RubyGems - actionpack - Versions diffs - 4.2.10 → 7.2.0.rc1 - Mend

actionpack 4.2.10 → 7.2.0.rc1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (202) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +86 -600
data/MIT-LICENSE +1 -1
data/README.rdoc +13 -14
data/lib/abstract_controller/asset_paths.rb +5 -1
data/lib/abstract_controller/base.rb +166 -136
data/lib/abstract_controller/caching/fragments.rb +149 -0
data/lib/abstract_controller/caching.rb +68 -0
data/lib/abstract_controller/callbacks.rb +126 -57
data/lib/abstract_controller/collector.rb +13 -15
data/lib/abstract_controller/deprecator.rb +9 -0
data/lib/abstract_controller/error.rb +8 -0
data/lib/abstract_controller/helpers.rb +181 -132
data/lib/abstract_controller/logger.rb +5 -1
data/lib/abstract_controller/railties/routes_helpers.rb +10 -3
data/lib/abstract_controller/rendering.rb +56 -56
data/lib/abstract_controller/translation.rb +29 -15
data/lib/abstract_controller/url_for.rb +15 -11
data/lib/abstract_controller.rb +21 -5
data/lib/action_controller/api/api_rendering.rb +18 -0
data/lib/action_controller/api.rb +154 -0
data/lib/action_controller/base.rb +219 -155
data/lib/action_controller/caching.rb +28 -68
data/lib/action_controller/deprecator.rb +9 -0
data/lib/action_controller/form_builder.rb +55 -0
data/lib/action_controller/log_subscriber.rb +35 -22
data/lib/action_controller/metal/allow_browser.rb +119 -0
data/lib/action_controller/metal/basic_implicit_render.rb +17 -0
data/lib/action_controller/metal/conditional_get.rb +259 -122
data/lib/action_controller/metal/content_security_policy.rb +86 -0
data/lib/action_controller/metal/cookies.rb +9 -5
data/lib/action_controller/metal/data_streaming.rb +87 -104
data/lib/action_controller/metal/default_headers.rb +21 -0
data/lib/action_controller/metal/etag_with_flash.rb +22 -0
data/lib/action_controller/metal/etag_with_template_digest.rb +35 -26
data/lib/action_controller/metal/exceptions.rb +71 -24
data/lib/action_controller/metal/flash.rb +26 -19
data/lib/action_controller/metal/head.rb +45 -36
data/lib/action_controller/metal/helpers.rb +80 -64
data/lib/action_controller/metal/http_authentication.rb +297 -244
data/lib/action_controller/metal/implicit_render.rb +57 -9
data/lib/action_controller/metal/instrumentation.rb +76 -64
data/lib/action_controller/metal/live.rb +238 -176
data/lib/action_controller/metal/logging.rb +22 -0
data/lib/action_controller/metal/mime_responds.rb +177 -166
data/lib/action_controller/metal/parameter_encoding.rb +84 -0
data/lib/action_controller/metal/params_wrapper.rb +145 -118
data/lib/action_controller/metal/permissions_policy.rb +38 -0
data/lib/action_controller/metal/rate_limiting.rb +62 -0
data/lib/action_controller/metal/redirecting.rb +203 -64
data/lib/action_controller/metal/renderers.rb +108 -65
data/lib/action_controller/metal/rendering.rb +216 -56
data/lib/action_controller/metal/request_forgery_protection.rb +496 -163
data/lib/action_controller/metal/rescue.rb +19 -21
data/lib/action_controller/metal/streaming.rb +179 -138
data/lib/action_controller/metal/strong_parameters.rb +1058 -382
data/lib/action_controller/metal/testing.rb +11 -17
data/lib/action_controller/metal/url_for.rb +37 -21
data/lib/action_controller/metal.rb +236 -138
data/lib/action_controller/railtie.rb +89 -11
data/lib/action_controller/railties/helpers.rb +5 -1
data/lib/action_controller/renderer.rb +161 -0
data/lib/action_controller/template_assertions.rb +13 -0
data/lib/action_controller/test_case.rb +425 -497
data/lib/action_controller.rb +44 -22
data/lib/action_dispatch/constants.rb +34 -0
data/lib/action_dispatch/deprecator.rb +9 -0
data/lib/action_dispatch/http/cache.rb +119 -63
