wrenchmode-rack 0.0.14 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a1c9c1343641307a9f3f8f28a6106b5162de5010
-  data.tar.gz: 2511eca006bd64b9808a819e002fcdcf7e2589d3
+  metadata.gz: 5cc24554fcc1385517b42e7911773c7077c928e9
+  data.tar.gz: 705aa08e5d6e2e207cf38da06bedd7dbe71618f6
 SHA512:
-  metadata.gz: 68935ab359e0e8208e464522e388c92959c7f5a12d03918263ed8243f5e8be7b59fb89ab9cc977450b0a6933e25078003b31f939ce35ffe18398cc6cd54adf41
-  data.tar.gz: 58379470a1a90feb0370f6187cfbf4a2bda27470a8d8dad891d4f56d43d2bffbb23c69cd7fe4f3d7e43a4e2285b56fb2d5ec1c244256fc3dbeeb240f46c84440
+  metadata.gz: 452d5505a9fd72ac64a6bd670b2bc8d5bbb5d2f947a7569ed1e1f5dae60d838258bd613080d23da193cc66ffe4f3a5c9fbc3e1fdbac0c497a1ea2dd2c1bed70e
+  data.tar.gz: 2f510452c96aa031e57bee82ab13384fde92852fe4f267892c3bb36b692a9226115d2d0ff45d6d9eaa499793b794639dabb2b10dcee03aa38a93ebcba79e78d8

data/README.md

@@ -56,7 +56,7 @@ On deployment, the wrenchmode-rack gem will automatically pick up everything it
 
 ```ruby
 # config/environments/production.rb
-config.middleware.use Wrenchmode::Rack, jwt: "your-long-jwt"
+config.middleware.insert_before 0, Wrenchmode::Rack, jwt: "your-long-jwt"
 
 # If you want to test in staging prior to deploying to production.
 # (Coming soon, still not implemented...)
@@ -75,6 +75,19 @@ Bundler.require(:default)
 use Wrenchmode::Rack, jwt: "your-long-jwt"
 ```
 
+## IP Whitelisting and Proxies (including Heroku)
+
+If you are behind a proxy (ie. you are on Heroku, Amazon ELB, nginx proxy, etc.) then you will most likely need to use the `ActionDispatch::RemoteIp` Rack middleware to correctly retrieve the client's IP address. This is included automatically for Rails, but not for vanilla Rack applications.
+
+To use Wrenchmode with a proxy, configure it as follows:
+
+```ruby
+# config/environments/production.rb
+config.middleware.insert_after ActionDispatch::RemoteIp, Wrenchmode::Rack, jwt: "your-long-jwt"
+```
+
+Note: The `jwt` option is not necessary on Heroku, as this is automatically set when you install the Add-on.
+
 ## Advanced Configuration Options
 
 You can also specify the following options to the middleware layer:
@@ -85,6 +98,8 @@ You can also specify the following options to the middleware layer:
 
 `disable_local_wrench` - (Coming soon...) Set to true if you want to disable LocalWrench mode, where the Wrenchmode page is served on your domain. Disabling it will instead force a redirect to the Wrenchmode.com domain. Note: Unless you explicitly want this behavior, it's best to leave this at the default. (Default false)
 
+`trust_remote_ip` - Set to false to ignore the IP addresses in the X-Forwarded-For header. This setting only matters for IP whitelisting. If you are behind a proxy (ie. Heroku, Amazon ELB, and many others) then this must be true for IP whitelisting to work. In addition, you must install the ActionDispatch::RemoteIp Rack layer. This is automatic if you are using Rails. (Default true)
+
 `check_delay_secs` - Change this to modify the rate at which the middleware polls Wrenchmode for updates. Unlikely that this needs anything faster than the default. (Default 5)
 
 `logging` - Set to true in order to log information from the middleware layer to your logging facility. (Default false)

data/lib/wrenchmode/rack.rb

@@ -6,7 +6,7 @@ require 'ipaddr'
 module Wrenchmode
   class Rack
     CLIENT_NAME = "wrenchmode-rack"
-    VERSION = '0.0.14'
+    VERSION = '0.1.0'
 
     # The ENV var set on Heroku where we can retrieve the JWT
     HEROKU_JWT_VAR = "WRENCHMODE_PROJECT_JWT"
@@ -31,7 +31,8 @@ module Wrenchmode
         status_path: "/api/projects/status",
         check_delay_secs: 5,
         logging: false,
-        read_timeout_secs: 3
+        read_timeout_secs: 3,
+        trust_remote_ip: true
       }.merge(opts)
 
       # The JWT can be set either explicity, or implicitly if Wrenchmode is added as a Heroku add-on
@@ -47,6 +48,7 @@ module Wrenchmode
       @read_timeout_secs = opts[:read_timeout_secs]
       @ip_whitelist = []
       @logger = nil
+      @trust_remote_ip = opts[:trust_remote_ip]
 
       @enable_reverse_proxy = false
 
@@ -81,10 +83,9 @@ module Wrenchmode
 
       should_display_wrenchmode = false
       if @switched
-        req = ::Rack::Request.new(env)
 
         should_display_wrenchmode = !@force_open
-        should_display_wrenchmode &&= !ip_whitelisted?(req)
+        should_display_wrenchmode &&= !ip_whitelisted?(env)
       end
 
       if should_display_wrenchmode
@@ -184,12 +185,22 @@ module Wrenchmode
       end
     end
 
-    def ip_whitelisted?(request)
-      return false unless request.ip
-      client_ip = IPAddr.new(request.ip)
-      @ip_whitelist.any? do |ip_address|
-        IPAddr.new(ip_address).include?(client_ip)
+    def ip_whitelisted?(env)
+      client_ips(env).any? do |client_ip|
+        @ip_whitelist.any? do |ip_address|
+          IPAddr.new(ip_address).include?(client_ip)
+        end
+      end
+    end
+
+    def client_ips(env)
+      request = ::Rack::Request.new(env)
+      ips = request.ip ? [request.ip] : []
+      if @trust_remote_ip
+        ips << env.remote_ip.to_s if env.respond_to?(:remote_ip)
+        ips << env["action_dispatch.remote_ip"].to_s if Module.const_defined?("ActionDispatch::RemoteIp") && env["action_dispatch.remote_ip"]
       end
+      ips
     end
 
     def build_update_package

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wrenchmode-rack
 version: !ruby/object:Gem::Version
-  version: 0.0.14
+  version: 0.1.0
 platform: ruby
 authors:
 - Micah Wedemeyer
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-09-04 00:00:00.000000000 Z
+date: 2016-09-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack