merb-core 0.9.5 → 0.9.6

data/lib/merb-core/dispatch/session.rb

@@ -1,19 +1,63 @@
+require 'merb-core/dispatch/session/container'
+require 'merb-core/dispatch/session/store_container'
+
 module Merb
-  
+
+  class Config
+
+    # List of all session_stores taken from :session_stores or :session_store
+    def self.session_stores
+      @session_stores ||= begin
+        config_stores = Array(
+          Merb::Config[:session_stores] || Merb::Config[:session_store]
+        )
+        config_stores.map { |name| name.to_sym }
+      end
+    end
+
+  end
+
+  # The Merb::Session module gets mixed into Merb::SessionContainer to allow
+  # app-level functionality (usually found in app/models/merb/session.rb)
+  module Session
+  end
+
   module SessionMixin
-    # Sets the session id cookie, along with the correct
-    # expiry and domain -- used for new or reset sessions
-    def set_session_id_cookie(key)
-      options = {}
-      options[:value] = key
-      options[:expires] = Time.now + _session_expiry if _session_expiry > 0
-      options[:domain] = _session_cookie_domain if _session_cookie_domain
-      cookies[_session_id_key] = options
+
+    # Raised when no suitable session store has been setup.
+    class NoSessionContainer < StandardError; end
+
+    # Raised when storing more data than the available space reserved.
+    class SessionOverflow < StandardError; end
+
+    # Session configuration options:
+    #
+    # :session_id_key           The key by which a session value/id is
+    #                           retrieved; defaults to _session_id
+    #
+    # :session_expiry           When to expire the session cookie;
+    #                           defaults to 2 weeks
+    #
+    # :session_secret_key       A secret string which is used to sign/validate
+    #                           session data; min. 16 chars
+    #
+    # :default_cookie_domain    The default domain to write cookies for.
+
+    def self.included(base)
+      # Register a callback to finalize sessions - needs to run before the cookie
+      # callback extracts Set-Cookie headers from request.cookies.
+      base._after_dispatch_callbacks.unshift lambda { |c| c.request.finalize_session }
     end
 
-    @_finalize_session_exception_callbacks = []
-    @_persist_exception_callbacks = []
-    
+    # ==== Parameters
+    # session_store<String>:: The type of session store to access.
+    #
+    # ==== Returns
+    # SessionContainer:: The session that was extracted from the request object.
+    def session(session_store = nil) request.session(session_store) end
+
+    # Module methods
+
     # ==== Returns
     # String:: A random 32 character string for use as a unique session ID.
     def rand_uuid
@@ -34,45 +78,127 @@ module Merb
       @_new_cookie = true
     end
 
-    # Adds a callback to the list of callbacks run when
-    # exception is raised on session finalization, so
-    # you can recover.
-    #
-    # See session mixins documentation for details on
-    # session finalization.
-    #
-    # ==== Params
-    # &block::
-    #   A block to be added to the callbacks that will be executed
-    #   if there's exception on session finalization.
-    def finalize_session_exception_callbacks(&block)
-      if block_given?
-        @_finalize_session_exception_callbacks << block
-      else
-        @_finalize_session_exception_callbacks
-      end
+    def needs_new_cookie?
+      @_new_cookie
     end
 
