rack-allow-from 0.0.2

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/.rspec

@@ -0,0 +1 @@
+--colour

data/CHANGELOG

@@ -0,0 +1,10 @@
+2012-02-25 Philip Champon <pchampon@gmail.com>
+
+	* Added rescue for TCPSocket failure
+	* Replaced env['X-Remote-Hostname'] with env['HTTP_X_REMOTE_HOSTNAME']
+	* Better tests
+	* Better  README
+
+2012-02-24 Philip Champon <pchampon@gmail.com>
+
+	* initial version, supported as Rails middleware

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in rack-allow-from.gemspec
+gemspec
+#gem 'railties', '~>3.1.0', require: 'rails'
+#group :development do
+  #gem 'rspec'
+#end

data/README.md

@@ -0,0 +1,51 @@
+# Description
+
+Rack-allow-from is a simple piece of [Rack](https://github.com/rack/rack) middleware, which accepts connections from authorized hosts. Unauthorized hosts receive "403 Unauthorized access". Hosts are defined as IP addresses, host names, or simplistic regexes of either (ie 1.2.3.* or *.example.com). 
+
+White listed IPs are checked against `env['REMOTE_ADDR']`. White listed host names are validated against the client provided header, X-Remote-Hostname (env['HTTP_X_REMOTE_HOSTNAME']). When a host name is specified, its A record must match `env['REMOTE_ADDR']`, or the connection is rejected.
+
+This version only supports Rails 3 applications.
+
+# Configuration
+
+* Add configuration options to config/application.rb or config/environments/*.rb
+    * `config.allow_from` is defined as an array of strings
+        * the default values are `["127.0.0.1", "localhost", "*.dev"]`
+        * add hosts using this idiom `config.allow_from += ["host.name"]`, unless you know what you're doing
+        * Configuring rack-allow-from with regex characters, other than *, is not supported. You can likely use most matchers with ease, but all periods are escaped, ie `*.example.com` becomes `.*\.example\.com`
+* Acceptable array elements are IP addresses, hostnames or blobs of either
+    * `["127.0.0.1", "192.168.*", "example.com", "*.example.com"]`
+* `Rails.configuration.allow_from.empty?` will reject all requests
+* A nil `Rails.configuration.allow_from` accepts all requests
+
+The middlware is inserted during boot, using [Rails::Railtie](http://api.rubyonrails.org/classes/Rails/Railtie.html) and should appear near the top of `rake middleware`.
+
+# Examples
+
+1. Allowing an entire class C to connect to your app
+    * Assume your private network is 192.168.1.0/24 and your dev machine's IP is 192.168.1.2
+    * config/application.rb would define allow_hosts as `config.allow_hosts += ["192.168.1.*"]
+    * Boot your app, `rails s`
+    * `curl http://192.168.1.2:3000/`
+1. Allowing an entire domain to connect to your app
+    * Assume your domain is example.com, foo.example.com's A record is 192.168.1.2
+    * config/application.rb would define allow_hosts as `config.allow_hosts += ["*.example.com"]`
+    * Add `192.168.1.2 foo.example.com` to /etc/hosts
+    * Boot your app, `rails s`
+    * `curl -H "X-Remote-Hostname: foo.example.com" http://192.168.1.2:3000/`
+
+# Contributing to rack-allow-from
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+# Copyright
+
+Copyright (c) 2012 Philip Champon. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/rack-allow-from.rb

