RACK / SSO - Meetupfiles.meetup.com/437842/svrug-november-2009.pdfRACK / SSO and a little bit about...

RACK / SSOand a little bit about the Bundler

Tuesday, December 1, 2009

hello hello

COREY DONOHOE@atmos / atmos@atmos.org

i’m a software developer and open source participant for a number of yearsthis is me in hawaii last month with a much more awesome beard

ENGINE YARDTuesday, December 1, 2009

i’ve been at engineyard for 2.5 yearsdid support for the first year, now doing internal developmentwe do a lot of microapps

HANCOCK

will smith was not involved in the creation of this project

like your john hancocknot for everyone but i’m hoping to keep it ongoing as a working example

RACKTuesday, December 1, 2009

it’s what everyone is using now, rails, merb, sinatra, ramazerealizing the power of rack helped me really embrace the simplicity of sinatra

SINATRA IS AWESOME

2009 has mainly been sinatra and datamapper for usthere’s still 2 merb apps we maintain, one of them is our SSO provider

GIT://GITHUB.COM/ATMOS/HANCOCK.GIT

SINGLE SIGN ON

TRADITIONAL OPENID

user agent == browserconsumer == app using openid to authenticate clientsprovider == openid provider the consumer talks to

TRADITIONAL OPENID

no more specifying who you areno more consumer <-> provider identity negotiationno more choosing of profiles on the server

HANCOCK NEGOTIATION

by cutting those out there’s fewer redirectsmuch easier to see what portions of the openid spec are usedstill conforms to the spec so it should be easily accessible from any language

# ~/p/hancock/bin/shotgun -p PORT config.rurequire 'hancock'

DataMapper.setup(:default, "sqlite3://#{File.dirname(__FILE__)}/development.rb")DataMapper.auto_migrate!

Hancock::Consumer.create(:url => 'http://localhost:3000/sso/login', :label => 'Rails Dev', :internal => false)Hancock::Consumer.create(:url => 'http://localhost:9292/sso/login', :label => 'Rack Fans', :internal => false)Hancock::Consumer.create(:url => 'http://localhost:9393/sso/login', :label => 'Shotgun Fans', :internal => false)

class Dragon < Hancock::App get '/' do redirect '/sso/login' unless session['hancock_server_user_id'] erb "<h2>Hello <%= session_user.name %><!-- <%= session.inspect %>" endendrun Dragon

run Hancock::App

example rackup file

HANCOCK-CLIENT

there’s a client middleware for consumersmicroapps are great for spikes that can expose business valuewith something like this we can spin up microapps quickly

require File.join(File.dirname(__FILE__), 'boot')

Rails::Initializer.run do |config| config.gem 'hancock', :lib => 'hancock'

config.middleware.use Hancock::Client::Middleware do |sso| sso.sso_url = 'http://localhost:20000' end # all your other normal stuffend

hancock-client-rails

middleware like this works in rails too in versions > 2.3.xyou can either use the use keyword or the the generators for rails metal

UNDER THE HOODTuesday, December 1, 2009

it’s what everyone is using now, rails, merb, sinatra, ramazerealizing the power of rack helped me really embrace the simplicity of sinatra

HTTP://GITHUB.COM/

specific middlewareuse invokes initialize methodit can take a block

use in Sinatra

initialize arity for usefirst parameter is the middleware constantinitializing with a block can do cool things.

#!/usr/bin/env rackup

use EY::SSO do |sso| sso.only_staff!enduse EY::ContactManager

use in Rails

require File.join(File.dirname(__FILE__), 'boot')

Rails::Initializer.run do |config| config.gem 'hancock', :lib => 'hancock'

config.middleware.use Hancock::Client::Middleware do |sso| sso.sso_url = 'http://localhost:20000' end # all your other normal stuffend

config.middleware.use

# Allow the metal piece to run in isolationrequire(File.dirname(__FILE__) + "/../../config/environment") unless defined?(Rails)require 'hancock-client'

class Sso < Hancock::Client::Default disable :raise_errors set :sso_url, 'http://hancock.atmos.org/sso'end

script/generate metal sso

works fine for inheriting from Sinatra::Defaultso you can write sinatra in rails if you want :)

map is a way to ‘mount’ applicationswe use it for everyday kinds of things

helpers do def url(path) request.script_name + path endend

#!/usr/bin/env rackup

require File.dirname(__FILE__) + '/lib/setup'require 'gateway/app'require 'migration/app'

use Rack::Static, :urls => ["/css", "/img", "/js"], :root => "public"

map "/gateway/" do use EY::SSO run Gateway::Append

map "/migration/" do use Rack::ShowExceptions if ENV["RACK_ENV"] == "production" use EY::SSO do |sso| sso.only_staff! end end run Migration::Append

map "/" do app = lambda do |env| [404, {"Content-Type" => "text/plain", "Content-Length" => "9"}, ["Not found"]] end run append

two separate apps, Migration::App and Gateway::App working fine together on subdir mappings

PROBLEMS

http://www.flickr.com/photos/northover/3022796561/

FRAGILE

most fragile point is our integration with our CRM system, salesforcewe have datamapper models but keeping things in sync proves to be crazywe use hoptoad and are diligent about resolving any exceptions we receive

CONFUSING

usability and accessibility can easily be neglected, users get confusednot being able to get every system on to something centralized leads to more confusionif you’re going to go this route spend a chunk of time on the UX

TESTING

how does SSO really behave today, will it behave that way tomorrow?providing a decent client API makes it easy to test, provide mocks instead of vice versamake it trivial to test so people actually do, cuts down on support

ADAPTERS MAKE IT EASY

adapters allow us to pick the backend we want to test at any timewe don’t write tests to do a full integration test, we just flip a switch to turn on a different adapterthis allows us to iterate quickly on in memory mocks and run everything when the feature works

SECURITY

sessions are cookie sessions, so they’re difficult to expire on consumersthere is https, the consumer whitelist allows and communicates over https :)single sign out sucks because it requires a shared domain cookie

YAY, COOKIE SESSIONS

THE BUNDLERTuesday, December 1, 2009

how to deploy your new baby and ensure it’ll play well with othersthis is how we manage lots of apps dependencies in a repeatable mannerthink merb’s bundling that actually works.

THE BUNDLERTuesday, December 1, 2009

people can and will do crazy shit with rubygems.it’s available on github under the wycats usercarl lerche has done a tremendous job keeping all of the insanity in order

DEPLOYING AN APP

gem 'rack_hoptoad', '>=0.0.3'gem 'sinatra', '~>0.9.4', :require_as => 'sinatra/base'gem 'rest-client', :require_as => 'rest_client'gem 'json'gem 'dm-core'gem 'dm-validations'gem 'do_sqlite3'

only :test do gem 'rake' gem 'rspec', :require_as => %w(spec) gem 'rcov' gem 'bundler', '>=0.5.0' gem 'cucumber' gem 'webrat', '~>0.5.0' gem 'rack-test', '~>0.5.0', :require_as => 'rack/test' gem 'fakeweb', '>=1.2.5' gem 'ParseTree', '>=3.0.4', :require_as => 'parse_tree' gem 'randexp', '>=0.1.4'end

disable_system_gems

# vim:ft=ruby

specify the gems you need required at runtime in a global scopeall of your normal gem version hacks work as expectedawkward requires can be handled easily as an array or single string

BIN_PATH

gem 'sinatra', '~>0.9.0', :require_as => [ ]gem 'haml', '~>2.2.0', :require_as => [ ]gem 'do_sqlite3', '~>0.9.12', :require_as => [ ]gem 'dm-validations', '~>0.9.11', :require_as => [ ]gem 'dm-timestamps', '~>0.9.11', :require_as => [ ]gem 'dm-types', '~>0.9.11', :require_as => [ ]gem 'ruby-openid', '~>2.1.7', :require_as => [ ]gem 'guid', '~>0.1.1', :require_as => [ ]gem 'rack-contrib', '~>0.9.2', :require_as => [ ]gem 'json', :require_as => [ ]

only :test do gem 'rack-test', '~>0.5.0', :require_as => 'rack/test' gem 'webrat', '~>0.5.0' gem 'rspec', '~>1.2.9', :require_as => 'spec' gem 'rake' gem 'rcov' gem 'cucumber' gem 'dm-aggregates', '~>0.9.11' gem 'dm-sweatshop', '~>0.9.11' gem 'randexp' gem 'ParseTree', :require_as => 'parse_tree' gem 'bundler', '>=0.6.0'end

bin_path 'gbin'disable_system_gems

note the bin_path stuff, lots of gems distribute executables in bin, gbin stands for gem bindouble check how you’re bundling executables in your gems, you could easily overwrite your system rake.

DISABLE_SYSTEM_GEMS

turns out to be very useful as there won’t be any system gem conflictskeeps each application nice, local and repeatably deployed.

SPEC/SPEC_HELPER.RB

Bundler.require_env(:test)require File.join(File.dirname(__FILE__), '..', 'lib', 'myapp')require 'pp'

DataMapper.setup(:default, 'sqlite3://:memory:')DataMapper.auto_migrate!

Spec::Runner.configure do |config| config.include(Rack::Test::Methods) def app MyApp.app endend

explicitly call Bundler.require_env(:test) to include that ‘only’ block from beforerequire your application and all is well.

CONFIG.RU

Bundler.require_envrequire File.expand_path(File.join(File.dirname(__FILE__), 'lib', 'my_app'))

DataMapper.setup(:default, 'sqlite3://:memory:')DataMapper.auto_migrate!

run MyApp.app

using Bundler.require_env sets you up perfectlyit runs fine under passengerother executables should be used from the bin_path directorytring

DEPLOYING A GEM

specify the gems you need required at runtime in a global scope but don’t require themyour application code should require them and cause bad deployments.

YOUR RAKE FILE

require 'rake/gempackagetask'require 'rubygems/specification'require 'date'require 'bundler'

spec = Gem::Specification.new do |s| ...

manifest = Bundler::Environment.load(File.dirname(__FILE__) + '/Gemfile') manifest.dependencies.each do |d| next if d.only && d.only.include?('test') s.add_dependency(d.name, d.version) endend

you can require the bundler and use your manifest file to gem dependenciesthis way you only maintain it in one spotyou could also do development dependencies if you’d like

IDENTITY

http://www.flickr.com/photos/dullhunk/3953605716/

lots of other realms of identity involved to really get it all right.

IDENTITY

http://www.flickr.com/photos/dullhunk/3953605716/

security + authentication + information

IDENTITY

http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/

a slightly updated version uses oauth, we do a similar thing with the oauth provider.our next wave is to take advantage of

THANKS SO MUCH!

QUESTIONS?

COMMENTS?

RACK / SSO - Meetupfiles.meetup.com/437842/svrug-november-2009.pdfRACK / SSO and a little bit about...

Documents

O365/Outlook Integration with SSO - view.zendesk.com · O365/Outlook Integration with SSO FAQs Can we utilize SSO without the O365/Outlook integration and vice versa? • SSO and

SSO Configer Multi

Nfs With Sso

Single Sign-On Instructions (SSO) - State of · PDF fileSingle Sign-On Instructions (SSO) Registration for the SSO Step 1: Registration to Single Sign-On (SSO) Skip this section if

Design Considerations for Integrated Features · DesignConsiderationsforIntegratedFeatures •SingleSign-On(SSO)Considerations,onpage1 Single Sign-On (SSO)Considerations TheSingleSign-on(SSO

Shibboleth SSO & Drupal

Informe Bodega sso

SonicWall™ SSO API · 2020. 9. 24. · SSO API Reference Guide SSO Overview 1 3 SSO Overview This document specifies the external application program interface (API) for third party

Tririga sso

AppScaler SSO Active Directory GuideAppScaler SSO Active Directory Guide Add one SSO Profile for AAA Server To add one SSO Profile for AAA Server: Login webUI navigate to SLB -> Profiles

ARKANSAS SSO Procedures Manualardot.gov/public_transportation/Arkansas SSO Procedures Manual 4-… · ARKANSAS SSO PROCEDURES MANUAL. Adopted: April 19, 2018 . DOCUMENT PURPOSE This

Sso Admin Enu

SSO FileNet Sg247675

Generic SSO

Single Sign-On (SSO) Single Sign-On (SSO) Strong Authentication

Ssl Sso Check

Gestion Sso

SSO Case Study

What is SSO?

K8s rbac-sso