rails-auth 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 80fe77f1e603f206962d83d87f214d2f57e1dee9
-  data.tar.gz: 1c3eb52e07760479ad2254428bce28527b4deab4
+  metadata.gz: 91890f235f52285df442021821f7cafe571d159d
+  data.tar.gz: 317be3357a00fe49de1e6f6e35e143887c6cd8ab
 SHA512:
-  metadata.gz: 18bdd7c51f0aa9844b0f7305f3a4455e93a6e3830722633924d433dd95ec608cd45354195007ca26a7020e9eb433f82ff8630a9bfe0b8b3a7a000f4024cb8bb9
-  data.tar.gz: 4d3b4b5146d98fbd5335944bbb5bba3a233f886b325430058415e4e5ca6961f273dfb9cd80744e8f0ccd839d4a12c1779b208cb6864f2df819be9fa1a2d511cc
+  metadata.gz: 5d922c273e1ea6bcc90c9dbd7b4c46a44e4d26f350162ecc48cfd5b9412b98242f5ce51a4191729a68c9d86d83bee0879c4e7c407393b8bff309ee30be0cc7bb
+  data.tar.gz: 50c8da3ad9fada2f4347f42090e685103b851771f58d61d14e3d4939937a062017fdf107c57c4ede0ef4c2f392f5b0522c08f493e516c486e6682a2672939c74

data/.rubocop.yml

@@ -15,4 +15,7 @@ Metrics/MethodLength:
   Max: 25
 
 Metrics/AbcSize:
-  Max: 20
+  Max: 25
+
+Metrics/CyclomaticComplexity:
+  Max: 8

data/CHANGES.md

@@ -1,3 +1,13 @@
+### 0.4.0 (2016-03-14)
+
+* [#14](https://github.com/square/rails-auth/pull/14)
+  Support for optionally matching hostnames in ACL resources.
+  ([@tarcieri])
+
+* [#13](https://github.com/square/rails-auth/pull/13)
+  Add #attributes method to matchers and X.509 certs.
+  ([@tarcieri])
+
 ### 0.3.0 (2016-03-12)
 
 * [#12](https://github.com/square/rails-auth/pull/12)

data/README.md

@@ -216,6 +216,9 @@ Resources are defined by the following constraints:
 * **path**: A regular expression to match the path. `\A` and `\z` are added by
   default to the beginning and end of the regex to ensure the entire path and
   not a substring is matched.
+* **host** (optional): a regular expression to match the `Host:` header passed
+  by the client. Useful if your app services traffic for more than one hostname
+  and you'd like to restrict ACLs by host.
 
 Once you've defined an ACL, you'll need to create a corresponding ACL object
 in Ruby and a middleware to authorize requests using that ACL. Add the

data/lib/rails/auth/acl/matchers/allow_all.rb

@@ -13,6 +13,13 @@ module Rails
           def match(_env)
             @enabled
           end
+
+          # Generates inspectable attributes for debugging
+          #
+          # @return [true, false] is the matcher enabled?
+          def attributes
+            @enabled
+          end
         end
       end
     end

data/lib/rails/auth/acl/resource.rb

@@ -5,13 +5,13 @@ module Rails
     class ACL
       # Rules for a particular route
       class Resource
-        attr_reader :http_methods, :path, :predicates
+        attr_reader :http_methods, :path, :host, :predicates
 
         # Valid HTTP methods
         HTTP_METHODS = %w(GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK).freeze
 
         # Options allowed for resource matchers
-        VALID_OPTIONS = %w(method path).freeze
+        VALID_OPTIONS = %w(method path host).freeze
 
         # @option :options [String] :method HTTP method allowed ("ALL" for all methods)
         # @option :options [String] :path path to the resource (regex syntax allowed)
@@ -25,9 +25,16 @@ module Rails
             raise ParseError, "unrecognized key in ACL resource: #{extra_keys.first}"
           end
 
-          @http_methods = extract_methods(options["method"])
-          @path         = /\A#{options.fetch("path")}\z/
+          methods = options["method"] || raise(ParseError, "no 'method' key in resource: #{options.inspect}")
+          path    = options["path"]   || raise(ParseError, "no 'path' key in resource: #{options.inspect}")
+
+          @http_methods = extract_methods(methods)
+          @path         = /\A#{path}\z/
           @predicates   = predicates.freeze
+
+          # Unlike method and path, host is optional
+          host = options["host"]
+          @host = /\A#{host}\z/ if host
         end
 
         # Match this resource against the given Rack environment, checking all
@@ -38,20 +45,21 @@ module Rails
         # @return [Boolean] resource and predicates match the given request
         #
         def match(env)
-          return false unless match_method_and_path(env)
+          return false unless match!(env)
           @predicates.any? { |_name, predicate| predicate.match(env) }
         end
 
-        # Match *only* the request method/path against the given Rack environment.
+        # Match *only* the request method/path/host against the given Rack environment.
         # Predicates are NOT checked.
         #
         # @param [Hash] :env Rack environment
         #
         # @return [Boolean] method and path *only* match the given environment
         #
-        def match_method_and_path(env)
+        def match!(env)
           return false unless @http_methods.nil? || @http_methods.include?(env["REQUEST_METHOD".freeze])
           return false unless @path =~ env["REQUEST_PATH".freeze]
+          return false unless @host.nil? || @host =~ env["HTTP_HOST".freeze]
           true
         end
 

data/lib/rails/auth/acl.rb

@@ -61,7 +61,7 @@ module Rails
       # @return [Array<Rails::Auth::ACL::Resource>] matching resources
       #
       def matching_resources(env)
-        @resources.find_all { |resource| resource.match_method_and_path(env) }
+        @resources.find_all { |resource| resource.match!(env) }
       end
 
       private

data/lib/rails/auth/version.rb

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "0.3.0".freeze
+    VERSION = "0.4.0".freeze
   end
 end

data/lib/rails/auth/x509/certificate.rb

@@ -35,6 +35,16 @@ module Rails
           @subject["OU".freeze]
         end
         alias organizational_unit ou
+
+        # Generates inspectable attributes for debugging
+        #
+        # @return [Hash] hash containing parts of the certificate subject (cn, ou)
+        def attributes
+          {
+            cn: cn,
+            ou: ou
+          }
+        end
       end
     end
   end

data/lib/rails/auth/x509/matcher.rb

@@ -6,7 +6,7 @@ module Rails
         # @option options [String] cn Common Name of the subject
         # @option options [String] ou Organizational Unit of the subject
         def initialize(options)
-          @options = options
+          @options = options.freeze
         end
 
         # @param [Hash] env Rack environment
@@ -16,6 +16,13 @@ module Rails
 
           @options.all? { |name, value| certificate[name] == value }
         end
+
+        # Generates inspectable attributes for debugging
+        #
+        # @return [Hash] hash containing parts of the certificate subject to match (cn, ou)
+        def attributes
+          @options
+        end
       end
     end
   end

data/spec/rails/auth/acl/matchers/allow_all_spec.rb

@@ -1,5 +1,5 @@
 RSpec.describe Rails::Auth::ACL::Matchers::AllowAll do
-  let(:predicate)   { described_class.new(enabled) }
+  let(:matcher)     { described_class.new(enabled) }
   let(:example_env) { env_for(:get, "/") }
 
   describe "#initialize" do
@@ -17,7 +17,7 @@ RSpec.describe Rails::Auth::ACL::Matchers::AllowAll do
       let(:enabled) { true }
 
       it "allows all requests" do
-        expect(predicate.match(example_env)).to eq true
+        expect(matcher.match(example_env)).to eq true
       end
     end
 
@@ -25,8 +25,13 @@ RSpec.describe Rails::Auth::ACL::Matchers::AllowAll do
       let(:enabled) { false }
 
       it "rejects all requests" do
-        expect(predicate.match(example_env)).to eq false
+        expect(matcher.match(example_env)).to eq false
       end
     end
   end
+
+  it "knows its attributes" do
+    matcher = described_class.new(true)
+    expect(matcher.attributes).to eq true
+  end
 end

data/spec/rails/auth/acl/resource_spec.rb

@@ -4,13 +4,6 @@ RSpec.describe Rails::Auth::ACL::Resource do
   let(:example_path)   { "/foobar" }
   let(:another_path)   { "/baz" }
 
-  let(:example_options) do
-    {
-      "method" => example_method,
-      "path"   => example_path
-    }
-  end
-
   let(:example_predicates) { { "example" => double(:predicate, match: predicate_matches) } }
   let(:example_resource)   { described_class.new(example_options, example_predicates) }
   let(:example_env)        { env_for(example_method, example_path) }
@@ -57,49 +50,96 @@ RSpec.describe Rails::Auth::ACL::Resource do
     end
   end
 
-  describe "#match" do
-    context "with matching predicates and method/path" do
-      let(:predicate_matches) { true }
+  context "without a host specified" do
+    let(:example_options) do
+      {
+        "method" => example_method,
+        "path"   => example_path
+      }
+    end
 
-      it "matches against a valid resource" do
-        expect(example_resource.match(example_env)).to eq true
+    describe "#match" do
+      context "with matching predicates and method/path" do
+        let(:predicate_matches) { true }
+
+        it "matches against a valid resource" do
+          expect(example_resource.match(example_env)).to eq true
+        end
       end
-    end
 
-    context "without matching predicates" do
-      let(:predicate_matches) { false }
+      context "without matching predicates" do
+        let(:predicate_matches) { false }
 
-      it "doesn't match against a valid resource" do
-        expect(example_resource.match(example_env)).to eq false
+        it "doesn't match against a valid resource" do
+          expect(example_resource.match(example_env)).to eq false
+        end
+      end
+
+      context "without a method/path match" do
+        let(:predicate_matches) { true }
+
+        it "doesn't match" do
+          env = env_for(another_method, example_path)
+          expect(example_resource.match(env)).to eq false
+        end
       end
     end
 
-    context "without a method/path match" do
-      let(:predicate_matches) { true }
+    describe "#match!" do
+      let(:predicate_matches) { false }
+
+      it "matches against all methods if specified" do
+        resource = described_class.new(example_options.merge("method" => "ALL"), example_predicates)
+        expect(resource.match!(example_env)).to eq true
+      end
 
-      it "doesn't match" do
+      it "doesn't match if the method mismatches" do
         env = env_for(another_method, example_path)
-        expect(example_resource.match(env)).to eq false
+        expect(example_resource.match!(env)).to eq false
+      end
+
+      it "doesn't match if the path mismatches" do
+        env = env_for(example_method, another_path)
+        expect(example_resource.match!(env)).to eq false
       end
     end
   end
 
-  describe "#match_method_and_path" do
-    let(:predicate_matches) { false }
-
-    it "matches against all methods if specified" do
-      resource = described_class.new(example_options.merge("method" => "ALL"), example_predicates)
-      expect(resource.match_method_and_path(example_env)).to eq true
+  context "with a host specified" do
+    let(:example_host) { "www.example.com" }
+    let(:bogus_host)   { "www.trololol.com" }
+    let(:predicate_matches) { true }
+
+    let(:example_options) do
+      {
+        "method" => example_method,
+        "path"   => example_path,
+        "host"   => example_host
+      }
     end
 
-    it "doesn't match if the method mismatches" do
-      env = env_for(another_method, example_path)
-      expect(example_resource.match_method_and_path(env)).to eq false
+    describe "#match" do
+      it "matches if the host matches" do
+        example_env["HTTP_HOST"] = example_host
+        expect(example_resource.match(example_env)).to eq true
+      end
+
+      it "doesn't match if the host mismatches" do
+        example_env["HTTP_HOST"] = bogus_host
+        expect(example_resource.match(example_env)).to eq false
+      end
     end
 
-    it "doesn't match if the path mismatches" do
-      env = env_for(example_method, another_path)
-      expect(example_resource.match_method_and_path(env)).to eq false
+    describe "#match!" do
+      it "matches if the host matches" do
+        example_env["HTTP_HOST"] = example_host
+        expect(example_resource.match(example_env)).to eq true
+      end
+
+      it "doesn't match if the host mismatches" do
+        example_env["HTTP_HOST"] = bogus_host
+        expect(example_resource.match(example_env)).to eq false
+      end
     end
   end
 end

data/spec/rails/auth/x509/certificate_spec.rb

@@ -24,4 +24,8 @@ RSpec.describe Rails::Auth::X509::Certificate do
   it "knows its #ou" do
     expect(example_certificate.ou).to eq example_ou
   end
+
+  it "knows its attributes" do
+    expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
+  end
 end

data/spec/rails/auth/x509/matcher_spec.rb

@@ -9,13 +9,20 @@ RSpec.describe Rails::Auth::X509::Matcher do
     { Rails::Auth::CREDENTIALS_ENV_KEY => { "x509" => example_certificate } }
   end
 
-  it "matches against a valid Rails::Auth::X509::Credential" do
-    matcher = described_class.new(ou: example_ou)
-    expect(matcher.match(example_env)).to eq true
+  describe "#match" do
+    it "matches against a valid Rails::Auth::X509::Credential" do
+      matcher = described_class.new(ou: example_ou)
+      expect(matcher.match(example_env)).to eq true
+    end
+
+    it "doesn't match if the subject mismatches" do
+      matcher = described_class.new(ou: another_ou)
+      expect(matcher.match(example_env)).to eq false
+    end
   end
 
-  it "doesn't match if the subject mismatches" do
-    matcher = described_class.new(ou: another_ou)
-    expect(matcher.match(example_env)).to eq false
+  it "knows its attributes" do
+    matcher = described_class.new(ou: example_ou)
+    expect(matcher.attributes).to eq(ou: example_ou)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-03-13 00:00:00.000000000 Z
+date: 2016-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -141,4 +141,3 @@ signing_key:
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack
 test_files: []
-has_rdoc: