RubyGems - rails-auth - Versions diffs - 1.0.0 → 1.1.0 - Mend

rails-auth 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGES.md +11 -0
data/README.md +2 -2
data/lib/rails/auth/acl/middleware.rb +1 -1
data/lib/rails/auth/credentials.rb +7 -0
data/lib/rails/auth/override.rb +29 -0
data/lib/rails/auth/rack.rb +2 -0
data/lib/rails/auth/version.rb +1 -1
data/lib/rails/auth/x509/certificate.rb +8 -0
data/lib/rails/auth/x509/filter/pem.rb +1 -1
data/spec/rails/auth/acl/middleware_spec.rb +20 -0
data/spec/rails/auth/credentials_spec.rb +20 -4
data/spec/rails/auth/x509/certificate_spec.rb +7 -0
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4c35439565b7bba440548903906ea7ba4e7a49db
-  data.tar.gz: 9541c01cc249006beca8f69dbc91c98f2fe4b889
+  metadata.gz: fe64cc61d2ee90c0108495d16f8ddb385c26caf2
+  data.tar.gz: 49f2318348eac65b42d60875028047bdcfe3a555
 SHA512:
-  metadata.gz: 0a8c0b5b03f2189e2c6b37b610bf90d78fab5b7f07129a149e265dd961787abe1dfc906dedd7124abab5f3ccb945b5fb18f60e778e7ef4d4f8f8ed008c249f3b
-  data.tar.gz: 1259129ae0211491d793c83ad9dd75b549e82a201cf6bcdf53afbbc3d7920a492ce9aa7fe832a8f99f48c3c771850b478dae1331bafac170e20468449d2c5f85
+  metadata.gz: 0a99e56a462666b4c6140e03f5066a6ba43b5e9707742300dc1ddcb9478b61380268d5ea604cb1cc06aaa6da34a7ae969cd22f75b85f656414bbea46f4063b13
+  data.tar.gz: eb25fca0e6a870093bc7d638fecb214594d0d3c467b7b50400c43b2dbdb1cb3e96612b7cfe9aac0c0e0656e178d094f3356923c2a157f5fca47bf7f4e75f9be5

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,13 @@
+### 1.1.0 (2016-06-23)
+* [#26](https://github.com/square/rails-auth/pull/26)
+  Make add_credential idempotent.
+  ([@ewr])
+* [#25](https://github.com/square/rails-auth/pull/25)
+  Allow outside middleware to mark a request as authorized.
+  ([@ewr])
 ### 1.0.0 (2016-05-03)
 * Initial 1.0 release!
@@ -82,3 +92,4 @@
 [@tarcieri]: https://github.com/tarcieri
+[@ewr]: https://github.com/ewr

data/README.md CHANGED Viewed

@@ -448,12 +448,12 @@ RSpec.describe "example_acl.yml", acl_spec: true do
   subject do
     Rails::Auth::ACL.from_yaml(
       File.read("/path/to/example_acl.yml"),
-      matchers: { allow_x509_subject: Rails::Auth::X509::Matcher }
+      matchers: { allow_x509_subject: Rails::Auth::X509::Matcher } # add your custom matchers too
     )
   end
   describe "/path/to/resource" do
-    it { is_expected.to     permit get_request(credentials: example_credentials) }
+    it { is_expected.to     permit get_request(certificates: example_credentials) }
     it { is_expected.not_to permit get_request) }
   end
 end

data/lib/rails/auth/acl/middleware.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Rails
         end
         def call(env)
-          raise NotAuthorizedError, "unauthorized request" unless @acl.match(env)
+          raise NotAuthorizedError, "unauthorized request" unless Rails::Auth.authorized?(env) || @acl.match(env)
           @app.call(env)
         end
       end

data/lib/rails/auth/credentials.rb CHANGED Viewed

@@ -25,7 +25,14 @@ module Rails
       def add_credential(env, type, credential)
         credentials = env[CREDENTIALS_ENV_KEY] ||= {}
+        # Adding a credential is idempotent, so attempting to reregister
+        # the same credential should be harmless
+        return env if credentials.key?(type) && credentials[type] == credential
+        # raise if we already have a cred, but it didn't short-circuit as
+        # being == to the one supplied
         raise ArgumentError, "credential #{type} already added to request" if credentials.key?(type)
         credentials[type] = credential
         env

data/lib/rails/auth/override.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Rails
+  # Modular resource-based authentication and authorization for Rails/Rack
+  module Auth
+    # Rack environment key for marking external authorization
+    AUTHORIZED_ENV_KEY = "rails-auth.authorized".freeze
+    # Functionality allowing external middleware to override our ACL check process
+    module Override
+      # Mark a request as externally authorized. Causes ACL checks to be skipped.
+      #
+      # @param [Hash] :env Rack environment
+      #
+      def authorized!(env)
+        env[AUTHORIZED_ENV_KEY] = true
+      end
+      # Check whether a request has been externally authorized? Used to bypass
+      # ACL check.
+      #
+      # @param [Hash] :env Rack environment
+      #
+      def authorized?(env)
+        env.fetch(AUTHORIZED_ENV_KEY, false)
+      end
+    end
+    extend Override
+  end
+end

data/lib/rails/auth/rack.rb CHANGED Viewed

@@ -8,6 +8,8 @@ require "rails/auth/version"
 require "rails/auth/exceptions"
+require "rails/auth/override"
 require "rails/auth/acl"
 require "rails/auth/acl/middleware"
 require "rails/auth/acl/resource"

data/lib/rails/auth/version.rb CHANGED Viewed

@@ -3,6 +3,6 @@
 module Rails
   # Pluggable authentication and authorization for Rack/Rails
   module Auth
-    VERSION = "1.0.0".freeze
+    VERSION = "1.1.0".freeze
   end
 end

data/lib/rails/auth/x509/certificate.rb CHANGED Viewed

@@ -45,6 +45,14 @@ module Rails
             ou: ou
           }
         end
+        # Compare ourself to another object by ensuring that it has the same type
+        # and that its certificate pem is the same as ours
+        def ==(other)
+          other.is_a?(self.class) && other.certificate.to_der == certificate.to_der
+        end
+        alias eql? ==
       end
     end
   end

data/lib/rails/auth/x509/filter/pem.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Rails
         # Extract OpenSSL::X509::Certificates from Privacy Enhanced Mail (PEM) certificates
         class Pem
           def call(pem)
-            OpenSSL::X509::Certificate.new(pem).freeze
+            OpenSSL::X509::Certificate.new(pem.delete("\t")).freeze
           end
         end
       end

data/spec/rails/auth/acl/middleware_spec.rb CHANGED Viewed

@@ -21,4 +21,24 @@ RSpec.describe Rails::Auth::ACL::Middleware do
       expect { expect(middleware.call(request)) }.to raise_error(Rails::Auth::NotAuthorizedError)
     end
   end
+  context "externally authorized requests" do
+    let(:authorized) { false }
+    let(:external_middleware) do
+      Class.new do
+        def initialize(app)
+          @app = app
+        end
+        def call(env)
+          Rails::Auth.authorized!(env)
+          @app.call(env)
+        end
+      end
+    end
+    it "allows externally authorized requests" do
+      expect(external_middleware.new(middleware).call(request)[0]).to eq 200
+    end
+  end
 end

data/spec/rails/auth/credentials_spec.rb CHANGED Viewed

@@ -25,12 +25,28 @@ RSpec.describe Rails::Auth::Credentials do
       expect(Rails::Auth.credentials(example_env)[example_type]).to eq example_credential
     end
-    it "raises ArgumentError if the same type of credential is added twice" do
-      Rails::Auth.add_credential(example_env, example_type, example_credential)
+    context "when called twice for the same credential type" do
+      let(:second_credential) { double(:credential2) }
+      it "succeeds if the credentials are the same" do
+        allow(example_credential).to receive(:==).and_return(true)
-      expect do
         Rails::Auth.add_credential(example_env, example_type, example_credential)
-      end.to raise_error(ArgumentError)
+        expect do
+          Rails::Auth.add_credential(example_env, example_type, second_credential)
+        end.to_not raise_error
+      end
+      it "raises ArgumentError if the credentials are different" do
+        allow(example_credential).to receive(:==).and_return(false)
+        Rails::Auth.add_credential(example_env, example_type, example_credential)
+        expect do
+          Rails::Auth.add_credential(example_env, example_type, second_credential)
+        end.to raise_error(ArgumentError)
+      end
     end
   end
 end

data/spec/rails/auth/x509/certificate_spec.rb CHANGED Viewed

@@ -28,4 +28,11 @@ RSpec.describe Rails::Auth::X509::Certificate do
   it "knows its attributes" do
     expect(example_certificate.attributes).to eq(cn: example_cn, ou: example_ou)
   end
+  it "compares certificate objects by comparing their certificates" do
+    second_cert = OpenSSL::X509::Certificate.new(cert_path("valid.crt").read)
+    second_certificate = described_class.new(second_cert)
+    expect(example_certificate).to be_eql second_certificate
+  end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-05-03 00:00:00.000000000 Z
+date: 2016-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -87,6 +87,7 @@ files:
 - lib/rails/auth/error_page/debug_page.html.erb
 - lib/rails/auth/error_page/middleware.rb
 - lib/rails/auth/exceptions.rb
+- lib/rails/auth/override.rb
 - lib/rails/auth/rack.rb
 - lib/rails/auth/rspec.rb
 - lib/rails/auth/rspec/helper_methods.rb
@@ -143,3 +144,4 @@ signing_key:
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack
 test_files: []
+has_rdoc: