unified_csrf_prevention 1.0.0

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,5 @@
+require 'unified_csrf_prevention'
+
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception
+end

data/spec/dummy/app/controllers/dummy_controller.rb

@@ -0,0 +1,11 @@
+class DummyController < ApplicationController
+  def index; end
+
+  def success
+    head :ok
+  end
+
+  def update
+    head :ok
+  end
+end

data/spec/dummy/app/views/dummy/index.html.erb

@@ -0,0 +1 @@
+<%= form_tag %>

data/spec/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Dummy App</title>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/spec/dummy/config/application.rb

@@ -0,0 +1,32 @@
+require File.expand_path('../boot', __FILE__)
+
+require "rails"
+# Pick the frameworks you want:
+# require "active_model/railtie"
+# require "active_job/railtie"
+# require "active_record/railtie"
+require "action_controller/railtie"
+# require "action_mailer/railtie"
+require "action_view/railtie"
+# require "sprockets/railtie"
+# require "rails/test_unit/railtie"
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end

data/spec/dummy/config/boot.rb

@@ -0,0 +1,3 @@
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' # Set up gems listed in the Gemfile.

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/dummy/config/environments/test.rb

@@ -0,0 +1,44 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static file server for tests with Cache-Control for performance.
+  config.serve_static_files   = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Enable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = true
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  # config.action_mailer.delivery_method = :test
+
+  # Randomize the order test cases are executed.
+  config.active_support.test_order = :random
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+
+  config.unified_csrf_prevention_key = 'protected to the max'
+end

data/spec/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/dummy/config/initializers/cookies_serializer.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/spec/dummy/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/spec/dummy/config/initializers/inflections.rb

@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

data/spec/dummy/config/initializers/mime_types.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf

data/spec/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :disabled

data/spec/dummy/config/initializers/to_time_preserves_timezone.rb

@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# Preserve the timezone of the receiver when calling to `to_time`.
+# Ruby 2.4 will change the behavior of `to_time` to preserve the timezone
+# when converting to an instance of `Time` instead of the previous behavior
+# of converting to the local system timezone.
+#
+# Rails 5.0 introduced this config option so that apps made with earlier
+# versions of Rails are not affected when upgrading.
+ActiveSupport.to_time_preserves_timezone = true

data/spec/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,9 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end

data/spec/dummy/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  get  '/'        => 'dummy#index'
+  post '/'        => 'dummy#update'
+  get  '/success' => 'dummy#success'
+end

data/spec/dummy/config/secrets.yml

@@ -0,0 +1,22 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+development:
+  secret_key_base: e20fedf9cf9b2c879b4865d7b0c9485e262ddb5fe169b9b8fcae0ada5c1a7525e0f9a41e80fbb6a44c6f9ea367199d0671d187ae3ffea2199f47e41a2593360b
+
+test:
+  secret_key_base: 3683f82c161cabc21d5d60e3b23aa6ec3b74b4601d0ea0dbc35baf027c8eaee0194d24391954cd5cba71cafaa8f39820c267bf827117dd21c753ca43058113c6
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment', __FILE__)
+run Rails.application

data/spec/rails_helper.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+ENV['RAILS_ENV'] ||= 'test'
+
+require 'spec_helper'
+require File.expand_path('../dummy/config/environment', __FILE__)
+require 'rspec/rails'
+
+Dir[File.expand_path('**/*.rb', './spec/support/')].each { |f| require f }

data/spec/spec_helper.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'unified_csrf_prevention'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+  config.filter_run_when_matching :focus
+
+  config.warnings = true
+
+  config.order = :random
+  Kernel.srand config.seed
+end

data/spec/support/shared_context/for_controllers.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+shared_context 'with token and checksum' do
+  let(:token) { 'A token should be 32 bytes long.' }
+  let(:checksum) { 'a checksum' }
+
+  before do
+    allow(UnifiedCsrfPrevention::Core).to receive(:valid_token?).and_return(false)
+    allow(UnifiedCsrfPrevention::Core).to receive(:valid_token?).with(token, checksum).and_return(valid_token?)
+
+    request.cookies['csrf_token'] = token
+    request.cookies['csrf_checksum'] = checksum
+  end
+end
+
+shared_context 'empty update request' do
+  let(:perform_request) do
+    post :update
+  end
+end
+
+shared_context 'update request with a csrf token form parameter' do
+  let(:perform_request) do
+    post_with_params :update, params: { authenticity_token: token }
+  end
+end
+
+shared_context 'update request with a fetched csrf token form parameter' do
+  render_views
+
+  let(:perform_request) do
+    get :index
+    actual_token = response.body.match(%r{<input type="hidden" name="authenticity_token" value="([^"]+)" />})[1]
+
+    post_with_params :update, params: { authenticity_token: actual_token }
+  end
+end
+
+shared_context 'update request with a csrf token header' do
+  let(:perform_request) do
+    request.headers['X-CSRF-Token'] = token
+    post :update
+  end
+end
+
+# rspec-rails `post` interface is different starting from Rails 5
+# https://relishapp.com/rspec/rspec-rails/docs/request-specs/request-spec#specify-managing-a-widget-with-rails-integration-methods
+
+POST_RAILS_5 = Gem.loaded_specs['rails']&.version.to_s.to_i >= 5
+
+def post_with_params(action, params:)
+  post action, POST_RAILS_5 ? { params: params } : params
+end

