roo_on_rails 1.15.0 → 1.16.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6cff300e49683272e9b7624135b56e0e62ffbeda
|
|
4
|
+
data.tar.gz: 78b553933ddb68cc54b5082352a9faf96edccdea
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b9f54d9e74c746a4f920aee6769c6f97bbf31ba15c859fe42aa0c6adbf29a997a92c6b7ae9a6cb8d78867efc83b9454926e27f0bc8b5d65416de2f86d872092b
|
|
7
|
+
data.tar.gz: b922a04d6238856b3d956539a9b8b3f379f85932792cc78f7c6136370b0069ed0c7f6794e4df74431dfdb3ee7f856e7b51d1faa3cea05fea26bd28d626669aab
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,16 @@
|
|
|
1
1
|
# HEAD
|
|
2
2
|
|
|
3
|
-
_A description of your awesome
|
|
3
|
+
_A description of your awesome work here!_
|
|
4
|
+
|
|
5
|
+
# v1.16.0 (2017-11-17)
|
|
6
|
+
|
|
7
|
+
Features:
|
|
8
|
+
|
|
9
|
+
- Allow SSL enforcement to be disabled via `ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT` environment variable (#82)
|
|
10
|
+
|
|
11
|
+
Bug fix:
|
|
12
|
+
|
|
13
|
+
- Ensure we can distinguish between environments' identity services (#81)
|
|
4
14
|
|
|
5
15
|
# v1.15.0
|
|
6
16
|
|
data/README.md
CHANGED
|
@@ -91,6 +91,14 @@ We'll insert the following middlewares into the rails stack:
|
|
|
91
91
|
with `ROO_ON_RAILS_RACK_DEFLATE` (default: 'YES').
|
|
92
92
|
4. Optional middlewares for Google Oauth2 (more below).
|
|
93
93
|
|
|
94
|
+
|
|
95
|
+
#### Disabling SSL enforcement
|
|
96
|
+
|
|
97
|
+
If you're running your application on Hopper, you'll need to turn off SSL enforcement
|
|
98
|
+
as we do that at edge level in Cloudflare rather than the application code itself,
|
|
99
|
+
which must be served over HTTP to its associated ALB, which handles SSL termination.
|
|
100
|
+
To do this, you can set the `ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT` to `YES`.
|
|
101
|
+
|
|
94
102
|
### Database configuration
|
|
95
103
|
|
|
96
104
|
The database statement timeout will be set to a low value by default. Use
|
|
@@ -227,6 +235,13 @@ available:
|
|
|
227
235
|
require 'roo_on_rails/railties/roo_identity'
|
|
228
236
|
```
|
|
229
237
|
|
|
238
|
+
In non-development environments you must also set the `VALID_IDENTITY_URL_PREFIXES` environment
|
|
239
|
+
variable to be a comma separasted list of the URL prefixes which valid JWTs come from, eg:
|
|
240
|
+
|
|
241
|
+
```
|
|
242
|
+
https://deliveroo.co.uk/identity-keys/,https://identity.deliveroo.com/jwks/
|
|
243
|
+
```
|
|
244
|
+
|
|
230
245
|
Any inbound request which has a valid JWT will have the claims made available:
|
|
231
246
|
|
|
232
247
|
```ruby
|
|
@@ -6,10 +6,6 @@ module RooOnRails
|
|
|
6
6
|
module Rack
|
|
7
7
|
class PopulateEnvFromJWT
|
|
8
8
|
UnacceptableKeyError = Class.new(RuntimeError)
|
|
9
|
-
# Hardcoded URLs for valid keys per environment. These will change very infrequently.
|
|
10
|
-
VALID_JWK_URL_PREFIXES = YAML.load(
|
|
11
|
-
File.read(File.expand_path('../valid_identity_service_prefixes.yml', __FILE__))
|
|
12
|
-
).freeze
|
|
13
9
|
|
|
14
10
|
def initialize(app, logger:, skip_sig_verify: true)
|
|
15
11
|
@app = app
|
|
@@ -21,6 +17,11 @@ module RooOnRails
|
|
|
21
17
|
@verify_sigs = false
|
|
22
18
|
else
|
|
23
19
|
@verify_sigs = true
|
|
20
|
+
@key_prefixes = ENV['VALID_IDENTITY_URL_PREFIXES'].split(',')
|
|
21
|
+
|
|
22
|
+
if @key_prefixes.empty?
|
|
23
|
+
raise "No identity service URLs have been set: ENV['VALID_IDENTITY_URL_PREFIXES']"
|
|
24
|
+
end
|
|
24
25
|
end
|
|
25
26
|
end
|
|
26
27
|
|
|
@@ -62,7 +63,6 @@ module RooOnRails
|
|
|
62
63
|
|
|
63
64
|
def acceptable_key?(key_url)
|
|
64
65
|
return false if key_url.nil?
|
|
65
|
-
@key_prefixes ||= VALID_JWK_URL_PREFIXES[ENV['RACK_ENV']]
|
|
66
66
|
@key_prefixes.any? { |acceptable| key_url.starts_with?(acceptable) }
|
|
67
67
|
end
|
|
68
68
|
|
|
@@ -18,7 +18,7 @@ module RooOnRails
|
|
|
18
18
|
::Rack::Timeout
|
|
19
19
|
)
|
|
20
20
|
|
|
21
|
-
middleware_to_insert_before = Rails::VERSION::MAJOR < 4 ? ::ActionDispatch::Cookies : ::Rack::Head
|
|
21
|
+
middleware_to_insert_before = Rails::VERSION::MAJOR < 4 ? ::ActionDispatch::Cookies : ::Rack::Head
|
|
22
22
|
|
|
23
23
|
# This needs to be inserted low in the stack, before Rails returns the
|
|
24
24
|
# thread-current connection to the pool.
|
|
@@ -34,7 +34,8 @@ module RooOnRails
|
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
# Don't use SslEnforcer in test environment as it breaks Capybara
|
|
37
|
-
unless Rails.env.test?
|
|
37
|
+
unless Rails.env.test? ||
|
|
38
|
+
ENV.fetch('ROO_ON_RAILS_DISABLE_SSL_ENFORCEMENT', '') =~ /\A(YES|TRUE|ON|1)\Z/i
|
|
38
39
|
app.config.middleware.insert_before(
|
|
39
40
|
middleware_to_insert_before,
|
|
40
41
|
::Rack::SslEnforcer
|
data/lib/roo_on_rails/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: roo_on_rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Julien Letessier
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-11-
|
|
11
|
+
date: 2017-11-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dotenv-rails
|
|
@@ -455,7 +455,6 @@ files:
|
|
|
455
455
|
- lib/roo_on_rails/papertrail_client.rb
|
|
456
456
|
- lib/roo_on_rails/rack/populate_env_from_jwt.rb
|
|
457
457
|
- lib/roo_on_rails/rack/safe_timeouts.rb
|
|
458
|
-
- lib/roo_on_rails/rack/valid_identity_service_prefixes.yml
|
|
459
458
|
- lib/roo_on_rails/railties/database.rb
|
|
460
459
|
- lib/roo_on_rails/railties/env.rb
|
|
461
460
|
- lib/roo_on_rails/railties/google_oauth.rb
|