ixtlan-core 0.5.0 → 0.6.0

data/lib/ixtlan/core/cache_headers.rb

@@ -9,7 +9,7 @@ module Ixtlan
       # Pragma: no-cache
       # Cache-control: no-cache, must-revalidate
       def no_caching(no_store = true)
-        if cachable_response?
+        if cacheable_response?
           response.headers["Date"] = timestamp
           response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
           response.headers["Pragma"] = "no-cache"
@@ -21,7 +21,7 @@ module Ixtlan
       # Expires: Fri, 01 Jan 1990 00:00:00 GMT
       # Cache-control: private, max-age=<1dayInSeconds>
       def only_browser_can_cache(no_store = false, max_age_in_seconds = 0)
-        if cachable_response?
+        if cacheable_response?
           response.headers["Date"] = timestamp
           response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 UTC"
           response.headers["Cache-Control"] = "private, max-age=#{max_age_in_seconds}" + (", no-store" if no_store).to_s
@@ -32,7 +32,7 @@ module Ixtlan
       # Expires: <ServerCurrentDate + 1month>
       # Cache-control: public, max-age=<1month>
       def allow_browser_and_proxy_to_cache(no_store = false, max_age_in_seconds = 0)
-        if cachable_response?
+        if cacheable_response?
           now = Time.now
           response.headers["Date"] = timestamp(now)
           response.headers["Expires"] = timestamp(now + max_age_in_seconds)
@@ -40,9 +40,9 @@ module Ixtlan
         end
       end
 
-      def cache_headers
-        if(respond_to?(:current_user) && current_user)
-          mode = self.class.instance_variable_get(:@_cache_mode)
+      def cache_headers(mode = nil)
+        if respond_to?(:current_user) && send(:current_user)
+          mode ||= self.class.instance_variable_get(:@_cache_headers)
           case mode
           when :private
             no_caching(self.class.instance_variable_get(:@no_store))
@@ -50,6 +50,7 @@ module Ixtlan
             only_browser_can_cache(self.class.instance_variable_get(:@no_store))
           when :public
             allow_browser_and_proxy_to_cache(self.class.instance_variable_get(:@no_store))
+          when :off
           else
             send mode if mode
           end
@@ -60,7 +61,7 @@ module Ixtlan
         base.class_eval do
           def self.cache_headers(mode = nil, no_store = true)
             if(mode)
-              @_cache_mode = mode.to_sym
+              @_cache_headers = mode.to_sym
             end
             @no_store = no_store
           end
@@ -68,7 +69,7 @@ module Ixtlan
       end
 
       private
-      def cachable_response?
+      def cacheable_response?
         request.method.to_s.downcase == "get" &&
           [200, 203, 206, 300, 301].member?(response.status)
       end

data/lib/ixtlan/core/extra_headers.rb

@@ -6,22 +6,27 @@ module Ixtlan
         base.class_eval do
           alias :render_old :render
           def render(*args, &block)
-            cache_headers
-            x_frame_headers
+            _extra_header(*args)
             render_old(*args, &block)
           end
           alias :send_file_old :send_file
           def send_file(*args)
-            cache_headers
-            x_frame_headers
+            _extra_header(*args)
             send_file_old(*args)
           end
           alias :send_data_old :send_data
           def send_data(*args)
-            cache_headers
-            x_frame_headers
+            _extra_header(*args)
             send_file_old(*args)
           end
+          private
+          def _extra_header(*args)
+            opt = (args[0].is_a?(Hash) ? args[0] : args[1]) || {}
+            cache_headers(opt[:cache_headers])
+            x_frame_headers(opt[:x_frame_headers])
+            x_content_type_headers(opt[:x_content_type_headers])
+            x_xss_protection_headers(opt[:x_xss_protection_headers])
+          end
         end
       end
     end

data/lib/ixtlan/core/railtie.rb

@@ -1,6 +1,8 @@
 require 'ixtlan/core/extra_headers'
 require 'ixtlan/core/cache_headers'
 require 'ixtlan/core/x_frame_headers'
+require 'ixtlan/core/x_content_type_headers'
+require 'ixtlan/core/x_xss_protection_headers'
 require 'ixtlan/core/optimistic_active_record'
 require 'ixtlan/core/optimistic_data_mapper'
 require 'ixtlan/core/configuration_rack'
@@ -40,9 +42,8 @@ module Ixtlan
 
