shamu 0.0.8 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: afa18618f6ec75e4163bbc06c2ac89d60b5729d6
-  data.tar.gz: 0d3fc88e85d907868e82a98d8b877c326eacb4b9
+  metadata.gz: e6619b53b0ccf99f395e9ef5687a3eb9cd2fd661
+  data.tar.gz: 425daaaa1d330ffeb4ec885a59e9b0c63e5e1548
 SHA512:
-  metadata.gz: 405509ea9020934875f4d74015c62b4733511b948c81caa617e67c94ffb3512dffd2264a8f8dcfcccd8277a2835eb142c6a84fb6edf090f6ed8dfdbd9aa8becf
-  data.tar.gz: af3f05ab6ac199ae75d9716d430ff3270eab6fc156f74a709ad87be0d70d7042fbcc8865cb5f660cdc60d1494657854b76a8c7e6fc10a2c0039ab98402cd6f35
+  metadata.gz: 6f1cad8cd5b39cbfe4b186d4dfbb5b4c4f1c5e549dabb829cc801d708516fb15be7e16b8da1f9e1829203ae1d4b695ac6acb8f943767910f716591deb93fc659
+  data.tar.gz: 9cccb625e79e236cc7829cf86db880f0a0ac814847b305137c7e33d222e63ca507c0e373c243c9472d40159e503f65fb5169fb4c1d9e5bd684a6def1aac54662

data/.ruby-version

@@ -1 +1 @@
-2.3.0
+2.3.1

data/Gemfile

@@ -14,7 +14,7 @@ group :test do
 
   gem "sqlite3", "~> 1.3.11"
   gem "guard", "~> 2.12.8"
-  gem "rubocop"
+  gem "rubocop", "~> 0.39.0"
   gem "guard-rubocop"
   gem "spring"
   gem "guard-rspec"

