rails-auth 2.1.4 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6d86f415a45113f3337b8446a3b5b271682c6a4d
-  data.tar.gz: 79c560e82cb196908a94b836697398af20a04ad0
+SHA256:
+  metadata.gz: c22c652d804b973313277d33b6c08dd0f3ae6389dfa0ebeaba73fd84488084b3
+  data.tar.gz: 95f4c1eab88b2ee3f8f608682690e70c8ca3a4c1b9925b537f14d33c88b91f7c
 SHA512:
-  metadata.gz: b030ade8c37b4f91fba160037f8f951ce8729884dc18fd1d6d038464b7b8a9af10bb38934d1d1f4bdf8672ef66425555abf49e12af8c603e2bf80c5dbc7e03c6
-  data.tar.gz: 0c0a1c9edd16819f0ab1ed10b5e98d734193fb14151586e2ab752088c706074fdb3d98cfa027635be16dc79bb7d3ec94c4f2e0be3de3f0252a3c0d0eb1fffab9
+  metadata.gz: a78bb6b55dd36517e9fd325f433210d3367d2aab18541507ac9feb607cdc92c4f2ce4b26df69bdd093c918b98bfc8c37c75add8ce572a0eb07025d96f2bc95f7
+  data.tar.gz: c5363dfa5f09bef450d827bdfa24226c4e080c47ff8c4b5c81da94192c834ac4d3fa97531d9dec11b5907949d249f59cf9856dd1b727f40d89b1ce2379ce60ac

data/.rubocop.yml

@@ -1,12 +1,16 @@
 AllCops:
   DisplayCopNames: true
+  TargetRubyVersion: 2.3
 
 Style/StringLiterals:
   EnforcedStyle: double_quotes
 
-Style/ModuleFunction:
+Layout/HashAlignment:
   Enabled: false
 
+Metrics/BlockLength:
+  ExcludedMethods: ['describe', 'context']
+
 Metrics/ParameterLists:
   Max: 5
   CountKeywordArgs: false
@@ -22,3 +26,12 @@ Metrics/AbcSize:
 
 Metrics/CyclomaticComplexity:
   Max: 8
+
+Naming/MethodParameterName:
+  MinNameLength: 2
+
+Style/ModuleFunction:
+  Enabled: false
+
+Style/SafeNavigation:
+  Enabled: false

data/.travis.yml

@@ -10,12 +10,15 @@ before_install:
 bundler_args: --without development
 
 rvm:
-  - 2.0.0
-  - 2.1.10
-  - 2.2.4
-  - 2.3.0
+  - 2.4
+  - 2.5
+  - 2.6
 matrix:
   include:
-    - rvm: jruby-9.0.5.0
+    - rvm: jruby
+      jdk: openjdk8
+      env: JRUBY_OPTS="--debug" # for simplecov
+    - rvm: jruby
+      jdk: openjdk11
       env: JRUBY_OPTS="--debug" # for simplecov
   fast_finish: true

data/BUG-BOUNTY.md

@@ -1,9 +1,9 @@
-Break me and win a prize!
-=========================
+Serious about security
+======================
 
 Square recognizes the important contributions the security research community
 can make. We therefore encourage reporting security issues with the code
 contained in this repository.
 
 If you believe you have discovered a security vulnerability, please follow the
-guidelines at https://hackerone.com/square-open-source
+guidelines at <https://bugcrowd.com/squareopensource>.

data/CHANGES.md

@@ -1,3 +1,19 @@
+### 2.2.0 (2019-12-05)
+
+* [#55](https://github.com/square/rails-auth/pull/55)
+  Allow dynamic injection of credentials.
+  ([@drcapulet])
+
+* [#59](https://github.com/square/rails-auth/pull/59)
+  Expose X.509 Subject Alternative Name extension
+  in the Rails::Auth::X509::Certificate and provide a convenience
+  method `spiffe_id` to expose [SPIFFE ID](https://spiffe.io).
+  ([@mbyczkowski])
+
+* [#57](https://github.com/square/rails-auth/pull/57)
+  Add support for latest versions of Ruby, JRuby and Bundler 2.
+  ([@mbyczkowski])
+
 ### 2.1.4 (2018-07-12)
 
 * [#51](https://github.com/square/rails-auth/pull/51)
@@ -184,6 +200,9 @@
 * Vaporware release to claim the "rails-auth" gem name
 
 
-[@tarcieri]: https://github.com/tarcieri
-[@ewr]: https://github.com/ewr
 [@drcapulet]: https://github.com/drcapulet
+[@ewr]: https://github.com/ewr
+[@mbyczkowski]: https://github.com/mbyczkowski
+[@nerdrew]: https://github.com/nerdrew
+[@tarcieri]: https://github.com/tarcieri
+[@yellow-beard]: https://github.com/yellow-beard

data/CONTRIBUTING.md

@@ -1,14 +1,15 @@
-### Sign the CLA
+# Contributing
 
-Any contributors to the master *rails-auth* repository must sign the
-[Individual Contributor License Agreement (CLA)]. It's a short form that covers
-our bases and makes sure you're eligible to contribute.
+If you would like to contribute code to *rails-auth* you can do so through GitHub by
+forking the repository and sending a pull request.
 
