omg-actionpack 8.0.0.alpha1

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "action_dispatch/middleware/session/abstract_store"
+
+module ActionDispatch
+  module Session
+    # # Action Dispatch Session CacheStore
+    #
+    # A session store that uses an ActiveSupport::Cache::Store to store the
+    # sessions. This store is most useful if you don't store critical data in your
+    # sessions and you don't need them to live for extended periods of time.
+    #
+    # #### Options
+    # *   `cache`         - The cache to use. If it is not specified, `Rails.cache`
+    #     will be used.
+    # *   `expire_after`  - The length of time a session will be stored before
+    #     automatically expiring. By default, the `:expires_in` option of the cache
+    #     is used.
+    #
+    class CacheStore < AbstractSecureStore
+      def initialize(app, options = {})
+        @cache = options[:cache] || Rails.cache
+        options[:expire_after] ||= @cache.options[:expires_in]
+        super
+      end
+
+      # Get a session from the cache.
+      def find_session(env, sid)
+        unless sid && (session = get_session_with_fallback(sid))
+          sid, session = generate_sid, {}
+        end
+        [sid, session]
+      end
+
+      # Set a session in the cache.
+      def write_session(env, sid, session, options)
+        key = cache_key(sid.private_id)
+        if session
+          @cache.write(key, session, expires_in: options[:expire_after])
+        else
+          @cache.delete(key)
+        end
+        sid
+      end
+
+      # Remove a session from the cache.
+      def delete_session(env, sid, options)
+        @cache.delete(cache_key(sid.private_id))
+        @cache.delete(cache_key(sid.public_id))
+        generate_sid
+      end
+
+      private
+        # Turn the session id into a cache key.
+        def cache_key(id)
+          "_session_id:#{id}"
+        end
+
+        def get_session_with_fallback(sid)
+          @cache.read(cache_key(sid.private_id)) || @cache.read(cache_key(sid.public_id))
+        end
+    end
+  end
+end

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "active_support/core_ext/hash/keys"
+require "action_dispatch/middleware/session/abstract_store"
+require "rack/session/cookie"
+
+module ActionDispatch
+  module Session
+    # # Action Dispatch Session CookieStore
+    #
+    # This cookie-based session store is the Rails default. It is dramatically
+    # faster than the alternatives.
+    #
+    # Sessions typically contain at most a user ID and flash message; both fit
+    # within the 4096 bytes cookie size limit. A `CookieOverflow` exception is
+    # raised if you attempt to store more than 4096 bytes of data.
+    #
+    # The cookie jar used for storage is automatically configured to be the best
+    # possible option given your application's configuration.
+    #
+    # Your cookies will be encrypted using your application's `secret_key_base`.
+    # This goes a step further than signed cookies in that encrypted cookies cannot
+    # be altered or read by users. This is the default starting in Rails 4.
+    #
+    # Configure your session store in an initializer:
+    #
+    #     Rails.application.config.session_store :cookie_store, key: '_your_app_session'
+    #
+    # In the development and test environments your application's `secret_key_base`
+    # is generated by Rails and stored in a temporary file in
+    # `tmp/local_secret.txt`. In all other environments, it is stored encrypted in
+    # the `config/credentials.yml.enc` file.
+    #
+    # If your application was not updated to Rails 5.2 defaults, the
+    # `secret_key_base` will be found in the old `config/secrets.yml` file.
+    #
+    # Note that changing your `secret_key_base` will invalidate all existing
+    # session. Additionally, you should take care to make sure you are not relying
+    # on the ability to decode signed cookies generated by your app in external
+    # applications or JavaScript before changing it.
+    #
+    # Because CookieStore extends `Rack::Session::Abstract::Persisted`, many of the
+    # options described there can be used to customize the session cookie that is
+    # generated. For example:
+    #
+    #     Rails.application.config.session_store :cookie_store, expire_after: 14.days
+    #
+    # would set the session cookie to expire automatically 14 days after creation.
+    # Other useful options include `:key`, `:secure`, `:httponly`, and `:same_site`.
+    class CookieStore < AbstractSecureStore
+      class SessionId < DelegateClass(Rack::Session::SessionId)
+        attr_reader :cookie_value
+
+        def initialize(session_id, cookie_value = {})
+          super(session_id)
+          @cookie_value = cookie_value
+        end
+      end
+
+      DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection } # :nodoc:
+
+      def initialize(app, options = {})
+        options[:cookie_only] = true
+        options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
+        super
+      end
+
+      def delete_session(req, session_id, options)
+        new_sid = generate_sid unless options[:drop]
+        # Reset hash and Assign the new session id
+        req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
+        new_sid
+      end
+
+      def load_session(req)
+        stale_session_check! do
+          data = unpacked_cookie_data(req)
+          data = persistent_session_id!(data)
+          [Rack::Session::SessionId.new(data["session_id"]), data]
+        end
+      end
+
+      private
+        def extract_session_id(req)
+          stale_session_check! do
+            sid = unpacked_cookie_data(req)["session_id"]
+            sid && Rack::Session::SessionId.new(sid)
+          end
+        end
+
+        def unpacked_cookie_data(req)
+          req.fetch_header("action_dispatch.request.unsigned_session_cookie") do |k|
+            v = stale_session_check! do
+              if data = get_cookie(req)
+                data.stringify_keys!
+              end
+              data || {}
+            end
+            req.set_header k, v
+          end
+        end
+
+        def persistent_session_id!(data, sid = nil)
+          data ||= {}
+          data["session_id"] ||= sid || generate_sid.public_id
+          data
+        end
+
+        def write_session(req, sid, session_data, options)
+          session_data["session_id"] = sid.public_id
+          SessionId.new(sid, session_data)
+        end
+
+        def set_cookie(request, session_id, cookie)
+          cookie_jar(request)[@key] = cookie
+        end
+
+        def get_cookie(req)
+          cookie_jar(req)[@key]
+        end
+
+        def cookie_jar(request)
+          request.cookie_jar.signed_or_encrypted
+        end
+    end
+  end
+end

data/lib/action_dispatch/middleware/session/mem_cache_store.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "action_dispatch/middleware/session/abstract_store"
+begin
+  require "rack/session/dalli"
+rescue LoadError => e
+  warn "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
+  raise e
+end
+
+module ActionDispatch
+  module Session
+    # # Action Dispatch Session MemCacheStore
+    #
+    # A session store that uses MemCache to implement storage.
+    #
+    # #### Options
+    # *   `expire_after`  - The length of time a session will be stored before
+    #     automatically expiring.
+    #
+    class MemCacheStore < Rack::Session::Dalli
+      include Compatibility
+      include StaleSessionCheck
+      include SessionObject
+
+      def initialize(app, options = {})
+        options[:expire_after] ||= options[:expires]
+        super
+      end
+    end
+  end
+end

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "action_dispatch/middleware/exception_wrapper"
+
+module ActionDispatch
+  # # Action Dispatch ShowExceptions
+  #
+  # This middleware rescues any exception returned by the application and calls an
+  # exceptions app that will wrap it in a format for the end user.
+  #
+  # The exceptions app should be passed as a parameter on initialization of
+  # `ShowExceptions`. Every time there is an exception, `ShowExceptions` will
+  # store the exception in `env["action_dispatch.exception"]`, rewrite the
+  # `PATH_INFO` to the exception status code, and call the Rack app.
+  #
+  # In Rails applications, the exceptions app can be configured with
+  # `config.exceptions_app`, which defaults to ActionDispatch::PublicExceptions.
+  #
+  # If the application returns a response with the `X-Cascade` header set to
+  # `"pass"`, this middleware will send an empty response as a result with the
+  # correct status code. If any exception happens inside the exceptions app, this
+  # middleware catches the exceptions and returns a failsafe response.
+  class ShowExceptions
+    def initialize(app, exceptions_app)
+      @app = app
+      @exceptions_app = exceptions_app
+    end
+
+    def call(env)
+      @app.call(env)
+    rescue Exception => exception
+      request = ActionDispatch::Request.new env
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+      request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
+      request.set_header "action_dispatch.report_exception", !wrapper.rescue_response?
