workarea-basic_auth 1.1.1

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+View this plugin's code of conduct here:
+
+<https://github.com/workarea-commerce/workarea/blob/master/CODE_OF_CONDUCT.md>

data/CONTRIBUTING.md

@@ -0,0 +1,3 @@
+View this plugin's contribution guidelines here:
+
+<https://github.com/workarea-commerce/workarea/blob/master/CONTRIBUTING.md>

data/Gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem 'workarea'

data/LICENSE

@@ -0,0 +1,52 @@
+WebLinc
+Business Source License
+
+Licensor: WebLinc Corporation, 22 S. 3rd Street, 2nd Floor, Philadelphia PA 19106
+
+Licensed Work: Workarea Commerce Platform
+               The Licensed Work is (c) 2019 WebLinc Corporation
+
+Additional Use Grant:
+                      You may make production use of the Licensed Work without an additional license agreement with WebLinc so long as you do not use the Licensed Work for a Commerce Service.
+
+                      A "Commerce Service" is a commercial offering that allows third parties (other than your employees and contractors) to access the functionality of the Licensed Work by creating or managing commerce functionality, the products, taxonomy, assets and/or content of which are controlled by such third parties. 
+
+                      For information about obtaining an additional license agreement with WebLinc, contact licensing@workarea.com.
+
+Change Date: 2019-08-20
+
+Change License: Version 2.0 or later of the GNU General Public License as published by the Free Software Foundation
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.
+
+If your use of the Licensed Work does not comply with the requirements currently in effect as described in this License, you must purchase a commercial license from the Licensor, its affiliated entities, or authorized resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of the Licensed Work, are subject to this License. This License applies separately for each version of the Licensed Work and the Change Date may vary for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy of the Licensed Work. If you receive the Licensed Work in original or modified form from a third party, the terms and conditions set forth in this License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically terminate your rights under this License for the current and all other versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor or its affiliates (provided that you may use a trademark or logo of Licensor as expressly required by this License). TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE. MariaDB hereby grants you permission to use this License’s text to license your works and to refer to it using the trademark "Business Source License" as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+In consideration of the right to use this License’s text and the "Business Source License" name and trademark, Licensor covenants to MariaDB, and to all other recipients of the licensed work to be provided by Licensor:
+
+To specify as the Change License the GPL Version 2.0 or any later version, or a license that is compatible with GPL Version 2.0 or a later version, where "compatible" means that software provided under the Change License can be included in a program with software provided under GPL Version 2.0 or a later version. Licensor may specify additional Change Licenses without limitation.
+
+To either: (a) specify an additional grant of rights to use that does not impose any additional restriction on the right granted in this License, as the Additional Use Grant; or (b) insert the text "None."
+
+To specify a Change Date.
+
+Not to modify this License in any other way.
+
+Notice
+The Business Source License (this document, or the "License") is not an Open Source license. However, the Licensed Work will eventually be made available under an Open Source License, as stated in this License.
+
+For more information on the use of the Business Source License generally, please visit the Adopting and Developing Business Source License FAQ.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved. "Business Source License" is a trademark of MariaDB Corporation Ab.

data/README.md

@@ -0,0 +1,105 @@
+Workarea Basic Auth
+================================================================================
+
+A Workarea Commerce plugin that adds middleware to enable HTTP Basic Auth for the Workarea Commerce platform, preventing undesired traffic (like bots) on staging and QA environments.
+
+Getting Started
+--------------------------------------------------------------------------------
+
+Add the gem to your application's Gemfile:
+
+```ruby
+# ...
+gem 'workarea-basic_auth'
+# ...
+```
+
+Update your application's bundle.
+
+```bash
+cd path/to/application
+bundle
+```
+
+Configuration
+--------------------------------------------------------------------------------
+
+By default, `workarea-basic-auth` is disabled. To require basic authentication for routes in your application, set the following properties in `Workarea.config`:
+
+```ruby
+Workarea.configure do |config|
+  config.basic_auth.enabled = true
+  config.basic_auth.user = 'my_username'
+  config.basic_auth.pass = 'my_password'
+  config.basic_auth.protect_routes.add('/products')
+  config.basic_auth.protect_routes.add('/categories')
+  config.basic_auth.protect_routes.add('/contact')
+  config.basic_auth.exclude_routes.add('/api*')
+  config.basic_auth.exclude_routes.add('/products/my-sweet-product')
+end
+```
+
+The configuration above will require HTTP basic auth for all routes and HTTP methods other than those that start with `/api` or `/products/my-sweet-product`.
+
+### Excluding Assets
+
+Need to exclude assets from http basic auth?
+
+```ruby
+Workarea.configure do |config|
+  config.basic_auth.enabled = true
+  config.basic_auth.user = 'my_username'
+  config.basic_auth.pass = 'my_password'
+  config.basic_auth.exclude_routes.add('/assets/*')
+end
+```
+
+
+### Excluding routes based off HTTP method
+
+You can also specify protecting or excluding protection of routes for specific
+HTTP methods:
+
+```ruby
+Workarea.configure do |config|
+  config.basic_auth.enabled = true
+  config.basic_auth.user = 'my_username'
+  config.basic_auth.pass = 'my_password'
+  config.basic_auth.protect_routes.add('/login', :post, :option)
+  config.basic_auth.protect_routes.add('/contact', :put)
+end
+```
+
+The configuration above will require HTTP basic auth when sending a
+`POST` or `OPTION` request to `/login` or a `PUT` request to `/contact`.
+
+### Excluding routes based off a Proc
+
+Sometimes you may run into a case where path/method just won't cut it. You can
+pass a protect or exclude route a proc that will be passed a Rack::Request object.
+Anytime the proc returns true, that path will match for either protection or exclusion.
+
+For example, in order to allow the AWS ElasticLoadBalancer the ability to check
+an instances health, we exclude basic auth protection from any request where the
+User Agent contains 'ELB-HealthChecker':
+
+```ruby
+Workarea.configure do |config|
+  config.basic_auth.enabled = true
+  config.basic_auth.user = 'my_username'
+  config.basic_auth.pass = 'my_password'
+  config.basic_auth.exclude_routes.add('/*', ->(request) {
+    request.env['HTTP_USER_AGENT'].include?('ELB-HealthChecker')
+  })
+end
+```
+
+Workarea Commerce Documentation
+--------------------------------------------------------------------------------
+
+See [https://developer.workarea.com](https://developer.workarea.com) for Workarea Commerce documentation.
+
+License
+--------------------------------------------------------------------------------
+
+Workarea Basic Auth is released under the [Business Software License](LICENSE)

data/Rakefile

@@ -0,0 +1,60 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'BasicAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+load 'rails/tasks/statistics.rake'
+load 'workarea/changelog.rake'
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+task default: :test
+
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'workarea/basic_auth/version'
+
+desc "Release version #{Workarea::BasicAuth::VERSION} of the gem"
+task :release do
+  host = "https://#{ENV['BUNDLE_GEMS__WEBLINC__COM']}@gems.weblinc.com"
+
+  #Rake::Task['workarea:changelog'].execute
+  #system 'git add CHANGELOG.md'
+  #system 'git commit -m "Update CHANGELOG"'
+  #system 'git push origin HEAD'
+
+  system "git tag -a v#{Workarea::BasicAuth::VERSION} -m 'Tagging #{Workarea::BasicAuth::VERSION}'"
+  system 'git push --tags'
+
+  system "gem build workarea-basic_auth.gemspec"
+  system "gem push workarea-basic_auth-#{Workarea::BasicAuth::VERSION}.gem"
+  system "gem push workarea-basic_auth-#{Workarea::BasicAuth::VERSION}.gem --host #{host}"
+  system "rm workarea-basic_auth-#{Workarea::BasicAuth::VERSION}.gem"
+end
+
+desc 'Run the JavaScript tests'
+ENV['TEASPOON_RAILS_ENV'] = File.expand_path('../test/dummy/config/environment', __FILE__)
+task teaspoon: 'app:teaspoon'
+
+desc 'Start a server at http://localhost:3000/teaspoon for JavaScript tests'
+task :teaspoon_server do
+  Dir.chdir("test/dummy")
+  teaspoon_env = File.expand_path('../test/teaspoon_env.rb', __FILE__)
+  system "RAILS_ENV=test TEASPOON_ENV=#{teaspoon_env} rails s"
+end

data/bin/rails

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails gems
+# installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path("../..", __FILE__)
+ENGINE_PATH = File.expand_path("../../lib/basic_auth/engine", __FILE__)
+APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
+
+# Set up gems listed in the Gemfile.
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile", __FILE__)
+require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
+
+require 'action_controller/railtie'
+require 'action_view/railtie'
+require 'action_mailer/railtie'
+require 'rails/test_unit/railtie'
+require 'sprockets/railtie'
+require 'teaspoon-mocha'
+
+require 'rails/engine/commands'

data/config/initializers/access_control.rb

@@ -0,0 +1,23 @@
+Workarea.configure do |config|
+  basic_auth = ActiveSupport::Configurable::Configuration.new
+  basic_auth.enabled = false
+
+  basic_auth.protect_routes = Workarea::BasicAuth::SimpleRouteSet.new
+  basic_auth.exclude_routes = Workarea::BasicAuth::SimpleRouteSet.new
+
+  basic_auth.exclude_routes.add("/*", ->(request) {
+    request.env["HTTP_USER_AGENT"].to_s.include?("ELB-HealthChecker")
+  })
+
+  basic_auth.protect_routes.add("/*")
+  basic_auth.exclude_routes.add("/api*")
+  basic_auth.exclude_routes.add("/assets/*")
+  basic_auth.exclude_routes.add("/media/*")
+  basic_auth.exclude_routes.add("/product_images/*")
+
+  basic_auth.whitelisted_ips = Rack::Attack::ALERT_LOGIC_IP_ADDRESSES
+
+  Workarea.config.basic_auth = basic_auth
+
+  Rails.application.config.middleware.insert_before 0, Workarea::BasicAuth::Middleware
+end

data/lib/tasks/basic_auth_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :basic_auth do
+#   # Task goes here
+# end

data/lib/workarea/basic_auth.rb

@@ -0,0 +1,23 @@
+require "rack"
+require "workarea"
+require "workarea/admin"
+require "workarea/storefront"
+require "workarea/basic_auth/engine"
+require "workarea/basic_auth/version"
+
+module Workarea
+  module BasicAuth
+    def self.enabled?
+      config.enabled
+    end
+
+    def self.config
+      Workarea.config.basic_auth
+    end
+  end
+end
+
+require "workarea/basic_auth/path"
+require "workarea/basic_auth/simple_route_set"
+require "workarea/basic_auth/middleware"
+require "workarea/basic_auth/railtie"

data/lib/workarea/basic_auth/engine.rb

@@ -0,0 +1,8 @@
+module Workarea
+  module BasicAuth
+    class Engine < ::Rails::Engine
+      include Workarea::Plugin
+      isolate_namespace Workarea::BasicAuth
+    end
+  end
+end

data/lib/workarea/basic_auth/middleware.rb

@@ -0,0 +1,82 @@
+require "rack/auth/abstract/handler"
+require "rack/auth/abstract/request"
+
+module Workarea
+  module BasicAuth
+    class Middleware < Rack::Auth::AbstractHandler
+      def initialize(app)
+        @app = app
+        @realm = "workarea-basic-auth"
+        @authenticator = Proc.new do |user, pass|
+          (Workarea.config.basic_auth.user == user &&
+           Workarea.config.basic_auth.pass == pass)
+        end
+      end
+
+      def call(env)
+        return @app.call(env) unless Workarea::BasicAuth.enabled?
+
+        auth = Middleware::Request.new(env)
+
+        return @app.call(env) unless auth.required?
+        return unauthorized   unless auth.provided?
+        return bad_request    unless auth.basic?
+        return unauthorized   unless valid?(auth)
+
+        env["REMOTE_USER"] = auth.username
+        @app.call(env)
+      end
+
+      private
+
+        def challenge
+          'Basic realm="%s"' % realm
+        end
+
+        def valid?(auth)
+          @authenticator.call(*auth.credentials)
+        end
+
+        class Request < Rack::Auth::AbstractRequest
+          def required?
+            !ip_whitelisted? && path_is_protected?
+          end
+
+          def path_is_protected?
+            return false if excluded_routes.matches?(request)
+            protected_routes.matches?(request)
+          end
+
+          def ip_whitelisted?
+            whitelisted_ips.any? { |ip| ip.include?(request.ip) }
+          end
+
+          def basic?
+            "basic" == scheme
+          end
+
+          def credentials
+            @credentials ||= params.unpack("m*").first.split(/:/, 2)
+          end
+
+          def username
+            credentials.first
+          end
+
+          private
+
+            def protected_routes
+              Workarea.config.basic_auth.protect_routes
+            end
+
+            def excluded_routes
+              Workarea.config.basic_auth.exclude_routes
+            end
+
+            def whitelisted_ips
+              Workarea.config.basic_auth.whitelisted_ips
+            end
+        end
+    end
+  end
+end

data/lib/workarea/basic_auth/path.rb

@@ -0,0 +1,37 @@
+module Workarea
+  module BasicAuth
+    class Path
+      attr_reader :regexp
+
+      def initialize(string, *http_methods)
+        path = Regexp.escape(string).gsub('\*', ".*?")
+        @regexp = Regexp.new("^#{path}$", true)
+
+        if http_methods && http_methods.first.is_a?(Proc)
+          @proc = http_methods.first
+        end
+
+        @http_methods = http_methods
+      end
+
+      def matches?(request)
+        path_matches?(request) && request_matches?(request)
+      end
+
+      private
+
+        def path_matches?(request)
+          !@regexp.match(request.path_info).nil?
+        end
+
+        def request_matches?(request)
+          if @proc
+            @proc.call(request)
+          else
+            method = request.env["REQUEST_METHOD"].downcase.to_sym
+            @http_methods.empty? || @http_methods.include?(method)
+          end
+        end
+    end
+  end
+end