rails-auth 2.1.2 → 2.2.2

data/lib/rails/auth/installed_constraint.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Rails constraint to make sure the ACLs have been installed

data/lib/rails/auth/monitor/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module Monitor

data/lib/rails/auth/rack.rb

@@ -27,3 +27,4 @@ require "rails/auth/x509/filter/pem"
 require "rails/auth/x509/filter/java" if defined?(JRUBY_VERSION)
 require "rails/auth/x509/matcher"
 require "rails/auth/x509/middleware"
+require "rails/auth/x509/subject_alt_name_extension"

data/lib/rails/auth/rspec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rails/auth/rspec/helper_methods"
 require "rails/auth/rspec/matchers/acl_matchers"
 

data/lib/rails/auth/rspec/helper_methods.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module RSpec
@@ -12,6 +14,7 @@ module Rails
         # NOTE: Credentials will be *cleared* after the block. Nesting is not allowed.
         def with_credentials(credentials = {})
           raise TypeError, "expected Hash of credentials, got #{credentials.class}" unless credentials.is_a?(Hash)
+
           test_credentials.clear
 
           credentials.each do |type, value|
@@ -24,8 +27,8 @@ module Rails
         # Creates an Rails::Auth::X509::Certificate instance double
         def x509_certificate(cn: nil, ou: nil)
           subject = ""
-          subject << "CN=#{cn}" if cn
-          subject << "OU=#{ou}" if ou
+          subject += "CN=#{cn}" if cn
+          subject += "OU=#{ou}" if ou
 
           instance_double(Rails::Auth::X509::Certificate, subject, cn: cn, ou: ou).tap do |certificate|
             allow(certificate).to receive(:[]) do |key|
@@ -47,9 +50,7 @@ module Rails
             path = self.class.description
 
             # Warn if methods are improperly used
-            unless path.chars[0] == "/"
-              raise ArgumentError, "expected #{path} to start with '/'"
-            end
+            raise ArgumentError, "expected #{path} to start with '/'" unless path.chars[0] == "/"
 
             env = {
               "REQUEST_METHOD" => method,

data/lib/rails/auth/rspec/matchers/acl_matchers.rb

@@ -1,12 +1,14 @@
+# frozen_string_literal: true
+
 RSpec::Matchers.define(:permit) do |env|
   description do
     method      = env["REQUEST_METHOD"]
     credentials = Rails::Auth.credentials(env)
     message     = "allow #{method}s by "
 
-    return message << "unauthenticated clients" if credentials.count.zero?
+    return message + "unauthenticated clients" if credentials.count.zero?
 
-    message << credentials.values.map(&:inspect).join(", ")
+    message + credentials.values.map(&:inspect).join(", ")
   end
 
   match { |acl| acl.match(env) }

data/lib/rails/auth/version.rb

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "2.1.2".freeze
+    VERSION = "2.2.2"
   end
 end

data/lib/rails/auth/x509/certificate.rb

@@ -18,7 +18,8 @@ module Rails
           @certificate.subject.to_a.each do |name, data, _type|
             @subject[name.freeze] = data.freeze
           end
-
+          @subject_alt_names = SubjectAltNameExtension.new(certificate)
+          @subject_alt_names.freeze
           @subject.freeze
         end
 
@@ -27,23 +28,52 @@ module Rails
         end
 
         def cn
-          @subject["CN".freeze]
+          @subject["CN"]
         end
         alias common_name cn
 
+        def dns_names
+          @subject_alt_names.dns_names
+        end
+
+        def ips
+          @subject_alt_names.ips
+        end
+
         def ou
-          @subject["OU".freeze]
+          @subject["OU"]
         end
         alias organizational_unit ou
 
+        def uris
+          @subject_alt_names.uris
+        end
+
+        # According to the SPIFFE standard only one SPIFFE ID can exist in the URI
+        # SAN:
+        # (https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#2-spiffe-id)
+        #
+        # @return [String, nil] string containing SPIFFE ID if one is present
+        #         in the certificate
+        def spiffe_id
+          uris.detect { |uri| uri.start_with?("spiffe://") }
+        end
+
         # Generates inspectable attributes for debugging
         #
         # @return [Hash] hash containing parts of the certificate subject (cn, ou)
+        #         and subject alternative name extension (uris, dns_names) as well
+        #         as SPIFFE ID (spiffe_id), which is just a convenience since those
+        #         are already included in the uris
         def attributes
           {
             cn: cn,
-            ou: ou
-          }
+            dns_names: dns_names,
+            ips: ips,
+            ou: ou,
+            spiffe_id: spiffe_id,
+            uris: uris
+          }.reject { |_, v| v.nil? || v.empty? }
         end
 
         # Compare ourself to another object by ensuring that it has the same type

data/lib/rails/auth/x509/filter/java.rb

@@ -1,23 +1,15 @@
-require "java"
-require "stringio"
+# frozen_string_literal: true
 
 module Rails
   module Auth
     module X509
       module Filter
-        # Extract OpenSSL::X509::Certificates from Java's sun.security.x509.X509CertImpl
+        # Extract OpenSSL::X509::Certificates from java.security.cert.Certificate
         class Java
           def call(certs)
-            return unless certs
-            OpenSSL::X509::Certificate.new(extract_der(certs[0])).freeze
-          end
-
-          private
+            return if certs.nil? || certs.empty?
 
-          def extract_der(cert)
-            stringio = StringIO.new
-            cert.derEncode(stringio.to_outputstream)
-            stringio.string
+            OpenSSL::X509::Certificate.new(certs[0].get_encoded).freeze
           end
         end
       end

data/lib/rails/auth/x509/filter/pem.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module X509
@@ -5,7 +7,14 @@ module Rails
         # Extract OpenSSL::X509::Certificates from Privacy Enhanced Mail (PEM) certificates
         class Pem
           def call(pem)
-            OpenSSL::X509::Certificate.new(pem.delete("\t")).freeze
+            # Normalize the whitespace in the certificate to the exact format
+            # certificates are normally formatted in otherwise parsing with fail
+            # with a 'nested asn1 error'. split(" ") handles sequential whitespace
+            # characters like \t, \n, and space.
+            OpenSSL::X509::Certificate.new(pem.split(" ").instance_eval do
+              [[self[0], self[1]].join(" "), self[2...-2], [self[-2], self[-1]].join(" ")]
+                .flatten.join("\n")
+            end).freeze
           end
         end
       end

data/lib/rails/auth/x509/matcher.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module X509

data/lib/rails/auth/x509/middleware.rb

@@ -12,20 +12,21 @@ module Rails
         # Create a new X.509 Middleware object
         #
         # @param [Object]               app next app in the Rack middleware chain
-        # @param [Hash]                 cert_filters maps Rack environment names to cert extractors
         # @param [String]               ca_file path to the CA bundle to verify client certs with
-        # @param [OpenSSL::X509::Store] truststore (optional) provide your own truststore (for e.g. CRLs)
+        # @param [Hash]                 cert_filters maps Rack environment names to cert extractors
+        # @param [Logger]               logger place to log verification successes & failures
         # @param [Boolean]              require_cert causes middleware to raise if certs are unverified
+        # @param [OpenSSL::X509::Store] truststore (optional) provide your own truststore (for e.g. CRLs)
         #
         # @return [Rails::Auth::X509::Middleware] new X509 middleware instance
-        def initialize(app, cert_filters: {}, ca_file: nil, truststore: nil, require_cert: false, logger: nil)
-          raise ArgumentError, "no ca_file given" unless ca_file
+        def initialize(app, ca_file: nil, cert_filters: {}, logger: nil, require_cert: false, truststore: nil)
+          raise ArgumentError, "no ca_file or truststore given" unless ca_file || truststore
 
           @app          = app
+          @cert_filters = cert_filters
           @logger       = logger
-          @truststore   = truststore || OpenSSL::X509::Store.new.add_file(ca_file)
           @require_cert = require_cert
-          @cert_filters = cert_filters
+          @truststore   = truststore || OpenSSL::X509::Store.new.add_file(ca_file)
 
           @cert_filters.each do |key, filter|
             next unless filter.is_a?(Symbol)
@@ -40,7 +41,7 @@ module Rails
 
         def call(env)
           credential = extract_credential(env)
-          Rails::Auth.add_credential(env, "x509".freeze, credential.freeze) if credential
+          Rails::Auth.add_credential(env, "x509", credential.freeze) if credential
 
           @app.call(env)
         end
@@ -62,6 +63,7 @@ module Rails
           end
 
           raise CertificateVerifyFailed, "no client certificate in request" if @require_cert
+
           nil
         end
 
@@ -72,8 +74,8 @@ module Rails
           end
 
           filter.call(raw_cert)
-        rescue => ex
-          @logger.debug("rails-auth: Certificate error: #{ex.class}: #{ex.message}") if @logger
+        rescue StandardError => e
+          @logger.debug("rails-auth: Certificate error: #{e.class}: #{e.message}") if @logger
           nil
         end
 

data/lib/rails/auth/x509/subject_alt_name_extension.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Rails
+  module Auth
+    module X509
+      # Provides convenience methods for subjectAltName extension of X.509 certificates
+      class SubjectAltNameExtension
+        attr_reader :dns_names, :ips, :uris
+
+        DNS_REGEX = /^DNS:/i.freeze
+        IP_REGEX  = /^IP( Address)?:/i.freeze
+        URI_REGEX = /^URI:/i.freeze
+
+        def initialize(certificate)
+          unless certificate.is_a?(OpenSSL::X509::Certificate)
+            raise TypeError, "expecting OpenSSL::X509::Certificate, got #{certificate.class}"
+          end
+
+          extension = certificate.extensions.detect { |ext| ext.oid == "subjectAltName" }
+          values = (extension&.value&.split(",") || []).map(&:strip)
+
+          @dns_names = values.grep(DNS_REGEX) { |v| v.sub(DNS_REGEX, "") }.freeze
+          @ips = values.grep(IP_REGEX) { |v| v.sub(IP_REGEX, "") }.freeze
+          @uris = values.grep(URI_REGEX) { |v| v.sub(URI_REGEX, "") }.freeze
+        end
+      end
+    end
+  end
+end

data/rails-auth.gemspec

@@ -1,5 +1,6 @@
-# coding: utf-8
-lib = File.expand_path("../lib", __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "rails/auth/version"
 
@@ -25,10 +26,10 @@ Gem::Specification.new do |spec|
   spec.bindir        = "exe"
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.0.0"
+  spec.required_ruby_version = ">= 2.3.0"
 
   spec.add_runtime_dependency "rack"
 
-  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "bundler", ">= 1.10", "< 3"
   spec.add_development_dependency "rake", "~> 10.0"
 end

data/spec/rails/auth/acl/matchers/allow_all_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ACL::Matchers::AllowAll do
   let(:matcher)     { described_class.new(enabled) }
   let(:example_env) { env_for(:get, "/") }

data/spec/rails/auth/acl/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "logger"
 
 RSpec.describe Rails::Auth::ACL::Middleware do

data/spec/rails/auth/acl/resource_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ACL::Resource do
   let(:example_method) { "GET" }
   let(:another_method) { "POST" }

data/spec/rails/auth/acl_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ACL do
   let(:example_config) { fixture_path("example_acl.yml").read }
 

data/spec/rails/auth/controller_methods_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ControllerMethods do
   let(:controller_class) do
     Class.new do

data/spec/rails/auth/credentials/injector_middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Credentials::InjectorMiddleware do
   let(:request)     { Rack::MockRequest.env_for("https://www.example.com") }
   let(:app)         { ->(env) { [200, env, "Hello, world!"] } }
@@ -8,4 +10,17 @@ RSpec.describe Rails::Auth::Credentials::InjectorMiddleware do
     _response, env = middleware.call(request)
     expect(env[Rails::Auth::Env::CREDENTIALS_ENV_KEY]).to eq credentials
   end
+
+  context "with a proc for credentials" do
+    let(:credentials_proc) { instance_double(Proc) }
+    let(:middleware)       { described_class.new(app, credentials_proc) }
+
+    it "overrides rails-auth credentials in the rack environment" do
+      expect(credentials_proc).to receive(:call).with(request).and_return(credentials)
+
+      _response, env = middleware.call(request)
+
+      expect(env[Rails::Auth::Env::CREDENTIALS_ENV_KEY]).to eq credentials
+    end
+  end
 end

data/spec/rails/auth/credentials_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Credentials do
   let(:rack_env) { Rack::MockRequest.env_for("https://www.example.com") }
 

data/spec/rails/auth/env_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Env do
   let(:rack_env)          { Rack::MockRequest.env_for("https://www.example.com") }
   let(:example_authority) { "some-authority" }

data/spec/rails/auth/error_page/debug_middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ErrorPage::DebugMiddleware do
   let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
 

data/spec/rails/auth/error_page/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ErrorPage::Middleware do
   let(:request)    { Rack::MockRequest.env_for("https://www.example.com") }
   let(:error_page) { "<h1> Unauthorized!!! </h1>" }

data/spec/rails/auth/monitor/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Monitor::Middleware do
   let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
 

data/spec/rails/auth/rspec/helper_methods_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "ostruct"
 
 RSpec.describe Rails::Auth::RSpec::HelperMethods, acl_spec: true do

data/spec/rails/auth/rspec/matchers/acl_matchers_spec.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 RSpec.describe "RSpec ACL matchers", acl_spec: true do
-  let(:example_certificate) { x509_certificate_hash(ou: "ponycopter") }
   let(:another_certificate) { x509_certificate_hash(ou: "derpderp") }
+  let(:example_certificate) { x509_certificate_hash(ou: "ponycopter") }
 
   subject do
     Rails::Auth::ACL.from_yaml(
@@ -16,5 +18,14 @@ RSpec.describe "RSpec ACL matchers", acl_spec: true do
     it { is_expected.to permit get_request(credentials: example_certificate) }
     it { is_expected.not_to permit get_request(credentials: another_certificate) }
     it { is_expected.not_to permit get_request }
+
+    it "has the correct description" do
+      expect(permit(get_request(credentials: example_certificate)).description)
+        .to eq('allow GETs by #<InstanceDouble(Rails::Auth::X509::Certificate) "OU=ponycopter">')
+      expect(permit(get_request(credentials: another_certificate)).description)
+        .to eq('allow GETs by #<InstanceDouble(Rails::Auth::X509::Certificate) "OU=derpderp">')
+      expect(permit(get_request).description)
+        .to eq("allow GETs by unauthenticated clients")
+    end
   end
 end

data/spec/rails/auth/x509/certificate_spec.rb

@@ -1,38 +1,121 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::X509::Certificate do
   let(:example_cert) { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
+  let(:example_cert_with_extension) { OpenSSL::X509::Certificate.new(cert_path("valid_with_ext.crt").read) }
   let(:example_certificate) { described_class.new(example_cert) }
+  let(:example_certificate_with_extension) { described_class.new(example_cert_with_extension) }
 
   let(:example_cn) { "127.0.0.1" }
+  let(:example_dns_names) { %w[example.com exemplar.com somethingelse.com] }
+  let(:example_ips) { %w[0.0.0.0 127.0.0.1 192.168.1.1] }
   let(:example_ou) { "ponycopter" }
+  let(:example_spiffe) { "spiffe://example.com/exemplar" }
+  let(:example_uris) { [example_spiffe, "https://www.example.com/page1", "https://www.example.com/page2"] }
+
+  describe "without extensions" do
+    describe "#[]" do
+      it "allows access to subject components via strings" do
+        expect(example_certificate["CN"]).to eq example_cn
+        expect(example_certificate["OU"]).to eq example_ou
+      end
 
-  describe "#[]" do
-    it "allows access to subject components via strings" do
-      expect(example_certificate["CN"]).to eq example_cn
-      expect(example_certificate["OU"]).to eq example_ou
+      it "allows access to subject components via symbols" do
+        expect(example_certificate[:cn]).to eq example_cn
+        expect(example_certificate[:ou]).to eq example_ou
+      end
     end
 
-    it "allows access to subject components via symbols" do
-      expect(example_certificate[:cn]).to eq example_cn
-      expect(example_certificate[:ou]).to eq example_ou
+    it "knows its #cn" do
+      expect(example_certificate.cn).to eq example_cn
     end
-  end
 
-  it "knows its #cn" do
-    expect(example_certificate.cn).to eq example_cn
-  end
+    it "has no #dns_names" do
+      expect(example_certificate.dns_names).to be_empty
+    end
 
-  it "knows its #ou" do
-    expect(example_certificate.ou).to eq example_ou
-  end
+    it "has no #ips" do
+      expect(example_certificate.ips).to be_empty
+    end
+
+    it "knows its #ou" do
+      expect(example_certificate.ou).to eq example_ou
+    end
 
-  it "knows its attributes" do
-    expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
+    it "has no #uris" do
+      expect(example_certificate.uris).to be_empty
+    end
+
+    it "has no #spiffe_id" do
+      expect(example_certificate.spiffe_id).to be_nil
+    end
+
+    it "knows its attributes" do
+      expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
+    end
+
+    it "compares certificate objects by comparing their certificates" do
+      second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
+      second_certificate = described_class.new(second_cert)
+
+      expect(example_certificate).to be_eql second_certificate
+    end
   end
 
-  it "compares certificate objects by comparing their certificates" do
-    second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
-    second_certificate = described_class.new(second_cert)
+  describe "with extensions" do
+    describe "#[]" do
+      it "allows access to subject components via strings" do
+        expect(example_certificate_with_extension["CN"]).to eq example_cn
+        expect(example_certificate_with_extension["OU"]).to eq example_ou
+      end
 
-    expect(example_certificate).to be_eql second_certificate
+      it "allows access to subject components via symbols" do
+        expect(example_certificate_with_extension[:cn]).to eq example_cn
+        expect(example_certificate_with_extension[:ou]).to eq example_ou
+      end
+    end
+
+    it "knows its #cn" do
+      expect(example_certificate_with_extension.cn).to eq example_cn
+    end
+
+    it "knows its #dns_names" do
+      expect(example_certificate_with_extension.dns_names).to eq example_dns_names
+    end
+
+    it "knows its #ips" do
+      expect(example_certificate_with_extension.ips).to eq example_ips
+    end
+
+    it "knows its #ou" do
+      expect(example_certificate_with_extension.ou).to eq example_ou
+    end
+
+    it "knows its #spiffe_id" do
+      expect(example_certificate_with_extension.spiffe_id).to eq example_spiffe
+    end
+
+    it "knows its #uris" do
+      expect(example_certificate_with_extension.uris).to eq example_uris
+    end
+
+    it "knows its attributes" do
+      expected_attrs = {
+        cn: example_cn,
+        dns_names: example_dns_names,
+        ips: example_ips,
+        ou: example_ou,
+        spiffe_id: example_spiffe,
+        uris: example_uris
+      }
+      expect(example_certificate_with_extension.attributes).to eq(expected_attrs)
+    end
+
+    it "compares certificate objects by comparing their certificates" do
+      second_cert = OpenSSL::X509::Certificate.new(cert_path("valid_with_ext.crt").read)
+      second_certificate = described_class.new(second_cert)
+
+      expect(example_certificate_with_extension).to be_eql second_certificate
+    end
   end
 end