hanami 2.2.1 → 2.3.0.beta1

data/spec/integration/web/content_security_policy_nonce_spec.rb

@@ -0,0 +1,251 @@
+# frozen_string_literal: true
+
+require "rack/test"
+
+RSpec.describe "Web / Content security policy nonce", :app_integration do
+  include Rack::Test::Methods
+
+  let(:app) { Hanami.app }
+
+  before do
+    with_directory(@dir = make_tmp_directory) do
+      write "config/routes.rb", <<~RUBY
+        module TestApp
+          class Routes < Hanami::Routes
+            get "index", to: "index"
+          end
+        end
+      RUBY
+
+      write "app/actions/index.rb", <<~RUBY
+        module TestApp
+          module Actions
+            class Index < Hanami::Action
+            end
+          end
+        end
+      RUBY
+
+      write "app/views/index.rb", <<~RUBY
+        module TestApp
+          module Views
+            class Index < Hanami::View
+              config.layout = false
+            end
+          end
+        end
+      RUBY
+
+      write "app/templates/index.html.erb", <<~HTML
+        <!DOCTYPE html>
+        <html lang="en">
+          <head>
+            <%= stylesheet_tag "app", class: "nonce-true", nonce: true %>
+            <%= stylesheet_tag "app", class: "nonce-false", nonce: false %>
+            <%= stylesheet_tag "app", class: "nonce-explicit", nonce: "explicit" %>
+            <%= stylesheet_tag "app", class: "nonce-generated" %>
+            <%= stylesheet_tag "https://example.com/app.css", class: "nonce-absolute" %>
+          </head>
+          <body>
+            <style nonce="<%= content_security_policy_nonce %>"></style>
+            <%= javascript_tag "app", class: "nonce-true", nonce: true %>
+            <%= javascript_tag "app", class: "nonce-false", nonce: false %>
+            <%= javascript_tag "app", class: "nonce-explicit", nonce: "explicit" %>
+            <%= javascript_tag "app", class: "nonce-generated" %>
+            <%= javascript_tag "https://example.com/app.js", class: "nonce-absolute" %>
+          </body>
+        </html>
+      HTML
+
+      write "package.json", <<~JSON
+        {
+          "type": "module"
+        }
+      JSON
+
+      write "config/assets.js", <<~JS
+        import * as assets from "hanami-assets";
+        await assets.run();
+      JS
+
+      write "app/assets/js/app.js", <<~JS
+        import "../css/app.css";
+      JS
+
+      write "app/assets/css/app.css", ""
+
+      before_prepare if respond_to?(:before_prepare)
+      require "hanami/prepare"
+      compile_assets!
+    end
+  end
+
+  describe "HTML request" do
+    context "CSP enabled" do
+      def before_prepare
+        write "config/app.rb", <<~RUBY
+          require "hanami"
+
+          module TestApp
+            class App < Hanami::App
+              config.actions.content_security_policy[:script_src] = "'self' 'nonce'"
+
+              config.logger.stream = File::NULL
+            end
+          end
+        RUBY
+      end
+
+      it "sets unique and per-request hanami.content_security_policy_nonce in Rack env" do
+        previous_nonces = []
+        3.times do
+          get "/index"
+          nonce = last_request.env["hanami.content_security_policy_nonce"]
+
+          expect(nonce).to match(/\A[A-Za-z0-9\-_]{22}\z/)
+          expect(previous_nonces).not_to include nonce
+
+          previous_nonces << nonce
+        end
+      end
+
+      it "accepts custom nonce generator proc without arguments" do
+        Hanami.app.config.actions.content_security_policy_nonce_generator = -> { "foobar" }
+
+        get "/index"
+
+        expect(last_request.env["hanami.content_security_policy_nonce"]).to eql("foobar")
+      end
+
+      it "accepts custom nonce generator proc with Rack request as argument" do
+        Hanami.app.config.actions.content_security_policy_nonce_generator = ->(request) { request }
+
+        get "/index"
+
+        expect(last_request.env["hanami.content_security_policy_nonce"]).to be_a(Rack::Request)
+      end
+
+      it "substitutes 'nonce' in the CSP header" do
+        get "/index"
+        nonce = last_request.env["hanami.content_security_policy_nonce"]
+
+        expect(last_response.get_header("Content-Security-Policy")).to match(/script-src 'self' 'nonce-#{nonce}'/)
+      end
+
+      it "behaves the same with explicitly added middleware" do
+        Hanami.app.config.middleware.use Hanami::Middleware::ContentSecurityPolicyNonce
+        get "/index"
+
+        expect(last_request.env["hanami.content_security_policy_nonce"]).to match(/\A[A-Za-z0-9\-_]{22}\z/)
+      end
+
+      describe "content_security_policy_nonce" do
+        it "renders the current nonce" do
+          get "/index"
+          nonce = last_request.env["hanami.content_security_policy_nonce"]
+
+          expect(last_response.body).to include(%(<style nonce="#{nonce}">))
+        end
+      end
+
+      describe "stylesheet_tag" do
+        it "renders the correct nonce unless remote URL or nonce set to false" do
+          get "/index"
+          nonce = last_request.env["hanami.content_security_policy_nonce"]
+
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" nonce="#{nonce}" class="nonce-true">))
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" class="nonce-false">))
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" nonce="explicit" class="nonce-explicit">))
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" nonce="#{nonce}" class="nonce-generated">))
+          expect(last_response.body).to include(%(<link href="https://example.com/app.css" type="text/css" rel="stylesheet" class="nonce-absolute">))
+        end
+      end
+
+      describe "javascript_tag" do
+        it "renders the correct nonce unless remote URL or nonce set to false" do
+          get "/index"
+          nonce = last_request.env["hanami.content_security_policy_nonce"]
+
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" nonce="#{nonce}" class="nonce-true"></script>))
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" class="nonce-false"></script>))
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" nonce="explicit" class="nonce-explicit"></script>))
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" nonce="#{nonce}" class="nonce-generated"></script>))
+          expect(last_response.body).to include(%(<script src="https://example.com/app.js" type="text/javascript" class="nonce-absolute"></script>))
+        end
+      end
+    end
+
+    context "CSP disabled" do
+      def before_prepare
+        write "config/app.rb", <<~RUBY
+          require "hanami"
+
+          module TestApp
+            class App < Hanami::App
+              config.actions.content_security_policy = false
+
+              config.logger.stream = File::NULL
+            end
+          end
+        RUBY
+      end
+
+      it "does not set hanami.content_security_policy_nonce in Rack env" do
+        get "/index"
+
+        expect(last_request.env).to_not have_key "hanami.content_security_policy_nonce"
+      end
+
+      it "does not produce a CSP header" do
+        get "/index"
+
+        expect(last_response.headers).to_not have_key "Content-Security-Policy"
+      end
+
+      it "disables the content_security_policy_nonce helper" do
+        get "/index"
+
+        expect(last_response.body).to match(/<style nonce="">/)
+      end
+
+      it "behaves the same with explicitly added middleware" do
+        Hanami.app.config.middleware.use Hanami::Middleware::ContentSecurityPolicyNonce
+        get "/index"
+
+        expect(last_response.headers).to_not have_key "Content-Security-Policy"
+      end
+
+      describe "content_security_policy_nonce" do
+        it "renders nothing" do
+          get "/index"
+
+          expect(last_response.body).to include(%(<style nonce="">))
+        end
+      end
+
+      describe "stylesheet_tag" do
+        it "renders the correct explicit nonce only" do
+          get "/index"
+
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" class="nonce-true">))
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" class="nonce-false">))
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" nonce="explicit" class="nonce-explicit">))
+          expect(last_response.body).to include(%(<link href="/assets/app-KUHJPSX7.css" type="text/css" rel="stylesheet" class="nonce-generated">))
+          expect(last_response.body).to include(%(<link href="https://example.com/app.css" type="text/css" rel="stylesheet" class="nonce-absolute">))
+        end
+      end
+
+      describe "javascript_tag" do
+        it "renders the correct explicit nonce only" do
+          get "/index"
+
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" class="nonce-true"></script>))
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" class="nonce-false"></script>))
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" nonce="explicit" class="nonce-explicit"></script>))
+          expect(last_response.body).to include(%(<script src="/assets/app-LSLFPUMX.js" type="text/javascript" class="nonce-generated"></script>))
+          expect(last_response.body).to include(%(<script src="https://example.com/app.js" type="text/javascript" class="nonce-absolute"></script>))
+        end
+      end
+    end
+  end
+end

data/spec/support/app_integration.rb

@@ -118,7 +118,8 @@ RSpec.configure do |config|
     Hanami.instance_variable_set(:@_bundled, {})
     Hanami.remove_instance_variable(:@_app) if Hanami.instance_variable_defined?(:@_app)
 
-    # Clear cached DB gateways across slices
+    # Disconnect and clear cached DB gateways across slices
+    Hanami::Providers::DB.cache.values.map(&:disconnect)
     Hanami::Providers::DB.cache.clear
 
     $LOAD_PATH.replace(@load_paths)

data/spec/unit/hanami/config/actions/content_security_policy_spec.rb

@@ -28,6 +28,7 @@ RSpec.describe Hanami::Config::Actions, "#content_security_policy" do
       ].join(";")
 
       expect(content_security_policy.to_s).to eq(expected)
+      expect(content_security_policy.nonce?).to be(false)
     end
   end
 
@@ -68,6 +69,12 @@ RSpec.describe Hanami::Config::Actions, "#content_security_policy" do
       expect(content_security_policy[:a_custom_key]).to eq("foo")
       expect(content_security_policy.to_s).to match("a-custom-key foo")
     end
+
+    it "uses 'nonce' in value" do
+      content_security_policy[:javascript_src] = "'self' 'nonce'"
+
+      expect(content_security_policy.nonce?).to be(true)
+    end
   end
 
   context "with CSP enabled" do

data/spec/unit/hanami/config/console_spec.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "hanami/config"
+
+RSpec.describe Hanami::Config, "#console" do
+  let(:config) { described_class.new(app_name: app_name, env: :development) }
+  let(:app_name) { "MyApp::App" }
+
+  subject(:console) { config.console }
+
+  it "is a full console configuration" do
+    is_expected.to be_an_instance_of(Hanami::Config::Console)
+
+    is_expected.to respond_to(:engine)
+    is_expected.to respond_to(:include)
+    is_expected.to respond_to(:extensions)
+  end
+
+  it "can be finalized" do
+    is_expected.to respond_to(:finalize!)
+  end
+end

data/spec/unit/hanami/env_spec.rb

@@ -3,30 +3,27 @@
 RSpec.describe Hanami, ".env" do
   subject { described_class.env(e: env) }
 
-  context "HANAMI_ENV in ENV" do
-    let(:env) { {"HANAMI_ENV" => "test"} }
+  context "HANAMI_ENV, APP_ENV and RACK_ENV in ENV" do
+    let(:env) { { "HANAMI_ENV" => "test", "APP_ENV" => "development", "RACK_ENV" => "production" } }
 
     it "is the value of HANAMI_ENV" do
       is_expected.to eq(:test)
     end
   end
 
-  context "RACK_ENV in ENV" do
-    let(:env) { {"HANAMI_ENV" => "test"} }
+  context "APP_ENV and RACK_ENV in ENV" do
+    let(:env) { {"APP_ENV" => "development", "RACK_ENV" => "production" } }
 
-    it "is the value of RACK_ENV" do
-      is_expected.to eq(:test)
+    it "is the value of APP_ENV" do
+      is_expected.to eq(:development)
     end
   end
 
-  context "both HANAMI_ENV and RACK_ENV in ENV" do
-    let(:env) do
-      {"HANAMI_ENV" => "test",
-       "RACK_ENV" => "production"}
-    end
+  context "RACK_ENV in ENV" do
+    let(:env) { { "RACK_ENV" => "production" } }
 
-    it "is the value of HANAMI_ENV" do
-      is_expected.to eq(:test)
+    it "is the value of RACK_ENV" do
+      is_expected.to eq(:production)
     end
   end
 

data/spec/unit/hanami/slice_spec.rb

@@ -65,6 +65,24 @@ RSpec.describe Hanami::Slice, :app_integration do
       expect { Class.new(described_class).prepare }
         .to raise_error Hanami::SliceLoadError, /Slice must have a class name/
     end
+
+    it "does not allow special characters in slice names" do
+      expect { Hanami.app.register_slice(:'test_$lice') }
+        .to raise_error(ArgumentError, /must be lowercase alphanumeric text and underscores only/)
+    end
+
+    it "does not allow uppercase characters in slice names" do
+      expect { Hanami.app.register_slice(:TEST_slice) }
+        .to raise_error(ArgumentError, /must be lowercase alphanumeric text and underscores only/)
+    end
+
+    it "allows lowercase alphanumeric text and underscores only" do
+      expect { Hanami.app.register_slice(:test_slice) }.not_to raise_error
+    end
+
+    it "allows single character slice names" do
+      expect { Hanami.app.register_slice(:t) }.not_to raise_error
+    end
   end
 
   describe ".source_path" do

data/spec/unit/hanami/version_spec.rb

@@ -2,6 +2,6 @@
 
 RSpec.describe "Hanami::VERSION" do
   it "returns current version" do
-    expect(Hanami::VERSION).to eq("2.2.1")
+    expect(Hanami::VERSION).to eq("2.3.0.beta1")
   end
 end

data/spec/unit/hanami/web/rack_logger_spec.rb

@@ -53,10 +53,17 @@ RSpec.describe Hanami::Web::RackLogger do
       stream.rewind
       actual = stream.read
 
-      expect(actual).to eql(<<~LOG)
-        [#{app_name}] [INFO] [#{time}] #{verb} #{status} #{elapsed}µs #{ip} #{path} #{content_length}
-          {"user"=>{"password"=>"[FILTERED]"}}
-      LOG
+      if RUBY_VERSION < "3.4"
+        expect(actual).to eql(<<~LOG)
+          [#{app_name}] [INFO] [#{time}] #{verb} #{status} #{elapsed}µs #{ip} #{path} #{content_length}
+            {"user"=>{"password"=>"[FILTERED]"}}
+        LOG
+      else
+        expect(actual).to eql(<<~LOG)
+          [#{app_name}] [INFO] [#{time}] #{verb} #{status} #{elapsed}µs #{ip} #{path} #{content_length}
+            {"user" => {"password" => "[FILTERED]"}}
+        LOG
+      end
     end
 
     context "ip" do

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: hanami
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.3.0.beta1
 platform: ruby
 authors:
 - Luca Guidi
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-13 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -168,14 +167,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.3.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.3.0.beta1
 - !ruby/object:Gem::Dependency
   name: hanami-utils
   requirement: !ruby/object:Gem::Requirement
@@ -218,6 +217,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: rack-session
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -238,14 +251,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -282,6 +295,7 @@ files:
 - lib/hanami/config/actions/cookies.rb
 - lib/hanami/config/actions/sessions.rb
 - lib/hanami/config/assets.rb
+- lib/hanami/config/console.rb
 - lib/hanami/config/db.rb
 - lib/hanami/config/logger.rb
 - lib/hanami/config/null_config.rb
@@ -310,6 +324,7 @@ files:
 - lib/hanami/helpers/form_helper/form_builder.rb
 - lib/hanami/helpers/form_helper/values.rb
 - lib/hanami/middleware/assets.rb
+- lib/hanami/middleware/content_security_policy_nonce.rb
 - lib/hanami/middleware/public_errors_app.rb
 - lib/hanami/middleware/render_errors.rb
 - lib/hanami/port.rb
@@ -432,6 +447,7 @@ files:
 - spec/integration/view/parts/default_rendering_spec.rb
 - spec/integration/view/slice_configuration_spec.rb
 - spec/integration/view/views_spec.rb
+- spec/integration/web/content_security_policy_nonce_spec.rb
 - spec/integration/web/render_detailed_errors_spec.rb
 - spec/integration/web/render_errors_spec.rb
 - spec/integration/web/welcome_view_spec.rb
@@ -440,10 +456,6 @@ files:
 - spec/support/coverage.rb
 - spec/support/matchers.rb
 - spec/support/rspec.rb
-- spec/support/shared_examples/cli/generate/app.rb
-- spec/support/shared_examples/cli/generate/migration.rb
-- spec/support/shared_examples/cli/generate/model.rb
-- spec/support/shared_examples/cli/new.rb
 - spec/unit/hanami/config/actions/content_security_policy_spec.rb
 - spec/unit/hanami/config/actions/cookies_spec.rb
 - spec/unit/hanami/config/actions/csrf_protection_spec.rb
@@ -451,6 +463,7 @@ files:
 - spec/unit/hanami/config/actions/sessions_spec.rb
 - spec/unit/hanami/config/actions_spec.rb
 - spec/unit/hanami/config/base_url_spec.rb
+- spec/unit/hanami/config/console_spec.rb
 - spec/unit/hanami/config/db_spec.rb
 - spec/unit/hanami/config/inflector_spec.rb
 - spec/unit/hanami/config/logger_spec.rb
@@ -488,7 +501,6 @@ licenses:
 metadata:
   rubygems_mfa_required: 'true'
   allowed_push_host: https://rubygems.org
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -503,8 +515,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: The web, with simplicity
 test_files:
@@ -593,6 +604,7 @@ test_files:
 - spec/integration/view/parts/default_rendering_spec.rb
 - spec/integration/view/slice_configuration_spec.rb
 - spec/integration/view/views_spec.rb
+- spec/integration/web/content_security_policy_nonce_spec.rb
 - spec/integration/web/render_detailed_errors_spec.rb
 - spec/integration/web/render_errors_spec.rb
 - spec/integration/web/welcome_view_spec.rb
@@ -601,10 +613,6 @@ test_files:
 - spec/support/coverage.rb
 - spec/support/matchers.rb
 - spec/support/rspec.rb
-- spec/support/shared_examples/cli/generate/app.rb
-- spec/support/shared_examples/cli/generate/migration.rb
-- spec/support/shared_examples/cli/generate/model.rb
-- spec/support/shared_examples/cli/new.rb
 - spec/unit/hanami/config/actions/content_security_policy_spec.rb
 - spec/unit/hanami/config/actions/cookies_spec.rb
 - spec/unit/hanami/config/actions/csrf_protection_spec.rb
@@ -612,6 +620,7 @@ test_files:
 - spec/unit/hanami/config/actions/sessions_spec.rb
 - spec/unit/hanami/config/actions_spec.rb
 - spec/unit/hanami/config/base_url_spec.rb
+- spec/unit/hanami/config/console_spec.rb
 - spec/unit/hanami/config/db_spec.rb
 - spec/unit/hanami/config/inflector_spec.rb
 - spec/unit/hanami/config/logger_spec.rb