signed_form 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d48194df6c241a277cc79382344715c75aac7d9c
-  data.tar.gz: 279e08bc94e45b2ce9f5e25364104bd5433ecb34
+  metadata.gz: 3ebbb64117232076f2250063ef9e6f06805df345
+  data.tar.gz: cb322f4dbce4c9ec4621779215c6aa7a2bbf003a
 SHA512:
-  metadata.gz: 75e21c1f42bfa9b1e8df77e4afbabb6d8ffc8a5295ddbc53d90347bfae0ed391e73f0a97b529e7b0e835957b737acf4f2deb9f692063c277408c66602a09d11a
-  data.tar.gz: 448f4016cf450248230406b3f89947f953398b81dcf56cdf06c9433eda9f9ad806e091aa93d7895ac6e62982dce271055b35101a0349b3952c62292bf1cd5498
+  metadata.gz: 90a7f07fcd52abf71694bf4af3a4e10b64c30cb44a0f346f092b639c909ed4c6564419b0aef11bc4f92de52cb11be1c70b6faa62779c0ef1d970ca5e0820239f
+  data.tar.gz: 0b64c9465db9bd2ebb543be19b060cf684862da2928190f53e74de3956010692512db40fddf0b35c8983a73c0dd35803db447bd5a28f7f62da801d42ed890a30

data/.travis.yml

@@ -1,6 +1,5 @@
 script: bundle exec rspec
 language: ruby
-before_install: gem install bundler
 
 rvm:
   - 1.9.3
@@ -9,4 +8,9 @@ rvm:
 env:
   - RAILS_VERSION=3-1-stable
   - RAILS_VERSION=3-2-stable
+  - RAILS_VERSION=4-0-stable
   - RAILS_VERSION=master
+
+matrix:
+  allow_failures:
+    - env: RAILS_VERSION=master

data/.yardopts

@@ -1,3 +1,2 @@
---exclude features
 --no-private
 --markup markdown

data/Changes.md

@@ -0,0 +1,30 @@
+## 0.2.0
+
+* Instead of using `signed_form_for` add an option for form signing to `form_for` so that signing third party builders
+  like SimpleForm doesn't require an adapter.
+* Move configuration options to main module name-space.
+* Add default options hash to be passed to `form_for`.
+* Add a digestor to verify that out dated forms aren't being submitted.
+* Add a test helper to make testing controllers easy.
+* Only permit parameters but don't require them. Requiring them raises an exception if they're missing from the form
+  submission. But in cases where other parameters are sent as well and the form object may be optional this would raise
+  an exception that would be undesired.
+* Allow all forms to be signed by default.
+
+## 0.1.2
+
+* Fix issues where request method was not being compared properly and request
+  url would not handle some potential cases leading to an erroneous rejection of
+  the form. [Marc Schütz, #6]
+
+## 0.1.1
+
+* Add some select and date/time field helpers that were not getting added to the signature [#5].
+
+## 0.1.0
+
+* Add `sign_destination` option to `signed_form_for`.
+
+## 0.0.1
+
+* Initial Release

data/Gemfile

@@ -8,6 +8,8 @@ rails_version = ENV['RAILS_VERSION'] || 'master'
 case rails_version
 when /master/
   gem "rails", github: "rails/rails"
+when /4-0-stable/
+  gem "rails", github: "rails/rails", branch: "4-0-stable"
 when /3-2-stable/
   gem "rails", github: "rails/rails", branch: "3-2-stable"
   gem "strong_parameters"

data/README.md

@@ -3,9 +3,19 @@
 [![Gem Version](https://badge.fury.io/rb/signed_form.png)](http://badge.fury.io/rb/signed_form)
 [![Build Status](https://travis-ci.org/erichmenge/signed_form.png?branch=master)](https://travis-ci.org/erichmenge/signed_form)
 [![Code Climate](https://codeclimate.com/github/erichmenge/signed_form.png)](https://codeclimate.com/github/erichmenge/signed_form)
+[![Coverage Status](https://coveralls.io/repos/erichmenge/signed_form/badge.png?branch=master)](https://coveralls.io/r/erichmenge/signed_form)
 
 SignedForm brings new convenience and security to your Rails 4 or Rails 3 application.
 
