signed_form 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ddf93bef4e43341d61d7f414960eec2b5823eca9
-  data.tar.gz: a6e68f939dc46cb096fd6db9425ceca4559b682c
+  metadata.gz: 13a5bc0a03b358342f6a21ab3f109424efdc19aa
+  data.tar.gz: 7e3edc29f8b6ebb848f1d928802bc0f6b5cae985
 SHA512:
-  metadata.gz: 5665ef2bc0cf38caa6b908f3424c0b4f0a9fe5db124900556e457a7ca9891abec70be1fe75ed74311159ed3b89c85756fd45d0b9f639f16a913a54b815833a49
-  data.tar.gz: ecafd68f4aa85fbc3edb3321e4306c8603677ed30b6862c9b46e7dd4a72a5a193888e444d02dd4de2f10c8b27a303f199f550ba8c9ddf333c54685be163dc513
+  metadata.gz: c86f3310a481303031dbb197d4d383ea4e18f62b14eaa3a630bc2280147e55c61aadd624d8251de6549cfd1d5c7f58253f9c584cfd9e2cb2b128a3887361dedb
+  data.tar.gz: 40a338b8e5fece5f63a84feff4107f18c9007d2e5105803d584d0aee4c421ea4ccc2e54de6234b3030ac9c4df77f14bbc8bd13186f85eceb7b7079af48c1dc61

data/.travis.yml

@@ -7,8 +7,6 @@ rvm:
   - 2.0.0
 
 env:
-  - RAILS_VERSION=3-0-stable
   - RAILS_VERSION=3-1-stable
   - RAILS_VERSION=3-2-stable
   - RAILS_VERSION=master
-

data/.yardopts

@@ -0,0 +1,3 @@
+--exclude features
+--no-private
+--markup markdown

data/Gemfile

@@ -10,11 +10,11 @@ when /master/
   gem "rails", github: "rails/rails"
 when /3-2-stable/
   gem "rails", github: "rails/rails", branch: "3-2-stable"
+  gem "strong_parameters"
 when /3-1-stable/
   gem "rails", github: "rails/rails", branch: "3-1-stable"
-when /3-0-stable/
-  gem "rails", github: "rails/rails", branch: "3-0-stable"
+  gem "strong_parameters"
 else
   gem "rails", ENV['RAILS_VERSION']
+  gem "strong_parameters"
 end
-

data/README.md

@@ -30,7 +30,7 @@ What this looks like:
 ```
 
 ``` ruby
-UserController < ApplicationController
+UsersController < ApplicationController
   def create
     @user = User.find params[:id]
     @user.update_attributes params[:user]
@@ -44,24 +44,19 @@ That's it. You're done. Need to add a field? Pop it in the form. You don't need
 Of course, you're free to continue using the standard `form_for`. `SignedForm` is strictly opt-in. It won't change the
 way you use standard forms.
 
-## Alpha Quality Software
-
-This software should not be considered production ready. At this time it is only suitable for experimentation.
-
-Now that I've made that disclaimer, you should know that SignedForm is functional.
-
 ## Requirements
 
 SignedForm requires:
 
 * Ruby 1.9 or later
-* Ruby on Rails 4 or 3 ([strong_parameters](https://github.com/rails/strong_parameters) gem required for Rails 3)
+* Ruby on Rails 4 or Rails 3 (3.0 not supported) ([strong_parameters](https://github.com/rails/strong_parameters) gem
+  required for Rails 3)
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
-    gem 'signed_form', '~> 0.0.1'
+    gem 'signed_form'
 
 And then execute:
 
@@ -72,8 +67,8 @@ gem. Please set it up as instructed on the linked GitHub repo.
 
 If you're using Rails 4, it works out of the box.
 
-You'll need to include `SignedForm::ActionController::PermitSignedParams` in the controller(s) you want to use SignedForm with. This can
-be done application wide by adding the `include` to your ApplicationController.
+You'll need to include `SignedForm::ActionController::PermitSignedParams` in the controller(s) you want to use
+SignedForm with. This can be done application wide by adding the `include` to your ApplicationController.
 
 ``` ruby
 ApplicationController < ActionController::Base
@@ -108,6 +103,26 @@ a new secret in the event you remove access to an attribute in a form.
 My above initializer example errs on the side of caution, generating a new secret key every time the app starts up. Only
 you can decide what is right for you with respect to the secret key.
 
+### Multiple Access Points
+
+Take for example the case where you have an administrative backend. You might have `/admin/users/edit`. Users can also
+change some information about themselves though, so there's `/users/edit` as well. Now you have an admin that gets
+demoted, but still has a user account. If that admin were to retain a form signature from `/admin/users/edit` they could
+use that signature to modify the same fields from `/users/edit`. As a means of preventing such access SignedForm provides
+the `sign_destination` option to `signed_form_for`. Example:
+
+``` erb
+<%= signed_form_for(@user, sign_destination: true) do |f| %>
+  <%= f.text_field :name %>
+  <!-- ... -->
+<% end %>
+```
+
+With `sign_destination` enabled, a form generated with a destination of `/admin/users/5` for example will only be
+accepted at that end point. The form would not be accepted at `/users/5`. So in the event you would like to use
+SignedForm on forms for the same resource, but different access levels, you have protection against the form being used
+elsewhere.
+
 ### Caching
 
 Another consideration to be aware of is caching. If you cache a form, and then change the secret key that form will

data/Rakefile

@@ -1,13 +1,6 @@
 require "bundler/gem_tasks"
-require "rdoc/task"
 
 desc 'Generate documentation.'
-RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'SignedForm'
-
-  rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('README.md')
-  rdoc.rdoc_files.include('lib/**/*.rb')
+task :rdoc do
+  system 'yardoc'
 end
-

data/lib/signed_form.rb

@@ -7,4 +7,3 @@ require "signed_form/form_builder"
 require "signed_form/hmac"
 require "signed_form/action_view/form_helper"
 require "signed_form/action_controller/permit_signed_params"
-

data/lib/signed_form/action_controller/permit_signed_params.rb

@@ -1,10 +1,17 @@
 module SignedForm
   module ActionController
+
+    # This module is required for parameter verification on the controller.
+    # Include it in controllers that will be receiving signed forms.
     module PermitSignedParams
       def self.included(base)
         base.prepend_before_filter :permit_signed_form_data
+
+        gem 'strong_parameters' unless defined?(::ActionController::Parameters)
       end
 
+      protected
+
       def permit_signed_form_data
         return if request.method == 'GET' || params['form_signature'].blank?
 
@@ -13,7 +20,11 @@ module SignedForm
         signature ||= ''
 
         raise Errors::InvalidSignature, "Form signature is not valid" unless SignedForm::HMAC.verify_hmac signature, data
+
         allowed_attributes = Marshal.load Base64.strict_decode64(data)
+        options            = allowed_attributes.delete(:__options__)
+
+        raise Errors::InvalidURL if options && (!options[:method].to_s.casecmp(request.method) || options[:url] != request.fullpath)
 
         allowed_attributes.each do |k, v|
           params[k] = params.require(k).permit(*v)
@@ -22,4 +33,3 @@ module SignedForm
     end
   end
 end
-

data/lib/signed_form/action_view/form_helper.rb

@@ -1,6 +1,10 @@
 module SignedForm
   module ActionView
     module FormHelper
+
+      # This is a wrapper around ActionView's form_for helper.
+      #
+      # @option options :sign_destination [Boolean] Only the URL given/created will be allowed to receive the form.
       def signed_form_for(record, options = {}, &block)
         options[:builder] ||= SignedForm::FormBuilder
 
@@ -14,4 +18,3 @@ module SignedForm
 end
 
 ActionView::Base.send :include, SignedForm::ActionView::FormHelper
-

data/lib/signed_form/errors.rb

@@ -2,5 +2,6 @@ module SignedForm
   module Errors
     class NoSecretKey < StandardError; end
     class InvalidSignature < StandardError; end
+    class InvalidURL < StandardError; end
   end
 end

data/lib/signed_form/form_builder.rb

@@ -11,7 +11,7 @@ module SignedForm
         end
       end
 
-      def initialize(*) #:nodoc:#
+      def initialize(*)
         super
         if options[:signed_attributes_object]
           self.signed_attributes_object = options[:signed_attributes_object]
@@ -23,12 +23,16 @@ module SignedForm
 
       def form_signature_tag
         signed_attributes.each { |k,v| v.uniq! if v.is_a?(Array) }
+        signed_attributes[:__options__] = { method: options[:html][:method], url: options[:url] } if options[:sign_destination]
         encoded_data = Base64.strict_encode64 Marshal.dump(signed_attributes)
-        signature = SignedForm::HMAC::create_hmac(encoded_data)
+        signature = SignedForm::HMAC.create_hmac(encoded_data)
         token = "#{encoded_data}--#{signature}"
         %(<input type="hidden" name="form_signature" value="#{token}" />\n).html_safe
       end
 
+      # Wrapper for Rails fields_for
+      #
+      # @see http://api.rubyonrails.org/classes/ActionView/Helpers/FormBuilder.html#method-i-fields_for
       def fields_for(record_name, record_object = nil, fields_options = {}, &block)
         hash  = {}
         array = []
@@ -46,6 +50,13 @@ module SignedForm
         content
       end
 
+      # This method is used to add additional fields to sign. A usecase for this may be if you want to add fields later with javascript.
+      #
+      # @example
+      #   <%= signed_form_for(@user) do |f| %>
+      #     <% f.add_signed_fields :name, :address
+      #   <% end %>
+      #
       def add_signed_fields(*fields)
         signed_attributes_object.push(*fields)
       end
@@ -58,4 +69,3 @@ module SignedForm
     include Methods
   end
 end
-

data/lib/signed_form/hmac.rb

@@ -22,6 +22,8 @@ module SignedForm
       secure_compare OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret_key, data), signature
     end
 
+    private
+
     # After the Rack implementation
     def secure_compare(a, b)
       return false unless a.bytesize == b.bytesize

data/lib/signed_form/version.rb

@@ -1,9 +1,8 @@
 module SignedForm
   MAJOR = 0
-  MINOR = 0
-  PATCH = 1
+  MINOR = 1
+  PATCH = 0
   PRE   = nil
 
   VERSION = [MAJOR, MINOR, PATCH, PRE].compact.join '.'
 end
-

data/signed_form.gemspec

@@ -21,9 +21,9 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec", "~> 2.13"
-  spec.add_development_dependency "activemodel", ">= 3.0"
+  spec.add_development_dependency "activemodel", ">= 3.1"
 
-  spec.add_dependency "actionpack", ">= 3.0"
+  spec.add_dependency "actionpack", ">= 3.1"
 
   spec.required_ruby_version = '>= 1.9'
 end

data/spec/form_builder_spec.rb

@@ -36,12 +36,25 @@ describe SignedForm::FormBuilder do
       end
 
       regex = '<form.*>.*<input type="hidden" name="form_signature" ' \
-              'value="BAh7BkkiCXVzZXIGOgZFRlsGOgluYW1l--e8f61481cb89382653c1f9de617e9a47e22c7da5".*/>.*' \
+              'value="\w+={0,2}--\w+".*/>.*' \
               '<input.*name="user\[name\]".*/>.*' \
               '</form>'
 
       content.should =~ Regexp.new(regex, Regexp::MULTILINE)
     end
+
+    it "should set a target" do
+      content = signed_form_for(User.new, sign_destination: true) do |f|
+        f.text_field :name
+      end
+
+      data = get_data_from_form(content)
+      data.size.should == 2
+      data.should include(:__options__)
+      data[:__options__].should include(:method, :url)
+      data[:__options__][:method].should == :post
+      data[:__options__][:url].should == '/users'
+    end
   end
 
   describe "form inputs" do
@@ -52,6 +65,7 @@ describe SignedForm::FormBuilder do
         end
 
         data = get_data_from_form(content)
+        data.size.should == 1
         data['user'].size.should == 1
         data['user'].should include(:name)
       end
@@ -135,4 +149,3 @@ describe SignedForm::FormBuilder do
     end
   end
 end
-

data/spec/hmac_spec.rb

@@ -32,4 +32,3 @@ describe SignedForm::HMAC do
     end
   end
 end
-

data/spec/permit_signed_params_spec.rb

@@ -2,6 +2,8 @@ require 'spec_helper'
 
 class Controller < ActionController::Base
   include SignedForm::ActionController::PermitSignedParams
+
+  public :permit_signed_form_data
 end
 
 describe SignedForm::ActionController::PermitSignedParams do
@@ -10,7 +12,7 @@ describe SignedForm::ActionController::PermitSignedParams do
   before do
     SignedForm::HMAC.secret_key = "abc123"
 
-    Controller.any_instance.stub(request: double('request', method: 'POST'))
+    Controller.any_instance.stub(request: double('request', method: 'POST', fullpath: '/users'))
     Controller.any_instance.stub(params: { "user" => { name: "Erich Menge", occupation: 'developer' } })
   end
 
@@ -33,4 +35,32 @@ describe SignedForm::ActionController::PermitSignedParams do
     params.should_receive(:permit).with(:name).and_return(params)
     controller.permit_signed_form_data
   end
+
+  it "should verify current url matches targeted url" do
+    params = controller.params
+
+    data      = Base64.strict_encode64(Marshal.dump("user" => [:name], :__options__ => { method: 'post', url: '/users'  }))
+    signature = SignedForm::HMAC.create_hmac(data)
+
+    params['form_signature'] = "#{data}--#{signature}"
+
+    params.stub(:require).with('user').and_return(params)
+    params.stub(:permit).with(:name).and_return(params)
+    controller.request.should_receive(:fullpath).and_return '/users'
+    controller.permit_signed_form_data
+  end
+
+  it "should reject if url doesn't match" do
+    params = controller.params
+
+    data      = Base64.strict_encode64(Marshal.dump("user" => [:name], :__options__ => { method: 'post', url: '/admin'  }))
+    signature = SignedForm::HMAC.create_hmac(data)
+
+    params['form_signature'] = "#{data}--#{signature}"
+
+    params.stub(:require).with('user').and_return(params)
+    params.stub(:permit).with(:name).and_return(params)
+
+    expect { controller.permit_signed_form_data }.to raise_error(SignedForm::Errors::InvalidURL)
+  end
 end

data/spec/spec_helper.rb

@@ -30,11 +30,11 @@ module SignedFormViewHelper
   end
 
   def user_path(*)
-    '/'
+    '/users'
   end
 
   def polymorphic_path(*)
-    '/'
+    '/users'
   end
 
   def _routes(*)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: signed_form
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Erich Menge
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-27 00:00:00.000000000 Z
+date: 2013-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.1'
 description: Rails signed form security
 email:
 - erichmenge@gmail.com
@@ -90,6 +90,7 @@ files:
 - .gitignore
 - .rspec
 - .travis.yml
+- .yardopts
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -135,3 +136,4 @@ test_files:
 - spec/hmac_spec.rb
 - spec/permit_signed_params_spec.rb
 - spec/spec_helper.rb
+has_rdoc: