Default to closed by basic auth when not configured

rails · Dec 2, 2024 · 4dbf868 · 4dbf868
1 parent 6bf8b30
commit 4dbf868
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 14 deletions.
diff --git a/app/controllers/concerns/mission_control/jobs/basic_authentication.rb b/app/controllers/concerns/mission_control/jobs/basic_authentication.rb
@@ -0,0 +1,33 @@
+module MissionControl::Jobs::BasicAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authenticate_by_http_basic
+  end
+
+  private
+    def authenticate_by_http_basic
+      if http_basic_authentication_enabled?
+        if http_basic_authentication_configured?
+          http_basic_authenticate_or_request_with(**http_basic_authentication_credentials)
+        else
+          head :unauthorized
+        end
+      end
+    end
+
+    def http_basic_authentication_enabled?
+      MissionControl::Jobs.http_basic_auth_enabled
+    end
+
+    def http_basic_authentication_configured?
+      http_basic_authentication_credentials.values.all?(&:present?)
+    end
+
+    def http_basic_authentication_credentials
+      {
+        name: MissionControl::Jobs.http_basic_auth_user,
+        password: MissionControl::Jobs.http_basic_auth_password
+      }.transform_values(&:presence)
+    end
+end
diff --git a/app/controllers/mission_control/jobs/application_controller.rb b/app/controllers/mission_control/jobs/application_controller.rb
@@ -9,18 +9,11 @@ class MissionControl::Jobs::ApplicationController < MissionControl::Jobs.base_co
   helper MissionControl::Jobs::ApplicationHelper unless self < MissionControl::Jobs::ApplicationHelper
   helper Importmap::ImportmapTagsHelper unless self < Importmap::ImportmapTagsHelper
 
+  include MissionControl::Jobs::BasicAuthentication
   include MissionControl::Jobs::ApplicationScoped, MissionControl::Jobs::NotFoundRedirections
   include MissionControl::Jobs::AdapterFeatures
 
-  before_action :http_auth
-
   private
-    def http_auth
-      name = MissionControl::Jobs.http_auth_user.presence
-      password = MissionControl::Jobs.http_auth_password.presence
-      http_basic_authenticate_or_request_with(name:, password:) if name && password
-    end
-
     def default_url_options
       { server_id: MissionControl::Jobs::Current.server }
     end

diff --git a/lib/mission_control/jobs.rb b/lib/mission_control/jobs.rb
@@ -26,8 +26,8 @@ module Jobs
 
     mattr_accessor :importmap, default: Importmap::Map.new
 
-    mattr_accessor :http_auth_user
-    mattr_accessor :http_auth_password
-    mattr_accessor :http_auth_enabled, default: true
+    mattr_accessor :http_basic_auth_user
+    mattr_accessor :http_basic_auth_password
+    mattr_accessor :http_basic_auth_enabled, default: true
   end
 end
diff --git a/lib/mission_control/jobs/engine.rb b/lib/mission_control/jobs/engine.rb
@@ -30,9 +30,9 @@ class Engine < ::Rails::Engine
         end
       end
 
-      initializer "mission_control-jobs.http_auth" do |app|
-        config.mission_control.jobs.http_auth_user = app.credentials.dig(:mission_control, :http_auth_user),
-        config.mission_control.jobs.http_auth_password = app.credentials.dig(:mission_control, :http_auth_password)
+      initializer "mission_control-jobs.http_basic_auth" do |app|
+        config.mission_control.jobs.http_basic_auth_user = app.credentials.dig(:mission_control, :http_basic_auth_user),
+        config.mission_control.jobs.http_basic_auth_password = app.credentials.dig(:mission_control, :http_basic_auth_password)
       end
 
       initializer "mission_control-jobs.active_job.extensions" do

diff --git a/test/dummy/config/environments/test.rb b/test/dummy/config/environments/test.rb
@@ -51,6 +51,8 @@
 
   config.solid_queue.connects_to = { database: { writing: :queue } }
 
+  config.mission_control.jobs.http_basic_auth_enabled = false
+
   # Silence Solid Queue logging
   config.solid_queue.logger = ActiveSupport::Logger.new(nil)
 end
diff --git a/test/mission_control/jobs/basic_authentication_test.rb b/test/mission_control/jobs/basic_authentication_test.rb
@@ -0,0 +1,47 @@
+require "test_helper"
+
+class MissionControl::Jobs::BasicAuthenticationTest < ActionDispatch::IntegrationTest
+  test "unconfigured basic auth is closed" do
+    with_http_basic_auth do
+      get mission_control_jobs.application_queues_url(@application), headers: auth_headers("dev", "secret")
+      assert_response :unauthorized
+    end
+  end
+
+  test "fail to authenticate without credentials" do
+    with_http_basic_auth(user: "dev", password: "secret") do
+      get mission_control_jobs.application_queues_url(@application)
+      assert_response :unauthorized
+    end
+  end
+
+  test "fail to authenticate with wrong credentials" do
+    with_http_basic_auth(user: "dev", password: "secret") do
+      get mission_control_jobs.application_queues_url(@application), headers: auth_headers("dev", "wrong")
+      assert_response :unauthorized
+    end
+  end
+
+  test "authenticate with correct credentials" do
+    with_http_basic_auth(user: "dev", password: "secret") do
+      get mission_control_jobs.application_queues_url(@application), headers: auth_headers("dev", "secret")
+      assert_response :ok
+    end
+  end
+
+  private
+    def with_http_basic_auth(enabled: true, user: nil, password: nil)
+      previous_enabled, MissionControl::Jobs.http_basic_auth_enabled = MissionControl::Jobs.http_basic_auth_enabled, enabled
+      previous_user, MissionControl::Jobs.http_basic_auth_user = MissionControl::Jobs.http_basic_auth_user, user
+      previous_password, MissionControl::Jobs.http_basic_auth_password = MissionControl::Jobs.http_basic_auth_password, password
+      yield
+    ensure
+      MissionControl::Jobs.http_basic_auth_enabled = previous_enabled
+      MissionControl::Jobs.http_basic_auth_user = previous_user
+      MissionControl::Jobs.http_basic_auth_password = previous_password
+    end
+
+    def auth_headers(user, password)
+      { Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(user, password) }
+    end
+end