rack-padlock 0.0.1

data/README.md

@@ -0,0 +1,36 @@
+rack-padlock
+=======
+
+A toolkit for writing tests against rack applications that ensure all traffic on a page is secure.
+
+###Prerequisites
+
+1. You need to have a rack based application
+2. The application must have a browser based integration test suite.  I recommend capybara.
+3. Your integration tests must use HTTPS
+
+## Setup
+
+Add rack-padlock gem to your test group
+
+```bash
+group :test do
+  gem 'rack-padlock'
+end
+```
+
+Add rack-padlock middleware to your app
+
+```bash
+group :test do
+  gem 'rack-padlock'
+end
+```
+
+Please see the example application at https://github.com/joshuacronemeyer/rack-padlock-example-app
+
+how it works
+=======
+
+
+Please see https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

data/lib/rack/padlock/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class Padlock
+    VERSION = "0.0.1"
+  end
+end

data/lib/rack/padlock.rb

@@ -0,0 +1,48 @@
+module Rack
+  class Padlock
+    POST_BODY  = 'rack.input'.freeze
+    
+    def initialize(app, options={})
+      default_options = {
+        :log_file => "tmp/padlock.log"
+      }
+      @app = app
+      @options = default_options.merge(options)
+    end
+
+    def call(env)
+      return capture_violation(env) if csp_policy_violation?(env)
+      status, headers, body = @app.call(env)
+      headers.merge!(csp_headers(env))
+      [status, headers, body]
+    end
+  
+    private
+  
+    def capture_violation(env)
+      violation = env[POST_BODY].read
+      PadlockFile.write(@options[:log_file], violation)
+      [200, {}, []]
+    end
+  
+    def csp_policy_violation?(env)
+      env['PATH_INFO'] =~ /padlock_middleware\/report$/
+    end
+  
+    def csp_headers(env)
+      host = env["HTTP_HOST"]
+      report_uri = "#{host}/padlock_middleware/report"
+      csp_header_names = %w(Content-Security-Policy-Report-Only X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
+      csp_headers = {}
+      csp_header_names.each{|name| csp_headers[name] = "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://#{report_uri}"}
+      csp_headers
+    end
+    
+    class PadlockFile
+      def self.write(file, violation)
+        ::File.open(file, 'a+') { |file| file.puts violation.strip }
+      end
+    end
+    
+  end
+end

data/lib/rack-padlock.rb

@@ -0,0 +1,4 @@
+# Author:: Josh Cronemeyer
+# Copyright:: Copyright (c) 2013
+# License:: MIT License (http://www.opensource.org/licenses/mit-license.php)
+require 'rack/padlock'

data/lib/tasks/rack-padlock.rake

@@ -0,0 +1,23 @@
+require 'rainbow'
+PADLOCK_LOG = 'tmp/padlock.log'
+
+desc "Test for padlock"
+task :padlock_test => [:padlock_clean, :test] do
+  contents = File.open(PADLOCK_LOG, 'r') { |f| f.readlines }
+  if File.size? PADLOCK_LOG
+    puts "Padlock test failure: Insecure content is being loaded on the page.".foreground(:red)
+    contents.each do |line|
+      blocked_uri = line.match(/blocked-uri":"([^"]+)/)[1].foreground(:yellow)
+      violated_directive = line.match(/violated-directive":"([^"]+)/)[1].foreground(:magenta)
+      puts "Request for #{blocked_uri} has violated directive #{violated_directive}"
+    end
+    exit 1
+  else
+    puts "Padlock test success: page is secure.".foreground(:green)
+  end
+end
+
+desc "Clean padlock logs"
+task :padlock_clean do
+  File.truncate('tmp/padlock.log', 0) if File.exist?(PADLOCK_LOG)
+end

data/test/rack_padlock_test.rb

@@ -0,0 +1,70 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+
+class RackPadlockTest < MiniTest::Unit::TestCase
+  
+  describe "Padlock middleware headers" do
+    before do
+      mock_app
+    end
+    
+    it "sets CSP report only" do
+      get 'http://oregonhero.com/wagons/1'
+      last_response.headers['Content-Security-Policy-Report-Only'].wont_be_nil
+      last_response.headers['X-Content-Security-Policy-Report-Only'].wont_be_nil
+      last_response.headers['X-WebKit-CSP-Report-Only'].wont_be_nil
+    end
+    
+    it "sets the report-uri to a value that will be intercepted by padlock middleware" do
+      get 'http://oregonhero.com/wagons/1', {}, 'HTTP_HOST' => "http://oregonhero.com"
+      last_response.headers['Content-Security-Policy-Report-Only'].must_match "http://oregonhero.com/padlock_middleware/report"
+    end
+  end
+  
+  describe "Padlock captures policy violation reports" do
+    before do
+      mock_app
+    end
+    
+    it "prevents the policy violations from going to the app" do
+      post 'http://oregonhero.com/padlock_middleware/report' do 
+        "Knock, Knock" 
+      end
+      last_response.status.must_equal 200
+      last_response.body.must_equal ""
+    end
+    
+    it "doesn't interfere with other traffic" do
+      get 'http://oregonhero.com/wagons/1'
+      last_response.body.must_equal "Hello world!"
+    end
+    
+    # TODO figure out how to set the post data so we can test we log it.
+    # it "logs policy violations to padlock logfile" do
+    #       post 'http://oregonhero.com/padlock_middleware/report', {}, {"RAW_POST_DATA" => "Knock"}
+    #       last_response.status.must_equal 200
+    #       last_response.body.must_equal ""
+    #       Rack::Padlock::PadlockFile.last_output.must_match /Knock/
+    #     end
+  end
+  
+  class Rack::Padlock::PadlockFile
+    @@last_output = ""
+    def self.write(data)
+      @@last_output = data
+    end
+    
+    def self.last_output
+      @@last_output
+    end
+    
+    def self.last_output=(data)
+      @@last_output = data
+    end
+  end
+  
+  class DummyApp
+    def call(env)
+      return [{}, {}, {}]
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,24 @@
+require 'minitest/autorun'
+require 'rack/mock'
+require 'rack/test'
+require 'rack/padlock'
+
+class MiniTest::Unit::TestCase
+  include Rack::Test::Methods
+
+  def app; Rack::Lint.new(@app); end
+
+  def mock_app(options = {})
+    main_app = lambda { |env|
+      request = Rack::Request.new(env)
+      headers = {'Content-Type' => "text/html"}
+      [200, headers, ['Hello world!']]
+    }
+
+    builder = Rack::Builder.new
+    builder.use Rack::Padlock, options
+    builder.run main_app
+    @app = builder.to_app
+  end
+
+end

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: rack-padlock
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Josh Cronemeyer
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-02-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: &70300117186540 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70300117186540
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: &70300117186000 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70300117186000
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: &70300117185120 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117185120
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &70300117183780 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117183780
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: &70300117183120 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117183120
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &70300117182600 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117182600
+description: A Gem for testing web applications don't generate mixed secure/insecure
+  traffic. Keep that browser padlock locked!
+email: joshuacronemeyer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/rack/padlock/version.rb
+- lib/rack/padlock.rb
+- lib/rack-padlock.rb
+- lib/tasks/rack-padlock.rake
+- README.md
+- test/rack_padlock_test.rb
+- test/test_helper.rb
+homepage: https://github.com/joshuacronemeyer/rack-padlock
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: A Toolkit for writing tests that ensure all traffic on a page is secure.
+test_files:
+- test/rack_padlock_test.rb
+- test/test_helper.rb