-### Submitting a Pull Request
+When submitting code, please make every effort to follow existing conventions
+and style in order to keep the code as readable as possible. Please also make
+sure all tests pass by running `bundle exec rspec spec`, and format your code
+according to `rubocop` rules.
 
-When you have a change you'd like to see in the master repository, send a
-[pull request]. Before we merge your request, we'll make sure you're in the list
-of people who have signed a CLA.
+Before your code can be accepted into the project you must also sign the
+Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
+will be prompted to sign once a pull request is opened.
 
-[Individual Contributor License Agreement (CLA)]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
-[pull request]: https://github.com/square/rails-auth/pulls
+[1]: https://cla-assistant.io/

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 group :development do
@@ -5,15 +7,14 @@ group :development do
 end
 
 group :development, :test do
+  gem "activesupport", "~> 4"
+  gem "certificate_authority", require: false
+  gem "coveralls", require: false
   # Workaround for: https://github.com/bundler/bundler/pull/4650
   gem "rack", "~> 1.x"
-  gem "activesupport", "~> 4"
-
   gem "rake"
   gem "rspec"
-  gem "rubocop", "0.38.0"
-  gem "coveralls", require: false
-  gem "certificate_authority", require: false
+  gem "rubocop", "0.77.0"
 end
 
 gemspec

data/Guardfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 guard :rspec, cmd: "bundle exec rspec" do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})    { |m| "spec/#{m[1]}_spec.rb" }

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 require "rubocop/rake_task"
@@ -5,4 +7,4 @@ require "rubocop/rake_task"
 RSpec::Core::RakeTask.new(:spec)
 RuboCop::RakeTask.new
 
-task default: %w(spec rubocop)
+task default: %w[spec rubocop]

data/lib/rails/auth/acl.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Pull in default matchers
 require "rails/auth/acl/matchers/allow_all"
 
@@ -17,7 +19,9 @@ module Rails
       # @param [String] :yaml serialized YAML to load an ACL from
       def self.from_yaml(yaml, **args)
         require "yaml"
+        # rubocop:todo Security/YAMLLoad
         new(YAML.load(yaml), **args)
+        # rubocop:enable Security/YAMLLoad
       end
 
       # @param [Array<Hash>] :acl Access Control List configuration

data/lib/rails/auth/acl/matchers/allow_all.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class ACL
@@ -7,6 +9,7 @@ module Rails
         class AllowAll
           def initialize(enabled)
             raise ArgumentError, "enabled must be true/false" unless [true, false].include?(enabled)
+
             @enabled = enabled
           end
 

data/lib/rails/auth/acl/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class ACL
@@ -25,6 +27,7 @@ module Rails
           unless Rails::Auth.authorized?(env)
             matcher_name = @acl.match(env)
             raise NotAuthorizedError, "unauthorized request" unless matcher_name
+
             Rails::Auth.set_allowed_by(env, "matcher:#{matcher_name}")
           end
 

data/lib/rails/auth/acl/resource.rb

@@ -8,10 +8,10 @@ module Rails
         attr_reader :http_methods, :path, :host, :matchers
 
         # Valid HTTP methods
-        HTTP_METHODS = %w(GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK).freeze
+        HTTP_METHODS = %w[GET HEAD PUT POST DELETE OPTIONS PATCH LINK UNLINK].freeze
 
         # Options allowed for resource matchers
-        VALID_OPTIONS = %w(method path host).freeze
+        VALID_OPTIONS = %w[method path host].freeze
 
         # @option :options [String] :method HTTP method allowed ("ALL" for all methods)
         # @option :options [String] :path path to the resource (regex syntax allowed)
@@ -46,6 +46,7 @@ module Rails
         #
         def match(env)
           return nil unless match!(env)
+
           name, = @matchers.find { |_name, matcher| matcher.match(env) }
           name
         end
@@ -58,9 +59,10 @@ module Rails
         # @return [Boolean] method and path *only* match the given environment
         #
         def match!(env)
-          return false unless @http_methods.include?(env["REQUEST_METHOD".freeze])
-          return false unless @path =~ env["PATH_INFO".freeze]
-          return false unless @host.nil? || @host =~ env["HTTP_HOST".freeze]
+          return false unless @http_methods.include?(env["REQUEST_METHOD"])
+          return false unless @path =~ env["PATH_INFO"]
+          return false unless @host.nil? || @host =~ env["HTTP_HOST"]
+
           true
         end
 