+SignedForm is under active development. Please make sure you're reading the README associated with the version of
+SignedForm you're using. Click the tag link on GitHub to switch to the version you've installed to get the correct
+README.
+
+Or be brave and bundle the gem straight from GitHub master.
+
+A nicely displayed version of this README complete with table of contents is available
+[here](http://erichmenge.com/signed_form/).
+
 ## How It Works
 
 Traditionally, when you create a form with Rails you enter your fields using something like `f.text_field :name` and so
@@ -19,8 +29,8 @@ no more `attr_accessible`. It just works.
 
 What this looks like:
 
-``` erb
-<%= signed_form_for(@user) do |f| %>
+```erb
+<%= form_for @user, signed: true do |f| %>
   <% f.add_signed_fields :zipcode, :state # Optionally add additional fields to sign %>
 
   <%= f.text_field :name %>
@@ -29,9 +39,9 @@ What this looks like:
 <% end %>
 ```
 
-``` ruby
+```ruby
 UsersController < ApplicationController
-  def create
+  def update
     @user = User.find params[:id]
     @user.update_attributes params[:user]
   end
@@ -39,11 +49,21 @@ end
 ```
 
 That's it. You're done. Need to add a field? Pop it in the form. You don't need to then update a list of attributes.
-`signed_form_for` works just like the standard `form_for`.
 
 Of course, you're free to continue using the standard `form_for`. `SignedForm` is strictly opt-in. It won't change the
 way you use standard forms.
 
+## More than just Convenience - Security
+
+SignedForm protects you in 3 ways:
+
+* Form fields are signed, so no alteration of the fields are allowed.
+* Form actions are signed. That means a form with an action of `/admin/users/3` will not work when submitted to `/users/3`.
+* Form views are digested (see below). So if you remove a field from your form, old forms will not be accepted despite
+  a valid signature.
+
+The second two methods of security are optional and can be turned off globally or on a form by form basis.
+
 ## Requirements
 
 SignedForm requires:
@@ -56,7 +76,9 @@ SignedForm requires:
 
 Add this line to your application's Gemfile:
 
-    gem 'signed_form'
+```ruby
+gem 'signed_form'
+```
 
 And then execute:
 
@@ -70,7 +92,7 @@ If you're using Rails 4, it works out of the box.
 You'll need to include `SignedForm::ActionController::PermitSignedParams` in the controller(s) you want to use
 SignedForm with. This can be done application wide by adding the `include` to your ApplicationController.
 
-``` ruby
+```ruby
 ApplicationController < ActionController::Base
   include SignedForm::ActionController::PermitSignedParams
 
@@ -80,54 +102,145 @@ end
 
 You'll also need to create an initializer:
 
-    $ echo 'SignedForm::HMAC.secret_key = SecureRandom.hex(64)' > config/initializers/signed_form.rb
+```shell
+$ echo "SignedForm.secret_key = '$(rake secret)'" > config/initializers/signed_form.rb
+```
 
-**IMPORTANT** Please read below for information regarding this secret key.
+You'll probably want to keep this out of version control. Treat this key like you would your session secret, keep it
+private.
 
 ## Support for other Builders
 
-* [SimpleForm Adapter](https://github.com/erichmenge/signed_form-simple_form)
+Any form that wraps `form_for` and the default field helpers will work with SignedForm. For example, a signed SimpleForm
+might look like this:
 
-## Special Considerations
+```erb
+<%= simple_form_for @user, signed: true do |f| %>
+  f.input :name
+<% end %>
+```
 
-If you're running only a single application server the above initializer should work great for you, with a couple of
-caveats. If a user is in process of filling out a form and you restart your server, their form will be invalidated.
-You could pick a secret key using `rake secret` and put that in the initializer instead, but then in the event you
-remove a field someone could still access it using the old signature if some malicious person were to keep it around.
+This will create a signed form as expected.
 
-If you're running multiple application servers, the above initializer will not work. You'll need to keep the key in sync
-between all the servers. The security caveat with that is that if you ever remove a field from a form without updating
-that secret key, a malicious user could still access the field with the old signature. So you'll probably want to choose
-a new secret in the event you remove access to an attribute in a form.
+For builders that don't use the standard field helpers under the hood, you can create an adapter like this:
 
-My above initializer example errs on the side of caution, generating a new secret key every time the app starts up. Only
-you can decide what is right for you with respect to the secret key.
+```ruby
+class MyAdapter < SomeOtherBuilder
+  include SignedForm::FormBuilder
 
-### Multiple Access Points
+  def some_helper(field, *other_args)
+    add_signed_fields field
+    super
+  end
+end
+```
 
-Take for example the case where you have an administrative backend. You might have `/admin/users/edit`. Users can also
-change some information about themselves though, so there's `/users/edit` as well. Now you have an admin that gets
-demoted, but still has a user account. If that admin were to retain a form signature from `/admin/users/edit` they could
-use that signature to modify the same fields from `/users/edit`. As a means of preventing such access SignedForm provides
-the `sign_destination` option to `signed_form_for`. Example:
+Then in your view:
 
-``` erb
-<%= signed_form_for(@user, sign_destination: true) do |f| %>
-  <%= f.text_field :name %>
-  <!-- ... -->
+```erb
+<%= form_for @user, signed: true, builder: MyAdapter do |f| %>
+  <%= f.some_helper :name %>
 <% end %>
 ```
 
-With `sign_destination` enabled, a form generated with a destination of `/admin/users/5` for example will only be
-accepted at that end point. The form would not be accepted at `/users/5`. So in the event you would like to use
-SignedForm on forms for the same resource, but different access levels, you have protection against the form being used
-elsewhere.
+## Form Digests
+
+SignedForm will create a digest of all the views/partials involved with rendering your form. If the form is modifed old
+forms will be expired. This is done to eliminate the possibility of old forms coming back to bite you.
+
+By default, there is a 5 minute grace period before old forms will be rejected. This is done so that if you make a
+trivial change to a form you won't prevent a form a user is currently filling out from being accepted when you
+restart your server.
+
+Of course if a critical mistake is made (such as allowing an admin field to be set in the form) you could change the
+secret key to prevent any old form from getting through.
+
+By default, these digests are not cached. That means that each form that is submitted will have the views be digested
+again. Most views and partials are relatively small so the cost of computing the MD5 hash of the files is not very
+expensive. However, if this is something you care about SignedForm also provides a memory store
+(`SignedForm::DigestStores::MemoryStore`) that will cache the digests in memory. Other stores could be used as well, as
+long as the object responds to `#fetch` taking the cache key as an argument as well as the block that will return the
+digest.
+
+## Example Configuration
+
+An example config/initializers/signed_form.rb might look something like this (these are the defaults, with the exception
+of the key of course):
+
+```ruby
+SignedForm.config do |c|
+  c.options[:sign_destination]    = true
+  c.options[:digest]              = true
+  c.options[:digest_grace_period] = 300
+  c.options[:signed]              = false # If true, sign all forms by default
+
+  c.digest_store = SignedForm::DigestStores::NullStore.new
+  c.secret_key   = 'supersecret'
+end
+```
+
+Those options that are in the options hash are the default per-form options. They can be overridden by passing the same
+option to the `form_for` method.
+
+## Testing Your Controllers
+
+Because your tests won't include a signature you will get a `ForbiddenAttributes` exception in your tests that do mass
+assignment. SignedForm includes a test helper method, `permit_all_parameters` that works with both TestUnit and RSpec.
+
+In your `spec_helper` file or `test_helper` file `require 'signed_form/test_helper'`. Then `include
+SignedForm::TestHelper` in tests where you need it. An example is below.
+
+**Caution**: `permit_all_parameters` without a block modifies the singleton class of the controller under test which
+lasts for the duration of the test. If you want `permit_all_parameters` to be limited to a specific part of the test,
+pass it a block and only that block will be affected. Example:
+
+```ruby
+describe CarsController do
+  include SignedForm::TestHelper
+
+  describe "POST create" do
+    it "should create a car" do
+      permit_all_parameters do
+        # This won't raise ForbiddenAttributesError
+        post :create, {:car => valid_attributes}, valid_session
+      end
+
+      # This one will raise
+      post :create, {:car => valid_attributes}, valid_session
+
+      # ...
+    end
+  end
+end
+```
+
+Example without a block:
+
+```ruby
+describe CarsController do
+  include SignedForm::TestHelper
+
+  describe "POST create" do
+    before { permit_all_parameters }
+
+    describe "with valid params" do
+      it "assigns a newly created car as @car" do
+        post :create, {:car => valid_attributes}, valid_session
+
+        assigns(:car).should be_a(Car)
+        assigns(:car).should be_persisted
+      end
+
+      # ...
+    end
+  end
+end
+```
 
-### Caching
+## I want to hear from you
 
