rails-auth 2.2.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 773018e606b80732c9e9feeba00cc583032a39ee74de25b2ccaf3e6a852f086b
4
- data.tar.gz: 755f13226f84aec603eaac1ab5d21ed803aa7ac4b37e35e3e072be3b8c7a7803
3
+ metadata.gz: 9f5669f564b62464b0d3078ecfa58fe3732735e44c63bed361061a9f1a663249
4
+ data.tar.gz: cbee05f42e189e543b059d961d1b926d763d84e07c93a3637165f95eba0fe776
5
5
  SHA512:
6
- metadata.gz: a900eea1969e11b56b431fab48fbe35edd4785a3d15c68ab28e0168a4289678fab7da65ed4cd136821bab93b0fce3b8ac29fb05ab02286542585bbb572d4f217
7
- data.tar.gz: 55a2d4e03156e24f75db902f0c5346e756912d053b667ab4c64536902d1d443020e07be138fdc480d4dae951e73d9c55340faea88d41c7587d13f1bb11df3542
6
+ metadata.gz: 0be32c7166ed406dda136608370f059443a56219696c8d13a56f3978f9eca3b37b99ccf0885d4c42d13c660860be52530891d9317a2d2562f7f265d7d751ccd0
7
+ data.tar.gz: e1ada71b12c7732fe2aced6bb98abd11cb7b8fa665093f9faa5808b9c21bef12dd99e3070fcd2ee343acc4b377626ae885098388f85d7d9027f37e1d08d60890
data/CHANGES.md CHANGED
@@ -1,3 +1,15 @@
1
+ ### 3.0.0 (2020-08-10)
2
+
3
+ * [#68](https://github.com/square/rails-auth/pull/68)
4
+ Remove `ca_file` and `require_cert` options to the config builder as we no
5
+ longer verify the certificate chain.
6
+ ([@drcapulet])
7
+
8
+ * [#67](https://github.com/square/rails-auth/pull/67)
9
+ Remove `ca_file`, `require_cert`, and `truststore` options to X509 middleware
10
+ as we no longer verify the certificate chain.
11
+ ([@drcapulet])
12
+
1
13
  ### 2.2.2 (2020-07-02)
2
14
 
3
15
  * [#65](https://github.com/square/rails-auth/pull/65)
@@ -31,22 +31,15 @@ module Rails
31
31
  def production(
32
32
  config,
33
33
  cert_filters: nil,
34
- require_cert: false,
35
- ca_file: nil,
36
34
  error_page: Rails.root.join("public/403.html"),
37
35
  monitor: nil
38
36
  )
39
- raise ArgumentError, "no cert_filters given but require_cert is true" if require_cert && !cert_filters
40
- raise ArgumentError, "no ca_file given but cert_filters were set" if cert_filters && !ca_file
41
-
42
37
  error_page_middleware(config, error_page)
43
38
 
44
39
  if cert_filters
45
40
  config.middleware.insert_before Rails::Auth::ACL::Middleware,
46
41
  Rails::Auth::X509::Middleware,
47
- require_cert: require_cert,
48
42
  cert_filters: cert_filters,
49
- ca_file: ca_file,
50
43
  logger: Rails.logger
51
44
  end
52
45
 
@@ -3,6 +3,6 @@
3
3
  module Rails
4
4
  # Pluggable authentication and authorization for Rack/Rails
5
5
  module Auth
6
- VERSION = "2.2.2"
6
+ VERSION = "3.0.0"
7
7
  end
8
8
  end
@@ -3,30 +3,20 @@
3
3
  module Rails
4
4
  module Auth
5
5
  module X509
6
- # Raised when certificate verification is mandatory
7
- CertificateVerifyFailed = Class.new(NotAuthorizedError)
8
-
9
- # Validates X.509 client certificates and adds credential objects for valid
10
- # clients to the rack environment as env["rails-auth.credentials"]["x509"]
6
+ # Extracts X.509 client certificates and adds credential objects to the
7
+ # rack environment as env["rails-auth.credentials"]["x509"]
11
8
  class Middleware
12
9
  # Create a new X.509 Middleware object
13
10
  #
14
- # @param [Object] app next app in the Rack middleware chain
15
- # @param [String] ca_file path to the CA bundle to verify client certs with
16
- # @param [Hash] cert_filters maps Rack environment names to cert extractors
17
- # @param [Logger] logger place to log verification successes & failures
18
- # @param [Boolean] require_cert causes middleware to raise if certs are unverified
19
- # @param [OpenSSL::X509::Store] truststore (optional) provide your own truststore (for e.g. CRLs)
11
+ # @param [Object] app next app in the Rack middleware chain
12
+ # @param [Hash] cert_filters maps Rack environment names to cert extractors
13
+ # @param [Logger] logger place to log certificate extraction issues
20
14
  #
21
15
  # @return [Rails::Auth::X509::Middleware] new X509 middleware instance
22
- def initialize(app, ca_file: nil, cert_filters: {}, logger: nil, require_cert: false, truststore: nil)
23
- raise ArgumentError, "no ca_file or truststore given" unless ca_file || truststore
24
-
16
+ def initialize(app, cert_filters: {}, logger: nil)
25
17
  @app = app
26
18
  @cert_filters = cert_filters
27
19
  @logger = logger
28
- @require_cert = require_cert
29
- @truststore = truststore || OpenSSL::X509::Store.new.add_file(ca_file)
30
20
 
31
21
  @cert_filters.each do |key, filter|
32
22
  next unless filter.is_a?(Symbol)
@@ -53,17 +43,9 @@ module Rails
53
43
  cert = extract_certificate_with_filter(filter, env[key])
54
44
  next unless cert
55
45
 
56
- if @truststore.verify(cert)
57
- log("Verified", cert)
58
- return Rails::Auth::X509::Certificate.new(cert)
59
- else
60
- log("Verify FAILED", cert)
61
- raise CertificateVerifyFailed, "verify failed: #{subject(cert)}" if @require_cert
62
- end
46
+ return Rails::Auth::X509::Certificate.new(cert)
63
47
  end
64
48
 
65
- raise CertificateVerifyFailed, "no client certificate in request" if @require_cert
66
-
67
49
  nil
68
50
  end
69
51
 
@@ -79,10 +61,6 @@ module Rails
79
61
  nil
80
62
  end
81
63
 
82
- def log(message, cert)
83
- @logger.debug("rails-auth: #{message} (#{subject(cert)})") if @logger
84
- end
85
-
86
64
  def subject(cert)
87
65
  cert.subject.to_a.map { |attr, data| "#{attr}=#{data}" }.join(",")
88
66
  end
@@ -3,41 +3,32 @@
3
3
  require "logger"
4
4
 
5
5
  RSpec.describe Rails::Auth::X509::Middleware do
6
- let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
7
6
  let(:app) { ->(env) { [200, env, "Hello, world!"] } }
7
+ let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
8
8
 
9
- let(:valid_cert_pem) { cert_path("valid.crt").read }
10
- let(:bad_cert_pem) { cert_path("invalid.crt").read }
11
- let(:cert_required) { false }
12
- let(:cert_filter) { :pem }
13
- let(:example_key) { "X-SSL-Client-Cert" }
9
+ let(:cert_filter) { :pem }
10
+ let(:cert_pem) { cert_path("valid.crt").read }
11
+ let(:example_key) { "X-SSL-Client-Cert" }
14
12
 
15
13
  let(:middleware) do
16
14
  described_class.new(
17
15
  app,
18
- logger: Logger.new(STDERR),
19
- ca_file: cert_path("ca.crt").to_s,
20
16
  cert_filters: { example_key => cert_filter },
21
- require_cert: cert_required
17
+ logger: Logger.new(STDERR)
22
18
  )
23
19
  end
24
20
 
25
21
  context "certificate types" do
26
22
  describe "PEM certificates" do
27
23
  it "extracts Rails::Auth::X509::Certificate from a PEM certificate in the Rack environment" do
28
- _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
24
+ _response, env = middleware.call(request.merge(example_key => cert_pem))
29
25
 
30
26
  credential = Rails::Auth.credentials(env).fetch("x509")
31
27
  expect(credential).to be_a Rails::Auth::X509::Certificate
32
28
  end
33
29
 
34
- it "ignores unverified certificates" do
35
- _response, env = middleware.call(request.merge(example_key => bad_cert_pem))
36
- expect(Rails::Auth.credentials(env)).to be_empty
37
- end
38
-
39
30
  it "normalizes abnormal whitespace" do
40
- _response, env = middleware.call(request.merge(example_key => valid_cert_pem.tr("\n", "\t")))
31
+ _response, env = middleware.call(request.merge(example_key => cert_pem.tr("\n", "\t")))
41
32
 
42
33
  credential = Rails::Auth.credentials(env).fetch("x509")
43
34
  expect(credential).to be_a Rails::Auth::X509::Certificate
@@ -46,11 +37,11 @@ RSpec.describe Rails::Auth::X509::Middleware do
46
37
 
47
38
  # :nocov:
48
39
  describe "Java certificates" do
49
- let(:example_key) { "javax.servlet.request.X509Certificate" }
50
40
  let(:cert_filter) { :java }
41
+ let(:example_key) { "javax.servlet.request.X509Certificate" }
51
42
 
52
43
  let(:java_cert) do
53
- ruby_cert = OpenSSL::X509::Certificate.new(valid_cert_pem)
44
+ ruby_cert = OpenSSL::X509::Certificate.new(cert_pem)
54
45
  input_stream = Java::JavaIO::ByteArrayInputStream.new(ruby_cert.to_der.to_java_bytes)
55
46
  java_cert_klass = Java::JavaSecurityCert::CertificateFactory.getInstance("X.509")
56
47
  java_cert_klass.generateCertificate(input_stream)
@@ -67,21 +58,4 @@ RSpec.describe Rails::Auth::X509::Middleware do
67
58
  end
68
59
  # :nocov:
69
60
  end
70
-
71
- describe "require_cert: true" do
72
- let(:cert_required) { true }
73
-
74
- it "functions normally for valid certificates" do
75
- _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
76
-
77
- credential = Rails::Auth.credentials(env).fetch("x509")
78
- expect(credential).to be_a Rails::Auth::X509::Certificate
79
- end
80
-
81
- it "raises Rails::Auth::X509::CertificateVerifyFailed for unverified certificates" do
82
- expect do
83
- middleware.call(request.merge(example_key => bad_cert_pem))
84
- end.to raise_error Rails::Auth::X509::CertificateVerifyFailed
85
- end
86
- end
87
61
  end
@@ -95,20 +95,3 @@ valid_key_with_ext_path = File.join(cert_path, "valid_with_ext.key")
95
95
 
96
96
  File.write valid_cert_with_ext_path, valid_cert_with_ext.to_pem
97
97
  File.write valid_key_with_ext_path, valid_cert_with_ext.key_material.private_key.to_pem
98
-
99
- #
100
- # Create evil MitM self-signed certificate
101
- #
102
-
103
- self_signed_cert = CertificateAuthority::Certificate.new
104
- self_signed_cert.subject.common_name = "127.0.0.1"
105
- self_signed_cert.subject.organizational_unit = "ponycopter"
106
- self_signed_cert.serial_number.number = 2
107
- self_signed_cert.key_material.generate_key
108
- self_signed_cert.sign!
109
-
110
- self_signed_cert_path = File.join(cert_path, "invalid.crt")
111
- self_signed_key_path = File.join(cert_path, "invalid.key")
112
-
113
- File.write self_signed_cert_path, self_signed_cert.to_pem
114
- File.write self_signed_key_path, self_signed_cert.key_material.private_key.to_pem
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-auth
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.2
4
+ version: 3.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tony Arcieri
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-07-02 00:00:00.000000000 Z
11
+ date: 2020-08-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack