RubyGems - rails-auth - Versions diffs - 1.0.0 → 1.1.0 - Mend

rails-auth 1.0.0 → 1.1.0

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGES.md +11 -0
data/README.md +2 -2
data/lib/rails/auth/acl/middleware.rb +1 -1
data/lib/rails/auth/credentials.rb +7 -0
data/lib/rails/auth/override.rb +29 -0
data/lib/rails/auth/rack.rb +2 -0
data/lib/rails/auth/version.rb +1 -1
data/lib/rails/auth/x509/certificate.rb +8 -0
data/lib/rails/auth/x509/filter/pem.rb +1 -1
data/spec/rails/auth/acl/middleware_spec.rb +20 -0
data/spec/rails/auth/credentials_spec.rb +20 -4
data/spec/rails/auth/x509/certificate_spec.rb +7 -0
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4c35439565b7bba440548903906ea7ba4e7a49db
-  data.tar.gz: 9541c01cc249006beca8f69dbc91c98f2fe4b889
+  metadata.gz: fe64cc61d2ee90c0108495d16f8ddb385c26caf2
+  data.tar.gz: 49f2318348eac65b42d60875028047bdcfe3a555
 SHA512:
-  metadata.gz: 0a8c0b5b03f2189e2c6b37b610bf90d78fab5b7f07129a149e265dd961787abe1dfc906dedd7124abab5f3ccb945b5fb18f60e778e7ef4d4f8f8ed008c249f3b
-  data.tar.gz: 1259129ae0211491d793c83ad9dd75b549e82a201cf6bcdf53afbbc3d7920a492ce9aa7fe832a8f99f48c3c771850b478dae1331bafac170e20468449d2c5f85
+  metadata.gz: 0a99e56a462666b4c6140e03f5066a6ba43b5e9707742300dc1ddcb9478b61380268d5ea604cb1cc06aaa6da34a7ae969cd22f75b85f656414bbea46f4063b13
+  data.tar.gz: eb25fca0e6a870093bc7d638fecb214594d0d3c467b7b50400c43b2dbdb1cb3e96612b7cfe9aac0c0e0656e178d094f3356923c2a157f5fca47bf7f4e75f9be5

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,13 @@
+### 1.1.0 (2016-06-23)
+* [#26](https://github.com/square/rails-auth/pull/26)
+  Make add_credential idempotent.
+  ([@ewr])
+* [#25](https://github.com/square/rails-auth/pull/25)
+  Allow outside middleware to mark a request as authorized.
+  ([@ewr])
 ### 1.0.0 (2016-05-03)
 * Initial 1.0 release!
@@ -82,3 +92,4 @@
 [@tarcieri]: https://github.com/tarcieri
+[@ewr]: https://github.com/ewr

data/README.md CHANGED Viewed

@@ -448,12 +448,12 @@ RSpec.describe "example_acl.yml", acl_spec: true do
   subject do
     Rails::Auth::ACL.from_yaml(
       File.read("/path/to/example_acl.yml"),
-      matchers: { allow_x509_subject: Rails::Auth::X509::Matcher }
+      matchers: { allow_x509_subject: Rails::Auth::X509::Matcher } # add your custom matchers too
     )
   end
   describe "/path/to/resource" do
-    it { is_expected.to     permit get_request(credentials: example_credentials) }
+    it { is_expected.to     permit get_request(certificates: example_credentials) }
     it { is_expected.not_to permit get_request) }
   end
 end

data/lib/rails/auth/acl/middleware.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Rails
         end
         def call(env)
-          raise NotAuthorizedError, "unauthorized request" unless @acl.match(env)
+          raise NotAuthorizedError, "unauthorized request" unless Rails::Auth.authorized?(env) || @acl.match(env)
           @app.call(env)
         end
       end

data/lib/rails/auth/credentials.rb CHANGED Viewed

@@ -25,7 +25,14 @@ module Rails
       def add_credential(env, type, credential)
         credentials = env[CREDENTIALS_ENV_KEY] ||= {}
+        # Adding a credential is idempotent, so attempting to reregister
+        # the same credential should be harmless
+        return env if credentials.key?(type) && credentials[type] == credential
+        # raise if we already have a cred, but it didn't short-circuit as
+        # being == to the one supplied
         raise ArgumentError, "credential #{type} already added to request" if credentials.key?(type)
         credentials[type] = credential
         env

data/lib/rails/auth/override.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Rails
+  # Modular resource-based authentication and authorization for Rails/Rack
+  module Auth
+    # Rack environment key for marking external authorization
+    AUTHORIZED_ENV_KEY = "rails-auth.authorized".freeze
+    # Functionality allowing external middleware to override our ACL check process
+    module Override
+      # Mark a request as externally authorized. Causes ACL checks to be skipped.
+      #
+      # @param [Hash] :env Rack environment
+      #
+      def authorized!(env)
+        env[AUTHORIZED_ENV_KEY] = true
+      end
+      # Check whether a request has been externally authorized? Used to bypass
+      # ACL check.
+      #
+      # @param [Hash] :env Rack environment
+      #
+      def authorized?(env)
+        env.fetch(AUTHORIZED_ENV_KEY, false)
+      end
+    end
+    extend Override
+  end
+end

data/lib/rails/auth/rack.rb CHANGED Viewed

@@ -8,6 +8,8 @@ require "rails/auth/version"
 require "rails/auth/exceptions"
+require "rails/auth/override"
 require "rails/auth/acl"
 require "rails/auth/acl/middleware"
 require "rails/auth/acl/resource"

data/lib/rails/auth/version.rb CHANGED Viewed

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "1.0.0".freeze
+    VERSION = "1.1.0".freeze
   end
 end

data/lib/rails/auth/x509/certificate.rb CHANGED Viewed

@@ -45,6 +45,14 @@ module Rails
             ou: ou
           }
         end
+        # Compare ourself to another object by ensuring that it has the same type
+        # and that its certificate pem is the same as ours
+        def ==(other)
+          other.is_a?(self.class) && other.certificate.to_der == certificate.to_der
+        end
+        alias eql? ==
       end
     end
   end

data/lib/rails/auth/x509/filter/pem.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Rails
         # Extract OpenSSL::X509::Certificates from Privacy Enhanced Mail (PEM) certificates
         class Pem
           def call(pem)
-            OpenSSL::X509::Certificate.new(pem).freeze
+            OpenSSL::X509::Certificate.new(pem.delete("\t")).freeze
           end
         end
       end

data/spec/rails/auth/acl/middleware_spec.rb CHANGED Viewed

@@ -21,4 +21,24 @@ RSpec.describe Rails::Auth::ACL::Middleware do
       expect { expect(middleware.call(request)) }.to raise_error(Rails::Auth::NotAuthorizedError)
     end
   end
+  context "externally authorized requests" do
+    let(:authorized) { false }
+    let(:external_middleware) do
+      Class.new do
+        def initialize(app)
+          @app = app
+        end
+        def call(env)
+          Rails::Auth.authorized!(env)
+          @app.call(env)
+        end
+      end
+    end
+    it "allows externally authorized requests" do
+      expect(external_middleware.new(middleware).call(request)[0]).to eq 200
+    end
+  end
 end

data/spec/rails/auth/credentials_spec.rb CHANGED Viewed

@@ -25,12 +25,28 @@ RSpec.describe Rails::Auth::Credentials do
       expect(Rails::Auth.credentials(example_env)[example_type]).to eq example_credential
     end
-    it "raises ArgumentError if the same type of credential is added twice" do
-      Rails::Auth.add_credential(example_env, example_type, example_credential)
+    context "when called twice for the same credential type" do
+      let(:second_credential) { double(:credential2) }
+      it "succeeds if the credentials are the same" do
+        allow(example_credential).to receive(:==).and_return(true)
-      expect do
         Rails::Auth.add_credential(example_env, example_type, example_credential)
-      end.to raise_error(ArgumentError)
+        expect do
+          Rails::Auth.add_credential(example_env, example_type, second_credential)
+        end.to_not raise_error
+      end
+      it "raises ArgumentError if the credentials are different" do
+        allow(example_credential).to receive(:==).and_return(false)
+        Rails::Auth.add_credential(example_env, example_type, example_credential)
+        expect do
+          Rails::Auth.add_credential(example_env, example_type, second_credential)
+        end.to raise_error(ArgumentError)
+      end
     end
   end
 end

data/spec/rails/auth/x509/certificate_spec.rb CHANGED Viewed

@@ -28,4 +28,11 @@ RSpec.describe Rails::Auth::X509::Certificate do
   it "knows its attributes" do
     expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
   end
+  it "compares certificate objects by comparing their certificates" do
+    second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
+    second_certificate = described_class.new(second_cert)
+    expect(example_certificate).to be_eql second_certificate
+  end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-05-03 00:00:00.000000000 Z
+date: 2016-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -87,6 +87,7 @@ files:
 - lib/rails/auth/error_page/debug_page.html.erb
 - lib/rails/auth/error_page/middleware.rb
 - lib/rails/auth/exceptions.rb
+- lib/rails/auth/override.rb
 - lib/rails/auth/rack.rb
 - lib/rails/auth/rspec.rb
 - lib/rails/auth/rspec/helper_methods.rb
@@ -143,3 +144,4 @@ signing_key:
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack
 test_files: []
+has_rdoc: