RubyGems - rack-padlock - Versions diffs - 0.0.1 - Mend

rack-padlock 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

data/README.md ADDED Viewed

@@ -0,0 +1,36 @@
+rack-padlock
+=======
+A toolkit for writing tests against rack applications that ensure all traffic on a page is secure.
+###Prerequisites
+1. You need to have a rack based application
+2. The application must have a browser based integration test suite.  I recommend capybara.
+3. Your integration tests must use HTTPS
+## Setup
+Add rack-padlock gem to your test group
+```bash
+group :test do
+  gem 'rack-padlock'
+end
+```
+Add rack-padlock middleware to your app
+```bash
+group :test do
+  gem 'rack-padlock'
+end
+```
+Please see the example application at https://github.com/joshuacronemeyer/rack-padlock-example-app
+how it works
+=======
+Please see https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

data/lib/rack/padlock/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module Rack
+  class Padlock
+    VERSION = "0.0.1"
+  end
+end

data/lib/rack/padlock.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module Rack
+  class Padlock
+    POST_BODY  = 'rack.input'.freeze
+    def initialize(app, options={})
+      default_options = {
+        :log_file => "tmp/padlock.log"
+      }
+      @app = app
+      @options = default_options.merge(options)
+    end
+    def call(env)
+      return capture_violation(env) if csp_policy_violation?(env)
+      status, headers, body = @app.call(env)
+      headers.merge!(csp_headers(env))
+      [status, headers, body]
+    end
+    private
+    def capture_violation(env)
+      violation = env[POST_BODY].read
+      PadlockFile.write(@options[:log_file], violation)
+      [200, {}, []]
+    end
+    def csp_policy_violation?(env)
+      env['PATH_INFO'] =~ /padlock_middleware\/report$/
+    end
+    def csp_headers(env)
+      host = env["HTTP_HOST"]
+      report_uri = "#{host}/padlock_middleware/report"
+      csp_header_names = %w(Content-Security-Policy-Report-Only X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
+      csp_headers = {}
+      csp_header_names.each{|name| csp_headers[name] = "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://#{report_uri}"}
+      csp_headers
+    end
+    class PadlockFile
+      def self.write(file, violation)
+        ::File.open(file, 'a+') { |file| file.puts violation.strip }
+      end
+    end
+  end
+end

data/lib/rack-padlock.rb ADDED Viewed

@@ -0,0 +1,4 @@
+# Author:: Josh Cronemeyer
+# Copyright:: Copyright (c) 2013
+# License:: MIT License (http://www.opensource.org/licenses/mit-license.php)
+require 'rack/padlock'

data/lib/tasks/rack-padlock.rake ADDED Viewed

@@ -0,0 +1,23 @@
+require 'rainbow'
+PADLOCK_LOG = 'tmp/padlock.log'
+desc "Test for padlock"
+task :padlock_test => [:padlock_clean, :test] do
+  contents = File.open(PADLOCK_LOG, 'r') { |f| f.readlines }
+  if File.size? PADLOCK_LOG
+    puts "Padlock test failure: Insecure content is being loaded on the page.".foreground(:red)
+    contents.each do |line|
+      blocked_uri = line.match(/blocked-uri":"([^"]+)/)[1].foreground(:yellow)
+      violated_directive = line.match(/violated-directive":"([^"]+)/)[1].foreground(:magenta)
+      puts "Request for #{blocked_uri} has violated directive #{violated_directive}"
+    end
+    exit 1
+  else
+    puts "Padlock test success: page is secure.".foreground(:green)
+  end
+end
+desc "Clean padlock logs"
+task :padlock_clean do
+  File.truncate('tmp/padlock.log', 0) if File.exist?(PADLOCK_LOG)
+end

data/test/rack_padlock_test.rb ADDED Viewed

@@ -0,0 +1,70 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+class RackPadlockTest < MiniTest::Unit::TestCase
+  describe "Padlock middleware headers" do
+    before do
+      mock_app
+    end
+    it "sets CSP report only" do
+      get 'http://oregonhero.com/wagons/1'
+      last_response.headers['Content-Security-Policy-Report-Only'].wont_be_nil
+      last_response.headers['X-Content-Security-Policy-Report-Only'].wont_be_nil
+      last_response.headers['X-WebKit-CSP-Report-Only'].wont_be_nil
+    end
+    it "sets the report-uri to a value that will be intercepted by padlock middleware" do
+      get 'http://oregonhero.com/wagons/1', {}, 'HTTP_HOST' => "http://oregonhero.com"
+      last_response.headers['Content-Security-Policy-Report-Only'].must_match "http://oregonhero.com/padlock_middleware/report"
+    end
+  end
+  describe "Padlock captures policy violation reports" do
+    before do
+      mock_app
+    end
+    it "prevents the policy violations from going to the app" do
+      post 'http://oregonhero.com/padlock_middleware/report' do
+        "Knock, Knock"
+      end
+      last_response.status.must_equal 200
+      last_response.body.must_equal ""
+    end
+    it "doesn't interfere with other traffic" do
+      get 'http://oregonhero.com/wagons/1'
+      last_response.body.must_equal "Hello world!"
+    end
+    # TODO figure out how to set the post data so we can test we log it.
+    # it "logs policy violations to padlock logfile" do
+    #       post 'http://oregonhero.com/padlock_middleware/report', {}, {"RAW_POST_DATA" => "Knock"}
+    #       last_response.status.must_equal 200
+    #       last_response.body.must_equal ""
+    #       Rack::Padlock::PadlockFile.last_output.must_match /Knock/
+    #     end
+  end
+  class Rack::Padlock::PadlockFile
+    @@last_output = ""
+    def self.write(data)
+      @@last_output = data
+    end
+    def self.last_output
+      @@last_output
+    end
+    def self.last_output=(data)
+      @@last_output = data
+    end
+  end
+  class DummyApp
+    def call(env)
+      return [{}, {}, {}]
+    end
+  end
+end

data/test/test_helper.rb ADDED Viewed

@@ -0,0 +1,24 @@
+require 'minitest/autorun'
+require 'rack/mock'
+require 'rack/test'
+require 'rack/padlock'
+class MiniTest::Unit::TestCase
+  include Rack::Test::Methods
+  def app; Rack::Lint.new(@app); end
+  def mock_app(options = {})
+    main_app = lambda { |env|
+      request = Rack::Request.new(env)
+      headers = {'Content-Type' => "text/html"}
+      [200, headers, ['Hello world!']]
+    }
+    builder = Rack::Builder.new
+    builder.use Rack::Padlock, options
+    builder.run main_app
+    @app = builder.to_app
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: rack-padlock
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease:
+platform: ruby
+authors:
+- Josh Cronemeyer
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2013-02-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: &70300117186540 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70300117186540
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: &70300117186000 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70300117186000
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: &70300117185120 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117185120
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &70300117183780 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117183780
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: &70300117183120 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117183120
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &70300117182600 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70300117182600
+description: A Gem for testing web applications don't generate mixed secure/insecure
+  traffic. Keep that browser padlock locked!
+email: joshuacronemeyer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/rack/padlock/version.rb
+- lib/rack/padlock.rb
+- lib/rack-padlock.rb
+- lib/tasks/rack-padlock.rake
+- README.md
+- test/rack_padlock_test.rb
+- test/test_helper.rb
+homepage: https://github.com/joshuacronemeyer/rack-padlock
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.10
+signing_key:
+specification_version: 3
+summary: A Toolkit for writing tests that ensure all traffic on a page is secure.
+test_files:
+- test/rack_padlock_test.rb
+- test/test_helper.rb