http-security 0.1.0

data/lib/http/security/headers/public_key_pins_report_only.rb

@@ -0,0 +1,10 @@
+require 'http/security/headers/public_key_pins'
+
+module HTTP
+  module Security
+    module Headers
+      class PublicKeyPinsReportOnly < PublicKeyPins
+      end
+    end
+  end
+end

data/lib/http/security/headers/set_cookie.rb

@@ -0,0 +1,75 @@
+module HTTP
+  module Security
+    module Headers
+      class SetCookie
+
+        include Enumerable
+
+        # @return [Array<Cookie>]
+        attr_reader :cookies
+
+        class Cookie
+
+          attr_reader :cookie
+
+          attr_reader :path
+
+          attr_reader :domain
+
+          attr_reader :expires
+
+          def initialize(directives={})
+            @cookie    = directives[:cookie]
+            @path      = directives[:path]
+            @domain    = directives[:domain]
+            @expires   = directives[:expires]
+            @secure    = directives[:secure]
+            @http_only = directives[:http_only]
+          end
+
+          def name
+            @cookie.keys.first
+          end
+
+          def value
+            @cookie.values.first
+          end
+
+          def secure?
+            !!@secure
+          end
+
+          def http_only?
+            !!@http_only
+          end
+
+          def to_s
+            str = "#{name}=#{value}"
+
+            str << "; Path=#{@path}"                if @path
+            str << "; Domain=#{@domain}"            if @domain
+            str << "; Expires=#{@expires.httpdate}" if @expires
+            str << "; Secure"                       if @secure
+            str << "; HttpOnly"                     if @http_only
+
+            return str
+          end
+
+        end
+
+        def initialize(cookies=[])
+          @cookies = cookies.map { |cookie| Cookie.new(cookie) }
+        end
+
+        def each(&block)
+          @cookies.each(&block)
+        end
+
+        def to_s
+          @cookies.map(&:to_s).join(', ')
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/strict_transport_security.rb

@@ -0,0 +1,29 @@
+module HTTP
+  module Security
+    module Headers
+      class StrictTransportSecurity
+
+        attr_reader :max_age
+
+        def initialize(directives={})
+          @max_age             = directives[:max_age]
+          @include_sub_domains = directives[:includesubdomains]
+        end
+
+        def include_sub_domains?
+          !!@include_sub_domains
+        end
+
+        def to_s
+          directives = []
+
+          directives << "max-age=#{@max_age}" if @max_age
+          directives << "includeSubDomains"   if @include_sub_domains
+
+          return directives.join('; ')
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/x_content_type_options.rb

@@ -0,0 +1,24 @@
+module HTTP
+  module Security
+    module Headers
+      class XContentTypeOptions
+
+        def initialize(directives={})
+          @no_sniff = directives[:nosniff]
+        end
+
+        def no_sniff?
+          !!@no_sniff
+        end
+
+        def to_s
+          str = ''
+          str << "nosniff" if @no_sniff
+
+          return str
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/x_frame_options.rb

@@ -0,0 +1,39 @@
+module HTTP
+  module Security
+    module Headers
+      class XFrameOptions
+
+        attr_reader :allow_from
+
+        def initialize(directives={})
+          @deny        = directives[:deny]
+          @same_origin = directives[:sameorigin]
+          @allow_from  = directives[:allow_from]
+          @allow_all   = directives[:allowall]
+        end
+
+        def deny?
+          !!@deny
+        end
+
+        def same_origin?
+          !!@same_origin
+        end
+
+        def allow_all?
+          !!@allow_all
+        end
+
+        def to_s
+          if    @deny        then 'DENY'
+          elsif @same_origin then 'SAMEORIGIN'
+          elsif @allow_from  then "ALLOW-FROM #{@allow_from}"
+          elsif @allow_all   then 'ALLOWALL'
+          else                    ''
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/x_permitted_cross_domain_policies.rb

@@ -0,0 +1,47 @@
+module HTTP
+  module Security
+    module Headers
+      class XPermittedCrossDomainPolicies
+
+        def initialize(directives={})
+          @none            = directives[:none]
+          @master_only     = directives[:master_only]
+          @by_content_type = directives[:by_content_type]
+          @by_ftp_filename = directives[:by_ftp_filename]
+          @all             = directives[:all]
+        end
+
+        def none?
+          !!@none
+        end
+
+        def master_only?
+          !!@master_only
+        end
+
+        def by_content_type?
+          !!@by_content_type
+        end
+
+        def by_ftp_filename?
+          !!@by_ftp_filename
+        end
+
+        def all?
+          !!@all
+        end
+
+        def to_s
+          if    @none            then 'none'
+          elsif @master_only     then 'master-only'
+          elsif @by_content_type then 'by-content-type'
+          elsif @by_ftp_filename then 'by-ftp-filename'
+          elsif @all             then 'all'
+          else                        ''
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/x_xss_protection.rb

