Class: Cuba

Inherits:

Object

• Object
• Cuba

Defined in:

lib/cuba/safe/secure_headers.rb,
lib/cuba.rb,
lib/cuba/safe.rb,
lib/cuba/render.rb,
lib/cuba/safe/csrf.rb

Overview

Secure HTTP Headers

This plugin will automatically apply several headers that are related to security. This includes:

- HTTP Strict Transport Security (HSTS) [2].
- X-Frame-Options [3].
- X-XSS-Protection [4].
- X-Content-Type-Options [5].
- X-Download-Options [6].
- X-Permitted-Cross-Domain-Policies [7].

Due to HTTP/2 specifications and Rack specifications, field names are applied in all lowercase.

References

[1]: github.com/twitter/secureheaders [2]: tools.ietf.org/html/rfc6797 [3]: tools.ietf.org/html/draft-ietf-websec-x-frame-options-02 [4]: msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx [5]: msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx [6]: msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx [7]: www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html [8]: datatracker.ietf.org/doc/html/rfc9113#name-http-fields

Defined Under Namespace

Modules: Render, Safe Classes: Response

Constant Summary

SLASH =

"/".freeze

EMPTY =

"".freeze

SEGMENT =

"([^\\/]+)".freeze

DEFAULT =

"text/html; charset=utf-8".freeze

REGEXES =

Hash.new { |h, pattern| h[pattern] = /\A\/(#{pattern})(\/|\z)/ }

Instance Attribute Summary

• #captures ⇒ Object readonly

  Returns the value of attribute captures.

• #env ⇒ Object readonly

  Returns the value of attribute env.

• #req ⇒ Object readonly

  Returns the value of attribute req.

• #res ⇒ Object readonly

  Returns the value of attribute res.

Class Method Summary

• .app ⇒ Object
• .call(env) ⇒ Object
• .deepclone(obj) ⇒ Object
• .define(&block) ⇒ Object
• .inherited(child) ⇒ Object
• .plugin(mixin) ⇒ Object
• .prototype ⇒ Object
• .reset! ⇒ Object
• .settings ⇒ Object
• .use(middleware, *args, **kwargs, &block) ⇒ Object

Instance Method Summary

• #accept(mimetype) ⇒ Object

  If you want to match against the HTTP_ACCEPT value.

• #call(env) ⇒ Object
• #call!(env) ⇒ Object
• #default ⇒ Object

  Syntactic sugar for providing catch-all matches.

• #delete ⇒ Object
• #extension(ext = "\\w+") ⇒ Object

  A matcher for files with a certain extension.

• #get ⇒ Object

  Syntatic sugar for providing HTTP Verb matching.

• #halt(response) ⇒ Object
• #head ⇒ Object
• #host(hostname) ⇒ Object

  Useful for matching against the request host (i.e. HTTP_HOST).

• #initialize(&blk) ⇒ Cuba constructor

  A new instance of Cuba.

• #link ⇒ Object
• #match(matcher, segment = SEGMENT) ⇒ Object
• #not_found ⇒ Object
• #on(*args, &block) ⇒ Object

  The heart of the path / verb / any condition matching.

• #options ⇒ Object
• #param(key, default = nil) ