RubyGems - rails-auth - Versions diffs - 2.2.2 → 3.0.0 - Mend

rails-auth 2.2.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGES.md +12 -0
data/lib/rails/auth/config_builder.rb +0 -7
data/lib/rails/auth/version.rb +1 -1
data/lib/rails/auth/x509/middleware.rb +7 -29
data/spec/rails/auth/x509/middleware_spec.rb +9 -35
data/spec/support/create_certs.rb +0 -17
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 773018e606b80732c9e9feeba00cc583032a39ee74de25b2ccaf3e6a852f086b
-  data.tar.gz: 755f13226f84aec603eaac1ab5d21ed803aa7ac4b37e35e3e072be3b8c7a7803
+  metadata.gz: 9f5669f564b62464b0d3078ecfa58fe3732735e44c63bed361061a9f1a663249
+  data.tar.gz: cbee05f42e189e543b059d961d1b926d763d84e07c93a3637165f95eba0fe776
 SHA512:
-  metadata.gz: a900eea1969e11b56b431fab48fbe35edd4785a3d15c68ab28e0168a4289678fab7da65ed4cd136821bab93b0fce3b8ac29fb05ab02286542585bbb572d4f217
-  data.tar.gz: 55a2d4e03156e24f75db902f0c5346e756912d053b667ab4c64536902d1d443020e07be138fdc480d4dae951e73d9c55340faea88d41c7587d13f1bb11df3542
+  metadata.gz: 0be32c7166ed406dda136608370f059443a56219696c8d13a56f3978f9eca3b37b99ccf0885d4c42d13c660860be52530891d9317a2d2562f7f265d7d751ccd0
+  data.tar.gz: e1ada71b12c7732fe2aced6bb98abd11cb7b8fa665093f9faa5808b9c21bef12dd99e3070fcd2ee343acc4b377626ae885098388f85d7d9027f37e1d08d60890

data/CHANGES.md CHANGED

@@ -1,3 +1,15 @@
+### 3.0.0 (2020-08-10)
+* [#68](https://github.com/square/rails-auth/pull/68)
+  Remove `ca_file` and `require_cert` options to the config builder as we no
+  longer verify the certificate chain.
+  ([@drcapulet])
+* [#67](https://github.com/square/rails-auth/pull/67)
+  Remove `ca_file`, `require_cert`, and `truststore` options to X509 middleware
+  as we no longer verify the certificate chain.
+  ([@drcapulet])
 ### 2.2.2 (2020-07-02)
 * [#65](https://github.com/square/rails-auth/pull/65)

data/lib/rails/auth/config_builder.rb CHANGED

@@ -31,22 +31,15 @@ module Rails
       def production(
         config,
         cert_filters: nil,
-        require_cert: false,
-        ca_file: nil,
         error_page: Rails.root.join("public/403.html"),
         monitor: nil
       )
-        raise ArgumentError, "no cert_filters given but require_cert is true" if require_cert && !cert_filters
-        raise ArgumentError, "no ca_file given but cert_filters were set"     if cert_filters && !ca_file
         error_page_middleware(config, error_page)
         if cert_filters
           config.middleware.insert_before Rails::Auth::ACL::Middleware,
                                           Rails::Auth::X509::Middleware,
-                                          require_cert: require_cert,
                                           cert_filters: cert_filters,
-                                          ca_file:      ca_file,
                                           logger:       Rails.logger
         end

data/lib/rails/auth/version.rb CHANGED

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "2.2.2"
+    VERSION = "3.0.0"
   end
 end

data/lib/rails/auth/x509/middleware.rb CHANGED

@@ -3,30 +3,20 @@
 module Rails
   module Auth
     module X509
-      # Raised when certificate verification is mandatory
-      CertificateVerifyFailed = Class.new(NotAuthorizedError)
-      # Validates X.509 client certificates and adds credential objects for valid
-      # clients to the rack environment as env["rails-auth.credentials"]["x509"]
+      # Extracts X.509 client certificates and adds credential objects to the
+      # rack environment as env["rails-auth.credentials"]["x509"]
       class Middleware
         # Create a new X.509 Middleware object
         #
-        # @param [Object]               app next app in the Rack middleware chain
-        # @param [String]               ca_file path to the CA bundle to verify client certs with
-        # @param [Hash]                 cert_filters maps Rack environment names to cert extractors
-        # @param [Logger]               logger place to log verification successes & failures
-        # @param [Boolean]              require_cert causes middleware to raise if certs are unverified
-        # @param [OpenSSL::X509::Store] truststore (optional) provide your own truststore (for e.g. CRLs)
+        # @param [Object] app next app in the Rack middleware chain
+        # @param [Hash]   cert_filters maps Rack environment names to cert extractors
+        # @param [Logger] logger place to log certificate extraction issues
         #
         # @return [Rails::Auth::X509::Middleware] new X509 middleware instance
-        def initialize(app, ca_file: nil, cert_filters: {}, logger: nil, require_cert: false, truststore: nil)
-          raise ArgumentError, "no ca_file or truststore given" unless ca_file || truststore
+        def initialize(app, cert_filters: {}, logger: nil)
           @app          = app
           @cert_filters = cert_filters
           @logger       = logger
-          @require_cert = require_cert
-          @truststore   = truststore || OpenSSL::X509::Store.new.add_file(ca_file)
           @cert_filters.each do |key, filter|
             next unless filter.is_a?(Symbol)
@@ -53,17 +43,9 @@ module Rails
             cert = extract_certificate_with_filter(filter, env[key])
             next unless cert
-            if @truststore.verify(cert)
-              log("Verified", cert)
-              return Rails::Auth::X509::Certificate.new(cert)
-            else
-              log("Verify FAILED", cert)
-              raise CertificateVerifyFailed, "verify failed: #{subject(cert)}" if @require_cert
-            end
+            return Rails::Auth::X509::Certificate.new(cert)
           end
-          raise CertificateVerifyFailed, "no client certificate in request" if @require_cert
           nil
         end
@@ -79,10 +61,6 @@ module Rails
           nil
         end
-        def log(message, cert)
-          @logger.debug("rails-auth: #{message} (#{subject(cert)})") if @logger
-        end
         def subject(cert)
           cert.subject.to_a.map { |attr, data| "#{attr}=#{data}" }.join(",")
         end

data/spec/rails/auth/x509/middleware_spec.rb CHANGED

@@ -3,41 +3,32 @@
 require "logger"
 RSpec.describe Rails::Auth::X509::Middleware do
-  let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
   let(:app)     { ->(env) { [200, env, "Hello, world!"] } }
+  let(:request) { Rack::MockRequest.env_for("https://www.example.com") }
-  let(:valid_cert_pem) { cert_path("valid.crt").read }
-  let(:bad_cert_pem)   { cert_path("invalid.crt").read }
-  let(:cert_required)  { false }
-  let(:cert_filter)    { :pem }
-  let(:example_key)    { "X-SSL-Client-Cert" }
+  let(:cert_filter) { :pem }
+  let(:cert_pem)    { cert_path("valid.crt").read }
+  let(:example_key) { "X-SSL-Client-Cert" }
   let(:middleware) do
     described_class.new(
       app,
-      logger: Logger.new(STDERR),
-      ca_file: cert_path("ca.crt").to_s,
       cert_filters: { example_key => cert_filter },
-      require_cert: cert_required
+      logger: Logger.new(STDERR)
     )
   end
   context "certificate types" do
     describe "PEM certificates" do
       it "extracts Rails::Auth::X509::Certificate from a PEM certificate in the Rack environment" do
-        _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
+        _response, env = middleware.call(request.merge(example_key => cert_pem))
         credential = Rails::Auth.credentials(env).fetch("x509")
         expect(credential).to be_a Rails::Auth::X509::Certificate
       end
-      it "ignores unverified certificates" do
-        _response, env = middleware.call(request.merge(example_key => bad_cert_pem))
-        expect(Rails::Auth.credentials(env)).to be_empty
-      end
       it "normalizes abnormal whitespace" do
-        _response, env = middleware.call(request.merge(example_key => valid_cert_pem.tr("\n", "\t")))
+        _response, env = middleware.call(request.merge(example_key => cert_pem.tr("\n", "\t")))
         credential = Rails::Auth.credentials(env).fetch("x509")
         expect(credential).to be_a Rails::Auth::X509::Certificate
@@ -46,11 +37,11 @@ RSpec.describe Rails::Auth::X509::Middleware do
     # :nocov:
     describe "Java certificates" do
-      let(:example_key) { "javax.servlet.request.X509Certificate" }
       let(:cert_filter) { :java }
+      let(:example_key) { "javax.servlet.request.X509Certificate" }
       let(:java_cert) do
-        ruby_cert = OpenSSL::X509::Certificate.new(valid_cert_pem)
+        ruby_cert = OpenSSL::X509::Certificate.new(cert_pem)
         input_stream = Java::JavaIO::ByteArrayInputStream.new(ruby_cert.to_der.to_java_bytes)
         java_cert_klass = Java::JavaSecurityCert::CertificateFactory.getInstance("X.509")
         java_cert_klass.generateCertificate(input_stream)
@@ -67,21 +58,4 @@ RSpec.describe Rails::Auth::X509::Middleware do
     end
     # :nocov:
   end
-  describe "require_cert: true" do
-    let(:cert_required) { true }
-    it "functions normally for valid certificates" do
-      _response, env = middleware.call(request.merge(example_key => valid_cert_pem))
-      credential = Rails::Auth.credentials(env).fetch("x509")
-      expect(credential).to be_a Rails::Auth::X509::Certificate
-    end
-    it "raises Rails::Auth::X509::CertificateVerifyFailed for unverified certificates" do
-      expect do
-        middleware.call(request.merge(example_key => bad_cert_pem))
-      end.to raise_error Rails::Auth::X509::CertificateVerifyFailed
-    end
-  end
 end

data/spec/support/create_certs.rb CHANGED

@@ -95,20 +95,3 @@ valid_key_with_ext_path  = File.join(cert_path, "valid_with_ext.key")
 File.write valid_cert_with_ext_path, valid_cert_with_ext.to_pem
 File.write valid_key_with_ext_path,  valid_cert_with_ext.key_material.private_key.to_pem
-#
-# Create evil MitM self-signed certificate
-#
-self_signed_cert = CertificateAuthority::Certificate.new
-self_signed_cert.subject.common_name = "127.0.0.1"
-self_signed_cert.subject.organizational_unit = "ponycopter"
-self_signed_cert.serial_number.number = 2
-self_signed_cert.key_material.generate_key
-self_signed_cert.sign!
-self_signed_cert_path = File.join(cert_path, "invalid.crt")
-self_signed_key_path  = File.join(cert_path, "invalid.key")
-File.write self_signed_cert_path, self_signed_cert.to_pem
-File.write self_signed_key_path,  self_signed_cert.key_material.private_key.to_pem

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 3.0.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-02 00:00:00.000000000 Z
+date: 2020-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack