quantipay-ssl_requirement 1.1.1

data/README

@@ -0,0 +1,89 @@
+SSL Requirement
+===============
+
+SSL requirement adds a declarative way of specifying that certain actions
+should only be allowed to run under SSL, and if they're accessed without it,
+they should be redirected.
+
+Example:
+
+  class ApplicationController < ActionController::Base
+    include SslRequirement
+  end
+
+  class AccountController < ApplicationController
+    ssl_required :signup, :payment 
+    ssl_allowed :index
+    
+    def signup
+      # Non-SSL access will be redirected to SSL
+    end
+    
+    def payment
+      # Non-SSL access will be redirected to SSL
+    end
+
+    def index
+      # This action will work either with or without SSL
+    end
+
+    def other
+      # SSL access will be redirected to non-SSL
+    end
+  end
+  
+If a majority (or all) of your actions require SSL, then use ssl_exceptions instead of ssl_required.
+You can list out the actions that you do NOT want to be SSL protected. Calling ssl_exceptions without 
+any actions listed will make ALL actions SSL protected. 
+ 
+You can overwrite the protected method ssl_required? to rely on other things
+than just the declarative specification. Say, only premium accounts get SSL.
+
+For SSL domains that differ from the domain of the redirecting site, add the 
+following code to development.rb / test.rb / production.rb:
+
+# Redirects to https://secure.example.com instead of the default 
+# https://www.example.com.
+config.after_initialize do
+  SslRequirement.ssl_host = 'secure.example.com'
+end
+
+You are able to turn disable ssl redirects by adding the following environment configuration file:
+  SslRequirement.disable_ssl_check = true
+  
+P.S.: Beware when you include the SslRequirement module. At the time of
+inclusion, it'll add the before_filter that validates the declarations. Some
+times you'll want to run other before_filters before that. They should then be
+declared ahead of including this module.
+  
+SSL URL Helper
+==============
+This plugin also adds a helper a :secure option to url_for and named_routes. This property
+allows you to set a url as secure or not secure. It uses the disable_ssl_check to determine
+if the option should be ignored or not so you can develop as normal.
+
+Here is an example of creating a secure url:
+
+<%= url_for(:controller => "c", :action => "a", :secure => true) %>
+
+If disable_ssl_check returns false url_for will return the following:
+
+https://yoursite.com/c/a
+
+Furthermore, you can use the secure option in a named route to create a secure form as follows:
+
+<% form_tag session_path(:secure => true), :class => 'home_login' do -%>
+  <p>
+    <label for="name">Email</label>
+    <%= text_field_tag 'email', '', :class => 'text', :tabindex => 1 %>
+  </p>
+  <p>
+    <label for="password">Password</label>
+    <%= password_field_tag 'password', '', :class => 'text', :tabindex => 2 %>
+  </p>
+  <p>
+    <%= submit_tag "Login", :id => 'login_submit', :value => "", :alt => "Login" %>
+  </p>
+<% end -%>
+
+Copyright (c) 2005 David Heinemeier Hansson, released under the MIT license

data/VERSION.yml

@@ -0,0 +1,4 @@
+--- 
+patch: 1
+major: 1
+minor: 1

data/lib/ssl_requirement.rb

@@ -0,0 +1,90 @@
+require "#{File.dirname(__FILE__)}/url_rewriter"
+
+# Copyright (c) 2005 David Heinemeier Hansson
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+module SslRequirement
+  mattr_reader :ssl_host
+  
+  def self.ssl_host=(host)
+    @@ssl_host = host
+  end
+  
+  def self.disable_ssl_check?
+    @@disable_ssl_check ||= false
+  end
+
+  def self.disable_ssl_check=(value)
+    @@disable_ssl_check = value
+  end
+
+  module ClassMethods
+    # Specifies that the named actions requires an SSL connection to be performed (which is enforced by ensure_proper_protocol).
+    def ssl_required(*actions)
+      write_inheritable_array(:ssl_required_actions, actions)
+    end
+
+    def ssl_exceptions(*actions)
+      write_inheritable_array(:ssl_required_except_actions, actions)
+    end
+
+    def ssl_allowed(*actions)
+      write_inheritable_array(:ssl_allowed_actions, actions)
+    end
+  end
+
+  protected
+    # Returns true if the current action is supposed to run as SSL
+    def ssl_required?
+      required = (self.class.read_inheritable_attribute(:ssl_required_actions) || [])
+      except  = self.class.read_inheritable_attribute(:ssl_required_except_actions)
+
+      unless except
+        required.include?(action_name.to_sym)
+      else
+        !except.include?(action_name.to_sym)
+      end
+    end
+
+    def ssl_allowed?
+      (self.class.read_inheritable_attribute(:ssl_allowed_actions) || []).include?(action_name.to_sym)
+    end
+
+  private
+    def self.included(controller)
+      controller.extend(ClassMethods)
+      controller.before_filter(:ensure_proper_protocol)
+    end
+
+    def ensure_proper_protocol
+      return true if SslRequirement.disable_ssl_check?
+      return true if ssl_allowed?
+
+      if ssl_required? && !request.ssl?
+        redirect_to "https://" + (ssl_host || request.host) + request.request_uri
+        flash.keep
+        return false
+      elsif request.ssl? && !ssl_required?
+        redirect_to "http://" + request.host + request.request_uri
+        flash.keep
+        return false
+      end
+    end
+end

