simple_admin_auth 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0391f8fb3293ede817af3503a17a27cd4669d641
-  data.tar.gz: 1638a66408145ae410a2746be87fd984fe91b0c8
+  metadata.gz: 27de75f737bbab956042d1c494449358ceb7413d
+  data.tar.gz: 52449b62c941c6f16da25cc1ff712f5e3ee71cc7
 SHA512:
-  metadata.gz: 0b15d024b2c4afea8f61d9e4bd8e96d37e513a6594710022532fb99b1dbdb3815cb6f0fd588f8998a39bad949ffbd60161a936b5007420293c624c3558652bff
-  data.tar.gz: b0a8a7e61a84fa3baef32119f67f17af1df87cfe6da95e1843fa6d44c054b24cc51454c4816142b81ff3b22fe4c61d01cfb72bb96a0da0386e3a254129a14145
+  metadata.gz: 1ee6fa8c38fd6ff7f2463d78c3c23b8b0d78e80d081dc505033d6c61702121c5b46483d64d8b4806b1700758e9c3023ae103d324a016015d285182ccef593e75
+  data.tar.gz: 1253441ecae56dc2152ebf566bf4eb5ef185e0fff1ccfa02a15c167f8acd8ce65063fe54a3badac53ca566e31eeaa3d77c186c25120579c7f64d1e52d0908f5f

data/.travis.yml

@@ -1,8 +1,8 @@
 language: ruby
+sudo: false
 script: "bundle exec rspec"
-
 rvm:
-  - 2.1.2
+  - 2.2.4
 
 gemfile:
   - gemfiles/rack1.5.gemfile

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -43,21 +43,22 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
+    addressable (2.4.0)
     arel (6.0.0)
     builder (3.2.2)
     daemons (1.1.9)
     diff-lcs (1.2.5)
     erubis (2.7.0)
-    eventmachine (1.0.6)
-    faraday (0.9.1)
+    eventmachine (1.0.8)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
     globalid (0.3.0)
       activesupport (>= 4.1.0)
-    hashie (3.4.0)
+    hashie (3.4.3)
     hike (1.2.3)
     i18n (0.7.0)
-    json (1.8.2)
-    jwt (1.2.1)
+    json (1.8.3)
+    jwt (1.5.2)
     loofah (2.0.1)
       nokogiri (>= 1.5.9)
     mail (2.6.3)
@@ -65,7 +66,7 @@ GEM
     mime-types (2.4.3)
     mini_portile (0.6.2)
     minitest (5.5.1)
-    multi_json (1.10.1)
+    multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
     nokogiri (1.6.6.2)
@@ -76,18 +77,19 @@ GEM
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (~> 1.2)
-    omniauth (1.2.2)
+    omniauth (1.3.1)
       hashie (>= 1.2, < 4)
-      rack (~> 1.0)
-    omniauth-google-oauth2 (0.2.6)
-      omniauth (> 1.0)
-      omniauth-oauth2 (~> 1.1)
-    omniauth-oauth2 (1.2.0)
-      faraday (>= 0.8, < 0.10)
+      rack (>= 1.0, < 3)
+    omniauth-google-oauth2 (0.3.0)
+      addressable (~> 2.3)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
+      omniauth (>= 1.1.1)
+      omniauth-oauth2 (>= 1.3.1)
+    omniauth-oauth2 (1.4.0)
       oauth2 (~> 1.0)
       omniauth (~> 1.2)
-    rack (1.6.0)
+    rack (1.6.4)
     rack-protection (1.5.3)
       rack
     rack-test (0.6.3)
@@ -130,10 +132,10 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.2.0)
     rspec-support (3.2.0)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
@@ -164,3 +166,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/README.md

@@ -34,6 +34,10 @@ Create an `config/initializers/admin_auth.rb` configuring your domain:
       # The name must be `admin`
       provider :google_oauth2, 'YOUR_KEY', 'YOUR_SECRET', name: 'admin',
               access_type: 'online', hd: 'example.com', approval_prompt: 'auto'
+
+      # IMPORTANT: To restrict logins to your domain, you have to configure the
+      # required_hd. The :hd parameter for the provider is only a suggestion.
+      SimpleAdminAuth::Configuration.required_hd = 'example.com'
     end
 
 If you would like to white list emails in your domain add the following:
@@ -66,6 +70,10 @@ Sample config.ru:
         # The name must be `admin`.
         provider :google_oauth2, 'YOUR_KEY (client id)', 'YOUR_SECRET', name: 'admin',
             access_type: 'online', hd: 'yourdomain.com', approval_prompt: 'auto'
+
+        # IMPORTANT: To restrict logins to your domain, you have to configure the
+        # required_hd. The :hd parameter for the provider is only a suggestion.
+        SimpleAdminAuth::Configuration.required_hd = 'yourdomain.com'
       end
 
 

data/config.ru

@@ -18,12 +18,21 @@ app = Rack::Builder.new do
     # You need to create a key for your app on https://code.google.com/apis/console/
     provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], name: 'admin',
         access_type: 'online', hd: ENV['ADMIN_DOMAIN'], approval_prompt: 'auto'
+
+    SimpleAdminAuth::Configuration.required_hd = ENV['ADMIN_DOMAIN']
   end
 
   map "/admin" do
     # This middleware only allows signed-in users to access this app.
     use SimpleAdminAuth::RequireAdmin
-    run lambda { |env| [200, {'Content-Type' => 'text/html'}, ['<p>Welcome, you have been authenticated!</p> <p><a href="/auth/admin/logout">Sign Out</a></p>']] }
+    run lambda { |env|
+      body = <<-HTML
+        <p>Welcome, you have been authenticated!</p>
+        <p><a href="/auth/admin/logout">Sign Out</a></p>
+        <p>Details: #{Rack::Utils.escape_html(env['rack.session']['admin_user'].inspect)}</p>
+      HTML
+      [200, {'Content-Type' => 'text/html'}, [body]]
+    }
   end
 
   map "/" do

data/gemfiles/rack1.5.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -10,7 +10,7 @@ GEM
   specs:
     daemons (1.1.9)
     diff-lcs (1.2.4)
-    eventmachine (1.0.3)
+    eventmachine (1.0.8)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (2.0.4)
@@ -48,10 +48,10 @@ GEM
     rspec-expectations (2.13.0)
       diff-lcs (>= 1.1.3, < 2.0)
     rspec-mocks (2.13.1)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     thin (1.5.1)
       daemons (>= 1.0.9)
       eventmachine (>= 0.12.6)
@@ -69,3 +69,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rack1.6.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -10,7 +10,7 @@ GEM
   specs:
     daemons (1.1.9)
     diff-lcs (1.2.5)
-    eventmachine (1.0.6)
+    eventmachine (1.0.8)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
     hashie (3.4.0)
@@ -54,10 +54,10 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.2.0)
     rspec-support (3.2.0)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     thin (1.6.3)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0)
@@ -75,3 +75,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails3.2.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -40,7 +40,7 @@ GEM
     daemons (1.1.9)
     diff-lcs (1.2.4)
     erubis (2.7.0)
-    eventmachine (1.0.3)
+    eventmachine (1.0.8)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (2.0.4)
@@ -48,7 +48,7 @@ GEM
     httpauth (0.2.0)
     i18n (0.6.1)
     journey (1.0.4)
-    json (1.7.7)
+    json (1.8.3)
     jwt (0.1.8)
       multi_json (>= 1.5)
     mail (2.5.3)
@@ -109,10 +109,10 @@ GEM
     rspec-expectations (2.13.0)
       diff-lcs (>= 1.1.3, < 2.0)
     rspec-mocks (2.13.1)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     sprockets (2.2.2)
       hike (~> 1.2)
       multi_json (~> 1.0)
@@ -140,3 +140,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails4.0.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -37,7 +37,7 @@ GEM
     daemons (1.1.9)
     diff-lcs (1.2.5)
     erubis (2.7.0)
-    eventmachine (1.0.3)
+    eventmachine (1.0.8)
     faraday (0.9.0)
       multipart-post (>= 1.2, < 3)
     hashie (3.3.1)
@@ -101,10 +101,10 @@ GEM
     rspec-mocks (3.1.0)
       rspec-support (~> 3.1.0)
     rspec-support (3.1.0)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     sprockets (2.12.2)
       hike (~> 1.2)
       multi_json (~> 1.0)
@@ -137,3 +137,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails4.1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -39,13 +39,13 @@ GEM
     daemons (1.1.9)
     diff-lcs (1.2.5)
     erubis (2.7.0)
-    eventmachine (1.0.3)
+    eventmachine (1.0.8)
     faraday (0.9.0)
       multipart-post (>= 1.2, < 3)
     hashie (3.3.1)
     hike (1.2.3)
     i18n (0.6.11)
-    json (1.8.1)
+    json (1.8.3)
     jwt (1.0.0)
     mail (2.5.4)
       mime-types (~> 1.16)
@@ -106,10 +106,10 @@ GEM
     rspec-mocks (3.1.0)
       rspec-support (~> 3.1.0)
     rspec-support (3.1.0)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     sprockets (2.12.2)
       hike (~> 1.2)
       multi_json (~> 1.0)
@@ -143,3 +143,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails4.2.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    simple_admin_auth (0.1.3)
+    simple_admin_auth (0.1.4)
       omniauth
       sinatra
 
@@ -48,7 +48,7 @@ GEM
     daemons (1.1.9)
     diff-lcs (1.2.5)
     erubis (2.7.0)
-    eventmachine (1.0.6)
+    eventmachine (1.0.8)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
     globalid (0.3.0)
@@ -56,7 +56,7 @@ GEM
     hashie (3.4.0)
     hike (1.2.3)
     i18n (0.7.0)
-    json (1.8.2)
+    json (1.8.3)
     jwt (1.2.1)
     loofah (2.0.1)
       nokogiri (>= 1.5.9)
@@ -130,10 +130,10 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.2.0)
     rspec-support (3.2.0)
-    sinatra (1.4.5)
+    sinatra (1.4.6)
       rack (~> 1.4)
       rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
     sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
@@ -164,3 +164,6 @@ DEPENDENCIES
   rspec
   simple_admin_auth!
   thin
+
+BUNDLED WITH
+   1.10.6

data/lib/simple_admin_auth/application.rb

@@ -15,6 +15,20 @@ module SimpleAdminAuth
     get_or_post '/admin/callback' do
       auth_hash = request.env['omniauth.auth']
 
+      unless SimpleAdminAuth::Configuration.required_hd.nil?
+        hd = nil
+        if auth_hash.extra && auth_hash.extra.id_info
+          hd = auth_hash.extra.id_info.hd
+        end
+
+        if hd != SimpleAdminAuth::Configuration.required_hd
+          # Hosted domain doesn't match
+          throw(:halt, [401, "Not authorized\n"])
+        end
+
+      end
+
+
       session[:admin_user] = auth_hash['info']
 
       return_url = session[:admin_login_return_url] || '/'

data/lib/simple_admin_auth/configuration.rb

@@ -2,6 +2,8 @@ module SimpleAdminAuth
   class Configuration
     class << self
        attr_accessor :email_white_list
+       # Set this to require a specific hosted domain (google oauth2 only)
+       attr_accessor :required_hd
      end
   end
-end
+end

data/lib/simple_admin_auth/version.rb

@@ -1,3 +1,3 @@
 module SimpleAdminAuth
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/spec/integration_examples.rb

@@ -1,5 +1,13 @@
 shared_examples "integration" do
 
+  before(:each) do
+    OmniAuth.config.add_mock(:admin, {:uid => '12345', info: {email: 'foo@bar.com'}})
+  end
+
+  after(:each) do
+    SimpleAdminAuth::Configuration.required_hd = nil
+  end
+
   it "should get the unprotected index page" do
     get '/'
     last_response.status.should == 200
@@ -41,4 +49,62 @@ shared_examples "integration" do
     last_request.url.should =~ /\/protected\/test$/
     last_response.should be_ok
   end
-end
+
+  it "should fail when required hd is not present" do
+    SimpleAdminAuth::Configuration.required_hd = 'example.org'
+
+    get '/protected/test'
+    # Redirect to login page
+    follow_redirect!
+
+    # Click the login button
+    get '/auth/admin'
+    last_response.status.should == 302
+    follow_redirect!
+
+    # Mock strategy immediately redirects to the callback
+    last_request.url.should =~ /auth\/admin\/callback$/
+    last_response.status.should == 401
+  end
+
+  it "should login if the required hd is present" do
+    SimpleAdminAuth::Configuration.required_hd = 'example.org'
+    OmniAuth.config.add_mock(:admin, {:uid => '12345', info: {email: 'foo@bar.com'}, extra: {id_info: {hd: 'example.org'}}})
+    get '/protected/test'
+    # Redirect to login page
+    follow_redirect!
+
+    # Click the login button
+    get '/auth/admin'
+    last_response.status.should == 302
+    follow_redirect!
+
+    # Mock strategy immediately redirects to the callback
+    last_request.url.should =~ /auth\/admin\/callback$/
+    follow_redirect!
+
+    # We should be redirected back to the original page
+    last_request.url.should =~ /\/protected\/test$/
+    last_response.should be_ok
+  end
+
+  it "should fail when required hd is wrong" do
+    # email matches, but the returnd hd doesn't.
+    SimpleAdminAuth::Configuration.required_hd = 'bar.com'
+    OmniAuth.config.add_mock(:admin, {:uid => '12345', info: {email: 'foo@bar.com'}, extra: {id_info: {hd: 'example.org'}}})
+
+    get '/protected/test'
+    # Redirect to login page
+    follow_redirect!
+
+    # Click the login button
+    get '/auth/admin'
+    last_response.status.should == 302
+    follow_redirect!
+
+    # Mock strategy immediately redirects to the callback
+    last_request.url.should =~ /auth\/admin\/callback$/
+    last_response.status.should == 401
+  end
+
+end

data/spec/spec_helper.rb

@@ -12,5 +12,4 @@ RSpec.configure do |conf|
   end
 end
 
-OmniAuth.config.add_mock(:admin, {:uid => '12345', info:{ email: 'foo@bar.com'}})
 OmniAuth.config.test_mode = true

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_admin_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Ralf Kistner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-04 00:00:00.000000000 Z
+date: 2016-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Simple admin authentication using Google Apps