rails-auth 2.1.3 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 04accd9068297df63d222180e00d66bb5a3cdc24
-  data.tar.gz: 36dba8c9eee4957f1defe679ae9d98ceba53393f
+SHA256:
+  metadata.gz: 9f5669f564b62464b0d3078ecfa58fe3732735e44c63bed361061a9f1a663249
+  data.tar.gz: cbee05f42e189e543b059d961d1b926d763d84e07c93a3637165f95eba0fe776
 SHA512:
-  metadata.gz: 790da2f08086cee1fd8719fff050e18e7cfc1301fb12483c327d117c0875bdc945fe404d7040a184f28dd69c352803b525acd720f94b8f7920f550776d950371
-  data.tar.gz: 4f6d90c4d94195cc5b42cd0f783d64168aa045178bea6ac6e646cbf80e221bc0668a9400358271449e570fe8358592ae7ae2d84897771da583c2a45592325426
+  metadata.gz: 0be32c7166ed406dda136608370f059443a56219696c8d13a56f3978f9eca3b37b99ccf0885d4c42d13c660860be52530891d9317a2d2562f7f265d7d751ccd0
+  data.tar.gz: e1ada71b12c7732fe2aced6bb98abd11cb7b8fa665093f9faa5808b9c21bef12dd99e3070fcd2ee343acc4b377626ae885098388f85d7d9027f37e1d08d60890

data/.rubocop.yml

@@ -1,12 +1,16 @@
 AllCops:
   DisplayCopNames: true
+  TargetRubyVersion: 2.3
 
 Style/StringLiterals:
   EnforcedStyle: double_quotes
 
-Style/ModuleFunction:
+Layout/HashAlignment:
   Enabled: false
 
+Metrics/BlockLength:
+  ExcludedMethods: ['describe', 'context']
+
 Metrics/ParameterLists:
   Max: 5
   CountKeywordArgs: false
@@ -22,3 +26,12 @@ Metrics/AbcSize:
 
 Metrics/CyclomaticComplexity:
   Max: 8
+
+Naming/MethodParameterName:
+  MinNameLength: 2
+
+Style/ModuleFunction:
+  Enabled: false
+
+Style/SafeNavigation:
+  Enabled: false

data/.travis.yml

@@ -10,12 +10,15 @@ before_install:
 bundler_args: --without development
 
 rvm:
-  - 2.0.0
-  - 2.1.10
-  - 2.2.4
-  - 2.3.0
+  - 2.4
+  - 2.5
+  - 2.6
 matrix:
   include:
-    - rvm: jruby-9.0.5.0
+    - rvm: jruby
+      jdk: openjdk8
+      env: JRUBY_OPTS="--debug" # for simplecov
+    - rvm: jruby
+      jdk: openjdk11
       env: JRUBY_OPTS="--debug" # for simplecov
   fast_finish: true

data/BUG-BOUNTY.md

@@ -1,9 +1,9 @@
-Break me and win a prize!
-=========================
+Serious about security
+======================
 
 Square recognizes the important contributions the security research community
 can make. We therefore encourage reporting security issues with the code
 contained in this repository.
 
 If you believe you have discovered a security vulnerability, please follow the
-guidelines at https://hackerone.com/square-open-source
+guidelines at <https://bugcrowd.com/squareopensource>.

data/CHANGES.md

@@ -1,3 +1,49 @@
+### 3.0.0 (2020-08-10)
+
+* [#68](https://github.com/square/rails-auth/pull/68)
+  Remove `ca_file` and `require_cert` options to the config builder as we no
+  longer verify the certificate chain.
+  ([@drcapulet])
+
+* [#67](https://github.com/square/rails-auth/pull/67)
+  Remove `ca_file`, `require_cert`, and `truststore` options to X509 middleware
+  as we no longer verify the certificate chain.
+  ([@drcapulet])
+
+### 2.2.2 (2020-07-02)
+
+* [#65](https://github.com/square/rails-auth/pull/65)
+  Fix error when passing `truststore` instead of `ca_file` to X509 middleware.
+  ([@drcapulet])
+
+### 2.2.1 (2020-01-08)
+
+* [#63](https://github.com/square/rails-auth/pull/63)
+  Fix `FrozenError` in `permit` matcher description.
+  ([@drcapulet])
+
+### 2.2.0 (2019-12-05)
+
+* [#55](https://github.com/square/rails-auth/pull/55)
+  Allow dynamic injection of credentials.
+  ([@drcapulet])
+
+* [#59](https://github.com/square/rails-auth/pull/59)
+  Expose X.509 Subject Alternative Name extension
+  in the Rails::Auth::X509::Certificate and provide a convenience
+  method `spiffe_id` to expose [SPIFFE ID](https://spiffe.io).
+  ([@mbyczkowski])
+
+* [#57](https://github.com/square/rails-auth/pull/57)
+  Add support for latest versions of Ruby, JRuby and Bundler 2.
+  ([@mbyczkowski])
+
+### 2.1.4 (2018-07-12)
+
+* [#51](https://github.com/square/rails-auth/pull/51)
+  Fix bug in `permit` custom matcher so that a description is rendered.
+  ([@yellow-beard])
+
 ### 2.1.3 (2017-08-04)
 
 * [#44](https://github.com/square/rails-auth/pull/44)
@@ -178,6 +224,9 @@
 * Vaporware release to claim the "rails-auth" gem name
 
 
-[@tarcieri]: https://github.com/tarcieri
-[@ewr]: https://github.com/ewr
 [@drcapulet]: https://github.com/drcapulet
+[@ewr]: https://github.com/ewr
+[@mbyczkowski]: https://github.com/mbyczkowski
+[@nerdrew]: https://github.com/nerdrew
+[@tarcieri]: https://github.com/tarcieri
+[@yellow-beard]: https://github.com/yellow-beard

data/CONTRIBUTING.md

@@ -1,14 +1,15 @@
-### Sign the CLA
+# Contributing
 
-Any contributors to the master *rails-auth* repository must sign the
-[Individual Contributor License Agreement (CLA)]. It's a short form that covers
-our bases and makes sure you're eligible to contribute.
+If you would like to contribute code to *rails-auth* you can do so through GitHub by
+forking the repository and sending a pull request.
 
-### Submitting a Pull Request
+When submitting code, please make every effort to follow existing conventions
+and style in order to keep the code as readable as possible. Please also make
+sure all tests pass by running `bundle exec rspec spec`, and format your code
+according to `rubocop` rules.
 
-When you have a change you'd like to see in the master repository, send a
-[pull request]. Before we merge your request, we'll make sure you're in the list
-of people who have signed a CLA.
+Before your code can be accepted into the project you must also sign the
+Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
+will be prompted to sign once a pull request is opened.
 
-[Individual Contributor License Agreement (CLA)]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
-[pull request]: https://github.com/square/rails-auth/pulls
+[1]: https://cla-assistant.io/

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 group :development do
@@ -5,15 +7,14 @@ group :development do
 end
 
 group :development, :test do
+  gem "activesupport", "~> 4"
+  gem "certificate_authority", require: false
+  gem "coveralls", require: false
   # Workaround for: https://github.com/bundler/bundler/pull/4650
   gem "rack", "~> 1.x"
-  gem "activesupport", "~> 4"
-
   gem "rake"
   gem "rspec"
-  gem "rubocop", "0.38.0"
-  gem "coveralls", require: false
-  gem "certificate_authority", require: false
+  gem "rubocop", "0.77.0"
 end
 
 gemspec

data/Guardfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 guard :rspec, cmd: "bundle exec rspec" do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})    { |m| "spec/#{m[1]}_spec.rb" }

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 require "rubocop/rake_task"
@@ -5,4 +7,4 @@ require "rubocop/rake_task"
 RSpec::Core::RakeTask.new(:spec)
 RuboCop::RakeTask.new
 
-task default: %w(spec rubocop)
+task default: %w[spec rubocop]

data/lib/rails/auth/acl.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Pull in default matchers
 require "rails/auth/acl/matchers/allow_all"
 
@@ -17,7 +19,9 @@ module Rails
       # @param [String] :yaml serialized YAML to load an ACL from
       def self.from_yaml(yaml, **args)
         require "yaml"
+        # rubocop:todo Security/YAMLLoad
         new(YAML.load(yaml), **args)
+        # rubocop:enable Security/YAMLLoad
       end
 
       # @param [Array<Hash>] :acl Access Control List configuration

data/lib/rails/auth/acl/matchers/allow_all.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class ACL
@@ -7,6 +9,7 @@ module Rails
         class AllowAll
           def initialize(enabled)
             raise ArgumentError, "enabled must be true/false" unless [true, false].include?(enabled)
+
             @enabled = enabled
           end
 

data/lib/rails/auth/acl/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class ACL
@@ -25,6 +27,7 @@ module Rails
           unless Rails::Auth.authorized?(env)
             matcher_name = @acl.match(env)
             raise NotAuthorizedError, "unauthorized request" unless matcher_name
+
             Rails::Auth.set_allowed_by(env, "matcher:#{matcher_name}")
           end
 

data/lib/rails/auth/acl/resource.rb

@@ -8,10 +8,10 @@ module Rails
         attr_reader :http_methods, :path, :host, :matchers
 
         # Valid HTTP methods
-        HTTP_METHODS = %w(GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK).freeze
+        HTTP_METHODS = %w[GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK].freeze
 
         # Options allowed for resource matchers
-        VALID_OPTIONS = %w(method path host).freeze
+        VALID_OPTIONS = %w[method path host].freeze
 
         # @option :options [String] :method HTTP method allowed ("ALL" for all methods)
         # @option :options [String] :path path to the resource (regex syntax allowed)
@@ -46,6 +46,7 @@ module Rails
         #
         def match(env)
           return nil unless match!(env)
+
           name, = @matchers.find { |_name, matcher| matcher.match(env) }
           name
         end
@@ -58,9 +59,10 @@ module Rails
         # @return [Boolean] method and path *only* match the given environment
         #
         def match!(env)
-          return false unless @http_methods.include?(env["REQUEST_METHOD".freeze])
-          return false unless @path =~ env["PATH_INFO".freeze]
-          return false unless @host.nil? || @host =~ env["HTTP_HOST".freeze]
+          return false unless @http_methods.include?(env["REQUEST_METHOD"])
+          return false unless @path =~ env["PATH_INFO"]
+          return false unless @host.nil? || @host =~ env["HTTP_HOST"]
+
           true
         end
 

data/lib/rails/auth/config_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Configures Rails::Auth middleware for use in a Rails application
@@ -11,7 +13,7 @@ module Rails
           matchers: matchers
         )
 
-        config.middleware.use Rails::Auth::ACL::Middleware, acl: config.x.acl
+        config.middleware.use Rails::Auth::ACL::Middleware, acl: config.x.rails_auth.acl
       end
 
       # Development configuration (i.e. config/environments/development.rb)
@@ -29,26 +31,20 @@ module Rails
       def production(
         config,
         cert_filters: nil,
-        require_cert: false,
-        ca_file: nil,
         error_page: Rails.root.join("public/403.html"),
         monitor: nil
       )
-        raise ArgumentError, "no cert_filters given but require_cert is true" if require_cert && !cert_filters
-        raise ArgumentError, "no ca_file given but cert_filters were set"     if cert_filters && !ca_file
-
         error_page_middleware(config, error_page)
 
         if cert_filters
           config.middleware.insert_before Rails::Auth::ACL::Middleware,
                                           Rails::Auth::X509::Middleware,
-                                          require_cert: require_cert,
                                           cert_filters: cert_filters,
-                                          ca_file:      ca_file,
                                           logger:       Rails.logger
         end
 
         return unless monitor
+
         config.middleware.insert_before Rails::Auth::ACL::Middleware,
                                         Rails::Auth::Monitor::Middleware,
                                         monitor
@@ -68,6 +64,7 @@ module Rails
                                           Rails::Auth::ErrorPage::Middleware,
                                           page_body: Pathname(error_page).read
         when FalseClass, NilClass
+          nil
         else raise TypeError, "bad error page mode: #{mode.inspect}"
         end
       end

data/lib/rails/auth/controller_methods.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require "active_support/hash_with_indifferent_access"
 
+# rubocop:disable Naming/MemoizedInstanceVariableName
 module Rails
   module Auth
     # Convenience methods designed to be included in an ActionController::Base subclass
@@ -18,3 +21,4 @@ module Rails
     end
   end
 end
+# rubocop:enable Naming/MemoizedInstanceVariableName

data/lib/rails/auth/credentials.rb

@@ -10,7 +10,7 @@ module Rails
       extend Forwardable
       include Enumerable
 
-      def_delegators :@credentials, :fetch, :empty?, :key?, :each, :to_hash
+      def_delegators :@credentials, :fetch, :empty?, :key?, :each, :to_hash, :values
 
       def self.from_rack_env(env)
         new(env.fetch(Rails::Auth::Env::CREDENTIALS_ENV_KEY, {}))
@@ -18,6 +18,7 @@ module Rails
 
       def initialize(credentials = {})
         raise TypeError, "expected Hash, got #{credentials.class}" unless credentials.is_a?(Hash)
+
         @credentials = credentials
       end
 
@@ -25,6 +26,7 @@ module Rails
         return if @credentials.key?(type) && @credentials[type] == value
         raise TypeError, "expected String for type, got #{type.class}" unless type.is_a?(String)
         raise AlreadyAuthorizedError, "credential '#{type}' has already been set" if @credentials.key?(type)
+
         @credentials[type] = value
       end
 

data/lib/rails/auth/credentials/injector_middleware.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class Credentials
       # A middleware for injecting an arbitrary credentials hash into the Rack environment
       # This is intended for development and testing purposes where you would like to
-      # simulate a given X.509 certificate being used in a request or user logged in
+      # simulate a given X.509 certificate being used in a request or user logged in.
+      # The credentials argument should either be a hash or a proc that returns one.
       class InjectorMiddleware
         def initialize(app, credentials)
           @app = app
@@ -11,7 +14,8 @@ module Rails
         end
 
         def call(env)
-          env[Rails::Auth::Env::CREDENTIALS_ENV_KEY] = @credentials
+          credentials = @credentials.respond_to?(:call) ? @credentials.call(env) : @credentials
+          env[Rails::Auth::Env::CREDENTIALS_ENV_KEY] = credentials
           @app.call(env)
         end
       end

data/lib/rails/auth/env.rb

@@ -5,13 +5,13 @@ module Rails
     # Wrapper for Rack environments with Rails::Auth helpers
     class Env
       # Rack environment key for marking external authorization
-      AUTHORIZED_ENV_KEY = "rails-auth.authorized".freeze
+      AUTHORIZED_ENV_KEY = "rails-auth.authorized"
 
       # Rack environment key for storing what allowed the request
-      ALLOWED_BY_ENV_KEY = "rails-auth.allowed-by".freeze
+      ALLOWED_BY_ENV_KEY = "rails-auth.allowed-by"
 
       # Rack environment key for all rails-auth credentials
-      CREDENTIALS_ENV_KEY = "rails-auth.credentials".freeze
+      CREDENTIALS_ENV_KEY = "rails-auth.credentials"
 
       attr_reader :allowed_by, :credentials
 
@@ -44,6 +44,7 @@ module Rails
       def allowed_by=(allowed_by)
         raise AlreadyAuthorizedError, "already allowed by #{@allowed_by.inspect}" if @allowed_by
         raise TypeError, "expected String for allowed_by, got #{allowed_by.class}" unless allowed_by.is_a?(String)
+
         @allowed_by = allowed_by
       end
 

data/lib/rails/auth/error_page/debug_middleware.rb

@@ -26,7 +26,7 @@ module Rails
 
           @app = app
           @acl = acl
-          @erb = ERB.new(File.read(File.expand_path("../debug_page.html.erb", __FILE__))).freeze
+          @erb = ERB.new(File.read(File.expand_path("debug_page.html.erb", __dir__))).freeze
         end
 
         def call(env)

data/lib/rails/auth/error_page/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module ErrorPage
@@ -32,6 +34,7 @@ module Rails
           accept_format = env["HTTP_ACCEPT"]
           return :json if accept_format && accept_format.downcase.start_with?("application/json")
           return :json if env["PATH_INFO"] && env["PATH_INFO"].end_with?(".json")
+
           nil
         end
       end