hanami 2.2.0 → 2.3.0.beta1

data/lib/hanami/helpers/assets_helper.rb

@@ -2,6 +2,7 @@
 
 require "uri"
 require "hanami/view"
+require_relative "../constants"
 
 # rubocop:disable Metrics/ModuleLength
 
@@ -61,7 +62,10 @@ module Hanami
 
       # @since 0.3.0
       # @api private
-      ABSOLUTE_URL_MATCHER = URI::DEFAULT_PARSER.make_regexp
+      # TODO: we can drop the defined?-check and fallback once Ruby 3.3 becomes our minimum required version
+      ABSOLUTE_URL_MATCHER = (
+        defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::DEFAULT_PARSER
+      ).make_regexp
 
       # @since 1.1.0
       # @api private
@@ -85,7 +89,12 @@ module Hanami
       # name of the algorithm, then a hyphen, then the hash value of the file.
       # If more than one algorithm is used, they"ll be separated by a space.
       #
-      # @param source_paths [Array<String, #url>] one or more assets by name or absolute URL
+      # If the Content Security Policy uses 'nonce' and the source is not
+      # absolute, the nonce value of the current request is automatically added
+      # as an attribute. You can override this with the `nonce: false` option.
+      # See {#content_security_policy_nonce} for more.
+      #
+      # @param sources [Array<String, #url>] one or more assets by name or absolute URL
       #
       # @return [Hanami::View::HTML::SafeString] the markup
       #
@@ -136,6 +145,10 @@ module Hanami
       #
       #   # <script src="/assets/application.js" type="text/javascript" defer="defer"></script>
       #
+      # @example Disable nonce
+      #
+      #   <%= javascript_tag "application", nonce: false %>
+      #
       # @example Absolute URL
       #
       #   <%= javascript_tag "https://code.jquery.com/jquery-2.1.4.min.js" %>
@@ -154,13 +167,15 @@ module Hanami
       #
       #   # <script src="https://assets.bookshelf.org/assets/application-28a6b886de2372ee3922fcaf3f78f2d8.js"
       #   #         type="text/javascript"></script>
-      def javascript_tag(*source_paths, **options)
+      def javascript_tag(*sources, **options)
         options = options.reject { |k, _| k.to_sym == :src }
+        nonce_option = options.delete(:nonce)
 
-        _safe_tags(*source_paths) do |source|
+        _safe_tags(*sources) do |source|
           attributes = {
-            src: _typed_path(source, JAVASCRIPT_EXT),
-            type: JAVASCRIPT_MIME_TYPE
+            src: _typed_url(source, JAVASCRIPT_EXT),
+            type: JAVASCRIPT_MIME_TYPE,
+            nonce: _nonce(source, nonce_option)
           }
           attributes.merge!(options)
 
@@ -189,7 +204,12 @@ module Hanami
       # name of the algorithm, then a hyphen, then the hashed value of the file.
       # If more than one algorithm is used, they"ll be separated by a space.
       #
-      # @param source_paths [Array<String, #url>] one or more assets by name or absolute URL
+      # If the Content Security Policy uses 'nonce' and the source is not
+      # absolute, the nonce value of the current request is automatically added
+      # as an attribute. You can override this with the `nonce: false` option.
+      # See {#content_security_policy_nonce} for more.
+      #
+      # @param sources [Array<String, #url>] one or more assets by name or absolute URL
       #
       # @return [Hanami::View::HTML::SafeString] the markup
       #
@@ -214,6 +234,10 @@ module Hanami
       #   # <link href="/assets/application.css" type="text/css" rel="stylesheet">
       #   # <link href="/assets/dashboard.css" type="text/css" rel="stylesheet">
       #
+      # @example Disable nonce
+      #
+      #   <%= stylesheet_tag "application", nonce: false %>
+      #
       # @example Subresource Integrity
       #
       #   <%= stylesheet_tag "application" %>
@@ -247,19 +271,21 @@ module Hanami
       #
       #   # <link href="https://assets.bookshelf.org/assets/application-28a6b886de2372ee3922fcaf3f78f2d8.css"
       #   #       type="text/css" rel="stylesheet">
-      def stylesheet_tag(*source_paths, **options)
+      def stylesheet_tag(*sources, **options)
         options = options.reject { |k, _| k.to_sym == :href }
+        nonce_option = options.delete(:nonce)
 
-        _safe_tags(*source_paths) do |source_path|
+        _safe_tags(*sources) do |source|
           attributes = {
-            href: _typed_path(source_path, STYLESHEET_EXT),
+            href: _typed_url(source, STYLESHEET_EXT),
             type: STYLESHEET_MIME_TYPE,
-            rel: STYLESHEET_REL
+            rel: STYLESHEET_REL,
+            nonce: _nonce(source, nonce_option)
           }
           attributes.merge!(options)
 
           if _context.assets.subresource_integrity? || attributes.include?(:integrity)
-            attributes[:integrity] ||= _subresource_integrity_value(source_path, STYLESHEET_EXT)
+            attributes[:integrity] ||= _subresource_integrity_value(source, STYLESHEET_EXT)
             attributes[:crossorigin] ||= CROSSORIGIN_ANONYMOUS
           end
 
@@ -626,7 +652,7 @@ module Hanami
       #
       # If CDN mode is on, it returns the absolute URL of the asset.
       #
-      # @param source_path [String, #url] the asset name or asset object
+      # @param source [String, #url] the asset name or asset object
       #
       # @return [String] the asset path
       #
@@ -665,42 +691,71 @@ module Hanami
       #   <%= asset_url "application.js" %>
       #
       #   # "https://assets.bookshelf.org/assets/application-28a6b886de2372ee3922fcaf3f78f2d8.js"
-      def asset_url(source_path)
-        return source_path.url if source_path.respond_to?(:url)
-        return source_path if _absolute_url?(source_path)
+      def asset_url(source)
+        return source.url if source.respond_to?(:url)
+        return source if _absolute_url?(source)
 
-        _context.assets[source_path].url
+        _context.assets[source].url
+      end
+
+      # Random per request nonce value for Content Security Policy (CSP) rules.
+      #
+      # If the `Hanami::Middleware::ContentSecurityPolicyNonce` middleware is
+      # in use, this helper returns the nonce value for the current request
+      # or `nil` otherwise.
+      #
+      # For this policy to work in the browser, you have to add the `'nonce'`
+      # placeholder to the script and/or style source policy rule. It will be
+      # substituted by the current nonce value like `'nonce-A12OggyZ'.
+      #
+      # @return [String, nil] nonce value of the current request
+      #
+      # @since x.x.x
+      #
+      # @example App configuration
+      #
+      #   config.middleware.use Hanami::Middleware::ContentSecurityPolicyNonce
+      #   config.actions.content_security_policy[:script_src] = "'self' 'nonce'"
+      #   config.actions.content_security_policy[:style_src] = "'self' 'nonce'"
+      #
+      # @example View helper
+      #
+      #   <script nonce="<%= content_security_policy_nonce %>">
+      def content_security_policy_nonce
+        return unless _context.request?
+
+        _context.request.env[CONTENT_SECURITY_POLICY_NONCE_REQUEST_KEY]
       end
 
       private
 
       # @since 2.1.0
       # @api private
-      def _safe_tags(*source_paths, &blk)
+      def _safe_tags(*sources, &blk)
         ::Hanami::View::HTML::SafeString.new(
-          source_paths.map(&blk).join(NEW_LINE_SEPARATOR)
+          sources.map(&blk).join(NEW_LINE_SEPARATOR)
         )
       end
 
       # @since 2.1.0
       # @api private
-      def _typed_path(source, ext)
+      def _typed_url(source, ext)
         source = "#{source}#{ext}" if source.is_a?(String) && _append_extension?(source, ext)
         asset_url(source)
       end
 
       # @api private
-      def _subresource_integrity_value(source_path, ext)
-        return if _absolute_url?(source_path)
+      def _subresource_integrity_value(source, ext)
+        return if _absolute_url?(source)
 
-        source_path = "#{source_path}#{ext}" unless /#{Regexp.escape(ext)}\z/.match?(source_path)
-        _context.assets[source_path].sri
+        source = "#{source}#{ext}" unless /#{Regexp.escape(ext)}\z/.match?(source)
+        _context.assets[source].sri
       end
 
       # @since 2.1.0
       # @api private
       def _absolute_url?(source)
-        ABSOLUTE_URL_MATCHER.match(source)
+        ABSOLUTE_URL_MATCHER.match?(source.respond_to?(:url) ? source.url : source)
       end
 
       # @since 1.2.0
@@ -711,6 +766,18 @@ module Hanami
         _context.assets.crossorigin?(source)
       end
 
+      # @since x.x.x
+      # @api private
+      def _nonce(source, nonce_option)
+        if nonce_option == false
+          nil
+        elsif nonce_option == true || (nonce_option.nil? && !_absolute_url?(source))
+          content_security_policy_nonce
+        else
+          nonce_option
+        end
+      end
+
       # @since 2.1.0
       # @api private
       def _source_options(src, options, &blk)

data/lib/hanami/middleware/content_security_policy_nonce.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "rack"
+require "securerandom"
+require_relative "../constants"
+
+module Hanami
+  module Middleware
+    # Generates a random per request nonce value like `mSMnSwfVZVe+LyQy1SPCGw==`, stores it as
+    # `"hanami.content_security_policy_nonce"` in the Rack environment, and replaces all occurrences
+    # of `'nonce'` in the `Content-Security-Policy header with the actual nonce value for the
+    # request, e.g. `'nonce-mSMnSwfVZVe+LyQy1SPCGw=='`.
+    #
+    # @see Hanami::Middleware::ContentSecurityPolicyNonce
+    #
+    # @api private
+    # @since x.x.x
+    class ContentSecurityPolicyNonce
+      # @api private
+      # @since x.x.x
+      def initialize(app)
+        @app = app
+      end
+
+      # @api private
+      # @since x.x.x
+      def call(env)
+        return @app.call(env) unless Hanami.app.config.actions.content_security_policy?
+
+        args = nonce_generator.arity == 1 ? [Rack::Request.new(env)] : []
+        request_nonce = nonce_generator.call(*args)
+
+        env[CONTENT_SECURITY_POLICY_NONCE_REQUEST_KEY] = request_nonce
+
+        _, headers, _ = response = @app.call(env)
+
+        headers["Content-Security-Policy"] = sub_nonce(headers["Content-Security-Policy"], request_nonce)
+
+        response
+      end
+
+      private
+
+      def nonce_generator
+        Hanami.app.config.actions.content_security_policy_nonce_generator
+      end
+
+      def sub_nonce(string, nonce)
+        string&.gsub("'nonce'", "'nonce-#{nonce}'")
+      end
+    end
+  end
+end

data/lib/hanami/slice.rb

@@ -729,7 +729,9 @@ module Hanami
       # @api public
       # @since 2.0.0
       def routes
-        @routes ||= load_routes
+        return @routes if instance_variable_defined?(:@routes)
+
+        @routes = load_routes
       end
 
       # Returns the slice's router, if or nil if no routes are defined.
@@ -925,7 +927,7 @@ module Hanami
         # Check here for the `routes` definition only, not `router` itself, because the
         # `router` requires the slice to be prepared before it can be loaded, and at this
         # point we're still in the process of preparing.
-        if routes
+        if routes?
           require_relative "providers/routes"
           register_provider(:routes, source: Providers::Routes)
         end
@@ -954,9 +956,10 @@ module Hanami
       end
 
       def prepare_autoloader
-        # Component dirs are automatically pushed to the autoloader by dry-system's
-        # zeitwerk plugin. This method adds other dirs that are not otherwise configured
-        # as component dirs.
+        autoloader.tag = "hanami.slices.#{slice_name.to_s}"
+
+        # Component dirs are automatically pushed to the autoloader by dry-system's zeitwerk plugin.
+        # This method adds other dirs that are not otherwise configured as component dirs.
 
         # Everything in the slice root can be autoloaded except `config/` and `slices/`,
         # which are framework-managed directories
@@ -977,11 +980,19 @@ module Hanami
         slices.freeze
       end
 
+      def routes?
+        return false unless Hanami.bundled?("hanami-router")
+
+        return true if namespace.const_defined?(ROUTES_CLASS_NAME)
+
+        root.join("#{ROUTES_PATH}#{RB_EXT}").file?
+      end
+
       def load_routes
         return false unless Hanami.bundled?("hanami-router")
 
         if root.directory?
-          routes_require_path = File.join(root, ROUTES_PATH)
+          routes_require_path = root.join(ROUTES_PATH).to_s
 
           begin
             require_relative "./routes"
@@ -1050,6 +1061,11 @@ module Hanami
             if config.actions.sessions.enabled?
               use(*config.actions.sessions.middleware)
             end
+
+            if config.actions.content_security_policy && # rubocop:disable Style/SafeNavigation
+               config.actions.content_security_policy.nonce?
+              use(*config.actions.content_security_policy.middleware)
+            end
           end
 
           if Hanami.bundled?("hanami-assets") && config.assets.serve

data/lib/hanami/slice_registrar.rb

@@ -5,7 +5,7 @@ require_relative "constants"
 module Hanami
   # @api private
   class SliceRegistrar
-    VALID_SLICE_NAME_RE = /^[a-z][a-z0-9_]+$/
+    VALID_SLICE_NAME_RE = /^[a-z][a-z0-9_]*$/
     SLICE_DELIMITER = CONTAINER_KEY_DELIMITER
 
     attr_reader :parent, :slices

data/lib/hanami/version.rb

@@ -7,7 +7,7 @@ module Hanami
   # @api private
   module Version
     # @api public
-    VERSION = "2.2.0"
+    VERSION = "2.3.0.beta1"
 
     # @since 0.9.0
     # @api private

data/lib/hanami.rb

@@ -138,7 +138,15 @@ module Hanami
     end
   end
 
-  # Returns the Hanami app environment as loaded from the `HANAMI_ENV` environment variable.
+  # Returns the Hanami app environment as determined from the environment.
+  #
+  # Checks the following environment variables in order:
+  #
+  # - `HANAMI_ENV`
+  # - `APP_ENV`
+  # - `RACK_ENV`
+  #
+  # Defaults to `:development` if no environment variable is set.
   #
   # @example
   #   Hanami.env # => :development
@@ -148,7 +156,7 @@ module Hanami
   # @api public
   # @since 2.0.0
   def self.env(e: ENV)
-    e.fetch("HANAMI_ENV") { e.fetch("RACK_ENV", "development") }.to_sym
+    (e["HANAMI_ENV"] || e["APP_ENV"] || e["RACK_ENV"] || :development).to_sym
   end
 
   # Returns true if {.env} matches any of the given names

data/spec/integration/assets/cross_slice_assets_helpers_spec.rb

@@ -123,7 +123,6 @@ RSpec.describe "Cross-slice assets via helpers", :app_integration do
     compile_assets!
 
     output = Admin::Slice["views.posts.show"].call.to_s
-
     expect(output).to match(%r{<link href="/assets/app-[A-Z0-9]{8}.css" type="text/css" rel="stylesheet">})
     expect(output).to match(%r{<script src="/assets/app-[A-Z0-9]{8}.js" type="text/javascript"></script>})
   end

data/spec/integration/assets/serve_static_assets_spec.rb

@@ -62,7 +62,7 @@ RSpec.describe "Serve Static Assets", :app_integration do
       get "/assets/../../config/app.rb"
 
       expect(last_response.status).to eq(404)
-      expect(last_response.body).to match(/Not Found/i)
+      expect(last_response.body).to match("Hanami::Router::NotFoundError")
     end
   end
 