-    # Adds a callback to the list of callbacks run when
-    # exception is raised on session persisting, so
-    # you can recover.
-    #
-    # See session mixins documentation for details on
-    # session persisting.
-    #
-    # ==== Params
-    # &block::
-    #   A block to be added to the callbacks that will be executed
-    #   if there's exception on session persisting.
-    def persist_exception_callbacks(&block)
-      if block_given?
-        @_persist_exception_callbacks << block
-      else
-        @_persist_exception_callbacks
+    module_function :rand_uuid, :needs_new_cookie!, :needs_new_cookie?
+
+    module RequestMixin
+
+      def self.included(base)
+        base.extend ClassMethods
+
+        # Keep track of all known session store types.
+        base.cattr_accessor :registered_session_types
+        base.registered_session_types = Dictionary.new
+        base.class_inheritable_accessor :_session_id_key, :_session_secret_key,
+                                        :_session_expiry
+
+        base._session_id_key        = Merb::Config[:session_id_key] || '_session_id'
+        base._session_expiry        = Merb::Config[:session_expiry] || Merb::Const::WEEK * 2
+        base._session_secret_key    = Merb::Config[:session_secret_key]
+      end
+
+      module ClassMethods
+
+        # ==== Parameters
+        # name<~to_sym>:: Name of the session type to register.
+        # class_name<String>:: The corresponding class name.
+        #
+        # === Notres
+        # This is automatically called when Merb::SessionContainer is subclassed.
+        def register_session_type(name, class_name)
+          self.registered_session_types[name.to_sym] = class_name
+        end
+
+      end
+
+      # The default session store type.
+      def default_session_store
+        Merb::Config[:session_store] && Merb::Config[:session_store].to_sym
+      end
+
+      # ==== Returns
+      # Hash:: All active session stores by type.
+      def session_stores
+        @session_stores ||= {}
+      end
+
+      # ==== Parameters
+      # session_store<String>:: The type of session store to access,
+      # defaults to default_session_store.
+      #
+      # === Notes
+      # If no suitable session store type is given, it defaults to
+      # cookie-based sessions.
+      def session(session_store = nil)
+        session_store ||= default_session_store
+        if class_name = self.class.registered_session_types[session_store]
+          session_stores[session_store] ||= Object.full_const_get(class_name).setup(self)
+        elsif fallback = self.class.registered_session_types.keys.first
+          Merb.logger.warn "Session store not found, '#{session_store}'."
+          Merb.logger.warn "Defaulting to #{fallback} sessions."
+          session(fallback)
+        else
+          Merb.logger.error "Can't use sessions because no session store is available."
+          raise NoSessionContainer, "No session store configured."
+        end
       end
+
+      # ==== Parameters
+      # new_session<Merb::SessionContainer>:: A session store instance.
+      #
+      # === Notes
+      # The session is assigned internally by its session_store_type key.
+      def session=(new_session)
+        if self.session?(new_session.class.session_store_type)
+          original_session_id = self.session(new_session.class.session_store_type).session_id
+          if new_session.session_id != original_session_id
+            set_session_id_cookie(new_session.session_id)
+          end
+        end
+        session_stores[new_session.class.session_store_type] = new_session
+      end
+
+      # Whether a session has been setup
+      def session?(session_store = nil)
+        (session_store ? [session_store] : session_stores).any? do |type, store|
+          store.is_a?(Merb::SessionContainer)
+        end
+      end
+
+      # Teardown and/or persist the current sessions.
+      def finalize_session
+        session_stores.each { |name, store| store.finalize(self) }
+      end
+      alias :finalize_sessions :finalize_session
+
+      # Assign default cookie values
+      def default_cookies
+        defaults = {}
+        if route && route.allow_fixation? && params.key?(_session_id_key)
+          Merb.logger.info("Fixated session id: #{_session_id_key}")
+          defaults[_session_id_key] = params[_session_id_key]
+        end
+        defaults
+      end
+
+      # ==== Parameters
+      # value<String>:: The value of the session cookie; either the session id or the actual encoded data.
+      def set_session_cookie_value(value)
+        options = {}
+        options[:expires] = Time.now + _session_expiry
+        cookies.set_cookie(_session_id_key, value, options)
+      end
+      alias :set_session_id_cookie :set_session_cookie_value
+
+      # ==== Returns
+      # String:: The value of the session cookie; either the session id or the actual encoded data.
+      def session_cookie_value
+        cookies[_session_id_key]
+      end
+      alias :session_id :session_cookie_value
     end
-    
-    module_function :rand_uuid, :needs_new_cookie!, :finalize_session_exception_callbacks, :persist_exception_callbacks
   end
-
 end

data/lib/merb-core/rack/middleware/conditional_get.rb

@@ -5,18 +5,24 @@ module Merb
       def call(env)
         status, headers, body = @app.call(env)
 
