Sha256: 8396f807496f7602c6e2eda26c044351ceb33c771b3c440961374ae123a46b5b

Contents?: true

Size: 1.03 KB

Versions: 56

Compression:

Stored size: 1.03 KB

Contents

# frozen_string_literal: true

require 'rails/auth/rack'

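module BoltServer
  # Rack middleware that only lets a request through when the TLS client
  # certificate's subject CN equals one of the allowlisted names. Rejections are
  # rendered by the Rails::Auth error-page middleware with the body 'Access denied'.
  #
  # Security notes for maintainers:
  # * This class only compares subject fields. It does not validate the
  #   certificate chain, expiry or revocation; that has to be enforced by the
  #   TLS listener that populates env['puma.peercert'] (NOTE(review): confirm the
  #   server is configured to require and verify client certificates).
  # * Every allowlisted CN is granted all methods on all paths ('ALL', '/.*');
  #   there is no per-endpoint separation between allowlisted clients.
  class ACL < Rails::Auth::ErrorPage::Middleware
    # Matcher registered under the `allow_x509_subject` ACL key. It compares
    # named fields of the peer certificate against the expected values.
    class X509Matcher
      # @param options [Hash] field name => required value, e.g. { 'cn' => 'host.example' }
      #   (constructed example). The hash is frozen in place.
      def initialize(options)
        @options = options.freeze
      end

      # @param env [Hash] Rack environment; the peer certificate is read from 'puma.peercert'
      # @return [Boolean] true only when every configured field matches exactly
      def match(env)
        peer_cert = env['puma.peercert']
        # Fail closed with a plain "no match" when the client presented no
        # certificate, instead of letting the certificate wrapper raise on nil
        # and surface as an unhandled server error.
        return false if peer_cert.nil?

        certificate = Rails::Auth::X509::Certificate.new(peer_cert)
        # This can be extended fairly easily to search OpenSSL::X509::Certificate#extensions for subjectAltNames.
        # Comparison is exact string equality: no wildcard or case folding.
        @options.all? { |name, value| certificate[name] == value }
      end
    end

    # @param app [#call] downstream Rack application
    # @param allowlist [Enumerable<String>] certificate CNs that may access the app.
    #   An empty allowlist produces an ACL with no entries.
    def initialize(app, allowlist)
      # One ACL entry per allowlisted CN, each covering every method and path.
      acls = allowlist.map do |entry|
        {
          'resources' => [
            {
              'method' => 'ALL',
              'path' => '/.*'
            }
          ],
          'allow_x509_subject' => {
            'cn' => entry
          }
        }
      end
      acl = Rails::Auth::ACL.new(acls, matchers: { allow_x509_subject: X509Matcher })
      mid = Rails::Auth::ACL::Middleware.new(app, acl: acl)
      super(mid, page_body: 'Access denied')
    end
  end
end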

Version data entries

56 entries across 56 versions & 1 rubygems

Version Path
bolt-4.0.0 lib/bolt_server/acl.rb
bolt-3.29.0 lib/bolt_server/acl.rb
bolt-3.28.0 lib/bolt_server/acl.rb
bolt-3.27.4 lib/bolt_server/acl.rb
bolt-3.27.2 lib/bolt_server/acl.rb
bolt-3.27.1 lib/bolt_server/acl.rb
bolt-3.26.2 lib/bolt_server/acl.rb
bolt-3.26.1 lib/bolt_server/acl.rb
bolt-3.25.0 lib/bolt_server/acl.rb
bolt-3.24.0 lib/bolt_server/acl.rb
bolt-3.23.1 lib/bolt_server/acl.rb
bolt-3.23.0 lib/bolt_server/acl.rb
bolt-3.22.1 lib/bolt_server/acl.rb
bolt-3.22.0 lib/bolt_server/acl.rb
bolt-3.21.0 lib/bolt_server/acl.rb
bolt-3.20.0 lib/bolt_server/acl.rb
bolt-3.19.0 lib/bolt_server/acl.rb
bolt-3.18.0 lib/bolt_server/acl.rb
bolt-3.17.0 lib/bolt_server/acl.rb
bolt-3.16.1 lib/bolt_server/acl.rb