@@ -0,0 +1,34 @@
+module HTTP
+  module Security
+    module Headers
+      class XXSSProtection
+
+        attr_reader :mode
+
+        attr_reader :report
+
+        def initialize(directives={})
+          @enabled = directives[:enabled]
+          @mode    = directives[:mode]
+          @report  = directives[:report]
+        end
+
+        def enabled?
+          !!@enabled
+        end
+
+        def to_s
+          str = if @enabled then '1'
+                else             '0'
+                end
+
+          str << "; mode=#{@mode}"     if @mode
+          str << "; report=#{@report}" if @report
+
+          return str
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/http_date.rb

@@ -0,0 +1,13 @@
+require 'date'
+
+module HTTP
+  module Security
+    class HTTPDate < Date
+
+      def to_s
+        httpdate
+      end
+
+    end
+  end
+end

data/lib/http/security/malformed_header.rb

@@ -0,0 +1,33 @@
+module HTTP
+  module Security
+    class MalformedHeader
+
+      # Raw value of the header.
+      #
+      # @return [String]
+      attr_reader :value
+
+      # Cause of the parser failure.
+      #
+      # @return [Parslet::Cause]
+      attr_reader :cause
+
+      #
+      # Initializes the malformed header.
+      #
+      # @param [String] value
+      #   The raw header value.
+      #
+      # @param [Parslet::Cause] cause
+      #   The cause of the parser failure.
+      #
+      def initialize(value,cause)
+        @value = value
+        @cause = cause
+      end
+
+      alias value to_s
+
+    end
+  end
+end

data/lib/http/security/parsers.rb

@@ -0,0 +1,14 @@
+require 'http/security/parsers/cache_control'
+require 'http/security/parsers/content_security_policy'
+require 'http/security/parsers/content_security_policy_report_only'
+require 'http/security/parsers/expires'
+require 'http/security/parsers/pragma'
+require 'http/security/parsers/public_key_pins'
+require 'http/security/parsers/public_key_pins_report_only'
+require 'http/security/parsers/strict_transport_security'
+require 'http/security/parsers/set_cookie'
+require 'http/security/parsers/public_key_pins'
+require 'http/security/parsers/x_content_type_options'
+require 'http/security/parsers/x_frame_options'
+require 'http/security/parsers/x_permitted_cross_domain_policies'
+require 'http/security/parsers/x_xss_protection'

data/lib/http/security/parsers/cache_control.rb

@@ -0,0 +1,62 @@
+require 'http/security/parsers/parser'
+
+module HTTP
+  module Security
+    module Parsers
+      class CacheControl < Parser
+        # Cache-Control
+        # Syntax:
+        # Cache-Control   = "Cache-Control" ":" 1#cache-directive
+        # cache-directive = cache-response-directive
+        #  cache-response-directive =
+        #        "public"                               ; Section 14.9.1
+        #      | "private" [ "=" <"> 1#field-name <"> ] ; Section 14.9.1
+        #      | "no-cache" [ "=" <"> 1#field-name <"> ]; Section 14.9.1
+        #      | "no-store"                             ; Section 14.9.2
+        #      | "no-transform"                         ; Section 14.9.5
+        #      | "must-revalidate"                      ; Section 14.9.4
+        #      | "proxy-revalidate"                     ; Section 14.9.4
+        #      | "max-age" "=" delta-seconds            ; Section 14.9.3
+        #      | "s-maxage" "=" delta-seconds           ; Section 14.9.3
+        #      | cache-extension                        ; Section 14.9.6
+        # cache-extension = token [ "=" ( token | quoted-string ) ]
+        rule(:cache_control) do
+          (
+            cache_control_values >> (comma >> cache_control_values).repeat
+          ).as(:directives)
+        end
+        root :cache_control
+
+        rule(:cache_control_values) do
+            cc_public       |
+            cc_private      |
+            no_cache        |
+            no_store        |
+            no_transform    |
+            must_revalidate |
+            max_age         |
+            s_maxage        |
+            only_if_cached  |
+            header_extension
+        end
+
+        #"private" [ "=" <"> 1#field-name <"> ];
+        rule(:cc_public) do
+          stri("public").as(:key) >> (equals >> field_name.as(:value)).maybe
+        end
+
+        #"private" [ "=" <"> 1#field-name <"> ];
+        rule(:cc_private) do
+          stri("private").as(:key) >> (equals >> field_name.as(:value)).maybe
+        end
+
+        field_directive_rule :no_cache, 'no-cache'
+        directive_rule :no_store, 'no-store'
+        directive_rule :no_transform, 'no-transform'
+        directive_rule :must_revalidate, 'must-revalidate'
+        directive_rule :only_if_cached, 'only-if-cached'
+
+      end
+    end
+  end
+end

data/lib/http/security/parsers/content_security_policy.rb

@@ -0,0 +1,128 @@
+require 'http/security/parsers/parser'
+
+module HTTP
+  module Security
+    module Parsers
+      class ContentSecurityPolicy < Parser
+        # Content-Security-Policy
+        # Syntax:
+        # Content-Security-Policy =
+        # policy-token    = [ directive-token *( ";" [ directive-token ] ) ]
+        # directive-token = *WSP [ directive-name [ WSP directive-value ] ]
+        # directive-name  = 1*( ALPHA / DIGIT / "-" )
+        # directive-value = *( WSP / <VCHAR except ";" and ","> )
+        #
+        # Parsing Policies:
+        # To parse the policy policy, the user agent MUST use an algorithm equivalent to the following:
+        #   1. Let the set of directives be the empty set.
+        #   2. For each non-empty token returned by strictly splitting the string policy on the character U+003B SEMICOLON (;):
+        #     1. Skip whitespace.
+        #     2. Collect a sequence of characters that are not space characters. The collected characters are the directive name.
+        #     3. If there are characters remaining in token, skip ahead exactly one character (which must be a space character).
+        #     4. The remaining characters in token (if any) are the directive value.
+        #     5. If the set of directives already contains a directive whose name is a case insensitive match for directive name,
+        #        ignore this instance of the directive and continue to the next token.
+        #     6. Add a directive to the set of directives with name directive name and value directive value.
+        #   3. Return the set of directives.
+        rule(:csp_pattern) do
+          (
+            csp_entry >> ( str(";") >> wsp >> csp_entry ).repeat(0) >> semicolon.maybe
+          ).as(:directives)
+        end
+        root :csp_pattern
+
+        rule(:csp_entry) do
+          (csp_directive.as(:key) >> wsp >> source_list.as(:value)) |
+          report_uri                                                 |
+          sandbox
+        end
+
+        rule(:csp_directive) do
+          stri("default-src") |
+          stri("script-src")  |
+          stri("object-src")  |
+          stri("style-src")   |
+          stri("img-src")     |
+          stri("media-src")   |
+          stri("frame-src")   |
+          stri("font-src")    |
+          stri("connect-src")
+        end
+
+        # Source list
+        # Syntax:
+        # source-list       = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
+        #                   / *WSP "'none'" *WSP
+        # source-expression = scheme-source / host-source / keyword-source
+        # scheme-source     = scheme ":"
+        # host-source       = [ scheme "://" ] host [ port ]
+        # ext-host-source   = host-source "/" *( <VCHAR except ";" and ","> )
+        #                   ; ext-host-source is reserved for future use.
+        # keyword-source    = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
+        # scheme            = <scheme production from RFC 3986>
+        # host              = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
+        # host-char         = ALPHA / DIGIT / "-"
+        # port              = ":" ( 1*DIGIT / "*" )
+        rule(:source_list) do
+          (wsp? >> stri("'none'") >> wsp?) |
+          (wsp? >> source_expression >> (wsp >> source_expression).repeat(0))
+        end
+
+        rule(:source_expression) do
+          scheme_source | host_source | keyword_source
+        end
+
+        rule(:csp_vchar) do
+          match["\x20-\x2b"]                     |
+          match["#{Regexp.escape("\x2d")}-\x3a"] |
+          match["\x3c-\x7f"]
+        end
+
+        rule(:scheme_source) do
+          (scheme >> str("://")).absent? >> scheme >> str(":")
+        end
+
+        rule(:host_source) do
+          (scheme >> str("://")).maybe >> csp_host >> port.maybe
+        end
+
+        rule(:csp_host) do
+          (str("*.").maybe >> host_char.repeat(1) >> ( str(".") >> host_char.repeat(1) ).repeat(0)) |
+          str("*")
+        end
+
+        rule(:host_char) do
+          alnum | str("-")
+        end
+
+        rule(:keyword_source) do
+          stri("'self'") | stri("'unsafe-inline'") | stri("'unsafe-eval'")
+        end
+
+        rule(:port) do
+          str(":") >> digits.as(:port)
+        end
+
+        rule(:ext_host_source) do
+          (scheme >> str("://")).maybe >> csp_host >> ext_host_source.maybe >> port.maybe
+        end
+
+        # report-uri
+        # directive-name    = "report-uri"
+        # directive-value   = uri-reference *( 1*WSP uri-reference )
+        # uri-reference     = <URI-reference from RFC 3986>
+        rule(:report_uri) do
+          stri("report-uri").as(:key) >> wsp.repeat(1) >> (uri >> (wsp.repeat(1) >> uri).repeat(0)).as(:values)
+        end
+
+        # sandbox (Optional)
+        # directive-name    = "sandbox"
+        # directive-value   = token *( 1*WSP token )
+        # token             = <token from RFC 2616>
+        rule(:sandbox) do
+          stri("sandbox").as(:key) >> wsp.repeat(1) >> (token >> (wsp.repeat(1) >> token).repeat(0)).as(:value)
+        end
+      end
+    end
+  end
+end