unified_csrf_prevention 1.0.0

data/spec/xing/csrf_protection/core_spec.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe UnifiedCsrfPrevention::Core do
+  describe '#generate_token' do
+    subject { described_class.generate_token }
+
+    it { is_expected.to match(/\A[\w\-]+\z/) }
+    it { expect(subject.length).to eq ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH }
+
+    context 'randomness source' do
+      let(:bytes) { double }
+      let(:encoded_bytes) { double }
+      let(:encoded_bytes_substring) { double }
+
+      before do
+        allow(SecureRandom).to receive(:random_bytes).and_return bytes
+        allow(Base64).to receive(:urlsafe_encode64).with(bytes, anything).and_return encoded_bytes
+        allow(encoded_bytes).to receive(:[]).and_return(encoded_bytes_substring)
+      end
+
+      it { is_expected.to be encoded_bytes_substring }
+    end
+  end
+
+  describe '#checksum_for' do
+    let(:token) { 'a token' }
+
+    subject { described_class.checksum_for(token) }
+
+    context 'when the configuration variable is not set' do
+      before do
+        allow(Rails.configuration).to receive(:unified_csrf_prevention_key).and_raise(NoMethodError)
+      end
+
+      it { expect { subject }.to raise_error UnifiedCsrfPrevention::ConfigurationError }
+    end
+
+    context 'when the configuration variable is set' do
+      let(:shared_secret_key) { 'a shared secret key' }
+      before do
+        allow(Rails.configuration).to receive(:unified_csrf_prevention_key).and_return(shared_secret_key)
+      end
+
+      it { is_expected.to match(/\A[\w\-]+\z/) }
+
+      context 'example from the specification' do
+        let(:token) { 'such protect' }
+        let(:shared_secret_key) { 'much secure' }
+
+        it { is_expected.to eq 'fEFyEXot47K5knjFe7MB-CKW4q99a7BmP9rKwrxf9Qk' }
+      end
+    end
+  end
+
+  describe '#valid_token?' do
+    let(:token) { double }
+    let(:checksum) { double }
+
+    subject { described_class.valid_token?(token, checksum) }
+
+    context 'token is missing' do
+      let(:token) {}
+
+      it { is_expected.to be false }
+    end
+
+    context 'checksum is missing' do
+      let(:checksum) {}
+
+      it { is_expected.to be false }
+    end
+
+    context 'comparing checksums' do
+      let(:computed_checksum) { double }
+
+      before do
+        allow(described_class).to receive(:checksum_for).with(token).and_return(computed_checksum)
+        allow(ActiveSupport::SecurityUtils).to receive(:secure_compare).and_return(checksums_equal?)
+      end
+
+      after do
+        expect(ActiveSupport::SecurityUtils).to have_received(:secure_compare).with(computed_checksum, checksum)
+      end
+
+      context 'invalid checksum' do
+        let(:checksums_equal?) { false }
+
+        it { is_expected.to be false }
+      end
+
+      context 'valid checksum' do
+        let(:checksums_equal?) { true }
+
+        it { is_expected.to be true }
+      end
+    end
+  end
+end

data/spec/xing/csrf_protection/middleware_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'rack'
+
+describe UnifiedCsrfPrevention::Middleware do
+  let(:app) do
+    proc do |env|
+      env['unified_csrf_prevention.token'] = token unless token.nil?
+      [200, {}, 'some body']
+    end
+  end
+  let(:middleware) { described_class.new(app) }
+  let(:request) { Rack::MockRequest.new(middleware) }
+
+  subject { request.get('/what-ever') }
+
+  context 'when the application did not set the token' do
+    let(:token) {}
+
+    it_behaves_like 'a middleware that does not set any cookie'
+  end
+
+  context 'when the application set the token' do
+    let(:token) { 'token' }
+    let(:checksum) { 'some_checksum' }
+
+    before do
+      allow(UnifiedCsrfPrevention::Core).to receive(:checksum_for).with(token).and_return(checksum)
+    end
+
+    %w[production preview].each do |environment|
+      context "in #{environment} environment" do
+        before { allow(Rails.env).to receive(:"#{environment}?").and_return(true) }
+
+        it_behaves_like 'a middleware that sets secure csrf cookies'
+        it_behaves_like 'a middleware that logs generated csrf token'
+      end
+    end
+
+    context 'in some other environment' do
+      it_behaves_like 'a middleware that sets insecure csrf cookies'
+    end
+  end
+end

data/unified_csrf_prevention.gemspec

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'English'
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'unified_csrf_prevention/version'
+
+Gem::Specification.new do |s|
+  s.name          = 'unified_csrf_prevention'
+  s.version       = UnifiedCsrfPrevention::VERSION
+  s.authors       = ['Egor Balyshev']
+  s.email         = ['egor.balyshev@gmail.com']
+  s.summary       = 'Cross-application CSRF prevention for Rails'
+  s.description   = 'Unified stateless cross-application CSRF prevention implementation for Rails'
+  s.homepage      = 'https://github.com/xing/unified_csrf_prevention'
+  s.license       = 'MIT'
+
+  s.required_rubygems_version = '>= 2.0'
+
+  s.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  s.executables   = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  s.test_files    = s.files.grep(%r{^(test|spec|features)/})
+  s.require_paths = ['lib']
+
+  s.add_runtime_dependency 'rails', '>= 4.2'
+
+  s.add_development_dependency 'appraisal'
+  s.add_development_dependency 'bundler', '~> 1.12'
+  s.add_development_dependency 'rubocop', '~> 0.49.1'
+  s.add_development_dependency 'rspec', '~> 3.6'
+  s.add_development_dependency 'rspec-rails', '~> 3.6'
+  s.add_development_dependency 'rake', '~> 12.0'
+end

metadata

@@ -0,0 +1,215 @@
+--- !ruby/object:Gem::Specification
+name: unified_csrf_prevention
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Egor Balyshev
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-07-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.49.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.49.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+description: Unified stateless cross-application CSRF prevention implementation for
+  Rails
+email:
+- egor.balyshev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- Appraisals
+- CHANGELOG.md
+- Gemfile
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/unified_csrf_prevention.rb
+- lib/unified_csrf_prevention/core.rb
+- lib/unified_csrf_prevention/middleware.rb
+- lib/unified_csrf_prevention/railtie.rb
+- lib/unified_csrf_prevention/request_forgery_protection.rb
+- lib/unified_csrf_prevention/version.rb
+- spec/controllers/dummy_controller_spec.rb
+- spec/dummy/app/controllers/application_controller.rb
+- spec/dummy/app/controllers/dummy_controller.rb
+- spec/dummy/app/views/dummy/index.html.erb
+- spec/dummy/app/views/layouts/application.html.erb
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
+- spec/dummy/config/environment.rb
+- spec/dummy/config/environments/test.rb
+- spec/dummy/config/initializers/backtrace_silencers.rb
+- spec/dummy/config/initializers/cookies_serializer.rb
+- spec/dummy/config/initializers/filter_parameter_logging.rb
+- spec/dummy/config/initializers/inflections.rb
+- spec/dummy/config/initializers/mime_types.rb
+- spec/dummy/config/initializers/session_store.rb
+- spec/dummy/config/initializers/to_time_preserves_timezone.rb
+- spec/dummy/config/initializers/wrap_parameters.rb
+- spec/dummy/config/routes.rb
+- spec/dummy/config/secrets.yml
+- spec/dummy/log/.keep
+- spec/rails_helper.rb
+- spec/spec_helper.rb
+- spec/support/shared_context/for_controllers.rb
+- spec/support/shared_examples/for_controllers.rb
+- spec/support/shared_examples/for_middleware.rb
+- spec/xing/csrf_protection/core_spec.rb
+- spec/xing/csrf_protection/middleware_spec.rb
+- unified_csrf_prevention.gemspec
+homepage: https://github.com/xing/unified_csrf_prevention
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Cross-application CSRF prevention for Rails
+test_files:
+- spec/controllers/dummy_controller_spec.rb
+- spec/dummy/app/controllers/application_controller.rb
+- spec/dummy/app/controllers/dummy_controller.rb
+- spec/dummy/app/views/dummy/index.html.erb
+- spec/dummy/app/views/layouts/application.html.erb
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
+- spec/dummy/config/environment.rb
+- spec/dummy/config/environments/test.rb
+- spec/dummy/config/initializers/backtrace_silencers.rb
+- spec/dummy/config/initializers/cookies_serializer.rb
+- spec/dummy/config/initializers/filter_parameter_logging.rb
+- spec/dummy/config/initializers/inflections.rb
+- spec/dummy/config/initializers/mime_types.rb
+- spec/dummy/config/initializers/session_store.rb
+- spec/dummy/config/initializers/to_time_preserves_timezone.rb
+- spec/dummy/config/initializers/wrap_parameters.rb
+- spec/dummy/config/routes.rb
+- spec/dummy/config/secrets.yml
+- spec/dummy/log/.keep
+- spec/rails_helper.rb
+- spec/spec_helper.rb
+- spec/support/shared_context/for_controllers.rb
+- spec/support/shared_examples/for_controllers.rb
+- spec/support/shared_examples/for_middleware.rb
+- spec/xing/csrf_protection/core_spec.rb
+- spec/xing/csrf_protection/middleware_spec.rb