data/spec/support/shared_examples/for_controllers.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+TOKEN_INPUT_REGEXP = %r{<input type="hidden" name="authenticity_token" value="([^"]+)" />}
+TOKEN_META_REGEXP  = %r{<meta name="csrf-token" content="([^"]+)" />}
+
+shared_examples 'an action that outputs the csrf token' do
+  let(:real_form_token) do
+    encoded_token = response.body.match(TOKEN_INPUT_REGEXP)[1]
+    decode_token(encoded_token)
+  end
+
+  let(:real_meta_token) do
+    encoded_token = response.body.match(TOKEN_META_REGEXP)[1]
+    decode_token(encoded_token)
+  end
+
+  it 'renders form with a new token' do
+    perform_request
+
+    expect(response.body).to match(TOKEN_INPUT_REGEXP)
+    expect(real_form_token).to eq(output_token)
+  end
+
+  it 'renders csrf meta tags with a new token' do
+    perform_request
+
+    expect(response.body).to match(%r{<meta name="csrf-param" content="authenticity_token" />})
+    expect(response.body).to match(TOKEN_META_REGEXP)
+    expect(real_meta_token).to eq(output_token)
+  end
+end
+
+shared_examples 'an action that outputs the csrf cookies' do
+  it 'sets the token for the middleware' do
+    begin
+      perform_request
+    rescue ActionController::InvalidAuthenticityToken
+      nil
+    end
+
+    expect(request.env).to include('unified_csrf_prevention.token' => output_token)
+  end
+end
+
+shared_examples 'an action that does not output the csrf cookies' do
+  it 'does not set the token for the middleware' do
+    begin
+      perform_request
+    rescue ActionController::InvalidAuthenticityToken
+      nil
+    end
+
+    expect(request.env).not_to include('unified_csrf_prevention.token')
+  end
+end
+
+shared_examples 'an action that responds with a csrf validation error' do
+  it do
+    expect { perform_request }.to raise_error ActionController::InvalidAuthenticityToken
+  end
+end
+
+shared_examples 'an action that responds with OK' do
+  it do
+    perform_request
+
+    expect(response).to be_ok
+  end
+end
+
+# Code parts were taken from ActionController::RequestForgeryProtection
+def decode_token(encoded_masked_token)
+  masked_token = Base64.strict_decode64(encoded_masked_token)
+  one_time_pad = masked_token[0...ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH]
+  encrypted_csrf_token = masked_token[ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH..-1]
+  one_time_pad.bytes.zip(encrypted_csrf_token.bytes).map { |(c1, c2)| c1 ^ c2 }.pack('c*')
+end

data/spec/support/shared_examples/for_middleware.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+shared_examples 'a middleware that does not set any cookie' do
+  it { is_expected.to be_ok }
+
+  it 'does not output Set-Cookie header' do
+    expect(subject.headers).not_to include('Set-Cookie')
+  end
+end
+
+shared_examples 'a middleware that sets secure csrf cookies' do
+  it { is_expected.to be_ok }
+  it 'sets the csrf cookie headers' do
+    expect(subject.headers).to include('Set-Cookie' => %r{^csrf_token=#{token}; path=/; secure; SameSite=Strict$})
+    expect(subject.headers).to include('Set-Cookie' => %r{^csrf_checksum=#{checksum}; path=/; secure; HttpOnly; SameSite=Strict$})
+  end
+end
+
+shared_examples 'a middleware that logs generated csrf token' do
+  before { allow(Rails.logger).to receive(:info) }
+
+  it { is_expected.to be_ok }
+  it 'logs the token' do
+    subject
+    expect(Rails.logger).to have_received(:info).with("Set CSRF token: #{token}")
+  end
+end
+
+shared_examples 'a middleware that sets insecure csrf cookies' do
+  it { is_expected.to be_ok }
+  it 'sets the csrf cookie headers' do
+    expect(subject.headers).to include('Set-Cookie' => %r{^csrf_token=#{token}; path=/; SameSite=Strict$})
+    expect(subject.headers).to include('Set-Cookie' => %r{^csrf_checksum=#{checksum}; path=/; HttpOnly; SameSite=Strict$})
+  end
+end