http-headers-verifier 0.0.4 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: efe4065f681747d629f8b0a89709e10cb16b9f7299f42cf5722e5e9faafe41fc
-  data.tar.gz: 9d90369303ceed997df5422d16b8999b23e04940b239ca1266212b1e42f3ef3c
+  metadata.gz: 8402eadfa491beb1ee890ba08d7c8634e3123e7afe641f4c67a6e6e69addc704
+  data.tar.gz: 44ae5406a60518423958d3d014da79ef5d4f88ae4d5ead52ff75a7ec1db96dd1
 SHA512:
-  metadata.gz: 15d3c78df3be4541b8800cbbc2317c7cbc877aceea8457aa2c89f869d5843116cdf15c08dea649668ce491a2522fbeeb3a564f1047477b0b3ca0f47adabac4d6
-  data.tar.gz: 4ace0055eaa94f03c104ffd1ff69a7b7fc4a245234732ff016488b50adff301b1316f50df83b2ea51a59e0c47aa327b3da4b498ac31bdf6650b7b1a48d09393e
+  metadata.gz: 1854d83ae3747570eecfb29111eea335e824a80dedbab08d952502b11af88cda5b0ec356c34954c9902a11c28d68edad89ad31106b251eeb128b3d737f3c03a3
+  data.tar.gz: 431f739312da4d44e001224baf15d7838686ad124819fc6e8d93ac608341beeeb35c267889bff13426dcb4b9e275b0452b9b07fa847517cf88d00e6d9e4fc0de

data/.gitignore

@@ -7,6 +7,7 @@
 /spec/reports/
 /tmp/
 
+headers-rules-*.*
 # rspec failure tracking
 .rspec_status
 *.gem

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    http-headers-verifier (0.0.3)
+    http-headers-verifier (1.0.1)
       typhoeus (~> 1.4)
 
 GEM

data/README.md

@@ -3,28 +3,13 @@
 [![Gem Version](https://badge.fury.io/rb/http-headers-verifier.svg)](https://badge.fury.io/rb/http-headers-verifier)
 [![Build Status](https://travis-ci.org/AvnerCohen/http-headers-verifier.svg?branch=master)](https://travis-ci.org/AvnerCohen/http-headers-verifier)
 
-Verify a pre-defined HTTP headers configurations.
+Assertation framework for http-headers on top of live endpoints, Verify a pre-defined HTTP headers configurations.
+
 Unlike some other similar projects, this is not meant to enforce best practices, instead it is meant to define policies on top of headers and enforce them.
 As a side effect, this means you can define specific OWASP (for example) best practices and verify them, but unlike testing for best practices, this is inteneded to verify an expected headers configuration behavior.
 
 Relevant use cases are for example when updating nginx/caddy configuration or when moving from one web-server to another and expecting to maintain a specific set of header config.
 
-## Installation
-
-Add this line to your application's Gemfile:
-
-```ruby
-gem 'http-headers-verifier'
-```
-
-And then execute:
-
-    $ bundle
-
-Or install it yourself as:
-
-    $ gem install http-headers-verifier
-
 ### Usage
 
 ```sh
@@ -65,6 +50,22 @@ Starting verification of policies default, hs-default, hs-production:
 😱  Failed !
 ```
 
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'http-headers-verifier'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install http-headers-verifier
+
 
 ### Configuration
 

data/exe/http-headers-verifier.rb

@@ -15,15 +15,16 @@ if ARGV.length != 3 && ARGV.length != 2
     exit 2
 end
 
-policy_arg, url, verbose = ARGV
+policy_arg, @url, verbose = ARGV
 @policies = policy_arg.split(',')
 
 HttpHeadersUtils.verbose = !verbose.nil?
 
-actual_headers = Typhoeus.get(url, timeout: HTTP_TIMEOUT_IN_SECONDS, followlocation: true).headers
+request_results = Typhoeus.get(@url, timeout: HTTP_TIMEOUT_IN_SECONDS, followlocation: true)
+actual_headers = request_results.headers
 
 def verify_headers!(actual_headers, rules)
-    puts "Testing url: #{url}"
+    puts "Testing url: #{@url}"
     puts "Starting verification of policies #{HttpHeadersUtils.bold(@policies.join(", "))}:"
     errors = []
     checked_already = Set.new
@@ -64,12 +65,18 @@ end
 def read_policies!(policy_files_names)
     settings = {headers: [], ignored_headers: [], cookie_attr: {}, headers_to_avoid: []}
     policy_files_names.each do |policy_name|
-        policy_data = YAML.load_file("./#{FILE_NAME_PREFIX}#{policy_name}.yml")
-        
-        settings[:headers].push(policy_data['headers']) unless policy_data['headers'].nil?
-        settings[:ignored_headers].push(policy_data['ignored_headers']) unless policy_data['ignored_headers'].nil?
-        settings[:cookie_attr].merge!(policy_data['cookie_attr']) unless policy_data['cookie_attr'].nil?
-        settings[:headers_to_avoid].push(policy_data['headers_to_avoid'])  unless policy_data['headers_to_avoid'].nil?
+        file_name = "./#{FILE_NAME_PREFIX}#{policy_name}.yml"
+        if File.exist?(file_name) 
+            policy_data = YAML.load_file(file_name)
+            settings[:headers].push(policy_data['headers']) unless policy_data['headers'].nil?
+            settings[:ignored_headers].push(policy_data['ignored_headers']) unless policy_data['ignored_headers'].nil?
+            settings[:cookie_attr].merge!(policy_data['cookie_attr']) unless policy_data['cookie_attr'].nil?
+            settings[:headers_to_avoid].push(policy_data['headers_to_avoid'])  unless policy_data['headers_to_avoid'].nil?
+        else
+            puts "💔  Misconfiguration, file #{file_name}, does not exist."
+            exit 1
+        end
+
     end
 
     settings[:headers].flatten!
@@ -80,7 +87,10 @@ def read_policies!(policy_files_names)
 end
 
 
-if verify_headers!(actual_headers, read_policies!(@policies))
+if request_results.return_code != :ok
+    puts "🤕  Request to url #{@url} failed - #{request_results.return_code}, bailing out. "
+    exit 0
+elsif verify_headers!(actual_headers, read_policies!(@policies))
     puts "😎  Success !"
     exit 0
 else

data/lib/http_headers_validations.rb

@@ -9,13 +9,13 @@ module HttpHeadersValidations
     end
 
     def self.assert_expected_header(expected_header, expected_value, actual_value)
-        if (expected_value.is_a?(Regexp) && actual_value.match?(expected_value)) ||
+        if (!actual_value.nil? && expected_value.is_a?(Regexp) && actual_value.match?(expected_value)) ||
             (expected_value.to_s == actual_value.to_s)
             failed = false
             text = "Expected Header '#{expected_header}' matched!"
         else
             failed = true
-            text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! '#{expected_value}' was '#{actual_value}'."
+            text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! '#{expected_value}' #{HttpHeadersUtils.bold('was')} '#{actual_value}'."
         end
         icon = failed ? "🛑" : "🍏"
 
@@ -37,7 +37,7 @@ module HttpHeadersValidations
         else
             icon = "⚠️"
             failed = false
-            text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}' wasn't unexpected."
+            text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}' was unexpected."
         end
 
         report(text, failed, icon)

data/lib/version.rb

@@ -1,3 +1,3 @@
 module HttpHeadersVerifier
-    VERSION = "0.0.4"
-end
+    VERSION = "1.0.1"
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: http-headers-verifier
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 1.0.1
 platform: ruby
 authors:
 - Avner Cohen
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-28 00:00:00.000000000 Z
+date: 2020-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -122,7 +122,7 @@ metadata:
   homepage_uri: https://github.com/AvnerCohen/http-headers-verifier
   source_code_uri: https://github.com/AvnerCohen/http-headers-verifier
   bug_tracker_uri: https://github.com/AvnerCohen/http-headers-verifier/issues
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -137,8 +137,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Verify a pre-defined HTTP headers configurations.
 test_files: []