rockstart 0.1.0

data/lib/generators/rockstart/scaffold_templates/templates/rspec/scaffold/request_spec.rb

@@ -0,0 +1,408 @@
+<%- resource_path = name.underscore.pluralize -%>
+<%- permitted_params = attributes.map { |a| ":#{a.name}" }.join(", ") -%>
+# frozen_string_literal: true
+
+require "rails_helper"
+
+<% module_namespacing do -%>
+RSpec.describe "<%= controller_class_name %>", <%= type_metatag(:request) %> do
+<% unless options[:singleton] -%>
+  describe "GET /<%= resource_path %>" do
+    context "with an authenticated admin" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "renders a successful response" do
+        create(:<%= file_name %>)
+        get <%= index_helper %>_url
+        expect(response).to be_successful
+      end
+    end
+
+    context "with an authenticated user" do
+      let(:authenticated_user) { create(:user) }
+
+      before do
+        sign_in(authenticated_user)
+      end
+
+      it "renders a successful response" do
+        create(:<%= file_name %>)
+        get <%= index_helper %>_url
+        expect(response).to be_successful
+      end
+    end
+
+    context "with an unauthorized user" do
+      let(:unauthorized_user) do
+        skip("Provide a user where <%= class_name %>Policy.index? is not granted")
+      end
+
+      before do
+        sign_in(unauthorized_user)
+      end
+
+      it "forbids access" do
+        create(:<%= file_name %>)
+        get <%= index_helper %>_url
+        expect(response).to redirect_to(url_for_user_dashboard)
+
+        follow_redirect!
+        expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.index?", default: t("pundit.default")))
+      end
+    end
+
+    it "does not allow access to guests" do
+      create(:<%= file_name %>)
+      get <%= index_helper %>_url
+      expect(response).to redirect_to(url_for_authentication)
+    end
+  end
+<% end -%>
+
+  describe "GET /<%= resource_path %>/:id" do
+    context "with an authenticated admin" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "renders a successful response" do
+        <%= file_name %> = create(:<%= file_name %>)
+        get <%= show_helper.tr('@', '') %>
+        expect(response).to be_successful
+      end
+    end
+
+    context "with an authenticated user" do
+      let(:authenticated_user) { create(:user) }
+
+      before do
+        sign_in(authenticated_user)
+      end
+
+      it "renders a successful response" do
+        <%= file_name %> = create(:<%= file_name %>)
+        get <%= show_helper.tr('@', '') %>
+        expect(response).to be_successful
+      end
+    end
+
+    context "with an unauthorized user" do
+      let(:unauthorized_user) do
+        skip("Provide a user where <%= class_name %>Policy.show? is not granted")
+      end
+
+      before do
+        sign_in(unauthorized_user)
+      end
+
+      it "forbids access" do
+        <%= file_name %> = create(:<%= file_name %>)
+        get <%= show_helper.tr('@', '') %>
+        expect(response).to redirect_to(<%= index_helper %>_url)
+
+        follow_redirect!
+        expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.show?", default: t("pundit.default")))
+      end
+    end
+
+    it "does not allow access to guests" do
+      <%= file_name %> = create(:<%= file_name %>)
+      get <%= show_helper.tr('@', '') %>
+      expect(response).to redirect_to(url_for_authentication)
+    end
+  end
+
+  describe "GET /<%= resource_path %>/new" do
+    context "with an authenticated admin" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "renders a successful response" do
+        get <%= new_helper %>
+        expect(response).to be_successful
+      end
+    end
+
+    context "with an authenticated user" do
+      let(:authenticated_user) { create(:user) }
+
+      before do
+        sign_in(authenticated_user)
+      end
+
+      it "forbids access" do
+        get <%= new_helper %>
+        expect(response).to redirect_to(<%= index_helper %>_url)
+
+        follow_redirect!
+        expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.new?", default: t("pundit.default")))
+      end
+    end
+
+    it "does not allow access to guests" do
+      get <%= new_helper %>
+      expect(response).to redirect_to(url_for_authentication)
+    end
+  end
+
+  describe "GET /<%= resource_path %>/:id/edit" do
+    context "with an authenticated admin" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "render a successful response" do
+        <%= file_name %> = create(:<%= file_name %>)
+        get <%= edit_helper.tr('@','') %>
+        expect(response).to be_successful
+      end
+    end
+
+    context "with an authenticated user" do
+      let(:authenticated_user) { create(:user) }
+
+      before do
+        sign_in(authenticated_user)
+      end
+
+      it "forbids access" do
+        <%= file_name %> = create(:<%= file_name %>)
+        get <%= edit_helper.tr('@','') %>
+        expect(response).to redirect_to(<%= show_helper.tr('@', '') %>)
+
+        follow_redirect!
+        expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.edit?", default: t("pundit.default")))
+      end
+    end
+
+    it "does not allow access to guests" do
+      <%= file_name %> = create(:<%= file_name %>)
+      get <%= edit_helper.tr('@','') %>
+      expect(response).to redirect_to(url_for_authentication)
+    end
+  end
+
+  describe "POST /<%= resource_path %>" do
+    context "with valid parameters" do
+      let(:valid_attributes) do
+        <%- if attributes.any? -%>
+        attributes_for(:<%= ns_file_name %>).slice(<%= permitted_params %>)
+        <%- else -%>
+        skip("Add a hash of attributes valid for your model")
+        <%- end -%>
+      end
+
+      context "with an authenticated admin" do
+        let(:authenticated_admin) { create(:user, :admin) }
+
+        before do
+          sign_in(authenticated_admin)
+        end
+
+        it "creates a new <%= class_name %>" do
+          expect do
+            post <%= index_helper %>_url, params: { <%= ns_file_name %>: valid_attributes }
+          end.to change(<%= class_name %>, :count).by(1)
+
+          <%= file_name %> = <%= class_name %>.last
+          <%- if attributes.any? -%>
+          <%- attributes.each do |attribute| -%>
+          expect(<%= file_name %>.<%= attribute.name %>).to eq(valid_attributes[:<%= attribute.name %>])
+           <%- end -%>
+          <%- else -%>
+          skip("Add assertions for created state")
+          <%- end -%>
+        end
+
+        it "redirects to the created <%= ns_file_name %>" do
+          post <%= index_helper %>_url, params: { <%= ns_file_name %>: valid_attributes }
+          expect(response).to redirect_to(<%= show_helper.gsub("\@#{file_name}", class_name+".last") %>)
+        end
+      end
+
+      context "with an authenticated user" do
+        let(:authenticated_user) { create(:user) }
+
+        before do
+          sign_in(authenticated_user)
+        end
+
+        it "forbids access" do
+          post <%= index_helper %>_url, params: { <%= ns_file_name %>: valid_attributes }
+          expect(response).to redirect_to(<%= index_helper %>_url)
+
+          follow_redirect!
+          expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.create?", default: t("pundit.default")))
+        end
+      end
+
+      it "does not allow access to guests" do
+        post <%= index_helper %>_url, params: { <%= ns_file_name %>: valid_attributes }
+        expect(response).to redirect_to(url_for_authentication)
+      end
+    end
+
+    context "with invalid parameters" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      let(:invalid_attributes) do
+        skip("Add a hash of attributes invalid for your model")
+      end
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "does not create a new <%= class_name %>" do
+        expect do
+          post <%= index_helper %>_url, params: { <%= ns_file_name %>: invalid_attributes }
+        end.to change(<%= class_name %>, :count).by(0)
+      end
+
+      it "renders a successful response (i.e. to display the 'new' template)" do
+        post <%= index_helper %>_url, params: { <%= ns_file_name %>: invalid_attributes }
+        expect(response).to be_successful
+      end
+    end
+  end
+
+  describe "PATCH /<%= resource_path %>/:id" do
+    context "with valid parameters" do
+      let(:new_attributes) do
+        <%- if attributes.any? -%>
+        attributes_for(:<%= ns_file_name %>).slice(<%= permitted_params %>)
+        <%- else -%>
+        skip("Add a hash of attributes valid for your model")
+        <%- end -%>
+      end
+
+      context "with an authenticated admin" do
+        let(:authenticated_admin) { create(:user, :admin) }
+
+        before do
+          sign_in(authenticated_admin)
+        end
+
+        it "updates the requested <%= ns_file_name %>" do
+          <%= file_name %> = create(:<%= file_name %>)
+          patch <%= show_helper.tr('@', '') %>, params: { <%= singular_table_name %>: new_attributes }
+
+          <%= file_name %>.reload
+          <%- if attributes.any? -%>
+          <%- attributes.each do |attribute| -%>
+          expect(<%= file_name %>.<%= attribute.name %>).to eq(new_attributes[:<%= attribute.name %>])
+           <%- end -%>
+          <%- else -%>
+          skip("Add assertions for updated state")
+          <%- end -%>
+        end
+
+        it "redirects to the <%= ns_file_name %>" do
+          <%= file_name %> = create(:<%= file_name %>)
+          patch <%= show_helper.tr('@', '') %>, params: { <%= singular_table_name %>: new_attributes }
+          <%= file_name %>.reload
+          expect(response).to redirect_to(<%= singular_table_name %>_url(<%= file_name %>))
+        end
+      end
+
+      context "with an authenticated user" do
+        let(:authenticated_user) { create(:user) }
+
+        before do
+          sign_in(authenticated_user)
+        end
+
+        it "forbids access" do
+          <%= file_name %> = create(:<%= file_name %>)
+          patch <%= show_helper.tr('@', '') %>, params: { <%= singular_table_name %>: new_attributes }
+          expect(response).to redirect_to(<%= show_helper.tr('@', '') %>)
+
+          follow_redirect!
+          expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.update?", default: t("pundit.default")))
+        end
+      end
+
+      it "does not allow access to guests" do
+        <%= file_name %> = create(:<%= file_name %>)
+        patch <%= show_helper.tr('@', '') %>, params: { <%= singular_table_name %>: new_attributes }
+        expect(response).to redirect_to(url_for_authentication)
+      end
+    end
+
+    context "with invalid parameters" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      let(:invalid_attributes) do
+        skip("Add a hash of attributes invalid for your model")
+      end
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "renders a successful response (i.e. to display the 'edit' template)" do
+        <%= file_name %> = create(:<%= file_name %>)
+        patch <%= show_helper.tr('@', '') %>, params: { <%= singular_table_name %>: invalid_attributes }
+        expect(response).to be_successful
+      end
+    end
+  end
+
+  describe "DELETE /<%= resource_path %>/:id" do
+    context "with an authenticated admin" do
+      let(:authenticated_admin) { create(:user, :admin) }
+
+      before do
+        sign_in(authenticated_admin)
+      end
+
+      it "destroys the requested <%= ns_file_name %>" do
+        <%= file_name %> = create(:<%= file_name %>)
+        expect do
+          delete <%= show_helper.tr('@', '') %>
+        end.to change(<%= class_name %>, :count).by(-1)
+      end
+
+      it "redirects to the <%= table_name %> list" do
+        <%= file_name %> = create(:<%= file_name %>)
+        delete <%= show_helper.tr('@', '') %>
+        expect(response).to redirect_to(<%= index_helper %>_url)
+      end
+    end
+
+    context "with an authenticated user" do
+      let(:authenticated_user) { create(:user) }
+
+      before do
+        sign_in(authenticated_user)
+      end
+
+      it "forbids access" do
+        <%= file_name %> = create(:<%= file_name %>)
+        delete <%= show_helper.tr('@', '') %>
+        expect(response).to redirect_to(<%= show_helper.tr('@', '') %>)
+
+        follow_redirect!
+        expect(response.body).to have_selector(".alert-error", text: t("pundit.example_policy.destroy?", default: t("pundit.default")))
+      end
+    end
+
+    it "does not allow access to guests" do
+      <%= file_name %> = create(:<%= file_name %>)
+      delete <%= show_helper.tr('@', '') %>
+      expect(response).to redirect_to(url_for_authentication)
+    end
+  end
+end
+<% end -%>

data/lib/generators/rockstart/security/USAGE

@@ -0,0 +1,13 @@
+Description:
+    Adds security checks and middleware to a Rails app
+
+Example:
+    rails generate rockstart:security
+
+    This will create:
+        Installs bundler-audit to safely check gems
+        Installs brakeman to check for any potential exploits
+        Adds rack_attack with a simple policy to block most attacks
+        Configures a minimalist Content Security Policy with supporting test coverage
+        Ensures test (and unconfigured) environments are using an in-memory cache
+        Enforces secure HTTPS connections by defaults

data/lib/generators/rockstart/security/security_generator.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+class Rockstart::SecurityGenerator < Rails::Generators::Base
+  include Rails::Generators::AppName
+  source_root File.expand_path("templates", __dir__)
+
+  class_option :font_hosts, type: :array,
+                            desc: "Known third-party hosts for Fonts",
+                            default: []
+
+  class_option :image_hosts, type: :array,
+                             desc: "Known third-party hosts for Images",
+                             default: []
+
+  class_option :script_hosts, type: :array,
+                              desc: "Known third-party hosts for (Java)Scripts",
+                              default: []
+
+  class_option :style_hosts, type: :array,
+                             desc: "Known third-party hosts for Stylesheets",
+                             default: []
+
+  class_option :session_name, type: :string,
+                              desc: "Name used for Rails Sessions",
+                              default: Rockstart::Env.default_session_name
+
+  def install_bundler_audit
+    gem "bundler-audit", github: "rubysec/bundler-audit"
+
+    Bundler.clean_system("bundle install --quiet")
+
+    copy_file "bundler_audit.rake", "lib/tasks/bundler_audit.rake"
+  end
+
+  def install_brakeman
+    gem "brakeman", group: %i[development test]
+
+    Bundler.clean_system("bundle install --quiet")
+
+    copy_file "brakeman.rake", "lib/tasks/brakeman.rake"
+
+    append_to_file ".gitignore", "brakeman\n"
+  end
+
+  def add_security_rake_tasks
+    copy_file "security.rake", "lib/tasks/security.rake"
+  end
+
+  def install_rack_attack
+    gem "rack-attack"
+
+    Bundler.clean_system("bundle install --quiet")
+
+    copy_file "rack_attack.rb", "config/initializers/rack_attack.rb"
+    copy_file "cache_support.rb", "spec/support/cache.rb"
+
+    application do
+      <<~CACHE
+        # Use memory_store cache for testing and default configurations
+        config.cache_store = :memory_store
+      CACHE
+    end
+    comment_lines "config/environments/test.rb", "config.cache_store = "
+  end
+
+  def add_session_initializer
+    template "session_store_initializer.rb.tt", "config/initializers/session_store.rb"
+  end
+
+  def add_content_security_policy
+    template "content_security_policy_initializer.rb.tt",
+             "config/initializers/content_security_policy.rb"
+
+    copy_file "csp_violations_controller.rb", "app/controllers/csp_violations_controller.rb"
+    route "resources :csp_violations, only: [:create]"
+
+    template "content_security_spec.rb.tt", "spec/requests/content_security_spec.rb"
+  end
+
+  def enforce_ssl
+    gsub_file "config/environments/production.rb",
+              /config.force_ssl = .+$/,
+              'config.force_ssl = ENV["ALLOW_INSECURE_HTTP"].to_i != 1'
+    uncomment_lines "config/environments/production.rb", /config.force_ssl =/
+  end
+
+  private
+
+  def font_hosts
+    options[:font_hosts] || []
+  end
+
+  def image_hosts
+    options[:image_hosts] || []
+  end
+
+  def script_hosts
+    options[:script_hosts] || []
+  end
+
+  def style_hosts
+    options[:style_hosts] || []
+  end
+
+  def session_name
+    options[:session_name]
+  end
+end

data/lib/generators/rockstart/security/templates/brakeman.rake

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+desc "Run brakeman check on your codebase"
+task :brakeman do
+  system "bundle exec brakeman -w 2 -o brakeman"
+end

data/lib/generators/rockstart/security/templates/bundler_audit.rake

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/audit/task"
+Bundler::Audit::Task.new

data/lib/generators/rockstart/security/templates/cache_support.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# Support for tests that depend on Rails.cache
+module CacheSupport
+  def clear_rails_cache
+    Rails.cache.clear
+  end
+end
+
+RSpec.configure do |config|
+  config.include CacheSupport
+
+  config.around(cache_testing: true) do |example|
+    clear_rails_cache
+    example.run
+    clear_rails_cache
+  end
+end

data/lib/generators/rockstart/security/templates/content_security_policy_initializer.rb.tt

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide content security policy
+# For further information see the following documentation
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+# Configure any external domains used to host assets here
+csp_connect_sources = []
+csp_font_sources = <%= font_hosts.inspect %>
+csp_image_sources = <%= image_hosts.inspect %>
+csp_script_sources = <%= script_hosts.inspect %>
+csp_style_sources = <%= style_hosts.inspect %>
+
+# Allow the asset host to serve assets
+if (asset_host = Rails.application.config.action_controller.asset_host.presence)
+  csp_font_sources.append(asset_host)
+  csp_image_sources.append(asset_host)
+  csp_script_sources.append(asset_host)
+  csp_style_sources.append(asset_host)
+end
+
+# Allow webpacker to render styles inline
+if Rails.env.development?
+  csp_connect_sources += %w[http://localhost:3035 ws://localhost:3035]
+  csp_style_sources.append(:unsafe_inline)
+end
+
+Rails.application.config.content_security_policy do |policy|
+  policy.default_src :none
+  policy.connect_src :self, *csp_connect_sources
+  policy.font_src    :self, *csp_font_sources
+  policy.img_src     :self, :data, *csp_image_sources
+  policy.object_src  :none
+  policy.script_src  :self, *csp_script_sources
+  policy.style_src   :self, *csp_style_sources
+
+  # Prevent non secure resources from being loaded
+  policy.block_all_mixed_content
+  policy.upgrade_insecure_requests
+
+  # Specify URI for violation reports
+  policy.report_uri "/csp_violations"
+end
+
+# If you are using UJS then enable automatic nonce generation
+# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+
+# Set the nonce only to specific directives
+# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+
+# Report CSP violations to a specified URI
+# For further information see the following documentation:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# Rails.application.config.content_security_policy_report_only = true