rack-profiler 0.0.5 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d84a8f5ef46d358a0da6c75940fdb9c5faf28d2c
-  data.tar.gz: 80a1d8da3c99c037717710177999f98a90d2e6d6
+  metadata.gz: ada3784e0444ea4df49d755fac6dc82e3ae30ee2
+  data.tar.gz: 7611769984c985b48d7a49cfb36750a92c000da3
 SHA512:
-  metadata.gz: 875f0998cdf03527b766fa2b9d83fa946673683fdd4842e737fa69fe8c82fb5a60fcf8767fccd0b1249f5d9354206189c364b96015fde59f4a25dcc945f73da6
-  data.tar.gz: 3c71402f03f05b104d2d5a2294ff17e4533e24b9925a75e2bc436ac1704f4be750bc7bdb04b597a581de362ddc36c5044d1870f7d6ca56bddc22bdd0579334e9
+  metadata.gz: c3d87464a4fdf2c46f2f236ff9633b042535ffdf5184fe03453d11706e77b2b2b27a9de0dfc76dfcf87308458a5d1e5aa9f11be2fc1e4ef19adf21fe721eda89
+  data.tar.gz: 62c9a482614f8be5ddde9917ac96c0f36eb278b5d7e62d479682f574b5c677a90c4f704c4ca5414e4eec802574951f3ccd2d5bfe589fd28fb03016ede66e9b61

data/README.md

@@ -55,27 +55,33 @@ require 'rack/profiler'
 use Rack::Profiler
 ```
 
+NOTE: you should not expose the profiler publicly in the production environment,
+as it may contain sensitive information. Refer to the [`authorization
+section`](#authorization) on how to protect it.
+
 ### Rails
 
 You can add the `Rack::Profiler` middleware at the beginning of your `config.ru`
 like in the Rack/Sinatra installation or insert it in the middlewares stack configuration
-in the `application.rb`:
+in your `config/environments/<env>.rb` files:
 
 ```ruby
-module YourApp
-  class Application < Rails::Application
-
-    # ...
-
-    config.middleware.insert_before Rack::Runtime, Rack::Profiler
+YourApp.configure do |config|
+  # ...
 
-  end
+  config.middleware.insert 0, Rack::Profiler
 end
 ```
 
+NOTE: you should not expose the profiler publicly in the production environment,
+as it may contain sensitive information. Refer to the [`authorization
+section`](#authorization) for on to protect it.
+
 ## Configuration
 
-You can configure `Rack::Profiler` passing a block to `use`. In the block you can subscribe to more notifications and change some defaults:
+You can configure `Rack::Profiler` passing a block to `use` (or
+`middleware.insert` in Rails configuration). In the block you can subscribe to
+more notifications and change some defaults:
 
 ```ruby
 use Rack::Profiler do |profiler|
@@ -88,6 +94,39 @@ use Rack::Profiler do |profiler|
 end
 ```
 
+## Authorization
+
+You typically *do not want to expose profiling publicly*, as it may contain
+sensible information about your data and app. To protect your data, the easiest
+option is to only enable the profiler in the development environment:
+
+```ruby
+if ENV['RACK_ENV'] == 'development'
+  require 'rack/profiler'
+  use Rack::Profiler
+end
+```
+
+Sometimes though, you might want to run the profiler in the production
+environment, in order to get results in a real setting (including caching and
+optimizations). In this case, you can configure your custom authorization logic,
+which can rely on the Rack env:
+
+```ruby
+use Rack::Profiler do |profiler|
+  profiler.authorize do |env|
+    # env is the Rack environment of the request. This block should return a
+    # truthy value when the request is allowed to be profiled, falsy otherwise.
+    env['rack-profiler-enabled'] == true
+  end
+end
+
+# ...then in your app:
+before do
+  env['rack-profiler-enabled'] = true if current_user.admin?
+end
+```
+
 ## Usage
 
 ### Custom steps

data/lib/rack/profiler.rb

@@ -1,12 +1,13 @@
 require "rack"
 require "rack/request"
+require "rack/auth/basic"
 require "rack/profiler/version"
 require "active_support/notifications"
 
 module Rack
   class Profiler
 
-    attr_reader :events, :backtrace_filter, :subscriptions
+    attr_reader :events, :backtrace_filter, :subscriptions, :authorizator
     attr_accessor :dashboard_path
 
     DEFAULT_SUBSCRIPTIONS = ['sql.active_record',
@@ -36,6 +37,7 @@ module Rack
     def call(env)
       @events = []
       req = Rack::Request.new(env)
+      env['rack-profiler'] = self
 
       if req.path == dashboard_path
         render_dashboard
@@ -69,6 +71,10 @@ module Rack
       @backtrace_filter = block
     end
 
+    def authorize(&block)
+      @authorizator = block
+    end
+
     private
 
     def render_profiler_results(env)
@@ -76,16 +82,16 @@ module Rack
       ActiveSupport::Notifications.instrument('rack-profiler.total_time') do
         status, headers, body = @app.call(env)
       end
-      [ 200,
-        { 'Content-Type' => 'application/json' },
-        [ { events:   events.sort_by { |event| event[:start] },
-            response: {
-            status:  status,
-            headers: headers,
-            body:    stringify_body(body)
-          }
-        }.to_json ]
-      ]
+      return [status, headers, body] unless authorized?(env)
+      results = {
+        events:   events.sort_by { |event| event[:start] },
+        response: {
+          status:  status,
+          headers: headers,
+          body:    stringify_body(body)
+        }
+      }
+      [200, { 'Content-Type' => 'application/json' }, [results.to_json]]
     end
 
     def render_dashboard
@@ -115,5 +121,9 @@ module Rack
       body.each { |part| str << part }
       str
     end
+
+    def authorized?(env)
+      @authorizator.nil? || @authorizator.call(env)
+    end
   end
 end

data/lib/rack/profiler/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Profiler
-    VERSION = "0.0.5"
+    VERSION = "1.0.0"
   end
 end

data/public/rack-profiler.html

@@ -89,7 +89,7 @@
               <option value="POST">POST</option>
               <option value="PUT">PUT</option>
               <option value="PATCH">PATCH</option>
-              <option value="OPTIONS">OPTIONS</option>
+              <option value="DELETE">DELETE</option>
             </select>
           </div>
           <div class="col-md-3">

data/spec/rack/profiler_spec.rb

@@ -34,6 +34,7 @@ describe Rack::Profiler do
     it "sets the correct defaults" do
       expect(profiler.dashboard_path).to eq('/rack-profiler')
       expect(profiler.backtrace_filter).to be_nil
+      expect(profiler.authorizator).to be_nil
       expect(profiler.subscriptions).to include(
         *Rack::Profiler::DEFAULT_SUBSCRIPTIONS
       )
@@ -118,25 +119,25 @@ describe Rack::Profiler do
 
     let(:env) do
       {
-        "PATH_INFO" => "/",
-        "QUERY_STRING" => "",
-        "REMOTE_HOST" => "localhost",
-        "REQUEST_METHOD" => "GET",
-        "REQUEST_URI" => "http://localhost:3000/",
-        "SCRIPT_NAME" => "",
-        "SERVER_NAME" => "localhost",
-        "SERVER_PORT" => "3000",
-        "SERVER_PROTOCOL" => "HTTP/1.1",
-        "HTTP_HOST" => "localhost:3000",
-        "rack.version" => [1, 2],
-        "rack.input" => StringIO.new,
-        "rack.errors" => StringIO.new,
-        "rack.multithread" => true,
+        "PATH_INFO"         => "/",
+        "QUERY_STRING"      => "",
+        "REMOTE_HOST"       => "localhost",
+        "REQUEST_METHOD"    => "GET",
+        "REQUEST_URI"       => "http://localhost:3000/",
+        "SCRIPT_NAME"       => "",
+        "SERVER_NAME"       => "localhost",
+        "SERVER_PORT"       => "3000",
+        "SERVER_PROTOCOL"   => "HTTP/1.1",
+        "HTTP_HOST"         => "localhost:3000",
+        "rack.version"      => [1, 2],
+        "rack.input"        => StringIO.new,
+        "rack.errors"       => StringIO.new,
+        "rack.multithread"  => true,
         "rack.multiprocess" => false,
-        "rack.run_once" => false,
-        "rack.url_scheme" => "http",
-        "HTTP_VERSION" => "HTTP/1.1",
-        "REQUEST_PATH" => "/"
+        "rack.run_once"     => false,
+        "rack.url_scheme"   => "http",
+        "HTTP_VERSION"      => "HTTP/1.1",
+        "REQUEST_PATH"      => "/"
       }
     end
 
@@ -146,7 +147,7 @@ describe Rack::Profiler do
       expect(profiler.events).not_to include('xxx')
     end
 
-    context "when the path is config.dashboard_path" do
+    context "when the path is dashboard_path" do
       it "renders dashboard" do
         path = ::File.expand_path('../../public/rack-profiler.html',
                                      ::File.dirname( __FILE__ ) )
@@ -193,6 +194,27 @@ describe Rack::Profiler do
           parsed_body['events'].map { |e| e['name'] }
         ).to include('rack-profiler.total_time', 'rack-profiler.step')
       end
+
+      context "when authorization is configured" do
+        before do
+          profiler.authorize { |env| env['rack-profiler-allowed'] }
+        end
+
+        it "returns the original response if the request is not authorized" do
+          response = profiler.call(env_with_param)
+          expect(response).to eq(
+            [200, { 'X-My-Header' => 'foo' }, ['hello hello']]
+          )
+        end
+
+        it "returns the profiler results if the request is authorized" do
+          status, headers, body = profiler.call(
+            env_with_param.merge('rack-profiler-allowed' => true)
+          )
+          parsed_body = JSON.parse(body.join)
+          expect(parsed_body).to have_key('events')
+        end
+      end
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-profiler
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 1.0.0
 platform: ruby
 authors:
 - Luca Ongaro
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-28 00:00:00.000000000 Z
+date: 2015-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack