strelka-cors 0.0.1

data/spec/strelka/httprequest/cors_spec.rb

@@ -0,0 +1,91 @@
+#!/usr/bin/env rspec -cfd
+
+require_relative '../../helpers'
+
+require 'strelka'
+require 'mongrel2/testing'
+require 'strelka/testing'
+
+require 'strelka/httprequest/cors'
+
+
+describe Strelka::HTTPRequest::CORS do
+
+	before( :all ) do
+		@request_factory = Mongrel2::RequestFactory.new(
+			host: 'telomere.com',
+			port: '80',
+			route: '/api/v1'
+		)
+	end
+
+
+	let( :get_request ) do
+		req = @request_factory.get( '/api/v1/test' )
+		req.extend( described_class )
+		req
+	end
+
+
+	describe "header accessors" do
+
+		it "adds a convenience method for accessing the Origin header" do
+			expect {
+				get_request.header[ :origin ] = 'http://acme.com/api/v1/test'
+			}.to change { get_request.origin }.to( URI('http://acme.com/api/v1/test') )
+		end
+
+	end
+
+
+	describe "predicates" do
+
+		let( :options_request ) do
+			req = @request_factory.options( '/api/v1/test' )
+			req.extend( described_class )
+		end
+
+
+		it "knows when it's a cross-origin request" do
+			get_request.headers.merge!( origin: 'http://acme.com/' )
+			expect( get_request ).to be_cross_origin
+		end
+
+
+		it "knows it's not a cross-origin request when its Origin matches its Host" do
+			get_request.headers.merge!( host: 'acme.com', origin: 'http://acme.com/' )
+			expect( get_request ).to_not be_cross_origin
+		end
+
+
+		it "knows when it's a preflight request" do
+			options_request.header.host = 'telomere.com'
+			options_request.header.origin = 'http://acme.com/'
+			options_request.header.access_control_request_method = 'POST'
+
+			expect( options_request ).to be_preflight
+		end
+
+
+		it "knows it's not a preflight request when it doesn't have an Access-Control-Request-Method header" do
+			options_request.header.host = 'telomere.com'
+			options_request.header.origin = 'http://acme.com/'
+			options_request.header.access_control_request_method = nil
+
+			expect( options_request ).to_not be_preflight
+		end
+
+
+		it "knows it's not a preflight request when its verb isn't OPTIONS" do
+			get_request.header.host = 'telomere.com'
+			get_request.header.origin = 'http://acme.com/'
+			get_request.header.access_control_request_method = 'POST'
+
+			expect( get_request ).to_not be_preflight
+		end
+
+
+	end
+
+end
+

data/spec/strelka/httpresponse/cors_spec.rb

@@ -0,0 +1,234 @@
+#!/usr/bin/env rspec -cfd
+
+require_relative '../../helpers'
+
+require 'strelka'
+require 'mongrel2/testing'
+require 'strelka/testing'
+
+require 'strelka/httprequest/cors'
+require 'strelka/httpresponse/cors'
+
+
+describe Strelka::HTTPResponse::CORS do
+
+	before( :all ) do
+		@request_factory = Mongrel2::RequestFactory.new(
+			host: 'telomere.com',
+			port: '80',
+			route: '/api/v1',
+			headers: {
+				origin: 'https://telomere.com'
+			}
+		)
+	end
+
+
+	let( :regular_request ) do
+		req = @request_factory.get( '/api/v1/test' )
+		req.extend( Strelka::HTTPRequest::CORS )
+		req.response.extend( described_class )
+		req
+	end
+
+	let( :regular_response ) do
+		regular_request.response
+	end
+
+
+	let( :preflight_request ) do
+		req = @request_factory.options( '/api/v1/test', access_control_request_method: 'POST' )
+		req.extend( Strelka::HTTPRequest::CORS )
+		req.response.extend( described_class )
+		req
+	end
+
+	let( :preflight_response ) do
+		preflight_request.response
+	end
