rails-auth 2.2.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c22c652d804b973313277d33b6c08dd0f3ae6389dfa0ebeaba73fd84488084b3
-  data.tar.gz: 95f4c1eab88b2ee3f8f608682690e70c8ca3a4c1b9925b537f14d33c88b91f7c
+  metadata.gz: ebb7b8700e3c8719cdb65a37efa8e1234b79a35a43fba6dffcb9d427cbf9e2e7
+  data.tar.gz: 46e21ea3735dde1cf16c1242ca1117288bce5a4c4ef5cf0f3669e890fecc5124
 SHA512:
-  metadata.gz: a78bb6b55dd36517e9fd325f433210d3367d2aab18541507ac9feb607cdc92c4f2ce4b26df69bdd093c918b98bfc8c37c75add8ce572a0eb07025d96f2bc95f7
-  data.tar.gz: c5363dfa5f09bef450d827bdfa24226c4e080c47ff8c4b5c81da94192c834ac4d3fa97531d9dec11b5907949d249f59cf9856dd1b727f40d89b1ce2379ce60ac
+  metadata.gz: fcec7e972d73c52fdcaeef22da67dee25849efaddbf254964b3e73f5179e849ef1bd32e80c1f6520f5502884f27811c0b6bb66278923da67320b38cdfd42464b
+  data.tar.gz: 12a93fbdbfc37c44da69bdbb8b163554dd145364627fb689b5acc530a4ec176f6ac5ee2fa0b502ab594a998ce0fad8664e111aafdd268e0f04571f942d9ce6e1

data/.github/workflows/jruby.yml

@@ -0,0 +1,31 @@
+name: CI - JRuby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java-version:
+          - 8
+          - 11
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Java
+      uses: actions/setup-java@v2
+      with:
+        distribution: temurin
+        java-version: ${{ matrix.java-version }}
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+        ruby-version: jruby
+    - name: Run tests
+      run: bundle exec rake

data/.github/workflows/mri.yml

@@ -0,0 +1,27 @@
+name: CI - MRI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version:
+          - 2.6
+          - 2.7
+          - 3.0
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+        ruby-version: ${{ matrix.ruby-version }}
+    - name: Run tests
+      run: bundle exec rake

data/CHANGES.md

@@ -1,3 +1,33 @@
+### 3.1.0 (2021-10-26)
+
+* [#70](https://github.com/square/rails-auth/pull/70)
+  Support URL-encoded PEMs to support new Puma header requirements.
+  ([@drcapulet])
+
+### 3.0.0 (2020-08-10)
+
+* [#68](https://github.com/square/rails-auth/pull/68)
+  Remove `ca_file` and `require_cert` options to the config builder as we no
+  longer verify the certificate chain.
+  ([@drcapulet])
+
+* [#67](https://github.com/square/rails-auth/pull/67)
+  Remove `ca_file`, `require_cert`, and `truststore` options to X509 middleware
+  as we no longer verify the certificate chain.
+  ([@drcapulet])
+
+### 2.2.2 (2020-07-02)
+
+* [#65](https://github.com/square/rails-auth/pull/65)
+  Fix error when passing `truststore` instead of `ca_file` to X509 middleware.
+  ([@drcapulet])
+
+### 2.2.1 (2020-01-08)
+
+* [#63](https://github.com/square/rails-auth/pull/63)
+  Fix `FrozenError` in `permit` matcher description.
+  ([@drcapulet])
+
 ### 2.2.0 (2019-12-05)
 
 * [#55](https://github.com/square/rails-auth/pull/55)

data/lib/rails/auth/config_builder.rb

@@ -31,22 +31,15 @@ module Rails
       def production(
         config,
         cert_filters: nil,
-        require_cert: false,
-        ca_file: nil,
         error_page: Rails.root.join("public/403.html"),
         monitor: nil
       )
-        raise ArgumentError, "no cert_filters given but require_cert is true" if require_cert && !cert_filters
-        raise ArgumentError, "no ca_file given but cert_filters were set"     if cert_filters && !ca_file
-
         error_page_middleware(config, error_page)
 
         if cert_filters
           config.middleware.insert_before Rails::Auth::ACL::Middleware,
                                           Rails::Auth::X509::Middleware,
-                                          require_cert: require_cert,
                                           cert_filters: cert_filters,
-                                          ca_file:      ca_file,
                                           logger:       Rails.logger
         end
 

data/lib/rails/auth/rack.rb

@@ -24,6 +24,7 @@ require "rails/auth/monitor/middleware"
 
 require "rails/auth/x509/certificate"
 require "rails/auth/x509/filter/pem"
+require "rails/auth/x509/filter/pem_urlencoded"
 require "rails/auth/x509/filter/java" if defined?(JRUBY_VERSION)
 require "rails/auth/x509/matcher"
 require "rails/auth/x509/middleware"

data/lib/rails/auth/rspec/matchers/acl_matchers.rb

@@ -6,9 +6,9 @@ RSpec::Matchers.define(:permit) do |env|
     credentials = Rails::Auth.credentials(env)
     message     = "allow #{method}s by "
 
-    return message << "unauthenticated clients" if credentials.count.zero?
+    return message + "unauthenticated clients" if credentials.count.zero?
 
-    message << credentials.values.map(&:inspect).join(", ")
+    message + credentials.values.map(&:inspect).join(", ")
   end
 
   match { |acl| acl.match(env) }

data/lib/rails/auth/version.rb

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "2.2.0"
+    VERSION = "3.1.0"
   end
 end

data/lib/rails/auth/x509/filter/pem_urlencoded.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Rails
+  module Auth
+    module X509
+      module Filter
+        # Extract OpenSSL::X509::Certificates from Privacy Enhanced Mail (PEM) certificates
+        # that are URL encoded ($ssl_client_escaped_cert from Nginx).
+        class PemUrlencoded < Pem
+          def call(encoded_pem)
+            super(URI.decode_www_form_component(encoded_pem))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rails/auth/x509/middleware.rb

@@ -3,29 +3,20 @@
 module Rails
   module Auth
     module X509
-      # Raised when certificate verification is mandatory
-      CertificateVerifyFailed = Class.new(NotAuthorizedError)
-
-      # Validates X.509 client certificates and adds credential objects for valid
-      # clients to the rack environment as env["rails-auth.credentials"]["x509"]
+      # Extracts X.509 client certificates and adds credential objects to the
+      # rack environment as env["rails-auth.credentials"]["x509"]
       class Middleware
         # Create a new X.509 Middleware object
         #
-        # @param [Object]               app next app in the Rack middleware chain
-        # @param [Hash]                 cert_filters maps Rack environment names to cert extractors
-        # @param [String]               ca_file path to the CA bundle to verify client certs with
-        # @param [OpenSSL::X509::Store] truststore (optional) provide your own truststore (for e.g. CRLs)
-        # @param [Boolean]              require_cert causes middleware to raise if certs are unverified
+        # @param [Object] app next app in the Rack middleware chain
+        # @param [Hash]   cert_filters maps Rack environment names to cert extractors
+        # @param [Logger] logger place to log certificate extraction issues
         #
         # @return [Rails::Auth::X509::Middleware] new X509 middleware instance
-        def initialize(app, cert_filters: {}, ca_file: nil, truststore: nil, require_cert: false, logger: nil)
-          raise ArgumentError, "no ca_file given" unless ca_file
-
+        def initialize(app, cert_filters: {}, logger: nil)
           @app          = app
-          @logger       = logger
-          @truststore   = truststore || OpenSSL::X509::Store.new.add_file(ca_file)
-          @require_cert = require_cert
           @cert_filters = cert_filters
+          @logger       = logger
 
           @cert_filters.each do |key, filter|
             next unless filter.is_a?(Symbol)
@@ -52,17 +43,9 @@ module Rails
             cert = extract_certificate_with_filter(filter, env[key])
             next unless cert
 
-            if @truststore.verify(cert)
-              log("Verified", cert)
-              return Rails::Auth::X509::Certificate.new(cert)
-            else
-              log("Verify FAILED", cert)
-              raise CertificateVerifyFailed, "verify failed: #{subject(cert)}" if @require_cert
-            end
+            return Rails::Auth::X509::Certificate.new(cert)
           end
 
-          raise CertificateVerifyFailed, "no client certificate in request" if @require_cert
-
           nil
         end
 
@@ -78,10 +61,6 @@ module Rails
           nil
         end
 
-        def log(message, cert)
-          @logger.debug("rails-auth: #{message} (#{subject(cert)})") if @logger
-        end
-
         def subject(cert)
           cert.subject.to_a.map { |attr, data| "#{attr}=#{data}" }.join(",")
         end

data/spec/rails/auth/rspec/matchers/acl_matchers_spec.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 RSpec.describe "RSpec ACL matchers", acl_spec: true do
-  let(:example_certificate) { x509_certificate_hash(ou: "ponycopter") }
   let(:another_certificate) { x509_certificate_hash(ou: "derpderp") }
+  let(:example_certificate) { x509_certificate_hash(ou: "ponycopter") }
 
   subject do
     Rails::Auth::ACL.from_yaml(
@@ -18,5 +18,14 @@ RSpec.describe "RSpec ACL matchers", acl_spec: true do
     it { is_expected.to permit get_request(credentials: example_certificate) }
     it { is_expected.not_to permit get_request(credentials: another_certificate) }
     it { is_expected.not_to permit get_request }
+
+    it "has the correct description" do
+      expect(permit(get_request(credentials: example_certificate)).description)
+        .to eq('allow GETs by #<InstanceDouble(Rails::Auth::X509::Certificate) "OU=ponycopter">')
+      expect(permit(get_request(credentials: another_certificate)).description)
+        .to eq('allow GETs by #<InstanceDouble(Rails::Auth::X509::Certificate) "OU=derpderp">')
+      expect(permit(get_request).description)
+        .to eq("allow GETs by unauthenticated clients")
+    end
   end
 end

data/spec/rails/auth/x509/middleware_spec.rb

@@ -3,41 +3,32 @@
 require "logger"
 
 RSpec.describe Rails::Auth::X509::Middleware do
-  let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
   let(:app)     { ->(env) { [200, env, "Hello, world!"] } }
+  let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
 
-  let(:valid_cert_pem) { cert_path("valid.crt").read }
-  let(:bad_cert_pem)   { cert_path("invalid.crt").read }
-  let(:cert_required)  { false }
-  let(:cert_filter)    { :pem }
-  let(:example_key)    { "X-SSL-Client-Cert" }
+  let(:cert_filter) { :pem }
+  let(:cert_pem)    { cert_path("valid.crt").read }
+  let(:example_key) { "X-SSL-Client-Cert" }
 
   let(:middleware) do
     described_class.new(
       app,
-      logger: Logger.new(STDERR),
-      ca_file: cert_path("ca.crt").to_s,
       cert_filters: { example_key => cert_filter },
-      require_cert: cert_required
+      logger: Logger.new(STDERR)
     )
   end
 
   context "certificate types" do
     describe "PEM certificates" do
       it "extracts Rails::Auth::X509::Certificate from a PEM certificate in the Rack environment" do
-        _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
+        _response, env = middleware.call(request.merge(example_key => cert_pem))
 
         credential = Rails::Auth.credentials(env).fetch("x509")
         expect(credential).to be_a Rails::Auth::X509::Certificate
       end
 
-      it "ignores unverified certificates" do
-        _response, env = middleware.call(request.merge(example_key => bad_cert_pem))
-        expect(Rails::Auth.credentials(env)).to be_empty
-      end
-
       it "normalizes abnormal whitespace" do
-        _response, env = middleware.call(request.merge(example_key => valid_cert_pem.tr("\n", "\t")))
+        _response, env = middleware.call(request.merge(example_key => cert_pem.tr("\n", "\t")))
 
         credential = Rails::Auth.credentials(env).fetch("x509")
         expect(credential).to be_a Rails::Auth::X509::Certificate
@@ -46,11 +37,11 @@ RSpec.describe Rails::Auth::X509::Middleware do
 
     # :nocov:
     describe "Java certificates" do
-      let(:example_key) { "javax.servlet.request.X509Certificate" }
       let(:cert_filter) { :java }
+      let(:example_key) { "javax.servlet.request.X509Certificate" }
 
       let(:java_cert) do
-        ruby_cert = OpenSSL::X509::Certificate.new(valid_cert_pem)
+        ruby_cert = OpenSSL::X509::Certificate.new(cert_pem)
         input_stream = Java::JavaIO::ByteArrayInputStream.new(ruby_cert.to_der.to_java_bytes)
         java_cert_klass = Java::JavaSecurityCert::CertificateFactory.getInstance("X.509")
         java_cert_klass.generateCertificate(input_stream)
@@ -67,21 +58,4 @@ RSpec.describe Rails::Auth::X509::Middleware do
     end
     # :nocov:
   end
-
-  describe "require_cert: true" do
-    let(:cert_required) { true }
-
-    it "functions normally for valid certificates" do
-      _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
-
-      credential = Rails::Auth.credentials(env).fetch("x509")
-      expect(credential).to be_a Rails::Auth::X509::Certificate
-    end
-
-    it "raises Rails::Auth::X509::CertificateVerifyFailed for unverified certificates" do
-      expect do
-        middleware.call(request.merge(example_key => bad_cert_pem))
-      end.to raise_error Rails::Auth::X509::CertificateVerifyFailed
-    end
-  end
 end

data/spec/support/create_certs.rb

@@ -95,20 +95,3 @@ valid_key_with_ext_path  = File.join(cert_path, "valid_with_ext.key")
 
 File.write valid_cert_with_ext_path, valid_cert_with_ext.to_pem
 File.write valid_key_with_ext_path,  valid_cert_with_ext.key_material.private_key.to_pem
-
-#
-# Create evil MitM self-signed certificate
-#
-
-self_signed_cert = CertificateAuthority::Certificate.new
-self_signed_cert.subject.common_name = "127.0.0.1"
-self_signed_cert.subject.organizational_unit = "ponycopter"
-self_signed_cert.serial_number.number = 2
-self_signed_cert.key_material.generate_key
-self_signed_cert.sign!
-
-self_signed_cert_path = File.join(cert_path, "invalid.crt")
-self_signed_key_path  = File.join(cert_path, "invalid.key")
-
-File.write self_signed_cert_path, self_signed_cert.to_pem
-File.write self_signed_key_path,  self_signed_cert.key_material.private_key.to_pem

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-12-05 00:00:00.000000000 Z
+date: 2021-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -67,10 +67,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/jruby.yml"
+- ".github/workflows/mri.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - BUG-BOUNTY.md
 - CHANGES.md
 - CONDUCT.md
@@ -106,6 +107,7 @@ files:
 - lib/rails/auth/x509/certificate.rb
 - lib/rails/auth/x509/filter/java.rb
 - lib/rails/auth/x509/filter/pem.rb
+- lib/rails/auth/x509/filter/pem_urlencoded.rb
 - lib/rails/auth/x509/matcher.rb
 - lib/rails/auth/x509/middleware.rb
 - lib/rails/auth/x509/subject_alt_name_extension.rb
@@ -152,7 +154,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack

data/.travis.yml

@@ -1,24 +0,0 @@
-language: ruby
-sudo: false
-branches:
-  only:
-    - master
-
-before_install:
-  - gem install bundler
-
-bundler_args: --without development
-
-rvm:
-  - 2.4
-  - 2.5
-  - 2.6
-matrix:
-  include:
-    - rvm: jruby
-      jdk: openjdk8
-      env: JRUBY_OPTS="--debug" # for simplecov
-    - rvm: jruby
-      jdk: openjdk11
-      env: JRUBY_OPTS="--debug" # for simplecov
-  fast_finish: true