rails_keycloak_authorization 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 473a44e0abf7c0db82ad24417b0e20a546219e28967dc41cdee8753a954b0c3a
+  data.tar.gz: d2d21f2d7c7c291fcfc267ed9e7b83c66684714d952341b875d46ac2db2bdad8
+SHA512:
+  metadata.gz: dccfd5e98b565f2c1da1911ab0d588b08a96a15790b0c6147e868c57b7f4f4e7fd444a9a1fa2280ccb4ca1d303d6a4601db8475931e511e2d6bcd8a0170417a7
+  data.tar.gz: f8175f8a52eb1e2bac762fe7e3ba4e2cac8ffdc322291e667901f958781c551d06920e3f80bcdb4c25f2430069e6e50f1a13f3153b5c9681117aef07d9e1a817

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright Mohammed O. Tillawy
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,139 @@
+# Rails Keycloak Authorization
+
+Rails middleware to authorize requests using [Keycloak](https://www.keycloak.org) and gem [keycloak-admin-ruby](https://github.com/looorent/keycloak-admin-ruby).
+
+This gem uses JWT token to authorize requests.
+To read more how this gem works:
+
+ * [Keycloak authorization services](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_overview)
+ * [Policy Enforcement Point (PEP)](https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_overview)
+  
+
+For the moment it only support permission_resource_format=uri. it does not support permission_resource_format=resource.
+
+It does **not** support rails cookie-based-sessions, so it is only suitable for APIs.
+
+This gem uses regular-expression for URLs matching, so it is very powerful and flexible. 
+
+## How it works
+
+This gem is a middleware that checks if the request is authorized by Keycloak. 
+It will check if the request's token is valid and if the user has the required roles to access the requested resource.
+
+Keycloak setup for authorization has many options, the following conventions were followed building this gem:
+
+| Rails component   | Keycloak component  |
+|-------------------|---------------------|
+| Controller        | Authz Resource      |
+| Controller Action | Authz Scope         |
+| Route             | permission subject  |
+
+
+## Flow
+
+```mermaid
+sequenceDiagram
+    actor User
+    User->>Application: Request ${URL} with ${JWT_TOKEN}
+    create participant Keycloak
+    Application-->>Keycloak: is ${JWT_TOKEN} authorized for ${URL}?
+    note right of Keycloak: Keycloak will validate the token <br/> and check if the user has the required roles
+    destroy Keycloak
+    Keycloak-->>Application: ${JWT_TOKEN} is authorized for ${URL}
+    destroy Application
+    Application-->>User: Response ${URL} with ${DATA}
+```
+
+
+## Configuration
+
+In order to use this gem, you need to configure it in an initializer file. You can create a new file in `config/initializers/rails_keycloak_authorization.rb` with the following content:
+
+```ruby
+# The Keycloak realm 
+RailsKeycloakAuthorization.keycloak_realm = ENV.fetch("KEYCLOAK_AUTH_CLIENT_REALM_NAME", "dummy")
+# The client id in the realm
+RailsKeycloakAuthorization.client_id = ENV.fetch("KEYCLOAK_AUTH_CLIENT_ID", "dummy-client")
+# Keycloak server url
+RailsKeycloakAuthorization.keycloak_server_url = ENV.fetch("KEYCLOAK_SERVER_URL", "http://localhost:8080")
+# Patterns that are protected by the middleware, Array of regular-expressions.
+RailsKeycloakAuthorization.match_patterns = [
+  /^\/organizations(\.json)?/,
+  /^\/api/,
+  /internal/
+]
+```
+
+## How to easily test it?
+
+Create development environment with Keycloak and Tofu:
+ * checkout the source-code of this project
+   * `git checkout https://github.com/tillawy/rails_keycloak_authorization.git`
+   * `cd rails_keycloak_authorization`
+ * Run keycloak in a [Docker](https://docs.docker.com/get-docker/) container
+   * `cd docker`
+   * `docker-compose up`
+   * verify keycloak is running at `http://localhost:8080`, username: `admin`, password: `admin`
+ * Run tofu to setup keycloak realm & client
+   * `brew install opentofu`  
+   * `cd ../tofu` 
+   * `tofu -chdir=tofu init`
+   * `tofu -chdir=tofu apply -auto-approve` 
+
+Running the previous steps should:
+ * Start Keycloak server
+ * Create realm called: `Dummy`
+ * Create openid-client called: `dummy-client` in realm `dummy` with:
+   * client secret `dummy-client-super-secret-xxx`
+   * valid_redirect_uri `http://localhost:3000/*`
+ * Create user `test@test.com` with password `test`
+ * Create openid-client called: `keycloak-admin` in realm `master` with:
+   * client secret `keycloak-admin-client-secret-xxx`
+   * role to manager users in realm `dummy`
+
+Run the server:
+
+  `bundle exec rails s`
+
+make the first request (should fail) `Authorization Failed`:
+
+```shell
+bash test/curl/test.curl.bash
+```
+
+How let us setup Authorization:
+
+ * Open rka http://localhost:3000/rka/management/
+ * On the first tab `Rails Routes`
+ * The first route `/organizations(.:format)`, click inspect
+ * Click on `Create Resource?` to create Authz Resource for controller 
+ * Click on `Create Scope?` to create resource for controller action
+ * Click on `Attach scope index to resource` to attach the scope (action: index) to the resource (controller: organizations_controller)
+ * Select the second tab `Keycloak Policies`
+ * From the Role dropdown list select `default-roles-dummy`
+ * Click `Create`
+ * Select the third tab `Keycloak Permissions`
+ * From the Policy dropdown list select `RKA-Policy`
+ * From the Resource dropdown list select `organization_controllers`
+ * Another dropdown will appear Select Scope, select `index`
+ * Click `Create`
+
+Now let us run the test `bash test/curl/test.curl.bash` again, it should pass.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "rails_keycloak_authorization"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"

data/app/assets/config/rails_keycloak_authorization_manifest.js

@@ -0,0 +1 @@
+//= link_directory ../stylesheets/rails_keycloak_authorization .css

data/app/assets/stylesheets/rails_keycloak_authorization/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/concerns/rails_keycloak_authorization/with_htmx_layout.rb

@@ -0,0 +1,15 @@
+module RailsKeycloakAuthorization
+  # This concern is to explicitly force htmx layout with routes, layout=htmx
+  module WithHtmxLayout
+    extend ActiveSupport::Concern
+    included do
+      before_action do
+        if request.params[:layout] == "htmx"
+          self.class.layout "rails_keycloak_authorization/htmx"
+        else
+          self.class.layout false
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/rails_keycloak_authorization/with_keycloak_admin.rb

@@ -0,0 +1,35 @@
+module RailsKeycloakAuthorization
+  module WithKeycloakAdmin
+    extend ActiveSupport::Concern
+    included do
+      before_action :keycloak_admin_configure
+    end
+
+    private
+
+
+
+
+
+    def realm_name
+      ENV.fetch('KEYCLOAK_AUTH_CLIENT_REALM_NAME')
+    end
+
+    def openid_client
+      KeycloakAdmin.realm(realm_name).clients.find_by_client_id(ENV["KEYCLOAK_AUTH_CLIENT_ID"])
+    end
+
+    def keycloak_admin_configure
+      KeycloakAdmin.configure do |config|
+        config.use_service_account = true
+        config.server_url          = ENV["KEYCLOAK_SERVER_URL"]
+        config.server_domain       = ENV["KEYCLOAK_SERVER_DOMAIN"]
+        config.client_id           = ENV["KEYCLOAK_ADMIN_CLIENT_ID"]
+        config.client_realm_name   = ENV["KEYCLOAK_ADMIN_REALM_NAME"]
+        config.client_secret       = ENV["KEYCLOAK_ADMIN_CLIENT_SECRET"]
+        config.logger              = Rails.logger
+        config.rest_client_options = { timeout: 3, verify_ssl: Rails.env.production? }
+      end
+    end
+  end
+end

data/app/controllers/concerns/rails_keycloak_authorization/with_routes_reader.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module RailsKeycloakAuthorization
+  module WithRoutesReader
+    extend ActiveSupport::Concern
+    extend self
+
+    def available_routes
+      available_route_names.map do |name|
+        Rails.application.routes.named_routes.get(name)
+      end
+    end
+
+    def route(route_name)
+      Rails.application.routes.named_routes[route_name]
+    end
+
+    def available_route_names
+      names = Rails.application.routes.named_routes.names.filter do |route_name|
+        route_name.present? && !%w[rails action_mailbox active_storage auth root].any? { |exclude| route_name.to_s.include?(exclude) }
+      end
+      names.uniq
+    end
+  end
+end
+

data/app/controllers/rails_keycloak_authorization/application_controller.rb

@@ -0,0 +1,4 @@
+module RailsKeycloakAuthorization
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/rails_keycloak_authorization/management_controller.rb

@@ -0,0 +1,9 @@
+module RailsKeycloakAuthorization
+  class ManagementController < ApplicationController
+    layout false
+
+    def index
+      render layout: "rails_keycloak_authorization/htmx"
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/permissions_controller.rb

@@ -0,0 +1,39 @@
+module RailsKeycloakAuthorization
+  class PermissionsController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include ResourcesHelper
+
+    def index
+      @permissions = KeycloakAdminRubyAgent.list_keycloak_permissions
+      @resources = KeycloakAdminRubyAgent.list_keycloak_resources_for_controllers
+      @policies = KeycloakAdminRubyAgent.list_keycloak_policies
+    end
+
+    def resource_scopes_select
+      @resource_scopes = KeycloakAdmin
+                          .realm(realm_name)
+                          .authz_scopes(openid_client.id, params[:keycloak_resource_id])
+                          .list
+    end
+
+    def create
+      resource = KeycloakAdmin.realm(realm_name).authz_resources(openid_client.id).get(params[:keycloak_resource_id] )
+      scope = KeycloakAdmin.realm(realm_name).authz_scopes(openid_client.id, resource.id).get(params[:keycloak_scope_id])
+      KeycloakAdmin
+        .realm(realm_name)
+        .authz_permissions(openid_client.id, :scope)
+        .create!(
+          "RKA #{resource.name} #{scope.name} ",
+          "RailsKeycloakRails permission #{resource.name}",
+          "UNANIMOUS",
+          "POSITIVE",
+          [ params[:keycloak_resource_id] ],
+          [ params[:keycloak_policy_id] ],
+          [ params[:keycloak_scope_id] ],
+          "scope"
+        )
+      redirect_to permissions_path
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/policies_controller.rb

@@ -0,0 +1,19 @@
+module RailsKeycloakAuthorization
+  class PoliciesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include ResourcesHelper
+
+
+    def index
+      @default_policy_name = KeycloakAdminRubyAgent.policy_name
+      @policies = KeycloakAdminRubyAgent.list_keycloak_policies
+      @realm_roles = KeycloakAdminRubyAgent.list_roles
+    end
+
+    def create
+      KeycloakAdminRubyAgent.create_keycloak_policy(params[:keycloak_realm_role_id])
+      redirect_to policies_path
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/resources_controller.rb

@@ -0,0 +1,31 @@
+module RailsKeycloakAuthorization
+  class ResourcesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include ResourcesHelper
+    include WithRoutesReader
+
+    def create
+      KeycloakAdminRubyAgent.create_keycloak_resource(params[:route_id])
+      redirect_to resource_path(params[:route_id])
+    end
+
+    def index
+      @route_names = Rails.application.routes.named_routes.names
+      @controller_names = @route_names.map { |route_name|
+        Rails.application.routes.named_routes[route_name].defaults[:controller]
+      }.filter{|route_name|
+        !route_name.nil? && !route_name.include?("rails") && !route_name.include?("action_mailbox") && !route_name.include?("active_storage") && !route_name.include?("oauth") }.uniq
+      @resources = KeycloakAdmin.realm(realm_name).authz_resources(openid_client.id).list
+    end
+
+    def new
+      @route = route(params[:route_id])
+    end
+
+    def show
+      @route = route(params[:id])
+      @keycloak_resource = KeycloakAdminRubyAgent.keycloak_resource(@route.defaults[:controller])
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/routes_controller.rb

@@ -0,0 +1,23 @@
+module RailsKeycloakAuthorization
+  class RoutesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include WithRoutesReader
+
+    before_action :set_route, only: [:show]
+
+    def index
+      @routes = available_routes
+    end
+
+    def show
+    end
+
+    private
+
+
+    def set_route
+      @route = Rails.application.routes.named_routes[params[:id]]
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/scopes_controller.rb

@@ -0,0 +1,48 @@
+module RailsKeycloakAuthorization
+  class ScopesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+
+    def index
+      @scopes = KeycloakAdmin
+                  .realm(realm_name)
+                  .authz_scopes(openid_client.id, params[:keycloak_resource_id])
+                  .list
+    end
+
+    def show
+      @keycloak_scope_name = params[:keycloak_scope_name]
+      @keycloak_resource_id = params[:keycloak_resource_id]
+
+      @available_scope = KeycloakAdmin
+                          .realm(realm_name)
+                          .authz_scopes(openid_client.id)
+                          .search(params[:keycloak_scope_name])
+                          .first
+
+      @resource_scope = KeycloakAdmin
+                 .realm(realm_name)
+                 .authz_scopes(openid_client.id, params[:keycloak_resource_id])
+                 .list
+                 .detect{|s| s.name == params[:keycloak_scope_name]}
+    end
+
+    def new
+      @keycloak_scope_name = params[:keycloak_scope_name]
+      @keycloak_resource_id = params[:keycloak_resource_id]
+    end
+
+    def attach
+      keycloak_scope_name = params[:keycloak_scope_name]
+      keycloak_resource_id = params[:keycloak_resource_id]
+
+      KeycloakAdminRubyAgent.attach_scope_to_resource(keycloak_scope_name, keycloak_resource_id)
+      redirect_to scope_path("scope", keycloak_resource_id: keycloak_resource_id, keycloak_scope_name: keycloak_scope_name)
+    end
+
+    def create
+      scope = KeycloakAdminRubyAgent.create_keycloak_scope(params[:keycloak_scope_name])
+      redirect_to scope_path(scope.id, keycloak_resource_id: params[:keycloak_resource_id], keycloak_scope_name: params[:keycloak_scope_name])
+    end
+  end
+end

data/app/helpers/rails_keycloak_authorization/application_helper.rb

@@ -0,0 +1,4 @@
+module RailsKeycloakAuthorization
+  module ApplicationHelper
+  end
+end

data/app/helpers/rails_keycloak_authorization/resources_helper.rb

@@ -0,0 +1,5 @@
+module RailsKeycloakAuthorization
+  module ResourcesHelper
+
+  end
+end

data/app/jobs/rails_keycloak_authorization/application_job.rb

@@ -0,0 +1,4 @@
+module RailsKeycloakAuthorization
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/rails_keycloak_authorization/application_mailer.rb

@@ -0,0 +1,6 @@
+module RailsKeycloakAuthorization
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/rails_keycloak_authorization/application_record.rb

@@ -0,0 +1,5 @@
+module RailsKeycloakAuthorization
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/services/rails_keycloak_authorization/keycloak_admin_ruby_agent.rb

@@ -0,0 +1,145 @@
+module RailsKeycloakAuthorization
+  class KeycloakAdminRubyAgent
+    class << self
+
+      POLICY_NAME = "RKA-Policy"
+
+      def initialize
+        super
+        keycloak_admin_configure
+      end
+
+      def policy_name
+        POLICY_NAME
+      end
+
+      def list_keycloak_resources_for_controllers
+        KeycloakAdmin.realm(realm_name)
+                     .authz_resources(openid_client.id)
+                     .find_by("",
+                              resource_type_for_controller,
+                              "",
+                              "",
+                              "")
+      end
+
+      def list_keycloak_permissions
+        KeycloakAdmin.realm(realm_name)
+                     .authz_permissions(openid_client.id, "scope")
+                     .find_by(nil, nil)
+      end
+
+      def list_keycloak_policies
+        KeycloakAdmin.realm(realm_name)
+                     .authz_policies(openid_client.id, 'role')
+                     .find_by(POLICY_NAME, "role")
+      end
+
+      def create_keycloak_policy(keycloak_realm_role_id)
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_policies(openid_client.id, 'role')
+          .create!("#{POLICY_NAME}",
+                   "#{POLICY_NAME} default policy",
+                   "role",
+                   "POSITIVE",
+                   "UNANIMOUS",
+                   true,
+                   [{id: keycloak_realm_role_id, required: true}]
+          )
+      end
+
+      def list_policies
+
+      end
+
+      def list_roles
+        KeycloakAdmin.realm(realm_name).roles.list
+      end
+
+      def create_keycloak_scope(keycloak_scope_name)
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_scopes(openid_client.id)
+          .create!(
+            keycloak_scope_name,
+            "RKA #{keycloak_scope_name}",
+            ""
+          )
+      end
+
+      def create_keycloak_resource(route_id)
+        route = WithRoutesReader.route(route_id)
+        resource_name = resource_name_for(route.defaults[:controller])
+
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_resources(openid_client.id)
+          .create!(
+            resource_name,
+            resource_type_for_controller,
+            [],
+            true,
+            "RKA #{resource_name}",
+            [])
+      end
+
+      def keycloak_resource(controller_name)
+        resource_name = resource_name_for(controller_name)
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_resources(openid_client.id)
+          .find_by(resource_name,
+                   resource_type_for_controller,
+                   "",
+                   "",
+                   "")
+          .first
+      rescue
+        nil
+      end
+
+      def realm_name
+        ENV.fetch("KEYCLOAK_AUTH_CLIENT_REALM_NAME")
+      end
+
+      def openid_client
+        KeycloakAdmin
+          .realm(realm_name)
+          .clients
+          .find_by_client_id(ENV.fetch("KEYCLOAK_AUTH_CLIENT_ID"))
+      end
+
+      def resource_type_for_controller
+        type_for(openid_client.client_id)
+      end
+
+      def type_for(openid_client_id)
+        "urn:#{openid_client_id}:rka:resources:controllers"
+      end
+      def resource_name_for(controller_name)
+        "#{controller_name}_controller"
+      end
+
+      def keycloak_admin_configure
+        KeycloakAdmin.configure do |config|
+          config.use_service_account = true
+          config.server_url = ENV.fetch("KEYCLOAK_SERVER_URL")
+          config.server_domain = ENV.fetch("KEYCLOAK_SERVER_DOMAIN")
+          config.client_id = ENV.fetch("KEYCLOAK_ADMIN_CLIENT_ID")
+          config.client_realm_name = ENV.fetch("KEYCLOAK_ADMIN_REALM_NAME")
+          config.client_secret = ENV.fetch("KEYCLOAK_ADMIN_CLIENT_SECRET")
+          config.logger = Rails.logger
+          config.rest_client_options = { timeout: 5, verify_ssl: Rails.env.production? }
+        end
+      end
+    end
+
+    def self.attach_scope_to_resource(keycloak_scope_name, keycloak_resource_id)
+      KeycloakAdmin.realm(realm_name)
+                   .authz_resources(openid_client.id)
+                   .update(keycloak_resource_id, scopes: [{name: keycloak_scope_name}])
+    end
+  end
+end
+

data/app/views/layouts/rails_keycloak_authorization/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Rails Keycloak Authorization</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <%= stylesheet_link_tag "rails_keycloak_authorization/application", media: "all" %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/app/views/layouts/rails_keycloak_authorization/htmx.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Rails Keycloak Authorization</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <script src="https://unpkg.com/htmx.org@2.0.0/dist/htmx.js" integrity="sha384-Xh+GLLi0SMFPwtHQjT72aPG19QvKB8grnyRbYBNIdHWc2NkCrz65jlU7YrzO6qRp" crossorigin="anonymous"></script>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <%= stylesheet_link_tag "rails_keycloak_authorization/application", media: "all" %>
+</head>
+<body hx-headers='{"X-CSRF-Token": "<%= form_authenticity_token %>"}'>
+  <%= yield %>
+</body>
+</html>