tynn 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b3f1c481e9598f3996534f61913917797c496b2f
-  data.tar.gz: 7c5af7d6d35e404d81ec9eece88b35570a314851
+  metadata.gz: d0c2e697419542ac01be6106e60a3bd2a6221d3b
+  data.tar.gz: 917cac7cbbd5a4123c1f70ca431dd818aa17efcc
 SHA512:
-  metadata.gz: 3b571bda996fc71b5d4a1cf7abdeb99e0eef5cc3d962ca4d064293bedb253d862e2f58b8d440534426228bb9a5946039b88e98c6604bf69acf03547dce90c7bb
-  data.tar.gz: 99a7ec1117a9ff0b017bf02c310e9e525045bc30f7ea259ac9d531462e6c821a25c8e0f33e0ca0233d2dfab4a491176fd53cfc3760b202a10d02e921849a9764
+  metadata.gz: 70b7c35be68be33da92b5b95808b4e241081912c588b0d4e29a2f07a87413e5b5907f3adbe02ebc1aabee06d0d61071768cf471f05bb2e59e8f4fe132fd2a45a
+  data.tar.gz: 765f7512ccae32a7b6e92db62f2acc1a1b6370bcd05d0e14c6d1dd6da2cbe765dc9808baa269b1067e564b1beed0496082e6eb1859478455657303f89b15e7c6

data/.gitignore

@@ -0,0 +1 @@
+doc/

data/examples/protection.ru

@@ -0,0 +1,18 @@
+require_relative "../lib/tynn"
+require_relative "../lib/tynn/environment"
+require_relative "../lib/tynn/protection"
+require_relative "../lib/tynn/session"
+
+Tynn.helpers(Tynn::Environment)
+
+Tynn.helpers(Tynn::Protection, ssl: Tynn.production?)
+
+Tynn.helpers(Tynn::Session, secret: SecureRandom.hex(64))
+
+Tynn.define do
+  root do
+    res.write("use protection")
+  end
+end
+
+run(Tynn)

data/lib/tynn.rb

@@ -9,7 +9,7 @@ class Tynn < Syro::Deck
   end
 
   def self.use(_middleware, *args, &block)
-    middleware.unshift(Proc.new { |app| _middleware.new(app, *args, &block) })
+    middleware << (Proc.new { |app| _middleware.new(app, *args, &block) })
   end
 
   def self.helpers(helper, *args)
@@ -34,7 +34,7 @@ class Tynn < Syro::Deck
     if middleware.empty?
       return @syro
     else
-      return middleware.inject(@syro) { |a, m| m.call(a) }
+      return middleware.reverse.inject(@syro) { |a, m| m.call(a) }
     end
   end
 

data/lib/tynn/csrf.rb

@@ -0,0 +1,48 @@
+module Tynn::CSRF
+  def csrf
+    @csrf ||= Tynn::CSRF::Helper.new(self)
+  end
+
+  class Helper
+    CSRF_HEADER = "HTTP_X_CSRF_TOKEN".freeze
+
+    def initialize(app)
+      @app = app
+      @req = app.req
+    end
+
+    def token
+      return session[:csrf_token] ||= SecureRandom.base64(32)
+    end
+
+    def reset!
+      session.delete(:csrf_token)
+    end
+
+    def safe?
+      return @req.get? || @req.head? || verify_token
+    end
+
+    def unsafe?
+      return !safe?
+    end
+
+    def form_tag
+      return %Q(<input type="hidden" name="csrf_token" value="#{ token }">)
+    end
+
+    def meta_tag
+      return %Q(<meta name="csrf_token" content="#{ token }">)
+    end
+
+    private
+
+    def verify_token
+      return @req[:csrf_token] == token || @req.env[CSRF_HEADER] == token
+    end
+
+    def session
+      return @app.session
+    end
+  end
+end

data/lib/tynn/environment.rb

@@ -1,9 +1,26 @@
+# Adds helper methods to get and check the current environment.
+#
+#     require "tynn"
+#     require "tynn/environment"
+#
+#     Tynn.helpers(Tynn::Environment)
+#
+#     Tynn.environment  # => :development
+#
+#     Tynn.development? # => true
+#     Tynn.production?  # => false
+#     Tynn.test?        # => false
+#
+# By default, the environment is based on `ENV["RACK_ENV"]`.
+#
+#     Tynn.helpers(Tynn::Environment, env: ENV["RACK_ENV"])
+#
 module Tynn::Environment
   def self.setup(app, env: ENV["RACK_ENV"]) # :nodoc:
     app.settings[:environment] = (env || :development).to_sym
   end
 
-  module ClassMethods
+  module ClassMethods # :nodoc:
     def environment
       return settings[:environment]
     end

data/lib/tynn/json.rb

@@ -4,7 +4,7 @@ module Tynn::JSON
   JSON_CONTENT_TYPE = "application/json".freeze # :nodoc:
 
   def json(data)
-    res.headers[Rack::CONTENT_TYPE] ||= JSON_CONTENT_TYPE
+    res.headers[Rack::CONTENT_TYPE] = JSON_CONTENT_TYPE
 
     res.write(data.to_json)
   end

data/lib/tynn/json_parser.rb

@@ -2,7 +2,7 @@ require "json"
 
 module Tynn::JSONParser
   def self.setup(app) # :nodoc:
-    app.use(Middleware)
+    app.use(Tynn::JSONParser::Middleware)
   end
 
   class Middleware # :nodoc:
@@ -27,6 +27,8 @@ module Tynn::JSONParser
       return @app.call(request.env)
     end
 
+    private
+
     def json?(request)
       return request.media_type == CONTENT_TYPE
     end

data/lib/tynn/matchers.rb

@@ -0,0 +1,40 @@
+# Adds extra matchers to Tynn.
+#
+#     require "tynn"
+#     require "tynn/matchers"
+#
+#     Tynn.helpers(Tynn::Matchers)
+#
+module Tynn::Matchers
+  # A catch-all matcher.
+  #
+  #     Tynn.define do
+  #       authenticated? do
+  #         # ...
+  #       end
+  #
+  #       default do # on true
+  #         # ...
+  #       end
+  #     end
+  #
+  # :call-seq: default(&block)
+  #
+  def default
+    yield
+
+    halt(res.finish)
+  end
+
+  # Match if the given `params` are present.
+  #
+  #     Tynn.define do
+  #       on param?(:token) do
+  #         # ...
+  #       end
+  #     end
+  #
+  def param?(*params)
+    return params.all? { |param| (v = req[param]) && !v.empty? }
+  end
+end

data/lib/tynn/not_found.rb

@@ -0,0 +1,18 @@
+module Tynn::NotFound
+  def call(env, inbox) # :nodoc:
+    result = super(env, inbox)
+
+    status, _, body = result
+
+    if status == 404 && body.empty?
+      not_found
+
+      return res.finish
+    else
+      return result
+    end
+  end
+
+  def not_found # :nodoc:
+  end
+end

data/lib/tynn/protection.rb

@@ -0,0 +1,13 @@
+require_relative "secure_headers"
+
+module Tynn::Protection
+  def self.setup(app, ssl: false, hsts: {}) # :nodoc:
+    app.helpers(Tynn::SecureHeaders)
+
+    if ssl
+      require_relative "ssl"
+
+      app.helpers(Tynn::SSL, hsts: hsts)
+    end
+  end
+end

data/lib/tynn/secure_headers.rb

@@ -1,3 +1,10 @@
+# Adds security related HTTP headers.
+#
+#   require "tynn"
+#   require "tynn/secure_headers"
+#
+#   Tynn.helpers(Tynn::SecureHeaders)
+#
 module Tynn::SecureHeaders
   HEADERS = {
     "X-Content-Type-Options" => "nosniff",

data/lib/tynn/session.rb

@@ -2,6 +2,9 @@ module Tynn::Session
   RACK_SESSION = "rack.session".freeze # :nodoc:
 
   def self.setup(app, options = {}) # :nodoc:
+    options = options.dup
+    options[:http_only] ||= true
+
     app.use(Rack::Session::Cookie, options)
   end
 