-        # set Date header using RFC1123 date format as specified by HTTP
-        # RFC2616 section 3.3.1.
-        if etag = headers['ETag']
-          status = 304 if etag == env[Merb::Const::HTTP_IF_NONE_MATCH]
-        end
-
-        if last_modified = headers[Merb::Const::LAST_MODIFIED]
-          status = 304 if last_modified == env[Merb::Const::HTTP_IF_MODIFIED_SINCE]
+        if document_not_modified?(env, headers)
+          status = 304
+          body = ""
+          # set Date header using RFC1123 date format as specified by HTTP
+          # RFC2616 section 3.3.1.
         end
         
         [status, headers, body]
       end
+    
+    private
+      def document_not_modified?(env, headers)
+        if etag = headers[Merb::Const::ETAG]
+          etag == env[Merb::Const::HTTP_IF_NONE_MATCH]
+        elsif last_modified = headers[Merb::Const::LAST_MODIFIED]
+          last_modified == env[Merb::Const::HTTP_IF_MODIFIED_SINCE]
+        end
+      end
     end
     
   end

data/lib/merb-core/rack/middleware/csrf.rb

@@ -0,0 +1,73 @@
+require 'digest/md5'
+
+module Merb
+  module Rack
+
+    class Csrf < Merb::Rack::Middleware
+      HTML_TYPES = %w(text/html application/xhtml+xml)
+      POST_FORM_RE = Regexp.compile('(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', Regexp::IGNORECASE)
+      ERROR_MSG = '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>'.freeze
+
+      def call(env)
+        status, header, body = @app.call(env)
+
+        if env[Merb::Const::REQUEST_METHOD] == Merb::Const::GET
+          body = process_response(body) if valid_content_type?(header[Merb::Const::CONTENT_TYPE])
+        elsif env[Merb::Const::REQUEST_METHOD] == Merb::Const::POST
+          status, body = process_request(env, status, body)
+        end
+
+        [status, header, body]
+      end
+
+      private
+      def process_request(env, status, body)
+        session_id = Merb::Config[:session_id_key]
+        csrf_token = _make_token(session_id)
+
+        request_csrf_token = env['csrf_authentication_token']
+
+        unless csrf_token == request_csrf_token
+          exception = Merb::ControllerExceptions::Forbidden.new(ERROR_MSG)
+          status = exception.status
+          body = exception.message
+
+          return [status, body]
+        end
+
+        return [status, body]
+      end
+
+      def process_response(body)
+        session_id = Merb::Config[:session_id_key]
+        csrf_token = _make_token(session_id)
+
+        if csrf_token
+          modified_body = ''
+          body.scan(POST_FORM_RE) do |match|
+            modified_body << add_csrf_field($~, csrf_token)
+          end
+
+          body = modified_body
+        end
+
+        body
+      end
+
+      def add_csrf_field(match, csrf_token)
+        modified_body = match.pre_match
+        modified_body << match.to_s
+        modified_body << "<div style='display: none;'><input type='hidden' id='csrf_authentication_token' name='csrf_authentication_token' value='#{csrf_token}' /></div>"
+        modified_body << match.post_match
+      end
+
+      def valid_content_type?(content_type)
+        HTML_TYPES.include?(content_type.split(';').first)
+      end
+
+      def _make_token(session_id)
+        Digest::MD5.hexdigest(Merb::Config[:session_secret_key] + session_id)
+      end
+    end
+  end
+end

data/lib/merb-core/rack.rb

@@ -20,5 +20,6 @@ module Merb
     autoload :Tracer,              'merb-core/rack/middleware/tracer'
     autoload :ContentLength,       'merb-core/rack/middleware/content_length'
     autoload :ConditionalGet,      'merb-core/rack/middleware/conditional_get'
+    autoload :Csrf,                'merb-core/rack/middleware/csrf'
   end # Rack
 end # Merb

data/lib/merb-core/script.rb

@@ -0,0 +1,112 @@
+module Merb
+  module ScriptHelpers
+    
+    # Adapt rubygems - shortcut for setup_local_gems that figures out the
+    # local gem path to use.
+    def setup_local_gems!(rootdir = nil)
+      if bundled? && local_gems = setup_local_gems(File.join(rootdir || merb_root, 'gems'))
+        if local_gems.is_a?(Array)
+          puts "Using local gems in addition to system gems..."
+          if verbose?
+            puts "Found #{local_gems.length} local gems:"
+            local_gems.each { |name| puts "- #{name}" }
+          end
+        elsif local_gems
+          puts "Using MiniGems to locate local/system gems..."
+        end
+      elsif use_minigems?
+        puts "Using MiniGems to locate system gems..."
+      else
+        puts "Using system gems..."
+      end
+    end
+    
+    # Adapt rubygems - because the /usr/bin/merb script already setup merb-core loadpaths
+    # from the system-wide rubygem paths. The code below will make sure local gems always
+    # get precedence over system gems and resolves any conflicts that may arise.
+    #
+    # Only native Gem methods are used to handle the internal logic transparently.
+    # These methods are proved either by minigems or standard rubygems.
+    #
+    # Note: currently the Kernel.load_dependency method will always load local gems.
+    def setup_local_gems(gems_path)
+      if File.directory?(gems_path)
+        if use_minigems?
+          # Reset all loaded system gems - replace with local gems
+          Gem.clear_paths
+          Gem.path.unshift(gems_path)
+          return true
+        else
+          # Remember originally loaded system gems and create a lookup of gems to load paths  
+          system_gemspecs = Gem.cache.gems
+          system_load_paths = extract_gem_load_paths(system_gemspecs)
+          
+          # Reset all loaded system gems - replace with local gems
+          Gem.clear_paths
+          Gem.path.unshift(gems_path)
+          Gem.cache.load_gems_in(File.join(gems_path, "specifications"))
+          
+          # Collect any local gems we're going to use
+          local_gems = Gem.cache.map { |name, spec| name }
+          
+          # Create a lookup of gems to load paths for all local gems
+          local_load_paths = extract_gem_load_paths(Gem.cache.gems)
+          
+          # Filter out local gems from the originally loaded system gems to prevent conflicts
+          active_system_gems = []
+          system_gemspecs.each do |name, spec|
+            active_system_gems << spec unless local_load_paths[spec.name]
+          end
+          
+          # Re-add the system gems - conflicts with local gems have been avoided
+          Gem.cache.add_specs(*active_system_gems)
+          
+          # Add local paths to LOAD_PATH - remove overlapping system gem paths
+          local_load_paths.each do |name, paths|
+            $LOAD_PATH.unshift(*paths)
+            $LOAD_PATH.replace($LOAD_PATH - system_load_paths[name] || [])
+          end
+          return local_gems
+        end
+      end
+    end
+    
+    # Figure out the merb root or default to current directory
+    def merb_root
+      root_key = %w[-m --merb-root].detect { |o| ARGV.index(o) }
+      root = ARGV[ARGV.index(root_key) + 1] if root_key
+      root.to_a.empty? ? Dir.getwd : root
+    end
+    
+    # See if we're running merb locally - enabled by default
+    # The ENV variables are considered for Rakefile usage.
+    def bundled?
+      enabled  = ENV.key?("BUNDLE")    || %w[-B --bundle].detect { |o| ARGV.index(o) }
+      disabled = ENV.key?("NO_BUNDLE") || %w[--no-bundle].detect { |o| ARGV.index(o) }
+      enabled || !disabled
+    end
+    
+    # Add some extra feedback if verbose is enabled
+    def verbose?
+      %w[-V --verbose].detect { |o| ARGV.index(o) }
+    end
+    
+    # Whether minigems has been loaded instead of the full rubygems
+    def use_minigems?
+      Gem.respond_to?(:minigems?) && Gem.minigems?
+    end
+    
+    # Helper method to extract a Hash lookup of gem name to load paths
+    def extract_gem_load_paths(source_index)
+      source_index.inject({}) do |load_paths, (name, spec)|
+        require_paths = spec.require_paths
+        require_paths << spec.bindir unless spec.executables.empty?
+        load_paths[spec.name] = require_paths.map do |path| 
+          File.join(spec.full_gem_path, path)
+        end
+        load_paths
+      end
+    end
+    
+  end
+end

data/lib/merb-core/server.rb

@@ -50,6 +50,7 @@ module Merb
           puts "Running bootloaders..." if Merb::Config[:verbose]
           BootLoader.run
           puts "Starting Rack adapter..." if Merb::Config[:verbose]
+          Merb.logger.info! "Starting Merb server listening at #{Merb::Config[:host]}:#{port}"
           Merb.adapter.start(Merb::Config.to_hash)
         end
       end
@@ -103,6 +104,7 @@ module Merb
             end
           end
         ensure
+          Merb.started = false
           exit
         end
       end

data/lib/merb-core/tasks/merb_rake_helper.rb

@@ -9,4 +9,29 @@ end
 
 def install_home
   ENV['GEM_HOME'] ? "-i #{ENV['GEM_HOME']}" : ""
+end
+
+def install_command(gem_name, gem_version, options = '--no-update-sources --no-rdoc --no-ri')
+  options << " -i #{ENV['GEM_DIR']}" if ENV['GEM_DIR']
+  %{#{sudo} gem install #{install_home} --local pkg/#{gem_name}-#{gem_version}.gem #{options}}
+end
+
+def dev_install_command(gem_name, gem_version, options = '--no-update-sources --no-rdoc --no-ri')
+  options << ' --development'
+  install_command(gem_name, gem_version, options)
+end
+
+def jinstall_command(gem_name, gem_version, options = '--no-update-sources --no-rdoc --no-ri')
+  options << " -i #{ENV['GEM_DIR']}" if ENV['GEM_DIR']
+  %{#{sudo} jruby -S gem install #{install_home} --local pkg/#{gem_name}-#{gem_version}.gem #{options}}
+end
+
+def dev_jinstall_command(gem_name, gem_version, options = '--no-update-sources --no-rdoc --no-ri')
+  options << ' --development'
+  jinstall_command(gem_name, gem_version, options)
+end
+
+def uninstall_command(gem_name, options = '')
+  options << " -i #{ENV['GEM_DIR']}" if ENV['GEM_DIR']
+  %{#{sudo} gem uninstall #{gem_name} #{options}}
 end

data/lib/merb-core/test/helpers/request_helper.rb

@@ -42,6 +42,23 @@ module Merb
         }) unless defined?(DEFAULT_ENV)
       end
 
+      # CookieJar keeps track of cookies in a simple Mash.
+      class CookieJar < Mash
+        
+        # ==== Parameters
+        # request<Merb::Request, Merb::FakeRequest>:: The controller request.
+        def update_from_request(request)
+          request.cookies.each do |key, value|
+            if value.blank?
+              self.delete(key)
+            else
+              self[key] = Merb::Request.unescape(value)
+            end
+          end
+        end
+        
+      end
+
       # ==== Parameters
       # env<Hash>:: A hash of environment keys to be merged into the default list.
       # opt<Hash>:: A hash of options (see below).
@@ -100,7 +117,27 @@ module Merb
         params = merge_controller_and_action(controller_klass, action, params)
         dispatch_request(build_request(params, env), controller_klass, action.to_s, &blk)
       end
-
+      
+      # Keep track of cookie values in CookieJar within the context of the
+      # block; you need to set this up for secific controllers.
+      #
+      # ==== Parameters
+      # *controller_classes:: Controller classes to operate on in the context of the block.
+      # &blk:: The context to operate on; optionally accepts the cookie jar as an argument.
+      def with_cookies(*controller_classes, &blk)
+        cookie_jar = CookieJar.new
+        before_cb = lambda { |c| c.cookies.update(cookie_jar) }
+        after_cb  = lambda { |c| cookie_jar.update_from_request(c.request) }
+        controller_classes.each do |klass|
+          klass._before_dispatch_callbacks << before_cb
+          klass._after_dispatch_callbacks  << after_cb
+        end
+        blk.arity == 1 ? blk.call(cookie_jar) : blk.call
+        controller_classes.each do |klass|
+          klass._before_dispatch_callbacks.delete before_cb
+          klass._after_dispatch_callbacks.delete after_cb
+        end
+      end
 
       # Dispatches an action to the given class and using HTTP Basic Authentication
       # This bypasses the router and is suitable for unit testing of controllers.
@@ -297,7 +334,7 @@ module Merb
       # The workhorse for the dispatch*to helpers.
       #
       # ==== Parameters
-      # request<Merb::Test::FakeRequest, Merb::Request>::
+      # request<Merb::Test::RequestHelper::FakeRequest, Merb::Request>::
       #   A request object that has been setup for testing.
       # controller_klass<Merb::Controller>::
       #   The class object off the controller to dispatch the action to.
@@ -328,7 +365,7 @@ module Merb
       # Checks to see that a request is routable.
       #
       # ==== Parameters
-      # request<Merb::Test::FakeRequest, Merb::Request>::
+      # request<Merb::Test::RequestHelper::FakeRequest, Merb::Request>::
       #   The request object to inspect.
       #
       # ==== Raises

data/lib/merb-core/test/run_specs.rb

@@ -9,7 +9,8 @@ require 'benchmark'
 # spec_cmd<~to_s>:: The spec command. Defaults to "spec".
 # run_opts<String>:: Options to pass to spec commands, for instance,
 #                    if you want to use profiling formatter.
-def run_specs(globs, spec_cmd='spec', run_opts = "-c")
+# except<Array[String]>:: File paths to skip.
+def run_specs(globs, spec_cmd='spec', run_opts = "-c", except = [])
   require "optparse"
   require "spec"
   globs = globs.is_a?(Array) ? globs : [globs]
@@ -17,7 +18,7 @@ def run_specs(globs, spec_cmd='spec', run_opts = "-c")
 
   time = Benchmark.measure do
     globs.each do |glob|
-      Dir[glob].each do |spec|
+      (Dir[glob] - except).each do |spec|
         STDOUT.puts "\n\nRunning #{spec}...\n"
         response = Open3.popen3("#{spec_cmd} #{File.expand_path(spec)} #{run_opts}") do |i,o,e|
           while out = o.gets
@@ -45,4 +46,4 @@ def run_specs(globs, spec_cmd='spec', run_opts = "-c")
   puts "#{examples} examples, #{failures} failures, #{errors} errors, #{pending} pending, #{sprintf("suite run in %3.3f seconds", time.real)}"
   # TODO: we need to report pending examples all together
   print "\e[0m"
-end
+end

data/lib/merb-core/vendor/facets/inflect.rb

@@ -1,5 +1,3 @@
-module Language
-
 module English
 
   # = English Nouns Number Inflection.
@@ -26,12 +24,12 @@ module English
       #
       # Here we define erratum/errata exception case:
       #
-      # Language::English::Inflector.word "erratum", "errata"
+      # English::Inflect.word "erratum", "errata"
       #
       # In case singular and plural forms are the same omit
       # second argument on call:
       #
-      # Language::English::Inflector.word 'information'
+      # English::Inflect.word 'information'
       def word(singular, plural=nil)
         plural = singular unless plural
         singular_word(singular, plural)
@@ -88,7 +86,7 @@ module English
       #   capitalized (Man => Men)      #
       # ==== Examples
       # Once the following rule is defined:
-      # Language::English::Inflector.rule 'y', 'ies'
+      # English::Inflect.rule 'y', 'ies'
       #
       # You can see the following results:
       # irb> "fly".plural
@@ -113,7 +111,7 @@ module English
       #
       # ==== Examples
       # Once the following rule is defined:
-      # Language::English::Inflector.singular_rule 'o', 'oes'
+      # English::Inflect.singular_rule 'o', 'oes'
       #
       # You can see the following results:
       # irb> "heroes".singular
@@ -132,7 +130,7 @@ module English
       #
       # ==== Examples
       # Once the following rule is defined:
-      # Language::English::Inflector.singular_rule 'fe', 'ves'
+      # English::Inflect.singular_rule 'fe', 'ves'
       #
       # You can see the following results:
       # irb> "wife".plural
@@ -331,15 +329,14 @@ module English
 
   end
 end
-end
 
 class String
   def singular
-    Language::English::Inflect.singular(self)
+    English::Inflect.singular(self)
   end
   alias_method(:singularize, :singular)
   def plural
-    Language::English::Inflect.plural(self)
+    English::Inflect.plural(self)
   end
   alias_method(:pluralize, :plural)
 end

data/lib/merb-core/version.rb

@@ -1,5 +1,5 @@
 module Merb
-  VERSION = '0.9.5' unless defined?(Merb::VERSION)
+  VERSION = '0.9.6' unless defined?(Merb::VERSION)
 
   # Merb::RELEASE meanings:
   # 'dev'   : unreleased