strelka-cors 0.0.1

data/lib/strelka/httpresponse/cors.rb

@@ -0,0 +1,175 @@
+# -*- ruby -*-
+#encoding: utf-8
+
+require 'strelka/httpresponse'
+
+
+# CORS-related extensions for Strelka HTTP response objects.
+module Strelka::HTTPResponse::CORS
+	extend Strelka::MethodUtilities
+
+
+	### Add some instance variables to the request object.
+	def initialize( * ) # :notnew:
+		@exposed_headers = []
+		@allowed_headers = []
+		@allowed_methods = []
+		@allowed_origin = nil
+		@credentials_allowed = false
+		@access_control_max_age = nil
+		super
+	end
+
+
+	######
+	public
+	######
+
+	##
+	# The Array of raw header names that should be exposed on the request.
+	attr_accessor :exposed_headers
+
+	##
+	# The Array of raw header names that should be allowed on a preflighted request
+	attr_accessor :allowed_headers
+
+	##
+	# The Array of raw HTTP verb names that should be allowed on a preflighted request
+	attr_accessor :allowed_methods
+
+	##
+	# The origin that should be allowed by the response.
+	attr_reader :allowed_origin
+
+	##
+	# The number of seconds a preflight request can be cached
+	attr_accessor :access_control_max_age
+
+
+	##
+	# Whether or not credentials are allowed in the preflighted request
+	attr_predicate_accessor :credentials_allowed
+
+
+	### Set the allowed origin for the response.
+	def allow_origin( new_origin )
+		@allowed_origin = new_origin
+	end
+
+
+	### Set the headers of the response to indicate that any Origin is allowed.
+	def allow_any_origin
+		self.allow_origin( '*' )
+	end
+
+
+	### Add +header_names+ to the list of headers that should be exposed in the
+	### response.
+	def expose_headers( *header_names )
+		self.exposed_headers ||= []
+		self.exposed_headers += header_names
+	end
+	alias_method :expose_header, :expose_headers
+
+
+	### Add +header_names+ to the list of headers that should be allowed in a
+	### preflighted request.
+	def allow_headers( *header_names )
+		self.allowed_headers ||= []
+		self.allowed_headers += header_names
+	end
+	alias_method :allow_header, :allow_headers
+
+
+	### Add +verbs+ to the list of HTTP methods that should be allowed in a
+	### preflighted request.
+	def allow_methods( *verbs )
+		self.allowed_methods ||= []
+		self.allowed_methods += verbs
+	end
+	alias_method :allow_method, :allow_methods
+
+
+	### Allow credentials in a preflighted request.
+	def allow_credentials
+		self.credentials_allowed = true
+	end
+	alias_method :allow_cookies, :allow_credentials
+
+
+	### Add any CORS headers which have been set up to the receiving response.
+	def add_cors_headers
+		origin = self.allowed_origin || self.request.origin.to_s
+		if self.set_header_if_present( :allow_origin, origin ) && origin != '*'
+			if (( current_vary = self.header.vary ))
+				self.header.vary = [current_vary, 'origin'].join( ', ' )
+			else
+				self.header.vary = 'origin'
+			end
+		end
+
+		self.set_header_if_present( :allow_credentials, self.credentials_allowed? )
+
+		if self.request.is_preflight?
+			self.log.debug "Preflight response; adding -Allow- headers"
+			self.set_header_if_present( :allow_headers, self.allow_headers_header )
+			self.set_header_if_present( :allow_methods, self.allow_methods_header )
+			self.set_header_if_present( :max_age, self.access_control_max_age_header )
+		else
+			self.log.debug "Regular response; adding -Expose- headers"
+			self.header.access_control_expose_headers = self.expose_headers_header
+		end
+	end
+
+
+	#########
+	protected
+	#########
+
+	### If +value+ is not nil or empty, set the access control header with the
+	### specified +name+ to it.
+	def set_header_if_present( name, value )
+		return unless value && !value.to_s.empty?
+		header_name = "access_control_%s" % [ name ]
+		self.header[ header_name ] = value.to_s
+
+		return value
+	end
+
+
+	### Return the value that should be set on the Access-Control-Expose-Headers
+	### header according to the response's #exposed_headers.
+	def expose_headers_header
+		return nil unless self.exposed_headers && !self.exposed_headers.empty?
+		return self.exposed_headers.map do |header_name|
+			header_name.to_s.split( /[\-_]+/ ).map( &:capitalize ).join( '-' )
+		end.sort.uniq.join( ' ' )
+	end
+
+
+	### Return the value that should be set on the Access-Control-Allow-Headers
+	### header according to the response's #allowed_headers.
+	def allow_headers_header
+		return nil unless self.allowed_headers && !self.allowed_headers.empty?
+		return self.allowed_headers.map do |header_name|
+			header_name.to_s.split( /[\-_]+/ ).map( &:capitalize ).join( '-' )
+		end.sort.uniq.join( ' ' )
+	end
+
+
+	### Return the value that should be set on the Access-Control-Allow-Methods
+	### header according to the response's #allowed_methods.
+	def allow_methods_header
+		return nil unless self.allowed_methods && !self.allowed_methods.empty?
+		return self.allowed_methods.map( &:to_s ).sort.uniq.join( ' ' )
+	end
+
+
+	### Return the value that should be set on the Access-Control-Max-Age header
+	### according to the responses #access_control_max_age
+	def access_control_max_age_header
+		max_age = self.access_control_max_age or return nil
+		return max_age.to_i.to_s
+	end
+
+end # module Strelka::HTTPResponse::CORS

data/spec/helpers.rb

@@ -0,0 +1,74 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+BEGIN {
+	require 'pathname'
+	basedir = Pathname.new( __FILE__ ).dirname.parent.parent
+
+	srcdir = basedir.parent
+	strelkadir = srcdir + 'Strelka'
+	strelkalibdir = strelkadir + 'lib'
+
+	$LOAD_PATH.unshift( strelkalibdir.to_s ) unless $LOAD_PATH.include?( strelkalibdir.to_s )
+}
+
+# SimpleCov test coverage reporting; enable this using the :coverage rake task
+if ENV['COVERAGE']
+	$stderr.puts "\n\n>>> Enabling coverage report.\n\n"
+	require 'simplecov'
+	SimpleCov.start do
+		add_filter 'spec'
+		add_group "Needing tests" do |file|
+			file.covered_percent < 90
+		end
+	end
+end
+
+require 'loggability'
+require 'loggability/spechelpers'
+require 'configurability'
+
+require 'rspec'
+require 'mongrel2'
+require 'mongrel2/testing'
+
+require 'strelka'
+require 'strelka/testing'
+
+
+Loggability.format_with( :color ) if $stdout.tty?
+
+
+### RSpec helper functions.
+module Strelka::CORSSpecHelpers
+
+	# Send and receive specs for the test app
+	TEST_SEND_SPEC = 'tcp://127.0.0.1:9997'
+	TEST_RECV_SPEC = 'tcp://127.0.0.1:9996'
+
+end # Strelka::MetriksSpecHelpers
+
+
+abort "You need a version of RSpec >= 2.6.0" unless defined?( RSpec )
+
+### Mock with RSpec
+RSpec.configure do |config|
+	include Strelka::Constants
+	include Strelka::CORSSpecHelpers
+
+	config.run_all_when_everything_filtered = true
+	config.filter_run :focus
+	config.order = 'random'
+	config.mock_with( :rspec ) do |mock|
+		mock.syntax = :expect
+	end
+
+	config.include( Loggability::SpecHelpers )
+	config.include( Mongrel2::SpecHelpers )
+	config.include( Strelka::Constants )
+	config.include( Strelka::Testing )
+	config.include( Strelka::CORSSpecHelpers )
+end
+
+# vim: set nosta noet ts=4 sw=4:
+

data/spec/strelka/app/cors_spec.rb

@@ -0,0 +1,193 @@
+#!/usr/bin/env rspec -cfd -b
+
+require_relative '../../helpers'
+
+require 'rspec'
+
+require 'strelka'
+require 'mongrel2/testing'
+require 'strelka/testing'
+require 'strelka/behavior/plugin'
+
+require 'strelka/app/cors'
+
+
+describe Strelka::App::CORS do
+
+	before( :all ) do
+		@request_factory = Mongrel2::RequestFactory.new(
+			host: 'acme.com',
+			port: 80,
+			route: '/api/v1',
+			headers: {
+				origin: 'https://acme.com/'
+			}
+		)
+	end
+
+
+	it_should_behave_like( "A Strelka Plugin" )
+
+
+	it "adds a method to applications to declare access control rules" do
+		app = Class.new( Strelka::App ) do
+			plugins :cors
+		end
+
+		expect( app ).to respond_to( :access_controls )
+		expect( app ).to respond_to( :cors_access_control )
+	end
+
+
+	it "adds the CORS mixin to the request class" do
+		app = Class.new( Strelka::App ) do
+			plugins :cors
+		end
+		app.install_plugins
+
+		response = @request_factory.get( '/api/v1/verify' )
+
+		expect( response ).to respond_to( :cross_origin? )
+	end
+
+
+	it "adds the CORS mixin to the response class" do
+		app = Class.new( Strelka::App ) do
+			plugins :cors
+		end
+		app.install_plugins
+
+		response = @request_factory.get( '/api/v1/verify' ).response
+
+		expect( response ).to respond_to( :credentials_allowed? )
+	end
+
+
+	describe "in an app" do
+
+		let( :appclass ) do
+			Class.new( Strelka::App ) do
+				plugins :cors
+
+				def initialize( appid='cors-test', sspec=TEST_SEND_SPEC, rspec=TEST_RECV_SPEC )
+					super
+				end
+
+				def handle_request( req )
+					super do
+						res = req.response
+						res.status = HTTP::OK
+						res.content_type = 'text/plain'
+						res.puts "Ran successfully."
+
+						res
+					end
+				end
+			end
+		end
+
+
+		context "handling a regular request" do
+
+			it "sets a default Access-Control-Allow-Origin header on responses" do
+				request = @request_factory.get( '/api/v1/verify' )
+
+				response = appclass.new.handle( request )
+
+				expect( response.headers ).to include( :access_control_allow_origin )
+				expect( response.headers.access_control_allow_origin ).to eq( request.origin.to_s )
+			end
+
+		end
+
+
+
+		context "handles a pre-flight request" do
+
+			it "runs access controls blocks that match the request's path" do
+				request = @request_factory.options( '/api/v1/verify',
+					 access_control_request_method: 'POST'
+				)
+
+				appclass.access_control( '/verify' ) do |req, res|
+					res.allow_origin( '*' )
+					res.allow_headers( 'Content-Type', 'X-Object-Owner' )
+				end
+				response = appclass.new.handle( request )
+
+				expect( response.headers ).to include(
+					:access_control_allow_origin,
+					:access_control_allow_headers
+				)
+				expect( response.headers.access_control_allow_origin ).to eq( '*' )
+				expect( response.headers.access_control_allow_headers ).
+					to eq( 'Content-Type X-Object-Owner' )
+			end
+
+
+			it "runs access controls blocks that match the request's path as a Regexp" do
+				request = @request_factory.options( '/api/v1/verify',
+					 access_control_request_method: 'POST'
+				)
+
+				appclass.access_control( %r{\A/(verify|concede|command)} ) do |req, res|
+					res.allow_origin( '*' )
+					res.allow_headers( 'Content-Type', 'X-Object-Owner' )
+				end
+				response = appclass.new.handle( request )
+
+				expect( response.headers ).to include(
+					:access_control_allow_origin,
+					:access_control_allow_headers
+				)
+				expect( response.headers.access_control_allow_origin ).to eq( '*' )
+				expect( response.headers.access_control_allow_headers ).
+					to eq( 'Content-Type X-Object-Owner' )
+			end
+
+
+			it "runs access controls blocks that don't specify a path" do
+				request = @request_factory.options( '/api/v1/verify',
+					 access_control_request_method: 'POST'
+				)
+
+				appclass.access_control do |req, res|
+					res.allow_origin( 'https://acme.com/' )
+					res.allow_methods( :GET, :HEAD, :POST )
+				end
+				response = appclass.new.handle( request )
+
+				expect( response.headers ).to include(
+					:access_control_allow_origin,
+					:access_control_allow_methods,
+					:vary
+				)
+				expect( response.headers.access_control_allow_origin ).
+					to eq( 'https://acme.com/' )
+				expect( response.headers.vary.downcase.split(/\s*,\s*/) ).to include( 'origin' )
+				expect( response.headers.access_control_allow_methods ).
+					to eq( 'GET HEAD POST' )
+			end
+
+
+			it "doesn't run access controls blocks that don't match the request's path" do
+				request = @request_factory.options( '/api/v1/verify',
+					 access_control_request_method: 'POST'
+				)
+
+				appclass.access_control( 'optimise' ) do |req, res|
+					res.allow_origin( '*' )
+					res.allow_headers( 'Content-Type', 'X-Object-Owner' )
+				end
+				response = appclass.new.handle( request )
+
+				expect( response.headers ).to_not include( :access_control_allow_headers )
+				expect( response.headers.access_control_allow_origin ).to eq( request.origin.to_s )
+			end
+
+		end
+
+	end
+
+end
+

data/spec/strelka/cors_spec.rb

@@ -0,0 +1,15 @@
+#!/usr/bin/env rspec -cfd
+
+require_relative '../helpers'
+
+require 'strelka/cors'
+
+
+describe Strelka::CORS do
+
+	it "knows what version of the library it is" do
+		expect( described_class::VERSION ).to be_a( String ).and( match(/\A\d+\.\d+\.\d+\z/) )
+	end
+
+end
+