secure_headers 2.5.3 → 3.0.0.pre

data/spec/lib/secure_headers/headers/x_download_options_spec.rb

@@ -1,31 +1,27 @@
+require 'spec_helper'
+
 module SecureHeaders
   describe XDownloadOptions do
-    specify { expect(XDownloadOptions.new.name).to eq(XDO_HEADER_NAME)}
-    specify { expect(XDownloadOptions.new.value).to eq("noopen")}
-    specify { expect(XDownloadOptions.new('noopen').value).to eq('noopen')}
-    specify { expect(XDownloadOptions.new(:value => 'noopen').value).to eq('noopen') }
+    specify { expect(XDownloadOptions.make_header).to eq([XDownloadOptions::HEADER_NAME, XDownloadOptions::DEFAULT_VALUE]) }
+    specify { expect(XDownloadOptions.make_header('noopen')).to eq([XDownloadOptions::HEADER_NAME, 'noopen']) }
 
     context "invalid configuration values" do
       it "accepts noopen" do
-        expect {
-          XDownloadOptions.new("noopen")
-        }.not_to raise_error
-
-        expect {
-          XDownloadOptions.new(:value => "noopen")
-        }.not_to raise_error
+        expect do
+          XDownloadOptions.validate_config!("noopen")
+        end.not_to raise_error
       end
 
       it "accepts nil" do
-        expect {
-          XDownloadOptions.new
-        }.not_to raise_error
+        expect do
+          XDownloadOptions.validate_config!(nil)
+        end.not_to raise_error
       end
 
       it "doesn't accept anything besides noopen" do
-        expect {
-          XDownloadOptions.new("open")
-        }.to raise_error(XDOBuildError)
+        expect do
+          XDownloadOptions.validate_config!("open")
+        end.to raise_error(XDOConfigError)
       end
     end
   end

data/spec/lib/secure_headers/headers/x_frame_options_spec.rb

@@ -2,34 +2,32 @@ require 'spec_helper'
 
 module SecureHeaders
   describe XFrameOptions do
-    specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
-
     describe "#value" do
-      specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
-      specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
-      specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
+      specify { expect(XFrameOptions.make_header).to eq([XFrameOptions::HEADER_NAME, XFrameOptions::DEFAULT_VALUE]) }
+      specify { expect(XFrameOptions.make_header("DENY")).to eq([XFrameOptions::HEADER_NAME, "DENY"]) }
 
       context "with invalid configuration" do
         it "allows SAMEORIGIN" do
-          expect {
-            XFrameOptions.new("SAMEORIGIN").value
-          }.not_to raise_error
+          expect do
+            XFrameOptions.validate_config!("SAMEORIGIN")
+          end.not_to raise_error
         end
 
         it "allows DENY" do
-          expect {
-            XFrameOptions.new("DENY").value
-          }.not_to raise_error        end
+          expect do
+            XFrameOptions.validate_config!("DENY")
+          end.not_to raise_error
+        end
 
         it "allows ALLOW-FROM*" do
-          expect {
-            XFrameOptions.new("ALLOW-FROM: example.com").value
-          }.not_to raise_error
+          expect do
+            XFrameOptions.validate_config!("ALLOW-FROM: example.com")
+          end.not_to raise_error
         end
         it "does not allow garbage" do
-          expect {
-            XFrameOptions.new("I like turtles").value
-          }.to raise_error(XFOBuildError)
+          expect do
+            XFrameOptions.validate_config!("I like turtles")
+          end.to raise_error(XFOConfigError)
         end
       end
     end

data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb

@@ -1,63 +1,46 @@
+require 'spec_helper'
+
 module SecureHeaders
   describe XPermittedCrossDomainPolicies do
-    specify { expect(XPermittedCrossDomainPolicies.new.name).to eq(XPermittedCrossDomainPolicies::Constants::XPCDP_HEADER_NAME)}
-    specify { expect(XPermittedCrossDomainPolicies.new.value).to eq("none")}
-    specify { expect(XPermittedCrossDomainPolicies.new('master-only').value).to eq('master-only')}
-    specify { expect(XPermittedCrossDomainPolicies.new(:value => 'master-only').value).to eq('master-only') }
+    specify { expect(XPermittedCrossDomainPolicies.make_header).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "none"]) }
+    specify { expect(XPermittedCrossDomainPolicies.make_header('master-only')).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, 'master-only']) }
 
     context "valid configuration values" do
       it "accepts 'all'" do
-        expect {
-          XPermittedCrossDomainPolicies.new("all")
-        }.not_to raise_error
-
-        expect {
-          XPermittedCrossDomainPolicies.new(:value => "all")
-        }.not_to raise_error
+        expect do
+          XPermittedCrossDomainPolicies.validate_config!("all")
+        end.not_to raise_error
       end
 
       it "accepts 'by-ftp-filename'" do
-        expect {
-          XPermittedCrossDomainPolicies.new("by-ftp-filename")
-        }.not_to raise_error
-
-        expect {
-          XPermittedCrossDomainPolicies.new(:value => "by-ftp-filename")
-        }.not_to raise_error
+        expect do
+          XPermittedCrossDomainPolicies.validate_config!("by-ftp-filename")
+        end.not_to raise_error
       end
 
