hanami-controller 2.0.0.alpha3 → 2.0.0.alpha4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 015e9bf69c01ea01cbdd9a27e7bf4d4cb4f8f9a98f01a14d707fd68457096006
-  data.tar.gz: 0f2c2e2569453264b41e131451caae329cfbd7d6773d50f610355f5f6fd0b62b
+  metadata.gz: 5cc85e1cc9074a18b393db3a0760c7fafb1d944914f2b755bfe0e6e6c35ee6aa
+  data.tar.gz: ea3998a90c5f6fb27c720ef400a729a3348b56e6bc5622b8ea07e64e3c2716b2
 SHA512:
-  metadata.gz: 7eb2b778608f9dd27cbf777dd00b98e079bc1ec790da5e388113d645babbc9972d10272c083e187dfafa875fe0e2387592f34fc4d48b0ff96be920d1d82c12b8
-  data.tar.gz: e1290141bb9128031b0593b1edcf2975fe5f01eadb4661fe0bf18c164f339671bf195b43f8933731cab13180b68a7141a4ce6caa01e1df9aabe3e5afb9e0c9a7
+  metadata.gz: e843265e291cd6722bf6acf0acb4fb9dc5b16216da02797713b9eb60316802a697b48102c9edf8846c174d987b14c2748f2347224571b089e5b145c229d08579
+  data.tar.gz: 0d6cea465c65077a40b41547c323c1e54613f0743f6c20bfe54265b5d5ecea7431e43e33d9e1d01c1cdcddd22eccca0b1a7e186092d99fe2751d43d80c3aa42d

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 # Hanami::Controller
 Complete, fast and testable actions for Rack
 
+## v2.0.0.alpha4 - 2021-12-07
+### Added
+- [Luca Guidi] Manage Content Security Policy (CSP) defaults and new API via `Hanami::Action::ApplicationConfiguration#content_security_policy`
+- [Tim Riley & Marc Busqué] Provide access to routes inside all application actions via `Hanami::Action::ApplicationAction#routes`
+
 ## v2.0.0.alpha3 - 2021-11-09
 ### Added
 - [Luca Guidi] Automatically include session behavior in `Hanami::Action` when sessions are enabled via Hanami application config

data/lib/hanami/action/application_action.rb

@@ -14,7 +14,7 @@ module Hanami
       def included(action_class)
         action_class.include InstanceMethods
 
-        define_initialize action_class
+        define_initialize
         configure_action action_class
         extend_behavior action_class
       end
@@ -25,20 +25,33 @@ module Hanami
 
       private
 
-      def define_initialize(action_class)
+      def define_initialize
         resolve_view = method(:resolve_paired_view)
         resolve_context = method(:resolve_view_context)
+        resolve_routes = method(:resolve_routes)
 
         define_method :initialize do |**deps|
           # Conditionally assign these to repsect any explictly auto-injected
           # dependencies provided by the class
           @view ||= deps[:view] || resolve_view.(self.class)
           @view_context ||= deps[:view_context] || resolve_context.()
+          @routes ||= deps[:routes] || resolve_routes.()
 
           super(**deps)
         end
       end
 
+      def resolve_paired_view(action_class)
+        view_identifiers = application.config.actions.view_name_inferrer.(
+          action_name: action_class.name,
+          provider: provider
+        )
+
+        view_identifiers.detect { |identifier|
+          break provider[identifier] if provider.key?(identifier)
+        }
+      end
+
       def resolve_view_context
         identifier = application.config.actions.view_context_identifier
 
@@ -49,15 +62,8 @@ module Hanami
         end
       end
 
-      def resolve_paired_view(action_class)
-        view_identifiers = application.config.actions.view_name_inferrer.(
-          action_name: action_class.name,
-          provider: provider
-        )
-
-        view_identifiers.detect { |identifier|
-          break provider[identifier] if provider.key?(identifier)
-        }
+      def resolve_routes
+        application[:routes_helper] if application.key?(:routes_helper)
       end
 
       def configure_action(action_class)
@@ -87,6 +93,7 @@ module Hanami
       module InstanceMethods
         attr_reader :view
         attr_reader :view_context
+        attr_reader :routes
 
         def build_response(**options)
           options = options.merge(view_options: method(:view_options))
@@ -101,11 +108,23 @@ module Hanami
           {request: req, response: res}
         end
 
-        # Automatically render the view, if the body hasn't been populated yet
         def finish(req, res, halted)
-          res.render(view, **req.params, **res.exposures) if view && res.body.empty?
+          res.render(view, **req.params) if render?(res)
           super
         end
+
+        # Decide whether to render the current response with the associated view.
+        # This can be overridden to enable/disable automatic rendering.
+        #
+        # @param res [Hanami::Action::Response]
+        #
+        # @return [TrueClass,FalseClass]
+        #
+        # @since 2.0.0
+        # @api public
+        def render?(res)
+          view && res.body.empty?
+        end
       end
     end
   end

data/lib/hanami/action/application_configuration/content_security_policy.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Hanami
+  class Action
+    class ApplicationConfiguration
+      # Configuration for Content Security Policy in Hanami applications
+      #
+      # @since 2.0.0
+      class ContentSecurityPolicy
+        # @since 2.0.0
+        # @api private
+        def initialize(&blk)
+          @policy = {
+            base_uri: "'self'",
+            child_src: "'self'",
+            connect_src: "'self'",
+            default_src: "'none'",
+            font_src: "'self'",
+            form_action: "'self'",
+            frame_ancestors: "'self'",
+            frame_src: "'self'",
+            img_src: "'self' https: data:",
+            media_src: "'self'",
+            object_src: "'none'",
+            plugin_types: "application/pdf",
+            script_src: "'self'",
+            style_src: "'self' 'unsafe-inline' https:"
+          }
+
+          blk&.(self)
+        end
+
+        # @since 2.0.0
+        # @api private
+        def initialize_copy(original_object)
+          @policy = original_object.instance_variable_get(:@policy).dup
+          super
+        end
+
+        # Get a CSP setting
+        #
+        # @param key [Symbol] the underscored name of the CPS setting
+        # @return [String,NilClass] the CSP setting, if any
+        #
+        # @since 2.0.0
+        # @api public
+        #
+        # @example
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy[:base_uri] # => "'self'"
+        #     end
+        #   end
+        def [](key)
+          @policy[key]
+        end
+
+        # Set a CSP setting
+        #
+        # @param key [Symbol] the underscored name of the CPS setting
+        # @param value [String] the CSP setting value
+        #
+        # @since 2.0.0
+        # @api public
+        #
+        # @example Replace a default value
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy[:plugin_types] = nil
+        #     end
+        #   end
+        #
+        # @example Append to a default value
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy[:script_src] += " https://my.cdn.test"
+        #     end
+        #   end
+        def []=(key, value)
+          @policy[key] = value
+        end
+
+        # Deletes a CSP key
+        #
+        # @param key [Symbol] the underscored name of the CPS setting
+        #
+        # @since 2.0.0
+        # @api public
+        #
+        # @example
+        #   module MyApp
+        #     class Application < Hanami::Application
+        #       config.actions.content_security_policy.delete(:object_src)
+        #     end
+        #   end
+        def delete(key)
+          @policy.delete(key)
+        end
+
+        # @since 2.0.0
+        # @api private
+        def to_str
+          @policy.map do |key, value|
+            "#{dasherize(key)} #{value}"
+          end.join(";\n")
+        end
+
+        private
+
+        # @since 2.0.0
+        # @api private
+        def dasherize(key)
+          key.to_s.gsub("_", "-")
+        end
+      end
+    end
+  end
+end

data/lib/hanami/action/application_configuration.rb

@@ -2,6 +2,7 @@
 
 require_relative "application_configuration/cookies"
 require_relative "application_configuration/sessions"
+require_relative "application_configuration/content_security_policy"
 require_relative "configuration"
 require_relative "view_name_inferrer"
 
@@ -19,10 +20,18 @@ module Hanami
       setting :view_name_inferrer, default: ViewNameInferrer
       setting :view_name_inference_base, default: "views"
 
-      def initialize(*)
-        super
+      attr_accessor :content_security_policy
+
+      def initialize(*, **options)
+        super()
 
         @base_configuration = Configuration.new
+        @content_security_policy = ContentSecurityPolicy.new do |csp|
+          if assets_server_url = options[:assets_server_url]
+            csp[:script_src] += " #{assets_server_url}"
+            csp[:style_src] += " #{assets_server_url}"
+          end
+        end
 
         configure_defaults
       end
@@ -31,6 +40,10 @@ module Hanami
         # A nil value for `csrf_protection` means it has not been explicitly configured
         # (neither true nor false), so we can default it to whether sessions are enabled
         self.csrf_protection = sessions.enabled? if csrf_protection.nil?
+
+        if self.content_security_policy
+          self.default_headers["Content-Security-Policy"] = self.content_security_policy.to_str
+        end
       end
 
       # Returns the list of available settings
@@ -55,22 +68,7 @@ module Hanami
         self.default_headers = {
           "X-Frame-Options" => "DENY",
           "X-Content-Type-Options" => "nosniff",
-          "X-XSS-Protection" => "1; mode=block",
-          "Content-Security-Policy" => \
-            "base-uri 'self'; " \
-            "child-src 'self'; " \
-            "connect-src 'self'; " \
-            "default-src 'none'; " \
-            "font-src 'self'; " \
-            "form-action 'self'; " \
-            "frame-ancestors 'self'; " \
-            "frame-src 'self'; " \
-            "img-src 'self' https: data:; " \
-            "media-src 'self'; " \
-            "object-src 'none'; " \
-            "plugin-types application/pdf; " \
-            "script-src 'self'; " \
-            "style-src 'self' 'unsafe-inline' https:"
+          "X-XSS-Protection" => "1; mode=block"
         }
       end
 

data/lib/hanami/action/response.rb

@@ -76,7 +76,7 @@ module Hanami
       end
 
       def render(view, **options)
-        self.body = view.(**view_options.(request, self), **options).to_str
+        self.body = view.(**view_options.(request, self), **exposures.merge(options)).to_str
       end
 
       def format=(args)

data/lib/hanami/action/standalone_action.rb

@@ -559,7 +559,6 @@ module Hanami
         # @api private
         # @abstract
         #
-        # @see Hanami::Action::Callable#finish
         # @see Hanami::Action::Session#finish
         # @see Hanami::Action::Cookies#finish
         # @see Hanami::Action::Cache#finish

data/lib/hanami/controller/version.rb

@@ -3,6 +3,6 @@ module Hanami
     # Defines the version
     #
     # @since 0.1.0
-    VERSION = '2.0.0.alpha3'.freeze
+    VERSION = '2.0.0.alpha4'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hanami-controller
 version: !ruby/object:Gem::Version
-  version: 2.0.0.alpha3
+  version: 2.0.0.alpha4
 platform: ruby
 authors:
 - Luca Guidi
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-11-09 00:00:00.000000000 Z
+date: 2021-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -134,6 +134,7 @@ files:
 - lib/hanami/action.rb
 - lib/hanami/action/application_action.rb
 - lib/hanami/action/application_configuration.rb
+- lib/hanami/action/application_configuration/content_security_policy.rb
 - lib/hanami/action/application_configuration/cookies.rb
 - lib/hanami/action/application_configuration/sessions.rb
 - lib/hanami/action/base_params.rb
@@ -181,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.29
 signing_key:
 specification_version: 4
 summary: Complete, fast and testable actions for Rack and Hanami