+
+
+	describe "header accessors" do
+
+		it "adds a convenience method for setting allowed origin" do
+			regular_response.allow_origin( 'http://acme.com' )
+
+			expect {
+				regular_response.add_cors_headers
+			}.to change { regular_response.header.access_control_allow_origin }.to( 'http://acme.com' )
+		end
+
+
+		it "adds a convenience method for allowing any origin" do
+			regular_response.allow_any_origin
+
+			expect {
+				regular_response.add_cors_headers
+			}.to change { regular_response.header.access_control_allow_origin }.to( '*' )
+		end
+
+
+		it "sets the `Vary` response header to `Origin` if it specifies an explicit Origin" do
+			regular_response.allow_origin( 'http://acme.com' )
+
+			expect {
+				regular_response.add_cors_headers
+			}.to change { regular_response.header.vary }.to( match(/\borigin\b/i) )
+		end
+
+
+		it "doesn't set the `Vary` response header to `Origin` if it allows any origin" do
+			regular_response.allow_any_origin
+
+			expect {
+				regular_response.add_cors_headers
+			}.to_not change { regular_response.header.vary }
+		end
+
+
+		it "adds `Origin` to an existing Vary header if it specifies an explicit Origin" do
+			regular_response.allow_origin( 'http://acme.com' )
+			regular_response.header.vary = 'content-encoding, content-type'
+
+			regular_response.add_cors_headers
+
+			expect( regular_response.header.vary.downcase.split(/\s*,\s*/) ).
+				to include( 'origin', 'content-encoding', 'content-type' )
+		end
+
+
+		it "adds a convenience method for allowing a single header" do
+			preflight_response.allow_header :content_type
+			preflight_response.allow_header :x_thingfish_owner
+
+			expect {
+				preflight_response.add_cors_headers
+			}.to change { preflight_response.header.access_control_allow_headers }
+			expect( preflight_response.header.access_control_allow_headers.split ).to include(
+				'Content-Type',
+				'X-Thingfish-Owner'
+			)
+		end
+
+
+		it "adds a convenience method for allowing several headers" do
+			preflight_response.allow_headers :content_type, :vary
+			preflight_response.allow_headers 'x-ordered-by', 'x-offset', 'x-set-size'
+
+			expect {
+				preflight_response.add_cors_headers
+			}.to change { preflight_response.header.access_control_allow_headers }
+			expect( preflight_response.header.access_control_allow_headers.split ).to include(
+				'Content-Type',
+				'Vary',
+				'X-Ordered-By',
+				'X-Offset',
+				'X-Set-Size'
+			)
+		end
+
+
+		it "adds a convenience method for setting the set of allowed request headers" do
+			preflight_response.allowed_headers = ['content-type', 'x-sorted-by']
+
+			expect {
+				preflight_response.add_cors_headers
+			}.to change { preflight_response.header.access_control_allow_headers }
+			expect( preflight_response.header.access_control_allow_headers.split ).to include(
+				'Content-Type',
+				'X-Sorted-By'
+			)
+		end
+
+
+		it "doesn't set exposed headers on a response to a preflight request" do
+			preflight_response.expose_headers( :content_type, :content_disposition )
+			preflight_response.add_cors_headers
+
+			expect( preflight_response.headers.access_control_exposed_headers ).to be_nil
+		end
+
+
+		it "adds a convenience method for exposing a single header" do
+			regular_response.expose_header :content_type
+			regular_response.expose_header :x_thingfish_owner
+
+			expect {
