/lib/proxy_authentication/version.rb ADDED

@@ -0,0 +1,3 @@
+module ProxyAuthentication
+  VERSION = "0.0.4"
+end

data/lib/tasks/proxy_authentication_tasks.rake ADDED

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :proxy_authentication do
+#   # Task goes here
+# end

data/test/authentication_cipher_test.rb ADDED

@@ -0,0 +1,83 @@
+require 'test_helper'
+class AuthenticationCipherTest < ActiveSupport::TestCase
+  test "user remains the same" do
+    token = ProxyAuthentication::AuthenticationCipher.encode user
+    assert_equal user, ProxyAuthentication::AuthenticationCipher.decode(token)
+  end
+  test "if no validation block is provided, returns something if the ip addresses are the same" do
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, request
+    assert_not_nil decoded
+  end
+  test "if no validation block is provided, returns nil if the ip addresses are different" do
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, ActionDispatch::Request.new('REMOTE_ADDR' => '1.2.3.4')
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, ActionDispatch::Request.new('REMOTE_ADDR' => '0.0.0.0')
+    assert_nil decoded
+  end
+  test "call the validation block, if provided" do
+    validation_block = -> {}
+    validation_block.expects :call
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+  end
+  test "call the validation block with the request information" do
+    validation_block = lambda {}
+    time = Time.now
+    ip   = '1.2.3.4'
+    arguments = {
+      ip:   ip,
+      time: Time.at(time.to_i),
+      user: user,
+    }
+    Time.stubs(:now).returns(time)
+    validation_block.expects(:call).with(ip, arguments)
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => ip
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+  end
+  test "returns nil if the validation block return false" do
+    validation_block = lambda { |*| false }
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+    assert_nil decoded
+  end
+  test "returns something if the validation block return true" do
+    validation_block = lambda { |*| true }
+    ProxyAuthentication.validate_with &validation_block
+    request = ActionDispatch::Request.new 'REMOTE_ADDR' => '1.2.3.4'
+    token   = ProxyAuthentication::AuthenticationCipher.encode user, request
+    decoded = ProxyAuthentication::AuthenticationCipher.decode token, request
+    ProxyAuthentication.validate_with
+    assert_not_nil decoded
+  end
+  private
+  def user
+    @user = User.new 1, 'User', 'user@example.com'
+  end
+end

data/test/authentication_controller_test.rb ADDED

@@ -0,0 +1,72 @@
+require 'test_helper'
+class AuthenticationControllerTest < ActionController::TestCase
+  tests HomeController
+  test "accesing root without authenticating a user redirects to sign in" do
+    get :show
+    assert_redirection_to_sign_in
+  end
+  test "accesing root with a valid authentication hash signs in the user" do
+    token = ProxyAuthentication::AuthenticationCipher.encode user, request
+    get :show, u: token
+    assert_successful_sign_in
+  end
+  test "accesing root with a authentication hash from a different ip address redirects to sign in" do
+    token = ProxyAuthentication::AuthenticationCipher.encode user, ActionDispatch::Request.new('REMOTE_ADDR' => '1.2.3.4')
+    get :show, u: token
+    assert_redirection_to_sign_in
+  end
+  test "accesing root with an invalid authentication hash redirects to sign in" do
+    get :show, u: 'not a valid hash'
+    assert_redirection_to_sign_in
+  end
+  test "accesing root after a valid session was created doesn't require sign in" do
+    sign_in user
+    get :show
+    assert_successful_sign_in
+  end
+  test "accesing root with a valid authentication hash after a valid session was created should change the current user" do
+    sign_in user
+    other_user = User.new 2, 'Other User', 'other_user@example.com'
+    token = ProxyAuthentication::AuthenticationCipher.encode other_user, request
+    get :show, u: token
+    assert_equal other_user.id, @controller.current_user.id
+  end
+  private
+  def user
+    @user = User.new 1, 'User', 'user@example.com'
+  end
+  def assert_redirection_to_sign_in
+    assert_response :redirect
+    assert_redirected_to ProxyAuthentication.redirect_to_if_authentication_failed
+    refute @controller.user_signed_in?
+    assert_nil @controller.current_user
+  end
+  def assert_successful_sign_in
+    assert_response :success
+    assert @controller.user_signed_in?
+    assert_not_nil @controller.current_user
+  end
+end