-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restore TRUSTED_PROXIES
behavior for Rails 5
#1690
Conversation
e5977d3
to
4ab00bf
Compare
TRUSTED_PROXIES
behavior for Rails 5TRUSTED_PROXIES
behavior for Rails 5
b513144
to
8fe3269
Compare
lib/conjur/trusted_proxy_filter.rb
Outdated
|
||
def env_trusted_proxies | ||
@env['TRUSTED_PROXIES'] | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'd just inline this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah... I wish there was a better way to configure code climate for this. Inlining was my default, but code climate didn't like that "@env['TRUSTED_PROXIES']
is called twice."
I'll inline again and add the exception comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me although I'd still like to move unit testing the object directly for the matrix tests, per our previous convo. Were you planning to do that in a different PR?
It's not a blocker though since these tests are still readable and straightforward. Though I really don't like the rspec convention whereby a function call with 3 parameters becomes 3 let
statements followed by an include_examples
to "call the function". May not be worth the effort of changing. Wdyt?
I'm torn on this. On one hand, I agree that the layers of unit tests would be the more proper way to do this. On the other hand, I do still have concerns about the fidelity of the tests, considering how mutable the ActiveDispatch::Request is as it passes through the Rack/Rails pipeline. I really do want the subject of these tests to be that request pipeline, rather than only the I am willing to explore that refactor, but I do think that's better suited as a follow up PR. The ROI at this moment of that refactor seems low compared to the ROI of finishing the client IP sourcing document (which depends on this regression fix) on these points: A) These tests do clearly communicate what the expected outcomes are for the inputs we care about. I created the issue here: #1696. If there is an epic for the overall spec refactor you discussed during our team meeting Wednesday. I think this would be very appropriate in that epic.
I agree with you, and I'd like to hear your suggestions for how to do it better.
What do you think? Do any of those stand out as a clear improvement over the current code? Do you have any other suggestions I haven't considered yet? |
@micahlee: Are you planning on covering the use |
I'm not sure if this PR is where you want this discussion, rather than on the dap-wiki PR, but the existing draft includes this as a reference discussion. Jason's PR includes this in a tutorial/guide format (although I now see he's removed Conjur OSS from his doc). It would be helpful to know more specifically what gaps there are that need to be filled for allowing this to be officially documented. You can see my current "to do" list on the PR description here. If Jason does not intend to cover OSS configuration of |
@micahlee: Actually, I forgot that @jvanderhoof was already working on this PR: https://github.com/cyberark/dap-wiki/pull/87. Maybe that could serve to document this feature. Could you take a look? |
|
d617e05
to
9a932e9
Compare
@jonahx , this is still ready for your re-review when you're able. I added one more fixup commit today to re-used a shared method to create the test access token that I added in #1698 I've left the fixups as separate commits to make the updates easier to review. Once you've had a chance to look at them, I'll squash them back down. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's add a note at the top of the test file to the effect of your comments here:
6ba43db
to
ecf75b9
Compare
for Rails 5. This replaces the implementation previously provided by the `conjur-rack` gem. This commit also adds rspec tests that verify the expected `request.ip` with the given scenarios for `REMOTE_ADDR`, `TRUSTED_PROXIES`, and `X-Forwarded-For`.
ecf75b9
to
e115374
Compare
Code Climate has analyzed commit e115374 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 86.2% (0.1% change). View more on Code Climate. |
What does this PR do?
This PR re-implements the
TRUSTED_PROXIES
Rack IP filter for Rails 5. This replaces the implementation previously provided by theconjur-rack
gem for Rails 4.This PR also adds rspec tests that verify the expected
request.ip
with the given scenarios forREMOTE_ADDR
,TRUSTED_PROXIES
, andX-Forwarded-For
.What ticket does this PR close?
Connected to #1689
Checklists
Change log
Test coverage
Documentation
README
s) were updated in this PR, and/or there is a follow-on issue to update docs, orTODO:
request.ip
behaviorconjur-rack
fortrusted_proxy?
Issue: Remove
Rack:Request#trusted_proxy?
monkey patch conjur-rack#21