RubyGems - dwaite-cookiejar - Versions diffs - 0.1.3 → 0.2.0 - Mend

dwaite-cookiejar 0.1.3 → 0.2.0

Files changed (9) hide show

data/lib/cookiejar.rb +0 -1
data/lib/cookiejar/cookie.rb +52 -225
data/lib/cookiejar/cookie_validation.rb +271 -0
data/lib/cookiejar/jar.rb +120 -57
data/test/cookie_test.rb +23 -223
data/test/cookie_validation_test.rb +235 -0
data/test/jar_test.rb +89 -4
metadata +6 -4
data/lib/cookiejar/cookie_common.rb +0 -14

data/lib/cookiejar.rb CHANGED Viewed

@@ -1,3 +1,2 @@
-require 'cookiejar/cookie_common'
 require 'cookiejar/cookie'
 require 'cookiejar/jar'

data/lib/cookiejar/cookie.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 require 'time'
 require 'uri'
-require 'cookiejar/cookie_common'
+require 'cookiejar/cookie_validation'
 module CookieJar
@@ -10,28 +10,6 @@ module CookieJar
   # Specifically, the 'domain' and 'path' values may be set to defaults
   # based on the requested resource that resulted in the cookie being set.
   class Cookie
-    module PATTERN
-      include URI::REGEXP::PATTERN
-      TOKEN = '[^(),\/<>@;:\\\"\[\]?={}\s]*'
-      VALUE1 = "([^;]*)"
-      IPADDR = "#{IPV4ADDR}|#{IPV6ADDR}"
-      BASE_HOSTNAME = "(?:#{DOMLABEL}\\.)(?:((?:(?:#{DOMLABEL}\\.)+(?:#{TOPLABEL}\\.?))|local))"
-      # QUOTED_PAIR = "\\\\[\\x00-\\x7F]"
-      # LWS = "\\r\\n(?:[ \\t]+)"
-      # TEXT="[\\t\\x20-\\x7E\\x80-\\xFF]|(?:#{LWS})"
-      # QDTEXT="[\\t\\x20-\\x21\\x23-\\x7E\\x80-\\xFF]|(?:#{LWS})"
-      # QUOTED_TEXT = "\\\"((?:#{QDTEXT}|#{QUOTED_PAIR})*)\\\""
-      # VALUE2 = "(#{TOKEN})|#{QUOTED_TEXT}"
-    end
-    BASE_HOSTNAME = /#{PATTERN::BASE_HOSTNAME}/
-    BASE_PATH = /\A((?:[^\/?#]*\/)*)/
-    IPADDR = /\A#{PATTERN::IPADDR}\Z/
-    # HDN = /\A#{PATTERN::HOSTNAME}\Z/
-    # TOKEN = /\A#{PATTERN::TOKEN}\Z/
-    # TWO_DOT_DOMAINS = /\A\.(com|edu|net|mil|gov|int|org)\Z/
     # The mandatory name and value of the cookie
     attr_reader :name, :value
@@ -74,111 +52,29 @@ module CookieJar
       end
     end
-    def expired?
+    def is_expired?
       expires_at != nil && Time.now > expires_at
     end
+    def is_session?
+      @expiry == nil
+    end
     # Create a cookie based on an absolute URI and the string value of a
     # 'Set-Cookie' header.
     def self.from_set_cookie request_uri, set_cookie_value
-      args = { }
-      params=set_cookie_value.split /;\s*/
-      params.each do |param|
-        result = PARAM1.match param
-        if !result
-          raise InvalidCookieError.new "Invalid cookie parameter in cookie '#{set_cookie_value}'"
-        end
-        key = result[1].downcase.to_sym
-        keyvalue = result[2]
-        case key
-        when :expires
-          args[:expires_at] = Time.parse keyvalue
-        when :domain
-          args[:domain] = keyvalue
-        when :path
-          args[:path] = keyvalue
-        when :secure
-          args[:secure] = true
-        when :httponly
-          args[:http_only] = true
-        else
-          args[:name] = result[1]
-          args[:value] = keyvalue
-        end
-      end
-      args[:domain] = determine_cookie_domain request_uri, args[:domain]
-      args[:path] = determine_cookie_path request_uri, args[:path]
-      args[:version] = 0
+      args = CookieJar::CookieValidation.parse_set_cookie set_cookie_value
+      args[:domain] = CookieJar::CookieValidation.determine_cookie_domain request_uri, args[:domain]
+      args[:path] = CookieJar::CookieValidation.determine_cookie_path request_uri, args[:path]
       cookie = Cookie.new args
-      validate_cookie request_uri, cookie
+      CookieJar::CookieValidation.validate_cookie request_uri, cookie
       cookie
     end
     def to_s
-      %^"#{name}=#{value}#{if domain then "; domain=#{domain}" end}#{if expiry then "; expiry=#{expiry}" end}#{if path then "; path=#{path}" end}#{if secure then "; secure" end }#{if http_only then "; HTTPOnly" end}^
+      "#{name}=#{value}"
     end
-    # Check whether a cookie meets all of the rules to be created, based on
-    # its internal settings and the URI it came from.
-    #
-    # returns true on success, but will raise an InvalidCookieError on failure
-    # with an appropriate error message
-    def self.validate_cookie request_uri, cookie
-      uri = request_uri.is_a?(URI) ? request_uri : URI.parse(request_uri)
-      request_host = effective_host uri.host
-      request_path = uri.path
-      request_secure = (uri.scheme == 'https')
-      cookie_host = cookie.domain
-      cookie_path = cookie.path
-      errors = []
-      # From RFC 2965, Section 3.3.2 Rejecting Cookies
-      # A user agent rejects (SHALL NOT store its information) if the
-      # Version attribute is missing. Note that the legacy Set-Cookie
-      # directive will result in an implicit version 0.
-      unless cookie.version
-        errors << "Version missing"
-      end
-      # The value for the Path attribute is not a prefix of the request-URI
-      unless request_path.start_with? cookie_path
-        errors << "Path is not a prefix of the request uri path"
-      end
-      unless cookie_host =~ IPADDR || #is an IPv4 or IPv6 address
-        cookie_host =~ /.\../ || #contains an embedded dot
-        cookie_host == '.local' #is the domain cookie for local addresses
-        errors << "Domain format is illegal"
-      end
-      # The effective host name that derives from the request-host does
-      # not domain-match the Domain attribute.
-      #
-      # The request-host is a HDN (not IP address) and has the form HD,
-      # where D is the value of the Domain attribute, and H is a string
-      # that contains one or more dots.
-      effective_host = effective_host uri
-      unless domains_match effective_host, cookie_host
-        errors << "Domain is inappropriate based on request URI hostname"
-      end
-      # The Port attribute has a "port-list", and the request-port was
-      # not in the list.
-      unless cookie.ports.nil? || cookie.ports.length != 0
-        unless cookie.ports.find_index uri.port
-          errors << "Ports list does not contain request URI port"
-        end
-      end
-      raise InvalidCookieError.new errors unless errors.empty?
-      # Note: 'secure' is not explicitly defined as an SSL channel, and no
-      # test is defined around validity and the 'secure' attribute
-      true
-    end
     # Return true if (given a URI, a cookie object and other options) a cookie
     # should be sent to a host. Note that this currently ignores domain.
     #
@@ -190,127 +86,58 @@ module CookieJar
       path_match   = uri.path.start_with? @path
       secure_match = !(@secure && uri.scheme == 'http')
       script_match = !(script && @http_only)
-      expiry_match = !expired?
+      expiry_match = !is_expired?
       path_match && secure_match && script_match && expiry_match
     end
-    # Compute the base of a path.
-    def self.cookie_base_path path
-      path = path.is_a?(URI) ? path.path : path
-      BASE_PATH.match(path)[1]
-    end
-    # Processes cookie path data using the following rules:
-    # Paths are separated by '/' characters, and accepted values are truncated
-    # to the last '/' character. If no path is specified in the cookie, a path
-    # value will be taken from the request URI which was used for the site.
-    #
-    # Note that this will not attempt to detect a mismatch of the request uri domain
-    # and explicitly specified cookie path
-    def self.determine_cookie_path request_uri, cookie_path
-      uri = request_uri.is_a?(URI) ? request_uri : URI.parse(request_uri)
-      cookie_path = cookie_path.is_a?(Cookie) ? cookie_path.path : cookie_path
-      if cookie_path == nil || cookie_path.empty?
-        cookie_path = cookie_base_path uri.path
-      end
-      cookie_path
-    end
-    # Given a URI, compute the relevant search domains for pre-existing
-    # cookies. This includes all the valid dotted forms for a named or IP
-    # domains.
-    def self.compute_search_domains request_uri
-      uri = request_uri.is_a?(URI) ? request_uri : URI.parse(request_uri)
-      host = effective_host uri
-      result = [host]
-      if host !~ IPADDR
-        result << ".#{host}"
+    def to_json *a
+      result = {
+        :json_class => self.class.name,
+        :name => @name,
+        :value => @value,
+        :domain => @domain,
+        :path => @path,
+        :created_at => @created_at
+      }
+      {
+        :expiry => @expiry,
+        :secure => (true if @secure),
+        :http_only => (true if @http_only),
+        :version => (@version if version != 0),
+        :comment => @comment,
+        :comment_url => @comment_url,
+        :discard => (true if @discard),
+        :ports => @ports
+      }.each do |name, value|
+        result[name] = value if value
       end
-      base = hostname_reach host
-      if base
-        result << ".#{base}"
-      end
-      result
+      result.to_json(*a)
     end
-    # Processes cookie domain data using the following rules:
-    # Domains strings of the form .foo.com match 'foo.com' and all immediate
-    # subdomains of 'foo.com'. Domain strings specified of the form 'foo.com' are
-    # modified to '.foo.com', and as such will still apply to subdomains.
-    #
-    # Cookies without an explicit domain will have their domain value taken directly
-    # from the URL, and will _NOT_ have any leading dot applied. For example, a request
-    # to http://foo.com/ will cause an entry for 'foo.com' to be created - which applies
-    # to foo.com but no subdomain.
-    #
-    # Note that this will not attempt to detect a mismatch of the request uri domain
-    # and explicitly specified cookie domain
-    def self.determine_cookie_domain request_uri, cookie_domain
-      uri = request_uri.is_a?(URI) ? request_uri : URI.parse(request_uri)
-      domain = cookie_domain.is_a?(Cookie) ? cookie_domain.domain : cookie_domain
-      if domain == nil || domain.empty?
-        domain = effective_host uri.host
-      else
-        domain = domain.downcase
-        if domain =~ IPADDR || domain.start_with?('.')
-          domain
-        else
-          ".#{domain}"
-        end
+    def self.json_create o
+      params = o.inject({}) do |hash, (key, value)|
+        hash[key.to_sym] = value
+        hash
       end
-    end
-    # Compute the effective host (RFC 2965, section 1)
-    # [host] a string or URI.
-    #
-    # Has the added additional logic of searching for interior dots specifically, and
-    # matches colons to prevent .local being suffixed on IPv6 addresses
-    def self.effective_host host
-      hostname = host.is_a?(URI) ? host.host : host
-      hostname = hostname.downcase
-      if /.[\.:]./.match(hostname) || hostname == '.local'
-        hostname
+      params[:version] ||= 0
+      params[:created_at] = Time.parse params[:created_at]
+      if params[:expiry].is_a? String
+        params[:expires_at] = Time.parse params[:expiry]
       else
-        hostname + '.local'
+        params[:max_age] = params[:expiry]
       end
-    end
-    # Compare a base domain against the base domain to see if they match, or
-    # if the base domain is reachable
-    def self.domains_match tested_domain,base_domain
-      return true if (tested_domain == base_domain || ".#{tested_domain}" == base_domain)
-      lhs = effective_host tested_domain
-      rhs = effective_host base_domain
-      lhs == rhs || ".#{lhs}" == rhs || hostname_reach(lhs) == rhs || ".#{hostname_reach lhs}" == rhs
+      params.delete :expiry
+      self.new params
     end
-    # Compute the reach of a hostname (RFC 2965, section 1)
-    # Determines the next highest superdomain, or nil if none valid
-    def self.hostname_reach hostname
-      host = hostname.is_a?(URI) ? hostname.host : hostname
-      host = host.downcase
-      match = BASE_HOSTNAME.match host
-      if match
-        match[1]
-      end
+    def self.compute_search_domains request_uri
+      CookieValidation.compute_search_domains request_uri
     end
   protected
-    PARAM1 = /\A(#{PATTERN::TOKEN})(?:=#{PATTERN::VALUE1})?\Z/
-    # PARAM2 = /\A(#{PATTERN::TOKEN})(?:=#{PATTERN::VALUE2})?\Z/
-    def initialize *params
-      case params.length
-      when 1
-        args = params[0]
-      when 2
-        args = {:name => params[0], :value => params[1], :version => 0}
-      else
-        raise ArgumentError.new "wrong number of arguments (expected 1 or 2)"
-      end
+    def initialize args
-      @created_at = Time.now
+      @created_at   = args[:created_at] || Time.now
       @domain       = args[:domain]
-      @expiry       = args[:max_age]   || args[:expires_at] || nil
+      @expiry       = args[:max_age]   || args[:expires_at]
       @path         = args[:path]
       @secure       = args[:secure]    || false
       @http_only    = args[:http_only] || false
@@ -327,4 +154,4 @@ module CookieJar
       end
     end
   end
-end
+end

data/lib/cookiejar/cookie_validation.rb ADDED Viewed

@@ -0,0 +1,271 @@
+module CookieJar
+  # Represents all cookie validation errors
+  class InvalidCookieError < StandardError
+    attr_reader :messages
+    def initialize message
+     if message.is_a? Array
+       @messages = message
+       message = message.join ', '
+     end
+     super(message)
+    end
+  end
+  # Contains logic to parse and validate cookie headers
+  module CookieValidation
+    module PATTERN
+      include URI::REGEXP::PATTERN
+      TOKEN = '[^(),\/<>@;:\\\"\[\]?={}\s]*'
+      VALUE1 = "([^;]*)"
+      IPADDR = "#{IPV4ADDR}|#{IPV6ADDR}"
+      BASE_HOSTNAME = "(?:#{DOMLABEL}\\.)(?:((?:(?:#{DOMLABEL}\\.)+(?:#{TOPLABEL}\\.?))|local))"
+      # QUOTED_PAIR = "\\\\[\\x00-\\x7F]"
+      # LWS = "\\r\\n(?:[ \\t]+)"
+      # TEXT="[\\t\\x20-\\x7E\\x80-\\xFF]|(?:#{LWS})"
+      # QDTEXT="[\\t\\x20-\\x21\\x23-\\x7E\\x80-\\xFF]|(?:#{LWS})"
+      # QUOTED_TEXT = "\\\"((?:#{QDTEXT}|#{QUOTED_PAIR})*)\\\""
+      # VALUE2 = "(#{TOKEN})|#{QUOTED_TEXT}"
+    end
+    BASE_HOSTNAME = /#{PATTERN::BASE_HOSTNAME}/
+    BASE_PATH = /\A((?:[^\/?#]*\/)*)/
+    IPADDR = /\A#{PATTERN::IPADDR}\Z/
+    HDN = /\A#{PATTERN::HOSTNAME}\Z/
+    TOKEN = /\A#{PATTERN::TOKEN}\Z/
+    PARAM1 = /\A(#{PATTERN::TOKEN})(?:=#{PATTERN::VALUE1})?\Z/
+    # PARAM2 = /\A(#{PATTERN::TOKEN})(?:=#{PATTERN::VALUE2})?\Z/
+    # TWO_DOT_DOMAINS = /\A\.(com|edu|net|mil|gov|int|org)\Z/
+    # Converts the input object to a URI (if not already a URI)
+    def self.to_uri request_uri
+      (request_uri.is_a? URI)? request_uri : (URI.parse request_uri)
+    end
+    # Converts an input cookie or uri to a string representing the path.
