roo_on_rails 1.6.0 → 1.7.0

data/gemfiles/rails_5.gemfile

@@ -5,6 +5,7 @@ source "https://rubygems.org"
 gem "guard"
 gem "guard-rspec"
 gem "appraisal"
+gem "webmock"
 gem "pg"
 gem "sqlite3"
 gem "rails", "~> 5.0.0"

data/gemfiles/rails_5.gemfile.lock

@@ -1,13 +1,16 @@
 PATH
   remote: ..
   specs:
-    roo_on_rails (1.6.0)
+    roo_on_rails (1.7.0)
       dogstatsd-ruby
       dotenv-rails (~> 2.1)
+      faraday
+      faraday_middleware
       hashie (~> 3.4)
       hirefire-resource
       newrelic_rpm
       octokit
+      omniauth-google-oauth2
       platform-api (~> 2.0)
       rack-ssl-enforcer
       rack-timeout
@@ -70,6 +73,8 @@ GEM
     coderay (1.1.1)
     concurrent-ruby (1.0.5)
     connection_pool (2.2.1)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
     diff-lcs (1.3)
     docile (1.1.5)
     dogstatsd-ruby (3.0.0)
@@ -81,6 +86,8 @@ GEM
     excon (0.57.1)
     faraday (0.12.1)
       multipart-post (>= 1.2, < 3)
+    faraday_middleware (0.11.0.1)
+      faraday (>= 0.7.4, < 1.0)
     ffi (1.9.18)
     formatador (0.2.5)
     globalid (0.4.0)
@@ -99,7 +106,8 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashie (3.5.5)
+    hashdiff (0.3.4)
+    hashie (3.5.6)
     heroics (0.0.23)
       erubis (~> 2.0)
       excon
@@ -107,6 +115,7 @@ GEM
     hirefire-resource (0.4.2)
     i18n (0.8.4)
     json (2.1.0)
+    jwt (1.5.6)
     listen (3.1.5)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
@@ -125,6 +134,7 @@ GEM
     minitest (5.10.2)
     moneta (0.8.1)
     multi_json (1.12.1)
+    multi_xml (0.6.0)
     multipart-post (2.0.0)
     nenv (0.3.0)
     newrelic_rpm (4.2.0.334)
@@ -134,8 +144,25 @@ GEM
     notiffany (0.1.1)
       nenv (~> 0.1)
       shellany (~> 0.0)
+    oauth2 (1.4.0)
+      faraday (>= 0.8, < 0.13)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
     octokit (4.7.0)
       sawyer (~> 0.8.0, >= 0.5.3)
+    omniauth (1.6.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-google-oauth2 (0.5.0)
+      jwt (~> 1.5)
+      multi_json (~> 1.3)
+      omniauth (>= 1.1.1)
+      omniauth-oauth2 (>= 1.3.1)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     pg (0.21.0)
     platform-api (2.1.0)
       heroics (~> 0.0.23)
@@ -197,6 +224,7 @@ GEM
       rspec-support (~> 3.6.0)
     rspec-support (3.6.0)
     ruby_dep (1.5.0)
+    safe_yaml (1.0.4)
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
@@ -225,6 +253,10 @@ GEM
     tzinfo (1.2.3)
       thread_safe (~> 0.1)
     url (0.3.2)
+    webmock (3.0.1)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
     websocket-driver (0.6.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.2)
@@ -241,6 +273,7 @@ DEPENDENCIES
   memfs
   pg
   pry-byebug
+  rack-test
   rails (~> 5.0.0)
   rake (~> 10.0)
   roo_on_rails!
@@ -248,6 +281,7 @@ DEPENDENCIES
   simplecov
   sqlite3
   thor (~> 0.19)
+  webmock
 
 BUNDLED WITH
    1.14.6

data/gemfiles/rails_5_1.gemfile

@@ -5,6 +5,7 @@ source "https://rubygems.org"
 gem "guard"
 gem "guard-rspec"
 gem "appraisal"
+gem "webmock"
 gem "pg"
 gem "sqlite3"
 gem "rails", "~> 5.1"

data/gemfiles/rails_5_1.gemfile.lock

@@ -1,13 +1,16 @@
 PATH
   remote: ..
   specs:
-    roo_on_rails (1.6.0)
+    roo_on_rails (1.7.0)
       dogstatsd-ruby
       dotenv-rails (~> 2.1)
+      faraday
+      faraday_middleware
       hashie (~> 3.4)
       hirefire-resource
       newrelic_rpm
       octokit
+      omniauth-google-oauth2
       platform-api (~> 2.0)
       rack-ssl-enforcer
       rack-timeout
@@ -70,6 +73,8 @@ GEM
     coderay (1.1.1)
     concurrent-ruby (1.0.5)
     connection_pool (2.2.1)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
     diff-lcs (1.3)
     docile (1.1.5)
     dogstatsd-ruby (3.0.0)
@@ -82,6 +87,8 @@ GEM
     excon (0.57.1)
     faraday (0.12.1)
       multipart-post (>= 1.2, < 3)
+    faraday_middleware (0.11.0.1)
+      faraday (>= 0.7.4, < 1.0)
     ffi (1.9.18)
     formatador (0.2.5)
     globalid (0.4.0)
@@ -100,7 +107,8 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashie (3.5.5)
+    hashdiff (0.3.4)
+    hashie (3.5.6)
     heroics (0.0.23)
       erubis (~> 2.0)
       excon
@@ -108,6 +116,7 @@ GEM
     hirefire-resource (0.4.2)
     i18n (0.8.4)
     json (2.1.0)
+    jwt (1.5.6)
     listen (3.1.5)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
@@ -126,6 +135,7 @@ GEM
     minitest (5.10.2)
     moneta (0.8.1)
     multi_json (1.12.1)
+    multi_xml (0.6.0)
     multipart-post (2.0.0)
     nenv (0.3.0)
     newrelic_rpm (4.2.0.334)
@@ -135,8 +145,25 @@ GEM
     notiffany (0.1.1)
       nenv (~> 0.1)
       shellany (~> 0.0)
+    oauth2 (1.4.0)
+      faraday (>= 0.8, < 0.13)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
     octokit (4.7.0)
       sawyer (~> 0.8.0, >= 0.5.3)
+    omniauth (1.6.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-google-oauth2 (0.5.0)
+      jwt (~> 1.5)
+      multi_json (~> 1.3)
+      omniauth (>= 1.1.1)
+      omniauth-oauth2 (>= 1.3.1)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     pg (0.21.0)
     platform-api (2.1.0)
       heroics (~> 0.0.23)
@@ -198,6 +225,7 @@ GEM
       rspec-support (~> 3.6.0)
     rspec-support (3.6.0)
     ruby_dep (1.5.0)
+    safe_yaml (1.0.4)
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
@@ -226,6 +254,10 @@ GEM
     tzinfo (1.2.3)
       thread_safe (~> 0.1)
     url (0.3.2)
+    webmock (3.0.1)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
     websocket-driver (0.6.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.2)
@@ -242,6 +274,7 @@ DEPENDENCIES
   memfs
   pg
   pry-byebug
+  rack-test
   rails (~> 5.1)
   rake (~> 10.0)
   roo_on_rails!
@@ -249,6 +282,7 @@ DEPENDENCIES
   simplecov
   sqlite3
   thor (~> 0.19)
+  webmock
 
 BUNDLED WITH
    1.14.6

data/lib/roo_on_rails.rb

@@ -11,4 +11,5 @@ if defined?(Rails)
   require 'roo_on_rails/railties/http'
   require 'roo_on_rails/railties/sidekiq'
   require 'roo_on_rails/railties/rake_tasks'
+  require 'roo_on_rails/railties/google_auth'
 end

data/lib/roo_on_rails/checks/environment.rb

@@ -6,6 +6,8 @@ require 'roo_on_rails/checks/heroku/app_exists'
 require 'roo_on_rails/checks/sidekiq/settings'
 require 'roo_on_rails/checks/heroku/drains_metrics'
 require 'roo_on_rails/checks/documentation/playbook'
+require 'roo_on_rails/checks/google_oauth/initializer'
+require 'roo_on_rails/checks/papertrail/all'
 
 module RooOnRails
   module Checks
@@ -15,6 +17,8 @@ module RooOnRails
       requires Heroku::PrebootEnabled
       requires Sidekiq::Settings
       requires Documentation::Playbook
+      requires GoogleOauth::Initializer
+      requires Papertrail::All
 
       def call
         # nothing to do

data/lib/roo_on_rails/checks/google_oauth/_template.rb

@@ -0,0 +1,49 @@
+# Google Oauth initializer, generated by RooOnRails
+
+require 'roo_on_rails/rack/google_oauth'
+
+Rails.application.config.middleware.use RooOnRails::Rack::GoogleOauth do |env|
+  # This is your auth strategy.
+  # Here you're supposed to do something with the OAuth payload and
+  # return a valid Rack response.
+
+  # A simple and insecure example:
+  #
+  require 'digest/md5'
+  auth_data = env['omniauth.auth']
+  naive_token = Digest::MD5.hexdigest(auth_data.info.email.downcase)
+  expires_in = Time.current + 60 * 60 * 24
+  headers = { 'Location' => '/' }
+  Rack::Utils.set_cookie_header!(headers, 'naive_auth_cookie', {
+    value: naive_token, expires: expires_in, path: '/'
+  })
+  [302, headers, ['You are being redirecred to /']]
+
+  # You can also hand it over to a Rails controller action, where the
+  # OAuth payload will be available in `request.env['omniauth.auth']`.
+  # If you do this, the controller will take care of returning a valid
+  # response for Rack.
+  #
+  # This is the recommenced approach as it makes it easier to use
+  # Rails encrypted cookies and other security features.
+  #
+  # For example:
+  # MyAuthController.action(:login).call(env)
+end
+
+# What to do in case of failure.
+# Must be a 302 redirect.
+# It can invoke a Rails controller action
+#
+OmniAuth.config.on_failure = proc do |env|
+  error = env['omniauth.error']           # e.g. #<OmniAuth::Strategies::OAuth2::CallbackError: OmniAuth::Strategies::OAuth2::CallbackError>
+  details = error.message                 # e.g. "invalid_hd | Invalid Hosted Domain"
+  error_type = env['omniauth.error.type'] # e.g. :invalid_credentials
+
+  Rails.logger.info("[RooOnRails] Login failed (#{error_type}): #{details}")
+
+  # To use a rails controller;
+  # MyAuthController.action(:login_failed).call(env)
+
+  [302, { 'Location' => '/' }, ['']]
+end

data/lib/roo_on_rails/checks/google_oauth/initializer.rb

@@ -0,0 +1,43 @@
+require 'roo_on_rails/config'
+require 'roo_on_rails/checks/base'
+require 'fileutils'
+
+module RooOnRails
+  module Checks
+    module GoogleOauth
+      class Initializer < Base
+        LOCATION = 'config/initializers/google_oauth.rb'.freeze
+
+        def intro
+          'Google Oauth protection'
+        end
+
+        def call
+          if RooOnRails::Config.google_auth_enabled?
+            check_initializer
+          else
+            pass 'Google Oauth is not enabled. Doing nothing'
+          end
+        end
+
+        def fix
+          FileUtils.cp(template, LOCATION)
+        end
+
+        private
+
+        def check_initializer
+          if File.exist? LOCATION
+            pass 'Google Oauth initializer is present. Doing nothing.'
+          else
+            fail! 'Google Oauth is enabled but the initializer is missing.'
+          end
+        end
+
+        def template
+          File.join(__dir__, '_template.rb')
+        end
+      end
+    end
+  end
+end

data/lib/roo_on_rails/checks/papertrail/all.rb

@@ -0,0 +1,21 @@
+require 'roo_on_rails/checks/env_specific'
+require 'roo_on_rails/checks/papertrail/system_named'
+
+module RooOnRails
+  module Checks
+    module Papertrail
+      # Wrapper for Papertrail setup checks.
+      class All < EnvSpecific
+        requires SystemNamed
+
+        def intro
+          "Checking for Papertrail setup in #{bold env}..."
+        end
+
+        def call
+          pass 'all Papertrail checks passed'
+        end
+      end
+    end
+  end
+end

data/lib/roo_on_rails/checks/papertrail/drain_exists.rb

@@ -0,0 +1,64 @@
+require 'roo_on_rails/checks/env_specific'
+require 'roo_on_rails/checks/heroku/token'
+require 'roo_on_rails/checks/heroku/app_exists'
+require 'roo_on_rails/checks/papertrail/log_destination_exists'
+
+module RooOnRails
+  module Checks
+    module Papertrail
+      # Check if a Heroku app is setup to a log drain to Papertrail
+      #
+      # Input context
+      # - heroku.api_client: a connected PlatformAPI client
+      # - heroku.app.{env}: an app name.
+      # - papertrail.dest.host, .port
+      #
+      # Output context:
+      # - papertrail.system_name.{env}: the drain token for this app, aka.
+      #   "system name" in Papertrail. Looks like "d.{uuid}".
+      class DrainExists < EnvSpecific
+        requires Heroku::Token
+        requires Heroku::AppExists
+        requires LogDestinationExists
+
+        def intro
+          "Checking for Papertrail drain on #{bold app_name}..."
+        end
+
+        def call
+          # find the PT drain
+          data = client.log_drain.list(app_name).
+                 select { |h| h['url'] =~ /papertrailapp/ }
+          fail! 'no Papertrail drain found' if data.empty?
+          fail! 'multiple Papertrail drains found' if data.length > 1
+
+          data = data.first
+          fail! "app is draining to #{data['url']} instead of #{papertrail_url}" if data['url'] != papertrail_url
+
+          pass "found drain setup with token #{data['token']}"
+          context.papertrail.system_name![env] = data['token']
+        end
+
+        def fix
+          client.log_drain.create(app_name, url: papertrail_url)
+        end
+
+        private
+
+        def app_name
+          context.heroku.app[env]
+        end
+
+        def client
+          context.heroku.api_client
+        end
+
+        def papertrail_url
+          format 'syslog+tls://%s:%s',
+                 context.papertrail.dest.host,
+                 context.papertrail.dest.port
+        end
+      end
+    end
+  end
+end