rack 1.1.6 → 1.6.9

data/test/spec_server.rb

@@ -0,0 +1,167 @@
+require 'rack'
+require 'rack/server'
+require 'tempfile'
+require 'socket'
+require 'open-uri'
+
+describe Rack::Server do
+
+  def app
+    lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['success']] }
+  end
+
+  def with_stderr
+    old, $stderr = $stderr, StringIO.new
+    yield $stderr
+  ensure
+    $stderr = old
+  end
+
+  it "overrides :config if :app is passed in" do
+    server = Rack::Server.new(:app => "FOO")
+    server.app.should.equal "FOO"
+  end
+
+  should "prefer to use :builder when it is passed in" do
+    server = Rack::Server.new(:builder => "run lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['success']] }")
+    server.app.class.should.equal Proc
+    Rack::MockRequest.new(server.app).get("/").body.to_s.should.equal 'success'
+  end
+
+  should "allow subclasses to override middleware" do
+    server = Class.new(Rack::Server).class_eval { def middleware; Hash.new [] end; self }
+    server.middleware['deployment'].should.not.equal []
+    server.new(:app => 'foo').middleware['deployment'].should.equal []
+  end
+
+  should "allow subclasses to override default middleware" do
+    server = Class.new(Rack::Server).instance_eval { def default_middleware_by_environment; Hash.new [] end; self }
+    server.middleware['deployment'].should.equal []
+    server.new(:app => 'foo').middleware['deployment'].should.equal []
+  end
+
+  should "only provide default middleware for development and deployment environments" do
+    Rack::Server.default_middleware_by_environment.keys.sort.should.equal %w(deployment development)
+  end
+
+  should "always return an empty array for unknown environments" do
+    server = Rack::Server.new(:app => 'foo')
+    server.middleware['production'].should.equal []
+  end
+
+  should "not include Rack::Lint in deployment environment" do
+    server = Rack::Server.new(:app => 'foo')
+    server.middleware['deployment'].flatten.should.not.include(Rack::Lint)
+  end
+
+  should "not include Rack::ShowExceptions in deployment environment" do
+    server = Rack::Server.new(:app => 'foo')
+    server.middleware['deployment'].flatten.should.not.include(Rack::ShowExceptions)
+  end
+
+  should "include Rack::TempfileReaper in deployment environment" do
+    server = Rack::Server.new(:app => 'foo')
+    server.middleware['deployment'].flatten.should.include(Rack::TempfileReaper)
+  end
+
+  should "support CGI" do
+    begin
+      o, ENV["REQUEST_METHOD"] = ENV["REQUEST_METHOD"], 'foo'
+      server = Rack::Server.new(:app => 'foo')
+      server.server.name =~ /CGI/
+      Rack::Server.logging_middleware.call(server).should.eql(nil)
+    ensure
+      ENV['REQUEST_METHOD'] = o
+    end
+  end
+
+  should "be quiet if said so" do
+    server = Rack::Server.new(:app => "FOO", :quiet => true)
+    Rack::Server.logging_middleware.call(server).should.eql(nil)
+  end
+
+  should "use a full path to the pidfile" do
+    # avoids issues with daemonize chdir
+    opts = Rack::Server.new.send(:parse_options, %w[--pid testing.pid])
+    opts[:pid].should.eql(::File.expand_path('testing.pid'))
+  end
+
+  should "run a server" do
+    pidfile = Tempfile.open('pidfile') { |f| break f }.path
+    FileUtils.rm pidfile
+    server = Rack::Server.new(
+      :app         => app,
+      :environment => 'none',
+      :pid         => pidfile,
+      :Port        => TCPServer.open('127.0.0.1', 0){|s| s.addr[1] },
+      :Host        => '127.0.0.1',
+      :daemonize   => false,
+      :server      => 'webrick'
+    )
+    t = Thread.new { server.start { |s| Thread.current[:server] = s } }
+    t.join(0.01) until t[:server] && t[:server].status != :Stop
+    body = open("http://127.0.0.1:#{server.options[:Port]}/") { |f| f.read }
+    body.should.eql('success')
+
+    Process.kill(:INT, $$)
+    t.join
+    open(pidfile) { |f| f.read.should.eql $$.to_s }
+  end
+
+  should "check pid file presence and running process" do
+    pidfile = Tempfile.open('pidfile') { |f| f.write($$); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :running
+  end
+
+  should "check pid file presence and dead process" do
+    dead_pid = `echo $$`.to_i
+    pidfile = Tempfile.open('pidfile') { |f| f.write(dead_pid); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :dead
+  end
+
+  should "check pid file presence and exited process" do
+    pidfile = Tempfile.open('pidfile') { |f| break f }.path
+    ::File.delete(pidfile)
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :exited
+  end
+
+  should "check pid file presence and not owned process" do
+    pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :not_owned
+  end
+
+  should "not write pid file when it is created after check" do
+    pidfile = Tempfile.open('pidfile') { |f| break f }.path
+    ::File.delete(pidfile)
+    server = Rack::Server.new(:pid => pidfile)
+    ::File.open(pidfile, 'w') { |f| f.write(1) }
+    with_stderr do |err|
+      should.raise(SystemExit) do
+        server.send(:write_pid)
+      end
+      err.rewind
+      output = err.read
+      output.should.match(/already running/)
+      output.should.include? pidfile
+    end
+  end
+
+  should "inform the user about existing pidfiles with running processes" do
+    pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    with_stderr do |err|
+      should.raise(SystemExit) do
+        server.start
+      end
+      err.rewind
+      output = err.read
+      output.should.match(/already running/)
+      output.should.include? pidfile
+    end
+  end
+
+end

data/test/spec_session_abstract_id.rb

@@ -0,0 +1,53 @@
+### WARNING: there be hax in this file.
+
+require 'rack/session/abstract/id'
+
+describe Rack::Session::Abstract::ID do
+  id = Rack::Session::Abstract::ID
+
+  def silence_warning
+    o, $VERBOSE = $VERBOSE, nil
+    yield
+  ensure
+    $VERBOSE = o
+  end
+
+  def reload_id
+    $".delete $".find { |part| part =~ %r{session/abstract/id.rb} }
+    silence_warning { require 'rack/session/abstract/id' }
+  end
+
+  should "use securerandom when available" do
+    begin
+      fake = false
+      silence_warning do
+        ::SecureRandom = fake = true unless defined?(SecureRandom)
+      end
+      reload_id
+      id::DEFAULT_OPTIONS[:secure_random].should.eql(fake || SecureRandom)
+    ensure
+      Object.send(:remove_const, :SecureRandom) if fake
+    end
+  end
+
+  should "not use securerandom when unavailable" do
+    begin
+      sr = Object.send(:remove_const, :SecureRandom) if defined?(SecureRandom)
+      reload_id
+      id::DEFAULT_OPTIONS[:secure_random].should.eql false
+    ensure
+      ::SecureRandom = sr if defined?(sr)
+    end
+  end
+
+  should "allow to use another securerandom provider" do
+    secure_random = Class.new do
+      def hex(*args)
+        'fake_hex'
+      end
+    end
+    id = Rack::Session::Abstract::ID.new nil, :secure_random => secure_random.new
+    id.send(:generate_sid).should.eql 'fake_hex'
+  end
+
+end

data/test/spec_session_cookie.rb

@@ -0,0 +1,410 @@
+require 'rack/session/cookie'
+require 'rack/lint'
+require 'rack/mock'
+
+describe Rack::Session::Cookie do
+  incrementor = lambda do |env|
+    env["rack.session"]["counter"] ||= 0
+    env["rack.session"]["counter"] += 1
+    hash = env["rack.session"].dup
+    hash.delete("session_id")
+    Rack::Response.new(hash.inspect).to_a
+  end
+  
+  session_id = lambda do |env|
+    Rack::Response.new(env["rack.session"].to_hash.inspect).to_a
+  end
+
+  session_option = lambda do |opt|
+    lambda do |env|
+      Rack::Response.new(env["rack.session.options"][opt].inspect).to_a
+    end
+  end
+
+  nothing = lambda do |env|
+    Rack::Response.new("Nothing").to_a
+  end
+
+  renewer = lambda do |env|
+    env["rack.session.options"][:renew] = true
+    Rack::Response.new("Nothing").to_a
+  end
+
+  only_session_id = lambda do |env|
+    Rack::Response.new(env["rack.session"]["session_id"].to_s).to_a
+  end
+
+  bigcookie = lambda do |env|
+    env["rack.session"]["cookie"] = "big" * 3000
+    Rack::Response.new(env["rack.session"].inspect).to_a
+  end
+
+  destroy_session = lambda do |env|
+    env["rack.session"].destroy
+    Rack::Response.new("Nothing").to_a
+  end
+
+  def response_for(options={})
+    request_options = options.fetch(:request, {})
+    cookie = if options[:cookie].is_a?(Rack::Response)
+      options[:cookie]["Set-Cookie"]
+    else
+      options[:cookie]
+    end
+    request_options["HTTP_COOKIE"] = cookie || ""
+
+    app_with_cookie = Rack::Session::Cookie.new(*options[:app])
+    app_with_cookie = Rack::Lint.new(app_with_cookie)
+    Rack::MockRequest.new(app_with_cookie).get("/", request_options)
+  end
+
+  before do
+    @warnings = warnings = []
+    Rack::Session::Cookie.class_eval do
+      define_method(:warn) { |m| warnings << m }
+    end
+  end
+
+  after do
+    Rack::Session::Cookie.class_eval { remove_method :warn }
+  end
+
+  describe 'Base64' do
+    it 'uses base64 to encode' do
+      coder = Rack::Session::Cookie::Base64.new
+      str   = 'fuuuuu'
+      coder.encode(str).should.equal [str].pack('m')
+    end
+
+    it 'uses base64 to decode' do
+      coder = Rack::Session::Cookie::Base64.new
+      str   = ['fuuuuu'].pack('m')
+      coder.decode(str).should.equal str.unpack('m').first
+    end
+
+    describe 'Marshal' do
+      it 'marshals and base64 encodes' do
+        coder = Rack::Session::Cookie::Base64::Marshal.new
+        str   = 'fuuuuu'
+        coder.encode(str).should.equal [::Marshal.dump(str)].pack('m')
+      end
+
+      it 'marshals and base64 decodes' do
+        coder = Rack::Session::Cookie::Base64::Marshal.new
+        str   = [::Marshal.dump('fuuuuu')].pack('m')
+        coder.decode(str).should.equal ::Marshal.load(str.unpack('m').first)
+      end
+
+      it 'rescues failures on decode' do
+        coder = Rack::Session::Cookie::Base64::Marshal.new
+        coder.decode('lulz').should.equal nil
+      end
+    end
+
+    describe 'JSON' do
+      it 'marshals and base64 encodes' do
+        coder = Rack::Session::Cookie::Base64::JSON.new
+        obj   = %w[fuuuuu]
+        coder.encode(obj).should.equal [::Rack::Utils::OkJson.encode(obj)].pack('m')
+      end
+
+      it 'marshals and base64 decodes' do
+        coder = Rack::Session::Cookie::Base64::JSON.new
+        str   = [::Rack::Utils::OkJson.encode(%w[fuuuuu])].pack('m')
+        coder.decode(str).should.equal ::Rack::Utils::OkJson.decode(str.unpack('m').first)
+      end
+
+      it 'rescues failures on decode' do
+        coder = Rack::Session::Cookie::Base64::JSON.new
+        coder.decode('lulz').should.equal nil
+      end
+    end
+
+    describe 'ZipJSON' do
+      it 'jsons, deflates, and base64 encodes' do
+        coder = Rack::Session::Cookie::Base64::ZipJSON.new
+        obj   = %w[fuuuuu]
+        json = Rack::Utils::OkJson.encode(obj)
+        coder.encode(obj).should.equal [Zlib::Deflate.deflate(json)].pack('m')
+      end
+
+      it 'base64 decodes, inflates, and decodes json' do
+        coder = Rack::Session::Cookie::Base64::ZipJSON.new
+        obj   = %w[fuuuuu]
+        json  = Rack::Utils::OkJson.encode(obj)
+        b64   = [Zlib::Deflate.deflate(json)].pack('m')
+        coder.decode(b64).should.equal obj
+      end
+
+      it 'rescues failures on decode' do
+        coder = Rack::Session::Cookie::Base64::ZipJSON.new
+        coder.decode('lulz').should.equal nil
+      end
+    end
+  end
+
+  it "warns if no secret is given" do
+    Rack::Session::Cookie.new(incrementor)
+    @warnings.first.should =~ /no secret/i
+    @warnings.clear
+    Rack::Session::Cookie.new(incrementor, :secret => 'abc')
+    @warnings.should.be.empty?
+  end
+
+  it 'uses a coder' do
+    identity = Class.new {
+      attr_reader :calls
+
+      def initialize
+        @calls = []
+      end
+
+      def encode(str); @calls << :encode; str; end
+      def decode(str); @calls << :decode; str; end
+    }.new
+    response = response_for(:app => [incrementor, { :coder => identity }])
+
+    response["Set-Cookie"].should.include("rack.session=")
+    response.body.should.equal '{"counter"=>1}'
+    identity.calls.should.equal [:decode, :encode]
+  end
+
+  it "creates a new cookie" do
+    response = response_for(:app => incrementor)
+    response["Set-Cookie"].should.include("rack.session=")
+    response.body.should.equal '{"counter"=>1}'
+  end
+
+  it "loads from a cookie" do
+    response = response_for(:app => incrementor)
+
+    response = response_for(:app => incrementor, :cookie => response)
+    response.body.should.equal '{"counter"=>2}'
+
+    response = response_for(:app => incrementor, :cookie => response)
+    response.body.should.equal '{"counter"=>3}'
+  end
+
+  it "renew session id" do
+    response = response_for(:app => incrementor)
+    cookie   = response['Set-Cookie']
+    response = response_for(:app => only_session_id, :cookie => cookie)
+    cookie   = response['Set-Cookie'] if response['Set-Cookie']
+
+    response.body.should.not.equal ""
+    old_session_id = response.body
+
+    response = response_for(:app => renewer, :cookie => cookie)
+    cookie   = response['Set-Cookie'] if response['Set-Cookie']
+    response = response_for(:app => only_session_id, :cookie => cookie)
+
+    response.body.should.not.equal ""
+    response.body.should.not.equal old_session_id
+  end
+
+  it "destroys session" do
+    response = response_for(:app => incrementor)
+    response = response_for(:app => only_session_id, :cookie => response)
+
+    response.body.should.not.equal ""
+    old_session_id = response.body
+
+    response = response_for(:app => destroy_session, :cookie => response)
+    response = response_for(:app => only_session_id, :cookie => response)
+
+    response.body.should.not.equal ""
+    response.body.should.not.equal old_session_id
+  end
+
+  it "survives broken cookies" do
+    response = response_for(
+      :app => incrementor,
+      :cookie => "rack.session=blarghfasel"
+    )
+    response.body.should.equal '{"counter"=>1}'
+
+    response = response_for(
+      :app => [incrementor, { :secret => "test" }],
+      :cookie => "rack.session="
+    )
+    response.body.should.equal '{"counter"=>1}'
+  end
+
+  it "barks on too big cookies" do
+    lambda{
+      response_for(:app => bigcookie, :request => { :fatal => true })
+    }.should.raise(Rack::MockRequest::FatalWarning)
+  end
+
+  it "loads from a cookie with integrity hash" do
+    app = [incrementor, { :secret => "test" }]
+
+    response = response_for(:app => app)
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>2}'
+
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>3}'
+
+    app = [incrementor, { :secret => "other" }]
+
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>1}'
+  end
+
+  it "loads from a cookie wih accept-only integrity hash for graceful key rotation" do
+    response = response_for(:app => [incrementor, { :secret => "test" }])
+
+    app = [incrementor, { :secret => "test2", :old_secret => "test" }]
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>2}'
+
+    app = [incrementor, { :secret => "test3", :old_secret => "test2" }]
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>3}'
+  end
+
+  it "ignores tampered with session cookies" do
+    app = [incrementor, { :secret => "test" }]
+    response = response_for(:app => app)
+    response.body.should.equal '{"counter"=>1}'
+
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>2}'
+
+    _, digest = response["Set-Cookie"].split("--")
+    tampered_with_cookie = "hackerman-was-here" + "--" + digest
+
+    response = response_for(:app => app, :cookie => tampered_with_cookie)
+    response.body.should.equal '{"counter"=>1}'
+  end
+
+  it "supports either of secret or old_secret" do
+    app = [incrementor, { :secret => "test" }]
+    response = response_for(:app => app)
+    response.body.should.equal '{"counter"=>1}'
+
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>2}'
+
+    app = [incrementor, { :old_secret => "test" }]
+    response = response_for(:app => app)
+    response.body.should.equal '{"counter"=>1}'
+
+    response = response_for(:app => app, :cookie => response)
+    response.body.should.equal '{"counter"=>2}'
+  end
+
+  it "can handle Rack::Lint middleware" do
+    response = response_for(:app => incrementor)
+
+    lint = Rack::Lint.new(session_id)
+    response = response_for(:app => lint, :cookie => response)
+    response.body.should.not.be.nil
+  end
+
+  it "can handle middleware that inspects the env" do
+    class TestEnvInspector
+      def initialize(app)
+        @app = app
+      end
+      def call(env)
+        env.inspect
+        @app.call(env)
+      end
+    end
+
+    response = response_for(:app => incrementor)
+
+    inspector = TestEnvInspector.new(session_id)
+    response = response_for(:app => inspector, :cookie => response)
+    response.body.should.not.be.nil
+  end
+
+  it "returns the session id in the session hash" do
+    response = response_for(:app => incrementor)
+    response.body.should.equal '{"counter"=>1}'
+
+    response = response_for(:app => session_id, :cookie => response)
+    response.body.should.match(/"session_id"=>/)
+    response.body.should.match(/"counter"=>1/)
+  end
+
+  it "does not return a cookie if set to secure but not using ssl" do
+    app = [incrementor, { :secure => true }]
+
+    response = response_for(:app => app)
+    response["Set-Cookie"].should.be.nil
+
+    response = response_for(:app => app, :request => { "HTTPS" => "on" })
+    response["Set-Cookie"].should.not.be.nil
+    response["Set-Cookie"].should.match(/secure/)
+  end
+
+  it "does not return a cookie if cookie was not read/written" do
+    response = response_for(:app => nothing)
+    response["Set-Cookie"].should.be.nil
+  end
+
+  it "does not return a cookie if cookie was not written (only read)" do
+    response = response_for(:app => session_id)
+    response["Set-Cookie"].should.be.nil
+  end
+
+  it "returns even if not read/written if :expire_after is set" do
+    app = [nothing, { :expire_after => 3600 }]
+    request = { "rack.session" => { "not" => "empty" }}
+    response = response_for(:app => app, :request => request)
+    response["Set-Cookie"].should.not.be.nil
+  end
+
+  it "returns no cookie if no data was written and no session was created previously, even if :expire_after is set" do
+    app = [nothing, { :expire_after => 3600 }]
+    response = response_for(:app => app)
+    response["Set-Cookie"].should.be.nil
+  end
+
+  it "exposes :secret in env['rack.session.option']" do
+    response = response_for(:app => [session_option[:secret], { :secret => "foo" }])
+    response.body.should == '"foo"'
+  end
+
+  it "exposes :coder in env['rack.session.option']" do
+    response = response_for(:app => session_option[:coder])
+    response.body.should.match(/Base64::Marshal/)
+  end
+
+  it "allows passing in a hash with session data from middleware in front" do
+    request = { 'rack.session' => { :foo => 'bar' }}
+    response = response_for(:app => session_id, :request => request)
+    response.body.should.match(/foo/)
+  end
+
+  it "allows modifying session data with session data from middleware in front" do
+    request = { 'rack.session' => { :foo => 'bar' }}
+    response = response_for(:app => incrementor, :request => request)
+    response.body.should.match(/counter/)
+    response.body.should.match(/foo/)
+  end
+
+  it "allows more than one '--' in the cookie when calculating digests" do
+    @counter = 0
+    app = lambda do |env|
+      env["rack.session"]["message"] ||= ""
+      env["rack.session"]["message"] << "#{(@counter += 1).to_s}--"
+      hash = env["rack.session"].dup
+      hash.delete("session_id")
+      Rack::Response.new(hash["message"]).to_a
+    end
+    # another example of an unsafe coder is Base64.urlsafe_encode64
+    unsafe_coder = Class.new {
+      def encode(hash); hash.inspect end
+      def decode(str); eval(str) if str; end
+    }.new
+    _app = [ app, { :secret => "test", :coder => unsafe_coder } ]
+    response = response_for(:app => _app)
+    response.body.should.equal "1--"
+    response = response_for(:app => _app, :cookie => response)
+    response.body.should.equal "1--2--"
+  end
+end