Gatekeeper

Gatekeeper can connect any Rack-compatible application to a Hot Ink SSO server. It allows you to easily verify the identity of a user against Hot Ink’s user information database. It makes some basic information about the user available to your application.

Gatekeeper is largely a rewrite of Hancock-Client (github.com/atmos/hancock-client). The functionality is different but the spirit is the same.

Installation

This is the easy part.

gem install gatekeeper --source http://gemcutter.org

Using Gatekeeper

Gatekeeper is implemented in Sinatra, but it can authenticate any Rack-based application. That could be Rails, Sinatra, Rack whatever. You’ll be surprised how easy it is.

Simply add the following into your Rack stack, by simply placing it directly into your Sinatra app as middleware, or if you’re building a Rack app, add it to your stack in config.ru:

use Rack::Session::Cookie
use Gatekeeper::Middleware do |sso|
  sso.sso_url = "http://your_sso_server.net/sso"
end

Be sure to use the session middleware when building a Rack app, or to enable :sessions when using Sinatra. Gatekeeper relies on sessions to store authentication information. Also be sure to include the correct SSO server URL.

With Rails

When using Gatekeeper with Rails, you should create a ‘metal’ Sinatra app to keep it in, then implement it as show above. It’s pretty easy, just run script/generate metal sso. Inside, you should have:

require(File.dirname(__FILE__) + "/../../config/environment") unless defined?(Rails)
require 'sinatra/base'
require 'logger'

class Sso < Sinatra::Base
  use Gatekeeper::Middleware do |sso|
    sso.sso_url = "http://your_sso_server.net/sso"
  end
end

When using Rails, you should be sure not to enable sessions in your Sinatra metal. Rails takes care of the session. If you re-enable, you’ll overwrite what Rails has already found and your authentication will not work

In your app

Gatekeeper puts the received user details in a hash accessible using session. Things are a little more convenient using the helpers. To do that, simply include Gatekeeper::Helpers::Authentication in your app. You can then use the following methods:

  • current_user

    Will return nil or the current user’s id, depending on whether or not the user is logged in.

  • is_admin?

    Is this user a Hot Ink admin? You may have some tasks that only admin users can do.

  • is_manager_of?(hotink_account_id)

    Will return true if the user is a manager of the account who’s id you passed in.

Your app can use a simple require_user method as a before filter to ensure that users are logged in, the most basic of which could look like this:

def require_user
 unless current_user
   redirect_to "/sso/login?return_to=#{request.request_uri}"
   false # if you're using this as a Rails before filter, return false 
 end
end

Note on Patches/Pull Requests

  • Fork the project.

  • Make your feature addition or bug fix.

  • Add specs for it. This is important so I don’t break it in a future version unintentionally.

  • Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)

  • Send me a pull request. Bonus points for topic branches.

Copyright © 2010 Chris Dinn. See LICENSE for details.