       config.before_configuration do |app|
         app.config.class.class_eval do
-          attr_accessor :x_frame_headers
+          attr_accessor :x_frame_headers, :x_content_type_headers, :x_xss_protection_headers
         end
-        app.config.x_frame_headers = :deny
       end
 
       config.before_initialize do |app|
@@ -55,6 +56,8 @@ module Ixtlan
         end
         ::ActionController::Base.send(:include, Ixtlan::Core::ExtraHeaders)
         ::ActionController::Base.send(:include, Ixtlan::Core::XFrameHeaders)
+        ::ActionController::Base.send(:include, Ixtlan::Core::XContentTypeHeaders)
+        ::ActionController::Base.send(:include, Ixtlan::Core::XXssProtectionHeaders)
         ::ActionController::Base.send(:include, Ixtlan::Core::CacheHeaders)
 
         app.config.middleware.use Ixtlan::Core::ConfigurationRack

data/lib/ixtlan/core/x_content_type_headers.rb

@@ -0,0 +1,30 @@
+module Ixtlan
+  module Core
+    module XContentTypeHeaders
+
+      protected
+
+      def x_content_type_headers(mode = nil)
+        case mode || self.class.instance_variable_get(:@_x_content_type_headers) || Rails.configuration.x_content_type_headers || :nosniff
+        when :nosniff
+          response.headers["X-Content-Type-Options"] = "nosniff"
+        when :off
+        else
+          warn "allowed values for x_content_type_headers are :nosniff, :off"
+        end
+      end
+    
+      def self.included(base)
+        base.class_eval do
+          def self.x_content_type_headers(mode)
+            if(mode)
+              @_x_content_type_headers = mode.to_sym
+            else
+              @_x_content_type_headers = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/x_frame_headers.rb

@@ -4,22 +4,25 @@ module Ixtlan
 
       protected
 
-      def x_frame_headers
-        case self.class.instance_variable_get(:@_x_frame_mode) || Rails.configuration.x_frame_headers
+      def x_frame_headers(mode = nil)
+        case mode || self.class.instance_variable_get(:@_x_frame_headers) || Rails.configuration.x_frame_headers || :deny
         when :deny
-          response.headers["X-FRAME-OPTIONS"] = "DENY"
+          response.headers["X-Frame-Options"] = "DENY"
         when :sameorigin
-          response.headers["X-FRAME-OPTIONS"] = "SAMEORIGIN"
+          response.headers["X-Frame-Options"] = "SAMEORIGIN"
+        when :off
+        else
+          warn "allowed values for x_frame_headers are :deny, :sameorigin, :off"
         end
       end
-
+    
       def self.included(base)
         base.class_eval do
           def self.x_frame_headers(mode)
             if(mode)
-              @_x_frame_mode = mode.to_sym
+              @_x_frame_headers = mode.to_sym
             else
-              @_x_frame_mode = nil
+              @_x_frame_headers = nil
             end
           end
         end

data/lib/ixtlan/core/x_xss_protection_headers.rb

@@ -0,0 +1,32 @@
+module Ixtlan
+  module Core
+    module XXssProtectionHeaders
+
+      protected
+
+      def x_xss_protection_headers(mode = nil)
+        case mode || self.class.instance_variable_get(:@_x_xss_protection_headers) || Rails.configuration.x_xss_protection_headers || :block
+        when :disabled
+          response.headers["X-XSS-Protection"] = "0"
+        when :block
+          response.headers["X-XSS-Protection"] = "1; mode=block"
+        when :off
+        else
+          warn "allowed values for x_xss_protection_headers are :nocheck, :block, :off"
+        end
+      end
+    
+      def self.included(base)
+        base.class_eval do
+          def self.x_xss_protection_headers(mode)
+            if(mode)
+              @_x_xss_protection_headers = mode.to_sym
+            else
+              @_x_xss_protection_headers = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/cache_headers_spec.rb

