RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

data/Rakefile CHANGED Viewed

@@ -7,44 +7,10 @@ require 'net/https'
 desc "Run RSpec"
 RSpec::Core::RakeTask.new do |t|
   t.verbose = false
-   t.rspec_opts = "--format progress"
+  t.rspec_opts = "--format progress"
 end
-task :default => :all_spec
-desc "Run all specs, and test fixture apps"
-task :all_spec => :spec do
-  pwd = Dir.pwd
-  Dir.chdir 'fixtures/rails_3_2_22'
-  puts Dir.pwd
-  str = `bundle install >> /dev/null; bundle exec rspec spec`
-  puts str
-  unless $? == 0
-    Dir.chdir pwd
-    fail "Header tests with app not using initializer failed exit code: #{$?}"
-  end
-  Dir.chdir pwd
-  Dir.chdir 'fixtures/rails_3_2_22_no_init'
-  puts Dir.pwd
-  puts `bundle install >> /dev/null; bundle exec rspec spec`
-  unless $? == 0
-    fail "Header tests with app not using initializer failed"
-    Dir.chdir pwd
-  end
-  Dir.chdir pwd
-  Dir.chdir 'fixtures/rails_4_1_8'
-  puts Dir.pwd
-  puts `bundle install >> /dev/null; bundle exec rspec spec`
-  unless $? == 0
-    fail "Header tests with Rails 4 failed"
-    Dir.chdir pwd
-  end
-end
+task default: :spec
 begin
   require 'rdoc/task'

data/lib/secure_headers/configuration.rb ADDED Viewed

@@ -0,0 +1,189 @@
+module SecureHeaders
+  class Configuration
+    DEFAULT_CONFIG = :default
+    NOOP_CONFIGURATION = "secure_headers_noop_config"
+    class NotYetConfiguredError < StandardError; end
+    class << self
+      # Public: Set the global default configuration.
+      #
+      # Optionally supply a block to override the defaults set by this library.
+      #
+      # Returns the newly created config.
+      def default(&block)
+        config = new(&block)
+        add_noop_configuration
+        add_configuration(DEFAULT_CONFIG, config)
+      end
+      alias_method :configure, :default
+      # Public: create a named configuration that overrides the default config.
+      #
+      # name - use an idenfier for the override config.
+      # base - override another existing config, or override the default config
+      # if no value is supplied.
+      #
+      # Returns: the newly created config
+      def override(name, base = DEFAULT_CONFIG)
+        unless get(base)
+          raise NotYetConfiguredError, "#{base} policy not yet supplied"
+        end
+        override = @configurations[base].dup
+        yield(override)
+        add_configuration(name, override)
+      end
+      # Public: retrieve a global configuration object
+      #
+      # Returns the configuration with a given name or raises a
+      # NotYetConfiguredError if `default` has not been called.
+      def get(name = DEFAULT_CONFIG)
+        if @configurations.nil?
+          raise NotYetConfiguredError, "Default policy not yet supplied"
+        end
+        @configurations[name]
+      end
+      # Public: perform a basic deep dup. The shallow copy provided by dup/clone
+      # can lead to modifying parent objects.
+      def deep_copy(config)
+        config.each_with_object({}) do |(key, value), hash|
+          hash[key] = if value.is_a?(Array)
+            value.dup
+          else
+            value
+          end
+        end
+      end
+      private
+      # Private: add a valid configuration to the global set of named configs.
+      #
+      # config - the config to store
+      # name - the lookup value for this config
+      #
+      # Raises errors if the config is invalid or if a config named `name`
+      # already exists.
+      #
+      # Returns the config, if valid
+      def add_configuration(name, config)
+        config.validate_config!
+        @configurations ||= {}
+        config.send(:cache_headers!)
+        config.freeze
+        @configurations[name] = config
+      end
+      # Private: Automatically add an "opt-out of everything" override.
+      #
+      # Returns the noop config
+      def add_noop_configuration
+        noop_config = new do |config|
+          ALL_HEADER_CLASSES.each do |klass|
+            config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
+          end
+        end
+        add_configuration(NOOP_CONFIGURATION, noop_config)
+      end
+    end
+    attr_accessor :hsts, :x_frame_options, :x_content_type_options,
+      :x_xss_protection, :csp, :x_download_options, :x_permitted_cross_domain_policies,
+      :hpkp
+    attr_reader :cached_headers
+    def initialize(&block)
+      self.hpkp = OPT_OUT
+      self.csp = self.class.deep_copy(CSP::DEFAULT_CONFIG)
+      instance_eval &block if block_given?
+    end
+    # Public: copy everything but the cached headers
+    #
+    # Returns a deep-dup'd copy of this configuration.
+    def dup
+      copy = self.class.new
+      copy.hsts = hsts
+      copy.x_frame_options = x_frame_options
+      copy.x_content_type_options = x_content_type_options
+      copy.x_xss_protection = x_xss_protection
+      copy.x_download_options = x_download_options
+      copy.x_permitted_cross_domain_policies = x_permitted_cross_domain_policies
+      copy.csp = if csp.is_a?(Hash)
+        self.class.deep_copy(csp)
+      else
+        csp
+      end
+      copy.hpkp = if hpkp.is_a?(Hash)
+        self.class.deep_copy(hpkp)
+      else
+        hpkp
+      end
+      copy
+    end
+    # Public: Retrieve a config based on the CONFIG_KEY for a class
+    #
+    # Returns the value if available, and returns a dup of any hash values.
+    def fetch(key)
+      config = send(key)
+      config = self.class.deep_copy(config) if config.is_a?(Hash)
+      config
+    end
+    # Public: validates all configurations values.
+    #
+    # Raises various configuration errors if any invalid config is detected.
+    #
+    # Returns nothing
+    def validate_config!
+      StrictTransportSecurity.validate_config!(hsts)
+      ContentSecurityPolicy.validate_config!(csp)
+      XFrameOptions.validate_config!(x_frame_options)
+      XContentTypeOptions.validate_config!(x_content_type_options)
+      XXssProtection.validate_config!(x_xss_protection)
+      XDownloadOptions.validate_config!(x_download_options)
+      XPermittedCrossDomainPolicies.validate_config!(x_permitted_cross_domain_policies)
+      PublicKeyPins.validate_config!(hpkp)
+    end
+    # Public: Precompute the header names and values for this configuraiton.
+    # Ensures that headers generated at configure time, not on demand.
+    #
+    # Returns the cached headers
+    def cache_headers!
+      # generate defaults for the "easy" headers
+      headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash|
+        config = fetch(klass::CONFIG_KEY)
+        unless config == OPT_OUT
+          hash[klass::CONFIG_KEY] = klass.make_header(config).freeze
+        end
+      end
+      generate_csp_headers(headers)
+      headers.freeze
+      @cached_headers = headers
+    end
+    # Private: adds CSP headers for each variation of CSP support.
+    #
+    # headers - generated headers are added to this hash namespaced by The
+    #   different variations
+    #
+    # Returns nothing
+    def generate_csp_headers(headers)
+      unless csp == OPT_OUT
+        headers[CSP::CONFIG_KEY] = {}
+        CSP::VARIATIONS.each do |name, _|
+          csp_config = fetch(CSP::CONFIG_KEY)
+          csp = CSP.make_header(csp_config, UserAgent.parse(name))
+          headers[CSP::CONFIG_KEY][name] = csp.freeze
+        end
+      end
+    end
+  end
+end