prx_auth-rails 3.0.1 → 4.1.0
- checksums.yaml +4 -4
- data/README.md +4 -1
- data/app/controllers/prx_auth/rails/sessions_controller.rb +13 -3
- data/app/views/prx_auth/rails/sessions/show.html.erb +4 -1
- data/lib/prx_auth/rails/configuration.rb +26 -17
- data/lib/prx_auth/rails/ext/controller.rb +7 -3
- data/lib/prx_auth/rails/railtie.rb +0 -6
- data/lib/prx_auth/rails/version.rb +1 -1
- data/lib/prx_auth/rails.rb +28 -2
- data/test/prx_auth/rails/configuration_test.rb +21 -19
- data/test/prx_auth/rails/ext/controller_test.rb +13 -6
- data/test/prx_auth/rails/sessions_controller_test.rb +2 -0
- data/test/prx_auth/rails_test.rb +64 -0
- metadata +8 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d46435a82e0473d353a1f1849bfcedfb4db925e5a1bce443a8043ca948bfda69
|
4
|
+
data.tar.gz: b867f26410a93aee077e2bad3515b2fb9fb0ee4a9499cbb6bdaef9287639c158
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 308dd3bc5e3eacf014613bac983b097d677f823d60185eb76303345d698f1096e2fa7e24ad74b2f7bf5a2eef4a3222a9bf9ec51a28c1d82698bad48de8d500ad
|
7
|
+
data.tar.gz: b2bf8e7fe515a27e970a4612b7075564366f0a0270c62dca1602e6d51d1dceb7ffe4d5e2143927126bb02b4335bcd09dac501f950c5511cf456c4ffaa309cd42
|
data/README.md
CHANGED
@@ -46,7 +46,10 @@ In your rails app, add a file to config/initializers called
|
|
46
46
|
PrxAuth::Rails.configure do |config|
|
47
47
|
|
48
48
|
# enables automatic installation of token parser middleware
|
49
|
-
config.install_middleware =
|
49
|
+
config.install_middleware = true # default: true
|
50
|
+
|
51
|
+
# set the ID host
|
52
|
+
config.id_host = 'id.staging.prx.tech' # default: id.prx.org
|
50
53
|
|
51
54
|
# automatically adds namespace to all scoped queries, e.g. .authorized?(:foo) will be treated
|
52
55
|
# as .authorized?(:my_great_ns, :foo). Has no impact on unscoped queries.
|
@@ -10,19 +10,29 @@ module PrxAuth::Rails
|
|
10
10
|
before_action :set_after_sign_in_path
|
11
11
|
|
12
12
|
ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'
|
13
|
+
DEFAULT_SCOPES = 'openid apps'
|
13
14
|
|
14
15
|
def new
|
15
16
|
config = PrxAuth::Rails.configuration
|
16
17
|
|
18
|
+
scope =
|
19
|
+
if config.prx_scope.present?
|
20
|
+
"#{DEFAULT_SCOPES} #{config.prx_scope}"
|
21
|
+
else
|
22
|
+
DEFAULT_SCOPES
|
23
|
+
end
|
24
|
+
|
17
25
|
id_auth_params = {
|
18
26
|
client_id: config.prx_client_id,
|
19
27
|
nonce: fetch_nonce,
|
20
28
|
response_type: 'id_token token',
|
21
|
-
scope:
|
29
|
+
scope: scope,
|
22
30
|
prompt: 'necessary'
|
23
31
|
}
|
24
32
|
|
25
|
-
|
33
|
+
url = '//' + config.id_host + '/authorize?' + id_auth_params.to_query
|
34
|
+
|
35
|
+
redirect_to url, allow_other_host: true
|
26
36
|
end
|
27
37
|
|
28
38
|
def show
|
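Review bot: The authorize redirect in `new` is built scheme-relative, `url = '//' + config.id_host + '/authorize?' + id_auth_params.to_query`, so the scheme is inherited from whatever the current request used; an app reached over plain http sends the browser to the IdP over http, and with `response_type: 'id_token token'` the returned tokens travel in a fragment on that hop unless the IdP itself upgrades the connection. `install_middleware!` in rails.rb already derives a protocol from `id_host` (https unless it names localhost/127.0.0.1), so the same rule belongs here, e.g. `url = "#{protocol}://#{config.id_host}/authorize?#{id_auth_params.to_query}"`, with the helper shared between the two. `allow_other_host: true` is justified because `id_host` comes from `PrxAuth::Rails.configure` rather than from the request, and a comment stating that would stop a later reader from treating it as an open redirect, e.g. `# id_host is operator configuration, not request input, so the cross-host redirect is intended`. The `new` method is fully inside this hunk.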
@@ -44,7 +54,7 @@ module PrxAuth::Rails
|
|
44
54
|
redirect_to after_sign_in_path_for(current_user)
|
45
55
|
else
|
46
56
|
clear_nonce!
|
47
|
-
redirect_to auth_error_sessions_path(error: '
|
57
|
+
redirect_to auth_error_sessions_path(error: params[:error] || 'unknown_error')
|
48
58
|
end
|
49
59
|
end
|
50
60
|
|
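Review bot: `params[:error]` is reflected into the `auth_error_sessions_path` redirect without any constraint, and its value is client-controlled: the hidden `error` field added in show.html.erb is populated from the URL fragment (`error.value = hashParams['error']`), which the author of any link to this page decides. Limit it to the finite set of error codes the error page can display and cap its length, e.g. `error = params[:error].to_s.presence_in(KNOWN_ERRORS) || 'unknown_error'`, so that arbitrary text never reaches the query string or the logs. As written the `|| 'unknown_error'` fallback is also unlikely to fire: the form always submits the field, and assigning a missing `hashParams['error']` (JavaScript `undefined`) to an input's `value` yields the string `"undefined"` rather than an empty value, so `.presence` or the allowlist is needed to ever reach the default. The same applies to the view hunk that fills the field. `show` begins before this hunk.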
@@ -2,6 +2,7 @@
|
|
2
2
|
<%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
|
3
3
|
<%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
|
4
4
|
<%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
|
5
|
+
<%= hidden_field_tag :error, '', id: 'error-field' %>
|
5
6
|
<%= f.submit id: 'sessions-form-submit' %>
|
6
7
|
<% end %>
|
7
8
|
</div>
|
@@ -23,14 +24,16 @@
|
|
23
24
|
}
|
24
25
|
|
25
26
|
window.addEventListener("load", () => {
|
26
|
-
var idToken = document.querySelector("#id-token-field");
|
27
27
|
var accessToken = document.querySelector("#access-token-field");
|
28
|
+
var idToken = document.querySelector("#id-token-field");
|
29
|
+
var error = document.querySelector("#error-field");
|
28
30
|
var submit = document.querySelector("input#sessions-form-submit[type=submit]");
|
29
31
|
|
30
32
|
var hashParams = parseURLFragment();
|
31
33
|
|
32
34
|
accessToken.value = hashParams['access_token'];
|
33
35
|
idToken.value = hashParams['id_token'];
|
36
|
+
error.value = hashParams['error'];
|
34
37
|
|
35
38
|
submit.click();
|
36
39
|
});
|
@@ -2,27 +2,36 @@ class PrxAuth::Rails::Configuration
|
|
2
2
|
attr_accessor :install_middleware,
|
3
3
|
:namespace,
|
4
4
|
:prx_client_id,
|
5
|
-
:
|
5
|
+
:prx_scope,
|
6
|
+
:id_host,
|
7
|
+
:cert_path
|
6
8
|
|
9
|
+
DEFAULT_ID_HOST = 'id.prx.org'
|
10
|
+
DEFAULT_CERT_PATH = 'api/v1/certs'
|
7
11
|
|
8
12
|
def initialize
|
9
13
|
@install_middleware = true
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
else
|
15
|
-
klass.parent_name
|
16
|
-
end
|
17
|
-
klass_name = if parent_name.present?
|
18
|
-
parent_name
|
19
|
-
else
|
20
|
-
klass.name
|
21
|
-
end
|
14
|
+
@prx_client_id = nil
|
15
|
+
@prx_scope = nil
|
16
|
+
@id_host = DEFAULT_ID_HOST
|
17
|
+
@cert_path = DEFAULT_CERT_PATH
|
22
18
|
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
19
|
+
# infer default namespace from app name
|
20
|
+
@namespace =
|
21
|
+
if defined?(::Rails)
|
22
|
+
klass = ::Rails.application.class
|
23
|
+
parent_name = if ::Rails::VERSION::MAJOR >= 6
|
24
|
+
klass.module_parent_name
|
25
|
+
else
|
26
|
+
klass.parent_name
|
27
|
+
end
|
28
|
+
klass_name = if parent_name.present?
|
29
|
+
parent_name
|
30
|
+
else
|
31
|
+
klass.name
|
32
|
+
end
|
33
|
+
|
34
|
+
klass_name.underscore.intern
|
35
|
+
end
|
27
36
|
end
|
28
37
|
end
|
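Review bot: The new `:id_host` and `:cert_path` accessors carry no documentation of their expected shape, yet elsewhere in this release `id_host` is used both as the token `issuer` and as the host of the certificate URL (`install_middleware!` builds `"#{protocol}://#{host}/#{path}"`), so a value with a scheme or trailing slash produces an unusable cert location while the issuer comparison may quietly differ. Suggest `# host[:port] only, no scheme or path; doubles as the expected token issuer` above `:id_host`, and `# path under id_host where the signing certs are served, without a leading slash` above `:cert_path`. `DEFAULT_ID_HOST` and `DEFAULT_CERT_PATH` are unfrozen string literals assigned straight into the instance, so an in-place edit of `config.id_host` mutates the shared default; `.freeze` both. `initialize` is fully inside this hunk.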
@@ -52,7 +52,10 @@ module PrxAuth
|
|
52
52
|
end
|
53
53
|
|
54
54
|
def current_user_info
|
55
|
-
session[PRX_USER_INFO_SESSION_KEY] ||=
|
55
|
+
session[PRX_USER_INFO_SESSION_KEY] ||= begin
|
56
|
+
info = fetch_userinfo
|
57
|
+
info.slice('name', 'preferred_username', 'email', 'image_href', 'apps')
|
58
|
+
end
|
56
59
|
end
|
57
60
|
|
58
61
|
def current_user_name
|
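Review bot: The `slice('name', 'preferred_username', 'email', 'image_href', 'apps')` allowlist in `current_user_info` decides which userinfo claims are persisted in the session, but nothing says why those five, so the next person adding a claim cannot tell whether the list is about cookie size, about keeping profile data out of the client-side session, or about what the app reads. Suggest `# persist only the claims the controller helpers read; the rest of the userinfo response is deliberately dropped from the session` above the `begin`. If `fetch_userinfo` can return nil on an upstream failure, `info.slice` raises NoMethodError here rather than leaving the session unset, which is worth confirming against its definition outside the hunk. `current_user_info` is fully inside this hunk.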
@@ -87,7 +90,7 @@ module PrxAuth
|
|
87
90
|
end
|
88
91
|
|
89
92
|
def account_name_for(account_id)
|
90
|
-
account_for(account_id).try(:[],
|
93
|
+
account_for(account_id).try(:[], 'name')
|
91
94
|
end
|
92
95
|
|
93
96
|
def account_for(account_id)
|
@@ -107,7 +110,8 @@ module PrxAuth
|
|
107
110
|
missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
|
108
111
|
if missing.present?
|
109
112
|
fetch_accounts(missing).each do |account|
|
110
|
-
|
113
|
+
minimal = account.slice('name', 'type')
|
114
|
+
session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = minimal
|
111
115
|
end
|
112
116
|
end
|
113
117
|
|
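Review bot: `session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = minimal` keys the cache by the id as it arrives from the JSON response, while the `missing = ids - session[...].keys` line above compares against keys as the session store returns them; with a JSON-serialised cookie session, integer hash keys come back as strings, which would make every request refetch all accounts and grow the cookie. Worth confirming against the app's session serializer; normalising to one type on write and in the `missing` computation, e.g. `account['id'].to_s`, removes the dependency. The enclosing method starts before this hunk.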
@@ -7,11 +7,5 @@ module PrxAuth::Rails
|
|
7
7
|
config.to_prepare do
|
8
8
|
ApplicationController.send(:include, PrxAuth::Rails::Controller)
|
9
9
|
end
|
10
|
-
|
11
|
-
initializer 'prx_auth.insert_middleware' do |app|
|
12
|
-
if PrxAuth::Rails.configuration.install_middleware
|
13
|
-
app.config.middleware.insert_after Rack::Head, Rack::PrxAuth
|
14
|
-
end
|
15
|
-
end
|
16
10
|
end
|
17
11
|
end
|
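--- a/data/lib/prx_auth/rails.rb
+++ b/data/lib/prx_auth/rails.rb
@@ -6,10 +6,36 @@ require "prx_auth/rails/engine" if defined?(Rails)
 module PrxAuth
   module Rails
     class << self
-      attr_accessor :configuration
+      attr_accessor :configuration, :installed_middleware
 
       def configure
-        yield configuration
+        yield configuration if block_given?
+
+        # only install from first call to configure block
+        if configuration.install_middleware && !installed_middleware
+          install_middleware!
+          self.installed_middleware = true
+        end
+      end
+
+      def install_middleware!(app = nil)
+        app ||= ::Rails.application if defined?(::Rails)
+
+        return false unless app
+
+        # guess protocol from host
+        host = configuration.id_host
+        path = configuration.cert_path
+        protocol =
+          if host.include?('localhost') || host.include?('127.0.0.1')
+            'http'
+          else
+            'https'
+          end
+
+        app.middleware.insert_after Rack::Head, Rack::PrxAuth,
+          cert_location: "#{protocol}://#{host}/#{path}",
+          issuer: host
       end
     end
 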
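Review bot: `self.installed_middleware = true` in `configure` is set regardless of whether `install_middleware!` did anything; when `::Rails.application` is not available the method returns `false`, and every later `configure` call is then skipped, so the middleware is silently never installed. Tie the flag to the result, `self.installed_middleware = true if install_middleware!`, and end `install_middleware!` with an explicit `true` so the contract does not depend on what `insert_after` returns. The protocol guess is a substring test, `host.include?('localhost') || host.include?('127.0.0.1')`, which also selects http for any hostname that merely contains that text; compare the host component exactly, e.g. `%w[localhost 127.0.0.1].include?(host.split(':').first)`. Since `cert_location` is where the signing keys for every token check are fetched from, a comment that plaintext is intended for local development only, `# http only for local dev hosts; certs must come over TLS everywhere else`, would make the intent explicit.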
@@ -4,33 +4,35 @@ describe PrxAuth::Rails::Configuration do
|
|
4
4
|
|
5
5
|
subject { PrxAuth::Rails::Configuration.new }
|
6
6
|
|
7
|
-
it 'initializes with
|
8
|
-
assert subject.
|
7
|
+
it 'initializes with defaults' do
|
8
|
+
assert subject.install_middleware
|
9
|
+
assert_nil subject.prx_client_id
|
10
|
+
assert_nil subject.prx_scope
|
11
|
+
assert_equal 'id.prx.org', subject.id_host
|
12
|
+
assert_equal 'api/v1/certs', subject.cert_path
|
9
13
|
end
|
10
14
|
|
11
|
-
it '
|
12
|
-
|
13
|
-
PrxAuth::Rails.configure do |config|
|
14
|
-
config.namespace = :new_test
|
15
|
-
end
|
16
|
-
|
17
|
-
assert PrxAuth::Rails.configuration.namespace == :new_test
|
18
|
-
end
|
15
|
+
it 'infers the default namespace from the rails app name' do
|
16
|
+
assert_equal :dummy, subject.namespace
|
19
17
|
end
|
20
18
|
|
21
|
-
it '
|
22
|
-
PrxAuth::Rails.stub(:configuration, subject) do
|
23
|
-
assert PrxAuth::Rails.configuration.install_middleware
|
24
|
-
end
|
25
|
-
end
|
26
|
-
|
27
|
-
it 'allows overriding of the middleware automatic installation' do
|
19
|
+
it 'is updated by the prxauth configure block' do
|
28
20
|
PrxAuth::Rails.stub(:configuration, subject) do
|
29
21
|
PrxAuth::Rails.configure do |config|
|
30
22
|
config.install_middleware = false
|
23
|
+
config.prx_client_id = 'some-id'
|
24
|
+
config.prx_scope = 'appname:*'
|
25
|
+
config.id_host = 'id.prx.blah'
|
26
|
+
config.cert_path = 'cert/path'
|
27
|
+
config.namespace = :new_test
|
31
28
|
end
|
32
|
-
|
33
|
-
assert !PrxAuth::Rails.configuration.install_middleware
|
34
29
|
end
|
30
|
+
|
31
|
+
refute subject.install_middleware
|
32
|
+
assert_equal 'some-id', subject.prx_client_id
|
33
|
+
assert_equal 'appname:*', subject.prx_scope
|
34
|
+
assert_equal 'id.prx.blah', subject.id_host
|
35
|
+
assert_equal 'cert/path', subject.cert_path
|
36
|
+
assert_equal :new_test, subject.namespace
|
35
37
|
end
|
36
38
|
end
|
@@ -71,7 +71,7 @@ module PrxAuth::Rails::Ext
|
|
71
71
|
to_return(status: 200, body: JSON.generate(body))
|
72
72
|
|
73
73
|
assert session[@user_info_key] == nil
|
74
|
-
assert_equal @controller.current_user_info, body
|
74
|
+
assert_equal @controller.current_user_info, body.slice('name', 'apps')
|
75
75
|
refute session[@user_info_key] == nil
|
76
76
|
assert_equal @controller.current_user_name, 'Some Username'
|
77
77
|
assert_equal @controller.current_user_apps, {'PRX Publish' => 'https://publish.prx.test'}
|
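Review bot: `assert_equal @controller.current_user_info, body.slice('name', 'apps')` only exercises two of the five keys the implementation allowlists, and because `body` appears to contain just those keys it also never shows that an extra claim is dropped. A fixture that includes `email`, `preferred_username`, `image_href` and one unlisted key, asserted against the expected five-key hash, would pin the allowlist rather than just the happy path. The argument order also puts the actual value first, so a failure prints "Expected <actual>, Actual <expected>"; minitest's convention is `assert_equal expected, actual`, though this matches the file's existing style. The test block continues outside the hunk.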
@@ -117,15 +117,18 @@ module PrxAuth::Rails::Ext
|
|
117
117
|
three = {'id' => 3, 'type' => 'GroupAccount', 'name' => 'Three'}
|
118
118
|
body = {'_embedded' => {'prx:items' => [one, three]}}
|
119
119
|
|
120
|
+
min_one = one.slice('name', 'type')
|
121
|
+
min_three = three.slice('name', 'type')
|
122
|
+
|
120
123
|
id_host = PrxAuth::Rails.configuration.id_host
|
121
124
|
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3").
|
122
125
|
to_return(status: 200, body: JSON.generate(body))
|
123
126
|
|
124
127
|
assert_nil session[@account_mapping_key]
|
125
|
-
assert_equal @controller.accounts_for([1, 2, 3]), [
|
128
|
+
assert_equal @controller.accounts_for([1, 2, 3]), [min_one, nil, min_three]
|
126
129
|
refute_nil session[@account_mapping_key]
|
127
|
-
assert_equal @controller.account_for(1),
|
128
|
-
assert_equal @controller.account_for(3),
|
130
|
+
assert_equal @controller.account_for(1), min_one
|
131
|
+
assert_equal @controller.account_for(3), min_three
|
129
132
|
assert_equal @controller.account_name_for(1), 'One'
|
130
133
|
assert_equal @controller.account_name_for(3), 'Three'
|
131
134
|
end
|
@@ -152,12 +155,16 @@ module PrxAuth::Rails::Ext
|
|
152
155
|
session[@account_mapping_key] = {1 => one, 3 => three}
|
153
156
|
body = {'_embedded' => {'prx:items' => [two]}}
|
154
157
|
|
158
|
+
min_one = one.slice('name', 'type')
|
159
|
+
min_two = two.slice('name', 'type')
|
160
|
+
min_three = three.slice('name', 'type')
|
161
|
+
|
155
162
|
id_host = PrxAuth::Rails.configuration.id_host
|
156
163
|
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
|
157
164
|
to_return(status: 200, body: JSON.generate(body))
|
158
165
|
|
159
|
-
assert_equal @controller.accounts_for([1, 2, 3]), [
|
160
|
-
assert_equal @controller.account_for(2),
|
166
|
+
assert_equal @controller.accounts_for([1, 2, 3]), [min_one, min_two, min_three]
|
167
|
+
assert_equal @controller.account_for(2), min_two
|
161
168
|
assert_equal @controller.account_name_for(2), 'Two'
|
162
169
|
end
|
163
170
|
end
|
@@ -82,6 +82,7 @@ module PrxAuth::Rails
|
|
82
82
|
|
83
83
|
test 'should respond with redirect to the auth error page / code if the nonce does not match' do
|
84
84
|
@controller.stub(:validate_token, @stub_claims) do
|
85
|
+
@token_params[:error] = 'verification_failed'
|
85
86
|
session[@nonce_session_key] = 'nonce-does-not-match'
|
86
87
|
post :create, params: @token_params, format: :json
|
87
88
|
assert response.code == '302'
|
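Review bot: The new `@token_params[:error] = 'verification_failed'` line only matters if the test then checks that the value reaches the redirect; the visible assertions stop at `assert response.code == '302'`, so unless the location is asserted below the hunk the `params[:error]` branch in `show` remains uncovered and a regression to the old hard-coded error would pass. Add `assert_includes response.location, 'error=verification_failed'` after the status check. The same applies to the second hunk in this file. Both test blocks continue past their hunks.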
@@ -105,6 +106,7 @@ module PrxAuth::Rails
|
|
105
106
|
@controller.stub(:id_claims, @stub_claims) do
|
106
107
|
@controller.stub(:access_claims, @stub_claims.merge('sub' => '444')) do
|
107
108
|
|
109
|
+
@token_params[:error] = 'verification_failed'
|
108
110
|
session[@nonce_session_key] = '123'
|
109
111
|
post :create, params: @token_params, format: :json
|
110
112
|
|
@@ -0,0 +1,64 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'pry'
|
3
|
+
|
4
|
+
describe PrxAuth::Rails do
|
5
|
+
|
6
|
+
subject { PrxAuth::Rails }
|
7
|
+
|
8
|
+
it 'gets a configuration' do
|
9
|
+
assert_equal :test_app, subject.configuration.namespace
|
10
|
+
assert_equal '1234', subject.configuration.prx_client_id
|
11
|
+
assert_equal 'id.prx.test', subject.configuration.id_host
|
12
|
+
assert_equal 'api/v1/certs', subject.configuration.cert_path
|
13
|
+
end
|
14
|
+
|
15
|
+
it 'installs and configures prx_auth middleware' do
|
16
|
+
mw = MiniTest::Mock.new
|
17
|
+
mw.expect :insert_after, nil do |c1, c2, cert_location:, issuer:|
|
18
|
+
assert_equal Rack::Head, c1
|
19
|
+
assert_equal Rack::PrxAuth, c2
|
20
|
+
assert_equal 'https://id.prx.test/api/v1/certs', cert_location
|
21
|
+
assert_equal 'id.prx.test', issuer
|
22
|
+
end
|
23
|
+
|
24
|
+
app = MiniTest::Mock.new
|
25
|
+
app.expect :middleware, mw
|
26
|
+
|
27
|
+
subject.install_middleware!(app)
|
28
|
+
mw.verify
|
29
|
+
end
|
30
|
+
|
31
|
+
it 'installs middleware after configuration' do
|
32
|
+
called = false
|
33
|
+
spy = -> { called = true }
|
34
|
+
|
35
|
+
PrxAuth::Rails.stub(:install_middleware!, spy) do
|
36
|
+
PrxAuth::Rails.installed_middleware = false
|
37
|
+
|
38
|
+
PrxAuth::Rails.configure do |config|
|
39
|
+
config.install_middleware = true
|
40
|
+
end
|
41
|
+
|
42
|
+
assert PrxAuth::Rails.installed_middleware
|
43
|
+
end
|
44
|
+
|
45
|
+
assert called
|
46
|
+
end
|
47
|
+
|
48
|
+
it 'allows overriding of the middleware automatic installation' do
|
49
|
+
called = false
|
50
|
+
spy = -> { called = true }
|
51
|
+
|
52
|
+
PrxAuth::Rails.stub(:install_middleware!, spy) do
|
53
|
+
PrxAuth::Rails.installed_middleware = false
|
54
|
+
|
55
|
+
PrxAuth::Rails.configure do |config|
|
56
|
+
config.install_middleware = false
|
57
|
+
end
|
58
|
+
|
59
|
+
refute PrxAuth::Rails.installed_middleware
|
60
|
+
end
|
61
|
+
|
62
|
+
refute called
|
63
|
+
end
|
64
|
+
end
|
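Review bot: `require 'pry'` at the top of the new test file is a debugging leftover; the file ships in the gem's `test_files`, so running the suite now needs a dev console gem that the tests never use, and the line should be removed. The two `configure` tests set `PrxAuth::Rails.installed_middleware = false` inside the stub block and never restore it, so whichever runs last leaves the global flag changed for every other test in the process; save and restore it, or reset it in an `after` block. `MiniTest::Mock` uses the legacy capitalised constant that minitest has deprecated in favour of `Minitest::Mock`, worth switching before the alias disappears.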
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: prx_auth-rails
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 4.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chris Rhoden
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: actionpack
|
@@ -265,12 +265,13 @@ files:
|
|
265
265
|
- test/prx_auth/rails/ext/controller_test.rb
|
266
266
|
- test/prx_auth/rails/sessions_controller_test.rb
|
267
267
|
- test/prx_auth/rails/token_test.rb
|
268
|
+
- test/prx_auth/rails_test.rb
|
268
269
|
- test/test_helper.rb
|
269
270
|
homepage: https://github.com/PRX/prx_auth-rails
|
270
271
|
licenses:
|
271
272
|
- MIT
|
272
273
|
metadata: {}
|
273
|
-
post_install_message:
|
274
|
+
post_install_message:
|
274
275
|
rdoc_options: []
|
275
276
|
require_paths:
|
276
277
|
- lib
|
@@ -285,8 +286,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
285
286
|
- !ruby/object:Gem::Version
|
286
287
|
version: '0'
|
287
288
|
requirements: []
|
288
|
-
rubygems_version: 3.
|
289
|
-
signing_key:
|
289
|
+
rubygems_version: 3.3.3
|
290
|
+
signing_key:
|
290
291
|
specification_version: 4
|
291
292
|
summary: Rails integration for next generation PRX Authorization system.
|
292
293
|
test_files:
|
@@ -351,4 +352,5 @@ test_files:
|
|
351
352
|
- test/prx_auth/rails/ext/controller_test.rb
|
352
353
|
- test/prx_auth/rails/sessions_controller_test.rb
|
353
354
|
- test/prx_auth/rails/token_test.rb
|
355
|
+
- test/prx_auth/rails_test.rb
|
354
356
|
- test/test_helper.rb
|