From ba33fb71b36d8019931d352a2f818b4649ed96a1 Mon Sep 17 00:00:00 2001 From: Stephen von Takach Date: Thu, 7 Sep 2023 13:16:59 +1000 Subject: [PATCH] feat(sessions): add a verification cookie [PPT-870] [PPT-872] (#111) used to indicate if the user has authenticated and can access static assets --- Gemfile | 5 +- Gemfile.lock | 386 +++++++----------- README.md | 68 --- .../auth/authorities_controller.rb | 2 + app/controllers/auth/coauth_controller.rb | 24 +- app/controllers/auth/sessions_controller.rb | 37 +- app/controllers/uploads_controller.rb | 99 ----- app/helpers/current_authority_helper.rb | 22 + app/helpers/user_helper.rb | 1 + app/models/api_key.rb | 20 + app/views/auth/signups/show.html.erb | 4 +- config/credentials.yml.enc | 1 - config/initializers/condo_providers.rb | 70 ---- config/routes.rb | 4 - config/secrets.yml | 2 +- 15 files changed, 250 insertions(+), 495 deletions(-) delete mode 100644 app/controllers/uploads_controller.rb create mode 100644 app/models/api_key.rb delete mode 100644 config/credentials.yml.enc delete mode 100644 config/initializers/condo_providers.rb diff --git a/Gemfile b/Gemfile index 9642b01..cdac1d0 100644 --- a/Gemfile +++ b/Gemfile @@ -26,10 +26,6 @@ gem "omniauth-ldap2" gem "omniauth-oauth2" gem "omniauth-saml" -# Uploads (rethink update looks like a rails compatibility update) -gem "condo", git: "https://github.com/cotag/Condominios.git", branch: "rails7" -gem "condo_active_record", git: "https://github.com/cotag/condo_active_record.git" - # Model support gem "addressable" gem "bcrypt" @@ -49,6 +45,7 @@ gem "rbtrace" # Fast JSON parsing gem "yajl-ruby" +gem "multi_json" group :development, :test do # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem diff --git a/Gemfile.lock b/Gemfile.lock index 35e5a8d..9c445c5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
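Review bot: `gem "multi_json"` is added with no version constraint, directly under the "Fast JSON parsing" comment that belongs to `yajl-ruby`; it was previously only a transitive dependency of the removed fog gems, and nothing in this patch references `MultiJson`, so it is not clear which code now needs it directly. If a caller does depend on it, pin it to the resolved line (`gem "multi_json", "~> 1.15"`) and give it its own comment naming that consumer; otherwise drop it along with the condo gems rather than carrying an unpinned, unexplained dependency.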
@@ -1,92 +1,72 @@ -GIT - remote: https://github.com/cotag/Condominios.git - revision: 4ca8b5cfd19e49d91a47a2180dae8faa8348c857 - branch: rails7 - specs: - condo (2.1.0) - fog-aws - fog-google - fog-openstack - rails - unf - -GIT - remote: https://github.com/cotag/condo_active_record.git - revision: 2b63ba1e14133f14000523bf1302e3fc4fcbfd93 - specs: - condo_active_record (2.0.0) - condo - rails - GEM remote: https://rubygems.org/ specs: - actioncable (7.0.6) - actionpack (= 7.0.6) - activesupport (= 7.0.6) + actioncable (7.0.7.2) + actionpack (= 7.0.7.2) + activesupport (= 7.0.7.2) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (7.0.6) - actionpack (= 7.0.6) - activejob (= 7.0.6) - activerecord (= 7.0.6) - activestorage (= 7.0.6) - activesupport (= 7.0.6) + actionmailbox (7.0.7.2) + actionpack (= 7.0.7.2) + activejob (= 7.0.7.2) + activerecord (= 7.0.7.2) + activestorage (= 7.0.7.2) + activesupport (= 7.0.7.2) mail (>= 2.7.1) net-imap net-pop net-smtp - actionmailer (7.0.6) - actionpack (= 7.0.6) - actionview (= 7.0.6) - activejob (= 7.0.6) - activesupport (= 7.0.6) + actionmailer (7.0.7.2) + actionpack (= 7.0.7.2) + actionview (= 7.0.7.2) + activejob (= 7.0.7.2) + activesupport (= 7.0.7.2) mail (~> 2.5, >= 2.5.4) net-imap net-pop net-smtp rails-dom-testing (~> 2.0) - actionpack (7.0.6) - actionview (= 7.0.6) - activesupport (= 7.0.6) + actionpack (7.0.7.2) + actionview (= 7.0.7.2) + activesupport (= 7.0.7.2) rack (~> 2.0, >= 2.2.4) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (7.0.6) - actionpack (= 7.0.6) - activerecord (= 7.0.6) - activestorage (= 7.0.6) - activesupport (= 7.0.6) + actiontext (7.0.7.2) + actionpack (= 7.0.7.2) + activerecord (= 7.0.7.2) + activestorage (= 7.0.7.2) + activesupport (= 7.0.7.2) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.0.6) - activesupport (= 7.0.6) + actionview (7.0.7.2) + activesupport (= 7.0.7.2) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 
2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (7.0.6) - activesupport (= 7.0.6) + activejob (7.0.7.2) + activesupport (= 7.0.7.2) globalid (>= 0.3.6) - activemodel (7.0.6) - activesupport (= 7.0.6) - activerecord (7.0.6) - activemodel (= 7.0.6) - activesupport (= 7.0.6) - activestorage (7.0.6) - actionpack (= 7.0.6) - activejob (= 7.0.6) - activerecord (= 7.0.6) - activesupport (= 7.0.6) + activemodel (7.0.7.2) + activesupport (= 7.0.7.2) + activerecord (7.0.7.2) + activemodel (= 7.0.7.2) + activesupport (= 7.0.7.2) + activestorage (7.0.7.2) + actionpack (= 7.0.7.2) + activejob (= 7.0.7.2) + activerecord (= 7.0.7.2) + activesupport (= 7.0.7.2) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (7.0.6) + activesupport (7.0.7.2) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) tzinfo (~> 2.0) - addressable (2.8.4) + addressable (2.8.5) public_suffix (>= 2.0.2, < 6.0) bcrypt (3.1.19) bindex (0.8.1) @@ -110,7 +90,6 @@ GEM debug (1.8.0) irb (>= 1.5.0) reline (>= 0.3.1) - declarative (0.0.20) doorkeeper (5.6.6) railties (>= 5) doorkeeper-jwt (0.4.1) 
@@ -118,90 +97,26 @@ GEM email_validator (2.2.4) activemodel erubi (1.12.0) - excon (0.100.0) faraday (2.7.10) faraday-net_http (>= 2.0, < 3.1) ruby2_keywords (>= 0.0.4) faraday-net_http (3.0.2) ffi (1.15.5) - fog-aws (3.19.0) - fog-core (~> 2.1) - fog-json (~> 1.1) - fog-xml (~> 0.1) - fog-core (2.2.4) - builder - excon (~> 0.71) - formatador (~> 0.2) - mime-types - fog-google (1.21.1) - addressable (>= 2.7.0) - fog-core (< 2.3) - fog-json (~> 1.2) - fog-xml (~> 0.1.0) - google-apis-compute_v1 (~> 0.53) - google-apis-dns_v1 (~> 0.28) - google-apis-iamcredentials_v1 (~> 0.15) - google-apis-monitoring_v3 (~> 0.37) - google-apis-pubsub_v1 (~> 0.30) - google-apis-sqladmin_v1beta4 (~> 0.38) - google-apis-storage_v1 (>= 0.19, < 1) - google-cloud-env (~> 1.2) - fog-json (1.2.0) - fog-core - multi_json (~> 1.10) - fog-openstack (1.1.0) - fog-core (~> 2.1) - fog-json (>= 1.0) - fog-xml (0.1.4) - fog-core - nokogiri (>= 1.5.11, < 2.0.0) - formatador (0.3.0) - globalid (1.1.0) - activesupport (>= 5.0) - google-apis-compute_v1 (0.73.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-core (0.11.0) - addressable (~> 2.5, >= 2.5.1) - googleauth (>= 0.16.2, < 2.a) - httpclient (>= 2.8.1, < 3.a) - mini_mime (~> 1.0) - representable (~> 3.0) - retriable (>= 2.0, < 4.a) - rexml - webrick - google-apis-dns_v1 (0.32.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-iamcredentials_v1 (0.17.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-monitoring_v3 (0.47.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-pubsub_v1 (0.40.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-sqladmin_v1beta4 (0.52.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-storage_v1 (0.23.0) - google-apis-core (>= 0.11.0, < 2.a) - google-cloud-env (1.6.0) - faraday (>= 0.17.3, < 3.0) - google-protobuf (3.21.12) - googleapis-common-protos-types (1.6.0) - google-protobuf (~> 3.14) - googleauth (1.6.0) - faraday (>= 0.17.3, < 3.a) - jwt (>= 1.4, < 3.0) - memoist (~> 0.16) - multi_json (~> 
1.11) - os (>= 0.9, < 2.0) - signet (>= 0.16, < 2.a) + globalid (1.2.1) + activesupport (>= 6.1) + google-protobuf (3.24.3) + google-protobuf (3.24.3-x86_64-linux) + googleapis-common-protos-types (1.8.0) + google-protobuf (~> 3.18) hashie (5.0.0) - httpclient (2.8.3) i18n (1.14.1) concurrent-ruby (~> 1.0) io-console (0.6.0) - irb (1.7.3) - reline (>= 0.3.6) + irb (1.8.1) + rdoc + reline (>= 0.3.8) jwt (2.7.1) - lograge (0.12.0) + lograge (0.13.0) actionpack (>= 4) activesupport (>= 4) railties (>= 4) @@ -217,18 +132,15 @@ GEM net-smtp marcel (1.0.2) matrix (0.4.2) - memoist (0.16.2) method_source (1.0.0) - mime-types (3.4.1) - mime-types-data (~> 3.2015) - mime-types-data (3.2023.0218.1) - mini_mime (1.1.2) - minitest (5.18.1) + mini_mime (1.1.5) + mini_portile2 (2.8.4) + minitest (5.20.0) mono_logger (1.1.2) - msgpack (1.7.1) + msgpack (1.7.2) multi_json (1.15.0) multi_xml (0.6.0) - net-imap (0.3.6) + net-imap (0.3.7) date net-protocol net-ldap (0.18.0) @@ -239,9 +151,10 @@ GEM net-smtp (0.3.3) net-protocol nio4r (2.5.9) - nokogiri (1.15.3-aarch64-linux) + nokogiri (1.15.4) + mini_portile2 (~> 2.8.2) racc (~> 1.4) - nokogiri (1.15.3-x86_64-linux) + nokogiri (1.15.4-x86_64-linux) racc (~> 1.4) oauth2 (2.0.9) faraday (>= 0.17.3, < 3.0) @@ -264,14 +177,14 @@ GEM omniauth-saml (1.10.3) omniauth (~> 1.3, >= 1.3.2) ruby-saml (~> 1.9) - opentelemetry-api (1.1.0) - opentelemetry-common (0.19.7) + opentelemetry-api (1.2.2) + opentelemetry-common (0.20.0) opentelemetry-api (~> 1.0) - opentelemetry-exporter-otlp (0.25.0) - google-protobuf (~> 3.19) + opentelemetry-exporter-otlp (0.26.1) + google-protobuf (~> 3.14) googleapis-common-protos-types (~> 1.3) opentelemetry-api (~> 1.1) - opentelemetry-common (~> 0.19.6) + opentelemetry-common (~> 0.20) opentelemetry-sdk (~> 1.2) opentelemetry-semantic_conventions opentelemetry-instrumentation-action_pack (0.7.0) 
@@ -282,20 +195,20 @@ GEM opentelemetry-api (~> 1.0) opentelemetry-instrumentation-active_support (~> 0.1) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-active_job (0.5.1) + opentelemetry-instrumentation-active_job (0.5.2) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-active_model_serializers (0.20.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-active_record (0.6.1) + opentelemetry-instrumentation-active_record (0.6.2) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) ruby2_keywords opentelemetry-instrumentation-active_support (0.4.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-all (0.39.1) + opentelemetry-instrumentation-all (0.40.0) opentelemetry-instrumentation-active_model_serializers (~> 0.20.1) opentelemetry-instrumentation-aws_sdk (~> 0.4.1) opentelemetry-instrumentation-bunny (~> 0.20.1) @@ -307,6 +220,7 @@ GEM opentelemetry-instrumentation-faraday (~> 0.23.1) opentelemetry-instrumentation-grape (~> 0.1.3) opentelemetry-instrumentation-graphql (~> 0.26.2) + opentelemetry-instrumentation-gruf (~> 0.1.0) opentelemetry-instrumentation-http (~> 0.23.1) opentelemetry-instrumentation-http_client (~> 0.22.1) opentelemetry-instrumentation-koala (~> 0.20.1) @@ -328,10 +242,10 @@ GEM opentelemetry-instrumentation-sidekiq (~> 0.24.1) opentelemetry-instrumentation-sinatra (~> 0.23.1) opentelemetry-instrumentation-trilogy (~> 0.56.1) - opentelemetry-instrumentation-aws_sdk (0.4.1) + opentelemetry-instrumentation-aws_sdk (0.4.2) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-base (0.22.1) + opentelemetry-instrumentation-base (0.22.2) opentelemetry-api (~> 1.0) opentelemetry-registry (~> 0.1) opentelemetry-instrumentation-bunny (0.20.1) 
@@ -340,42 +254,45 @@ GEM opentelemetry-instrumentation-concurrent_ruby (0.21.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-dalli (0.24.1) + opentelemetry-instrumentation-dalli (0.24.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-delayed_job (0.20.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-ethon (0.21.1) + opentelemetry-instrumentation-ethon (0.21.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-excon (0.21.1) + opentelemetry-instrumentation-excon (0.21.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-faraday (0.23.1) + opentelemetry-instrumentation-faraday (0.23.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-grape (0.1.3) - opentelemetry-api (~> 1.1.0) + opentelemetry-instrumentation-grape (0.1.4) + opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-rack (~> 0.21) - opentelemetry-instrumentation-graphql (0.26.2) + opentelemetry-instrumentation-graphql (0.26.6) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) + opentelemetry-instrumentation-gruf (0.1.0) + opentelemetry-api (>= 1.0.0) + opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-http (0.23.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-http_client (0.22.1) + opentelemetry-instrumentation-http_client 
(0.22.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-koala (0.20.1) + opentelemetry-instrumentation-koala (0.20.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-lmdb (0.22.1) opentelemetry-api (~> 1.0) @@ -383,25 +300,25 @@ GEM opentelemetry-instrumentation-mongo (0.22.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-mysql2 (0.24.2) + opentelemetry-instrumentation-mysql2 (0.24.3) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-net_http (0.22.1) + opentelemetry-instrumentation-net_http (0.22.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-pg (0.25.2) + opentelemetry-instrumentation-pg (0.25.3) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-que (0.6.1) + opentelemetry-instrumentation-que (0.6.2) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-racecar (0.2.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-rack (0.23.2) + opentelemetry-instrumentation-rack (0.23.4) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-rails (0.27.1) opentelemetry-api (~> 1.0) 
@@ -414,86 +331,87 @@ GEM opentelemetry-instrumentation-rake (0.2.1) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-rdkafka (0.3.1) + opentelemetry-instrumentation-rdkafka (0.3.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-redis (0.25.1) + opentelemetry-instrumentation-redis (0.25.3) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-resque (0.4.1) + opentelemetry-instrumentation-resque (0.4.2) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-restclient (0.22.1) + opentelemetry-instrumentation-restclient (0.22.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-ruby_kafka (0.20.1) + opentelemetry-instrumentation-ruby_kafka (0.20.2) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-sidekiq (0.24.1) + opentelemetry-instrumentation-sidekiq (0.24.4) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) - opentelemetry-instrumentation-sinatra (0.23.1) + opentelemetry-instrumentation-sinatra (0.23.2) opentelemetry-api (~> 1.0) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-instrumentation-rack (~> 0.21) - opentelemetry-instrumentation-trilogy (0.56.1) + opentelemetry-instrumentation-trilogy (0.56.3) opentelemetry-api (~> 1.0) opentelemetry-instrumentation-base (~> 0.22.1) opentelemetry-semantic_conventions (>= 1.8.0) opentelemetry-registry (0.3.0) 
opentelemetry-api (~> 1.1) - opentelemetry-sdk (1.2.1) + opentelemetry-sdk (1.3.0) opentelemetry-api (~> 1.1) - opentelemetry-common (~> 0.19.3) + opentelemetry-common (~> 0.20) opentelemetry-registry (~> 0.2) opentelemetry-semantic_conventions opentelemetry-semantic_conventions (1.10.0) opentelemetry-api (~> 1.0) - optimist (3.0.1) - os (1.1.4) - pg (1.5.3) + optimist (3.1.0) + pg (1.5.4) pry (0.14.2) coderay (~> 1.1) method_source (~> 1.0) pry-rails (0.3.9) pry (>= 0.10.4) + psych (5.1.0) + stringio public_suffix (5.0.3) - puma (6.3.0) + puma (6.3.1) nio4r (~> 2.0) pyu-ruby-sasl (0.0.3.3) racc (1.7.1) - rack (2.2.7) + rack (2.2.8) rack-test (2.1.0) rack (>= 1.3) - rails (7.0.6) - actioncable (= 7.0.6) - actionmailbox (= 7.0.6) - actionmailer (= 7.0.6) - actionpack (= 7.0.6) - actiontext (= 7.0.6) - actionview (= 7.0.6) - activejob (= 7.0.6) - activemodel (= 7.0.6) - activerecord (= 7.0.6) - activestorage (= 7.0.6) - activesupport (= 7.0.6) + rails (7.0.7.2) + actioncable (= 7.0.7.2) + actionmailbox (= 7.0.7.2) + actionmailer (= 7.0.7.2) + actionpack (= 7.0.7.2) + actiontext (= 7.0.7.2) + actionview (= 7.0.7.2) + activejob (= 7.0.7.2) + activemodel (= 7.0.7.2) + activerecord (= 7.0.7.2) + activestorage (= 7.0.7.2) + activesupport (= 7.0.7.2) bundler (>= 1.15.0) - railties (= 7.0.6) - rails-dom-testing (2.1.1) + railties (= 7.0.7.2) + rails-dom-testing (2.2.0) activesupport (>= 5.0.0) minitest nokogiri (>= 1.6) rails-html-sanitizer (1.6.0) loofah (~> 2.21) nokogiri (~> 1.14) - railties (7.0.6) - actionpack (= 7.0.6) - activesupport (= 7.0.6) + railties (7.0.7.2) + actionpack (= 7.0.7.2) + activesupport (= 7.0.7.2) method_source rake (>= 12.2) thor (~> 1.0) 
@@ -503,21 +421,18 @@ GEM ffi (>= 1.0.6) msgpack (>= 0.4.3) optimist (>= 3.0.0) - redis (5.0.6) + rdoc (6.5.0) + psych (>= 4.0.0) + redis (5.0.7) redis-client (>= 0.9.0) - redis-client (0.14.1) + redis-client (0.17.0) connection_pool regexp_parser (2.8.1) - reline (0.3.6) + reline (0.3.8) io-console (~> 0.5) - representable (3.2.0) - declarative (< 0.1.0) - trailblazer-option (>= 0.1.1, < 0.2.0) - uber (< 0.2.0) request_store (1.5.1) rack (>= 1.4) - retriable (3.1.2) - rexml (3.2.5) + rexml (3.2.6) ruby-saml (1.15.0) nokogiri (>= 1.13.10) rexml @@ -528,47 +443,37 @@ GEM rexml (~> 3.2, >= 3.2.5) rubyzip (>= 1.2.2, < 3.0) websocket (~> 1.0) - sentry-ruby (5.10.0) + sentry-ruby (5.11.0) concurrent-ruby (~> 1.0, >= 1.0.2) - signet (0.17.0) - addressable (~> 2.8) - faraday (>= 0.17.5, < 3.a) - jwt (>= 1.5, < 3.0) - multi_json (~> 1.10) snaky_hash (2.0.1) hashie version_gem (~> 1.1, >= 1.1.1) + stringio (3.0.8) thor (1.2.2) timeout (0.4.0) - trailblazer-option (0.1.2) tzinfo (2.0.6) concurrent-ruby (~> 1.0) - uber (0.1.0) - unf (0.1.4) - unf_ext - unf_ext (0.0.8.2) version_gem (1.1.3) - web-console (4.2.0) + web-console (4.2.1) actionview (>= 6.0.0) activemodel (>= 6.0.0) bindex (>= 0.4.0) railties (>= 6.0.0) - webdrivers (5.2.0) + webdrivers (5.3.1) nokogiri (~> 1.6) rubyzip (>= 1.3.0) - selenium-webdriver (~> 4.0) - webrick (1.8.1) + selenium-webdriver (~> 4.0, < 4.11) websocket (1.2.9) - websocket-driver (0.7.5) + websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) xpath (3.2.0) nokogiri (~> 1.8) yajl-ruby (1.4.3) - zeitwerk (2.6.8) + zeitwerk (2.6.11) PLATFORMS - aarch64-linux + ruby x86_64-linux DEPENDENCIES @@ -576,8 +481,6 @@ DEPENDENCIES bcrypt bootsnap capybara - condo! - condo_active_record! debug doorkeeper (~> 5.6) doorkeeper-jwt @@ -586,6 +489,7 @@ DEPENDENCIES lograge logstash-event mono_logger + multi_json net-imap net-pop net-smtp diff --git a/README.md b/README.md index d61a1da..7a467cf 100644 --- a/README.md 
+++ b/README.md @@ -25,78 +25,10 @@ RAILS_ENV=production # Disable forced SSL COAUTH_NO_SSL=true -# File Uploads -DEFAULT_BUCKET=bucketname - -# Default upload location (Amazon configured if S3_KEY set) -# recommended to configure via the Authority internals settings -S3_KEY= -S3_SECRET= -S3_REGION=ap-southeast-2 - # Serving static files (true if set to anything) RAILS_SERVE_STATIC_FILES= ``` -## File upload configuration - -Add these keys to the Authority internals config - -* `"storage_bucket": "placeos_uploads_bucket"` - -### Amazon - -```yaml -"storage": { - "name": "AmazonS3", - "access_id": "", - "secret_key": "", - "location": "us-east-1" -} -``` - -### Google - -```yaml -"storage": { - "name": "GoogleCloudStorage", - "access_id": "", - "secret_key": "", - "location": "na" # US or Europe -} -``` - -### OpenStack or RackSpace Cloud - -```yaml -"storage": { - "name": "OpenStackSwift", - "username": "admin:admin", - "secret_key": "", - "temp_url_key": "", - "auth_url": "https://identity.api.rackspacecloud.com/v2.0/tokens", - "auth_url": "https://swift.domain.com/auth/v1.0", - # Location can be dallas, london, sydney, hong_kong for rackspace - "location": "https://storage101.dfw1.clouddrive.com", - "storage_url": "account_name", - "scheme": "https" # or http (update the above urls) -} -``` - -### Microsoft Azure - -currently disabled due to gem requirement clashes - -```yaml -"storage": { - "name": "MicrosoftAzure", - "account_name": "", - "access_key": "", - # optional defaults to {account_name}.blob.core.windows.net - "blob_host": nil -} -``` - ## Authentication Flow ### Server to server diff --git a/app/controllers/auth/authorities_controller.rb b/app/controllers/auth/authorities_controller.rb index 6b5cdab..d5dc01b 100644 --- a/app/controllers/auth/authorities_controller.rb +++ b/app/controllers/auth/authorities_controller.rb 
@@ -11,11 +11,13 @@ def current auth = authority.as_json(except: %i[created_at internals]) auth[:version] = "v2.0.0" auth[:session] = signed_in? + begin access_token = doorkeeper_token if access_token access_token.revoke_previous_refresh_token! auth[:token_valid] = true + configure_asset_access else auth[:token_valid] = false end diff --git a/app/controllers/auth/coauth_controller.rb b/app/controllers/auth/coauth_controller.rb index 1cf3f1f..67434fc 100644 --- a/app/controllers/auth/coauth_controller.rb +++ b/app/controllers/auth/coauth_controller.rb @@ -1,5 +1,6 @@ # frozen_string_literal: true +require "openssl" require "securerandom" module Auth @@ -8,7 +9,7 @@ class CoauthController < ApplicationController include CurrentAuthorityHelper Rails.application.config.force_ssl = true - USE_SSL = Rails.application.config.force_ssl + USE_SSL = true def success_path "/login_success.html" @@ -42,17 +43,32 @@ def redirect_continue(path) def new_session(user) @current_user = user + + # default is 1 day (timeout in minutes) + session_valid = (current_authority.internals["session_timeout"] || "1440").to_i.minutes.from_now + value = { value: { id: user.id, - expires: 1.day.from_now.to_i + expires: session_valid.to_i }, + expires: session_valid, secure: USE_SSL, httponly: true, same_site: :none, path: "/auth" # only sent to calls at this path } cookies.encrypted[:user] = value + + # prevent SSO redirect at nginx layer + configure_asset_access + end + + # Is the API key valid? + def api_key_valid?(api_key) + !!ApiKey.find_key!(api_key) + rescue + false end def store_social(uid, provider) @@ -60,8 +76,9 @@ def store_social(uid, provider) value: { uid: uid, provider: provider, - expires: 1.hour.from_now.to_i + expires: 20.minutes.from_now.to_i }, + expires: 20.minutes, secure: USE_SSL, httponly: true, path: "/auth" # only sent to calls at this path 
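Review bot: `configure_asset_access` is now invoked on every `/authority` read that carries a valid doorkeeper token, minting a long-lived `verified` cookie from a GET endpoint, and nothing in this hunk ties that cookie's lifetime or scope to the token that earned it. If client-credential tokens (no resource owner) are enabled for this app — I can't tell from here — they would unlock static assets too; consider `configure_asset_access if access_token.resource_owner_id` or an equivalent scope check. The `begin` added here has no `rescue`/`end` in view and `current` continues outside the hunk, so I could not check what failure of `revoke_previous_refresh_token!` does to the `token_valid` result.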
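Review bot: `USE_SSL = true` drops the last link between this controller's cookie flags and runtime config, while the README in this same patch still documents `COAUTH_NO_SSL=true` as a way to disable forced SSL; with `secure: true` (required anyway by `same_site: :none`) the `user`, `social` and `continue` cookies are never sent over plain http, so that mode — if it is still honoured somewhere outside this diff — cannot establish a session. Either keep the constant derived (`USE_SSL = Rails.application.config.force_ssl`, which the line above already sets to `true`) or add a comment on it stating that the auth cookies require HTTPS regardless of `COAUTH_NO_SSL`. `CoauthController` continues outside the hunk.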
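Review bot: In `new_session`, `session_valid` trusts `internals["session_timeout"]` through `to_i`, so a non-numeric, `0` or negative value yields a `user` cookie that expires at or before issue — a silently broken login — and there is no upper bound either. Parse it defensively: `timeout = Integer(current_authority.internals["session_timeout"], exception: false)`, `timeout = 1440 unless timeout&.positive?`, then `session_valid = timeout.minutes.from_now`. `api_key_valid?` folds every `StandardError` into `false`, which is fail-closed but also hides database outages behind "invalid key"; rescue `ActiveRecord::RecordNotFound` plus whatever `find_key!` raises on mismatch explicitly and let the rest surface. Note also that the `verified` cookie issued at the end of `new_session` does not share `session_valid` — its lifetime is set in the helper, independent of the session it is supposed to reflect.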
@@ -79,6 +96,7 @@ def set_continue(path) value = { value: path, + expires: 20.minutes, httponly: true, secure: USE_SSL, same_site: :none, diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb index f945f11..2420913 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/auth/sessions_controller.rb @@ -3,6 +3,7 @@ require "net/http" require "uri" require "set" +require 'cgi' module Auth class SessionsController < CoauthController @@ -12,8 +13,40 @@ class SessionsController < CoauthController def new details = params.permit(:provider, :continue, :id) remove_session - set_continue(details[:continue]) - uri = "/auth/#{details[:provider]}" + continue_uri = details[:continue] + + # check for x-api-keys + # if they exist and are valid (making a request to rest-api to confirm) + # then configure a long lasting verified cookie + if continue_uri + parsed_uri = URI.parse(continue_uri) + query_params = parsed_uri.query + + if query_params + continue_params = URI.decode_www_form(query_params).to_h + + api_key = continue_params["api-key"] || continue_params["x-api-key"] + if api_key && api_key_valid?(api_key) + configure_asset_access + redirect_continue(continue_uri) { "/" } + return + end + end + end + + provider = details[:provider] + auth_id = details[:id] + + # use default login if URI not provided + if !provider.presence || !auth_id.presence + authority = current_authority + login_uri = authority.login_url + redirect_to authority.login_url.gsub("{{url}}", continue_uri), status: :see_other + return + end + + set_continue(continue_uri) + uri = "/auth/#{provider}" # Support generic auth sources uri = "#{uri}?id=#{details[:id]}" if details[:id] diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb deleted file mode 100644 index 6bb64aa..0000000 --- a/app/controllers/uploads_controller.rb +++ /dev/null 
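Review bot: In the default-login branch of `new`, `continue_uri` is spliced unencoded into `authority.login_url.gsub("{{url}}", continue_uri)`: when `continue` is absent it is `nil` and `gsub` raises `TypeError` (a 500 instead of a redirect), and when present any `&`, `#` or `?` in it rewrites the login URL's own query string, so it must be URL-encoded — the newly required `cgi` is never used, which suggests `CGI.escape` was intended; `login_uri` is assigned and unused. Earlier in the action, `URI.parse(continue_uri)` raises `URI::InvalidURIError` on a malformed value, which also surfaces as a 500 rather than falling through to the normal login. The API key is accepted from the `continue` query string and then echoed back in the redirect `Location`, so it lands in browser history, `Referer` headers and proxy/nginx logs; strip it from the URL before redirecting (or accept it via a header), and be aware the long-lived `verified` cookie issued on that path is not invalidated if the key is later deleted. Whether `redirect_continue` restricts the target to same-origin paths is outside this hunk, so I can't judge the open-redirect exposure of `continue`.
```ruby
continue_uri = details[:continue]

query_params =
  begin
    continue_uri && URI.parse(continue_uri).query
  rescue URI::InvalidURIError
    nil
  end
# … unchanged: api-key extraction, validity check and redirect_continue …

if !provider.presence || !auth_id.presence
  # assumes {{url}} sits inside a query parameter of login_url — confirm against the templates in use
  encoded_continue = CGI.escape(continue_uri.to_s)
  redirect_to current_authority.login_url.gsub("{{url}}", encoded_continue), status: :see_other
  return
end
```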
@@ -1,99 +0,0 @@ -# frozen_string_literal: true - -require "set" - -class UploadsController < ApplicationController - include Condo - include CurrentAuthorityHelper - - before_action :check_authenticated - - protected - - # before filter auth checks - # See ./config/initializers/doorkeeper for JWT format - def check_authenticated - payload, _header = get_jwt - if payload - head(:forbidden) if (request.host != payload["aud"]) && Rails.env.production? - else - head(:unauthorized) - end - end - - # - # This is a request for the current user_id - # We forward it to our current user method - condo_callback :resident_id do - payload, _header = get_jwt - payload["sub"] - end - - # - # Database entry needs to be updated here - # We'll mark it as ready for processing - condo_callback :upload_complete do |upload| - upload.remove_entry - true - # TODO: We should mark the upload as complete and ready for processing - # We can time stamp with last processed to ensure processing - - # Remove if already converting - # next - end - - # - # We need to mark an upload for processing - # We then delete from the cloud before removing the database entry - condo_callback :destroy_upload do |upload| - current_residence.destroy(upload) - upload.remove_entry - - # return true to indicate successful update - true - end - - # If we want to filter certain file types in the future - # SUPPORTED = Set.new(['.png']) - # condo_callback :pre_validation do - # if SUPPORTED.include? 
File.extname(@upload[:file_name]).downcase - # true - # else - # [false, {errors: {file_name: 'is not a supported file type'}}] - # end - # end - - # # - # # Should return the bucket name for the current user - # # Bucket should be created as a background user - condo_callback :bucket_name do - current_authority.get_bucket - end - - condo_callback :select_residence do |_config, _resident_id, _upload| - current_authority.get_storage - end - - # - # The name of the file when saved on the cloud storage system - condo_callback :object_key do |upload| - "#{request.host}/#{Time.now.to_f.to_s.sub(".", "")}#{rand(1000)}#{File.extname(upload[:file_name])}" - end - - # Defined here: https://github.com/cotag/Condominios/blob/5d1b297853e89c91afadcfeb48ab3f09ccff28b5/lib/condo.rb#L111 - # Mime types set here: https://github.com/cotag/Condominios/blob/5d1b297853e89c91afadcfeb48ab3f09ccff28b5/lib/condo/strata/amazon_s3.rb#L101 - # and https://github.com/cotag/Condominios/blob/5d1b297853e89c91afadcfeb48ab3f09ccff28b5/lib/condo/strata/open_stack_swift.rb#L122 - condo_callback :object_options do |_upload_object| - file_mime = params[:file_mime].presence - if file_mime - { - permissions: :public, - headers: { - "Content-Type" => file_mime - } - } - else - {permissions: :public} - end - end -end diff --git a/app/helpers/current_authority_helper.rb b/app/helpers/current_authority_helper.rb index 87f7c19..0ccddf6 100644 --- a/app/helpers/current_authority_helper.rb +++ b/app/helpers/current_authority_helper.rb 
@@ -1,7 +1,29 @@ # frozen_string_literal: true +require "openssl" +require "securerandom" + module CurrentAuthorityHelper def current_authority @current_authority ||= Authority.find_by_domain(request.host) end + + SECRET = Rails.application.secrets.secret_key_base + + def configure_asset_access + session_valid = 20.years.from_now + + data = SecureRandom.hex(8) + digest = OpenSSL::Digest.new('sha256') + hmac = OpenSSL::HMAC.hexdigest(digest, SECRET, data) + + cookies[:verified] = { + value: "#{data}.#{hmac}", + expires: session_valid, + secure: true, + httponly: true, + same_site: :none, + path: "/" + } + end end diff --git a/app/helpers/user_helper.rb b/app/helpers/user_helper.rb index fe03e7d..8eaba88 100644 --- a/app/helpers/user_helper.rb +++ b/app/helpers/user_helper.rb @@ -2,6 +2,7 @@ module UserHelper def remove_session + cookies.delete(:verified, path: "/") cookies.delete(:user, path: "/auth") cookies.delete(:social, path: "/auth") cookies.delete(:continue, path: "/auth") diff --git a/app/models/api_key.rb b/app/models/api_key.rb new file mode 100644 index 0000000..c1338ca --- /dev/null +++ b/app/models/api_key.rb @@ -0,0 +1,20 @@ +require 'openssl' + +class ApiKey < ApplicationRecord + self.table_name = "api_key" + + def self.find_key!(token) + id, secret = token.split('.', 2) + + model = self.find(id) + + # Same error as being unable to find the model + digest = OpenSSL::Digest.new('sha512') + hmac = OpenSSL::HMAC.hexdigest(digest, secret, id) + if model.secret != hmac + raise "invalid API key" + end + + model + end +end diff --git a/app/views/auth/signups/show.html.erb b/app/views/auth/signups/show.html.erb index 0fcc136..1f1116a 100644 --- a/app/views/auth/signups/show.html.erb +++ b/app/views/auth/signups/show.html.erb @@ -3,12 +3,12 @@
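Review bot: Nothing user-, authority- or time-specific goes into the signed value — `data` is 8 random bytes and the MAC covers only that — so every `verified` cookie ever issued stays valid for the full 20 years for whoever presents it, and the only way to revoke one is rotating `secret_key_base`, which also invalidates every Rails encrypted cookie. Sign an expiry together with the nonce, e.g. `data = "#{session_valid.to_i}.#{SecureRandom.hex(16)}"`, so the consumer at the nginx layer (not in this diff, so its expected format must change in step) can reject stale cookies. The HMAC is keyed directly with `secret_key_base`, reusing the application master key for a new purpose; derive a dedicated key instead, `SECRET = Rails.application.key_generator.generate_key("verified-cookie")`. `SECRET` is evaluated once at load time, and with `config/secrets.yml` now reading the development key from `ENV["SECRET_KEY_BASE"]`, an unset variable leaves it `nil` and `OpenSSL::HMAC.hexdigest` raises `TypeError` on the first login rather than failing at boot — add an explicit presence check where the constant is defined.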
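Review bot: In `ApiKey.find_key!`, `model.secret != hmac` compares the stored digest with an ordinary string comparison, which leaks timing information about how many leading bytes match; use `ActiveSupport::SecurityUtils.secure_compare(model.secret.to_s, hmac)`. A token without a `.` leaves `secret` as `nil`, so `OpenSSL::HMAC.hexdigest` raises `TypeError` before the comparison, and a mismatch raises a bare `RuntimeError` — neither is the "same error as being unable to find the model" the comment promises; guard with `raise ActiveRecord::RecordNotFound, "invalid API key" if secret.nil?` before computing the digest and raise the same class on a failed `secure_compare`, so callers that rescue the lookup failure cover both paths. The new file also lacks the `# frozen_string_literal: true` header the other Ruby files in this diff carry.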

- Error + An authentication error occurred. Please re-authenticate
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc deleted file mode 100644 index 7406d13..0000000 --- a/config/credentials.yml.enc +++ /dev/null @@ -1 +0,0 @@ -U/Zf6NS1OVbqQZdZk2JaCb5MzBLYGOJ6RWnv+thPnkgn1ZQnxRfhIWozAHFA92/pYn9OX0WW9J/1dwA4QzkgPrIPu+Ym3N4AsKhhTCx7WcEVsH+o/l8Pu+O2f4kArMP+cyJ6ShUtT+n13J1IunUeCLwpv1ExVTi+Gd8VzGkZJY7HMVw+yMgQlykuzB6OkbYvSo6XiDk/9F18zNL9FPf1ggqbKIYy7VZGc/yky/rZQ1NajuQdOKPV/3Bs13DZ5wtmSeGGt0jh8A6Pz//SxSbYpq0=--EQpAIvGAe2IfvrWR--pHFRZSjPazZpNmBbsnEwlg== \ No newline at end of file diff --git a/config/initializers/condo_providers.rb b/config/initializers/condo_providers.rb deleted file mode 100644 index 19cd2d3..0000000 --- a/config/initializers/condo_providers.rb +++ /dev/null 
@@ -1,70 +0,0 @@ -# frozen_string_literal: true - -# -# Define the various storage providers you would like to upload to here. -# Amazon S3 and Google are the only fully featured providers -# -# NOTE:: The first definition is treated as the default. -# It is possible to dynamically set the provider from the controller without configuring anything here -# => http://www.elastician.com/2009/12/comprehensive-list-of-aws-endpoints.html -# - -# Microsoft Azure -# opts = { -# :account_name => ENV['AZURE_ACCOUNT'], -# :access_key => ENV['AZURE_SECRET'] -# } -# Condo::Configuration.add_residence(:MicrosoftAzure, opts) - -# Excon.defaults[:ssl_verify_peer] = false -# Condo::Configuration.add_residence(:OpenStackSwift, { -# username: 'admin:admin', -# secret_key: 'changeme', -# storage_url: 'AUTH_admin', -# auth_url: 'https://swift.domain.com/auth/v1.0', -# location: 'https://swift.domain.com', -# temp_url_key: 'zy14opzraEcjcAUTruOidDoZ6UInjNHLfMNNc60WA', -# bucket_name: 'cotag', -# scheme: 'https' #or http (update the above two urls) -# }) - -# -# Enable if you would like to use this provider -# -# Condo::Configuration.add_residence(:GoogleCloudStorage, { -# :access_id => ENV['GOOGLE_KEY'], -# :secret_key => ENV['GOOGLE_SECRET'] -# }) - -# -# Enable this if you would like to use v2 of Google's storage API (https://developers.google.com/storage/docs/accesscontrol#Signed-URLs) -# => Convert cert to PEM: openssl pkcs12 -in file/name.p12 - nodes -nocerts > out/put.pem -# => NOTE:: The password is: notasecret -# -# Condo::Configuration.add_residence(:GoogleCloudStorage, { -# :access_id => ENV['GOOGLE_KEY'], # Service account email -# :secret_key => File.read('google.pem'), # Private key in pem format (don't use this location ;) -# :api => 2 -# }) - -# Excon.defaults[:ssl_verify_peer] = false -# Condo::Configuration.add_residence(:OpenStackSwift, { -# :username => ENV['RACKS_KEY'], -# -# # This is the API key -# :secret_key => ENV['RACKS_SECRET'], -# -# # Something like 
(MossoCloudFS_abf330f5-5f4e-48be-9993-b5dxxxxxx) -# # Basically your account identifier -# :storage_url => ENV['RACKS_STORAGE_URL'], -# :temp_url_key => ENV['RACKS_TEMP_URL_KEY'] -# }) - -# AWS S3 bucket permissions will need to be set: https://docs.google.com/document/d/1zd5kCB0QH7GmVSnyjVRscILn5l-r_Xp_hvV4Vv9v9Ig/edit# -if ENV["S3_KEY"] - Condo::Configuration.add_residence(:AmazonS3, { - access_id: ENV["S3_KEY"], - secret_key: ENV["S3_SECRET"], - location: ENV["S3_REGION"] || "ap-southeast-2" - }) -end diff --git a/config/routes.rb b/config/routes.rb index 0cea82a..fe9f438 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -20,8 +20,4 @@ get "/authority", to: "auth/authorities#current" end - - scope "/api/files/v1/" do - resources :uploads, only: %i[index create new update] - end end diff --git a/config/secrets.yml b/config/secrets.yml index f3bd7bc..2a5d0dc 100644 --- a/config/secrets.yml +++ b/config/secrets.yml @@ -11,7 +11,7 @@ # if you're sharing your code publicly. development: - secret_key_base: 543fb68b2d592546583b1b982fb99381bad5c6fc7784fa0e95631413440cd4b854d795e5f3cc7069de53f9193c4c599f56615f01e74231b8ff4d31aa851398cc + secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> test: secret_key_base: 84b04ea4259542f36591dd3279d857e6942df1515658a0938f047742ec588c350b0cb675b43995a689a0379b08975bb7c7d95783dfc547ab7a8eb1fcca093b3f