secure_headers 2.5.3 → 3.0.0.pre

data/lib/secure_headers/headers/public_key_pins.rb

@@ -1,63 +1,62 @@
 module SecureHeaders
-  class PublicKeyPinsBuildError < StandardError; end
-  class PublicKeyPins < Header
-    module Constants
-      HPKP_HEADER_NAME = "Public-Key-Pins"
-      ENV_KEY = 'secure_headers.public_key_pins'
-      HASH_ALGORITHMS = [:sha256]
-      DIRECTIVES = [:max_age]
-      CONFIG_KEY = :hpkp
-    end
+  class PublicKeyPinsConfigError < StandardError; end
+  class PublicKeyPins
+    HEADER_NAME = "Public-Key-Pins".freeze
+    REPORT_ONLY = "Public-Key-Pins-Report-Only".freeze
+    HASH_ALGORITHMS = [:sha256].freeze
+    CONFIG_KEY = :hpkp
+
+
     class << self
-      def symbol_to_hyphen_case sym
-        sym.to_s.gsub('_', '-')
+      # Public: make an hpkp header name, value pair
+      #
+      # Returns nil if not configured, returns header name and value if configured.
+      def make_header(config)
+        return if config.nil?
+        header = new(config)
+        [header.name, header.value]
       end
-    end
-    include Constants
 
-    def initialize(config=nil)
-      @config = validate_config(config)
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise PublicKeyPinsConfigError.new("config must be a hash.") unless config.is_a? Hash
+
+        if !config[:max_age]
+          raise PublicKeyPinsConfigError.new("max-age is a required directive.")
+        elsif config[:max_age].to_s !~ /\A\d+\z/
+          raise PublicKeyPinsConfigError.new("max-age must be a number.
+                                            #{config[:max_age]} was supplied.")
+        elsif config[:pins] && config[:pins].length < 2
+          raise PublicKeyPinsConfigError.new("A minimum of 2 pins are required.")
+        end
+      end
+    end
 
-      @pins = @config.fetch(:pins, nil)
-      @report_uri = @config.fetch(:report_uri, nil)
-      @app_name = @config.fetch(:app_name, nil)
-      @enforce = !!@config.fetch(:enforce, nil)
-      @include_subdomains = !!@config.fetch(:include_subdomains, nil)
-      @tag_report_uri = !!@config.fetch(:tag_report_uri, nil)
+    def initialize(config)
+      @max_age = config.fetch(:max_age, nil)
+      @pins = config.fetch(:pins, nil)
+      @report_uri = config.fetch(:report_uri, nil)
+      @report_only = !!config.fetch(:report_only, nil)
+      @include_subdomains = !!config.fetch(:include_subdomains, nil)
     end
 
     def name
-      base = HPKP_HEADER_NAME
-      if !@enforce
-        base += "-Report-Only"
+      if @report_only
+        REPORT_ONLY
+      else
+        HEADER_NAME
       end
-      base
     end
 
     def value
       header_value = [
-        generic_directives,
+        max_age_directive,
         pin_directives,
         report_uri_directive,
         subdomain_directive
       ].compact.join('; ').strip
     end
 
-    def validate_config(config)
-      raise PublicKeyPinsBuildError.new("config must be a hash.") unless config.is_a? Hash
-
-      if !config[:max_age]
-        raise PublicKeyPinsBuildError.new("max-age is a required directive.")
-      elsif config[:max_age].to_s !~ /\A\d+\z/
-        raise PublicKeyPinsBuildError.new("max-age must be a number.
-                                          #{config[:max_age]} was supplied.")
-      elsif config[:pins] && config[:pins].length < 2
-        raise PublicKeyPinsBuildError.new("A minimum of 2 pins are required.")
-      end
-
-      config
-    end
-
     def pin_directives
       return nil if @pins.nil?
       @pins.collect do |pin|
@@ -67,28 +66,14 @@ module SecureHeaders
       end.join('; ')
     end
 
-    def generic_directives
-      DIRECTIVES.collect do |directive_name|
-        build_directive(directive_name) if @config[directive_name]
-      end.join('; ')
-    end
-
-    def build_directive(key)
-      "#{self.class.symbol_to_hyphen_case(key)}=#{@config[key]}"
+    def max_age_directive
+      "max-age=#{@max_age}" if @max_age
     end
 
     def report_uri_directive
-      return nil if @report_uri.nil?
-
-      if @tag_report_uri
-        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
-        @report_uri += "&app_name=#{@app_name}" if @app_name
-      end
-
-      "report-uri=\"#{@report_uri}\""
+      "report-uri=\"#{@report_uri}\"" if @report_uri
     end
 
-
     def subdomain_directive
       @include_subdomains ? 'includeSubDomains' : nil
     end

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -1,55 +1,27 @@
 module SecureHeaders
-  class STSBuildError < StandardError; end
-
-  class StrictTransportSecurity < Header
-    module Constants
-      HSTS_HEADER_NAME = 'Strict-Transport-Security'
-      HSTS_MAX_AGE = "631138519"
-      DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
-      VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
-      MESSAGE = "The config value supplied for the HSTS header was invalid."
-      CONFIG_KEY = :hsts
-    end
-    include Constants
-
-    def initialize(config = nil)
-      @config = config
-      validate_config unless @config.nil?
-    end
-
-    def name
-      return HSTS_HEADER_NAME
-    end
-
-    def value
-      case @config
-      when String
-        return @config
-      when NilClass
-        return DEFAULT_VALUE
+  class STSConfigError < StandardError; end
+
+  class StrictTransportSecurity
+    HEADER_NAME = 'Strict-Transport-Security'
+    HSTS_MAX_AGE = "631138519"
+    DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
+    VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
+    MESSAGE = "The config value supplied for the HSTS header was invalid. Must match #{VALID_STS_HEADER}"
+    CONFIG_KEY = :hsts
+
+    class << self
+      # Public: generate an hsts header name, value pair.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
       end
 
-      max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
-      value = "max-age=" + max_age.to_s
-      value += "; includeSubdomains" if @config[:include_subdomains]
-      value += "; preload" if @config[:preload]
-
-      value
-    end
-
-    private
-
-    def validate_config
-      if @config.is_a? Hash
-        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for StrictTransportSecurity config"
-        if !@config[:max_age]
-          raise STSBuildError.new("No max-age was supplied.")
-        elsif @config[:max_age].to_s !~ /\A\d+\z/
-          raise STSBuildError.new("max-age must be a number. #{@config[:max_age]} was supplied.")
-        end
-      else
-        @config = @config.to_s
-        raise STSBuildError.new(MESSAGE) unless @config =~ VALID_STS_HEADER
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
+        raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
       end
     end
   end

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -1,41 +1,26 @@
 module SecureHeaders
-  class XContentTypeOptionsBuildError < StandardError; end
+  class XContentTypeOptionsConfigError < StandardError; end
   # IE only
-  class XContentTypeOptions < Header
-    module Constants
-      X_CONTENT_TYPE_OPTIONS_HEADER_NAME = "X-Content-Type-Options"
-      DEFAULT_VALUE = "nosniff"
-      CONFIG_KEY = :x_content_type_options
-    end
-    include Constants
-
-    def initialize(config=nil)
-      @config = config
-      validate_config unless @config.nil?
-    end
+  class XContentTypeOptions
+    HEADER_NAME = "X-Content-Type-Options"
+    DEFAULT_VALUE = "nosniff"
+    CONFIG_KEY = :x_content_type_options
 
-    def name
-      X_CONTENT_TYPE_OPTIONS_HEADER_NAME
-    end
-
-    def value
-      case @config
-      when NilClass
-        DEFAULT_VALUE
-      when String
-        @config
-      else
-        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XContentTypeOptions config"
-        @config[:value]
+    class << self
+      # Public: generate an X-Content-Type-Options header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
       end
-    end
-
-    private
 
-    def validate_config
-      value = @config.is_a?(Hash) ? @config[:value] : @config
-      unless value.casecmp(DEFAULT_VALUE) == 0
-        raise XContentTypeOptionsBuildError.new("Value can only be nil or 'nosniff'")
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless config.casecmp(DEFAULT_VALUE) == 0
+          raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
+        end
       end
     end
   end

data/lib/secure_headers/headers/x_download_options.rb

@@ -1,40 +1,25 @@
 module SecureHeaders
-  class XDOBuildError < StandardError; end
-  class XDownloadOptions < Header
-    module Constants
-      XDO_HEADER_NAME = "X-Download-Options"
-      DEFAULT_VALUE = 'noopen'
-      CONFIG_KEY = :x_download_options
-    end
-    include Constants
-
-    def initialize(config = nil)
-      @config = config
-      validate_config unless @config.nil?
-    end
+  class XDOConfigError < StandardError; end
+  class XDownloadOptions
+    HEADER_NAME = "X-Download-Options"
+    DEFAULT_VALUE = 'noopen'
+    CONFIG_KEY = :x_download_options
 
-    def name
-      XDO_HEADER_NAME
-    end
-
-    def value
-      case @config
-      when NilClass
-        DEFAULT_VALUE
-      when String
-        @config
-      else
-        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XDownloadOptions config"
-        @config[:value]
+    class << self
+      # Public: generate an X-Download-Options header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
       end
-    end
-
-    private
 
-    def validate_config
-      value = @config.is_a?(Hash) ? @config[:value] : @config
-      unless value.casecmp(DEFAULT_VALUE) == 0
-        raise XDOBuildError.new("Value can only be nil or 'noopen'")
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless config.casecmp(DEFAULT_VALUE) == 0
+          raise XDOConfigError.new("Value can only be nil or 'noopen'")
+        end
       end
     end
   end

data/lib/secure_headers/headers/x_frame_options.rb

@@ -1,41 +1,31 @@
 module SecureHeaders
-  class XFOBuildError < StandardError; end
-  class XFrameOptions < Header
-    module Constants
-      XFO_HEADER_NAME = "X-Frame-Options"
-      DEFAULT_VALUE = 'SAMEORIGIN'
-      VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i
-      CONFIG_KEY = :x_frame_options
-    end
-    include Constants
-
-    def initialize(config = nil)
-      @config = config
-      validate_config unless @config.nil?
-    end
+  class XFOConfigError < StandardError; end
+  class XFrameOptions
+    HEADER_NAME = "X-Frame-Options"
+    CONFIG_KEY = :x_frame_options
+    SAMEORIGIN = "sameorigin"
+    DENY = "deny"
+    ALLOW_FROM = "allow-from"
+    ALLOW_ALL = "allowall"
+    DEFAULT_VALUE = SAMEORIGIN
+    VALID_XFO_HEADER = /\A(#{SAMEORIGIN}\z|#{DENY}\z|#{ALLOW_ALL}\z|#{ALLOW_FROM}[:\s])/i
 
-    def name
-      XFO_HEADER_NAME
-    end
-
-    def value
-      case @config
-      when NilClass
-        DEFAULT_VALUE
-      when String
-        @config
-      else
-        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XFrameOptions config"
-        @config[:value]
+    class << self
+      # Public: generate an X-Frame-Options header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        return if config == OPT_OUT
+        [HEADER_NAME, config || DEFAULT_VALUE]
       end
-    end
-
-    private
 
-    def validate_config
-      value = @config.is_a?(Hash) ? @config[:value] : @config
-      unless value =~ VALID_XFO_HEADER
-        raise XFOBuildError.new("Value must be SAMEORIGIN|DENY|ALLOW-FROM:")
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless config =~ VALID_XFO_HEADER
+          raise XFOConfigError.new("Value must be SAMEORIGIN|DENY|ALLOW-FROM:|ALLOWALL")
+        end
       end
     end
   end

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -1,41 +1,26 @@
 module SecureHeaders
-  class XPCDPBuildError < StandardError; end
-  class XPermittedCrossDomainPolicies < Header
-    module Constants
-      XPCDP_HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
-      DEFAULT_VALUE = 'none'
-      VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
-      CONFIG_KEY = :x_permitted_cross_domain_policies
-    end
-    include Constants
-
-    def initialize(config = nil)
-      @config = config
-      validate_config unless @config.nil?
-    end
+  class XPCDPConfigError < StandardError; end
+  class XPermittedCrossDomainPolicies
+    HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
+    DEFAULT_VALUE = 'none'
+    VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
+    CONFIG_KEY = :x_permitted_cross_domain_policies
 
-    def name
-      XPCDP_HEADER_NAME
-    end
-
-    def value
-      case @config
-      when NilClass
-        DEFAULT_VALUE
-      when String
-        @config
-      else
-        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XPermittedCrossDomainPolicies config"
-        @config[:value]
+    class << self
+      # Public: generate an X-Permitted-Cross-Domain-Policies header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
       end
-    end
-
-    private
 
-    def validate_config
-      value = @config.is_a?(Hash) ? @config[:value] : @config
-      unless VALID_POLICIES.include?(value.downcase)
-        raise XPCDPBuildError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless VALID_POLICIES.include?(config.downcase)
+          raise XPCDPConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        end
       end
     end
   end

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -1,55 +1,24 @@
 module SecureHeaders
-  class XXssProtectionBuildError < StandardError; end
-  class XXssProtection < Header
-    module Constants
-      X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
-      DEFAULT_VALUE = "1"
-      VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
-      CONFIG_KEY = :x_xss_protection
-    end
-    include Constants
-
-    def initialize(config=nil)
-      @config = config
-      validate_config unless @config.nil?
-    end
-
-    def name
-      X_XSS_PROTECTION_HEADER_NAME
-    end
+  class XXssProtectionConfigError < StandardError; end
+  class XXssProtection
+    HEADER_NAME = 'X-XSS-Protection'
+    DEFAULT_VALUE = "1; mode=block"
+    VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
+    CONFIG_KEY = :x_xss_protection
 
-    def value
-      case @config
-      when NilClass
-        DEFAULT_VALUE
-      when String
-        @config
-      else
-        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XXssProtection config"
-        value = @config[:value].to_s
-        value += "; mode=#{@config[:mode]}" if @config[:mode]
-        value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
-        value
+    class << self
+      # Public: generate an X-Xss-Protection header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
       end
-    end
-
-    private
-
-    def validate_config
-      if @config.is_a? Hash
-        if !@config[:value]
-          raise XXssProtectionBuildError.new(":value key is missing")
-        elsif @config[:value]
-          unless [0,1].include?(@config[:value].to_i)
-            raise XXssProtectionBuildError.new(":value must be 1 or 0")
-          end
 
-          if @config[:mode] && @config[:mode].casecmp('block') != 0
-            raise XXssProtectionBuildError.new(":mode must nil or 'block'")
-          end
-        end
-      elsif @config.is_a? String
-        raise XXssProtectionBuildError.new("Invalid format (see VALID_X_XSS_HEADER)") unless @config =~ VALID_X_XSS_HEADER
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        raise XXssProtectionConfigError.new("Invalid format (see VALID_X_XSS_HEADER)") unless config.to_s =~ VALID_X_XSS_HEADER
       end
     end
   end

data/lib/secure_headers/middleware.rb

@@ -0,0 +1,15 @@
+module SecureHeaders
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    # merges the hash of headers into the current header set.
+    def call(env)
+      req = Rack::Request.new(env)
+      status, headers, response = @app.call(env)
+      headers.merge!(SecureHeaders.header_hash_for(req))
+      [status, headers, response]
+    end
+  end
+end

data/lib/secure_headers/padrino.rb

@@ -5,10 +5,9 @@ module SecureHeaders
       # Main class that register this extension.
       #
       def registered(app)
-        app.extend SecureHeaders::ClassMethods
         app.helpers SecureHeaders::InstanceMethods
       end
-      alias :included :registered
+      alias_method :included, :registered
     end
   end
 end

data/lib/secure_headers/railtie.rb

@@ -1,24 +1,27 @@
 # rails 3.1+
 if defined?(Rails::Railtie)
   module SecureHeaders
-    class Railtie < Rails::Engine
-      isolate_namespace ::SecureHeaders if defined? isolate_namespace # rails 3.0
+    class Railtie < Rails::Railtie
+      isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
       conflicting_headers = ['X-Frame-Options', 'X-XSS-Protection', 'X-Content-Type-Options',
                              'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
                              'X-Content-Type-Options', 'Strict-Transport-Security',
                              'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
-                             'X-Permitted-Cross-Domain-Policies','Public-Key-Pins','Public-Key-Pins-Report-Only']
+                             'X-Permitted-Cross-Domain-Policies', 'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
+
+      initializer "secure_headers.middleware" do
+        Rails.application.config.middleware.use SecureHeaders::Middleware
+      end
 
       initializer "secure_headers.action_controller" do
         ActiveSupport.on_load(:action_controller) do
-          include ::SecureHeaders::ControllerExtension
+          include SecureHeaders
 
           unless Rails.application.config.action_dispatch.default_headers.nil?
             conflicting_headers.each do |header|
               Rails.application.config.action_dispatch.default_headers.delete(header)
             end
           end
-
         end
       end
     end
@@ -26,7 +29,7 @@ if defined?(Rails::Railtie)
 else
   module ActionController
     class Base
-      include ::SecureHeaders::ControllerExtension
+      include SecureHeaders
     end
   end
 end