@@ -0,0 +1,51 @@
+require 'controller'
+
+
+class MyControllerWithUser < ControllerWithUser
+  cache_headers :private
+end
+
+[:render, :send_file, :send_data].each do |method|
+  describe "cache-headers using controller method #{method}" do
+    context "with simple controller" do
+      subject { ControllerWithUser.new(Object.new) }
+      
+      it 'should use default' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+      it 'should use given option' do
+        subject.send method, :inline => "asd", :cache_headers => :protected
+        subject.response.headers.delete("Date").should_not be_nil
+        subject.response.headers.delete("Expires").should_not be_nil
+        subject.response.headers.should == {"Cache-Control"=>"private, max-age=0", "X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+    end
+    
+    context "with controller with header configuration" do
+      subject { MyControllerWithUser.new(Object.new) }
+      
+      it 'should use configuration' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.delete("Date").should_not be_nil
+        subject.response.headers.delete("Expires").should_not be_nil
+        subject.response.headers.should == {"Pragma"=>"no-cache", "Cache-Control"=>"no-cache, must-revalidate, no-store", "X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+      it 'should use given option' do
+        subject.send method, :inline => "asd", :cache_headers => :public
+        subject.response.headers.delete("Date").should_not be_nil
+        subject.response.headers.delete("Expires").should_not be_nil
+        subject.response.headers.should == {"Cache-Control"=>"public, max-age=0, no-store", "X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+    end
+    
+    context "with simple controller without user" do
+      subject { MyControllerWithUser.new }
+      
+      it 'should use default' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+    end
+  end
+end

data/spec/controller.rb

@@ -0,0 +1,78 @@
+require 'ixtlan/core/extra_headers'
+require 'ixtlan/core/cache_headers'
+require 'ixtlan/core/x_frame_headers'
+require 'ixtlan/core/x_content_type_headers'
+require 'ixtlan/core/x_xss_protection_headers'
+
+class Controller
+  
+  def render(*args, &block)
+    @render = args if args.size > 0
+    @render
+  end
+  def send_file(*args, &block)
+    @send_file = args if args.size > 0
+    @send_file
+  end
+  def send_data(*args, &block)
+    @send_data = args if args.size > 0
+    @send_data
+  end
+
+  include Ixtlan::Core::ExtraHeaders
+  include Ixtlan::Core::XFrameHeaders
+  include Ixtlan::Core::XContentTypeHeaders
+  include Ixtlan::Core::XXssProtectionHeaders
+  include Ixtlan::Core::CacheHeaders
+
+  def response
+    unless @response
+      @response = Object.new
+
+      def @response.headers
+        @headers ||= {}
+      end
+      def @response.status(st = nil)
+        @status = st if st
+        @status
+      end
+    end
+    @response
+  end
+
+  def request
+    unless @request
+      @request = Object.new
+      def @request.method(m = nil)
+        @method = m if m
+        @method
+      end
+    end
+    @request
+  end
+
+end
+
+class ControllerWithUser < Controller
+
+  def initialize(user = nil, status = 200, method = :get)
+    @user = user
+    request.method method
+    response.status status
+  end
+  def current_user
+    @user
+  end
+
+end
+
+class Rails
+
+  class Config
+    attr_accessor :x_content_type_headers, :x_frame_headers , :x_xss_protection_headers, :cache_headers
+  end
+
+  def self.configuration
+    @config ||= Config.new
+  end
+end

data/spec/x_headers_spec.rb

@@ -0,0 +1,74 @@
+require 'controller'
+
+shared_examples 'a X-Headers' do
+
+  it 'should be able to switch off' do
+    subject.send method, :inline => "asd", :x_frame_headers => :off, :x_content_type_headers => :off, :x_xss_protection_headers => :off
+    subject.response.headers.should == {}
+  end
+
+end
+
+class MyController < Controller
+  x_frame_headers :sameorigin
+  x_content_type_headers :off
+  x_xss_protection_headers :disabled
+end
+
+[:render, :send_file, :send_data].each do |method|
+  describe "x-headers using controller method #{method}" do
+    context "with simple controller" do
+      before do
+        Rails.configuration.x_frame_headers = nil
+        Rails.configuration.x_content_type_headers = nil
+        Rails.configuration.x_xss_protection_headers = nil
+      end
+      subject { Controller.new }
+      
+      it 'should use default' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+      
+      it_behaves_like "a X-Headers" do
+        let(:method) { method }
+      end
+    end
+    
+    context "with controller with header configuration" do
+      before do
+        Rails.configuration.x_frame_headers = nil
+        Rails.configuration.x_content_type_headers = nil
+        Rails.configuration.x_xss_protection_headers = nil
+      end
+      subject { MyController.new }
+      
+      it 'should use configuration' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"0"}
+      end
+      
+      it_behaves_like "a X-Headers" do
+        let(:method) { method }
+      end
+    end
+    
+    context "with simple controller with rails configuration" do
+      before do
+        Rails.configuration.x_frame_headers = :sameorigin
+        Rails.configuration.x_content_type_headers = :off
+        Rails.configuration.x_xss_protection_headers = :disabled
+      end
+      subject { Controller.new }
+      
+      it 'should use configuration' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"0"}
+      end
+      
+      it_behaves_like "a X-Headers" do
+        let(:method) { method }
+      end
+    end
+  end
+end

metadata

@@ -2,7 +2,7 @@
 name: ixtlan-core
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors: 
   - mkristian
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-08-06 00:00:00 +05:30
+date: 2011-09-05 00:00:00 +05:30
 default_executable: 
 dependencies: 
   - !ruby/object:Gem::Dependency 
@@ -28,50 +28,61 @@ dependencies:
     type: :runtime
     version_requirements: *id001
   - !ruby/object:Gem::Dependency 
-    name: rails
+    name: ixtlan-generators
     prerelease: false
     requirement: &id002 !ruby/object:Gem::Requirement 
       none: false
       requirements: 
         - - "="
           - !ruby/object:Gem::Version 
-            version: 3.0.9
+            version: 0.1.0
     type: :development
     version_requirements: *id002
   - !ruby/object:Gem::Dependency 
-    name: rspec
+    name: rails
     prerelease: false
     requirement: &id003 !ruby/object:Gem::Requirement 
       none: false
       requirements: 
         - - "="
           - !ruby/object:Gem::Version 
-            version: 2.6.0
+            version: 3.0.9
     type: :development
     version_requirements: *id003
   - !ruby/object:Gem::Dependency 
-    name: cucumber
+    name: rspec
     prerelease: false
     requirement: &id004 !ruby/object:Gem::Requirement 
       none: false
       requirements: 
         - - "="
           - !ruby/object:Gem::Version 
-            version: 0.9.4
+            version: 2.6.0
     type: :development
     version_requirements: *id004
   - !ruby/object:Gem::Dependency 
-    name: ruby-maven
+    name: cucumber
     prerelease: false
     requirement: &id005 !ruby/object:Gem::Requirement 
       none: false
       requirements: 
         - - "="
           - !ruby/object:Gem::Version 
-            version: 0.8.3.0.3.0.28.3
+            version: 0.9.4
     type: :development
     version_requirements: *id005
-description: base for some gems related to protect privacy and increase security along some other utils
+  - !ruby/object:Gem::Dependency 
+    name: ruby-maven
+    prerelease: false
+    requirement: &id006 !ruby/object:Gem::Requirement 
+      none: false
+      requirements: 
+        - - "="
+          - !ruby/object:Gem::Version 
+            version: 0.8.3.0.3.0.28.3
+    type: :development
+    version_requirements: *id006
+description: cache header control, dynamic configuration, and optimistic find on model via updated_at timestamp
 email: 
   - m.kristian@web.de
 executables: []
@@ -115,10 +126,15 @@ files:
   - lib/ixtlan/core/configuration_rack.rb
   - lib/ixtlan/core/optimistic_active_record.rb
   - lib/ixtlan/core/extra_headers.rb
+  - lib/ixtlan/core/x_content_type_headers.rb
   - lib/ixtlan/core/cache_headers.rb
+  - lib/ixtlan/core/x_xss_protection_headers.rb
   - lib/ixtlan/core/railtie.rb
   - lib/ixtlan/core/configuration_manager.rb
   - lib/ixtlan/core/controllers/configuration_controller.rb
+  - spec/controller.rb
+  - spec/cache_headers_spec.rb
+  - spec/x_headers_spec.rb
   - spec/configuration_manager_spec.rb
 has_rdoc: true
 homepage: http://github.com/mkristian/ixtlan-core
@@ -127,7 +143,7 @@ licenses:
 post_install_message: 
 rdoc_options: 
   - --main
-  - README.textile
+  - README.md
 require_paths: 
   - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
@@ -148,6 +164,8 @@ rubyforge_project:
 rubygems_version: 1.5.1
 signing_key: 
 specification_version: 3
-summary: cache header control, dynamic configuration, and rails generator templates
+summary: cache header control, dynamic configuration, and optimistic find on model via updated_at timestamp
 test_files: 
+  - spec/cache_headers_spec.rb
+  - spec/x_headers_spec.rb
   - spec/configuration_manager_spec.rb