+				regular_response.add_cors_headers
+			}.to change { regular_response.header.access_control_expose_headers }
+			expect( regular_response.header.access_control_expose_headers.split ).to include(
+				'Content-Type',
+				'X-Thingfish-Owner'
+			)
+		end
+
+
+		it "adds a convenience method for exposing several of the response headers" do
+			regular_response.expose_headers :content_type, :vary
+			regular_response.expose_headers 'x-ordered-by', 'x-offset', 'x-set-size'
+
+			expect {
+				regular_response.add_cors_headers
+			}.to change { regular_response.header.access_control_expose_headers }
+			expect( regular_response.header.access_control_expose_headers.split ).to include(
+				'Content-Type',
+				'Vary',
+				'X-Ordered-By',
+				'X-Offset',
+				'X-Set-Size'
+			)
+		end
+
+
+		it "adds a convenience method for setting the set of exposed response headers" do
+			regular_response.exposed_headers = ['content-type', 'x-sorted-by']
+
+			expect {
+				regular_response.add_cors_headers
+			}.to change { regular_response.header.access_control_expose_headers }
+			expect( regular_response.header.access_control_expose_headers.split ).to include(
+				'Content-Type',
+				'X-Sorted-By'
+			)
+		end
+
+
+		it "doesn't set allowed headers on a response to a regular request" do
+			regular_response.allow_headers( :content_type, :content_disposition )
+			regular_response.add_cors_headers
+
+			expect( regular_response.headers.access_control_allow_headers ).to be_nil
+		end
+
+
+		it "adds a convenience method for allowing particular HTTP methods" do
+			preflight_response.allow_methods( :GET, :POST, :PATCH )
+			preflight_response.add_cors_headers
+
+			expect(
+				preflight_response.header.access_control_allow_methods.split
+			).to include( 'GET', 'POST', 'PATCH' )
+		end
+
+
+		it "adds a convenience method for allowing cookies (credentials)" do
+			preflight_response.allow_credentials
+			preflight_response.add_cors_headers
+
+			expect( preflight_response.header.access_control_allow_credentials ).to eq( 'true' )
+		end
+
+
+		it "adds a convenience method for setting the maximum number of seconds a preflight " \
+		   "request can be cached" do
+			preflight_response.access_control_max_age = 300
+			preflight_response.add_cors_headers
+
+			expect( preflight_response.header.access_control_max_age ).to eq( '300' )
+		end
+
+	end
+
+
+end
+

metadata

@@ -0,0 +1,231 @@
+--- !ruby/object:Gem::Specification
+name: strelka-cors
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Michael Granger
+autorequire: 
+bindir: bin
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEbDCCAtSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MQwwCgYDVQQDDANnZWQx
+  GTAXBgoJkiaJk/IsZAEZFglGYWVyaWVNVUQxEzARBgoJkiaJk/IsZAEZFgNvcmcw
+  HhcNMTYwODIwMTgxNzQyWhcNMTcwODIwMTgxNzQyWjA+MQwwCgYDVQQDDANnZWQx
+  GTAXBgoJkiaJk/IsZAEZFglGYWVyaWVNVUQxEzARBgoJkiaJk/IsZAEZFgNvcmcw
+  ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC/JWGRHO+USzR97vXjkFgt
+  83qeNf2KHkcvrRTSnR64i6um/ziin0I0oX23H7VYrDJC9A/uoUa5nGRJS5Zw/+wW
+  ENcvWVZS4iUzi4dsYJGY6yEOsXh2CcF46+QevV8iE+UmbkU75V7Dy1JCaUOyizEt
+  TH5UHsOtUU7k9TYARt/TgYZKuaoAMZZd5qyVqhF1vV+7/Qzmp89NGflXf2xYP26a
+  4MAX2qqKX/FKXqmFO+AGsbwYTEds1mksBF3fGsFgsQWxftG8GfZQ9+Cyu2+l1eOw
+  cZ+lPcg834G9DrqW2zhqUoLr1MTly4pqxYGb7XoDhoR7dd1kFE2a067+DzWC/ADt
+  +QkcqWUm5oh1fN0eqr7NsZlVJDulFgdiiYPQiIN7UNsii4Wc9aZqBoGcYfBeQNPZ
