rails-auth 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +7 -0
- data/README.md +119 -3
- data/lib/rails/auth.rb +3 -0
- data/lib/rails/auth/acl.rb +6 -8
- data/lib/rails/auth/acl/matchers/allow_all.rb +0 -3
- data/lib/rails/auth/controller_methods.rb +20 -0
- data/lib/rails/auth/credentials.rb +2 -0
- data/lib/rails/auth/version.rb +1 -1
- data/spec/rails/auth/controller_methods_spec.rb +25 -0
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 98e7a606fb32ef7873566d049507dae530d17dc5
|
4
|
+
data.tar.gz: 3944a0e2f6d940b3e2dd64404ab96dab88a6be29
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 396fa09d53a3fc2d646e0b3822ecb40867de7010cd54bac5ab052a98fa0a05593b82fd7bcc870ebebd69420f866d3ccb1218990317b148223f2caebe9d48a047
|
7
|
+
data.tar.gz: 3e5ab68b0a75a8b1ef877c31a26f692bea39dcc4cfcd751fbb3fe9b5ea8ac9ee9d0d2056b7c09bf64b3ab64d1cead82507adb890a72186a845fc6078357dd7b6
|
data/CHANGES.md
CHANGED
@@ -1,3 +1,10 @@
|
|
1
|
+
### 0.2.0 (2016-03-11)
|
2
|
+
|
3
|
+
* [#10](https://github.com/square/rails-auth/pull/10)
|
4
|
+
Add Rails::Auth::ControllerMethods and #credentials method for accessing
|
5
|
+
rails-auth.credentials from a Rails controller.
|
6
|
+
([@tarcieri])
|
7
|
+
|
1
8
|
### 0.1.0 (2016-02-10)
|
2
9
|
|
3
10
|
* [#6](https://github.com/square/rails-auth/pull/6):
|
data/README.md
CHANGED
@@ -21,6 +21,97 @@ Rails::Auth can be used to authenticate and authorize end users using browser
|
|
21
21
|
cookies, service-to-service requests using X.509 client certificates, or any
|
22
22
|
other clients with credentials that have proper authenticating middleware.
|
23
23
|
|
24
|
+
## Architecture
|
25
|
+
|
26
|
+
Rails::Auth makes use of multiple, independent, single-purpose middleware
|
27
|
+
classes to handle specific types of AuthN/AuthZ.
|
28
|
+
|
29
|
+
### AuthN
|
30
|
+
|
31
|
+
Rails::Auth ships with the following AuthN middleware:
|
32
|
+
|
33
|
+
* `Rails::Auth::X509::Middleware`: authenticates X.509 certificates obtained
|
34
|
+
from the Rack environment.
|
35
|
+
|
36
|
+
The goal of Rails::Auth's AuthN middleware is to authenticate *credentials*
|
37
|
+
taken from the Rack environment and place objects representing them under
|
38
|
+
the `"rails-auth.credentials"` key within the Rack environment for use by
|
39
|
+
subsequent AuthN or AuthZ middleware. The built-in support is for X.509
|
40
|
+
client certificates, but other middleware could handle authentication of
|
41
|
+
cookies or (OAuth) bearer credentials.
|
42
|
+
|
43
|
+
The intended usage is to have multiple AuthN middlewares that are capable
|
44
|
+
of extracting different types of credentials, but also allowing AuthZ
|
45
|
+
middleware to apply a single policy to all of them. It's also possible to
|
46
|
+
chain AuthN middleware together such that one credential obtained earlier
|
47
|
+
in the middleware stack is used to authenticate another (for e.g.
|
48
|
+
[channel-bound cookies]).
|
49
|
+
|
50
|
+
[channel-bound cookies]: http://www.browserauth.net/channel-bound-cookies
|
51
|
+
|
52
|
+
### AuthZ
|
53
|
+
|
54
|
+
Rails::Auth ships with one primary AuthZ middleware:
|
55
|
+
|
56
|
+
* `Rails::Auth::ACL::Middleware`: support for Access Control Lists.
|
57
|
+
|
58
|
+
Access Control Lists (ACLs) let you write a single, declarative policy for
|
59
|
+
authorization in your application. ACLs are pluggable and let you write
|
60
|
+
a single policy which can authorize access using different types of
|
61
|
+
credentials.
|
62
|
+
|
63
|
+
ACLs are a declarative approach to authorization, consolidating policies
|
64
|
+
into a single file that can be easily audited by a security team without
|
65
|
+
deep understanding of the many eccentricities of Rails. These policies
|
66
|
+
provide coarse-grained authorization based on routes (as matched by
|
67
|
+
regexes) and the credentials extracted by the AuthN middleware. However,
|
68
|
+
the do not provide AuthZ which includes specific domain objects, or
|
69
|
+
policies around them.
|
70
|
+
|
71
|
+
## Comparison to other Rails/Rack auth libraries/frameworks
|
72
|
+
|
73
|
+
Below is a comparison of how Rails::Auth relates to the existing landscape
|
74
|
+
of Rails AuthN and AuthZ libraries. These are grouped into two different
|
75
|
+
categories: libraries Rails::Auth replaces, and libraries with which
|
76
|
+
Rails::Auth can be used in a complimentary fashion.
|
77
|
+
|
78
|
+
### Replaces:
|
79
|
+
|
80
|
+
* [Warden]: Uses a single "opinionated" Rack middleware providing
|
81
|
+
user-centric authentication and methods that allow controllers
|
82
|
+
to imperatively interrogate the authentication context for
|
83
|
+
authorization purposes. By comparison Rails::Auth is not prescriptive
|
84
|
+
and much more flexible about credential types (supporting credentials
|
85
|
+
for both user and service clients) and uses declarative authorization
|
86
|
+
policies in the form of ACLs.
|
87
|
+
|
88
|
+
* [Devise]: A mature, flexible, expansive framework primarily intended
|
89
|
+
for user authentication. Some of the same caveats as Warden apply,
|
90
|
+
however Devise provides a framework for modeling users within a Rails
|
91
|
+
app along with common authentication flows, making it somewhat
|
92
|
+
orthogonal to what Rails::Auth provides. Rails::Auth is designed to
|
93
|
+
easily support [claims-based identity] systems where user identity
|
94
|
+
is outsourced to a separate microservice.
|
95
|
+
|
96
|
+
### Compliments:
|
97
|
+
|
98
|
+
* [Pundit]: Domain object-centric fine-grained authorization using clean
|
99
|
+
object-oriented APIs. Pundit makes authorization decisions around particular
|
100
|
+
objects based on policy objects and contexts. Rails::Auth's credentials
|
101
|
+
can be used as a powerful policy context for Pundit.
|
102
|
+
|
103
|
+
* [CanCanCan]: a continuation of the popular CanCan AuthZ library after a
|
104
|
+
period of neglect. Uses a more DSL-like approach to AuthZ than Pundit,
|
105
|
+
but provides many facilities similar to Pundit for domain object-centric
|
106
|
+
AuthZ.
|
107
|
+
|
108
|
+
[Warden]: https://github.com/hassox/warden/wiki
|
109
|
+
[Devise]: https://github.com/plataformatec/devise
|
110
|
+
[Pundit]: https://github.com/elabs/pundit
|
111
|
+
[CanCanCan]: https://github.com/CanCanCommunity/cancancan
|
112
|
+
|
113
|
+
[claims-based identity]: https://en.wikipedia.org/wiki/Claims-based_identity
|
114
|
+
|
24
115
|
## Installation
|
25
116
|
|
26
117
|
Add this line to your application's Gemfile:
|
@@ -51,13 +142,38 @@ Rails::Auth ships with the following middleware:
|
|
51
142
|
|
52
143
|
Documentation of these middleware and how to use them is provided below.
|
53
144
|
|
145
|
+
|
146
|
+
### Controller Methods
|
147
|
+
|
148
|
+
Rails::Auth includes a module of helper methods you can use from Rails
|
149
|
+
controllers. Include them like so:
|
150
|
+
|
151
|
+
```ruby
|
152
|
+
class ApplicationController < ActionController::Base
|
153
|
+
include Rails::Auth::ControllerMethods
|
154
|
+
|
155
|
+
def x509_certificate_ou
|
156
|
+
credentials[:x509].try(:ou)
|
157
|
+
end
|
158
|
+
|
159
|
+
def current_username
|
160
|
+
# Note: Rails::Auth doesn't provide a middleware to extract this, it's
|
161
|
+
# just an example of how you could use it with your own claims-based
|
162
|
+
# identity system.
|
163
|
+
credentials[:identity_claims].try(:username)
|
164
|
+
end
|
165
|
+
end
|
166
|
+
```
|
167
|
+
|
168
|
+
This defines the following methods:
|
169
|
+
|
170
|
+
* `#credentials`: obtain a HashWithIndifferentAccess containing all of the
|
171
|
+
credentials that Rails::Auth has extracted using its AuthN middleware.
|
172
|
+
|
54
173
|
### Access Control Lists (ACLs)
|
55
174
|
|
56
175
|
ACLs are the main tool Rails::Auth provides for AuthZ. ACLs use a set of
|
57
176
|
route-by-route matchers to control access to particular resources.
|
58
|
-
Unlike some Rails AuthZ frameworks, this gem grants/denies access to
|
59
|
-
controller actions, rather than helping you provide different content to
|
60
|
-
different roles or varying the parameters allowed in, say, an update action.
|
61
177
|
|
62
178
|
Rails::Auth encourages the use of YAML files for storing ACL definitions,
|
63
179
|
although the use of YAML is not mandatory and the corresponding object
|
data/lib/rails/auth.rb
CHANGED
data/lib/rails/auth/acl.rb
CHANGED
@@ -1,16 +1,14 @@
|
|
1
|
+
# Pull in default predicate matchers
|
2
|
+
require "rails/auth/acl/matchers/allow_all"
|
3
|
+
|
1
4
|
module Rails
|
2
5
|
module Auth
|
3
6
|
# Route-based access control lists
|
4
7
|
class ACL
|
5
8
|
# Predicate matchers available by default in ACLs
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
# Pull in default predicate matchers
|
11
|
-
require "rails/auth/acl/matchers/allow_all"
|
12
|
-
|
13
|
-
DEFAULT_MATCHERS.freeze
|
9
|
+
DEFAULT_MATCHERS = {
|
10
|
+
allow_all: Matchers::AllowAll
|
11
|
+
}.freeze
|
14
12
|
|
15
13
|
# Create a Rails::Auth::ACL from a YAML representation of an ACL
|
16
14
|
#
|
@@ -0,0 +1,20 @@
|
|
1
|
+
require "active_support/hash_with_indifferent_access"
|
2
|
+
|
3
|
+
module Rails
|
4
|
+
module Auth
|
5
|
+
# Convenience methods designed to be included in an ActionController::Base subclass
|
6
|
+
# Recommended use: include in ApplicationController
|
7
|
+
module ControllerMethods
|
8
|
+
# Obtain credentials for the current request
|
9
|
+
#
|
10
|
+
# @return [HashWithIndifferentAccess] credentials extracted from the environment
|
11
|
+
#
|
12
|
+
def credentials
|
13
|
+
@_rails_auth_credentials ||= begin
|
14
|
+
creds = Rails::Auth.credentials(request.env)
|
15
|
+
HashWithIndifferentAccess.new(creds).freeze
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
data/lib/rails/auth/version.rb
CHANGED
@@ -0,0 +1,25 @@
|
|
1
|
+
RSpec.describe Rails::Auth::ControllerMethods do
|
2
|
+
let(:controller_class) do
|
3
|
+
Class.new do
|
4
|
+
attr_reader :request
|
5
|
+
|
6
|
+
def initialize(env)
|
7
|
+
@request = OpenStruct.new(env: env)
|
8
|
+
end
|
9
|
+
|
10
|
+
include Rails::Auth::ControllerMethods
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
describe "#credentials" do
|
15
|
+
let(:example_credential_type) { "x509" }
|
16
|
+
let(:example_credential_value) { instance_double(Rails::Auth::X509::Certificate) }
|
17
|
+
|
18
|
+
let(:example_env) { Rails::Auth.add_credential({}, example_credential_type, example_credential_value) }
|
19
|
+
let(:example_controller) { controller_class.new(example_env) }
|
20
|
+
|
21
|
+
it "extracts credentials from the Rack environment" do
|
22
|
+
expect(example_controller.credentials[example_credential_type.to_sym]).to eq example_credential_value
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rails-auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tony Arcieri
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-03-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -79,6 +79,7 @@ files:
|
|
79
79
|
- lib/rails/auth/acl/matchers/allow_all.rb
|
80
80
|
- lib/rails/auth/acl/middleware.rb
|
81
81
|
- lib/rails/auth/acl/resource.rb
|
82
|
+
- lib/rails/auth/controller_methods.rb
|
82
83
|
- lib/rails/auth/credentials.rb
|
83
84
|
- lib/rails/auth/error_page/middleware.rb
|
84
85
|
- lib/rails/auth/exceptions.rb
|
@@ -98,6 +99,7 @@ files:
|
|
98
99
|
- spec/rails/auth/acl/middleware_spec.rb
|
99
100
|
- spec/rails/auth/acl/resource_spec.rb
|
100
101
|
- spec/rails/auth/acl_spec.rb
|
102
|
+
- spec/rails/auth/controller_methods_spec.rb
|
101
103
|
- spec/rails/auth/credentials_spec.rb
|
102
104
|
- spec/rails/auth/error_page/middleware_spec.rb
|
103
105
|
- spec/rails/auth/rspec/helper_methods_spec.rb
|