+
+      if wrapper.show?(request)
+        render_exception(request.dup, wrapper)
+      else
+        raise exception
+      end
+    end
+
+    private
+      def render_exception(request, wrapper)
+        status = wrapper.status_code
+        request.set_header "action_dispatch.original_path", request.path_info
+        request.set_header "action_dispatch.original_request_method", request.raw_request_method
+        fallback_to_html_format_if_invalid_mime_type(request)
+        request.path_info = "/#{status}"
+        request.request_method = "GET"
+        response = @exceptions_app.call(request.env)
+        response[1][Constants::X_CASCADE] == "pass" ? pass_response(status) : response
+      rescue Exception => failsafe_error
+        $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"
+
+        [500, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" },
+          ["500 Internal Server Error\n" \
+          "If you are the administrator of this website, then please read this web " \
+          "application's log file and/or the web server's log file to find out what " \
+          "went wrong."]]
+      end
+
+      def fallback_to_html_format_if_invalid_mime_type(request)
+        # If the MIME type for the request is invalid then the @exceptions_app may not
+        # be able to handle it. To make it easier to handle, we switch to HTML.
+        begin
+          request.content_mime_type
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "CONTENT_TYPE", "text/html"
+        end
+
+        begin
+          request.formats
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "HTTP_ACCEPT", "text/html"
+        end
+      end
+
+      def pass_response(status)
+        [status, { Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+                  Rack::CONTENT_LENGTH => "0" }, []]
+      end
+  end
+end

data/lib/action_dispatch/middleware/ssl.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionDispatch
+  # # Action Dispatch SSL
+  #
+  # This middleware is added to the stack when `config.force_ssl = true`, and is
+  # passed the options set in `config.ssl_options`. It does three jobs to enforce
+  # secure HTTP requests:
+  #
+  # 1.  **TLS redirect**: Permanently redirects `http://` requests to `https://`
+  #     with the same URL host, path, etc. Enabled by default. Set
+  #     `config.ssl_options` to modify the destination URL:
+  #
+  #         config.ssl_options = { redirect: { host: "secure.widgets.com", port: 8080 }`
+  #
+  #     Or set `redirect: false` to disable redirection.
+  #
+  #     Requests can opt-out of redirection with `exclude`:
+  #
+  #         config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
+  #
+  #     Cookies will not be flagged as secure for excluded requests.
+  #
+  #     When proxying through a load balancer that terminates SSL, the forwarded
+  #     request will appear as though it's HTTP instead of HTTPS to the application.
+  #     This makes redirects and cookie security target HTTP instead of HTTPS.
+  #     To make the server assume that the proxy already terminated SSL, and
+  #     that the request really is HTTPS, set `config.assume_ssl` to `true`:
+  #
+  #         config.assume_ssl = true
+  #
+  # 2.  **Secure cookies**: Sets the `secure` flag on cookies to tell browsers
+  #     they must not be sent along with `http://` requests. Enabled by default.
+  #     Set `config.ssl_options` with `secure_cookies: false` to disable this
+  #     feature.
+  #
+  # 3.  **HTTP Strict Transport Security (HSTS)**: Tells the browser to remember
+  #     this site as TLS-only and automatically redirect non-TLS requests. Enabled
+  #     by default. Configure `config.ssl_options` with `hsts: false` to disable.
+  #
+  #     Set `config.ssl_options` with `hsts: { ... }` to configure HSTS:
+  #
+  #     *   `expires`: How long, in seconds, these settings will stick. The
+  #         minimum required to qualify for browser preload lists is 1 year.
+  #         Defaults to 2 years (recommended).
+  #
+  #     *   `subdomains`: Set to `true` to tell the browser to apply these
+  #         settings to all subdomains. This protects your cookies from
+  #         interception by a vulnerable site on a subdomain. Defaults to `true`.
+  #
+  #     *   `preload`: Advertise that this site may be included in browsers'
+  #         preloaded HSTS lists. HSTS protects your site on every visit *except
+  #         the first visit* since it hasn't seen your HSTS header yet. To close
+  #         this gap, browser vendors include a baked-in list of HSTS-enabled
+  #         sites. Go to https://hstspreload.org to submit your site for
+  #         inclusion. Defaults to `false`.
+  #
+  #
+  #     To turn off HSTS, omitting the header is not enough. Browsers will
+  #     remember the original HSTS directive until it expires. Instead, use the
+  #     header to tell browsers to expire HSTS immediately. Setting `hsts: false`
+  #     is a shortcut for `hsts: { expires: 0 }`.
+  #
+  class SSL
+    # :stopdoc: Default to 2 years as recommended on hstspreload.org.
+    HSTS_EXPIRES_IN = 63072000
+
+    PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
+
+    def self.default_hsts_options
+      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
+    end
+
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, ssl_default_redirect_status: nil)
+      @app = app
+
+      @redirect = redirect
+
+      @exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
+      @secure_cookies = secure_cookies
+
+      @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
+      @ssl_default_redirect_status = ssl_default_redirect_status
+    end
+
+    def call(env)
+      request = Request.new env
+
+      if request.ssl?
+        @app.call(env).tap do |status, headers, body|
+          set_hsts_header! headers
+          flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
+        end
+      else
+        return redirect_to_https request unless @exclude.call(request)
+        @app.call(env)
+      end
+    end
+
+    private
+      def set_hsts_header!(headers)
+        headers[Constants::STRICT_TRANSPORT_SECURITY] ||= @hsts_header
+      end
+
+      def normalize_hsts_options(options)
+        case options
+        # Explicitly disabling HSTS clears the existing setting from browsers by setting
+        # expiry to 0.
+        when false
+          self.class.default_hsts_options.merge(expires: 0)
+        # Default to enabled, with default options.
+        when nil, true
+          self.class.default_hsts_options
+        else
+          self.class.default_hsts_options.merge(options)
+        end
+      end
+
+      # https://tools.ietf.org/html/rfc6797#section-6.1
+      def build_hsts_header(hsts)
+        value = +"max-age=#{hsts[:expires].to_i}"
+        value << "; includeSubDomains" if hsts[:subdomains]
+        value << "; preload" if hsts[:preload]
+        value
+      end
+
+      def flag_cookies_as_secure!(headers)
+        cookies = headers[Rack::SET_COOKIE]
+        return unless cookies
+
+        if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+          cookies = cookies.split("\n")
+          headers[Rack::SET_COOKIE] = cookies.map { |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          }.join("\n")
+        else
+          headers[Rack::SET_COOKIE] = Array(cookies).map do |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          end
+        end
+      end
+
+      def redirect_to_https(request)
+        [ @redirect.fetch(:status, redirection_status(request)),
+          { Rack::CONTENT_TYPE => "text/html; charset=utf-8",
+            Constants::LOCATION => https_location_for(request) },
+          (@redirect[:body] || []) ]
+      end
+
+      def redirection_status(request)
+        if PERMANENT_REDIRECT_REQUEST_METHODS.include?(request.raw_request_method)
+          301 # Issue a permanent redirect via a GET request.
+        elsif @ssl_default_redirect_status
+          @ssl_default_redirect_status
+        else
+          307 # Issue a fresh request redirect to preserve the HTTP method.
+        end
+      end
+
+      def https_location_for(request)
+        host = @redirect[:host] || request.host
+        port = @redirect[:port] || request.port
+
+        location = +"https://#{host}"
+        location << ":#{port}" if port != 80 && port != 443
+        location << request.fullpath
+        location
+      end
+  end
+end

data/lib/action_dispatch/middleware/stack.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "active_support/inflector/methods"
+require "active_support/dependencies"
+
+module ActionDispatch
+  # # Action Dispatch MiddlewareStack
+  #
+  # Read more about [Rails middleware
+  # stack](https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack)
+  # in the guides.
+  class MiddlewareStack
+    class Middleware
+      attr_reader :args, :block, :klass
+
+      def initialize(klass, args, block)
+        @klass = klass
+        @args  = args
+        @block = block
+      end
+
+      def name; klass.name; end
+
+      def ==(middleware)
+        case middleware
+        when Middleware
+          klass == middleware.klass
+        when Module
+          klass == middleware
+        end
+      end
+
+      def inspect
+        if klass.is_a?(Module)
+          klass.to_s
+        else
+          klass.class.to_s
+        end
+      end
+
+      def build(app)
+        klass.new(app, *args, &block)
+      end
+
+      def build_instrumented(app)
+        InstrumentationProxy.new(build(app), inspect)
+      end
+    end
+
+    # This class is used to instrument the execution of a single middleware. It
+    # proxies the `call` method transparently and instruments the method call.
+    class InstrumentationProxy
+      EVENT_NAME = "process_middleware.action_dispatch"
+
+      def initialize(middleware, class_name)
+        @middleware = middleware
+
+        @payload = {
+          middleware: class_name,
+        }
+      end
+
+      def call(env)
+        ActiveSupport::Notifications.instrument(EVENT_NAME, @payload) do
+          @middleware.call(env)
+        end
+      end
+    end
+
+    include Enumerable
+
+    attr_accessor :middlewares
+
+    def initialize(*args)
+      @middlewares = []
+      yield(self) if block_given?
+    end
+
+    def each(&block)
+      @middlewares.each(&block)
+    end
+
+    def size
+      middlewares.size
+    end
+
+    def last
+      middlewares.last
+    end
+
+    def [](i)
+      middlewares[i]
+    end
+
+    def unshift(klass, *args, &block)
+      middlewares.unshift(build_middleware(klass, args, block))
+    end
+    ruby2_keywords(:unshift)
+
+    def initialize_copy(other)
+      self.middlewares = other.middlewares.dup
+    end
+
+    def insert(index, klass, *args, &block)
+      index = assert_index(index, :before)
+      middlewares.insert(index, build_middleware(klass, args, block))
+    end
+    ruby2_keywords(:insert)
+
+    alias_method :insert_before, :insert
+
+    def insert_after(index, *args, &block)
+      index = assert_index(index, :after)
+      insert(index + 1, *args, &block)
+    end
+    ruby2_keywords(:insert_after)
+
+    def swap(target, *args, &block)
+      index = assert_index(target, :before)
+      insert(index, *args, &block)
+      middlewares.delete_at(index + 1)
+    end
+    ruby2_keywords(:swap)
+
+    # Deletes a middleware from the middleware stack.
+    #
+    # Returns the array of middlewares not including the deleted item, or returns
+    # nil if the target is not found.
+    def delete(target)
+      middlewares.reject! { |m| m.name == target.name }
+    end
+
+    # Deletes a middleware from the middleware stack.
+    #
+    # Returns the array of middlewares not including the deleted item, or raises
+    # `RuntimeError` if the target is not found.
+    def delete!(target)
+      delete(target) || (raise "No such middleware to remove: #{target.inspect}")
+    end
+
+    def move(target, source)
+      source_index = assert_index(source, :before)
+      source_middleware = middlewares.delete_at(source_index)
+
+      target_index = assert_index(target, :before)
+      middlewares.insert(target_index, source_middleware)
+    end
+
+    alias_method :move_before, :move
+
+    def move_after(target, source)
+      source_index = assert_index(source, :after)
+      source_middleware = middlewares.delete_at(source_index)
+
+      target_index = assert_index(target, :after)
+      middlewares.insert(target_index + 1, source_middleware)
+    end
+
+    def use(klass, *args, &block)
+      middlewares.push(build_middleware(klass, args, block))
+    end
+    ruby2_keywords(:use)
+
+    def build(app = nil, &block)
+      instrumenting = ActiveSupport::Notifications.notifier.listening?(InstrumentationProxy::EVENT_NAME)
+      middlewares.freeze.reverse.inject(app || block) do |a, e|
+        if instrumenting
+          e.build_instrumented(a)
+        else
+          e.build(a)
+        end
+      end
+    end
+
+    private
+      def assert_index(index, where)
+        i = index.is_a?(Integer) ? index : index_of(index)
+        raise "No such middleware to insert #{where}: #{index.inspect}" unless i
+        i
+      end
+
+      def build_middleware(klass, args, block)
+        Middleware.new(klass, args, block)
+      end
+
+      def index_of(klass)
+        middlewares.index do |m|
+          m.name == klass.name
+        end
+      end
+  end
+end