       it "accepts 'by-content-type'" do
-        expect {
-          XPermittedCrossDomainPolicies.new("by-content-type")
-        }.not_to raise_error
-
-        expect {
-          XPermittedCrossDomainPolicies.new(:value => "by-content-type")
-        }.not_to raise_error
+        expect do
+          XPermittedCrossDomainPolicies.validate_config!("by-content-type")
+        end.not_to raise_error
       end
       it "accepts 'master-only'" do
-        expect {
-          XPermittedCrossDomainPolicies.new("master-only")
-        }.not_to raise_error
-
-        expect {
-          XPermittedCrossDomainPolicies.new(:value => "master-only")
-        }.not_to raise_error
+        expect do
+          XPermittedCrossDomainPolicies.validate_config!("master-only")
+        end.not_to raise_error
       end
 
       it "accepts nil" do
-        expect {
-          XPermittedCrossDomainPolicies.new
-        }.not_to raise_error
+        expect do
+          XPermittedCrossDomainPolicies.validate_config!(nil)
+        end.not_to raise_error
       end
     end
 
     context 'invlaid configuration values' do
-
       it "doesn't accept invalid values" do
-        expect {
-          XPermittedCrossDomainPolicies.new("open")
-        }.to raise_error(XPCDPBuildError)
+        expect do
+          XPermittedCrossDomainPolicies.validate_config!("open")
+        end.to raise_error(XPCDPConfigError)
       end
     end
   end

data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb

@@ -2,55 +2,45 @@ require 'spec_helper'
 
 module SecureHeaders
   describe XXssProtection do
-    specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
-    specify { expect(XXssProtection.new.value).to eq("1")}
-    specify { expect(XXssProtection.new("0").value).to eq("0")}
-    specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
-    specify { expect(XXssProtection.new(:value => 1, :mode => 'block', :report_uri => 'https://www.secure.com/reports').value).to eq('1; mode=block; report=https://www.secure.com/reports') }
+    specify { expect(XXssProtection.make_header).to eq([XXssProtection::HEADER_NAME, XXssProtection::DEFAULT_VALUE]) }
+    specify { expect(XXssProtection.make_header("1; mode=block; report=https://www.secure.com/reports")).to eq([XXssProtection::HEADER_NAME, '1; mode=block; report=https://www.secure.com/reports']) }
 
     context "with invalid configuration" do
       it "should raise an error when providing a string that is not valid" do
-        expect {
-          XXssProtection.new("asdf")
-        }.to raise_error(XXssProtectionBuildError)
+        expect do
+          XXssProtection.validate_config!("asdf")
+        end.to raise_error(XXssProtectionConfigError)
 
-        expect {
-          XXssProtection.new("asdf; mode=donkey")
-        }.to raise_error(XXssProtectionBuildError)
+        expect do
+          XXssProtection.validate_config!("asdf; mode=donkey")
+        end.to raise_error(XXssProtectionConfigError)
       end
 
       context "when using a hash value" do
         it "should allow string values ('1' or '0' are the only valid strings)" do
-          expect {
-            XXssProtection.new(:value => '1')
-          }.not_to raise_error
-        end
-
-        it "should allow integer values (1 or 0 are the only valid integers)" do
-          expect {
-            XXssProtection.new(:value => 1)
-          }.not_to raise_error
+          expect do
+            XXssProtection.validate_config!('1')
+          end.not_to raise_error
         end
 
         it "should raise an error if no value key is supplied" do
-          expect {
-            XXssProtection.new(:mode => 'block')
-          }.to raise_error(XXssProtectionBuildError)
+          expect do
+            XXssProtection.validate_config!("mode=block")
+          end.to raise_error(XXssProtectionConfigError)
         end
 
         it "should raise an error if an invalid key is supplied" do
-          expect {
-            XXssProtection.new(:value => 123)
-          }.to raise_error(XXssProtectionBuildError)
+          expect do
+            XXssProtection.validate_config!("123")
+          end.to raise_error(XXssProtectionConfigError)
         end
 
         it "should raise an error if mode != block" do
-          expect {
-            XXssProtection.new(:value => 1, :mode => "donkey")
-          }.to raise_error(XXssProtectionBuildError)
+          expect do
+            XXssProtection.validate_config!("1; mode=donkey")
+          end.to raise_error(XXssProtectionConfigError)
         end
       end
-
     end
   end
 end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -0,0 +1,40 @@
+require "spec_helper"
+
+module SecureHeaders
+  describe Middleware do
+    let(:app) { ->(env) { [200, env, "app"] } }
+
+    let :middleware do
+      Middleware.new(app)
+    end
+
+    before(:each) do
+      reset_config
+      Configuration.default do |config|
+        # use all default provided by the library
+      end
+    end
+
+    it "sets the headers" do
+      _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
+      expect_default_values(env)
+    end
+
+    it "respects overrides" do
+      request = Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on")
+      SecureHeaders.override_x_frame_options(request, "DENY")
+      _, env = middleware.call request.env
+      expect(env[XFrameOptions::HEADER_NAME]).to eq("DENY")
+    end
+
+    it "uses named overrides" do
+      Configuration.override("my_custom_config") do |config|
+        config.csp[:script_src] = %w(example.org)
+      end
+      request = Rack::Request.new({})
+      SecureHeaders.use_secure_headers_override(request, "my_custom_config")
+      _, env = middleware.call request.env
+      expect(env[CSP::HEADER_NAME]).to match("example.org")
+    end
+  end
+end