ixtlan-core 0.6.0 → 0.6.1

data/README.md

@@ -0,0 +1,64 @@
+# Ixtlan #
+
+this gem adds more security related headers to the response for a rails3 application. mainly inspired by
+[google-gets-a-1-for-browser-security](http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/)
+and
+[HttpCaching](http://code.google.com/p/doctype/wiki/ArticleHttpCaching).
+and
+[Clickjacking](http://www.owasp.org/index.php/Clickjacking)
+
+the extra headers are
+
+* x-frame headers
+* x-content-type headers
+* x-xss-protection headers
+* caching headers
+
+the main idea is to set the default as strict as possible and the application might relax the setup here and there.
+
+## rails configuration ##
+
+in _config/application.rb_ or in one of the _config/environments/*rb_ files or in an initializer. all three x-headers can be configured here, for example
+
+    config.x_content_type_headers = :nosniff
+
+## controller configuration ##
+
+just add in your controller something like
+
+    x_xss_protection :block
+    
+## option for each *render*, *send\_file*, *send\_data* methods
+
+an example for an inline render
+
+    render :inline => 'behappy', :x_frame_headers => :deny
+    
+## possible values ##
+
+* x\_frame\_headers : `:deny, :sameorigin, :off` default `:deny`
+
+* x\_content\_type\_headers : `:nosniff, :off` default `:nosniff`
+
+* x\_xss\_protection\_headers : `:block, :disabled, :off` default `:block`
+
+## cache headers
+
+the cache headers needs to have a **current\_user**, i.e. the current\_user method of the controller needs to return a non-nil value. further the the method needs to `:get` and the response status an "ok" status,
+
+then you can use the controller configuration or the options with *render*, *send\_file* and *send\_data*.
+
+## possible values ##
+
+* `:private` : which tells not to cache or store any data except the browser memory: [no caching](http://code.google.com/p/doctype/wiki/ArticleHttpCaching#No_caching)
+
+* `:protected` : no caching but the browser: [Only the end user's browser is allowed to cache](http://code.google.com/p/doctype/wiki/ArticleHttpCaching#Only_the_end_user%27s_browser_is_allowed_to_cache)
+
+* `:public` : caching is allowed: [Both browser and proxy allowed to cache](http://code.google.com/p/doctype/wiki/ArticleHttpCaching#Both_browser_and_proxy_allowed_to_cache)
+
+* `:my_headers` : custom header method like 
+
+>     def my_headers
+        no_store = false
+        no_caching(no_store)
+      end

data/features/headers.feature

@@ -0,0 +1,12 @@
+Feature: Generators for Ixtlan Core
+
+  Scenario: Create a rails application and adding the ixtlan-core adds ixtlan generators
+    Given I create new rails application with template "headers.template" and "headers" tests
+    And I execute "rails generate scaffold user name:string --skip --migration"
+    And I execute "rake db:migrate test"
+    Then the output should contain "7 tests, 20 assertions, 0 failures, 0 errors" and "1 tests, 1 assertions, 0 failures, 0 errors"
+
+    Given me an existing rails application "headers" and "optimistic" files
+    And I execute "rails generate scaffold account name:string --skip --migration --timestamps --optimistic --modified-by user"
+    And I execute "rake db:migrate test"
+    Then the output should contain "14 tests, 30 assertions, 0 failures, 0 errors" and "2 tests, 2 assertions, 0 failures, 0 errors"

data/features/step_definitions/simple_steps.rb

@@ -0,0 +1 @@
+require 'maven/cucumber_steps'

data/lib/ixtlan/core/active_record.rb

@@ -0,0 +1,22 @@
+module Ixtlan
+  module Core
+    module ActiveRecord
+
+      def self.included(base)
+        base.class_eval do
+
+          def self.optimistic_find(updated_at, *args)
+            if updated_at
+              updated_at_date = new(:updated_at => updated_at).updated_at
+              # try different ways to use the date
+              # TODO maybe there is a nicer way ??
+              first(:conditions => ["id = ? and updated_at <= ? and updated_at >= ?", args[0], updated_at, updated_at_date - 0.001]) || first(:conditions => ["id = ? and updated_at <= ? and updated_at >= ?", args[0], updated_at_date, updated_at_date - 0.001])
+              # TODO make it work with different PKs
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/active_record.rb~