data/lib/tynn/ssl.rb

@@ -0,0 +1,71 @@
+module Tynn::SSL
+  def self.setup(app, options = {}) # :nodoc:
+    app.use(Tynn::SSL::Middleware, options)
+  end
+
+  class Middleware # :nodoc:
+    def initialize(app, hsts: {})
+      @app = app
+      @hsts_header = build_hsts_header(hsts)
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      unless request.ssl?
+        return [301, redirect_headers(request), []]
+      end
+
+      result = @app.call(env)
+
+      set_hsts_header(result[1])
+      set_cookies_as_secure(result[1])
+
+      return result
+    end
+
+    private
+
+    HSTS_HEADER = "Strict-Transport-Security".freeze
+    HSTS_EXPIRE = 15_552_000 # 180 days
+
+    def build_hsts_header(options)
+      header = sprintf("max-age=%i", options.fetch(:expires, HSTS_EXPIRE))
+      header << "; includeSubdomains" if options.fetch(:subdomains, true)
+      header << "; preload" if options[:preload]
+
+      return header
+    end
+
+    def redirect_headers(request)
+      return {
+        "Content-Type" => "text/html",
+        "Location" => https_location(request)
+      }
+    end
+
+    HTTPS_LOCATION = "https://%s%s".freeze
+
+    def https_location(request)
+      return sprintf(HTTPS_LOCATION, request.host, request.fullpath)
+    end
+
+    def set_hsts_header(headers)
+      headers[HSTS_HEADER] = @hsts_header
+    end
+
+    COOKIE_HEADER = "Set-Cookie".freeze
+    COOKIE_SEPARATOR = "\n".freeze
+    COOKIE_REGEXP = /;\s*secure\s*(;|$)/i
+
+    def set_cookies_as_secure(headers)
+      return unless cookies = headers[COOKIE_HEADER]
+
+      cookies = cookies.split(COOKIE_SEPARATOR).map do |cookie|
+        (cookie !~ COOKIE_REGEXP) ?  "#{ cookie }; secure" : cookie
+      end
+
+      headers[COOKIE_HEADER] = cookies.join(COOKIE_SEPARATOR)
+    end
+  end
+end

data/lib/tynn/version.rb

@@ -1,3 +1,3 @@
 class Tynn
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

data/makefile

@@ -1,9 +1,12 @@
 default: test
 
+docs:
+	@rdoc --markup markdown ./lib/
+
 install:
 	@cat .gems | xargs gem install
 
 test:
-	@cutest -r ./test/helper.rb ./test/*.rb
+	@cutest -r ./test/helper.rb ./test/*_test.rb
 
 .PHONY: test

data/test/csrf_test.rb

@@ -0,0 +1,98 @@
+require "securerandom"
+require_relative "../lib/tynn/csrf"
+require_relative "../lib/tynn/session"
+
+setup do
+  Tynn.helpers(Tynn::CSRF)
+  Tynn.helpers(Tynn::Session, secret: SecureRandom.hex(64))
+
+  Tynn::Test.new
+end
+
+test "get should be safe" do |app|
+  Tynn.define do
+    get do
+      res.write(csrf.safe?)
+    end
+  end
+
+  app.get("/")
+
+  assert_equal "true", app.res.body
+end
+
+test "head should be safe" do |app|
+  Tynn.define do
+    on req.head? do
+      res.write(csrf.safe?)
+    end
+  end
+
+  app.head("/")
+
+  assert_equal "true", app.res.body
+end
+
+test "invalid csrf token" do |app|
+  Tynn.define do
+    post do
+      res.write(csrf.unsafe?)
+    end
+  end
+
+  app.post("/")
+
+  assert_equal "true", app.res.body
+end
+
+test "valid csrf token" do |app|
+  token = SecureRandom.hex(64)
+
+  Tynn.define do
+    post do
+      session[:csrf_token] = token
+
+      res.write(csrf.safe?)
+    end
+  end
+
+  app.post("/", csrf_token: token)
+
+  assert_equal "true", app.res.body
+end
+
+test "resets token" do |app|
+  token = SecureRandom.hex(64)
+
+  Tynn.define do
+    post do
+      session[:csrf_token] = token
+
+      if csrf.unsafe?
+        csrf.reset!
+      end
+
+      res.write(csrf.token)
+    end
+  end
+
+  app.post("/", csrf_token: "nonsense")
+
+  assert token != app.res.body
+end
+
+test "http header" do |app|
+  token = SecureRandom.hex(64)
+
+  Tynn.define do
+    post do
+      session[:csrf_token] = token
+
+      res.write(csrf.safe?)
+    end
+  end
+
+  app.post("/", {}, "HTTP_X_CSRF_TOKEN" => token)
+
+  assert_equal "true", app.res.body
+end

data/test/matchers_test.rb

@@ -0,0 +1,37 @@
+require_relative "../lib/tynn/matchers"
+
+setup do
+  Tynn.helpers(Tynn::Matchers)
+
+  Tynn::Test.new
+end
+
+test "default" do |app|
+  Tynn.define do
+    default do
+      res.write("foo")
+    end
+  end
+
+  app.get("/")
+
+  assert_equal 200, app.res.status
+  assert_equal "foo", app.res.body
+end
+
+test "param?" do |app|
+  Tynn.define do
+    on param?(:key) do
+      res.write(req[:key])
+    end
+  end
+
+  app.get("/")
+
+  assert_equal 404, app.res.status
+
+  app.get("/", key: "foo")
+
+  assert_equal 200, app.res.status
+  assert_equal "foo", app.res.body
+end

data/test/not_found_test.rb

@@ -0,0 +1,19 @@
+require_relative "../lib/tynn/not_found"
+
+test "not found" do
+  Tynn.helpers(Tynn::NotFound)
+
+  class Tynn
+    def not_found
+      res.write("not found")
+    end
+  end
+
+  Tynn.define do
+  end
+
+  app = Tynn::Test.new
+  app.get("/notfound")
+
+  assert_equal "not found", app.res.body
+end

data/test/protection_test.rb

@@ -0,0 +1,29 @@
+require_relative "../lib/tynn/protection"
+
+test "includes secure headers" do
+  Tynn.helpers(Tynn::Protection)
+
+  assert Tynn.include?(Tynn::SecureHeaders)
+end
+
+test "includes ssl helper if ssl is true" do
+  Tynn.helpers(Tynn::Protection, ssl: true)
+
+  assert Tynn.include?(Tynn::SSL)
+end
+
+test "supports hsts options" do
+  hsts = { expires: 100, subdomains: false, preload: true }
+
+  Tynn.helpers(Tynn::Protection, ssl: true, hsts: hsts)
+
+  Tynn.define do
+  end
+
+  app = Tynn::Test.new
+  app.get("/", {}, "HTTPS" => "on")
+
+  hsts = app.res.headers["Strict-Transport-Security"]
+
+  assert_equal "max-age=100; preload", hsts
+end

data/test/{session.rb → session_test.rb}

@@ -15,8 +15,11 @@ test "session" do
   app = Tynn::Test.new
   app.get("/")
 
-  env = app.last_request.env
+  env = app.req.env
+  session = env["rack.session"]
+  session_options = env["rack.session.options"]
 
   assert_equal "foo", app.res.body
-  assert_equal "foo", env["rack.session"]["foo"]
+  assert_equal "foo", session["foo"]
+  assert_equal true, session_options[:http_only]
 end

data/test/ssl_test.rb

@@ -0,0 +1,82 @@
+require_relative "../lib/tynn/ssl"
+
+setup do
+  Tynn::Test.new
+end
+
+test "redirects to https" do |app|
+  Tynn.helpers(Tynn::SSL)
+
+  Tynn.define do
+  end
+
+  app.get("/")
+
+  assert_equal 301, app.res.status
+  assert_equal "https://example.org/", app.res.location
+end
+
+test "https request" do |app|
+  Tynn.helpers(Tynn::SSL)
+
+  Tynn.define do
+    root do
+      res.write("secure")
+    end
+  end
+
+  app.get("/", {}, "HTTPS" => "on")
+
+  assert_equal "secure", app.res.body
+end
+
+test "hsts header" do |app|
+  Tynn.helpers(Tynn::SSL)
+
+  Tynn.define do
+  end
+
+  app = Tynn::Test.new
+  app.get("/", {}, "HTTPS" => "on")
+
+  header = app.res.headers["Strict-Transport-Security"]
+
+  assert_equal "max-age=15552000; includeSubdomains", header
+end
+
+test "hsts header options" do |app|
+  Tynn.helpers(Tynn::SSL, hsts: {
+    expires: 1,
+    subdomains: false,
+    preload: true
+  })
+
+  Tynn.define do
+  end
+
+  app = Tynn::Test.new
+  app.get("/", {}, "HTTPS" => "on")
+
+  header = app.res.headers["Strict-Transport-Security"]
+
+  assert_equal "max-age=1; preload", header
+end
+
+test "secure cookies" do |app|
+  Tynn.helpers(Tynn::SSL)
+
+  Tynn.define do
+    get do
+      res.set_cookie("first", "cookie")
+      res.set_cookie("other", "cookie")
+    end
+  end
+
+  app = Tynn::Test.new
+  app.get("/", {}, "HTTPS" => "on")
+
+  first, other = app.res.headers["Set-Cookie"].split("\n")
+
+  assert_equal "first=cookie; secure", first
+  assert_equal "other=cookie; secure", other
+end

data/test/{static.rb → static_test.rb}

@@ -7,7 +7,7 @@ test "static" do
   end
 
   app = Tynn::Test.new
-  app.get("/test/static.rb")
+  app.get("/test/static_test.rb")
 
   assert_equal File.read(__FILE__), app.res.body
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tynn
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Francesco Rodríguez
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-02 00:00:00.000000000 Z
+date: 2015-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -116,43 +116,51 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gems"
+- ".gitignore"
 - LICENSE
 - README.md
 - examples/composition.ru
 - examples/hello.ru
+- examples/protection.ru
 - examples/render.ru
 - examples/views/home.erb
 - examples/views/layout.erb
 - lib/tynn.rb
-- lib/tynn/default_matcher.rb
+- lib/tynn/csrf.rb
 - lib/tynn/environment.rb
 - lib/tynn/erubis.rb
 - lib/tynn/hmote.rb
-- lib/tynn/hsts.rb
 - lib/tynn/json.rb
 - lib/tynn/json_parser.rb
+- lib/tynn/matchers.rb
+- lib/tynn/not_found.rb
+- lib/tynn/protection.rb
 - lib/tynn/render.rb
 - lib/tynn/secure_headers.rb
 - lib/tynn/send_file.rb
 - lib/tynn/session.rb
+- lib/tynn/ssl.rb
 - lib/tynn/static.rb
 - lib/tynn/test.rb
 - lib/tynn/version.rb
 - makefile
-- test/core.rb
-- test/default_matcher.rb
-- test/environment.rb
-- test/erubis.rb
+- test/core_test.rb
+- test/csrf_test.rb
+- test/environment_test.rb
+- test/erubis_test.rb
 - test/helper.rb
-- test/hmote.rb
-- test/hsts.rb
-- test/json.rb
-- test/json_parser.rb
-- test/render.rb
-- test/secure_headers.rb
-- test/send_file.rb
-- test/session.rb
-- test/static.rb
+- test/hmote_test.rb
+- test/json_parser_test.rb
+- test/json_test.rb
+- test/matchers_test.rb
+- test/not_found_test.rb
+- test/protection_test.rb
+- test/render_test.rb
+- test/secure_headers_test.rb
+- test/send_file_test.rb
+- test/session_test.rb
+- test/ssl_test.rb
+- test/static_test.rb
 - test/views/custom_layout.erb
 - test/views/custom_layout.mote
 - test/views/layout.erb

data/lib/tynn/default_matcher.rb

@@ -1,7 +0,0 @@
-module Tynn::DefaultMatcher
-  def default
-    yield
-
-    halt(res.finish)
-  end
-end

data/lib/tynn/hsts.rb

@@ -1,23 +0,0 @@
-module Tynn::HSTS
-  HSTS_HEADER = "Strict-Transport-Security".freeze # :nodoc:
-  HSTS_EXPIRE = 15_552_000 # 180 days # :nodoc:
-
-  def self.setup(app, options = {}) # :nodoc:
-    max_age = options.fetch(:max_age, HSTS_EXPIRE)
-    subdomains = options.fetch(:subdomains, true)
-    preload = options.fetch(:preload, false)
-
-    header = sprintf("max-age=%i", max_age)
-    header << "; includeSubdomains" if subdomains
-    header << "; preload" if preload
-
-    app.settings[:hsts] = header
-  end
-
-  def call(env, inbox) # :nodoc:
-    result = super(env, inbox)
-    result[1][HSTS_HEADER] = settings[:hsts]
-
-    return result
-  end
-end

data/test/default_matcher.rb

@@ -1,17 +0,0 @@
-require_relative "../lib/tynn/default_matcher"
-
-test "default" do
-  Tynn.helpers(Tynn::DefaultMatcher)
-
-  Tynn.define do
-    default do
-      res.write("foo")
-    end
-  end
-
-  app = Tynn::Test.new
-  app.get("/")
-
-  assert_equal 200, app.res.status
-  assert_equal "foo", app.res.body
-end

data/test/hsts.rb

@@ -1,29 +0,0 @@
-require_relative "../lib/tynn/hsts"
-
-test "hsts" do
-  Tynn.helpers(Tynn::HSTS)
-
-  Tynn.define do
-  end
-
-  app = Tynn::Test.new
-  app.get("/")
-
-  header = app.res.headers["Strict-Transport-Security"]
-
-  assert_equal "max-age=15552000; includeSubdomains", header
-end
-
-test "hsts with options" do
-  Tynn.helpers(Tynn::HSTS, max_age: 1, preload: true)
-
-  Tynn.define do
-  end
-
-  app = Tynn::Test.new
-  app.get("/")
-
-  header = app.res.headers["Strict-Transport-Security"]
-
-  assert_equal "max-age=1; includeSubdomains; preload", header
-end