data/lib/action_dispatch/http/content_disposition.rb +47 -0
data/lib/action_dispatch/http/content_security_policy.rb +364 -0
data/lib/action_dispatch/http/filter_parameters.rb +36 -34
data/lib/action_dispatch/http/filter_redirect.rb +24 -12
data/lib/action_dispatch/http/headers.rb +66 -31
data/lib/action_dispatch/http/mime_negotiation.rb +106 -75
data/lib/action_dispatch/http/mime_type.rb +196 -136
data/lib/action_dispatch/http/mime_types.rb +25 -7
data/lib/action_dispatch/http/parameters.rb +97 -45
data/lib/action_dispatch/http/permissions_policy.rb +187 -0
data/lib/action_dispatch/http/rack_cache.rb +6 -0
data/lib/action_dispatch/http/request.rb +299 -170
data/lib/action_dispatch/http/response.rb +311 -160
data/lib/action_dispatch/http/upload.rb +52 -23
data/lib/action_dispatch/http/url.rb +201 -125
data/lib/action_dispatch/journey/formatter.rb +110 -50
data/lib/action_dispatch/journey/gtg/builder.rb +37 -50
data/lib/action_dispatch/journey/gtg/simulator.rb +20 -17
data/lib/action_dispatch/journey/gtg/transition_table.rb +96 -36
data/lib/action_dispatch/journey/nfa/dot.rb +5 -14
data/lib/action_dispatch/journey/nodes/node.rb +100 -20
data/lib/action_dispatch/journey/parser.rb +19 -17
data/lib/action_dispatch/journey/parser.y +4 -3
data/lib/action_dispatch/journey/parser_extras.rb +14 -4
data/lib/action_dispatch/journey/path/pattern.rb +79 -63
data/lib/action_dispatch/journey/route.rb +108 -44
data/lib/action_dispatch/journey/router/utils.rb +41 -29
data/lib/action_dispatch/journey/router.rb +64 -57
data/lib/action_dispatch/journey/routes.rb +23 -21
data/lib/action_dispatch/journey/scanner.rb +28 -17
data/lib/action_dispatch/journey/visitors.rb +100 -54
data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
data/lib/action_dispatch/journey.rb +7 -5
data/lib/action_dispatch/log_subscriber.rb +25 -0
data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
data/lib/action_dispatch/middleware/assume_ssl.rb +27 -0
data/lib/action_dispatch/middleware/callbacks.rb +7 -6
data/lib/action_dispatch/middleware/cookies.rb +471 -328
data/lib/action_dispatch/middleware/debug_exceptions.rb +149 -66
data/lib/action_dispatch/middleware/debug_locks.rb +129 -0
data/lib/action_dispatch/middleware/debug_view.rb +73 -0
data/lib/action_dispatch/middleware/exception_wrapper.rb +275 -73
data/lib/action_dispatch/middleware/executor.rb +32 -0
data/lib/action_dispatch/middleware/flash.rb +143 -101
data/lib/action_dispatch/middleware/host_authorization.rb +171 -0
data/lib/action_dispatch/middleware/public_exceptions.rb +36 -27
data/lib/action_dispatch/middleware/reloader.rb +10 -92
data/lib/action_dispatch/middleware/remote_ip.rb +133 -107
data/lib/action_dispatch/middleware/request_id.rb +29 -15
data/lib/action_dispatch/middleware/server_timing.rb +78 -0
data/lib/action_dispatch/middleware/session/abstract_store.rb +49 -27
data/lib/action_dispatch/middleware/session/cache_store.rb +33 -16
data/lib/action_dispatch/middleware/session/cookie_store.rb +86 -80
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +15 -3
data/lib/action_dispatch/middleware/show_exceptions.rb +66 -36
data/lib/action_dispatch/middleware/ssl.rb +134 -36
data/lib/action_dispatch/middleware/stack.rb +109 -44
data/lib/action_dispatch/middleware/static.rb +159 -90
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +7 -24
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +36 -0
data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +46 -36
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +12 -0
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +9 -0
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -7
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +16 -0