@@ -0,0 +1,24 @@
+module Ixtlan
+  module Core
+    module OptimisticActiveRecord
+
+      def self.included(base)
+        base.class_eval do
+
+          attr_accessor :current_user
+
+          def self.optimistic_find(updated_at, *args)
+            if updated_at
+              updated_at_date = new(:updated_at => updated_at).updated_at
+              # try different ways to use the date
+              # TODO maybe there is a nicer way ??
+              first(:conditions => ["id = ? and updated_at <= ? and updated_at >= ?", args[0], updated_at, updated_at_date - 0.001]) || first(:conditions => ["id = ? and updated_at <= ? and updated_at >= ?", args[0], updated_at_date, updated_at_date - 0.001])
+              # TODO make it work with different PKs
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/controllers/configuration_controller.rb~

@@ -0,0 +1,9 @@
+module Ixtlan
+  module Guard
+    module Controllers
+      module MaintenanceController
+        
+        # GET /configuration
+        # GET /configuration.xml
+        # GET /configuration.json
+        def index

data/lib/ixtlan/core/data_mapper.rb

@@ -0,0 +1,23 @@
+module Ixtlan
+  module Core
+    module DataMapper
+
+      def self.included(base)
+        base.class_eval do
+          
+          attr_accessor :current_user
+          
+          def optimistic_find(updated_at, *args)
+            if updated_at
+              updated_at = new(:updated_at => updated_at).updated_at
+              # TODO make it work with different PKs
+              first(:id => args[0], :updated_at => updated_at)
+            end
+          end
+        end
+
+      end
+
+    end
+  end
+end

data/lib/ixtlan/core/data_mapper.rb~

@@ -0,0 +1,18 @@
+module Ixtlan
+  module Core
+    module OptimisticDataMapper
+
+      def self.included(base)
+        base.class_eval do
+          def optimistic_find(updated_at, *args)
+            if updated_at
+              updated_at = new(:updated_at => updated_at).updated_at
+              # TODO make it work with different PKs
+              first(:id => args[0], :updated_at => updated_at)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/optimistic_active_record.rb~

@@ -0,0 +1,21 @@
+module Ixtlan
+  module Core
+    module OptimisticActiveRecord
+
+      def self.included(base)
+        base.class_eval do
+          def self.optimistic_find(updated_at, *args)
+            p updated_at
+            updated_at = new(:updated_at => updated_at).updated_at
+            # TODO make it work with different PKs
+            r = first(:conditions => ["id = ? and updated_at = ?", args[0], updated_at])
+            p args[0]
+            p updated_at
+            p r
+            r
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/{optimistic_data_mapper.rb → optimistic_data_mapper.rb~}

@@ -7,7 +7,7 @@ module Ixtlan
           def optimistic_find(updated_at, *args)
             updated_at = new(:updated_at => updated_at).updated_at
             # TODO make it work with different PKs
-            first(:id => args[0], :updated_at => updated_at)
+            first(:id => args[0], :updated_at => updated_at])
           end
         end
       end

data/lib/ixtlan/core/railtie.rb

@@ -3,8 +3,8 @@ require 'ixtlan/core/cache_headers'
 require 'ixtlan/core/x_frame_headers'
 require 'ixtlan/core/x_content_type_headers'
 require 'ixtlan/core/x_xss_protection_headers'
-require 'ixtlan/core/optimistic_active_record'
-require 'ixtlan/core/optimistic_data_mapper'
+require 'ixtlan/core/active_record'
+require 'ixtlan/core/data_mapper'
 require 'ixtlan/core/configuration_rack'
 require 'ixtlan/core/configuration_manager'
 module Ixtlan
@@ -63,15 +63,15 @@ module Ixtlan
         app.config.middleware.use Ixtlan::Core::ConfigurationRack
       end
       config.after_initialize do |app|
-        if defined? DataMapper
+        if defined? ::DataMapper
 
           ::DataMapper::Resource.send(:include, 
-                                      Ixtlan::Core::OptimisticDataMapper)
+                                      Ixtlan::Core::DataMapper)
 
-        elsif defined? ActiveRecord
+        elsif defined? ::ActiveRecord
 
           ::ActiveRecord::Base.send(:include, 
-                                    Ixtlan::Core::OptimisticActiveRecord)
+                                    Ixtlan::Core::ActiveRecord)
 
         end
       end

data/lib/ixtlan/core/x_content_headers.rb~

@@ -0,0 +1,32 @@
+module Ixtlan
+  module Core
+    module XFrameHeaders
+
+      protected
+
+      def x_frame_headers(mode = nil)
+        case mode || self.class.instance_variable_get(:@_x_frame_mode) || Rails.configuration.x_frame_headers
+        when :deny
+          response.headers["X-FRAME-OPTIONS"] = "DENY"
+        when :sameorigin
+          response.headers["X-FRAME-OPTIONS"] = "SAMEORIGIN"
+        when :off
+        else
+          warn "allowed values for x_frame_headers are :deny, :sameorigin, :off"
+        end
+      end
+    
+      def self.included(base)
+        base.class_eval do
+          def self.x_frame_headers(mode)
+            if(mode)
+              @_x_frame_mode = mode.to_sym
+            else
+              @_x_frame_mode = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/x_content_type_headers.rb~

@@ -0,0 +1,30 @@
+module Ixtlan
+  module Core
+    module XContentHeaders
+
+      protected
+
+      def x_content_headers(mode = nil)
+        case mode || self.class.instance_variable_get(:@_x_content_headers) || Rails.configuration.x_content_headers || :nosniff
+        when :nosniff
+          response.headers["X-Content-Type-Options"] = "nosniff"
+        when :off
+        else
+          warn "allowed values for x_content_headers are :nosniff, :off"
+        end
+      end
+    
+      def self.included(base)
+        base.class_eval do
+          def self.x_content_headers(mode)
+            if(mode)
+              @_x_content_headers = mode.to_sym
+            else
+              @_x_content_headers = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/core/x_xss_protection_headers.rb~

@@ -0,0 +1,30 @@
+module Ixtlan
+  module Core
+    module XContentHeaders
+
+      protected
+
+      def x_content_headers(mode = nil)
+        case mode || self.class.instance_variable_get(:@_x_content_headers) || Rails.configuration.x_content_headers || :nosniff
+        when :nosniff
+          response.headers["X-Content-Type-Options"] = "nosniff"
+        when :off
+        else
+          warn "allowed values for x_content_headers are :nosniff, :off"
+        end
+      end
+    
+      def self.included(base)
+        base.class_eval do
+          def self.x_content_headers(mode)
+            if(mode)
+              @_x_content_headers = mode.to_sym
+            else
+              @_x_content_headers = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/cache_headers_spec.rb~

@@ -0,0 +1,52 @@
+require 'controller'
+
+
+class MyControllerWithUser < ControllerWithUser
+  cache_headers :private
+end
+
+[:render#, :send_file, :send_data
+].each do |method|
+  describe "cache-headers using controller method #{method}" do
+    context "with simple controller" do
+      subject { ControllerWithUser.new(Object.new) }
+      
+      it 'should use default' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+      it 'should use given option' do
+        subject.send method, :inline => "asd", :cache_headers => :protected
+        subject.response.headers.delete("Date").should_not be_nil
+        subject.response.headers.delete("Expires").should_not be_nil
+        subject.response.headers.should == {"Cache-Control"=>"private, max-age=0", "X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+    end
+    
+    context "with controller with header configuration" do
+      subject { MyControllerWithUser.new(Object.new) }
+      
+      it 'should use configuration' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.delete("Date").should_not be_nil
+        subject.response.headers.delete("Expires").should_not be_nil
+        subject.response.headers.should == {"Pragma"=>"no-cache", "Cache-Control"=>"no-cache, must-revalidate, no-store", "X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+      it 'should use given option' do
+        subject.send method, :inline => "asd", :cache_headers => :public
+        subject.response.headers.delete("Date").should_not be_nil
+        subject.response.headers.delete("Expires").should_not be_nil
+        subject.response.headers.should == {"Cache-Control"=>"private, max-age=0", "X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+    end
+    
+    context "with simple controller without user" do
+      subject { MyControllerWithUser.new }
+      
+      it 'should use default' do
+        subject.send method, :inline => "asd"
+        subject.response.headers.should == {"X-Frame-Options"=>"DENY", "X-Content-Type-Options"=>"nosniff", "X-XSS-Protection"=>"1; mode=block"}
+      end
+    end
+  end
+end

data/spec/configuration_manager_spec.rb~

@@ -0,0 +1,40 @@
+require 'ixtlan/core/configuration_manager'
+
+class ConfigModel
+
+  def self.instance
+    @instance ||= self.new
+  end
+
+  def self.after_save(method)
+    @method = method.to_sym
+  end
+
+  def self.save_method
+    @method
+  end
+
+  def save
+    sent self.class.save_method
+  end
+end
+
+describe Ixtlan::Core::ConfigurationManager do
+
+#  before :all do
+#    ConfigModel.sent :include, Ixtlan::Core::ConfigurationManager
+#  end
+
+  it "should" do
+  end
+
+  it "should register listeners and fire change events" do
+#    count = 0
+#    ConfigModel.instance.register("counter") do
+#      count += 1
+#    end
+#    ConfigModel.instance.save
+#    count.should == 1
+  end
+  
+end