roo_on_rails 1.15.0 → 1.16.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 350514c8b5824a6829103a912a01e155aa18074f
4
- data.tar.gz: 827cb9bec23c0d69bab1e2df74024e63861853ce
3
+ metadata.gz: 6cff300e49683272e9b7624135b56e0e62ffbeda
4
+ data.tar.gz: 78b553933ddb68cc54b5082352a9faf96edccdea
5
5
  SHA512:
6
- metadata.gz: 5954c887ece5accaeaf6b9acb328ef24978f6d5673ae2ba2ae2cb8d29f0bcc83f1b55346fb500371cba87ad3e8ebeeba2f44d6b0503c96ae7c696a594e03e768
7
- data.tar.gz: 38aaf68d5cf8271b15597ba0145088f272ceb52cdbeb03602b38fb215dbf4b2220cb6d95008676bfad9062c2a4e831994b6bc1837d450fdc9366819943a701fe
6
+ metadata.gz: b9f54d9e74c746a4f920aee6769c6f97bbf31ba15c859fe42aa0c6adbf29a997a92c6b7ae9a6cb8d78867efc83b9454926e27f0bc8b5d65416de2f86d872092b
7
+ data.tar.gz: b922a04d6238856b3d956539a9b8b3f379f85932792cc78f7c6136370b0069ed0c7f6794e4df74431dfdb3ee7f856e7b51d1faa3cea05fea26bd28d626669aab
data/CHANGELOG.md CHANGED
@@ -1,6 +1,16 @@
1
1
  # HEAD
2
2
 
3
- _A description of your awesome new stuff here!_
3
+ _A description of your awesome work here!_
4
+
5
+ # v1.16.0 (2017-11-17)
6
+
7
+ Features:
8
+
9
+ - Allow SSL enforcement to be disabled via `ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT` environment variable (#82)
10
+
11
+ Bug fix:
12
+
13
+ - Ensure we can distinguish between environments' identity services (#81)
4
14
 
5
15
  # v1.15.0
6
16
 
data/README.md CHANGED
@@ -91,6 +91,14 @@ We'll insert the following middlewares into the rails stack:
91
91
  with `ROO_ON_RAILS_RACK_DEFLATE` (default: 'YES').
92
92
  4. Optional middlewares for Google Oauth2 (more below).
93
93
 
94
+
95
+ #### Disabling SSL enforcement
96
+
97
+ If you're running your application on Hopper, you'll need to turn off SSL enforcement
98
+ as we do that at edge level in Cloudflare rather than the application code itself,
99
+ which must be served over HTTP to its associated ALB, which handles SSL termination.
100
+ To do this, you can set the `ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT` to `YES`.
101
+
94
102
  ### Database configuration
95
103
 
96
104
  The database statement timeout will be set to a low value by default. Use
@@ -227,6 +235,13 @@ available:
227
235
  require 'roo_on_rails/railties/roo_identity'
228
236
  ```
229
237
 
238
+ In non-development environments you must also set the `VALID_IDENTITY_URL_PREFIXES` environment
239
+ variable to be a comma separasted list of the URL prefixes which valid JWTs come from, eg:
240
+
241
+ ```
242
+ https://deliveroo.co.uk/identity-keys/,https://identity.deliveroo.com/jwks/
243
+ ```
244
+
230
245
  Any inbound request which has a valid JWT will have the claims made available:
231
246
 
232
247
  ```ruby
@@ -6,10 +6,6 @@ module RooOnRails
6
6
  module Rack
7
7
  class PopulateEnvFromJWT
8
8
  UnacceptableKeyError = Class.new(RuntimeError)
9
- # Hardcoded URLs for valid keys per environment. These will change very infrequently.
10
- VALID_JWK_URL_PREFIXES = YAML.load(
11
- File.read(File.expand_path('../valid_identity_service_prefixes.yml', __FILE__))
12
- ).freeze
13
9
 
14
10
  def initialize(app, logger:, skip_sig_verify: true)
15
11
  @app = app
@@ -21,6 +17,11 @@ module RooOnRails
21
17
  @verify_sigs = false
22
18
  else
23
19
  @verify_sigs = true
20
+ @key_prefixes = ENV['VALID_IDENTITY_URL_PREFIXES'].split(',')
21
+
22
+ if @key_prefixes.empty?
23
+ raise "No identity service URLs have been set: ENV['VALID_IDENTITY_URL_PREFIXES']"
24
+ end
24
25
  end
25
26
  end
26
27
 
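Review bot: `ENV['VALID_IDENTITY_URL_PREFIXES'].split(',')` raises NoMethodError on nil when the variable is unset, so the descriptive RuntimeError added three lines below is never reached in exactly the case it was written for. The split also keeps empty and whitespace-padded entries: a leading comma or `"a,,b"` yields `""`, and because `acceptable_key?` does a plain `starts_with?`, an empty prefix accepts every key URL, while `"a, b"` yields `" b"`, which matches nothing. Suggest `@key_prefixes = ENV.fetch('VALID_IDENTITY_URL_PREFIXES', '').split(',').map(&:strip).reject(&:empty?)` so the existing emptiness check is the one that fires. `initialize` opens in the preceding hunk and the class continues beyond this one.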
@@ -62,7 +63,6 @@ module RooOnRails
62
63
 
63
64
  def acceptable_key?(key_url)
64
65
  return false if key_url.nil?
65
- @key_prefixes ||= VALID_JWK_URL_PREFIXES[ENV['RACK_ENV']]
66
66
  @key_prefixes.any? { |acceptable| key_url.starts_with?(acceptable) }
67
67
  end
68
68
 
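Review bot: With the memoised fallback removed, `@key_prefixes` is only ever assigned in the `@verify_sigs` branch of `initialize`, so `acceptable_key?` now raises NoMethodError on nil if it is reached with `skip_sig_verify: true`; whether the call site is gated on `@verify_sigs` is not visible here, so either confirm that or set `@key_prefixes = []` in the skip branch. Separately, since the check is a bare string prefix, each configured value has to be a full origin plus path ending in `/` (as the README examples are): a bare `https://identity.deliveroo.com` would also accept keys from `https://identity.deliveroo.com.attacker.example/`. Worth a comment above the method: `# Prefixes are matched as raw strings: configure full origin + path ending in '/', a bare host prefix also matches look-alike hosts.` The enclosing class starts and ends outside this hunk.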
@@ -18,7 +18,7 @@ module RooOnRails
18
18
  ::Rack::Timeout
19
19
  )
20
20
 
21
- middleware_to_insert_before = Rails::VERSION::MAJOR < 4 ? ::ActionDispatch::Cookies : ::Rack::Head
21
+ middleware_to_insert_before = Rails::VERSION::MAJOR < 4 ? ::ActionDispatch::Cookies : ::Rack::Head
22
22
 
23
23
  # This needs to be inserted low in the stack, before Rails returns the
24
24
  # thread-current connection to the pool.
@@ -34,7 +34,8 @@ module RooOnRails
34
34
  end
35
35
 
36
36
  # Don't use SslEnforcer in test environment as it breaks Capybara
37
- unless Rails.env.test?
37
+ unless Rails.env.test? ||
38
+ ENV.fetch('ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT', '') =~ /\A(YES|TRUE|ON|1)\Z/i
38
39
  app.config.middleware.insert_before(
39
40
  middleware_to_insert_before,
40
41
  ::Rack::SslEnforcer
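Review bot: Setting `ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT` silently drops `Rack::SslEnforcer` from the stack, so a deployment that is not actually behind TLS-terminating edge gets no HTTPS redirect and nothing in the logs to explain why; a boot-time warning when the variable is set, e.g. `Rails.logger.warn('SSL enforcement disabled via ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT')` before the `unless`, would make the downgrade visible. Minor: `\Z` also accepts a trailing newline (`"YES\n"` passes); `\z` is the strict end anchor and still matches the README's `YES`. Any HSTS header this middleware is configured to emit goes away with it — the options are not visible in this hunk, so confirm the edge layer sets it. The enclosing railtie block begins before this hunk.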
@@ -1,3 +1,3 @@
1
1
  module RooOnRails
2
- VERSION = '1.15.0'.freeze
2
+ VERSION = '1.16.0'.freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: roo_on_rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.15.0
4
+ version: 1.16.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Julien Letessier
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2017-11-08 00:00:00.000000000 Z
11
+ date: 2017-11-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dotenv-rails
@@ -455,7 +455,6 @@ files:
455
455
  - lib/roo_on_rails/papertrail_client.rb
456
456
  - lib/roo_on_rails/rack/populate_env_from_jwt.rb
457
457
  - lib/roo_on_rails/rack/safe_timeouts.rb
458
- - lib/roo_on_rails/rack/valid_identity_service_prefixes.yml
459
458
  - lib/roo_on_rails/railties/database.rb
460
459
  - lib/roo_on_rails/railties/env.rb
461
460
  - lib/roo_on_rails/railties/google_oauth.rb
@@ -1,6 +0,0 @@
1
- production:
2
- - https://deliveroo.co.uk/identity-keys/
3
- - https://identity.deliveroo.net/identity/keys/
4
- staging:
5
- - https://test.deliveroo.co.uk/identity-keys/
6
- - https://identity-staging.deliveroo.net/identity-keys/