rails-auth 1.0.0 → 1.1.0
- checksums.yaml +4 -4
- data/CHANGES.md +11 -0
- data/README.md +2 -2
- data/lib/rails/auth/acl/middleware.rb +1 -1
- data/lib/rails/auth/credentials.rb +7 -0
- data/lib/rails/auth/override.rb +29 -0
- data/lib/rails/auth/rack.rb +2 -0
- data/lib/rails/auth/version.rb +1 -1
- data/lib/rails/auth/x509/certificate.rb +8 -0
- data/lib/rails/auth/x509/filter/pem.rb +1 -1
- data/spec/rails/auth/acl/middleware_spec.rb +20 -0
- data/spec/rails/auth/credentials_spec.rb +20 -4
- data/spec/rails/auth/x509/certificate_spec.rb +7 -0
- metadata +4 -2
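--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fe64cc61d2ee90c0108495d16f8ddb385c26caf2
+data.tar.gz: 49f2318348eac65b42d60875028047bdcfe3a555
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0a99e56a462666b4c6140e03f5066a6ba43b5e9707742300dc1ddcb9478b61380268d5ea604cb1cc06aaa6da34a7ae969cd22f75b85f656414bbea46f4063b13
+data.tar.gz: eb25fca0e6a870093bc7d638fecb214594d0d3c467b7b50400c43b2dbdb1cb3e96612b7cfe9aac0c0e0656e178d094f3356923c2a157f5fca47bf7f4e75f9be5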
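--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,13 @@
+### 1.1.0 (2016-06-23)
+
+* [#26](https://github.com/square/rails-auth/pull/26)
+Make add_credential idempotent.
+([@ewr])
+
+* [#25](https://github.com/square/rails-auth/pull/25)
+Allow outside middleware to mark a request as authorized.
+([@ewr])
+
 ### 1.0.0 (2016-05-03)
 
 * Initial 1.0 release!
@@ -82,3 +92,4 @@
 
 
 [@tarcieri]: https://github.com/tarcieri
+[@ewr]: https://github.com/ewr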
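--- a/data/README.md
+++ b/data/README.md
@@ -448,12 +448,12 @@ RSpec.describe "example_acl.yml", acl_spec: true do
 subject do
 Rails::Auth::ACL.from_yaml(
 File.read("/path/to/example_acl.yml"),
-matchers: { allow_x509_subject: Rails::Auth::X509::Matcher }
+matchers: { allow_x509_subject: Rails::Auth::X509::Matcher } # add your custom matchers too
 )
 end
 
 describe "/path/to/resource" do
-it { is_expected.to permit get_request(
+it { is_expected.to permit get_request(certificates: example_credentials) }
 it { is_expected.not_to permit get_request) }
 end
 end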
@@ -25,7 +25,14 @@ module Rails
|
|
25
25
|
def add_credential(env, type, credential)
|
26
26
|
credentials = env[CREDENTIALS_ENV_KEY] ||= {}
|
27
27
|
|
28
|
+
# Adding a credential is idempotent, so attempting to reregister
|
29
|
+
# the same credential should be harmless
|
30
|
+
return env if credentials.key?(type) && credentials[type] == credential
|
31
|
+
|
32
|
+
# raise if we already have a cred, but it didn't short-circuit as
|
33
|
+
# being == to the one supplied
|
28
34
|
raise ArgumentError, "credential #{type} already added to request" if credentials.key?(type)
|
35
|
+
|
29
36
|
credentials[type] = credential
|
30
37
|
|
31
38
|
env
|
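Review bot: The new early return `return env if credentials.key?(type) && credentials[type] == credential` lets the stored credential's own `==` decide whether a second registration is silently accepted, and the added comment does not say what that method has to guarantee. A credential class whose `==` is looser than a comparison of the full credential would make a different credential look like a harmless re-registration, with the first one kept. I would extend the comment with `# Relies on the stored credential's ==, which must compare the full credential value; classes without value equality fall through to the raise below`. The `end` of add_credential lies outside the hunk.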
@@ -0,0 +1,29 @@
|
|
1
|
+
module Rails
|
2
|
+
# Modular resource-based authentication and authorization for Rails/Rack
|
3
|
+
module Auth
|
4
|
+
# Rack environment key for marking external authorization
|
5
|
+
AUTHORIZED_ENV_KEY = "rails-auth.authorized".freeze
|
6
|
+
|
7
|
+
# Functionality allowing external middleware to override our ACL check process
|
8
|
+
module Override
|
9
|
+
# Mark a request as externally authorized. Causes ACL checks to be skipped.
|
10
|
+
#
|
11
|
+
# @param [Hash] :env Rack environment
|
12
|
+
#
|
13
|
+
def authorized!(env)
|
14
|
+
env[AUTHORIZED_ENV_KEY] = true
|
15
|
+
end
|
16
|
+
|
17
|
+
# Check whether a request has been externally authorized? Used to bypass
|
18
|
+
# ACL check.
|
19
|
+
#
|
20
|
+
# @param [Hash] :env Rack environment
|
21
|
+
#
|
22
|
+
def authorized?(env)
|
23
|
+
env.fetch(AUTHORIZED_ENV_KEY, false)
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
extend Override
|
28
|
+
end
|
29
|
+
end
|
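Review bot: `authorized?` returns whatever is stored under `AUTHORIZED_ENV_KEY`, so any truthy value that some middleware puts there (a non-empty string, a hash) counts as authorization and, per the comment above the method, bypasses the ACL check. Returning a strict boolean closes that: `env[AUTHORIZED_ENV_KEY] == true`. The doc comment on `authorized!` should also say that the calling middleware is responsible for having authenticated and authorized the request itself and has to run in front of the ACL middleware; the middleware.rb side of this change is not visible here, so how the flag is consumed is inferred from the comments. The YARD tags would conventionally read `# @param env [Hash] Rack environment`.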
data/lib/rails/auth/rack.rb
CHANGED
data/lib/rails/auth/version.rb
CHANGED
@@ -45,6 +45,14 @@ module Rails
|
|
45
45
|
ou: ou
|
46
46
|
}
|
47
47
|
end
|
48
|
+
|
49
|
+
# Compare ourself to another object by ensuring that it has the same type
|
50
|
+
# and that its certificate pem is the same as ours
|
51
|
+
def ==(other)
|
52
|
+
other.is_a?(self.class) && other.certificate.to_der == certificate.to_der
|
53
|
+
end
|
54
|
+
|
55
|
+
alias eql? ==
|
48
56
|
end
|
49
57
|
end
|
50
58
|
end
|
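Review bot: `alias eql? ==` is added without a matching `hash`, so two certificate objects that are `eql?` still hash differently and a Hash, a Set or `uniq` will keep treating them as distinct. Adding `def hash; certificate.to_der.hash; end` next to the alias keeps the three methods consistent. The comment says the "certificate pem" is compared while the code compares `to_der`; `# and that its DER encoding is the same as ours` would match what the line does. The enclosing class starts above the hunk.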
@@ -21,4 +21,24 @@ RSpec.describe Rails::Auth::ACL::Middleware do
|
|
21
21
|
expect { expect(middleware.call(request)) }.to raise_error(Rails::Auth::NotAuthorizedError)
|
22
22
|
end
|
23
23
|
end
|
24
|
+
|
25
|
+
context "externally authorized requests" do
|
26
|
+
let(:authorized) { false }
|
27
|
+
let(:external_middleware) do
|
28
|
+
Class.new do
|
29
|
+
def initialize(app)
|
30
|
+
@app = app
|
31
|
+
end
|
32
|
+
|
33
|
+
def call(env)
|
34
|
+
Rails::Auth.authorized!(env)
|
35
|
+
@app.call(env)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
it "allows externally authorized requests" do
|
41
|
+
expect(external_middleware.new(middleware).call(request)[0]).to eq 200
|
42
|
+
end
|
43
|
+
end
|
24
44
|
end
|
@@ -25,12 +25,28 @@ RSpec.describe Rails::Auth::Credentials do
|
|
25
25
|
expect(Rails::Auth.credentials(example_env)[example_type]).to eq example_credential
|
26
26
|
end
|
27
27
|
|
28
|
-
|
29
|
-
|
28
|
+
context "when called twice for the same credential type" do
|
29
|
+
let(:second_credential) { double(:credential2) }
|
30
|
+
|
31
|
+
it "succeeds if the credentials are the same" do
|
32
|
+
allow(example_credential).to receive(:==).and_return(true)
|
30
33
|
|
31
|
-
expect do
|
32
34
|
Rails::Auth.add_credential(example_env, example_type, example_credential)
|
33
|
-
|
35
|
+
|
36
|
+
expect do
|
37
|
+
Rails::Auth.add_credential(example_env, example_type, second_credential)
|
38
|
+
end.to_not raise_error
|
39
|
+
end
|
40
|
+
|
41
|
+
it "raises ArgumentError if the credentials are different" do
|
42
|
+
allow(example_credential).to receive(:==).and_return(false)
|
43
|
+
|
44
|
+
Rails::Auth.add_credential(example_env, example_type, example_credential)
|
45
|
+
|
46
|
+
expect do
|
47
|
+
Rails::Auth.add_credential(example_env, example_type, second_credential)
|
48
|
+
end.to raise_error(ArgumentError)
|
49
|
+
end
|
34
50
|
end
|
35
51
|
end
|
36
52
|
end
|
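Review bot: The "succeeds if the credentials are the same" example stubs `==` to return true and then only checks that nothing is raised, so it never pins which credential is left in the env after the second call. Since the early return keeps the first one, I would add `expect(Rails::Auth.credentials(example_env)[example_type]).to be(example_credential)` after the `expect do … end.to_not raise_error` block; `be` compares identity and is not affected by the stubbed `==`. The surrounding describe block begins outside the hunk.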
@@ -28,4 +28,11 @@ RSpec.describe Rails::Auth::X509::Certificate do
|
|
28
28
|
it "knows its attributes" do
|
29
29
|
expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
|
30
30
|
end
|
31
|
+
|
32
|
+
it "compares certificate objects by comparing their certificates" do
|
33
|
+
second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
|
34
|
+
second_certificate = described_class.new(second_cert)
|
35
|
+
|
36
|
+
expect(example_certificate).to be_eql second_certificate
|
37
|
+
end
|
31
38
|
end
|
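Review bot: Only the equal case is exercised, and only through `eql?`; nothing checks that `==` rejects an object of another type, which is the first half of the new comparison. Within this example `expect(example_certificate).not_to eq second_cert` would cover it, since `second_cert` is the raw OpenSSL certificate rather than a `described_class` instance. A case with a genuinely different certificate would need a second fixture, which is not visible in this hunk.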
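--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.1.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-
+date: 2016-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -87,6 +87,7 @@ files:
 - lib/rails/auth/error_page/debug_page.html.erb
 - lib/rails/auth/error_page/middleware.rb
 - lib/rails/auth/exceptions.rb
+- lib/rails/auth/override.rb
 - lib/rails/auth/rack.rb
 - lib/rails/auth/rspec.rb
 - lib/rails/auth/rspec/helper_methods.rb
@@ -143,3 +144,4 @@ signing_key:
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack
 test_files: []
+has_rdoc: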