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +139 -15
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +23 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +6 -6
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +7 -7
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +9 -9
data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +7 -4
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +125 -93
data/lib/action_dispatch/railtie.rb +44 -16
data/lib/action_dispatch/request/session.rb +159 -69
data/lib/action_dispatch/request/utils.rb +97 -23
data/lib/action_dispatch/routing/endpoint.rb +11 -2
data/lib/action_dispatch/routing/inspector.rb +195 -106
data/lib/action_dispatch/routing/mapper.rb +1338 -955
data/lib/action_dispatch/routing/polymorphic_routes.rb +234 -201
data/lib/action_dispatch/routing/redirection.rb +78 -51
data/lib/action_dispatch/routing/route_set.rb +460 -374
data/lib/action_dispatch/routing/routes_proxy.rb +36 -12
data/lib/action_dispatch/routing/url_for.rb +172 -124
data/lib/action_dispatch/routing.rb +159 -158
data/lib/action_dispatch/system_test_case.rb +206 -0
data/lib/action_dispatch/system_testing/browser.rb +84 -0
data/lib/action_dispatch/system_testing/driver.rb +85 -0
data/lib/action_dispatch/system_testing/server.rb +33 -0
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +164 -0
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +23 -0
data/lib/action_dispatch/testing/assertion_response.rb +48 -0
data/lib/action_dispatch/testing/assertions/response.rb +71 -39
data/lib/action_dispatch/testing/assertions/routing.rb +228 -103
data/lib/action_dispatch/testing/assertions.rb +9 -6
data/lib/action_dispatch/testing/integration.rb +486 -306
data/lib/action_dispatch/testing/request_encoder.rb +60 -0
data/lib/action_dispatch/testing/test_helpers/page_dump_helper.rb +35 -0
data/lib/action_dispatch/testing/test_process.rb +35 -22
data/lib/action_dispatch/testing/test_request.rb +29 -34
data/lib/action_dispatch/testing/test_response.rb +48 -15
data/lib/action_dispatch.rb +82 -40
data/lib/action_pack/gem_version.rb +8 -4
data/lib/action_pack/version.rb +6 -2
data/lib/action_pack.rb +21 -18
metadata +146 -56
data/lib/action_controller/caching/fragments.rb +0 -103
data/lib/action_controller/metal/force_ssl.rb +0 -97
data/lib/action_controller/metal/hide_actions.rb +0 -40
data/lib/action_controller/metal/rack_delegation.rb +0 -32
data/lib/action_controller/middleware.rb +0 -39
data/lib/action_controller/model_naming.rb +0 -12
data/lib/action_dispatch/http/parameter_filter.rb +0 -72
data/lib/action_dispatch/journey/backwards.rb +0 -5
data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
data/lib/action_dispatch/journey/router/strexp.rb +0 -27
data/lib/action_dispatch/middleware/params_parser.rb +0 -60
data/lib/action_dispatch/middleware/templates/rescues/_source.erb +0 -27
data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
data/lib/action_dispatch/testing/assertions/tag.rb +0 -3

data/lib/action_dispatch/middleware/ssl.rb CHANGED Viewed

@@ -1,72 +1,170 @@
+# frozen_string_literal: true
+# :markup: markdown
 module ActionDispatch
+  # # Action Dispatch SSL
+  #
+  # This middleware is added to the stack when `config.force_ssl = true`, and is
+  # passed the options set in `config.ssl_options`. It does three jobs to enforce
+  # secure HTTP requests:
+  #
+  # 1.  **TLS redirect**: Permanently redirects `http://` requests to `https://`
+  #     with the same URL host, path, etc. Enabled by default. Set
+  #     `config.ssl_options` to modify the destination URL (e.g. `redirect: {
+  #     host: "secure.widgets.com", port: 8080 }`), or set `redirect: false` to
+  #     disable this feature.
+  #
+  #     Requests can opt-out of redirection with `exclude`:
+  #
+  #         config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
+  #
+  #     Cookies will not be flagged as secure for excluded requests.
+  #
+  # 2.  **Secure cookies**: Sets the `secure` flag on cookies to tell browsers
+  #     they must not be sent along with `http://` requests. Enabled by default.
+  #     Set `config.ssl_options` with `secure_cookies: false` to disable this
+  #     feature.
+  #
+  # 3.  **HTTP Strict Transport Security (HSTS)**: Tells the browser to remember
+  #     this site as TLS-only and automatically redirect non-TLS requests. Enabled
+  #     by default. Configure `config.ssl_options` with `hsts: false` to disable.
+  #
+  #     Set `config.ssl_options` with `hsts: { ... }` to configure HSTS:
+  #
+  #     *   `expires`: How long, in seconds, these settings will stick. The
+  #         minimum required to qualify for browser preload lists is 1 year.
+  #         Defaults to 2 years (recommended).
+  #
+  #     *   `subdomains`: Set to `true` to tell the browser to apply these
+  #         settings to all subdomains. This protects your cookies from
+  #         interception by a vulnerable site on a subdomain. Defaults to `true`.
+  #
+  #     *   `preload`: Advertise that this site may be included in browsers'
+  #         preloaded HSTS lists. HSTS protects your site on every visit *except
+  #         the first visit* since it hasn't seen your HSTS header yet. To close
+  #         this gap, browser vendors include a baked-in list of HSTS-enabled
+  #         sites. Go to https://hstspreload.org to submit your site for
+  #         inclusion. Defaults to `false`.
+  #
+  #
+  #     To turn off HSTS, omitting the header is not enough. Browsers will
+  #     remember the original HSTS directive until it expires. Instead, use the
+  #     header to tell browsers to expire HSTS immediately. Setting `hsts: false`
+  #     is a shortcut for `hsts: { expires: 0 }`.
+  #
   class SSL
-    YEAR = 31536000
+    # :stopdoc: Default to 2 years as recommended on hstspreload.org.
+    HSTS_EXPIRES_IN = 63072000
+    PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
     def self.default_hsts_options
-      { :expires => YEAR, :subdomains => false }
+      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
     end
-    def initialize(app, options = {})
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, ssl_default_redirect_status: nil)
       @app = app
-      @hsts = options.fetch(:hsts, {})
-      @hsts = {} if @hsts == true
-      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+      @redirect = redirect
+      @exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
+      @secure_cookies = secure_cookies
-      @host    = options[:host]
-      @port    = options[:port]
+      @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
+      @ssl_default_redirect_status = ssl_default_redirect_status
     end
     def call(env)
-      request = Request.new(env)
+      request = Request.new env
       if request.ssl?
-        status, headers, body = @app.call(env)
-        headers.reverse_merge!(hsts_headers)
-        flag_cookies_as_secure!(headers)
-        [status, headers, body]
+        @app.call(env).tap do |status, headers, body|
+          set_hsts_header! headers
+          flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
+        end
       else
-        redirect_to_https(request)
+        return redirect_to_https request unless @exclude.call(request)
+        @app.call(env)
       end
     end
     private
-      def redirect_to_https(request)
-        host = @host || request.host
-        port = @port || request.port
-        location = "https://#{host}"
-        location << ":#{port}" if port != 80
-        location << request.fullpath
-        headers = { 'Content-Type' => 'text/html', 'Location' => location }
-        [301, headers, []]
+      def set_hsts_header!(headers)
+        headers[Constants::STRICT_TRANSPORT_SECURITY] ||= @hsts_header
       end
-      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
-      def hsts_headers
-        if @hsts
-          value = "max-age=#{@hsts[:expires].to_i}"
-          value += "; includeSubDomains" if @hsts[:subdomains]
-          { 'Strict-Transport-Security' => value }
+      def normalize_hsts_options(options)
+        case options
+        # Explicitly disabling HSTS clears the existing setting from browsers by setting
+        # expiry to 0.
+        when false
+          self.class.default_hsts_options.merge(expires: 0)
+        # Default to enabled, with default options.
+        when nil, true
+          self.class.default_hsts_options
         else
-          {}
+          self.class.default_hsts_options.merge(options)
         end
       end
+      # https://tools.ietf.org/html/rfc6797#section-6.1
+      def build_hsts_header(hsts)
+        value = +"max-age=#{hsts[:expires].to_i}"
+        value << "; includeSubDomains" if hsts[:subdomains]
+        value << "; preload" if hsts[:preload]
+        value
+      end
       def flag_cookies_as_secure!(headers)
-        if cookies = headers['Set-Cookie']
-          cookies = cookies.split("\n")
+        cookies = headers[Rack::SET_COOKIE]
+        return unless cookies
-          headers['Set-Cookie'] = cookies.map { |cookie|
-            if cookie !~ /;\s*secure\s*(;|$)/i
+        if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+          cookies = cookies.split("\n")
+          headers[Rack::SET_COOKIE] = cookies.map { |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
               "#{cookie}; secure"
             else
               cookie
             end
           }.join("\n")
+        else
+          headers[Rack::SET_COOKIE] = Array(cookies).map do |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          end
         end
       end
+      def redirect_to_https(request)
+        [ @redirect.fetch(:status, redirection_status(request)),
+          { Rack::CONTENT_TYPE => "text/html; charset=utf-8",
+            Constants::LOCATION => https_location_for(request) },
+          (@redirect[:body] || []) ]
+      end
+      def redirection_status(request)
+        if PERMANENT_REDIRECT_REQUEST_METHODS.include?(request.raw_request_method)
+          301 # Issue a permanent redirect via a GET request.
+        elsif @ssl_default_redirect_status
+          @ssl_default_redirect_status
+        else
+          307 # Issue a fresh request redirect to preserve the HTTP method.
+        end
+      end
+      def https_location_for(request)
+        host = @redirect[:host] || request.host
+        port = @redirect[:port] || request.port
+        location = +"https://#{host}"
+        location << ":#{port}" if port != 80 && port != 443
+        location << request.fullpath
+        location
+      end
   end
 end

data/lib/action_dispatch/middleware/stack.rb CHANGED Viewed

@@ -1,52 +1,71 @@
+# frozen_string_literal: true
+# :markup: markdown
 require "active_support/inflector/methods"
 require "active_support/dependencies"
 module ActionDispatch
+  # # Action Dispatch MiddlewareStack
+  #
+  # Read more about [Rails middleware
+  # stack](https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack)
+  # in the guides.
   class MiddlewareStack
     class Middleware
-      attr_reader :args, :block, :name, :classcache
-      def initialize(klass_or_name, *args, &block)
-        @klass = nil
-        if klass_or_name.respond_to?(:name)
-          @klass = klass_or_name
-          @name  = @klass.name
-        else
-          @name  = klass_or_name.to_s
-        end
+      attr_reader :args, :block, :klass
-        @classcache = ActiveSupport::Dependencies::Reference
-        @args, @block = args, block
+      def initialize(klass, args, block)
+        @klass = klass
+        @args  = args
+        @block = block
       end
-      def klass
-        @klass || classcache[@name]
-      end
+      def name; klass.name; end
       def ==(middleware)
         case middleware
         when Middleware
           klass == middleware.klass
-        when Class
+        when Module
           klass == middleware
-        else
-          normalize(@name) == normalize(middleware)
         end
       end
       def inspect
-        klass.to_s
+        if klass.is_a?(Module)
+          klass.to_s
+        else
+          klass.class.to_s
+        end
       end
       def build(app)
         klass.new(app, *args, &block)
       end
-    private
+      def build_instrumented(app)
+        InstrumentationProxy.new(build(app), inspect)
+      end
+    end
+    # This class is used to instrument the execution of a single middleware. It
+    # proxies the `call` method transparently and instruments the method call.
+    class InstrumentationProxy
+      EVENT_NAME = "process_middleware.action_dispatch"
+      def initialize(middleware, class_name)
+        @middleware = middleware
-      def normalize(object)
-        object.to_s.strip.sub(/^::/, '')
+        @payload = {
+          middleware: class_name,
+        }
+      end
+      def call(env)
+        ActiveSupport::Notifications.instrument(EVENT_NAME, @payload) do
+          @middleware.call(env)
+        end
       end
     end
@@ -59,8 +78,8 @@ module ActionDispatch
       yield(self) if block_given?
     end
-    def each
-      @middlewares.each { |x| yield x }
+    def each(&block)
+      @middlewares.each(&block)
     end
     def size
@@ -75,20 +94,20 @@ module ActionDispatch
       middlewares[i]
     end
-    def unshift(*args, &block)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.unshift(middleware)
+    def unshift(klass, *args, &block)
+      middlewares.unshift(build_middleware(klass, args, block))
     end
+    ruby2_keywords(:unshift)
     def initialize_copy(other)
       self.middlewares = other.middlewares.dup
     end
-    def insert(index, *args, &block)
+    def insert(index, klass, *args, &block)
       index = assert_index(index, :before)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.insert(index, middleware)
+      middlewares.insert(index, build_middleware(klass, args, block))
     end
+    ruby2_keywords(:insert)
     alias_method :insert_before, :insert
@@ -96,34 +115,80 @@ module ActionDispatch
       index = assert_index(index, :after)
       insert(index + 1, *args, &block)
     end
+    ruby2_keywords(:insert_after)
     def swap(target, *args, &block)
       index = assert_index(target, :before)
       insert(index, *args, &block)
       middlewares.delete_at(index + 1)
     end
+    ruby2_keywords(:swap)
+    # Deletes a middleware from the middleware stack.
+    #
+    # Returns the array of middlewares not including the deleted item, or returns
+    # nil if the target is not found.
     def delete(target)
-      middlewares.delete target
+      middlewares.reject! { |m| m.name == target.name }
     end
-    def use(*args, &block)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.push(middleware)
+    # Deletes a middleware from the middleware stack.
+    #
+    # Returns the array of middlewares not including the deleted item, or raises
+    # `RuntimeError` if the target is not found.
+    def delete!(target)
+      delete(target) || (raise "No such middleware to remove: #{target.inspect}")
     end
-    def build(app = nil, &block)
-      app ||= block
-      raise "MiddlewareStack#build requires an app" unless app
-      middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
+    def move(target, source)
+      source_index = assert_index(source, :before)
+      source_middleware = middlewares.delete_at(source_index)
+      target_index = assert_index(target, :before)
+      middlewares.insert(target_index, source_middleware)
     end
-  protected
+    alias_method :move_before, :move
+    def move_after(target, source)
+      source_index = assert_index(source, :after)
+      source_middleware = middlewares.delete_at(source_index)
-    def assert_index(index, where)
-      i = index.is_a?(Integer) ? index : middlewares.index(index)
-      raise "No such middleware to insert #{where}: #{index.inspect}" unless i
-      i
+      target_index = assert_index(target, :after)
+      middlewares.insert(target_index + 1, source_middleware)
+    end
+    def use(klass, *args, &block)
+      middlewares.push(build_middleware(klass, args, block))
+    end
+    ruby2_keywords(:use)
+    def build(app = nil, &block)
+      instrumenting = ActiveSupport::Notifications.notifier.listening?(InstrumentationProxy::EVENT_NAME)
+      middlewares.freeze.reverse.inject(app || block) do |a, e|
+        if instrumenting
+          e.build_instrumented(a)
+        else
+          e.build(a)
+        end
+      end
     end
+    private
+      def assert_index(index, where)
+        i = index.is_a?(Integer) ? index : index_of(index)
+        raise "No such middleware to insert #{where}: #{index.inspect}" unless i
+        i
+      end
+      def build_middleware(klass, args, block)
+        Middleware.new(klass, args, block)
+      end
+      def index_of(klass)
+        middlewares.index do |m|
+          m.name == klass.name
+        end
+      end
   end
 end