honkster-rack-ssl-enforcer 0.2.2.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Tobias Matthies
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,111 @@
+= Rack::SslEnforcer
+
+Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
+Cookies as secure by default (HSTS must be set manually).
+
+Tested on Ruby 1.8.7, 1.9.2, REE, JRuby and Rubinius.
+
+== Installation
+
+  gem install rack-ssl-enforcer
+
+
+== Basic Usage
+
+  require 'rack/ssl-enforcer'
+  use Rack::SslEnforcer
+
+Or, if you are using Bundler, just add this to your Gemfile:
+
+  gem 'rack-ssl-enforcer'
+
+To use Rack::SslEnforcer in your Rails application, add the following line to your application
+config file (<tt>config/application.rb</tt> for Rails 3, <tt>config/environment.rb</tt> for Rails 2):
+
+  config.middleware.use Rack::SslEnforcer
+
+If all you want is SSL for your whole application, you are done! However, you can specify some
+
+
+== Options
+
+You might need the :redirect_to option if the requested URL can't be determined (e.g. if using a proxy).
+
+  config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
+
+You can also define specific regex patterns or paths or hosts to redirect.
+
+  config.middleware.use Rack::SslEnforcer, :only => /^\/admin\//
+  config.middleware.use Rack::SslEnforcer, :only => "/login"
+  config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/]
+  config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
+  config.middleware.use Rack::SslEnforcer, :only_hosts => [/[www|api]\.example\.org$/, 'example.com']
+  config.middleware.use Rack::SslEnforcer, :except_hosts => 'help.example.com'
+  config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
+
+Note: hosts options take precedence over the path options. See tests for examples.
+
+Use the :strict option to force http for all requests not matching your :only specification
+
+  config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+  config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com', :strict => true
+
+Or in the case where you have matching urls with different methods (Rails RESTful routes: get#users post#users || get#user/:id put#user/:id) you may need to post and put to secure but redirect to http on get.
+
+  config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
+
+The above will allow you to post/put from the secure/non-secure urls keeping the original schema.
+
+To set HSTS expiry and subdomain inclusion (defaults: one year, true). Strict option disables HSTS.
+
+  config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
+  config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
+
+Finally you might want to share a cookie based session between http and https.
+This is not possible by default with Rack::SslEnforcer for security reasons.
+See: [http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking]
+
+Nevertheless, you can set the option :force_secure_cookies to false in order to be able to share a cookie based session between http and https:
+
+  config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
+
+But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
+This can be done using a coder with Rack::Session::Cookie.
+See: [https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42]
+
+
+== TODO
+
+* Add configuration option to specify local http / https ports
+* Cleanup tests
+
+
+== Contributors
+
+* {Dan Mayer}[http://github.com/danmayer]
+* {Rémy Coutable}[http://github.com/rymai]
+* {Thibaud Guillaume-Gentil}[http://github.com/thibaudgg]
+* {Paul Annesley}[https://github.com/pda]
+* {Saimon Moore}[https://github.com/saimonmoore]
+
+
+== Credits
+
+Flagging cookies as secure functionality and HSTS support is greatly inspired by {Joshua Peek's Rack::SSL}[https://github.com/josh/rack-ssl]
+
+
+== Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version,
+  that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+
+== Copyright
+
+Copyright (c) 2010 Tobias Matthies. See LICENSE for details.

data/lib/rack-ssl-enforcer.rb

@@ -0,0 +1 @@
+require 'rack/ssl-enforcer'

data/lib/rack/ssl-enforcer.rb

@@ -0,0 +1,174 @@
+module Rack
+  class SslEnforcer
+
+    # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
+    #  are encoded and that you understand the consequences (see documentation)
+    def initialize(app, options={})
+      default_options = {
+        :redirect_to => nil,
+        :only => nil,
+        :only_hosts => nil,
+        :except => nil,
+        :except_hosts => nil,
+        :strict => false,
+        :mixed => false,
+        :hsts => nil,
+        :http_port => nil,
+        :https_port => nil,
+        :force_secure_cookies => true
+      }
+      @app, @options = app, default_options.merge(options)
+    end
+
+    def call(env)
+      @req = Rack::Request.new(env)
+      if enforce_ssl?(@req)
+        scheme = 'https' unless ssl_request?(env)
+      elsif ssl_request?(env) && enforcement_non_ssl?(env)
+        scheme = 'http'
+      end
+
+      if scheme
+        location = replace_scheme(@req, scheme).url
+        body     = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
+        [301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
+      elsif ssl_request?(env)
+        status, headers, body = @app.call(env)
+        flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
+        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
+        [status, headers, body]
+      else
+        @app.call(env)
+      end
+    end
+
+  private
+
+    def enforcement_non_ssl?(env)
+      true if @options[:strict] || @options[:mixed] && !(env['REQUEST_METHOD'] == 'PUT' || env['REQUEST_METHOD'] == 'POST')
+    end
+
+    def ssl_request?(env)
+      scheme(env) == 'https'
+    end
+
+    # Fixed in rack >= 1.3
+    def scheme(env)
+      if env['HTTPS'] == 'on'
+        'https'
+      elsif env['HTTP_X_FORWARDED_PROTO']
+        env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      else
+        env['rack.url_scheme']
+      end
+    end
+
+    def matches?(key, pattern, req)
+      if pattern.is_a?(Regexp)
+        case key
+        when :only
+          req.path =~ pattern
+        when :except
+          req.path !~ pattern
+        when :only_hosts
+          req.host =~ pattern
+        when :except_hosts
+          req.host !~ pattern
+        end
+      else
+        case key
+        when :only
+          req.path[0,pattern.length] == pattern
+        when :except
+          req.path[0,pattern.length] != pattern
+        when :only_hosts
+          req.host == pattern
+        when :except_hosts
+          req.host != pattern
+        end
+      end
+    end
+
+    def enforce_ssl_for?(keys, req)
+      if keys.any? { |option| @options[option] }
+        keys.any? do |key|
+          rules = [@options[key]].flatten.compact
+          unless rules.empty?
+            rules.send(key == :except_hosts || key == :except ? "all?" : "any?") do |pattern|
+              matches?(key, pattern, req)
+            end
+          end
+        end
+      else
+        false
+      end
+    end
+
+    def enforce_ssl?(req)
+      path_keys = [:only, :except]
+      hosts_keys = [:only_hosts, :except_hosts]
+      if hosts_keys.any? { |option| @options[option] }
+        if enforce_ssl_for?(hosts_keys, req)
+          if path_keys.any? { |option| @options[option] }
+            enforce_ssl_for?(path_keys, req)
+          else
+            true
+          end
+        else
+          false
+        end
+      elsif path_keys.any? { |option| @options[option] }
+        enforce_ssl_for?(path_keys, req)
+      else
+        true
+      end
+    end
+
+    def replace_scheme(req, scheme)
+      if @options[:redirect_to]
+        uri = URI.split(@options[:redirect_to])
+        uri = uri[2] || uri[5]
+      else
+        uri = nil
+      end
+      Rack::Request.new(req.env.merge(
+        'rack.url_scheme' => scheme,
+        'HTTP_X_FORWARDED_PROTO' => scheme,
+        'HTTP_X_FORWARDED_PORT' => port_for(scheme).to_s,
+        'SERVER_PORT' => port_for(scheme).to_s
+      ).merge(uri ? {'HTTP_HOST' => uri} : {}))
+    end
+
+    def port_for(scheme)
+      if scheme == 'https'
+        @options[:https_port] || 443
+      else
+        @options[:http_port] || 80
+      end
+    end
+
+    # see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
+    def flag_cookies_as_secure!(headers)
+      if cookies = headers['Set-Cookie']
+        # Support Rails 2.3 / Rack 1.1 arrays as headers
+        unless cookies.is_a?(Array)
+          cookies = cookies.split("\n")
+        end
+
+        headers['Set-Cookie'] = cookies.map do |cookie|
+          cookie !~ / secure;/ ? "#{cookie}; secure" : cookie
+        end.join("\n")
+      end
+    end
+
+    # see http://en.wikipedia.org/wiki/Strict_Transport_Security
+    def set_hsts_headers!(headers)
+      opts = { :expires => 31536000, :subdomains => true }
+      opts.merge!(@options[:hsts])
+      value  = "max-age=#{opts[:expires]}"
+      value += "; includeSubDomains" if opts[:subdomains]
+      headers.merge!({ 'Strict-Transport-Security' => value })
+    end
+
+  end
+end

data/lib/rack/ssl-enforcer/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class SslEnforcer
+    VERSION = "0.2.2.1"
+  end
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification 
+name: honkster-rack-ssl-enforcer
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.2.2.1
+platform: ruby
+authors: 
+- Tobias Matthies
+- Thibaud Guillaume-Gentil
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-07-27 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: bundler
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "1.0"
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: guard
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 0.3.3
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: guard-test
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "0.2"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: test-unit
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "2.2"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: shoulda
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 2.11.3
+  type: :development
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: rack
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 1.2.0
+  type: :development
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency 
+  name: rack-test
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 0.5.4
+  type: :development
+  version_requirements: *id007
+description: Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
+email: 
+- tm@mit2m.de
+- thibaud@thibaud.me
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/rack-ssl-enforcer.rb
+- lib/rack/ssl-enforcer/version.rb
+- lib/rack/ssl-enforcer.rb
+- LICENSE
+- README.rdoc
+has_rdoc: true
+homepage: http://github.com/tobmatth/rack-ssl-enforcer
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: 1.3.6
+requirements: []
+
+rubyforge_project: rack-ssl-enforcer
+rubygems_version: 1.5.2
+signing_key: 
+specification_version: 3
+summary: A simple Rack middleware to enforce SSL
+test_files: []
+