rack-ssl-enforcer 0.2.5 → 0.2.6

data/README.md

@@ -1,4 +1,4 @@
-# Rack::SslEnforcer [![Build Status](https://secure.travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](http://travis-ci.org/tobmatth/rack-ssl-enforcer)
+# Rack::SslEnforcer [![Build Status](https://travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](https://travis-ci.org/tobmatth/rack-ssl-enforcer)
 
 Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
 Cookies as secure by default (HSTS must be set manually).
@@ -7,7 +7,7 @@ Tested against Ruby 1.8.7, 1.9.2, 1.9.3, ruby-head, REE and the latest versions
 
 ## Installation
 
-The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com/).
+The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com).
 
 Add Rack::SslEnforcer to your `Gemfile`:
 
@@ -20,23 +20,24 @@ Add Rack::SslEnforcer to your `Gemfile`:
 In order for Rack::SslEnforcer to properly work it has to be at the top
 of the Rack Middleware.
 
-Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer 
+Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer
 and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
 
 To fix this issue do not use `enable :sessions` instead add the
-Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.  
+Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.
 
 Eg:
 
-    use Rack::SslEnforcer 
-    set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
-  
-    #Enable sinatra sessions
-    use Rack::Session::Cookie, :key => '_rack_session',
-                               :path => '/',
-                               :expire_after => 2592000, # In seconds
-                               :secret => session_secret
-
+```ruby
+use Rack::SslEnforcer
+set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
+
+#Enable sinatra sessions
+use Rack::Session::Cookie, :key => '_rack_session',
+                           :path => '/',
+                           :expire_after => 2592000, # In seconds
+                           :secret => settings.session_secret
+```
 
 ## Basic Usage
 
@@ -72,7 +73,7 @@ config.middleware.use Rack::SslEnforcer, :only_hosts => [/[secure|admin]\.exampl
 
 ### Path constraints
 
-You can enforce SSL connections only for certain paths with `:only`, or prevent certain paths from being forced to SSL with `:except`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+You can enforce SSL connections only for certain paths with `:only`, prevent certain paths from being forced to SSL with `:except`, or - if you don't care how certain paths are accessed - ignore them with `:ignore`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
 
 ```ruby
 config.middleware.use Rack::SslEnforcer, :only => '/login'
@@ -81,6 +82,11 @@ config.middleware.use Rack::SslEnforcer, :only => '/login'
 config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
 
 config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
+
+config.middleware.use Rack::SslEnforcer, :ignore => '/assets'
+
+# You can also combine multiple constraints
+config.middleware.use Rack::SslEnforcer, :only => '/cart', :ignore => %r{/assets}, :strict => true
 ```
 
 ### Method constraints
@@ -97,6 +103,35 @@ config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
 
 Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
 
+
+### Environment constraints
+
+You can enforce SSL connections only for certain environments with `:only_environments` or prevent certain environments from being forced to SSL with `:except_environments`.
+Environment constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_environments => 'development'
+
+config.middleware.use Rack::SslEnforcer, :except_environments => /^[0-9a-f]+_local$/i
+
+config.middleware.use Rack::SslEnforcer, :only_environments => ['production', /^QA/]
+```
+
+Note: The `:environments` constraint requires one the following environment variables to be set: `RACK_ENV`, `RAILS_ENV`, `ENV`.
+
+### User agent constraints
+
+You can enforce SSL connections only for certain user agents with `:only_agents` or prevent certain user agents from being forced to SSL with `:except_agents`.
+User agent constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_agents => 'Googlebot'
+
+config.middleware.use Rack::SslEnforcer, :except_agents => /[Googlebot|bingbot]/
+
+config.middleware.use Rack::SslEnforcer, :only_agents => ['test-secu-bot', /custom-crawler[0-9a-f]/]
+```
+
 ### Force-redirection to non-SSL connection if constraint is not matched
 
 Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
@@ -137,6 +172,14 @@ You might need the `:redirect_to` option if the requested URL can't be determine
 config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
 ```
 
+### Redirect with specific HTTP status code
+
+By default it redirects with HTTP status code 301(Moved Permanently). Sometimes you might need to redirect with different HTTP status code:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_code => 302
+```
+
 ### Custom HTTP port
 
 If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
@@ -167,6 +210,19 @@ config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookie
 But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
 This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
 
+### Running code before redirect
+
+You may want to run some code before rack-ssl-enforcer forces a redirect.  This code could do something like log that a redirect was done, or if this is used in a Rails app, keeping the flash when redirecting:
+
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login', :before_redirect => Proc.new {
+  #keep flash on redirect
+  @request.session[:flash].keep if !@request.session.nil? && @request.session.key?('flash') && !@request.session['flash'].empty?
+}
+```
+
+
 ## Deployment
 
 If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
@@ -195,13 +251,9 @@ This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just
 
 * Cleanup tests
 
-## Contributors
+#### Contributors
 
-* [Dan Mayer](http://github.com/danmayer)
-* [Rémy Coutable](http://github.com/rymai)
-* [Thibaud Guillaume-Gentil](http://github.com/thibaudgg)
-* [Paul Annesley](https://github.com/pda)
-* [Saimon Moore](https://github.com/saimonmoore)
+[https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors](https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors)
 
 ## Credits
 
@@ -217,4 +269,4 @@ Flagging cookies as secure functionality and HSTS support is greatly inspired by
 
 ## Copyright
 
-Copyright (c) 2010-2012 Tobias Matthies. See LICENSE for details.
+Copyright (c) 2010-2013 Tobias Matthies. See [LICENSE](https://github.com/tobmatth/rack-ssl-enforcer/blob/master/LICENSE) for details.

data/lib/rack/ssl-enforcer.rb

@@ -5,9 +5,11 @@ module Rack
   class SslEnforcer
 
     CONSTRAINTS_BY_TYPE = {
-      :hosts   => [:only_hosts, :except_hosts],
-      :path    => [:only, :except],
-      :methods => [:only_methods, :except_methods]
+      :hosts        => [:only_hosts, :except_hosts],
+      :agents       => [:only_agents, :except_agents],
+      :path         => [:only, :except],
+      :methods      => [:only_methods, :except_methods],
+      :environments => [:only_environments, :except_environments]
     }
 
     # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
@@ -15,14 +17,18 @@ module Rack
     def initialize(app, options={})
       default_options = {
         :redirect_to          => nil,
+        :redirect_code        => nil,
         :strict               => false,
         :mixed                => false,
         :hsts                 => nil,
         :http_port            => nil,
         :https_port           => nil,
-        :force_secure_cookies => true
+        :force_secure_cookies => true,
+        :before_redirect      => nil
       }
-      CONSTRAINTS_BY_TYPE.values.each { |constraint| default_options[constraint] = nil }
+      CONSTRAINTS_BY_TYPE.values.each do |constraints|
+        constraints.each { |constraint| default_options[constraint] = nil }
+      end
 
       @app, @options = app, default_options.merge(options)
     end
@@ -39,7 +45,8 @@ module Rack
       end
 
       if redirect_required?
-        modify_location_and_redirect
+        call_before_redirect
+        modify_location_and_redirect 
       elsif ssl_request?
         status, headers, body = @app.call(env)
         flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
@@ -51,7 +58,7 @@ module Rack
     end
 
   private
-  
+
     def redirect_required?
       scheme_mismatch? || host_mismatch?
     end
@@ -66,31 +73,35 @@ module Rack
         false
       end
     end
-    
+
     def scheme_mismatch?
       @scheme && @scheme != current_scheme
     end
-    
+
     def host_mismatch?
       destination_host && destination_host != @request.host
     end
-    
+
+    def call_before_redirect
+       @options[:before_redirect].call unless @options[:before_redirect].nil?
+    end
+
     def modify_location_and_redirect
       location = "#{current_scheme}://#{@request.host}#{@request.fullpath}"
       location = replace_scheme(location, @scheme)
       location = replace_host(location, @options[:redirect_to])
       redirect_to(location)
     end
-    
+
     def redirect_to(location)
       body = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
-      [301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
+      [@options[:redirect_code] || 301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
     end
 
     def ssl_request?
       current_scheme == 'https'
     end
-    
+
     def destination_host
       if @options[:redirect_to]
         host_parts = URI.split(@options[:redirect_to])
@@ -100,7 +111,7 @@ module Rack
 
     # Fixed in rack >= 1.3
     def current_scheme
-      if @request.env['HTTPS'] == 'on'
+      if @request.env['HTTPS'] == 'on' || @request.env['HTTP_X_SSL_REQUEST'] == 'on'
         'https'
       elsif @request.env['HTTP_X_FORWARDED_PROTO']
         @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
@@ -116,7 +127,7 @@ module Rack
       else
         provided_keys.all? do |key|
           rules = [@options[key]].flatten.compact
-          rules.send([:except_hosts, :except].include?(key) ? :all? : :any?) do |rule|
+          rules.send([:except_hosts, :except_agents, :except_environments, :except].include?(key) ? :all? : :any?) do |rule|
             SslEnforcerConstraint.new(key, rule, @request).matches?
           end
         end
@@ -135,24 +146,24 @@ module Rack
 
     def replace_scheme(uri, scheme)
       return uri if not scheme_mismatch?
-      
+
       port = adjust_port_to(scheme)
       uri_parts = URI.split(uri)
       uri_parts[3] = port unless port.nil?
       uri_parts[0] = scheme
       URI::HTTP.new(*uri_parts).to_s
     end
-    
+
     def replace_host(uri, host)
       return uri unless host_mismatch?
-      
+
       host_parts = URI.split(host)
       new_host = host_parts[2] || host_parts[5]
       uri_parts = URI.split(uri)
       uri_parts[2] = new_host
       URI::HTTPS.new(*uri_parts).to_s
     end
-    
+
     def adjust_port_to(scheme)
       if scheme == 'https'
         @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
@@ -170,7 +181,7 @@ module Rack
         end
 
         headers['Set-Cookie'] = cookies.map do |cookie|
-          cookie !~ / secure;/ ? "#{cookie}; secure" : cookie
+          cookie !~ /(^|;\s)secure($|;)/ ? "#{cookie}; secure" : cookie
         end.join("\n")
       end
     end

data/lib/rack/ssl-enforcer/constraint.rb

@@ -11,12 +11,12 @@ class SslEnforcerConstraint
     else
       result = tested_string.send(operator, @rule)
     end
-    
+
     negate_result? ? !result : result
   end
 
 private
-  
+
   def negate_result?
     @name.to_s =~ /except/
   end
@@ -31,6 +31,10 @@ private
       @request.host
     when /methods/
       @request.request_method
+    when /environments/
+      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ENV["ENV"]
+    when /agents/
+      @request.user_agent
     else
       @request.path
     end

data/lib/rack/ssl-enforcer/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class SslEnforcer
-    VERSION = "0.2.5"
+    VERSION = "0.2.6"
   end
 end

metadata

@@ -1,112 +1,105 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rack-ssl-enforcer
-version: !ruby/object:Gem::Version 
-  hash: 29
+version: !ruby/object:Gem::Version
+  version: 0.2.6
   prerelease: 
-  segments: 
-  - 0
-  - 2
-  - 5
-  version: 0.2.5
 platform: ruby
-authors: 
+authors:
 - Tobias Matthies
 - Thibaud Guillaume-Gentil
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-11-14 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2013-09-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: bundler
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 1
-        - 0
-        version: "1.0"
+      - !ruby/object:Gem::Version
+        version: '1.0'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: test-unit
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 5
-        segments: 
-        - 2
-        - 3
-        version: "2.3"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: shoulda
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 37
-        segments: 
-        - 2
-        - 11
-        - 3
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
         version: 2.11.3
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: rack
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 31
-        segments: 
-        - 1
-        - 2
-        - 0
+      - !ruby/object:Gem::Version
+        version: 2.11.3
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
         version: 1.2.0
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: rack-test
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        - 5
-        - 4
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
         version: 0.5.4
   type: :development
-  version_requirements: *id005
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.5.4
 description: Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
-email: 
-- tm@mit2m.de
+email:
+- tm@mit2m.d
 - thibaud@thibaud.me
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - lib/rack/ssl-enforcer/constraint.rb
 - lib/rack/ssl-enforcer/version.rb
 - lib/rack/ssl-enforcer.rb
@@ -115,38 +108,29 @@ files:
 - README.md
 homepage: http://github.com/tobmatth/rack-ssl-enforcer
 licenses: []
-
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
       - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+      hash: 1004214355
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 23
-      segments: 
-      - 1
-      - 3
-      - 6
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-
 rubyforge_project: rack-ssl-enforcer
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: A simple Rack middleware to enforce SSL
 test_files: []
-