hanami-controller 1.3.3 → 2.0.0.alpha4

data/hanami-controller.gemspec

@@ -17,13 +17,14 @@ Gem::Specification.new do |spec|
   spec.executables   = []
   spec.test_files    = spec.files.grep(%r{^(spec)/})
   spec.require_paths = ['lib']
-  spec.required_ruby_version = '>= 2.3.0'
+  spec.required_ruby_version = '>= 2.6.0'
 
   spec.add_dependency 'rack',         '~> 2.0'
-  spec.add_dependency 'hanami-utils', '~> 1.3'
+  spec.add_dependency 'hanami-utils', '~> 2.0.alpha'
+  spec.add_dependency 'dry-configurable', '~> 0.13', '>= 0.13.0'
 
   spec.add_development_dependency 'bundler',   '>= 1.6', '< 3'
   spec.add_development_dependency 'rack-test', '~> 1.0'
   spec.add_development_dependency 'rake',      '~> 13'
-  spec.add_development_dependency 'rspec',     '~> 3.7'
+  spec.add_development_dependency 'rspec',     '~> 3.9'
 end

data/lib/hanami/action/application_action.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+module Hanami
+  class Action
+    class ApplicationAction < Module
+      attr_reader :provider
+      attr_reader :application
+
+      def initialize(provider)
+        @provider = provider
+        @application = provider.respond_to?(:application) ? provider.application : Hanami.application
+      end
+
+      def included(action_class)
+        action_class.include InstanceMethods
+
+        define_initialize
+        configure_action action_class
+        extend_behavior action_class
+      end
+
+      def inspect
+        "#<#{self.class.name}[#{provider.name}]>"
+      end
+
+      private
+
+      def define_initialize
+        resolve_view = method(:resolve_paired_view)
+        resolve_context = method(:resolve_view_context)
+        resolve_routes = method(:resolve_routes)
+
+        define_method :initialize do |**deps|
+          # Conditionally assign these to repsect any explictly auto-injected
+          # dependencies provided by the class
+          @view ||= deps[:view] || resolve_view.(self.class)
+          @view_context ||= deps[:view_context] || resolve_context.()
+          @routes ||= deps[:routes] || resolve_routes.()
+
+          super(**deps)
+        end
+      end
+
+      def resolve_paired_view(action_class)
+        view_identifiers = application.config.actions.view_name_inferrer.(
+          action_name: action_class.name,
+          provider: provider
+        )
+
+        view_identifiers.detect { |identifier|
+          break provider[identifier] if provider.key?(identifier)
+        }
+      end
+
+      def resolve_view_context
+        identifier = application.config.actions.view_context_identifier
+
+        if provider.key?(identifier)
+          provider[identifier]
+        elsif application.key?(identifier)
+          application[identifier]
+        end
+      end
+
+      def resolve_routes
+        application[:routes_helper] if application.key?(:routes_helper)
+      end
+
+      def configure_action(action_class)
+        action_class.config.settings.each do |setting|
+          application_value = application.config.actions.public_send(:"#{setting}")
+          action_class.config.public_send :"#{setting}=", application_value
+        end
+      end
+
+      def extend_behavior(action_class)
+        if application.config.actions.sessions.enabled?
+          require "hanami/action/session"
+          action_class.include Hanami::Action::Session
+        end
+
+        if application.config.actions.csrf_protection
+          require "hanami/action/csrf_protection"
+          action_class.include Hanami::Action::CSRFProtection
+        end
+
+        if application.config.actions.cookies.enabled?
+          require "hanami/action/cookies"
+          action_class.include Hanami::Action::Cookies
+        end
+      end
+
+      module InstanceMethods
+        attr_reader :view
+        attr_reader :view_context
+        attr_reader :routes
+
+        def build_response(**options)
+          options = options.merge(view_options: method(:view_options))
+          super(**options)
+        end
+
+        def view_options(req, res)
+          {context: view_context&.with(**view_context_options(req, res))}.compact
+        end
+
+        def view_context_options(req, res)
+          {request: req, response: res}
+        end
+
+        def finish(req, res, halted)
+          res.render(view, **req.params) if render?(res)
+          super
+        end
+
+        # Decide whether to render the current response with the associated view.
+        # This can be overridden to enable/disable automatic rendering.
+        #
+        # @param res [Hanami::Action::Response]
+        #
+        # @return [TrueClass,FalseClass]
+        #
+        # @since 2.0.0
+        # @api public
+        def render?(res)
+          view && res.body.empty?
+        end
+      end
+    end
+  end
+end

data/lib/hanami/action/application_configuration/content_security_policy.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Hanami
+  class Action
+    class ApplicationConfiguration
+      # Configuration for Content Security Policy in Hanami applications
+      #
+      # @since 2.0.0
+      class ContentSecurityPolicy
+        # @since 2.0.0
+        # @api private
+        def initialize(&blk)
+          @policy = {
+            base_uri: "'self'",
+            child_src: "'self'",
+            connect_src: "'self'",
+            default_src: "'none'",
+            font_src: "'self'",
+            form_action: "'self'",
+            frame_ancestors: "'self'",
+            frame_src: "'self'",
+            img_src: "'self' https: data:",
+            media_src: "'self'",
+            object_src: "'none'",
+            plugin_types: "application/pdf",
+            script_src: "'self'",
+            style_src: "'self' 'unsafe-inline' https:"
+          }
+
+          blk&.(self)
+        end
+
+        # @since 2.0.0
+        # @api private
+        def initialize_copy(original_object)
+          @policy = original_object.instance_variable_get(:@policy).dup
+          super
+        end
+
+        # Get a CSP setting
+        #
+        # @param key [Symbol] the underscored name of the CPS setting
+        # @return [String,NilClass] the CSP setting, if any
+        #
+        # @since 2.0.0
+        # @api public
+        #
+        # @example
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy[:base_uri] # => "'self'"
+        #     end
+        #   end
+        def [](key)
+          @policy[key]
+        end
+
+        # Set a CSP setting
+        #
+        # @param key [Symbol] the underscored name of the CPS setting
+        # @param value [String] the CSP setting value
+        #
+        # @since 2.0.0
+        # @api public
+        #
+        # @example Replace a default value
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy[:plugin_types] = nil
+        #     end
+        #   end
+        #
+        # @example Append to a default value
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy[:script_src] += " https://my.cdn.test"
+        #     end
+        #   end
+        def []=(key, value)
+          @policy[key] = value
+        end
+
+        # Deletes a CSP key
+        #
+        # @param key [Symbol] the underscored name of the CPS setting
+        #
+        # @since 2.0.0
+        # @api public
+        #
+        # @example
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy.delete(:object_src)
+        #     end
+        #   end
+        def delete(key)
+          @policy.delete(key)
+        end
+
+        # @since 2.0.0
+        # @api private
+        def to_str
+          @policy.map do |key, value|
+            "#{dasherize(key)} #{value}"
+          end.join(";\n")
+        end
+
+        private
+
+        # @since 2.0.0
+        # @api private
+        def dasherize(key)
+          key.to_s.gsub("_", "-")
+        end
+      end
+    end
+  end
+end

data/lib/hanami/action/application_configuration/cookies.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Hanami
+  class Action
+    class ApplicationConfiguration
+      # Wrapper for application-level configuration of HTTP cookies for Hanami actions.
+      # This decorates the hash of cookie options that is otherwise directly configurable
+      # on actions, and adds the `enabled?` method to allow `ApplicationAction` to
+      # determine whether to include the `Action::Cookies` module.
+      #
+      # @since 2.0.0
+      class Cookies
+        attr_reader :options
+
+        def initialize(options)
+          @options = options
+        end
+
+        def enabled?
+          !options.nil?
+        end
+
+        def to_h
+          options.to_h
+        end
+      end
+    end
+  end
+end

data/lib/hanami/action/application_configuration/sessions.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "dry/core/constants"
+require "hanami/utils/string"
+require "hanami/utils/class"
+
+module Hanami
+  class Action
+    class ApplicationConfiguration
+      # Configuration for HTTP sessions in Hanami actions
+      #
+      # @since 2.0.0
+      class Sessions
+        attr_reader :storage, :options
+
+        def initialize(storage = nil, *options)
+          @storage = storage
+          @options = options
+        end
+
+        def enabled?
+          !storage.nil?
+        end
+
+        def middleware
+          return [] if !enabled?
+
+          [[storage_middleware, options]]
+        end
+
+        private
+
+        def storage_middleware
+          require_storage
+
+          name = Utils::String.classify(storage)
+          Utils::Class.load!(name, ::Rack::Session)
+        end
+
+        def require_storage
+          require "rack/session/#{storage}"
+        end
+      end
+    end
+  end
+end

data/lib/hanami/action/application_configuration.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require_relative "application_configuration/cookies"
+require_relative "application_configuration/sessions"
+require_relative "application_configuration/content_security_policy"
+require_relative "configuration"
+require_relative "view_name_inferrer"
+
+module Hanami
+  class Action
+    class ApplicationConfiguration
+      include Dry::Configurable
+
+      setting :cookies, default: {}, constructor: -> options { Cookies.new(options) }
+      setting :sessions, constructor: proc { |storage, *options| Sessions.new(storage, *options) }
+      setting :csrf_protection
+
+      setting :name_inference_base, default: "actions"
+      setting :view_context_identifier, default: "view.context"
+      setting :view_name_inferrer, default: ViewNameInferrer
+      setting :view_name_inference_base, default: "views"
+
+      attr_accessor :content_security_policy
+
+      def initialize(*, **options)
+        super()
+
+        @base_configuration = Configuration.new
+        @content_security_policy = ContentSecurityPolicy.new do |csp|
+          if assets_server_url = options[:assets_server_url]
+            csp[:script_src] += " #{assets_server_url}"
+            csp[:style_src] += " #{assets_server_url}"
+          end
+        end
+
+        configure_defaults
+      end
+
+      def finalize!
+        # A nil value for `csrf_protection` means it has not been explicitly configured
+        # (neither true nor false), so we can default it to whether sessions are enabled
+        self.csrf_protection = sessions.enabled? if csrf_protection.nil?
+
+        if self.content_security_policy
+          self.default_headers["Content-Security-Policy"] = self.content_security_policy.to_str
+        end
+      end
+
+      # Returns the list of available settings
+      #
+      # @return [Set]
+      #
+      # @since 2.0.0
+      # @api private
+      def settings
+        base_configuration.settings + self.class.settings
+      end
+
+      private
+
+      attr_reader :base_configuration
+
+      # Apply defaults for base configuration settings
+      def configure_defaults
+        self.default_request_format = :html
+        self.default_response_format = :html
+
+        self.default_headers = {
+          "X-Frame-Options" => "DENY",
+          "X-Content-Type-Options" => "nosniff",
+          "X-XSS-Protection" => "1; mode=block"
+        }
+      end
+
+      def method_missing(name, *args, &block)
+        if config.respond_to?(name)
+          config.public_send(name, *args, &block)
+        elsif base_configuration.respond_to?(name)
+          base_configuration.public_send(name, *args, &block)
+        else
+          super
+        end
+      end
+
+      def respond_to_missing?(name, _incude_all = false)
+        config.respond_to?(name) || base_configuration.respond_to?(name) || super
+      end
+    end
+  end
+end

data/lib/hanami/action/base_params.rb

@@ -2,7 +2,7 @@ require 'rack/request'
 require 'hanami/utils/hash'
 
 module Hanami
-  module Action
+  class Action
     class BaseParams
       # The key that returns raw input from the Rack env
       #
@@ -173,7 +173,7 @@ module Hanami
       def _router_params(fallback = {})
         env.fetch(ROUTER_PARAMS) do
           if session = fallback.delete(RACK_SESSION) # rubocop:disable Lint/AssignmentInCondition
-            fallback[RACK_SESSION] = Utils::Hash.new(session).symbolize!.to_hash
+            fallback[RACK_SESSION] = Utils::Hash.deep_symbolize(session)
           end
 
           fallback

data/lib/hanami/action/cache/cache_control.rb

@@ -1,7 +1,7 @@
 require 'hanami/action/cache/directives'
 
 module Hanami
-  module Action
+  class Action
     module Cache
       # Module with Cache-Control logic
       #
@@ -37,7 +37,7 @@ module Hanami
           def cache_control_directives
             @cache_control_directives || Object.new.tap do |null_object|
               def null_object.headers
-                Hash.new
+                ::Hash.new
               end
             end
           end
@@ -49,9 +49,9 @@ module Hanami
         # @api private
         #
         # @see Hanami::Action#finish
-        def finish
+        def finish(_, res, _)
+          res.headers.merge!(self.class.cache_control_directives.headers) unless res.headers.include? HEADER
           super
-          headers.merge!(self.class.cache_control_directives.headers) unless headers.include? HEADER
         end
 
         # Class which stores CacheControl values

data/lib/hanami/action/cache/conditional_get.rb

@@ -1,5 +1,7 @@
+require "hanami/utils/blank"
+
 module Hanami
-  module Action
+  class Action
     module Cache
       # @since 0.3.0
       # @api private

data/lib/hanami/action/cache/directives.rb

@@ -1,5 +1,5 @@
 module Hanami
-  module Action
+  class Action
     module Cache
       # Cache-Control directives which have values
       #

data/lib/hanami/action/cache/expires.rb

@@ -1,7 +1,7 @@
 require 'hanami/action/cache/cache_control'
 
 module Hanami
-  module Action
+  class Action
     module Cache
       # Module with Expires logic
       #
@@ -49,9 +49,9 @@ module Hanami
         # @api private
         #
         # @see Hanami::Action#finish
-        def finish
+        def finish(_, res, _)
+          res.headers.merge!(self.class.expires_directives.headers) unless res.headers.include? HEADER
           super
-          headers.merge!(self.class.expires_directives.headers) unless headers.include? HEADER
         end
 
         # Class which stores Expires directives

data/lib/hanami/action/cache.rb

@@ -3,7 +3,7 @@ require 'hanami/action/cache/expires'
 require 'hanami/action/cache/conditional_get'
 
 module Hanami
-  module Action
+  class Action
     # Cache type API
     #
     # @since 0.3.0
@@ -26,144 +26,6 @@ module Hanami
           include CacheControl, Expires
         end
       end
-
-      protected
-
-      # Specify response freshness policy for HTTP caches (Cache-Control header).
-      # Any number of non-value directives (:public, :private, :no_cache,
-      # :no_store, :must_revalidate, :proxy_revalidate) may be passed along with
-      # a Hash of value directives (:max_age, :min_stale, :s_max_age).
-      #
-      # See RFC 2616 / 14.9 for more on standard cache control directives:
-      # http://tools.ietf.org/html/rfc2616#section-14.9.1
-      #
-      # @param values [Array<Symbols, Hash>] mapped to cache_control directives
-      # @option values [Symbol] :public
-      # @option values [Symbol] :private
-      # @option values [Symbol] :no_cache
-      # @option values [Symbol] :no_store
-      # @option values [Symbol] :must_validate
-      # @option values [Symbol] :proxy_revalidate
-      # @option values [Hash] :max_age
-      # @option values [Hash] :min_stale
-      # @option values [Hash] :s_max_age
-      #
-      # @return void
-      #
-      # @since 0.3.0
-      #
-      # @example
-      #   require 'hanami/controller'
-      #   require 'hanami/action/cache'
-      #
-      #   class Show
-      #     include Hanami::Action
-      #     include Hanami::Action::Cache
-      #
-      #     def call(params)
-      #       # ...
-      #
-      #       # set Cache-Control directives
-      #       cache_control :public, max_age: 900, s_maxage: 86400
-      #
-      #       # overwrite previous Cache-Control directives
-      #       cache_control :private, :no_cache, :no_store
-      #
-      #       => Cache-Control: private, no-store, max-age=900
-      #
-      #     end
-      #   end
-      def cache_control(*values)
-        cache_control = CacheControl::Directives.new(*values)
-        headers.merge!(cache_control.headers)
-      end
-
-      # Set the Expires header and Cache-Control/max-age directive. Amount
-      # can be an integer number of seconds in the future or a Time object
-      # indicating when the response should be considered "stale". The remaining
-      # "values" arguments are passed to the #cache_control helper:
-      #
-      # @param amount [Integer,Time] number of seconds or point in time
-      # @param values [Array<Symbols>] mapped to cache_control directives
-      #
-      # @return void
-      #
-      # @since 0.3.0
-      #
-      # @example
-      #   require 'hanami/controller'
-      #   require 'hanami/action/cache'
-      #
-      #   class Show
-      #     include Hanami::Action
-      #     include Hanami::Action::Cache
-      #
-      #     def call(params)
-      #       # ...
-      #
-      #       # set Cache-Control directives and Expires
-      #       expires 900, :public
-      #
-      #       # overwrite Cache-Control directives and Expires
-      #       expires 300, :private, :no_cache, :no_store
-      #
-      #       => Expires: Thu, 26 Jun 2014 12:00:00 GMT
-      #       => Cache-Control: private, no-cache, no-store max-age=300
-      #
-      #     end
-      #   end
-      def expires(amount, *values)
-        expires = Expires::Directives.new(amount, *values)
-        headers.merge!(expires.headers)
-      end
-
-      # Set the etag, last_modified, or both headers on the response
-      # and halts a 304 Not Modified if the request is still fresh
-      # respecting IfNoneMatch and IfModifiedSince request headers
-      #
-      # @param options [Hash]
-      # @option options [Integer] :etag for testing IfNoneMatch conditions
-      # @option options [Date] :last_modified for testing IfModifiedSince conditions
-      #
-      # @return void
-      #
-      # @since 0.3.0
-      #
-      # @example
-      #   require 'hanami/controller'
-      #   require 'hanami/action/cache'
-      #
-      #   class Show
-      #     include Hanami::Action
-      #     include Hanami::Action::Cache
-      #
-      #     def call(params)
-      #       # ...
-      #
-      #       # set etag response header and halt 304
-      #       # if request matches IF_NONE_MATCH header
-      #       fresh etag: @resource.updated_at.to_i
-      #
-      #       # set last_modified response header and halt 304
-      #       # if request matches IF_MODIFIED_SINCE
-      #       fresh last_modified: @resource.updated_at
-      #
-      #       # set etag and last_modified response header,
-      #       # halt 304 if request matches IF_MODIFIED_SINCE
-      #       # and IF_NONE_MATCH
-      #       fresh last_modified: @resource.updated_at
-      #
-      #     end
-      #   end
-      def fresh(options)
-        conditional_get = ConditionalGet.new(@_env, options)
-
-        headers.merge!(conditional_get.headers)
-
-        conditional_get.fresh? do
-          halt 304
-        end
-      end
     end
   end
 end