-Another consideration to be aware of is caching. If you cache a form, and then change the secret key that form will
-perpetually submit parameters that fail verification. So if you want to cache the form you should tie the cache key to
-something that will be changed whenever the secret key changes.
+If you're using SignedForm, I'd love to hear from you. What do you like? What could be better? I'd love to hear your
+ideas. Join the mailing list on librelist to join the discussion at [signedform@librelist.com](mailto:signedform@librelist.com).
 
 ## Contributing
 

data/app/views/signed_form/expired_form.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Form is Expired</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <div class="dialog">
+    <h1>Form Expired</h1>
+    <p>The form you submitted has expired. Please go back and refresh the form to try again.</p>
+  </div>
+</body>
+</html>

data/lib/signed_form.rb

@@ -5,5 +5,36 @@ require "signed_form/version"
 require "signed_form/errors"
 require "signed_form/form_builder"
 require "signed_form/hmac"
+require "signed_form/digest_stores"
+require "signed_form/digestor"
 require "signed_form/action_view/form_helper"
+require "signed_form/gate_keeper"
 require "signed_form/action_controller/permit_signed_params"
+require "signed_form/engine" if defined?(Rails)
+
+module SignedForm
+  DEFAULT_OPTIONS = {
+    sign_destination:    true,
+    digest:              true,
+    digest_grace_period: 300,
+    signed:              false
+  }.freeze
+
+  class << self
+    attr_accessor :secret_key
+
+    attr_writer :options
+    def options
+      @options ||= DEFAULT_OPTIONS.dup
+    end
+
+    attr_writer :digest_store
+    def digest_store
+      @digest_store ||= SignedForm::DigestStores::NullStore.new
+    end
+
+    def config
+      yield self
+    end
+  end
+end

data/lib/signed_form/action_controller/permit_signed_params.rb

@@ -15,24 +15,17 @@ module SignedForm
       def permit_signed_form_data
         return if request.method == 'GET' || params['form_signature'].blank?
 
-        data, signature = params['form_signature'].split('--', 2)
+        gate_keeper = GateKeeper.new(self)
 
-        signature ||= ''
-
-        raise Errors::InvalidSignature, "Form signature is not valid" unless SignedForm::HMAC.verify_hmac signature, data
-
-        allowed_attributes = Marshal.load Base64.strict_decode64(data)
-        options            = allowed_attributes.delete(:__options__)
-
-        if options
-          raise Errors::InvalidURL if options[:method].to_s.casecmp(request.request_method) != 0
-
-          url = url_for(options[:url])
-          raise Errors::InvalidURL if url != request.fullpath && url != request.url
+        gate_keeper.allowed_attributes.each do |k, v|
+          next if params[k].nil? || v.empty?
+          params[k] = params[k].permit(*v)
         end
-
-        allowed_attributes.each do |k, v|
-          params[k] = params.require(k).permit(*v)
+      rescue Errors::ExpiredForm
+        if defined?(Rails)
+          render 'signed_form/expired_form', status: 500, layout: nil
+        else
+          raise
         end
       end
     end

data/lib/signed_form/action_view/form_helper.rb

@@ -2,13 +2,27 @@ module SignedForm
   module ActionView
     module FormHelper
 
-      # This is a wrapper around ActionView's form_for helper.
-      #
       # @option options :sign_destination [Boolean] Only the URL given/created will be allowed to receive the form.
-      def signed_form_for(record, options = {}, &block)
-        options[:builder] ||= SignedForm::FormBuilder
+      # @option options :digest [Boolean] Digest and verify the views have not been modified
+      # @option options :digest_grace_period [Integer] Time in seconds to allow old forms
+      # @option options :wrap_form [Symbol] Method of a form builder to wrap. Default is form_for
+      def form_for(record, options = {}, &block)
+        if options[:signed].nil? && !SignedForm.options[:signed] || !options[:signed].nil? && !options[:signed]
+          return super
+        end
+
+        options = SignedForm.options.merge options
+        options[:builder] ||= ::ActionView::Helpers::FormBuilder
+
+        ancestors = options[:builder].ancestors
+
+        if !ancestors.include?(::ActionView::Helpers::FormBuilder) && !ancestors.include?(SignedForm::FormBuilder)
+          raise "Form signing not supported on builders that don't subclass ActionView::Helpers::FormBuilder or include SignedForm::FormBuilder"
+        elsif !ancestors.include?(SignedForm::FormBuilder)
+          options[:builder] = SignedForm::FormBuilder::BUILDERS[options[:builder]]
+        end
 
-        form_for(record, options) do |f|
+        super record, options do |f|
           output = capture(f, &block)
           f.form_signature_tag + output
         end