data/lib/shamu/attributes/html_sanitation.rb

@@ -0,0 +1,218 @@
+require "loofah"
+
+module Shamu
+  module Attributes
+
+    # Adds an HTML sanitation option to attributes. When present, string values
+    # will be sanitized when the attribute is read.
+    #
+    # The raw unfiltered value is always available as `#{ attribute }_raw`.
+    module HtmlSanitation
+      extend ActiveSupport::Concern
+
+      # The standard HTML sanitation filter methods.
+      STANDARD_FILTER_METHODS = [
+        :none,      # Don't allow any HTML
+        :simple,    # Allow very simple HTML. See {#simple_html_sanitize}.
+        :body,      # Allow subset useful for body copy. See
+                    #   {#body_html_sanitize}.
+        :safe,      # Allow a broad subset of HTML tags and attributes. See
+                    #   {#safe_html_sanitize}.
+        :allow      # Allow all HTML.
+      ].freeze
+
+      # Tags safe for simple text.
+      SIMPLE_TAGS = %w( B I STRONG EM ).freeze
+
+      # Tags safe for body text.
+      BODY_TAGS = %w( B BR CODE DIV EM H2 H3 H4 H5 H6 HR I LI OL P PRE SPAN STRONG U UL ).freeze
+
+      # Tags that are not safe.
+      UNSAFE_TAGS = %w( FORM SCRIPT IFRAME FRAME ).freeze
+
+      class_methods do
+        # (see Attributes.attribute)
+        # @param [Symbol,#call] html sanitation options. Acceptable values are
+        #
+        #   - `:none` strip all HTML. The default.
+        #   - `:simple` simple formatting suitable for most places. See
+        #     {#simple_html_sanitize} for details.
+        #   - `:body` basic formatting for 'body' text. See
+        #     {#body_html_sanitize} for details.
+        #   - `:allow` permit any HTML tag.
+        #   - Any other symbol is assumed to be a method on the entity that will
+        #     be called to filter the html.
+        #   - `#call` anything that responds to `#call` that takes a single
+        #     argument of the raw string and returns the sanitized HTML.
+        def attribute( name, *args, **options, &block )
+          super.tap do
+            define_html_sanitized_attribute_reader( name, options[ :html ] ) if options.key?( :html )
+          end
+        end
+
+        private
+
+          def define_attribute_reader( name, as: nil, ** )
+            super
+
+            class_eval <<-RUBY, __FILE__, __LINE__ + 1
+              def #{ name }_raw                                       # def attribute_raw
+                return @#{ name } if defined? @#{ name }              #   return @attribute if defined? @attribute
+                @#{ name } = fetch_#{ name }                          #   @attribute = fetch_attribute
+              end                                                     # end
+            RUBY
+          end
+
+          def define_html_sanitized_attribute_reader( name, method )
+            method ||= :none
+
+            filter_method = resolve_html_filter_method( name, method )
+            class_eval <<-RUBY, __FILE__, __LINE__ + 1
+              def #{ name }                                                               # def attribute
+                return @#{ name }_html_sanitized if defined? @#{ name }_html_sanitized    #   return @attribute_html_sanitized if defined? @attribute_html_sanitized
+                @#{ name }_html_sanitized = #{ filter_method }( #{ name }_raw )           #   @attribute_html_sanitized = simple_html_sanitized( attribute_raw )
+              end                                                                         # end
+            RUBY
+          end
+
+          def resolve_html_filter_method( name, method )
+            if STANDARD_FILTER_METHODS.include?( method )
+              "#{ method }_html_sanitize"
+            elsif method.is_a?( Symbol )
+              method
+            else
+              filter_method = "custom_#{ name }_html_sanitize"
+              define_method filter_method, &method
+              filter_method
+            end
+          end
+      end
+
+      private
+
+        # @!visibility public
+        #
+        # Remove all HTML from the value.
+        #
+        # @param [String] value to sanitize.
+        # @return [String] the sanitized value.
+        def none_html_sanitize( value )
+          return value unless value.is_a?( String )
+
+          Loofah.fragment( value ).scrub!( NoneScrubber.new ).to_s
+        end
+
+        # @!visibility public
+        #
+        # Remove all but the simplest html tags <B>, <I>, <STRONG>, <EM>.
+        #
+        # @param [String] value to sanitize.
+        # @return [String] the sanitized value.
+        def simple_html_sanitize( value )
+          return value unless value.is_a?( String )
+
+          Loofah.fragment( value ).scrub!( SimpleScrubber.new ).to_s
+        end
+
+        # @!visibility public
+        #
+        # Remove all but a limited subset of common tags useful for body copy
+        # text. See {BODY_TAGS}.
+        #
+        # @param [String] value to sanitize.
+        # @return [String] the sanitized value.
+        def body_html_sanitize( value )
+          return value unless value.is_a?( String )
+
+          Loofah.fragment( value ).scrub!( BodyScrubber.new ).to_s
+        end
+
+        # @!visibility public
+        #
+        # Remove all HTML from the value.
+        #
+        # @param [String] value to sanitize.
+        # @return [String] the sanitized value.
+        def safe_html_sanitize( value )
+          return value unless value.is_a?( String )
+
+          Loofah.fragment( value )
+                .scrub!( SafeScrubber.new )
+                .scrub!( :no_follow )
+                .to_s
+        end
+
+        # @!visibility public
+        #
+        # Does not perform any sanitization of the value.
+        #
+        # @param [String] value to sanitize.
+        # @return [String] the sanitized value.
+        def allow_html_sanitize( value )
+          return value unless value.is_a?( String )
+
+          Loofah.fragment( value ).scrub!( :no_follow ).to_s
+        end
+
+      class NoneScrubber < Loofah::Scrubber
+        def initialize
+          @direction = :bottom_up
+        end
+
+        def scrub( node )
+          if node.text?
+            Loofah::Scrubber::CONTINUE
+          else
+            node.before node.children
+            node.remove
+          end
+        end
+      end
+
+      class PermitScrubber < Loofah::Scrubber
+        def initialize
+          @direction = :bottom_up
+        end
+
+        def scrub( node )
+          if node.type == Nokogiri::XML::Node::ELEMENT_NODE
+            if allowed_element?( node.name )
+              Loofah::HTML5::Scrub.scrub_attributes node
+            else
+              node.before node.children unless unsafe_element?( node.name )
+              node.remove
+            end
+          end
+
+          Loofah::Scrubber::CONTINUE
+        end
+
+        def allowed_element?( name )
+        end
+
+        def unsafe_element?( name )
+          UNSAFE_TAGS.include?( name.upcase )
+        end
+      end
+
+      class SimpleScrubber < PermitScrubber
+        def allowed_element?( name )
+          SIMPLE_TAGS.include?( name.upcase )
+        end
+      end
+
+      class BodyScrubber < PermitScrubber
+        def allowed_element?( name )
+          BODY_TAGS.include?( name.upcase )
+        end
+      end
+
+      class SafeScrubber < PermitScrubber
+        def allowed_element?( name )
+          !unsafe_element?( name )
+        end
+      end
+
+    end
+  end
+end

data/lib/shamu/attributes.rb

@@ -12,6 +12,7 @@ module Shamu
   # - {Attributes::FluidAssignment}
   # - {Attributes::Validation}
   # - {Attributes::Equality}
+  # - {Attributes::HtmlSanitation}
   #
   # @example
   #
@@ -27,6 +28,7 @@ module Shamu
     require "shamu/attributes/fluid_assignment"
     require "shamu/attributes/validation"
     require "shamu/attributes/equality"
+    require "shamu/attributes/html_sanitation"
 
     def initialize( *attributes )
       assign_attributes( attributes.last )

data/lib/shamu/entities/html_sanitation.rb

@@ -0,0 +1,24 @@
+module Shamu
+  module Entities
+
+    # Forces all string attributes to be html sanitized.
+    module HtmlSanitation
+      extend ActiveSupport::Concern
+
+      included do
+        include Shamu::Attributes::HtmlSanitation
+        extend AttributeMethod
+      end
+
+      module AttributeMethod
+        # (see Attributes::HtmlSanitation.attribute)
+        def attribute( name, *args, **options, &block )
+          options[:html] ||= :none
+
+          super name, *args, **options, &block
+        end
+      end
+
+    end
+  end
+end

data/lib/shamu/entities.rb

@@ -7,5 +7,6 @@ module Shamu
     require "shamu/entities/list_scope"
     require "shamu/entities/identity_cache"
     require "shamu/entities/entity_path"
+    require "shamu/entities/html_sanitation"
   end
 end

data/lib/shamu/locale/en.yml

@@ -17,7 +17,7 @@ en:
         access_denied: You are not permitted to do that.
         incomplete_setup: Security has been enabled but is not yet configured.
         no_actiev_record_policy_checks: Don't check for policy on ActiveRecord resources. Check their projected Entity instead.
-
+        no_policy_impersonation: Impersonation is not supported by this principal.
     events:
       errors:
         unknown_runner: Unknown runner. Each process should offer a consitent but unique runner_id.

data/lib/shamu/security/delegate_principal.rb

@@ -0,0 +1,19 @@
+module Shamu
+  module Security
+
+    # ...
+    class DelegatePrincipal < Principal
+
+      # (see Principal#impersonate)
+      def impersonate( user_id )
+        fail NoPolicyImpersonationError
+      end
+
+      # (see Principal#service_delegate?)
+      def service_delegate?
+        true
+      end
+
+    end
+  end
+end

data/lib/shamu/security/error.rb

@@ -61,5 +61,11 @@ module Shamu
       end
     end
 
+    # Principal does not support impersonation.
+    class NoPolicyImpersonationError < Error
+      def initialize( message = :no_policy_impersonation )
+        super
+      end
+    end
   end
 end

data/lib/shamu/security/principal.rb

@@ -67,6 +67,12 @@ module Shamu
         self.class.new( user_id: user_id, parent_principal: self, remote_ip: remote_ip, elevated: elevated )
       end
 
+      # @return [Boolean] true if the principal was offered by one service to
+      #     another and requesting that the downstream service delegate security
+      #     checks to the calling service.
+      def service_delegate?
+      end
+
     end
   end
 end

data/lib/shamu/security/support.rb

@@ -76,6 +76,7 @@ module Shamu
         # @return [Boolean] true if the service has been asked to delegate
         #     policy checks to the upstream service and
         def service_policy_delegation?
+          security_principal.service_delegate?
         end
 
     end

data/lib/shamu/services/request_support.rb

@@ -70,10 +70,34 @@ module Shamu
         #     end
         #   end
         def with_request( params, request_class, &block )
-          request = request_class.coerce( params )
-          sources = yield( request ) if request.valid?
+          with_partial_request params, request_class do |request|
+            next unless request.valid?
 
-          result request, *sources
+            yield request
+          end
+        end
+
+        # @!visibility public
+        #
+        # Behaves the same as {#with_request} but always executes the block even
+        # if the params are not yet valid. Allows the block to populate the
+        # request with missing information before validating.
+        #
+        # @param (see #with_request)
+        # @return (see #with_request)
+        # @see #with_request
+        def with_partial_request( params, request_class, &block )
+          request = request_class.coerce( params )
+          # Make sure the request captures errors even if the block doesn't
+          # check
+          request.valid?
+          sources = yield( request )
+
+          if sources.is_a?( Result )
+            sources
+          else
+            result request, *Array.wrap( sources )
+          end
         end
 
       # Static methods added to {RequestSupport}

data/lib/shamu/services/service.rb

@@ -116,9 +116,9 @@ module Shamu
         #     record.
         # @param [Symbol,#call(record)] match the attribute or a Proc used to
         #  extract the id used to compare records.
-        # @param [Symbol,#call] coerce a method that can be used to coerce id values
-        #     to the same type (eg :to_i). If not set, automatically uses :to_i
-        #     if match is an 'id' attribute.
+        # @param [Symbol,#call] coerce a method that can be used to coerce id
+        #     values to the same type (eg :to_i). If not set, automatically uses
+        #     :to_model_id if match is an 'id' attribute.
         # @yield (see #entity_list)
         # @yieldparam (see #entity_list)
         # @yieldreturn (see #entity_list)
@@ -153,7 +153,7 @@ module Shamu
         def entity_lookup_list( records, ids, null_class, match: :id, coerce: :not_set, &transformer )
           matcher = entity_lookup_list_matcher( match )
           coerce  = coerce_method( coerce, match )
-          ids = ids.map( &coerce ) if coerce
+          ids     = ids.map( &coerce ) if coerce
 
           list = entity_list records, &transformer
           matched = ids.map do |id|
@@ -175,7 +175,7 @@ module Shamu
 
           def coerce_method( coerce, match )
             return coerce unless coerce == :not_set
-            :to_i if match.is_a?( Symbol ) && match =~ /(^|_)id$/
+            :to_model_id if match.is_a?( Symbol ) && match =~ /(^|_)ids?$/
           end
 
         # @!visibility public
@@ -297,6 +297,8 @@ module Shamu
         #     end
         #   end
         def cached_lookup( ids, match: :id, coerce: :not_set, entity: nil, &lookup )
+          coerce      = coerce_method( coerce, match )
+          ids         = ids.map( &coerce ) if coerce
           cache       = cache_for( key: match, coerce: coerce, entity: entity )
           missing_ids = cache.uncached_keys( ids )
 

data/lib/shamu/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Shamu
   # The primary version number
-  VERSION_NUMBER  = "0.0.8".freeze
+  VERSION_NUMBER  = "0.0.9".freeze
 
   # Version suffix such as 'beta' or 'alpha'
   VERSION_SUFFIX  = "".freeze

data/shamu.gemspec

@@ -27,7 +27,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "rack", "~> 1"
   spec.add_dependency "listen", "~> 3"
   spec.add_dependency "crc32", "~> 1"
-
+  spec.add_dependency "loofah", "~> 2"
 
   spec.add_development_dependency "bundler", "~> 1.6"
   spec.add_development_dependency "i18n", "~> 0.7"

data/spec/lib/shamu/attributes/html_sanitation_spec.rb

@@ -0,0 +1,42 @@
+require "spec_helper"
+
+module HtmlSanitationSpec
+  class Attrs
+    include Shamu::Attributes
+    include Shamu::Attributes::HtmlSanitation
+
+    attribute :bio, html: :body
+    attribute :name, html: :simple
+    attribute :email, html: :none
+  end
+end
+
+describe Shamu::Attributes::HtmlSanitation do
+  context "simple sanitation" do
+    let( :entity ) { HtmlSanitationSpec::Attrs.new( name: "<b>Bold</b> <p>Name</p>" ) }
+
+    it "removes non-simple HTML by default" do
+      expect( entity.name ).to eq "<b>Bold</b> Name"
+    end
+
+    it "exposes original value available via raw attribute" do
+      expect( entity.name_raw ).to eq "<b>Bold</b> <p>Name</p>"
+    end
+  end
+
+  context "none sanitation" do
+    let( :entity ) { HtmlSanitationSpec::Attrs.new( email: "<b>Bold</b> <p>Name</p>" ) }
+
+    it "removes all HTML by default" do
+      expect( entity.email ).to eq "Bold Name"
+    end
+  end
+
+  context "body sanitation" do
+    let( :entity ) { HtmlSanitationSpec::Attrs.new( bio: "<script>alert('Hacked')</script><h2>Title</h2>" ) }
+
+    it "only removes illegal HTML" do
+      expect( entity.bio ).to eq "<h2>Title</h2>"
+    end
+  end
+end

data/spec/lib/shamu/entities/html_sanitation_spec.rb

@@ -0,0 +1,17 @@
+require "spec_helper"
+
+module HtmlSanitationSpec
+  class Entity < Shamu::Entities::Entity
+    include Shamu::Entities::HtmlSanitation
+
+    attribute :name
+  end
+end
+
+describe Shamu::Attributes::HtmlSanitation do
+  let( :entity ) { HtmlSanitationSpec::Entity.new( name: "<b>Bold</b> <p>Name</p>" ) }
+
+  it "removes all HTML by default" do
+    expect( entity.name ).to eq "Bold Name"
+  end
+end

data/spec/lib/shamu/services/request_support_spec.rb

@@ -15,6 +15,12 @@ module RequestSupportSpec
       end
     end
 
+    def partial_process( params )
+      with_partial_request( params, Request::Change ) do |_|
+        request_hook
+      end
+    end
+
     def request_hook
     end
 
@@ -120,6 +126,24 @@ describe Shamu::Services::RequestSupport do
     end
   end
 
+  describe "#with_partial_request" do
+    let( :request_params ) { { level: 1, amount: 5 } }
+    let( :service ) { scorpion.new RequestSupportSpec::Service }
+
+    it "yields even if params are invalid" do
+      request_params.delete :amount
+      expect( service ).to receive( :request_hook )
+      service.partial_process( request_params )
+    end
+
+    it "reports errors even if block doesn't check" do
+      request_params.delete :amount
+      result = service.partial_process( request_params )
+
+      expect( result.request.errors ).not_to be_empty
+    end
+  end
+
   describe "#request_for" do
     it "returns request" do
       request = service.request_for( :create )

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shamu
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.9
 platform: ruby
 authors:
 - Paul Alexander
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-20 00:00:00.000000000 Z
+date: 2016-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -108,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1'
+- !ruby/object:Gem::Dependency
+  name: loofah
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -213,6 +227,7 @@ files:
 - lib/shamu/attributes/assignment.rb
 - lib/shamu/attributes/equality.rb
 - lib/shamu/attributes/fluid_assignment.rb
+- lib/shamu/attributes/html_sanitation.rb
 - lib/shamu/attributes/validation.rb
 - lib/shamu/auditing.rb
 - lib/shamu/auditing/README.md
@@ -228,6 +243,7 @@ files:
 - lib/shamu/entities/active_record_soft_destroy.rb
 - lib/shamu/entities/entity.rb
 - lib/shamu/entities/entity_path.rb
+- lib/shamu/entities/html_sanitation.rb
 - lib/shamu/entities/identity_cache.rb
 - lib/shamu/entities/list.rb
 - lib/shamu/entities/list_scope.rb
@@ -311,6 +327,7 @@ files:
 - lib/shamu/security.rb
 - lib/shamu/security/README.md
 - lib/shamu/security/active_record_policy.rb
+- lib/shamu/security/delegate_principal.rb
 - lib/shamu/security/error.rb
 - lib/shamu/security/hashed_value.rb
 - lib/shamu/security/no_policy.rb
@@ -350,6 +367,7 @@ files:
 - spec/lib/shamu/attributes/assignment_spec.rb
 - spec/lib/shamu/attributes/equality_spec.rb
 - spec/lib/shamu/attributes/fluid_assignment_spec.rb
+- spec/lib/shamu/attributes/html_sanitation_spec.rb
 - spec/lib/shamu/attributes/validation_spec.rb
 - spec/lib/shamu/attributes_spec.rb
 - spec/lib/shamu/auditing/logging_auditing_service_spec.rb
@@ -358,6 +376,7 @@ files:
 - spec/lib/shamu/entities/active_record_spec.rb
 - spec/lib/shamu/entities/entity_path_spec.rb
 - spec/lib/shamu/entities/entity_spec.rb
+- spec/lib/shamu/entities/html_sanitation_spec.rb
 - spec/lib/shamu/entities/identity_cache_spec.rb
 - spec/lib/shamu/entities/list_scope/dates_spec.rb
 - spec/lib/shamu/entities/list_scope/paging_spec.rb
@@ -463,6 +482,7 @@ test_files:
 - spec/lib/shamu/attributes/assignment_spec.rb
 - spec/lib/shamu/attributes/equality_spec.rb
 - spec/lib/shamu/attributes/fluid_assignment_spec.rb
+- spec/lib/shamu/attributes/html_sanitation_spec.rb
 - spec/lib/shamu/attributes/validation_spec.rb
 - spec/lib/shamu/attributes_spec.rb
 - spec/lib/shamu/auditing/logging_auditing_service_spec.rb
@@ -471,6 +491,7 @@ test_files:
 - spec/lib/shamu/entities/active_record_spec.rb
 - spec/lib/shamu/entities/entity_path_spec.rb
 - spec/lib/shamu/entities/entity_spec.rb
+- spec/lib/shamu/entities/html_sanitation_spec.rb
 - spec/lib/shamu/entities/identity_cache_spec.rb
 - spec/lib/shamu/entities/list_scope/dates_spec.rb
 - spec/lib/shamu/entities/list_scope/paging_spec.rb