data/lib/rails/auth/config_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Configures Rails::Auth middleware for use in a Rails application
@@ -49,6 +51,7 @@ module Rails
         end
 
         return unless monitor
+
         config.middleware.insert_before Rails::Auth::ACL::Middleware,
                                         Rails::Auth::Monitor::Middleware,
                                         monitor
@@ -68,6 +71,7 @@ module Rails
                                           Rails::Auth::ErrorPage::Middleware,
                                           page_body: Pathname(error_page).read
         when FalseClass, NilClass
+          nil
         else raise TypeError, "bad error page mode: #{mode.inspect}"
         end
       end

data/lib/rails/auth/controller_methods.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require "active_support/hash_with_indifferent_access"
 
+# rubocop:disable Naming/MemoizedInstanceVariableName
 module Rails
   module Auth
     # Convenience methods designed to be included in an ActionController::Base subclass
@@ -18,3 +21,4 @@ module Rails
     end
   end
 end
+# rubocop:enable Naming/MemoizedInstanceVariableName

data/lib/rails/auth/credentials.rb

@@ -18,6 +18,7 @@ module Rails
 
       def initialize(credentials = {})
         raise TypeError, "expected Hash, got #{credentials.class}" unless credentials.is_a?(Hash)
+
         @credentials = credentials
       end
 
@@ -25,6 +26,7 @@ module Rails
         return if @credentials.key?(type) && @credentials[type] == value
         raise TypeError, "expected String for type, got #{type.class}" unless type.is_a?(String)
         raise AlreadyAuthorizedError, "credential '#{type}' has already been set" if @credentials.key?(type)
+
         @credentials[type] = value
       end
 

data/lib/rails/auth/credentials/injector_middleware.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     class Credentials
       # A middleware for injecting an arbitrary credentials hash into the Rack environment
       # This is intended for development and testing purposes where you would like to
-      # simulate a given X.509 certificate being used in a request or user logged in
+      # simulate a given X.509 certificate being used in a request or user logged in.
+      # The credentials argument should either be a hash or a proc that returns one.
       class InjectorMiddleware
         def initialize(app, credentials)
           @app = app
@@ -11,7 +14,8 @@ module Rails
         end
 
         def call(env)
-          env[Rails::Auth::Env::CREDENTIALS_ENV_KEY] = @credentials
+          credentials = @credentials.respond_to?(:call) ? @credentials.call(env) : @credentials
+          env[Rails::Auth::Env::CREDENTIALS_ENV_KEY] = credentials
           @app.call(env)
         end
       end

data/lib/rails/auth/env.rb

@@ -5,13 +5,13 @@ module Rails
     # Wrapper for Rack environments with Rails::Auth helpers
     class Env
       # Rack environment key for marking external authorization
-      AUTHORIZED_ENV_KEY = "rails-auth.authorized".freeze
+      AUTHORIZED_ENV_KEY = "rails-auth.authorized"
 
       # Rack environment key for storing what allowed the request
-      ALLOWED_BY_ENV_KEY = "rails-auth.allowed-by".freeze
+      ALLOWED_BY_ENV_KEY = "rails-auth.allowed-by"
 
       # Rack environment key for all rails-auth credentials
-      CREDENTIALS_ENV_KEY = "rails-auth.credentials".freeze
+      CREDENTIALS_ENV_KEY = "rails-auth.credentials"
 
       attr_reader :allowed_by, :credentials
 
@@ -44,6 +44,7 @@ module Rails
       def allowed_by=(allowed_by)
         raise AlreadyAuthorizedError, "already allowed by #{@allowed_by.inspect}" if @allowed_by
         raise TypeError, "expected String for allowed_by, got #{allowed_by.class}" unless allowed_by.is_a?(String)
+
         @allowed_by = allowed_by
       end
 

data/lib/rails/auth/error_page/debug_middleware.rb

@@ -26,7 +26,7 @@ module Rails
 
           @app = app
           @acl = acl
-          @erb = ERB.new(File.read(File.expand_path("../debug_page.html.erb", __FILE__))).freeze
+          @erb = ERB.new(File.read(File.expand_path("debug_page.html.erb", __dir__))).freeze
         end
 
         def call(env)

data/lib/rails/auth/error_page/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module ErrorPage
@@ -32,6 +34,7 @@ module Rails
           accept_format = env["HTTP_ACCEPT"]
           return :json if accept_format && accept_format.downcase.start_with?("application/json")
           return :json if env["PATH_INFO"] && env["PATH_INFO"].end_with?(".json")
+
           nil
         end
       end

data/lib/rails/auth/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Base class of all Rails::Auth errors

data/lib/rails/auth/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   # Modular resource-based authentication and authorization for Rails/Rack
   module Auth

data/lib/rails/auth/installed_constraint.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     # Rails constraint to make sure the ACLs have been installed

data/lib/rails/auth/monitor/middleware.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module Monitor

data/lib/rails/auth/rack.rb

@@ -27,3 +27,4 @@ require "rails/auth/x509/filter/pem"
 require "rails/auth/x509/filter/java" if defined?(JRUBY_VERSION)
 require "rails/auth/x509/matcher"
 require "rails/auth/x509/middleware"
+require "rails/auth/x509/subject_alt_name_extension"

data/lib/rails/auth/rspec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rails/auth/rspec/helper_methods"
 require "rails/auth/rspec/matchers/acl_matchers"
 

data/lib/rails/auth/rspec/helper_methods.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module RSpec
@@ -12,6 +14,7 @@ module Rails
         # NOTE: Credentials will be *cleared* after the block. Nesting is not allowed.
         def with_credentials(credentials = {})
           raise TypeError, "expected Hash of credentials, got #{credentials.class}" unless credentials.is_a?(Hash)
+
           test_credentials.clear
 
           credentials.each do |type, value|
@@ -24,8 +27,8 @@ module Rails
         # Creates an Rails::Auth::X509::Certificate instance double
         def x509_certificate(cn: nil, ou: nil)
           subject = ""
-          subject << "CN=#{cn}" if cn
-          subject << "OU=#{ou}" if ou
+          subject += "CN=#{cn}" if cn
+          subject += "OU=#{ou}" if ou
 
           instance_double(Rails::Auth::X509::Certificate, subject, cn: cn, ou: ou).tap do |certificate|
             allow(certificate).to receive(:[]) do |key|
@@ -47,9 +50,7 @@ module Rails
             path = self.class.description
 
             # Warn if methods are improperly used
-            unless path.chars[0] == "/"
-              raise ArgumentError, "expected #{path} to start with '/'"
-            end
+            raise ArgumentError, "expected #{path} to start with '/'" unless path.chars[0] == "/"
 
             env = {
               "REQUEST_METHOD" => method,

data/lib/rails/auth/rspec/matchers/acl_matchers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec::Matchers.define(:permit) do |env|
   description do
     method      = env["REQUEST_METHOD"]

data/lib/rails/auth/version.rb

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "2.1.4".freeze
+    VERSION = "2.2.0"
   end
 end

data/lib/rails/auth/x509/certificate.rb

@@ -18,7 +18,8 @@ module Rails
           @certificate.subject.to_a.each do |name, data, _type|
             @subject[name.freeze] = data.freeze
           end
-
+          @subject_alt_names = SubjectAltNameExtension.new(certificate)
+          @subject_alt_names.freeze
           @subject.freeze
         end
 
@@ -27,23 +28,52 @@ module Rails
         end
 
         def cn
-          @subject["CN".freeze]
+          @subject["CN"]
         end
         alias common_name cn
 
+        def dns_names
+          @subject_alt_names.dns_names
+        end
+
+        def ips
+          @subject_alt_names.ips
+        end
+
         def ou
-          @subject["OU".freeze]
+          @subject["OU"]
         end
         alias organizational_unit ou
 
+        def uris
+          @subject_alt_names.uris
+        end
+
+        # According to the SPIFFE standard only one SPIFFE ID can exist in the URI
+        # SAN:
+        # (https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#2-spiffe-id)
+        #
+        # @return [String, nil] string containing SPIFFE ID if one is present
+        #         in the certificate
+        def spiffe_id
+          uris.detect { |uri| uri.start_with?("spiffe://") }
+        end
+
         # Generates inspectable attributes for debugging
         #
         # @return [Hash] hash containing parts of the certificate subject (cn, ou)
+        #         and subject alternative name extension (uris, dns_names) as well
+        #         as SPIFFE ID (spiffe_id), which is just a convenience since those
+        #         are already included in the uris
         def attributes
           {
             cn: cn,
-            ou: ou
-          }
+            dns_names: dns_names,
+            ips: ips,
+            ou: ou,
+            spiffe_id: spiffe_id,
+            uris: uris
+          }.reject { |_, v| v.nil? || v.empty? }
         end
 
         # Compare ourself to another object by ensuring that it has the same type

data/lib/rails/auth/x509/filter/java.rb

@@ -1,23 +1,15 @@
-require "java"
-require "stringio"
+# frozen_string_literal: true
 
 module Rails
   module Auth
     module X509
       module Filter
-        # Extract OpenSSL::X509::Certificates from Java's sun.security.x509.X509CertImpl
+        # Extract OpenSSL::X509::Certificates from java.security.cert.Certificate
         class Java
           def call(certs)
-            return unless certs
-            OpenSSL::X509::Certificate.new(extract_der(certs[0])).freeze
-          end
-
-          private
+            return if certs.nil? || certs.empty?
 
-          def extract_der(cert)
-            stringio = StringIO.new
-            cert.derEncode(stringio.to_outputstream)
-            stringio.string
+            OpenSSL::X509::Certificate.new(certs[0].get_encoded).freeze
           end
         end
       end

data/lib/rails/auth/x509/filter/pem.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module X509

data/lib/rails/auth/x509/matcher.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rails
   module Auth
     module X509

data/lib/rails/auth/x509/middleware.rb

@@ -40,7 +40,7 @@ module Rails
 
         def call(env)
           credential = extract_credential(env)
-          Rails::Auth.add_credential(env, "x509".freeze, credential.freeze) if credential
+          Rails::Auth.add_credential(env, "x509", credential.freeze) if credential
 
           @app.call(env)
         end
@@ -62,6 +62,7 @@ module Rails
           end
 
           raise CertificateVerifyFailed, "no client certificate in request" if @require_cert
+
           nil
         end
 
@@ -72,8 +73,8 @@ module Rails
           end
 
           filter.call(raw_cert)
-        rescue => ex
-          @logger.debug("rails-auth: Certificate error: #{ex.class}: #{ex.message}") if @logger
+        rescue StandardError => e
+          @logger.debug("rails-auth: Certificate error: #{e.class}: #{e.message}") if @logger
           nil
         end
 

data/lib/rails/auth/x509/subject_alt_name_extension.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Rails
+  module Auth
+    module X509
+      # Provides convenience methods for subjectAltName extension of X.509 certificates
+      class SubjectAltNameExtension
+        attr_reader :dns_names, :ips, :uris
+
+        DNS_REGEX = /^DNS:/i.freeze
+        IP_REGEX  = /^IP( Address)?:/i.freeze
+        URI_REGEX = /^URI:/i.freeze
+
+        def initialize(certificate)
+          unless certificate.is_a?(OpenSSL::X509::Certificate)
+            raise TypeError, "expecting OpenSSL::X509::Certificate, got #{certificate.class}"
+          end
+
+          extension = certificate.extensions.detect { |ext| ext.oid == "subjectAltName" }
+          values = (extension&.value&.split(",") || []).map(&:strip)
+
+          @dns_names = values.grep(DNS_REGEX) { |v| v.sub(DNS_REGEX, "") }.freeze
+          @ips = values.grep(IP_REGEX) { |v| v.sub(IP_REGEX, "") }.freeze
+          @uris = values.grep(URI_REGEX) { |v| v.sub(URI_REGEX, "") }.freeze
+        end
+      end
+    end
+  end
+end

data/rails-auth.gemspec

@@ -1,5 +1,6 @@
-# coding: utf-8
-lib = File.expand_path("../lib", __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "rails/auth/version"
 
@@ -25,10 +26,10 @@ Gem::Specification.new do |spec|
   spec.bindir        = "exe"
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.0.0"
+  spec.required_ruby_version = ">= 2.3.0"
 
   spec.add_runtime_dependency "rack"
 
-  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "bundler", ">= 1.10", "< 3"
   spec.add_development_dependency "rake", "~> 10.0"
 end

data/spec/rails/auth/acl/matchers/allow_all_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ACL::Matchers::AllowAll do
   let(:matcher)     { described_class.new(enabled) }
   let(:example_env) { env_for(:get, "/") }

data/spec/rails/auth/acl/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "logger"
 
 RSpec.describe Rails::Auth::ACL::Middleware do

data/spec/rails/auth/acl/resource_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ACL::Resource do
   let(:example_method) { "GET" }
   let(:another_method) { "POST" }

data/spec/rails/auth/acl_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ACL do
   let(:example_config) { fixture_path("example_acl.yml").read }
 

data/spec/rails/auth/controller_methods_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ControllerMethods do
   let(:controller_class) do
     Class.new do

data/spec/rails/auth/credentials/injector_middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Credentials::InjectorMiddleware do
   let(:request)     { Rack::MockRequest.env_for("https://www.example.com") }
   let(:app)         { ->(env) { [200, env, "Hello, world!"] } }
@@ -8,4 +10,17 @@ RSpec.describe Rails::Auth::Credentials::InjectorMiddleware do
     _response, env = middleware.call(request)
     expect(env[Rails::Auth::Env::CREDENTIALS_ENV_KEY]).to eq credentials
   end
+
+  context "with a proc for credentials" do
+    let(:credentials_proc) { instance_double(Proc) }
+    let(:middleware)       { described_class.new(app, credentials_proc) }
+
+    it "overrides rails-auth credentials in the rack environment" do
+      expect(credentials_proc).to receive(:call).with(request).and_return(credentials)
+
+      _response, env = middleware.call(request)
+
+      expect(env[Rails::Auth::Env::CREDENTIALS_ENV_KEY]).to eq credentials
+    end
+  end
 end

data/spec/rails/auth/credentials_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Credentials do
   let(:rack_env) { Rack::MockRequest.env_for("https://www.example.com") }
 

data/spec/rails/auth/env_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Env do
   let(:rack_env)          { Rack::MockRequest.env_for("https://www.example.com") }
   let(:example_authority) { "some-authority" }

data/spec/rails/auth/error_page/debug_middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ErrorPage::DebugMiddleware do
   let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
 

data/spec/rails/auth/error_page/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::ErrorPage::Middleware do
   let(:request)    { Rack::MockRequest.env_for("https://www.example.com") }
   let(:error_page) { "<h1> Unauthorized!!! </h1>" }

data/spec/rails/auth/monitor/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::Monitor::Middleware do
   let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
 

data/spec/rails/auth/rspec/helper_methods_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "ostruct"
 
 RSpec.describe Rails::Auth::RSpec::HelperMethods, acl_spec: true do

data/spec/rails/auth/rspec/matchers/acl_matchers_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe "RSpec ACL matchers", acl_spec: true do
   let(:example_certificate) { x509_certificate_hash(ou: "ponycopter") }
   let(:another_certificate) { x509_certificate_hash(ou: "derpderp") }

data/spec/rails/auth/x509/certificate_spec.rb

@@ -1,38 +1,121 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::X509::Certificate do
   let(:example_cert) { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
+  let(:example_cert_with_extension) { OpenSSL::X509::Certificate.new(cert_path("valid_with_ext.crt").read) }
   let(:example_certificate) { described_class.new(example_cert) }
+  let(:example_certificate_with_extension) { described_class.new(example_cert_with_extension) }
 
   let(:example_cn) { "127.0.0.1" }
+  let(:example_dns_names) { %w[example.com exemplar.com somethingelse.com] }
+  let(:example_ips) { %w[0.0.0.0 127.0.0.1 192.168.1.1] }
   let(:example_ou) { "ponycopter" }
+  let(:example_spiffe) { "spiffe://example.com/exemplar" }
+  let(:example_uris) { [example_spiffe, "https://www.example.com/page1", "https://www.example.com/page2"] }
+
+  describe "without extensions" do
+    describe "#[]" do
+      it "allows access to subject components via strings" do
+        expect(example_certificate["CN"]).to eq example_cn
+        expect(example_certificate["OU"]).to eq example_ou
+      end
 
-  describe "#[]" do
-    it "allows access to subject components via strings" do
-      expect(example_certificate["CN"]).to eq example_cn
-      expect(example_certificate["OU"]).to eq example_ou
+      it "allows access to subject components via symbols" do
+        expect(example_certificate[:cn]).to eq example_cn
+        expect(example_certificate[:ou]).to eq example_ou
+      end
     end
 
-    it "allows access to subject components via symbols" do
-      expect(example_certificate[:cn]).to eq example_cn
-      expect(example_certificate[:ou]).to eq example_ou
+    it "knows its #cn" do
+      expect(example_certificate.cn).to eq example_cn
     end
-  end
 
-  it "knows its #cn" do
-    expect(example_certificate.cn).to eq example_cn
-  end
+    it "has no #dns_names" do
+      expect(example_certificate.dns_names).to be_empty
+    end
 
-  it "knows its #ou" do
-    expect(example_certificate.ou).to eq example_ou
-  end
+    it "has no #ips" do
+      expect(example_certificate.ips).to be_empty
+    end
+
+    it "knows its #ou" do
+      expect(example_certificate.ou).to eq example_ou
+    end
 
-  it "knows its attributes" do
-    expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
+    it "has no #uris" do
+      expect(example_certificate.uris).to be_empty
+    end
+
+    it "has no #spiffe_id" do
+      expect(example_certificate.spiffe_id).to be_nil
+    end
+
+    it "knows its attributes" do
+      expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
+    end
+
+    it "compares certificate objects by comparing their certificates" do
+      second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
+      second_certificate = described_class.new(second_cert)
+
+      expect(example_certificate).to be_eql second_certificate
+    end
   end
 
-  it "compares certificate objects by comparing their certificates" do
-    second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
-    second_certificate = described_class.new(second_cert)
+  describe "with extensions" do
+    describe "#[]" do
+      it "allows access to subject components via strings" do
+        expect(example_certificate_with_extension["CN"]).to eq example_cn
+        expect(example_certificate_with_extension["OU"]).to eq example_ou
+      end
 
-    expect(example_certificate).to be_eql second_certificate
+      it "allows access to subject components via symbols" do
+        expect(example_certificate_with_extension[:cn]).to eq example_cn
+        expect(example_certificate_with_extension[:ou]).to eq example_ou
+      end
+    end
+
+    it "knows its #cn" do
+      expect(example_certificate_with_extension.cn).to eq example_cn
+    end
+
+    it "knows its #dns_names" do
+      expect(example_certificate_with_extension.dns_names).to eq example_dns_names
+    end
+
+    it "knows its #ips" do
+      expect(example_certificate_with_extension.ips).to eq example_ips
+    end
+
+    it "knows its #ou" do
+      expect(example_certificate_with_extension.ou).to eq example_ou
+    end
+
+    it "knows its #spiffe_id" do
+      expect(example_certificate_with_extension.spiffe_id).to eq example_spiffe
+    end
+
+    it "knows its #uris" do
+      expect(example_certificate_with_extension.uris).to eq example_uris
+    end
+
+    it "knows its attributes" do
+      expected_attrs = {
+        cn: example_cn,
+        dns_names: example_dns_names,
+        ips: example_ips,
+        ou: example_ou,
+        spiffe_id: example_spiffe,
+        uris: example_uris
+      }
+      expect(example_certificate_with_extension.attributes).to eq(expected_attrs)
+    end
+
+    it "compares certificate objects by comparing their certificates" do
+      second_cert = OpenSSL::X509::Certificate.new(cert_path("valid_with_ext.crt").read)
+      second_certificate = described_class.new(second_cert)
+
+      expect(example_certificate_with_extension).to be_eql second_certificate
+    end
   end
 end

data/spec/rails/auth/x509/matcher_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::X509::Matcher do
   let(:example_cert)        { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
   let(:example_certificate) { Rails::Auth::X509::Certificate.new(example_cert) }

data/spec/rails/auth/x509/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "logger"
 
 RSpec.describe Rails::Auth::X509::Middleware do
@@ -49,10 +51,12 @@ RSpec.describe Rails::Auth::X509::Middleware do
 
       let(:java_cert) do
         ruby_cert = OpenSSL::X509::Certificate.new(valid_cert_pem)
-        Java::SunSecurityX509::X509CertImpl.new(ruby_cert.to_der.to_java_bytes)
+        input_stream = Java::JavaIO::ByteArrayInputStream.new(ruby_cert.to_der.to_java_bytes)
+        java_cert_klass = Java::JavaSecurityCert::CertificateFactory.getInstance("X.509")
+        java_cert_klass.generateCertificate(input_stream)
       end
 
-      it "extracts Rails::Auth::Credential::X509 from a Java::SunSecurityX509::X509CertImpl" do
+      it "extracts Rails::Auth::Credential::X509 from a java.security.cert.Certificate" do
         skip "JRuby only" unless defined?(JRUBY_VERSION)
 
         _response, env = middleware.call(request.merge(example_key => [java_cert]))

data/spec/rails/auth/x509/subject_alt_name_extension_spec.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+RSpec.describe Rails::Auth::X509::SubjectAltNameExtension do
+  let(:example_cert) { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
+  let(:example_cert_with_extension) { OpenSSL::X509::Certificate.new(cert_path("valid_with_ext.crt").read) }
+  let(:extension_for_cert) { described_class.new(example_cert) }
+  let(:extension_for_cert_with_san) { described_class.new(example_cert_with_extension) }
+  let(:example_dns_names) { %w[example.com exemplar.com somethingelse.com] }
+  let(:example_ips) { %w[0.0.0.0 127.0.0.1 192.168.1.1] }
+  let(:example_uris) { %w[spiffe://example.com/exemplar https://www.example.com/page1 https://www.example.com/page2] }
+
+  describe "for cert without extensions" do
+    it "returns no DNS names" do
+      expect(extension_for_cert.dns_names).to be_empty
+    end
+
+    it "returns no IPs" do
+      expect(extension_for_cert.ips).to be_empty
+    end
+
+    it "returns no URIs" do
+      expect(extension_for_cert.uris).to be_empty
+    end
+  end
+
+  describe "for cert with extensions" do
+    it "knows its DNS names" do
+      expect(extension_for_cert_with_san.dns_names).to eq example_dns_names
+    end
+
+    it "knows its IPs" do
+      expect(extension_for_cert_with_san.ips).to eq example_ips
+    end
+
+    it "knows its URIs" do
+      expect(extension_for_cert_with_san.uris).to eq example_uris
+    end
+  end
+end

data/spec/rails/auth_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth do
   it "has a version number" do
     expect(Rails::Auth::VERSION).not_to be nil

data/spec/spec_helper.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 require "coveralls"
 Coveralls.wear!
 