@@ -0,0 +1,4 @@
+require 'rails'
+require "rack/allow-from/middleware"
+require "rack/allow-from/railtie"
+require "rack/allow-from/version"

data/lib/rack/allow-from.rb

@@ -0,0 +1,9 @@
+require "rack/allow-from/middleware"
+require "rack/allow-from/railtie"
+require "rack/allow-from/version"
+
+module Rack
+  module AllowFrom
+
+  end
+end

data/lib/rack/allow-from/middleware.rb

@@ -0,0 +1,50 @@
+module Rack
+  module AllowFrom
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+    
+      def call(env)
+        status, headers, body = @app.call(env)
+        if valid_client?(env)
+          [status, headers, body]
+        else
+          [403, {}, ["Unauthorized access"]]
+        end
+      end
+    
+      private
+    
+      def valid_client?(env)
+        return true unless Rails.configuration.allow_from
+        r = false
+        ip = env['REMOTE_ADDR']
+        host = env['HTTP_X_REMOTE_HOSTNAME']
+        Rails.configuration.allow_from.each do |rule|
+          if ip == rule || (host == rule && valid_ip?(ip, host))
+            r = true
+          elsif ip =~ %r{#{re_sub rule}} || (host =~ %r{#{re_sub rule}} && valid_ip?(ip, host))
+            r = true
+          end
+          break if r
+        end
+        r
+      end
+    
+      def valid_ip?(ip, host)
+        require "socket"
+        ips = TCPSocket.gethostbyname(host)[3..-1]
+        ips.include?(ip)
+      rescue => e
+        #Rails.logger.debug("Rack::AllowFrom: Invalid hostname '#{host}'")
+        false
+      end
+
+      def re_sub(re)
+        re.gsub('.', '\\.').sub('*', '.*')
+      end
+
+    end
+  end
+end

data/lib/rack/allow-from/railtie.rb

@@ -0,0 +1,10 @@
+module Rack
+  module AllowFrom
+    class Railtie < Rails::Railtie
+      config.allow_from = %w(127.0.0.1 localhost *.dev)
+      initializer "rack-allow-from.configure_rails_initialization" do |app|
+        app.middleware.insert_before 0, "Rack::AllowFrom::Middleware"
+      end
+    end
+  end
+end

data/lib/rack/allow-from/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  module AllowFrom
+    VERSION = "0.0.2"
+  end
+end

data/rack-allow-from.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "rack/allow-from/version"
+
+Gem::Specification.new do |s|
+  s.name        = "rack-allow-from"
+  s.version     = Rack::AllowFrom::VERSION
+  s.authors     = ["Philip Champon"]
+  s.email       = ["pchampon@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{Control which hosts connect to your Rails app}
+  s.description = %q{A Rack middlware which reads from a Rails configuration variable, 
+                     determining which hosts are allowed to connect to your Rails app.}
+
+  s.rubyforge_project = "rack-allow-from"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_development_dependency "rspec"
+  s.add_runtime_dependency "rails", "~> 3.1.0"
+end

data/spec/middleware_spec.rb

@@ -0,0 +1,130 @@
+require 'spec_helper'
+
+describe Rack::AllowFrom::Middleware do
+  let(:app) { 
+    a=double("app").as_null_object
+    a.stub(:call).and_return([200, {"Content-Type" => "text/plain", "Content-Length" => 0}, []])
+    a
+  }
+  let(:host_headers)  { { 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_REMOTE_HOSTNAME' => 'foo.example.com'} }
+  let(:ip_headers)    { { 'REMOTE_ADDR' => '127.0.0.1'} }
+  subject   { Rack::AllowFrom::Middleware.new(app) }
+
+  context "#call" do
+    before do
+      TCPSocket.stub(:gethostbyname).and_return(["foo.example.com", [], 30, "::1", "127.0.0.1", "fe80::1%lo0"])
+    end
+
+    after do
+      TCPSocket.unstub(:gethostbyname)
+    end
+
+    describe "success" do
+      let(:_expected) { [200, {"Content-Type" => "text/plain", "Content-Length" => 0}, []] }
+      it "matching ips return 200" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.0.1))
+        subject.call(ip_headers).should == _expected
+      end
+      it "matching hostname return 200" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.0.1))
+        subject.call(host_headers).should == _expected
+      end
+    end
+
+    describe "failure" do
+      let(:_expected) { [403, {}, ["Unauthorized access"]] }
+
+      it "mismatched hostname return 403" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.0.2))
+        subject.call(ip_headers).should == _expected
+      end
+      it "mismatched hostname return 403" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.0.2))
+        subject.call(host_headers).should == _expected
+      end
+    end
+  end
+
+  context "#valid_ip?" do
+    it "returns true for 127.0.0.1 localhost" do
+      subject.send(:valid_ip?, "127.0.0.1", "localhost").should be_true
+    end
+    it "returns false for 127.0.0.2 localhost" do
+      subject.send(:valid_ip?, "127.0.0.2", "localhost").should be_false
+    end
+    it "returns false for invalid host names" do
+      subject.send(:valid_ip?, "127.0.0.1", "_bad.com_").should be_false
+    end
+  end
+
+  context "#valid_client?" do
+    before do
+      TCPSocket.stub(:gethostbyname).and_return(["foo.example.com", [], 30, "::1", "127.0.0.1", "fe80::1%lo0"])
+    end
+
+    after do
+      TCPSocket.unstub(:gethostbyname)
+    end
+
+    describe "success" do
+      it "accepts a nil configuration" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(nil)
+        subject.send(:valid_client?, ip_headers).should be_true
+      end
+
+      it "accepts an ip address" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.0.1))
+        subject.send(:valid_client?, ip_headers).should be_true
+      end
+
+      it "accepts an ip wildcard at the end" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.*))
+        subject.send(:valid_client?, ip_headers).should be_true
+      end
+
+      it "accepts an ip wildcard in the middle" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.*.1))
+        subject.send(:valid_client?, ip_headers).should be_true
+      end
+
+      it "accepts a host name" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(foo.example.com))
+        subject.send(:valid_client?, host_headers).should be_true
+      end
+
+      it "accepts a host name wildcard at the beginning" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(*.example.com))
+        subject.send(:valid_client?, host_headers).should be_true
+      end
+
+      it "accepts a hostname wildcard in the middle" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(foo.*.com))
+        subject.send(:valid_client?, host_headers).should be_true
+      end
+
+    end
+
+    describe "failure" do
+      it "rejects mismatched ip addresses" do
+        Rails.stub_chain(:configuration,:allow_from).and_return([])
+        subject.send(:valid_client?, ip_headers).should be_false
+      end
+
+      it "rejects mismatched ip addresses" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(127.0.0.2))
+        subject.send(:valid_client?, ip_headers).should be_false
+      end
+
+      it "rejects mismatched ip address wildcards" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(192.168.*))
+        subject.send(:valid_client?, ip_headers).should be_false
+      end
+
+      it "rejects mismatched hostname wildcards" do
+        Rails.stub_chain(:configuration,:allow_from).and_return(%w(*.foo.com))
+        subject.send(:valid_client?, host_headers).should be_false
+      end
+
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+require 'rails'
+require 'rack/allow-from'

metadata

@@ -0,0 +1,85 @@
+--- !ruby/object:Gem::Specification
+name: rack-allow-from
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+  prerelease: 
+platform: ruby
+authors:
+- Philip Champon
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-02-26 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70275271308940 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70275271308940
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: &70275271308440 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *70275271308440
+description: ! "A Rack middlware which reads from a Rails configuration variable,
+  \n                     determining which hosts are allowed to connect to your Rails
+  app."
+email:
+- pchampon@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- CHANGELOG
+- Gemfile
+- README.md
+- Rakefile
+- lib/rack-allow-from.rb
+- lib/rack/allow-from.rb
+- lib/rack/allow-from/middleware.rb
+- lib/rack/allow-from/railtie.rb
+- lib/rack/allow-from/version.rb
+- rack-allow-from.gemspec
+- spec/middleware_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: rack-allow-from
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Control which hosts connect to your Rails app
+test_files:
+- spec/middleware_spec.rb
+- spec/spec_helper.rb