+    # Assume strings are already paths
+    def self.to_path uri_or_path
+      if (uri_or_path.is_a? URI) || (uri_or_path.is_a? Cookie)
+        uri_or_path.path
+      else
+        uri_or_path
+      end
+    end
+    # Converts an input cookie or uri to a string representing the domain.
+    # Assume strings are already domains
+    def self.to_domain uri_or_domain
+      if uri_or_domain.is_a? URI
+        uri_or_domain.host
+      elsif uri_or_domain.is_a? Cookie
+        uri_or_domain.domain
+      else
+        uri_or_domain
+      end
+    end
+    # Compare a tested domain against the base domain to see if they match, or
+    # if the base domain is reachable.
+    #
+    # returns the effective_host on success, nil on failure
+    def self.domains_match tested_domain, base_domain
+      base = effective_host base_domain
+      search_domains = compute_search_domains_for_host base
+      result = search_domains.find do |domain|
+        domain == tested_domain
+      end
+    end
+    # Compute the reach of a hostname (RFC 2965, section 1)
+    # Determines the next highest superdomain, or nil if none valid
+    def self.hostname_reach hostname
+      host = to_domain hostname
+      host = host.downcase
+      match = BASE_HOSTNAME.match host
+      if match
+        match[1]
+      end
+    end
+    # Compute the base of a path.
+    def self.cookie_base_path path
+      BASE_PATH.match(to_path path)[1]
+    end
+    # Processes cookie path data using the following rules:
+    # Paths are separated by '/' characters, and accepted values are truncated
+    # to the last '/' character. If no path is specified in the cookie, a path
+    # value will be taken from the request URI which was used for the site.
+    #
+    # Note that this will not attempt to detect a mismatch of the request uri domain
+    # and explicitly specified cookie path
+    def self.determine_cookie_path request_uri, cookie_path
+      uri = to_uri request_uri
+      cookie_path = to_path cookie_path
+      if cookie_path == nil || cookie_path.empty?
+        cookie_path = cookie_base_path uri.path
+      end
+      cookie_path
+    end
+    # Given a URI, compute the relevant search domains for pre-existing
+    # cookies. This includes all the valid dotted forms for a named or IP
+    # domains.
+    def self.compute_search_domains request_uri
+      uri = to_uri request_uri
+      host = uri.host
+      compute_search_domains_for_host host
+    end
+    # Given a host, compute the relevant search domains for pre-existing
+    # cookies
+    def self.compute_search_domains_for_host host
+      host = effective_host host
+      result = [host]
+      unless host =~ IPADDR
+        result << ".#{host}"
+        base = hostname_reach host
+        if base
+          result << ".#{base}"
+        end
+      end
+      result
+    end
+    # Processes cookie domain data using the following rules:
+    # Domains strings of the form .foo.com match 'foo.com' and all immediate
+    # subdomains of 'foo.com'. Domain strings specified of the form 'foo.com' are
+    # modified to '.foo.com', and as such will still apply to subdomains.
+    #
+    # Cookies without an explicit domain will have their domain value taken directly
+    # from the URL, and will _NOT_ have any leading dot applied. For example, a request
+    # to http://foo.com/ will cause an entry for 'foo.com' to be created - which applies
+    # to foo.com but no subdomain.
+    #
+    # Note that this will not attempt to detect a mismatch of the request uri domain
+    # and explicitly specified cookie domain
+    def self.determine_cookie_domain request_uri, cookie_domain
+      uri = to_uri request_uri
+      domain = to_domain cookie_domain
+      if domain == nil || domain.empty?
+        domain = effective_host uri.host
+      else
+        domain = domain.downcase
+        if domain =~ IPADDR || domain.start_with?('.')
+          domain
+        else
+          ".#{domain}"
+        end
+      end
+    end
+    # Compute the effective host (RFC 2965, section 1)
+    # [host] a string or URI.
+    #
+    # Has the added additional logic of searching for interior dots specifically, and
+    # matches colons to prevent .local being suffixed on IPv6 addresses
+    def self.effective_host host_or_uri
+      hostname = to_domain host_or_uri
+      hostname = hostname.downcase
+      if /.[\.:]./.match(hostname) || hostname == '.local'
+        hostname
+      else
+        hostname + '.local'
+      end
+    end
+    # Check whether a cookie meets all of the rules to be created, based on
+    # its internal settings and the URI it came from.
+    #
+    # returns true on success, but will raise an InvalidCookieError on failure
+    # with an appropriate error message
+    def self.validate_cookie request_uri, cookie
+      uri = to_uri request_uri
+      request_host = effective_host uri.host
+      request_path = uri.path
+      request_secure = (uri.scheme == 'https')
+      cookie_host = cookie.domain
+      cookie_path = cookie.path
+      errors = []
+      # From RFC 2965, Section 3.3.2 Rejecting Cookies
+      # A user agent rejects (SHALL NOT store its information) if the
+      # Version attribute is missing. Note that the legacy Set-Cookie
+      # directive will result in an implicit version 0.
+      unless cookie.version
+        errors << "Version missing"
+      end
+      # The value for the Path attribute is not a prefix of the request-URI
+      unless request_path.start_with? cookie_path
+        errors << "Path is not a prefix of the request uri path"
+      end
+      unless cookie_host =~ IPADDR || #is an IPv4 or IPv6 address
+        cookie_host =~ /.\../ || #contains an embedded dot
+        cookie_host == '.local' #is the domain cookie for local addresses
+        errors << "Domain format is illegal"
+      end
+      # The effective host name that derives from the request-host does
+      # not domain-match the Domain attribute.
+      #
+      # The request-host is a HDN (not IP address) and has the form HD,
+      # where D is the value of the Domain attribute, and H is a string
+      # that contains one or more dots.
+      unless domains_match cookie_host, uri
+        errors << "Domain is inappropriate based on request URI hostname"
+      end
+      # The Port attribute has a "port-list", and the request-port was
+      # not in the list.
+      unless cookie.ports.nil? || cookie.ports.length != 0
+        unless cookie.ports.find_index uri.port
+          errors << "Ports list does not contain request URI port"
+        end
+      end
+      raise InvalidCookieError.new errors unless errors.empty?
+      # Note: 'secure' is not explicitly defined as an SSL channel, and no
+      # test is defined around validity and the 'secure' attribute
+      true
+    end
+    def self.parse_set_cookie set_cookie_value
+      args = { }
+      params=set_cookie_value.split /;\s*/
+      params.each do |param|
+        result = PARAM1.match param
+        if !result
+          raise InvalidCookieError.new "Invalid cookie parameter in cookie '#{set_cookie_value}'"
+        end
+        key = result[1].downcase.to_sym
+        keyvalue = result[2]
+        case key
+        when :expires
+          args[:expires_at] = Time.parse keyvalue
+        when :domain
+          args[:domain] = keyvalue
+        when :path
+          args[:path] = keyvalue
+        when :secure
+          args[:secure] = true
+        when :httponly
+          args[:http_only] = true
+        else
+          args[:name] = result[1]
+          args[:value] = keyvalue
+        end
+      end
+      args[:version] = 0
+      args
+    end
+  end
+end