data/spec/integration/container/autoloader_spec.rb

@@ -70,11 +70,13 @@ RSpec.describe "App autoloader", :app_integration do
       expect(NonApp::Thing).to be
 
       expect(TestApp::NBAJam::GetThatOuttaHere).to be
+      expect(TestApp::App.autoloader.tag).to eq("hanami.app.test_app")
 
       expect(Admin::Slice["operations.create_game"]).to be_an_instance_of(Admin::Operations::CreateGame)
       expect(Admin::Slice["operations.create_game"].call).to be_an_instance_of(Admin::Entities::Game)
 
       expect(Admin::Entities::Quarter).to be
+      expect(Admin::Slice.autoloader.tag).to eq("hanami.slices.admin")
     end
   end
 end

data/spec/integration/db/db_spec.rb

@@ -10,7 +10,7 @@ RSpec.describe "DB", :app_integration do
     ENV.replace(@env)
   end
 
-  it "sets up ROM and reigsters relations" do
+  it "sets up ROM and registers relations" do
     with_tmp_directory(Dir.mktmpdir) do
       write "config/app.rb", <<~RUBY
         require "hanami"

data/spec/integration/db/logging_spec.rb

@@ -235,4 +235,67 @@ RSpec.describe "DB / Logging", :app_integration do
       end
     end
   end
+
+  describe "in production" do
+    it "logs SQL queries" do
+      with_tmp_directory(Dir.mktmpdir) do
+        write "config/app.rb", <<~RUBY
+          require "hanami"
+
+          module TestApp
+            class App < Hanami::App
+            end
+          end
+        RUBY
+
+        write "app/relations/posts.rb", <<~RUBY
+          module TestApp
+            module Relations
+              class Posts < Hanami::DB::Relation
+                schema :posts, infer: true
+              end
+            end
+          end
+        RUBY
+
+        ENV["DATABASE_URL"] = "sqlite::memory"
+        ENV["HANAMI_ENV"] = "production"
+
+        require "hanami/setup"
+
+        logger_stream = StringIO.new
+        Hanami.app.config.logger.stream = logger_stream
+
+        require "hanami/prepare"
+
+        Hanami.app.prepare :db
+
+        # Manually run a migration and add a test record
+        gateway = Hanami.app["db.gateway"]
+        migration = gateway.migration do
+          change do
+            create_table :posts do
+              primary_key :id
+              column :title, :text, null: false
+            end
+
+            create_table :authors do
+              primary_key :id
+            end
+          end
+        end
+        migration.apply(gateway, :up)
+        gateway.connection.execute("INSERT INTO posts (title) VALUES ('Together breakfast')")
+
+        relation = Hanami.app["relations.posts"]
+        expect(relation.select(:title).to_a).to eq [{:title=>"Together breakfast"}]
+
+        logger_stream.rewind
+        log_lines = logger_stream.read.split("\n")
+
+        expect(log_lines.length).to eq 1
+        expect(log_lines.first).to match /Loaded :sqlite in \d+ms SELECT `posts`.`title` FROM `posts` ORDER BY `posts`.`id`/
+      end
+    end
+  end
 end

data/spec/integration/db/repo_spec.rb

@@ -114,6 +114,13 @@ RSpec.describe "DB / Repo", :app_integration do
         end
       RUBY
 
+      write "app/repo.rb", <<~RUBY
+        module TestApp
+          class Repo < Hanami::DB::Repo
+          end
+        end
+      RUBY
+
       ENV["DATABASE_URL"] = "sqlite::memory"
 
       write "slices/admin/db/struct.rb", <<~RUBY
@@ -137,7 +144,7 @@ RSpec.describe "DB / Repo", :app_integration do
 
       write "slices/admin/repo.rb", <<~RUBY
         module Admin
-          class Repo < Hanami::DB::Repo
+          class Repo < TestApp::Repo
           end
         end
       RUBY
@@ -172,7 +179,7 @@ RSpec.describe "DB / Repo", :app_integration do
 
       write "slices/main/repo.rb", <<~RUBY
         module Main
-          class Repo < Hanami::DB::Repo
+          class Repo < TestApp::Repo
           end
         end
       RUBY
@@ -186,6 +193,15 @@ RSpec.describe "DB / Repo", :app_integration do
         end
       RUBY
 
+      write "slices/main/repositories/post_repository.rb", <<~RUBY
+        module Main
+          module Repositories
+            class PostRepository < Repo
+            end
+          end
+        end
+      RUBY
+
       require "hanami/prepare"
 
       Admin::Slice.prepare :db
@@ -204,12 +220,81 @@ RSpec.describe "DB / Repo", :app_integration do
       migration.apply(gateway, :up)
       gateway.connection.execute("INSERT INTO posts (title) VALUES ('Together breakfast')")
 
+      expect(Admin::Slice["repos.post_repo"].root).to eql Admin::Slice["relations.posts"]
       expect(Admin::Slice["repos.post_repo"].posts).to eql Admin::Slice["relations.posts"]
       expect(Admin::Slice["repos.post_repo"].posts.by_pk(1).one!.class).to be < Admin::Structs::Post
 
       expect(Main::Slice["repos.post_repo"].posts).to eql Main::Slice["relations.posts"]
+      expect(Main::Slice["repositories.post_repository"].posts).to eql Main::Slice["relations.posts"]
       # Slice struct namespace used even when no concrete struct classes are defined
       expect(Main::Slice["repos.post_repo"].posts.by_pk(1).one!.class).to be < Main::Structs::Post
     end
   end
+
+  specify "repos resolve registered container dependencies with Deps[]" do
+    with_tmp_directory(Dir.mktmpdir) do
+      write "config/app.rb", <<~RUBY
+        require "hanami"
+
+        module TestApp
+          class App < Hanami::App
+            Hanami.app.register("dependency") { -> { "Hello dependency!" } }
+          end
+        end
+      RUBY
+
+      write "app/repo.rb", <<~RUBY
+        module TestApp
+          class Repo < Hanami::DB::Repo
+          end
+        end
+      RUBY
+
+      write "app/relations/posts.rb", <<~RUBY
+        module TestApp
+          module Relations
+            class Posts < Hanami::DB::Relation
+              schema :posts, infer: true
+            end
+          end
+        end
+      RUBY
+
+      write "app/repos/post_repo.rb", <<~RUBY
+        module TestApp
+          module Repos
+            class PostRepo < Repo
+              include Deps["dependency"]
+
+              def test
+                dependency.call
+              end
+
+            end
+          end
+        end
+      RUBY
+
+      ENV["DATABASE_URL"] = "sqlite::memory"
+
+      require "hanami/prepare"
+
+      Hanami.app.prepare :db
+
+      # Manually run a migration and add a test record
+      gateway = Hanami.app["db.gateway"]
+      migration = gateway.migration do
+        change do
+          create_table :posts do
+            primary_key :id
+            column :title, :text, null: false
+          end
+        end
+      end
+      migration.apply(gateway, :up)
+
+      repo = Hanami.app["repos.post_repo"]
+      expect(repo.test).to eq "Hello dependency!"
+    end
+  end
 end

data/spec/integration/logging/exception_logging_spec.rb

@@ -73,7 +73,12 @@ RSpec.describe "Logging / Exception logging", :app_integration do
       expect(logs.lines.length).to be > 10
       expect(logs).to match %r{GET 500 \d+(µs|ms) 127.0.0.1 /}
       expect(logs).to include("unhandled (TestApp::Actions::Test::UnhandledError)")
-      expect(logs).to include("app/actions/test.rb:7:in `handle'")
+
+      if RUBY_VERSION < "3.4"
+        expect(logs).to include("app/actions/test.rb:7:in `handle'")
+      else
+        expect(logs).to include("app/actions/test.rb:7:in 'TestApp::Actions::Test#handle'")
+      end
     end
 
     it "re-raises the exception" do