data/lib/url_rewriter.rb

@@ -0,0 +1,25 @@
+require 'action_controller/url_rewriter'
+require 'action_controller/routing/optimisations'
+
+module ActionController
+  class UrlRewriter
+    # Add a secure option to the rewrite method.
+    def rewrite_with_secure_option(options = {})
+      secure = options.delete(:secure)
+      options.merge!(:only_path => false, :protocol => secure ? 'https' : 'http') unless SslRequirement.disable_ssl_check?
+      rewrite_without_secure_option options
+    end
+    alias_method_chain :rewrite, :secure_option
+  end
+
+  module Routing
+    module Optimisation
+      class PositionalArgumentsWithAdditionalParams
+        def guard_conditions_with_secure_option
+          guard_conditions_without_secure_option + ['!args.last.has_key?(:secure)']
+        end
+        alias_method_chain :guard_conditions, :secure_option
+      end
+    end
+  end
+end

data/test/ssl_requirement_test.rb

@@ -0,0 +1,220 @@
+require 'set'
+require 'rubygems'
+require 'activesupport'
+begin
+  require 'action_controller'
+rescue LoadError
+  if ENV['ACTIONCONTROLLER_PATH'].nil?
+    abort <<MSG
+Please set the ACTIONCONTROLLER_PATH environment variable to the directory
+containing the action_controller.rb file.
+MSG
+  else
+    $LOAD_PATH.unshift ENV['ACTIONCONTROLLER_PATH']
+    begin
+      require 'action_controller'
+    rescue LoadError
+      abort "ActionController could not be found."
+    end
+  end
+end
+
+require 'action_controller/test_process'
+require 'test/unit'
+require "#{File.dirname(__FILE__)}/../lib/ssl_requirement"
+
+ActionController::Base.logger = nil
+ActionController::Routing::Routes.reload rescue nil
+
+class SslRequirementController < ActionController::Base
+  include SslRequirement
+  
+  ssl_required :a, :b
+  ssl_allowed :c
+  
+  def a
+    render :nothing => true
+  end
+  
+  def b
+    render :nothing => true
+  end
+  
+  def c
+    render :nothing => true
+  end
+  
+  def d
+    render :nothing => true
+  end
+  
+  def set_flash
+    flash[:foo] = "bar"
+  end
+end
+
+class SslExceptionController < ActionController::Base
+  include SslRequirement
+  
+  ssl_required  :a
+  ssl_exceptions :b
+  ssl_allowed :d
+    
+  def a
+    render :nothing => true
+  end
+  
+  def b
+    render :nothing => true
+  end
+  
+  def c
+    render :nothing => true
+  end
+  
+  def d
+    render :nothing => true
+  end
+  
+  def set_flash
+    flash[:foo] = "bar"
+  end
+end
+
+class SslAllActionsController < ActionController::Base
+  include SslRequirement
+  
+  ssl_exceptions
+    
+  def a
+    render :nothing => true
+  end
+  
+end
+
+class SslRequirementTest < Test::Unit::TestCase
+  def setup
+    @controller = SslRequirementController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+  end
+  
+  def test_redirect_to_https_preserves_flash
+    get :set_flash
+    get :b
+    assert_response :redirect
+    assert_equal "bar", flash[:foo]
+  end
+  
+  def test_not_redirecting_to_https_does_not_preserve_the_flash
+    get :set_flash
+    get :d
+    assert_response :success
+    assert_nil flash[:foo]
+  end
+  
+  def test_redirect_to_http_preserves_flash
+    get :set_flash
+    @request.env['HTTPS'] = "on"
+    get :d
+    assert_response :redirect
+    assert_equal "bar", flash[:foo]
+  end
+  
+  def test_not_redirecting_to_http_does_not_preserve_the_flash
+    get :set_flash
+    @request.env['HTTPS'] = "on"
+    get :a
+    assert_response :success
+    assert_nil flash[:foo]
+  end
+  
+  def test_required_without_ssl
+    assert_not_equal "on", @request.env["HTTPS"]
+    get :a
+    assert_response :redirect
+    assert_match %r{^https://}, @response.headers['Location']
+    get :b
+    assert_response :redirect
+    assert_match %r{^https://}, @response.headers['Location']
+  end
+  
+  def test_required_with_ssl
+    @request.env['HTTPS'] = "on"
+    get :a
+    assert_response :success
+    get :b
+    assert_response :success
+  end
+
+  def test_disallowed_without_ssl
+    assert_not_equal "on", @request.env["HTTPS"]
+    get :d
+    assert_response :success
+  end
+  
+  def test_ssl_exceptions_without_ssl
+    @controller = SslExceptionController.new
+    get :a
+    assert_response :redirect
+    assert_match %r{^https://}, @response.headers['Location']
+    
+    get :b
+    assert_response :success
+    
+    get :c # c is not explicity in ssl_required, but it is not listed in ssl_exceptions
+    assert_response :redirect
+    assert_match %r{^https://}, @response.headers['Location']
+  end
+    
+  def test_ssl_exceptions_with_ssl
+    @controller = SslExceptionController.new
+    @request.env['HTTPS'] = "on"
+    get :a
+    assert_response :success
+    
+    @request.env['HTTPS'] = "on"
+    get :c
+    assert_response :success
+  end
+  
+  def test_ssl_all_actions_without_ssl
+    @controller = SslAllActionsController.new
+    get :a
+    
+    assert_response :redirect
+    assert_match %r{^https://}, @response.headers['Location']
+  end
+  
+  def test_disallowed_with_ssl
+    @request.env['HTTPS'] = "on"
+    get :d
+    assert_response :redirect
+    assert_match %r{^http://}, @response.headers['Location']
+  end
+
+  def test_allowed_without_ssl
+    assert_not_equal "on", @request.env["HTTPS"]
+    get :c
+    assert_response :success
+  end
+
+  def test_allowed_with_ssl
+    @request.env['HTTPS'] = "on"
+    get :c
+    assert_response :success
+  end
+
+  def test_disable_ssl_check
+    SslRequirement.disable_ssl_check = true
+
+    assert_not_equal "on", @request.env["HTTPS"]
+    get :a
+    assert_response :success
+    get :b
+    assert_response :success
+  ensure
+    SslRequirement.disable_ssl_check = false
+  end
+  
+end

data/test/url_rewriter_test.rb

@@ -0,0 +1,77 @@
+$:.unshift(File.dirname(__FILE__) + '/../lib')
+
+require 'rubygems'
+require 'test/unit'
+require 'action_controller'
+require 'action_controller/test_process'
+
+require "ssl_requirement"
+
+# Show backtraces for deprecated behavior for quicker cleanup.
+ActiveSupport::Deprecation.debug = true
+ActionController::Base.logger = nil
+ActionController::Routing::Routes.reload rescue nil
+
+class UrlRewriterTest < Test::Unit::TestCase
+  def setup
+    @request = ActionController::TestRequest.new
+    @params = {}
+    @rewriter = ActionController::UrlRewriter.new(@request, @params)
+    
+    puts @url_rewriter.to_s
+  end
+
+  def test_rewrite_secure_false
+    SslRequirement.disable_ssl_check = false
+    assert_equal('http://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => false)
+    )
+    assert_equal('http://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => false, :only_path => true)
+    )
+    
+    SslRequirement.disable_ssl_check = true
+    assert_equal('http://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => false)
+    )
+    assert_equal('/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => false, :only_path => true)
+    )
+  end
+  
+  def test_rewrite_secure_true
+    SslRequirement.disable_ssl_check = false
+    assert_equal('https://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => true)
+    )
+    assert_equal('https://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => true, :only_path => true)
+    )
+    
+    SslRequirement.disable_ssl_check = true
+    assert_equal('http://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => true)
+    )
+    assert_equal('/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :secure => true, :only_path => true)
+    )
+  end
+  
+  def test_rewrite_secure_not_specified
+    SslRequirement.disable_ssl_check = false
+    assert_equal('http://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a')
+    )
+    assert_equal('/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :only_path => true)
+    )
+    
+    SslRequirement.disable_ssl_check = true
+    assert_equal('http://test.host/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a')
+    )
+    assert_equal('/c/a',
+      @rewriter.rewrite(:controller => 'c', :action => 'a', :only_path => true)
+    )
+  end
+end

metadata

@@ -0,0 +1,69 @@
+--- !ruby/object:Gem::Specification 
+name: quantipay-ssl_requirement
+version: !ruby/object:Gem::Version 
+  version: 1.1.1
+platform: ruby
+authors: 
+- RailsJedi
+- David Heinemeier Hansson
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-02-19 00:00:00 -08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rails
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "2.1"
+    version: 
+description: SSL requirement adds a declarative way of specifying that certain actions should only be allowed to run under SSL, and if they're accessed without it, they should be redirected.
+email: railsjedi@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+files: 
+- VERSION.yml
+- lib/ssl_requirement.rb
+- lib/url_rewriter.rb
+- test/ssl_requirement_test.rb
+- test/url_rewriter_test.rb
+- README
+has_rdoc: true
+homepage: http://github.com/tbmcmullen/ssl_requirement
+post_install_message: 
+rdoc_options: 
+- --main
+- README
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Allow controller actions to force SSL on specific parts of the site.
+test_files: []
+