rails-auth 1.3.0 → 2.0.1

data/lib/rails/auth/monitor/middleware.rb

@@ -0,0 +1,28 @@
+module Rails
+  module Auth
+    module Monitor
+      # Fires a user-specified callback which reports on authorization success
+      # or failure. Useful for logging or monitoring systems for AuthZ failures
+      class Middleware
+        def initialize(app, callback)
+          raise TypeError, "expected Proc callback, got #{callback.class}" unless callback.is_a?(Proc)
+
+          @app      = app
+          @callback = callback
+        end
+
+        def call(env)
+          begin
+            result = @app.call(env)
+          rescue Rails::Auth::NotAuthorizedError
+            @callback.call(env, false)
+            raise
+          end
+
+          @callback.call(env, true)
+          result
+        end
+      end
+    end
+  end
+end

data/lib/rails/auth/rack.rb

@@ -6,9 +6,9 @@ require "openssl"
 
 require "rails/auth/version"
 
+require "rails/auth/env"
 require "rails/auth/exceptions"
-
-require "rails/auth/override"
+require "rails/auth/helpers"
 
 require "rails/auth/acl"
 require "rails/auth/acl/middleware"
@@ -20,6 +20,8 @@ require "rails/auth/credentials/injector_middleware"
 require "rails/auth/error_page/middleware"
 require "rails/auth/error_page/debug_middleware"
 
+require "rails/auth/monitor/middleware"
+
 require "rails/auth/x509/certificate"
 require "rails/auth/x509/filter/pem"
 require "rails/auth/x509/filter/java" if defined?(JRUBY_VERSION)

data/lib/rails/auth/rspec/helper_methods.rb

@@ -3,6 +3,24 @@ module Rails
     module RSpec
       # RSpec helper methods
       module HelperMethods
+        # Credentials to be injected into the request during tests
+        def test_credentials
+          Rails.configuration.x.rails_auth.test_credentials
+        end
+
+        # Perform a test with the given credentials
+        # NOTE: Credentials will be *cleared* after the block. Nesting is not allowed.
+        def with_credentials(credentials = {})
+          raise TypeError, "expected Hash of credentials, got #{credentials.class}" unless credentials.is_a?(Hash)
+          test_credentials.clear
+
+          credentials.each do |type, value|
+            test_credentials[type.to_s] = value
+          end
+        ensure
+          test_credentials.clear
+        end
+
         # Creates an Rails::Auth::X509::Certificate instance double
         def x509_certificate(cn: nil, ou: nil)
           subject = ""
@@ -25,7 +43,7 @@ module Rails
         end
 
         Rails::Auth::ACL::Resource::HTTP_METHODS.each do |method|
-          define_method("#{method.downcase}_request") do |certificates: {}|
+          define_method("#{method.downcase}_request") do |credentials: {}|
             path = self.class.description
 
             # Warn if methods are improperly used
@@ -38,7 +56,7 @@ module Rails
               "PATH_INFO"      => self.class.description
             }
 
-            certificates.each do |type, value|
+            credentials.each do |type, value|
               Rails::Auth.add_credential(env, type.to_s, value)
             end
 

data/lib/rails/auth/version.rb

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "1.3.0".freeze
+    VERSION = "2.0.1".freeze
   end
 end

data/lib/rails/auth/x509/matcher.rb

@@ -1,7 +1,7 @@
 module Rails
   module Auth
     module X509
-      # Predicate matcher for making assertions about X.509 certificates
+      # Matcher for making assertions about X.509 certificates
       class Matcher
         # @option options [String] cn Common Name of the subject
         # @option options [String] ou Organizational Unit of the subject

data/spec/rails/auth/acl/middleware_spec.rb

@@ -31,7 +31,8 @@ RSpec.describe Rails::Auth::ACL::Middleware do
         end
 
         def call(env)
-          Rails::Auth.authorized!(env)
+          allowed_by = "example"
+          Rails::Auth.authorized!(env, allowed_by)
           @app.call(env)
         end
       end

data/spec/rails/auth/acl/resource_spec.rb

@@ -4,8 +4,8 @@ RSpec.describe Rails::Auth::ACL::Resource do
   let(:example_path)   { "/foobar" }
   let(:another_path)   { "/baz" }
 
-  let(:example_predicates) { { "example" => double(:predicate, match: predicate_matches) } }
-  let(:example_resource)   { described_class.new(example_options, example_predicates) }
+  let(:example_matchers) { { "example" => double(:matcher, match: matcher_matches) } }
+  let(:example_resource)   { described_class.new(example_options, example_matchers) }
   let(:example_env)        { env_for(example_method, example_path) }
 
   describe "#initialize" do
@@ -59,37 +59,37 @@ RSpec.describe Rails::Auth::ACL::Resource do
     end
 
     describe "#match" do
-      context "with matching predicates and method/path" do
-        let(:predicate_matches) { true }
+      context "with matching matchers and method/path" do
+        let(:matcher_matches) { true }
 
         it "matches against a valid resource" do
-          expect(example_resource.match(example_env)).to eq true
+          expect(example_resource.match(example_env)).to eq "example"
         end
       end
 
-      context "without matching predicates" do
-        let(:predicate_matches) { false }
+      context "without matching matchers" do
+        let(:matcher_matches) { false }
 
         it "doesn't match against a valid resource" do
-          expect(example_resource.match(example_env)).to eq false
+          expect(example_resource.match(example_env)).to eq nil
         end
       end
 
       context "without a method/path match" do
-        let(:predicate_matches) { true }
+        let(:matcher_matches) { true }
 
         it "doesn't match" do
           env = env_for(another_method, example_path)
-          expect(example_resource.match(env)).to eq false
+          expect(example_resource.match(env)).to eq nil
         end
       end
     end
 
     describe "#match!" do
-      let(:predicate_matches) { false }
+      let(:matcher_matches) { false }
 
       it "matches against all methods if specified" do
-        resource = described_class.new(example_options.merge("method" => "ALL"), example_predicates)
+        resource = described_class.new(example_options.merge("method" => "ALL"), example_matchers)
         expect(resource.match!(example_env)).to eq true
       end
 
@@ -108,7 +108,7 @@ RSpec.describe Rails::Auth::ACL::Resource do
   context "with a host specified" do
     let(:example_host) { "www.example.com" }
     let(:bogus_host)   { "www.trololol.com" }
-    let(:predicate_matches) { true }
+    let(:matcher_matches) { true }
 
     let(:example_options) do
       {
@@ -121,24 +121,24 @@ RSpec.describe Rails::Auth::ACL::Resource do
     describe "#match" do
       it "matches if the host matches" do
         example_env["HTTP_HOST"] = example_host
-        expect(example_resource.match(example_env)).to eq true
+        expect(example_resource.match(example_env)).to eq "example"
       end
 
       it "doesn't match if the host mismatches" do
         example_env["HTTP_HOST"] = bogus_host
-        expect(example_resource.match(example_env)).to eq false
+        expect(example_resource.match(example_env)).to eq nil
       end
     end
 
     describe "#match!" do
       it "matches if the host matches" do
         example_env["HTTP_HOST"] = example_host
-        expect(example_resource.match(example_env)).to eq true
+        expect(example_resource.match(example_env)).to eq "example"
       end
 
       it "doesn't match if the host mismatches" do
         example_env["HTTP_HOST"] = bogus_host
-        expect(example_resource.match(example_env)).to eq false
+        expect(example_resource.match(example_env)).to eq nil
       end
     end
   end

data/spec/rails/auth/acl_spec.rb

@@ -19,9 +19,9 @@ RSpec.describe Rails::Auth::ACL do
 
   describe "#match" do
     it "matches routes against the ACL" do
-      expect(example_acl.match(env_for(:get, "/"))).to eq true
-      expect(example_acl.match(env_for(:get, "/foo/bar/baz"))).to eq true
-      expect(example_acl.match(env_for(:get, "/_admin"))).to eq false
+      expect(example_acl.match(env_for(:get, "/"))).to eq "allow_all"
+      expect(example_acl.match(env_for(:get, "/foo/bar/baz"))).to eq "allow_claims"
+      expect(example_acl.match(env_for(:get, "/_admin"))).to eq nil
     end
   end
 

data/spec/rails/auth/credentials/injector_middleware_spec.rb

@@ -6,6 +6,6 @@ RSpec.describe Rails::Auth::Credentials::InjectorMiddleware do
 
   it "overrides rails-auth credentials in the rack environment" do
     _response, env = middleware.call(request)
-    expect(env[Rails::Auth::CREDENTIALS_ENV_KEY]).to eq credentials
+    expect(env[Rails::Auth::Env::CREDENTIALS_ENV_KEY]).to eq credentials
   end
 end

data/spec/rails/auth/credentials_spec.rb

@@ -1,52 +1,31 @@
 RSpec.describe Rails::Auth::Credentials do
-  describe "#credentials" do
-    let(:example_type)        { "example" }
-    let(:example_credentials) { { example_type => double(:credential) } }
+  let(:rack_env) { Rack::MockRequest.env_for("https://www.example.com") }
 
-    let(:example_env) do
-      env_for(:get, "/").tap do |env|
-        env[Rails::Auth::CREDENTIALS_ENV_KEY] = example_credentials
-      end
-    end
+  let(:example_cn) { "127.0.0.1" }
+  let(:example_ou) { "ponycopter" }
 
-    it "extracts credentials from Rack environments" do
-      expect(Rails::Auth.credentials(example_env)).to eq example_credentials
-    end
-  end
+  let(:example_credential_type)  { "x509" }
+  let(:example_credential_value) { instance_double(Rails::Auth::X509::Certificate, cn: example_cn, ou: example_ou) }
 
-  describe "#add_credential" do
-    let(:example_type)       { "example" }
-    let(:example_credential) { double(:credential) }
-    let(:example_env)        { env_for(:get, "/") }
+  subject(:credentials) { described_class.new(example_credential_type => example_credential_value) }
 
-    it "adds credentials to a Rack environment" do
-      expect(Rails::Auth.credentials(example_env)[example_type]).to be_nil
-      Rails::Auth.add_credential(example_env, example_type, example_credential)
-      expect(Rails::Auth.credentials(example_env)[example_type]).to eq example_credential
+  describe ".from_rack_env" do
+    it "initializes from a Rack environment" do
+      expect(described_class.from_rack_env(rack_env)).to be_a described_class
     end
+  end
 
-    context "when called twice for the same credential type" do
-      let(:second_credential) { double(:credential2) }
-
-      it "succeeds if the credentials are the same" do
-        allow(example_credential).to receive(:==).and_return(true)
-
-        Rails::Auth.add_credential(example_env, example_type, example_credential)
-
-        expect do
-          Rails::Auth.add_credential(example_env, example_type, second_credential)
-        end.to_not raise_error
-      end
-
-      it "raises ArgumentError if the credentials are different" do
-        allow(example_credential).to receive(:==).and_return(false)
-
-        Rails::Auth.add_credential(example_env, example_type, example_credential)
+  describe "[]" do
+    it "allows hash-like access to credentials" do
+      expect(credentials[example_credential_type]).not_to be_blank
+    end
+  end
 
-        expect do
-          Rails::Auth.add_credential(example_env, example_type, second_credential)
-        end.to raise_error(ArgumentError)
-      end
+  describe "[]=" do
+    it "raises AlreadyAuthorizedError if credential has already been set" do
+      expect do
+        credentials[example_credential_type] = example_credential_value
+      end.to raise_error(Rails::Auth::AlreadyAuthorizedError)
     end
   end
 end

data/spec/rails/auth/env_spec.rb

@@ -0,0 +1,31 @@
+RSpec.describe Rails::Auth::Env do
+  let(:rack_env)          { Rack::MockRequest.env_for("https://www.example.com") }
+  let(:example_authority) { "some-authority" }
+
+  subject(:example_env) { described_class.new(rack_env) }
+
+  it "stores authorization state in the Rack environment" do
+    expect(example_env).not_to be_authorized
+    expect(example_env.to_rack.key?(described_class::AUTHORIZED_ENV_KEY)).to eq false
+    expect(example_env.to_rack.key?(described_class::ALLOWED_BY_ENV_KEY)).to eq false
+
+    example_env.authorize(example_authority)
+    expect(example_env).to be_authorized
+    expect(example_env.to_rack[described_class::AUTHORIZED_ENV_KEY]).to eq true
+    expect(example_env.to_rack[described_class::ALLOWED_BY_ENV_KEY]).to eq example_authority
+  end
+
+  it "stores authorizers in the Rack environment" do
+    expect(example_env.allowed_by).to be_nil
+    expect(example_env.to_rack.key?(described_class::ALLOWED_BY_ENV_KEY)).to eq false
+
+    example_env.allowed_by = example_authority
+    expect(example_env.allowed_by).to eq example_authority
+    expect(example_env.to_rack[described_class::ALLOWED_BY_ENV_KEY]).to eq example_authority
+  end
+
+  # TODO: this could probably be a bit more extensive
+  it "stores credentials in the Rack enviroment" do
+    expect(example_env.credentials).to be_a Rails::Auth::Credentials
+  end
+end

data/spec/rails/auth/monitor/middleware_spec.rb

@@ -0,0 +1,39 @@
+RSpec.describe Rails::Auth::Monitor::Middleware do
+  let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
+
+  describe "access granted" do
+    let(:code) { 200 }
+    let(:app)  { ->(env) { [code, env, "Hello, world!"] } }
+
+    it "fires the callback with the env and true" do
+      callback_fired = false
+
+      middleware = described_class.new(app, lambda do |env, success|
+        callback_fired = true
+        expect(env).to be_a Hash
+        expect(success).to eq true
+      end)
+
+      response = middleware.call(request)
+      expect(callback_fired).to eq true
+      expect(response.first).to eq code
+    end
+  end
+
+  describe "access denied" do
+    let(:app) { ->(_env) { raise(Rails::Auth::NotAuthorizedError, "not authorized!") } }
+
+    it "renders the error page" do
+      callback_fired = false
+
+      middleware = described_class.new(app, lambda do |env, success|
+        callback_fired = true
+        expect(env).to be_a Hash
+        expect(success).to eq false
+      end)
+
+      expect { middleware.call(request) }.to raise_error(Rails::Auth::NotAuthorizedError)
+      expect(callback_fired).to eq true
+    end
+  end
+end

data/spec/rails/auth/rspec/helper_methods_spec.rb

@@ -1,7 +1,33 @@
+require "ostruct"
+
 RSpec.describe Rails::Auth::RSpec::HelperMethods, acl_spec: true do
   let(:example_cn) { "127.0.0.1" }
   let(:example_ou) { "ponycopter" }
 
+  before do
+    credentials   = {}
+    rails_auth    = double("config", test_credentials: credentials)
+    x_config      = double("config", rails_auth: rails_auth)
+    configuration = double("config", x: x_config)
+
+    allow(Rails).to receive(:configuration).and_return(configuration)
+  end
+
+  describe "#with_credentials" do
+    let(:example_credential_type)  { :x509 }
+    let(:example_credential_value) { x509_certificate(cn: example_cn, ou: example_ou) }
+
+    it "sets credentials in the Rails config" do
+      expect(test_credentials[example_credential_type]).to be_nil
+
+      with_credentials(example_credential_type => example_credential_value) do
+        expect(test_credentials[example_credential_type]).to be example_credential_value
+      end
+
+      expect(test_credentials[example_credential_type]).to be_nil
+    end
+  end
+
   describe "#x509_certificate" do
     subject { x509_certificate(cn: example_cn, ou: example_ou) }
 

data/spec/rails/auth/rspec/matchers/acl_matchers_spec.rb

@@ -13,8 +13,8 @@ RSpec.describe "RSpec ACL matchers", acl_spec: true do
   end
 
   describe "/baz/quux" do
-    it { is_expected.to permit get_request(certificates: example_certificate) }
-    it { is_expected.not_to permit get_request(certificates: another_certificate) }
+    it { is_expected.to permit get_request(credentials: example_certificate) }
+    it { is_expected.not_to permit get_request(credentials: another_certificate) }
     it { is_expected.not_to permit get_request }
   end
 end

data/spec/rails/auth/x509/matcher_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Rails::Auth::X509::Matcher do
   let(:another_ou) { "somethingelse" }
 
   let(:example_env) do
-    { Rails::Auth::CREDENTIALS_ENV_KEY => { "x509" => example_certificate } }
+    { Rails::Auth::Env::CREDENTIALS_ENV_KEY => { "x509" => example_certificate } }
   end
 
   describe "#match" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-07-16 00:00:00.000000000 Z
+date: 2016-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -80,14 +80,17 @@ files:
 - lib/rails/auth/acl/matchers/allow_all.rb
 - lib/rails/auth/acl/middleware.rb
 - lib/rails/auth/acl/resource.rb
+- lib/rails/auth/config_builder.rb
 - lib/rails/auth/controller_methods.rb
 - lib/rails/auth/credentials.rb
 - lib/rails/auth/credentials/injector_middleware.rb
+- lib/rails/auth/env.rb
 - lib/rails/auth/error_page/debug_middleware.rb
 - lib/rails/auth/error_page/debug_page.html.erb
 - lib/rails/auth/error_page/middleware.rb
 - lib/rails/auth/exceptions.rb
-- lib/rails/auth/override.rb
+- lib/rails/auth/helpers.rb
+- lib/rails/auth/monitor/middleware.rb
 - lib/rails/auth/rack.rb
 - lib/rails/auth/rspec.rb
 - lib/rails/auth/rspec/helper_methods.rb
@@ -107,8 +110,10 @@ files:
 - spec/rails/auth/controller_methods_spec.rb
 - spec/rails/auth/credentials/injector_middleware_spec.rb
 - spec/rails/auth/credentials_spec.rb
+- spec/rails/auth/env_spec.rb
 - spec/rails/auth/error_page/debug_middleware_spec.rb
 - spec/rails/auth/error_page/middleware_spec.rb
+- spec/rails/auth/monitor/middleware_spec.rb
 - spec/rails/auth/rspec/helper_methods_spec.rb
 - spec/rails/auth/rspec/matchers/acl_matchers_spec.rb
 - spec/rails/auth/x509/certificate_spec.rb