-$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
 require "rails/auth"
 require "rails/auth/rspec"
 require "support/create_certs"
@@ -11,11 +13,11 @@ require "pathname"
 RSpec.configure(&:disable_monkey_patching!)
 
 def cert_path(name)
-  Pathname.new(File.expand_path("../../tmp/certs", __FILE__)).join(name)
+  Pathname.new(File.expand_path("../tmp/certs", __dir__)).join(name)
 end
 
 def fixture_path(*args)
-  Pathname.new(File.expand_path("../fixtures", __FILE__)).join(*args)
+  Pathname.new(File.expand_path("fixtures", __dir__)).join(*args)
 end
 
 def env_for(method, path, host = "127.0.0.1")

data/spec/support/claims_matcher.rb

@@ -1,4 +1,6 @@
 # A strawman matcher for claims-based credentials for use in tests
+# frozen_string_literal: true
+
 class ClaimsMatcher
   def initialize(options)
     @options = options

data/spec/support/create_certs.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 require "certificate_authority"
 require "fileutils"
 
-cert_path = File.expand_path("../../../tmp/certs", __FILE__)
+cert_path = File.expand_path("../../tmp/certs", __dir__)
 FileUtils.mkdir_p(cert_path)
 
 #
@@ -15,7 +17,7 @@ ca.serial_number.number = 1
 ca.key_material.generate_key
 ca.signing_entity = true
 
-ca.sign! "extensions" => { "keyUsage" => { "usage" => %w(critical keyCertSign) } }
+ca.sign! "extensions" => { "keyUsage" => { "usage" => %w[critical keyCertSign] } }
 
 ca_cert_path = File.join(cert_path, "ca.crt")
 ca_key_path  = File.join(cert_path, "ca.key")
@@ -41,6 +43,59 @@ valid_key_path  = File.join(cert_path, "valid.key")
 File.write valid_cert_path, valid_cert.to_pem
 File.write valid_key_path,  valid_cert.key_material.private_key.to_pem
 
+#
+# Valid client certificate with extensions
+#
+
+valid_cert_with_ext = CertificateAuthority::Certificate.new
+valid_cert_with_ext.subject.common_name = "127.0.0.1"
+valid_cert_with_ext.subject.organizational_unit = "ponycopter"
+valid_cert_with_ext.serial_number.number = 3
+valid_cert_with_ext.key_material.generate_key
+signing_profile = {
+  "extensions" => {
+    "basicConstraints" => {
+      "ca" => false
+    },
+    "crlDistributionPoints" => {
+      "uri" => "http://notme.com/other.crl"
+    },
+    "subjectKeyIdentifier" => {},
+    "authorityKeyIdentifier" => {},
+    "authorityInfoAccess" => {
+      "ocsp" => %w[http://youFillThisOut/ocsp/]
+    },
+    "keyUsage" => {
+      "usage" => %w[digitalSignature keyEncipherment dataEncipherment]
+    },
+    "extendedKeyUsage" => {
+      "usage" => %w[serverAuth clientAuth]
+    },
+    "subjectAltName" => {
+      "uris" => %w[spiffe://example.com/exemplar https://www.example.com/page1 https://www.example.com/page2],
+      "ips" => %w[0.0.0.0 127.0.0.1 192.168.1.1],
+      "dns_names" => %w[example.com exemplar.com somethingelse.com]
+    },
+    "certificatePolicies" => {
+      "policy_identifier" => "1.3.5.8",
+      "cps_uris" => %w[http://my.host.name/ http://my.your.name/],
+      "user_notice" => {
+        "explicit_text" => "Explicit Text Here",
+        "organization" => "Organization name",
+        "notice_numbers" => "1,2,3,4"
+      }
+    }
+  }
+}
+valid_cert_with_ext.parent = ca
+valid_cert_with_ext.sign!(signing_profile)
+
+valid_cert_with_ext_path = File.join(cert_path, "valid_with_ext.crt")
+valid_key_with_ext_path  = File.join(cert_path, "valid_with_ext.key")
+
+File.write valid_cert_with_ext_path, valid_cert_with_ext.to_pem
+File.write valid_key_with_ext_path,  valid_cert_with_ext.key_material.private_key.to_pem
+
 #
 # Create evil MitM self-signed certificate
 #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 2.1.4
+  version: 2.2.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-07-17 00:00:00.000000000 Z
+date: 2019-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -28,16 +28,22 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -102,6 +108,7 @@ files:
 - lib/rails/auth/x509/filter/pem.rb
 - lib/rails/auth/x509/matcher.rb
 - lib/rails/auth/x509/middleware.rb
+- lib/rails/auth/x509/subject_alt_name_extension.rb
 - rails-auth.gemspec
 - spec/fixtures/example_acl.yml
 - spec/rails/auth/acl/matchers/allow_all_spec.rb
@@ -120,6 +127,7 @@ files:
 - spec/rails/auth/x509/certificate_spec.rb
 - spec/rails/auth/x509/matcher_spec.rb
 - spec/rails/auth/x509/middleware_spec.rb
+- spec/rails/auth/x509/subject_alt_name_extension_spec.rb
 - spec/rails/auth_spec.rb
 - spec/spec_helper.rb
 - spec/support/claims_matcher.rb
@@ -137,15 +145,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack