rack-ssl-enforcer 0.2.0 → 0.2.1

data/README.rdoc

@@ -1,38 +1,64 @@
 = Rack::SslEnforcer
 
 Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections. As of Version 0.2.0, Rack::SslEnforcer marks
-Cookies as secure and enables HSTS by default.
-
+Cookies as secure by default (HSTS must be set manually).
+Tested on Ruby 1.8.7 & 1.9.2
 
 == Installation
 
   gem install rack-ssl-enforcer
 
 
-== Usage
+== Basic Usage
 
-  require 'rack-ssl-enforcer'
+  require 'rack/ssl-enforcer'
   use Rack::SslEnforcer
 
-This will redirect all requests to SSL. Rack::SslEnforcer accepts params:
+Or, if you are using Bundler, just add this to your Gemfile:
+
+  gem 'rack-ssl-enforcer'
+
+To use Rack::SslEnforcer in your Rails application, add the following line to your application
+config file (config/application.rb for Rails3, config/environment.rb for Rails2):
+
+  config.middleware.use Rack::SslEnforcer
+
+If all you want is SSL for your whole application, you are done! However, you can specify some
+
+
+== Options
 
 You might need the :redirect_to option if the requested URL can't be determined (e.g. if using a proxy).
 
-  use Rack::SslEnforcer, :redirect_to => 'https://example.org'
-  
-You can also define specific regex patterns or paths to redirect.
-  
-  use Rack::SslEnforcer, :only => /^\/admin\//
-  use Rack::SslEnforcer, :only => "/login"
-  use Rack::SslEnforcer, :only => ["/login", /\.xml$/]
-  
-And force http for non-https path
+  config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
+
+You can also define specific regex patterns or paths or hosts to redirect.
 
-  use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+  config.middleware.use Rack::SslEnforcer, :only => /^\/admin\//
+  config.middleware.use Rack::SslEnforcer, :only => "/login"
+  config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/]
+  config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
+  config.middleware.use Rack::SslEnforcer, :only_hosts => ["[www|api]\.example\.org", 'example.com']
+  config.middleware.use Rack::SslEnforcer, :except_hosts => 'help.example.com'
+  config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
 
-To set HSTS expiry and subdomain inclusion (defaults: one year, true)
+Note: hosts options take precedence over the path options. See tests for examples.
 
-	use Rack::SslEnforcer, :hsts => {:expires => 500, :subdomains => false}
+Use the :strict option to force http for all requests not matching your :only specification
+
+  config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+  config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com', :strict => true
+
+Or in the case where you have matching urls with different methods (rails restful routes: get#users post#users || get#user/:id put#user/:id) you may need to post and put to secure but redirect to http on get.
+
+  config.middleware.use Rack::SslEnforcer, :only => [/^\/users\/(.+)\/edit/], :mixed => true
+
+The above will allow you to post/put from the secure/non-secure urls keeping the original schema.
+
+To set HSTS expiry and subdomain inclusion (defaults: one year, true). Strict option disables HSTS.
+
+  config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
+  config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
 
 
 == TODO
@@ -47,21 +73,22 @@ To set HSTS expiry and subdomain inclusion (defaults: one year, true)
 * {Rémy Coutable}[http://github.com/rymai]
 * {Thibaud Guillaume-Gentil}[http://github.com/thibaudgg]
 * {Paul Annesley}[https://github.com/pda]
+* {Saimon Moore}[https://github.com/saimonmoore]
 
 
 == Credits
 
-Flagging cookies as secure functionality is greatly inspired by {Joshua Peek's Rack::SSL}[https://github.com/josh/rack-ssl]
+Flagging cookies as secure functionality and HSTS support is greatly inspired by {Joshua Peek's Rack::SSL}[https://github.com/josh/rack-ssl]
 
 
 == Note on Patches/Pull Requests
- 
+
 * Fork the project.
 * Make your feature addition or bug fix.
 * Add tests for it. This is important so I don't break it in a
   future version unintentionally.
 * Commit, do not mess with rakefile, version, or history.
-  (if you want to have your own version, 
+  (if you want to have your own version,
   that is fine but bump version in a commit by itself I can ignore when I pull)
 * Send me a pull request. Bonus points for topic branches.
 

data/lib/rack-ssl-enforcer.rb

@@ -0,0 +1 @@
+require 'rack/ssl-enforcer'

data/lib/rack/ssl-enforcer.rb

@@ -1,39 +1,42 @@
 module Rack
   class SslEnforcer
-    
+
     def initialize(app, options = {})
       @app, @options = app, options
     end
-    
+
     def call(env)
       @req = Rack::Request.new(env)
-      if enforce_ssl?(env)
+      if enforce_ssl?(@req)
         scheme = 'https' unless ssl_request?(env)
-      elsif ssl_request?(env) && @options[:strict]
+      elsif ssl_request?(env) && enforcement_non_ssl?(env)
         scheme = 'http'
       end
-      
+
       if scheme
-        location = @options[:redirect_to] || replace_scheme(@req, scheme).url
+        location = replace_scheme(@req, scheme).url
         body     = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
         [301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
       elsif ssl_request?(env)
         status, headers, body = @app.call(env)
         flag_cookies_as_secure!(headers)
-        set_hsts_headers!(headers)
+        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
         [status, headers, body]
       else
         @app.call(env)
       end
     end
-    
-    
+
   private
-    
+
+    def enforcement_non_ssl?(env)
+      true if @options[:strict] || @options[:mixed] && !(env['REQUEST_METHOD'] == 'PUT' || env['REQUEST_METHOD'] == 'POST')
+    end
+
     def ssl_request?(env)
       scheme(env) == 'https'
     end
-    
+
     # Fixed in rack >= 1.3
     def scheme(env)
       if env['HTTPS'] == 'on'
@@ -44,29 +47,81 @@ module Rack
         env['rack.url_scheme']
       end
     end
-    
-    def enforce_ssl?(env)
-      if @options[:only]
-        rules = [@options[:only]].flatten
-        rules.any? do |pattern|
-          if pattern.is_a?(Regexp)
-            @req.path =~ pattern
+
+    def matches?(key, pattern, req)
+      if pattern.is_a?(Regexp)
+        case key
+        when :only
+          req.path =~ pattern
+        when :except
+          req.path !~ pattern
+        when :only_hosts
+          req.host =~ pattern
+        when :except_hosts
+          req.host !~ pattern
+        end
+      else
+        case key
+        when :only
+          req.path[0,pattern.length] == pattern
+        when :except
+          req.path[0,pattern.length] != pattern
+        when :only_hosts
+          req.host == pattern
+        when :except_hosts
+          req.host != pattern
+        end
+      end
+    end
+
+    def enforce_ssl_for?(keys, req)
+      if keys.any? {|option| @options.key?(option)}
+        keys.any? do |key|
+          rules = [@options[key]].flatten.compact
+          rules.any? do |pattern|
+            matches?(key, pattern, req)
+          end
+        end
+      else
+        false
+      end
+    end
+
+    def enforce_ssl?(req)
+      path_keys = [:only, :except]
+      hosts_keys = [:only_hosts, :except_hosts]
+      if hosts_keys.any? {|option| @options.key?(option)}
+        if enforce_ssl_for?(hosts_keys, req)
+          if path_keys.any? {|option| @options.key?(option)}
+            enforce_ssl_for?(path_keys, req)
           else
-            @req.path[0,pattern.length] == pattern
+            true
           end
+        else
+          false
         end
+      elsif path_keys.any? {|option| @options.key?(option)}
+        enforce_ssl_for?(path_keys, req)
       else
         true
       end
     end
-    
+
     def replace_scheme(req, scheme)
+      if @options[:redirect_to]
+        uri = URI.split(@options[:redirect_to])
+        uri = uri[2] || uri[5]
+      else
+        uri = nil
+      end
       Rack::Request.new(req.env.merge(
         'rack.url_scheme' => scheme,
+        'HTTP_X_FORWARDED_PROTO' => scheme,
+        'HTTP_X_FORWARDED_PORT' => port_for(scheme).to_s,
         'SERVER_PORT' => port_for(scheme).to_s
-      ))
+      ).merge(uri ? {'HTTP_HOST' => uri} : {}))
     end
-    
+
     def port_for(scheme)
       scheme == 'https' ? 443 : 80
     end
@@ -83,7 +138,7 @@ module Rack
         }.join("\n")
       end
     end
-    
+
     # see http://en.wikipedia.org/wiki/Strict_Transport_Security
     def set_hsts_headers!(headers)
       opts = { :expires => 31536000, :subdomains => true }.merge(@options[:hsts] || {})
@@ -91,6 +146,6 @@ module Rack
       value += "; includeSubDomains" if opts[:subdomains]
       headers.merge!({ 'Strict-Transport-Security' => value })
     end
-    
+
   end
-end
+end

data/lib/rack/ssl-enforcer/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class SslEnforcer
-    VERSION = "0.2.0"
+    VERSION = "0.2.1"
   end
-end
+end

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack-ssl-enforcer
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  hash: 21
+  prerelease: 
   segments: 
   - 0
   - 2
-  - 0
-  version: 0.2.0
+  - 1
+  version: 0.2.1
 platform: ruby
 authors: 
 - Tobias Matthies
@@ -15,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-11-17 00:00:00 +01:00
+date: 2011-02-15 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -24,13 +25,14 @@ dependencies:
   requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version 
+        hash: 19
         segments: 
         - 0
-        - 2
-        - 1
-        version: 0.2.1
+        - 3
+        - 0
+        version: 0.3.0
   type: :development
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -41,101 +43,94 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 23
         segments: 
         - 0
         - 1
-        - 3
-        version: 0.1.3
+        - 6
+        version: 0.1.6
   type: :development
   version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: guard-bundler
-  prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
-  type: :development
-  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: bundler
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 1
         - 0
-        - 5
-        version: 1.0.5
+        - 10
+        version: 1.0.10
   type: :development
-  version_requirements: *id004
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: test-unit
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 9
         segments: 
         - 2
         - 1
         - 1
         version: 2.1.1
   type: :development
-  version_requirements: *id005
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
   name: shoulda
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 37
         segments: 
         - 2
         - 11
         - 3
         version: 2.11.3
   type: :development
-  version_requirements: *id006
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: rack
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 31
         segments: 
         - 1
         - 2
         - 0
         version: 1.2.0
   type: :development
-  version_requirements: *id007
+  version_requirements: *id006
 - !ruby/object:Gem::Dependency 
   name: rack-test
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         - 5
         - 4
         version: 0.5.4
   type: :development
-  version_requirements: *id008
+  version_requirements: *id007
 description: Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
 email: 
 - tm@mit2m.de
@@ -147,9 +142,9 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
-- lib/rack/rack-ssl-enforcer.rb
 - lib/rack/ssl-enforcer/version.rb
 - lib/rack/ssl-enforcer.rb
+- lib/rack-ssl-enforcer.rb
 - LICENSE
 - README.rdoc
 has_rdoc: true
@@ -166,6 +161,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
@@ -174,6 +170,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 23
       segments: 
       - 1
       - 3
@@ -182,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rack-ssl-enforcer
-rubygems_version: 1.3.7
+rubygems_version: 1.5.0
 signing_key: 
 specification_version: 3
 summary: A simple Rack middleware to enforce SSL

data/lib/rack/rack-ssl-enforcer.rb

@@ -1 +0,0 @@
-require 'rack/ssl-enforcer'