rails-auth 0.0.0 → 0.0.1

data/spec/rails/auth/rspec/matchers/acl_matchers_spec.rb

@@ -0,0 +1,20 @@
+RSpec.describe "RSpec ACL matchers", acl_spec: true do
+  let(:example_principal) { x509_principal_hash(ou: "ponycopter") }
+  let(:another_principal) { x509_principal_hash(ou: "derpderp") }
+
+  subject do
+    Rails::Auth::ACL.from_yaml(
+      fixture_path("example_acl.yml").read,
+      matchers: {
+        allow_x509_subject: Rails::Auth::X509::Matcher,
+        allow_claims:       ClaimsPredicate
+      }
+    )
+  end
+
+  describe "/baz/quux" do
+    it { is_expected.to permit get_request(principals: example_principal) }
+    it { is_expected.not_to permit get_request(principals: another_principal) }
+    it { is_expected.not_to permit get_request }
+  end
+end

data/spec/rails/auth/x509/matcher_spec.rb

@@ -0,0 +1,21 @@
+RSpec.describe Rails::Auth::X509::Matcher do
+  let(:example_cert)      { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
+  let(:example_principal) { Rails::Auth::X509::Principal.new(example_cert) }
+
+  let(:example_ou) { "ponycopter" }
+  let(:another_ou) { "somethingelse" }
+
+  let(:example_env) do
+    { Rails::Auth::PRINCIPALS_ENV_KEY => { "x509" => example_principal } }
+  end
+
+  it "matches against a valid Rails::Auth::X509::Principal" do
+    predicate = described_class.new(ou: example_ou)
+    expect(predicate.match(example_env)).to eq true
+  end
+
+  it "doesn't match if the subject mismatches" do
+    predicate = described_class.new(ou: another_ou)
+    expect(predicate.match(example_env)).to eq false
+  end
+end

data/spec/rails/auth/x509/middleware_spec.rb

@@ -0,0 +1,74 @@
+require "logger"
+
+RSpec.describe Rails::Auth::X509::Middleware do
+  let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
+  let(:app)     { ->(env) { [200, env, "Hello, world!"] } }
+
+  let(:valid_cert_pem) { cert_path("valid.crt").read }
+  let(:bad_cert_pem)   { cert_path("invalid.crt").read }
+  let(:cert_required)  { false }
+  let(:cert_filter)    { :pem }
+  let(:example_key)    { "X-SSL-Client-Cert" }
+
+  let(:middleware) do
+    described_class.new(
+      app,
+      logger: Logger.new(STDERR),
+      ca_file: cert_path("ca.crt").to_s,
+      cert_filters: { example_key => cert_filter },
+      require_cert: cert_required
+    )
+  end
+
+  context "certificate types" do
+    describe "PEM certificates" do
+      it "extracts Rails::Auth::Principal::X509 from a PEM certificate in the Rack environment" do
+        _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
+
+        principal = Rails::Auth.principals(env).fetch("x509")
+        expect(principal).to be_a Rails::Auth::X509::Principal
+      end
+
+      it "ignores unverified certificates" do
+        _response, env = middleware.call(request.merge(example_key => bad_cert_pem))
+        expect(Rails::Auth.principals(env)).to be_empty
+      end
+    end
+
+    describe "Java certificates" do
+      let(:example_key) { "javax.servlet.request.X509Certificate" }
+      let(:cert_filter) { :java }
+
+      let(:java_cert) do
+        ruby_cert = OpenSSL::X509::Certificate.new(valid_cert_pem)
+        Java::SunSecurityX509::X509CertImpl.new(ruby_cert.to_der.to_java_bytes)
+      end
+
+      it "extracts Rails::Auth::Principal::X509 from a Java::SunSecurityX509::X509CertImpl" do
+        skip "JRuby only" unless defined?(JRUBY_VERSION)
+
+        _response, env = middleware.call(request.merge(example_key => java_cert))
+
+        principal = Rails::Auth.principals(env).fetch("x509")
+        expect(principal).to be_a Rails::Auth::X509::Principal
+      end
+    end
+  end
+
+  describe "require_cert: true" do
+    let(:cert_required) { true }
+
+    it "functions normally for valid certificates" do
+      _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
+
+      principal = Rails::Auth.principals(env).fetch("x509")
+      expect(principal).to be_a Rails::Auth::X509::Principal
+    end
+
+    it "raises Rails::Auth::X509::CertificateVerifyFailed for unverified certificates" do
+      expect do
+        middleware.call(request.merge(example_key => bad_cert_pem))
+      end.to raise_error Rails::Auth::X509::CertificateVerifyFailed
+    end
+  end
+end

data/spec/rails/auth/x509/principal_spec.rb

@@ -0,0 +1,27 @@
+RSpec.describe Rails::Auth::X509::Principal do
+  let(:example_cert)      { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
+  let(:example_principal) { described_class.new(example_cert) }
+
+  let(:example_cn) { "127.0.0.1" }
+  let(:example_ou) { "ponycopter" }
+
+  describe "#[]" do
+    it "allows access to subject components via strings" do
+      expect(example_principal["CN"]).to eq example_cn
+      expect(example_principal["OU"]).to eq example_ou
+    end
+
+    it "allows access to subject components via symbols" do
+      expect(example_principal[:cn]).to eq example_cn
+      expect(example_principal[:ou]).to eq example_ou
+    end
+  end
+
+  it "knows its #cn" do
+    expect(example_principal.cn).to eq example_cn
+  end
+
+  it "knows its #ou" do
+    expect(example_principal.ou).to eq example_ou
+  end
+end

data/spec/rails/auth_spec.rb

@@ -0,0 +1,5 @@
+RSpec.describe Rails::Auth do
+  it "has a version number" do
+    expect(Rails::Auth::VERSION).not_to be nil
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,23 @@
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+require "rails/auth"
+require "rails/auth/rspec"
+require "support/create_certs"
+require "support/claims_predicate"
+require "pathname"
+
+RSpec.configure(&:disable_monkey_patching!)
+
+def cert_path(name)
+  Pathname.new(File.expand_path("../../tmp/certs", __FILE__)).join(name)
+end
+
+def fixture_path(*args)
+  Pathname.new(File.expand_path("../fixtures", __FILE__)).join(*args)
+end
+
+def env_for(method, path)
+  {
+    "REQUEST_METHOD" => method.to_s.upcase,
+    "REQUEST_PATH"   => path
+  }
+end

data/spec/support/claims_predicate.rb

@@ -0,0 +1,11 @@
+# An additional predicate class for tests
+class ClaimsPredicate
+  def initialize(options)
+    @options = options
+  end
+
+  def match(_env)
+    # Pretend like our principal is in the "example" group
+    @options["group"] == "example"
+  end
+end

data/spec/support/create_certs.rb

@@ -0,0 +1,59 @@
+require "certificate_authority"
+require "fileutils"
+
+cert_path = File.expand_path("../../../tmp/certs", __FILE__)
+FileUtils.mkdir_p(cert_path)
+
+#
+# Create CA certificate
+#
+
+ca = CertificateAuthority::Certificate.new
+
+ca.subject.common_name  = "cacertificate.com"
+ca.serial_number.number = 1
+ca.key_material.generate_key
+ca.signing_entity = true
+
+ca.sign! "extensions" => { "keyUsage" => { "usage" => %w(critical keyCertSign) } }
+
+ca_cert_path = File.join(cert_path, "ca.crt")
+ca_key_path  = File.join(cert_path, "ca.key")
+
+File.write ca_cert_path, ca.to_pem
+File.write ca_key_path,  ca.key_material.private_key.to_pem
+
+#
+# Valid client certificate
+#
+
+valid_cert = CertificateAuthority::Certificate.new
+valid_cert.subject.common_name = "127.0.0.1"
+valid_cert.subject.organizational_unit = "ponycopter"
+valid_cert.serial_number.number = 2
+valid_cert.key_material.generate_key
+valid_cert.parent = ca
+valid_cert.sign!
+
+valid_cert_path = File.join(cert_path, "valid.crt")
+valid_key_path  = File.join(cert_path, "valid.key")
+
+File.write valid_cert_path, valid_cert.to_pem
+File.write valid_key_path,  valid_cert.key_material.private_key.to_pem
+
+#
+# Create evil MitM self-signed certificate
+#
+
+self_signed_cert = CertificateAuthority::Certificate.new
+self_signed_cert.subject.common_name = "127.0.0.1"
+self_signed_cert.subject.organizational_unit = "ponycopter"
+self_signed_cert.serial_number.number = 2
+self_signed_cert.key_material.generate_key
+self_signed_cert.sign!
+
+self_signed_cert_path = File.join(cert_path, "invalid.crt")
+self_signed_key_path  = File.join(cert_path, "invalid.key")
+
+File.write self_signed_cert_path, self_signed_cert.to_pem
+File.write self_signed_key_path,  self_signed_cert.key_material.private_key.to_pem

metadata

@@ -1,78 +1,115 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.0.1
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-01-04 00:00:00.000000000 Z
+date: 2016-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.11'
-  type: :development
+        version: '0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.10'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-description: An exciting gem awaits this name really soon now!
+        version: '10.0'
+description: A plugin-based framework for supporting multiple authentication and authorization
+  systems in Rails/Rack apps. Supports resource-oriented route-by-route access control
+  lists with TLS authentication.
 email:
-- bascule@gmail.com
+- tonyarcieri@squareup.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".travis.yml"
+- CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
+- Guardfile
+- LICENSE
 - README.md
 - Rakefile
-- bin/console
-- bin/setup
 - lib/rails/auth.rb
+- lib/rails/auth/acl.rb
+- lib/rails/auth/acl/matchers/allow_all.rb
+- lib/rails/auth/acl/middleware.rb
+- lib/rails/auth/acl/resource.rb
+- lib/rails/auth/exceptions.rb
+- lib/rails/auth/principals.rb
+- lib/rails/auth/rack.rb
+- lib/rails/auth/rspec.rb
+- lib/rails/auth/rspec/helper_methods.rb
+- lib/rails/auth/rspec/matchers/acl_matchers.rb
 - lib/rails/auth/version.rb
+- lib/rails/auth/x509/filter/java.rb
+- lib/rails/auth/x509/filter/pem.rb
+- lib/rails/auth/x509/matcher.rb
+- lib/rails/auth/x509/middleware.rb
+- lib/rails/auth/x509/principal.rb
 - rails-auth.gemspec
-homepage: 
-licenses: []
-metadata: {}
+- spec/fixtures/example_acl.yml
+- spec/rails/auth/acl/matchers/allow_all_spec.rb
+- spec/rails/auth/acl/middleware_spec.rb
+- spec/rails/auth/acl/resource_spec.rb
+- spec/rails/auth/acl_spec.rb
+- spec/rails/auth/principals_spec.rb
+- spec/rails/auth/rspec/helper_methods_spec.rb
+- spec/rails/auth/rspec/matchers/acl_matchers_spec.rb
+- spec/rails/auth/x509/matcher_spec.rb
+- spec/rails/auth/x509/middleware_spec.rb
+- spec/rails/auth/x509/principal_spec.rb
+- spec/rails/auth_spec.rb
+- spec/spec_helper.rb
+- spec/support/claims_predicate.rb
+- spec/support/create_certs.rb
+homepage: https://github.com/square/rails-auth/
+licenses:
+- Apache-2.0
+metadata:
+  allowed_push_host: https://rubygems.org
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -81,7 +118,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -92,6 +129,5 @@ rubyforge_project:
 rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: Placeholder for an upcoming gem. Stay tuned!
+summary: Modular resource-oriented authentication and authorization for Rails/Rack
 test_files: []
-has_rdoc: 

data/bin/console

@@ -1,14 +0,0 @@
-#!/usr/bin/env ruby
-
-require "bundler/setup"
-require "rails/auth"
-
-# You can add fixtures and/or initialization code here to make experimenting
-# with your gem easier. You can also use a different console, if you like.
-
-# (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
-# Pry.start
-
-require "irb"
-IRB.start

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here