rails-auth 2.1.2 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 53175b906593724848fe6edf409ec1ae4587be25
-  data.tar.gz: 22fc25df91e79d8fa2930644ca29db47c3f7270a
+SHA256:
+  metadata.gz: 773018e606b80732c9e9feeba00cc583032a39ee74de25b2ccaf3e6a852f086b
+  data.tar.gz: 755f13226f84aec603eaac1ab5d21ed803aa7ac4b37e35e3e072be3b8c7a7803
 SHA512:
-  metadata.gz: b25632b4984227bce11e227e4842595b7be966819876c3a2dc0d67f05b77b65e76917b788dc179b1c4aa7a4473766aab2d43de0e3958d98ed33f97877bc9796a
-  data.tar.gz: 0c584823d4fa31db393742b56a1511a9c7628caf01d6773c6b98a72491e7f6a731cd77b6245031db409f275adf840d987eaa57242c19cd8b63754d9e32614d18
+  metadata.gz: a900eea1969e11b56b431fab48fbe35edd4785a3d15c68ab28e0168a4289678fab7da65ed4cd136821bab93b0fce3b8ac29fb05ab02286542585bbb572d4f217
+  data.tar.gz: 55a2d4e03156e24f75db902f0c5346e756912d053b667ab4c64536902d1d443020e07be138fdc480d4dae951e73d9c55340faea88d41c7587d13f1bb11df3542

data/.rubocop.yml

@@ -1,12 +1,16 @@
 AllCops:
   DisplayCopNames: true
+  TargetRubyVersion: 2.3
 
 Style/StringLiterals:
   EnforcedStyle: double_quotes
 
-Style/ModuleFunction:
+Layout/HashAlignment:
   Enabled: false
 
+Metrics/BlockLength:
+  ExcludedMethods: ['describe', 'context']
+
 Metrics/ParameterLists:
   Max: 5
   CountKeywordArgs: false
@@ -22,3 +26,12 @@ Metrics/AbcSize:
 
 Metrics/CyclomaticComplexity:
   Max: 8
+
+Naming/MethodParameterName:
+  MinNameLength: 2
+
+Style/ModuleFunction:
+  Enabled: false
+
+Style/SafeNavigation:
+  Enabled: false

data/.travis.yml

@@ -10,12 +10,15 @@ before_install:
 bundler_args: --without development
 
 rvm:
-  - 2.0.0
-  - 2.1.10
-  - 2.2.4
-  - 2.3.0
+  - 2.4
+  - 2.5
+  - 2.6
 matrix:
   include:
-    - rvm: jruby-9.0.5.0
+    - rvm: jruby
+      jdk: openjdk8
+      env: JRUBY_OPTS="--debug" # for simplecov
+    - rvm: jruby
+      jdk: openjdk11
       env: JRUBY_OPTS="--debug" # for simplecov
   fast_finish: true

data/BUG-BOUNTY.md

@@ -1,9 +1,9 @@
-Break me and win a prize!
-=========================
+Serious about security
+======================
 
 Square recognizes the important contributions the security research community
 can make. We therefore encourage reporting security issues with the code
 contained in this repository.
 
 If you believe you have discovered a security vulnerability, please follow the
-guidelines at https://hackerone.com/square-open-source
+guidelines at <https://bugcrowd.com/squareopensource>.

data/CHANGES.md

@@ -1,3 +1,43 @@
+### 2.2.2 (2020-07-02)
+
+* [#65](https://github.com/square/rails-auth/pull/65)
+  Fix error when passing `truststore` instead of `ca_file` to X509 middleware.
+  ([@drcapulet])
+
+### 2.2.1 (2020-01-08)
+
+* [#63](https://github.com/square/rails-auth/pull/63)
+  Fix `FrozenError` in `permit` matcher description.
+  ([@drcapulet])
+
+### 2.2.0 (2019-12-05)
+
+* [#55](https://github.com/square/rails-auth/pull/55)
+  Allow dynamic injection of credentials.
+  ([@drcapulet])
+
+* [#59](https://github.com/square/rails-auth/pull/59)
+  Expose X.509 Subject Alternative Name extension
+  in the Rails::Auth::X509::Certificate and provide a convenience
+  method `spiffe_id` to expose [SPIFFE ID](https://spiffe.io).
+  ([@mbyczkowski])
+
+* [#57](https://github.com/square/rails-auth/pull/57)
+  Add support for latest versions of Ruby, JRuby and Bundler 2.
+  ([@mbyczkowski])
+
+### 2.1.4 (2018-07-12)
+
+* [#51](https://github.com/square/rails-auth/pull/51)
+  Fix bug in `permit` custom matcher so that a description is rendered.
+  ([@yellow-beard])
+
+### 2.1.3 (2017-08-04)
+
+* [#44](https://github.com/square/rails-auth/pull/44)
+  Normalize abnormal whitespace in PEM certificates for Passenger 5.
+  ([@drcapulet])
+
 ### 2.1.2 (2017-01-27)
 
 * [#42](https://github.com/square/rails-auth/pull/42)
@@ -172,6 +212,9 @@
 * Vaporware release to claim the "rails-auth" gem name
 
 
-[@tarcieri]: https://github.com/tarcieri
-[@ewr]: https://github.com/ewr
 [@drcapulet]: https://github.com/drcapulet
+[@ewr]: https://github.com/ewr
+[@mbyczkowski]: https://github.com/mbyczkowski
+[@nerdrew]: https://github.com/nerdrew
+[@tarcieri]: https://github.com/tarcieri
+[@yellow-beard]: https://github.com/yellow-beard

data/CONTRIBUTING.md

@@ -1,14 +1,15 @@
-### Sign the CLA
+# Contributing
 
-Any contributors to the master *rails-auth* repository must sign the
-[Individual Contributor License Agreement (CLA)]. It's a short form that covers
-our bases and makes sure you're eligible to contribute.
+If you would like to contribute code to *rails-auth* you can do so through GitHub by
+forking the repository and sending a pull request.
 
-### Submitting a Pull Request
+When submitting code, please make every effort to follow existing conventions
+and style in order to keep the code as readable as possible. Please also make
+sure all tests pass by running `bundle exec rspec spec`, and format your code
+according to `rubocop` rules.
 
-When you have a change you'd like to see in the master repository, send a
-[pull request]. Before we merge your request, we'll make sure you're in the list
-of people who have signed a CLA.
+Before your code can be accepted into the project you must also sign the
+Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
+will be prompted to sign once a pull request is opened.
 
-[Individual Contributor License Agreement (CLA)]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
-[pull request]: https://github.com/square/rails-auth/pulls
+[1]: https://cla-assistant.io/

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 group :development do
@@ -5,15 +7,14 @@ group :development do
 end
 
 group :development, :test do
+  gem "activesupport", "~> 4"
+  gem "certificate_authority", require: false
+  gem "coveralls", require: false
   # Workaround for: https://github.com/bundler/bundler/pull/4650
   gem "rack", "~> 1.x"
-  gem "activesupport", "~> 4"
-
   gem "rake"
   gem "rspec"
-  gem "rubocop", "0.38.0"
-  gem "coveralls", require: false
-  gem "certificate_authority", require: false
+  gem "rubocop", "0.77.0"
 end
 
 gemspec

data/Guardfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 guard :rspec, cmd: "bundle exec rspec" do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})    { |m| "spec/#{m[1]}_spec.rb" }

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 require "rubocop/rake_task"
@@ -5,4 +7,4 @@ require "rubocop/rake_task"
 RSpec::Core::RakeTask.new(:spec)
 RuboCop::RakeTask.new
 
-task default: %w(spec rubocop)
+task default: %w[spec rubocop]

data/lib/rails/auth/acl.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Pull in default matchers
 require "rails/auth/acl/matchers/allow_all"
 
@@ -17,7 +19,9 @@ module Rails
       # @param [String] :yaml serialized YAML to load an ACL from
       def self.from_yaml(yaml, **args)
         require "yaml"
+        # rubocop:todo Security/YAMLLoad
         new(YAML.load(yaml), **args)
+        # rubocop:enable Security/YAMLLoad
       end
 
       # @param [Array<Hash>] :acl Access Control List configuration

data/lib/rails/auth/acl/matchers/allow_all.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class ACL
@@ -7,6 +9,7 @@ module Rails
         class AllowAll
           def initialize(enabled)
             raise ArgumentError, "enabled must be true/false" unless [true, false].include?(enabled)
+
             @enabled = enabled
           end
 

data/lib/rails/auth/acl/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class ACL
@@ -25,6 +27,7 @@ module Rails
           unless Rails::Auth.authorized?(env)
             matcher_name = @acl.match(env)
             raise NotAuthorizedError, "unauthorized request" unless matcher_name
+
             Rails::Auth.set_allowed_by(env, "matcher:#{matcher_name}")
           end
 

data/lib/rails/auth/acl/resource.rb

@@ -8,10 +8,10 @@ module Rails
         attr_reader :http_methods, :path, :host, :matchers
 
         # Valid HTTP methods
-        HTTP_METHODS = %w(GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK).freeze
+        HTTP_METHODS = %w[GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK].freeze
 
         # Options allowed for resource matchers
-        VALID_OPTIONS = %w(method path host).freeze
+        VALID_OPTIONS = %w[method path host].freeze
 
         # @option :options [String] :method HTTP method allowed ("ALL" for all methods)
         # @option :options [String] :path path to the resource (regex syntax allowed)
@@ -46,6 +46,7 @@ module Rails
         #
         def match(env)
           return nil unless match!(env)
+
           name, = @matchers.find { |_name, matcher| matcher.match(env) }
           name
         end
@@ -58,9 +59,10 @@ module Rails
         # @return [Boolean] method and path *only* match the given environment
         #
         def match!(env)
-          return false unless @http_methods.include?(env["REQUEST_METHOD".freeze])
-          return false unless @path =~ env["PATH_INFO".freeze]
-          return false unless @host.nil? || @host =~ env["HTTP_HOST".freeze]
+          return false unless @http_methods.include?(env["REQUEST_METHOD"])
+          return false unless @path =~ env["PATH_INFO"]
+          return false unless @host.nil? || @host =~ env["HTTP_HOST"]
+
           true
         end
 

data/lib/rails/auth/config_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Configures Rails::Auth middleware for use in a Rails application
@@ -11,7 +13,7 @@ module Rails
           matchers: matchers
         )
 
-        config.middleware.use Rails::Auth::ACL::Middleware, acl: config.x.acl
+        config.middleware.use Rails::Auth::ACL::Middleware, acl: config.x.rails_auth.acl
       end
 
       # Development configuration (i.e. config/environments/development.rb)
@@ -49,6 +51,7 @@ module Rails
         end
 
         return unless monitor
+
         config.middleware.insert_before Rails::Auth::ACL::Middleware,
                                         Rails::Auth::Monitor::Middleware,
                                         monitor
@@ -68,6 +71,7 @@ module Rails
                                           Rails::Auth::ErrorPage::Middleware,
                                           page_body: Pathname(error_page).read
         when FalseClass, NilClass
+          nil
         else raise TypeError, "bad error page mode: #{mode.inspect}"
         end
       end

data/lib/rails/auth/controller_methods.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require "active_support/hash_with_indifferent_access"
 
+# rubocop:disable Naming/MemoizedInstanceVariableName
 module Rails
   module Auth
     # Convenience methods designed to be included in an ActionController::Base subclass
@@ -18,3 +21,4 @@ module Rails
     end
   end
 end
+# rubocop:enable Naming/MemoizedInstanceVariableName

data/lib/rails/auth/credentials.rb

@@ -10,7 +10,7 @@ module Rails
       extend Forwardable
       include Enumerable
 
-      def_delegators :@credentials, :fetch, :empty?, :key?, :each, :to_hash
+      def_delegators :@credentials, :fetch, :empty?, :key?, :each, :to_hash, :values
 
       def self.from_rack_env(env)
         new(env.fetch(Rails::Auth::Env::CREDENTIALS_ENV_KEY, {}))
@@ -18,6 +18,7 @@ module Rails
 
       def initialize(credentials = {})
         raise TypeError, "expected Hash, got #{credentials.class}" unless credentials.is_a?(Hash)
+
         @credentials = credentials
       end
 
@@ -25,6 +26,7 @@ module Rails
         return if @credentials.key?(type) && @credentials[type] == value
         raise TypeError, "expected String for type, got #{type.class}" unless type.is_a?(String)
         raise AlreadyAuthorizedError, "credential '#{type}' has already been set" if @credentials.key?(type)
+
         @credentials[type] = value
       end
 

data/lib/rails/auth/credentials/injector_middleware.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class Credentials
       # A middleware for injecting an arbitrary credentials hash into the Rack environment
       # This is intended for development and testing purposes where you would like to
-      # simulate a given X.509 certificate being used in a request or user logged in
+      # simulate a given X.509 certificate being used in a request or user logged in.
+      # The credentials argument should either be a hash or a proc that returns one.
       class InjectorMiddleware
         def initialize(app, credentials)
           @app = app
@@ -11,7 +14,8 @@ module Rails
         end
 
         def call(env)
-          env[Rails::Auth::Env::CREDENTIALS_ENV_KEY] = @credentials
+          credentials = @credentials.respond_to?(:call) ? @credentials.call(env) : @credentials
+          env[Rails::Auth::Env::CREDENTIALS_ENV_KEY] = credentials
           @app.call(env)
         end
       end

data/lib/rails/auth/env.rb

@@ -5,13 +5,13 @@ module Rails
     # Wrapper for Rack environments with Rails::Auth helpers
     class Env
       # Rack environment key for marking external authorization
-      AUTHORIZED_ENV_KEY = "rails-auth.authorized".freeze
+      AUTHORIZED_ENV_KEY = "rails-auth.authorized"
 
       # Rack environment key for storing what allowed the request
-      ALLOWED_BY_ENV_KEY = "rails-auth.allowed-by".freeze
+      ALLOWED_BY_ENV_KEY = "rails-auth.allowed-by"
 
       # Rack environment key for all rails-auth credentials
-      CREDENTIALS_ENV_KEY = "rails-auth.credentials".freeze
+      CREDENTIALS_ENV_KEY = "rails-auth.credentials"
 
       attr_reader :allowed_by, :credentials
 
@@ -44,6 +44,7 @@ module Rails
       def allowed_by=(allowed_by)
         raise AlreadyAuthorizedError, "already allowed by #{@allowed_by.inspect}" if @allowed_by
         raise TypeError, "expected String for allowed_by, got #{allowed_by.class}" unless allowed_by.is_a?(String)
+
         @allowed_by = allowed_by
       end
 

data/lib/rails/auth/error_page/debug_middleware.rb

@@ -26,7 +26,7 @@ module Rails
 
           @app = app
           @acl = acl
-          @erb = ERB.new(File.read(File.expand_path("../debug_page.html.erb", __FILE__))).freeze
+          @erb = ERB.new(File.read(File.expand_path("debug_page.html.erb", __dir__))).freeze
         end
 
         def call(env)

data/lib/rails/auth/error_page/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module ErrorPage
@@ -32,6 +34,7 @@ module Rails
           accept_format = env["HTTP_ACCEPT"]
           return :json if accept_format && accept_format.downcase.start_with?("application/json")
           return :json if env["PATH_INFO"] && env["PATH_INFO"].end_with?(".json")
+
           nil
         end
       end

data/lib/rails/auth/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Base class of all Rails::Auth errors

data/lib/rails/auth/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   # Modular resource-based authentication and authorization for Rails/Rack
   module Auth
@@ -24,7 +26,7 @@ module Rails
 
     # Mark what authorized the request in the Rack environment
     #
-    # @param [Hash] :env Rack environment
+    # @param [Hash] :rack_env Rack environment
     # @param [String] :allowed_by what allowed this request
     def set_allowed_by(rack_env, allowed_by)
       Env.new(rack_env).tap do |env|