rack-restrict_access 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e253b537840c9ba69e36d3d18e155534e6c5bbc7
+  data.tar.gz: dee32c0bc384fba84d18c5d1597b9f23234627bc
+SHA512:
+  metadata.gz: e5df594610789f4a7e777a7cc6d902c06852532c857d6fcad35e492b97406b0b7c1e88d9e6d1ae4730a595f600eac7b4dc8d80e595004e0423d2083dd49d0664
+  data.tar.gz: fce72b5f59e0dd3b3526b8331112e82f2203adc697d09ad6d1aadfb53786ef985fb3b2ded766e2148b96a4590433bf75c2ca71b11727e235bc97f7170956d433

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rack-restrict_access.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Mainor Claros
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,177 @@
+# Rack::RestrictAccess
+
+Compares env 'REMOTE_ADDR' and 'PATH_INFO' against user-defined values to _block_ (403), _restrict_ (401 basic auth), or _allow_ access to the rack app.
+
+Intended for use in simple access control. Should not be considered a security solution.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'rack-restrict_access'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rack-restrict_access
+
+## Usage
+
+Include in application.rb
+
+```
+# /config/application.rb
+
+module ApplicationName
+  class Application < Rails::Application
+
+    ...
+
+    config.middleware.use Rack::RestrictAccess do
+      restrict do
+        all_resources!
+        # single/multiple delimited string(s), regexp(s), or array(s) of both
+        credentials ENV['RESTRICTED_ACCESS_CREDENTIALS'], :delimiter => ","
+
+      end
+
+      # single/multiple delimited string(s), regexp(s), or array(s) of both
+      allow do
+        origin_ips ENV['ALLOWED_IPS'], "0.0.0.0", /192.168.\d{1}.\d.\d{1}$/, :delimiter => ","
+      end
+    end
+
+    ...
+
+  end
+end
+```
+
+### DSL
+
+There are three kinds of filters: `block`, `restrict`, and `allow`. They apply to `resources` (site paths) and `origin_ips` (REMOTE_ADDR/IP of requester), which the user designates.
+
+#### `restrict`
+
+Enforces HTTP Authentication for items passed through a block.
+
+```
+# require login the entire site
+
+restrict do
+  all_resources!
+end
+```
+
+```
+# restrict access to the specific path "/secret-place", and paths starting with "/admin"
+
+restrict do
+  resources /^\/admin\/.*/, "/secret-place"
+  # also supports array(s) of strings/regexps
+  # use :delimiter => STRING/REGEXP for delimited strings (also applies to strings in arrays)
+end
+```
+
+```
+#restrict access to any part of the site for the follolowing IPs
+
+restrict do
+  origin_ips "192.168.1.1,192.169.9.9", :delimiter => ","  # or Regexps
+end
+```
+
+```
+#or both!
+
+restrict do
+  # block access to the specific path "/secret-place", and paths starting with "/admin"
+  resources /^\/admin\/*/, "/secret-place"
+
+  # also block access to anything for these IPs:
+  origins "192.168.1.1", "192.169.9.9"
+end
+```
+
+##### Credentials
+
+Designate one or multiple valid username/password combinations. Can be single/multiple delimited strings, hashes (where :username and :password are set to a string or regexp), or arrays of strings
+
+
+```
+restrict do
+  all_resources!
+
+  #delimiter options required if dealing with delimited strings:
+  credentials "stewie:coolwhip|brian:novel" :credentials_delimiter => ":", :credential_pair_delimiter => "|"
+
+  #delimiter options default to :credentials => "," and :credential_pair_delimiter => ";" , respectively
+
+  #or single/multiple hashes:
+  credentials :username => "admin", :password => "password123"
+end
+```
+
+#### `block`
+
+Returns _403 FORBIDDEN_ for items passed through a block. Use same as `restrict`.
+
+```
+# block all the things!
+block do
+  all_resources!
+end
+```
+
+```
+block do
+  # block access to the specific path "/secret-place", and paths starting with "/admin"
+
+  resources /^\/admin\/*/, "/secret-place"
+
+  # also supports array(s) of strings/regexps
+  # use :delimiter => STRING/REGEXP for delimited strings (also applies to strings in arrays)
+
+  # also block access to anything for these IPs:
+  origin_ips "192.168.1.1", "192.169.9.9"
+end
+
+```
+
+You may also designate a custom HTTP status code and response header, body for blocked resources
+
+```
+block do
+  all_resources!
+
+  status_code 401   #default is 403
+
+  body ["You shall not pass!"]
+  #body must respond to :each. Default is ["<h1>Forbidden</h1>"]
+end
+```
+
+#### `allow`
+
+Create exceptions for particular paths/IPs. These exceptions override `block` and `restrict` filters.
+
+```
+allow do
+  #make this path open to anyone
+  resources "/index"
+
+  #allow this ip to bypass block/basic auth
+  origin_ips "192.168.0.1"
+end
+```
+
+## Contributing
+
+1. Fork it ( http://github.com/<my-github-username>/rack-restrict_access/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/rack/restrict_access.rb

@@ -0,0 +1,313 @@
+require "rack"
+require "rack/restrict_access/version"
+
+module Rack
+  class RestrictAccess
+    def initialize(app, &blk)
+      @app = app
+      @options = {enabled: true, auth: true}
+
+      if block_given?
+        instance_eval(&blk)
+      end
+    end
+
+    def options(options_hash)
+      @options.merge!(options_hash)
+    end
+
+    def app_enabled?
+      @options[:enabled] == true
+    end
+
+    def auth_enabled?
+      @options[:auth] == true
+    end
+
+    def block(&blk)
+      filter = BlockFilter.new
+      block_filters << filter
+      filter.instance_eval(&blk)
+    end
+
+    def restrict(&blk)
+      filter = RestrictFilter.new
+      restrict_filters << filter
+      filter.instance_eval(&blk)
+    end
+
+    def allow(&blk)
+      filter = AllowFilter.new
+      allow_filters << filter
+      filter.instance_eval(&blk)
+    end
+
+    def call(env)
+      return success_response(env) unless app_enabled?
+      request = Rack::Request.new(env)
+      path = request.path
+      origin = request.ip
+
+      exception =  allow_filters.detect { |filter| filter.allows_resource?(path) || filter.allows_ip?(origin) }
+      return success_response(env) if exception
+
+      blocker = block_filters.detect { |filter| filter.blocks_resource?(path) || filter.blocks_ip?(origin) }
+      return blocked_response(blocker) if blocker
+
+      if auth_enabled?
+        restrictor = restrict_filters.detect { |filter| filter.restricts_resource?(path) || filter.restricts_ip?(origin) }
+        return restricted_response(env, restrictor) if restrictor && restrictor.credentials_count > 0
+      end
+
+      success_response(env)
+    end
+
+    private
+      def block_filters
+        @block_filters ||= []
+      end
+
+      def restrict_filters
+        @restrict_filters ||= []
+      end
+
+      def allow_filters
+        @allow_filters ||= []
+      end
+
+      def success_response(env)
+        @app.call(env)
+      end
+
+      def blocked_response(block_filter)
+        content_type = {"Content-Type" => "text/html"}
+        body = block_filter.instance_variable_get(:@body)
+        code = block_filter.instance_variable_get(:@status_code)
+        [code, content_type, body]
+      end
+
+      def restricted_response(env, restrict_filter)
+        auth = Rack::Auth::Basic.new(@app) do |uname, pass|
+          restrict_filter.credentials_match?(username: uname, password: pass)
+        end
+        auth.call(env)
+      end
+
+      class Filter
+        attr_reader :filter_type
+
+        def initialize(&blk)
+          @ips = []
+          @resources = []
+          @applies_to_all_resources = false
+
+          if block_given?
+            instance_eval(&blk)
+          end
+        end
+
+        def applies_to_resource?(requested_resource)
+          return true if @applies_to_all_resources
+          raise TypeError, requested_resource unless requested_resource.respond_to? :to_str
+          requested_resource = requested_resource.to_str
+          @resources.any? do |resource|
+            !(requested_resource =~ resource).nil?
+          end
+        end
+
+        def applies_to_ip?(remote_addr)
+          raise TypeError, remote_addr unless remote_addr.respond_to? :to_str
+          remote_addr = remote_addr.to_str
+          @ips.any? do |ip|
+            !(remote_addr =~ ip).nil?
+          end
+        end
+
+        def path_to_regexp(path)
+          if path.respond_to? :to_str
+            /^#{Regexp.escape(path)}\/?$/
+          elsif path.respond_to? :match
+            path
+          else
+            raise TypeError, path
+          end
+        end
+
+        def all_resources!
+          @applies_to_all_resources = true
+        end
+
+        def resources(*paths)
+          options = paths.pop if paths.last.is_a? Hash
+          options ||= {}
+          delimiter = options.fetch(:delimiter, false)
+
+          concat_new_attributes(args: paths, ivar: @resources) do |path|
+            path = path.split(delimiter) if delimiter && path.is_a?(String)
+            if path.is_a? Array
+              path.map! { |pt| path_to_regexp(pt) }
+            else
+              path_to_regexp(path)
+            end
+          end
+        end
+
+        def ip_to_regexp(ip)
+          if ip.respond_to? :to_str
+            /^#{Regexp.escape(ip)}$/
+          elsif ip.respond_to? :match
+            ip
+          else
+            raise TypeError, ip
+          end
+        end
+
+        def origin_ips(*ips)
+          options = ips.pop if ips.last.is_a? Hash
+          options ||= {}
+          delimiter = options.fetch(:delimiter, false)
+
+          concat_new_attributes(args: ips, ivar: @ips) do |ip|
+            ip = ip.split(delimiter) if delimiter && ip.is_a?(String)
+            if ip.is_a? Array
+              ip.map! { |addr| ip_to_regexp(addr) }
+            else
+              ip_to_regexp(ip)
+            end
+          end
+        end
+
+        private
+          def concat_new_attributes(options, &blk)
+            args = options.fetch(:args, [])
+            ivar = options.fetch(:ivar, nil)
+            raise ArgumentError, "Missing :ivar option" unless ivar
+            values_to_save = args.flatten.map do |arg|
+              blk.call(arg)
+            end.flatten
+            ivar.concat(values_to_save)
+          end
+      end
+
+      class AllowFilter < Filter
+        def allows_resource?(resource)
+          applies_to_resource?(resource)
+        end
+
+        def allows_ip?(ip)
+          applies_to_ip?(ip)
+        end
+      end
+
+      class BlockFilter < Filter
+        def initialize
+          @status_code = 403
+          @body = ["<h1>Forbidden</h1>"]
+          super
+        end
+
+        def body(enumerable)
+          raise ArgumentError, "Body must respond to #each" unless enumerable.respond_to? :each
+          @body = enumerable
+        end
+
+        def status_code(int)
+          @status_code = int.to_i
+        end
+
+        def blocks_resource?(path)
+          applies_to_resource?(path)
+        end
+
+        def blocks_ip?(ip)
+          applies_to_ip?(ip)
+        end
+      end
+
+      class RestrictFilter < Filter
+        def initialize
+          @credentials = []
+          super
+        end
+
+        def restricts_resource?(path)
+          applies_to_resource?(path)
+        end
+
+        def restricts_ip?(ip)
+          applies_to_ip?(ip)
+        end
+
+        def credentials(*creds)
+          if !creds.first.is_a?(Hash) && creds.last.is_a?(Hash)
+            options = creds.pop
+          end
+          options ||= {}
+
+          concat_new_attributes(args: creds, ivar: @credentials) do |credential_pair|
+            if credential_pair.is_a? Hash
+              creds_from_hash(credential_pair)
+            elsif credential_pair.is_a? String
+              creds_from_string(credential_pair, options)
+            elsif credential_pair.is_a? Array
+              creds_from_array(credential_pair, options)
+            end
+          end
+        end
+
+        def credentials_match?(creds_hash)
+          @credentials.any? do |saved_hash|
+            saved_u = saved_hash[:username]
+            saved_p = saved_hash[:password]
+            given_u = creds_hash[:username]
+            given_p = creds_hash[:password]
+            !(given_u =~ saved_u).nil? && !(given_p =~ saved_p).nil?
+          end
+        end
+
+        def credentials_count
+          @credentials.length
+        end
+
+        private
+          def cred_to_regexp(cred)
+            if cred.respond_to? :to_str
+              /^#{Regexp.escape(cred)}$/
+            elsif cred.respond_to? :match
+              cred
+            else
+              raise TypeError, cred
+            end
+          end
+
+          def creds_from_hash(hash)
+            {
+              username: cred_to_regexp(hash[:username]),
+              password: cred_to_regexp(hash[:password])
+            }
+          end
+
+          def creds_from_array(array)
+            array.map do |el|
+              creds_from_string(el, options)
+            end
+          end
+
+          def creds_from_string(string, options = {})
+            string = string.to_str
+            credentials_delimiter = options.fetch(:credentials_delimiter, ',')
+            credential_pair_delimiter = options.fetch(:credential_pair_delimiter, ';')
+            creds = string.split(credential_pair_delimiter)
+            creds.map do |str|
+              cred_pair = str.split(credentials_delimiter)
+              {
+                username: cred_to_regexp(cred_pair[0]),
+                password: cred_to_regexp(cred_pair[1])
+              }
+            end
+          end
+      end
+
+  end
+end
+