+  soo/6za/bWajOKUmDhpqvaiRv9EDpVLzuj53uDoukMMwxCMfgb04+ckQ0t2G7wqc
+  /D+K9JW9DDs3Yjgv9k4h7YMhW5gftosd+NkNC/+Y2CkCAwEAAaN1MHMwCQYDVR0T
+  BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFHKN/nkRusdqCJEuq3lgB3fJvyTg
+  MBwGA1UdEQQVMBOBEWdlZEBGYWVyaWVNVUQub3JnMBwGA1UdEgQVMBOBEWdlZEBG
+  YWVyaWVNVUQub3JnMA0GCSqGSIb3DQEBCwUAA4IBgQAPJzKiT0zBU7kpqe0aS2qb
+  FI0PJ4y5I8buU4IZGUD5NEt/N7pZNfOyBxkrZkXhS44Fp+xwBH5ebLbq/WY78Bqd
+  db0z6ZgW4LMYMpWFfbXsRbd9TU2f52L8oMAhxOvF7Of5qJMVWuFQ8FPagk2iHrdH
+  inYLQagqAF6goWTXgAJCdPd6SNeeSNqA6vlY7CV1Jh5kfNJJ6xu/CVij1GzCLu/5
+  DMOr26DBv+qLJRRC/2h34uX71q5QgeOyxvMg+7V3u/Q06DXyQ2VgeeqiwDFFpEH0
+  PFkdPO6ZqbTRcLfNH7mFgCBJjsfSjJrn0sPBlYyOXgCoByfZnZyrIMH/UY+lgQqS
+  6Von1VDsfQm0eJh5zYZD64ZF86phSR7mUX3mXItwH04HrZwkWpvgd871DZVR3i1n
+  w8aNA5re5+Rt/Vvjxj5AcEnZnZiz5x959NaddQocX32Z1unHw44pzRNUur1GInfW
+  p4vpx2kUSFSAGjtCbDGTNV2AH8w9OU4xEmNz8c5lyoA=
+  -----END CERTIFICATE-----
+date: 2016-11-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: strelka
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: hoe-mercurial
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: hoe-deveiate
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: hoe-highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.15'
+description: "This is a Strelka application plugin for describing rules for [Cross-Origin
+  Resource Sharing (CORS)](http://www.w3.org/TR/cors/).\n\nNOTE: It's still a work
+  in progress.\n\nBy default, the plugin has paranoid defaults, and doesn't do anything.
+  You'll need to grant access to the resources you want to share.\n\nTo grant access,
+  you declare one or more `access_control` blocks which can modify responses to matching
+  access-control requests. All the blocks which match the incoming request's URI are
+  called with the request and response objects in the order in which they're declared:
+  \n\n\t# Allow access to all resources from any origin by default\n\taccess_control
+  do |req, res|\n\t\tres.allow_origin '*'\n\t\tres.allow_methods 'GET', 'POST'\n\t\tres.allow_credentials\n\t\tres.allow_headers
+  :content_type\n\tend\n\n\nThese are applied in the order you declare them, with
+  each matching block passed the request if it matches. This happens before the application
+  gets the request, so it can do any further modification it needs to, and so it can
+  block requests from disallowed origins/methods/etc.\n\nThere are a number of helper
+  methods added to the request and response objects for applying and declaring access-control
+  rules when this plugin is loaded:"
+email:
+- ged@FaerieMUD.org
+executables: []
+extensions: []
+extra_rdoc_files:
+- History.md
+- Manifest.txt
+- README.md
+files:
+- ChangeLog
+- History.md
+- Manifest.txt
+- README.md
+- Rakefile
+- lib/strelka/app/cors.rb
+- lib/strelka/cors.rb
+- lib/strelka/httprequest/cors.rb
+- lib/strelka/httpresponse/cors.rb
+- spec/helpers.rb
+- spec/strelka/app/cors_spec.rb
+- spec/strelka/cors_spec.rb
+- spec/strelka/httprequest/cors_spec.rb
+- spec/strelka/httpresponse/cors_spec.rb
+homepage: http://deveiate.org/projects/strelka-cors
+licenses:
+- BSD-3-Clause
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--main"
+- README.md
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: This is a Strelka application plugin for describing rules for [Cross-Origin
+  Resource Sharing (CORS)](http://www.w3.org/TR/cors/)
+test_files: []