lib/rails/auth/x509/middleware.rb in rails-auth-2.2.2 vs lib/rails/auth/x509/middleware.rb in rails-auth-3.0.0
- old
+ new
@@ -1,34 +1,24 @@
# frozen_string_literal: true
module Rails
module Auth
module X509
- # Raised when certificate verification is mandatory
- CertificateVerifyFailed = Class.new(NotAuthorizedError)
-
- # Validates X.509 client certificates and adds credential objects for valid
- # clients to the rack environment as env["rails-auth.credentials"]["x509"]
+ # Extracts X.509 client certificates and adds credential objects to the
+ # rack environment as env["rails-auth.credentials"]["x509"]
class Middleware
# Create a new X.509 Middleware object
#
- # @param [Object] app next app in the Rack middleware chain
- # @param [String] ca_file path to the CA bundle to verify client certs with
- # @param [Hash] cert_filters maps Rack environment names to cert extractors
- # @param [Logger] logger place to log verification successes & failures
- # @param [Boolean] require_cert causes middleware to raise if certs are unverified
- # @param [OpenSSL::X509::Store] truststore (optional) provide your own truststore (for e.g. CRLs)
+ # @param [Object] app next app in the Rack middleware chain
+ # @param [Hash] cert_filters maps Rack environment names to cert extractors
+ # @param [Logger] logger place to log certificate extraction issues
#
# @return [Rails::Auth::X509::Middleware] new X509 middleware instance
- def initialize(app, ca_file: nil, cert_filters: {}, logger: nil, require_cert: false, truststore: nil)
- raise ArgumentError, "no ca_file or truststore given" unless ca_file || truststore
-
+ def initialize(app, cert_filters: {}, logger: nil)
@app = app
@cert_filters = cert_filters
@logger = logger
- @require_cert = require_cert
- @truststore = truststore || OpenSSL::X509::Store.new.add_file(ca_file)
@cert_filters.each do |key, filter|
next unless filter.is_a?(Symbol)
# Convert snake_case to CamelCase
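Review bot: The rewritten class comment at L14-15 and the `@param cert_filters` doc at L26 no longer say where certificate verification happens, yet the constructor at L33 drops every verification input (`ca_file`, `truststore`, `require_cert`) that the 2.2.2 docs at L20-24 described. A reader configuring this middleware needs to know that the Rack env values named by `cert_filters` are now trusted as already verified, otherwise an operator who previously relied on the `ca_file` check may expose an unverified path. I would extend the class comment with `# Certificates are NOT verified here: the TLS terminator (e.g. nginx ssl_verify_client) must verify them against the CA and set/strip the configured env keys on every request before this middleware runs.` and add `@raise [ArgumentError] when the 2.x keywords ca_file/truststore/require_cert are still passed` since Ruby rejects unknown keywords at L33. The class body continues past this hunk.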
@@ -51,21 +41,13 @@
def extract_credential(env)
@cert_filters.each do |key, filter|
cert = extract_certificate_with_filter(filter, env[key])
next unless cert
- if @truststore.verify(cert)
- log("Verified", cert)
- return Rails::Auth::X509::Certificate.new(cert)
- else
- log("Verify FAILED", cert)
- raise CertificateVerifyFailed, "verify failed: #{subject(cert)}" if @require_cert
- end
+ return Rails::Auth::X509::Certificate.new(cert)
end
- raise CertificateVerifyFailed, "no client certificate in request" if @require_cert
-
nil
end
def extract_certificate_with_filter(filter, raw_cert)
case raw_cert
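Review bot: extract_credential now wraps whatever extract_certificate_with_filter parses out of `env[key]` at L45 in a credential at L54 with no check that the certificate chains to a trusted CA or is currently valid — the `@truststore.verify(cert)` branch this hunk removes was the middleware's only such check. That is safe only if every configured `cert_filters` key is written exclusively by a TLS terminator that has already verified the client certificate and overwrites or strips that header on every request; if the app is reachable by any other path (or a key maps to a client-controllable header), a request can carry an arbitrary certificate and be issued a credential for it. The trust assumption should be stated where the credential is minted, e.g. above L54: `# Trusted as-is: chain and validity verification must already have happened at the TLS terminator that populated env[key].` With the `log` helper gone, `subject` at L72 also appears to have no remaining caller in this file and could be removed. extract_certificate_with_filter starts at L60 and continues past this hunk.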
@@ -75,13 +57,9 @@
filter.call(raw_cert)
rescue StandardError => e
@logger.debug("rails-auth: Certificate error: #{e.class}: #{e.message}") if @logger
nil
- end
-
- def log(message, cert)
- @logger.debug("rails-auth: #{message} (#{subject(cert)})") if @logger
end
def subject(cert)
cert.subject.to_a.map { |attr, data| "#{attr}=#{data}" }.join(",")
end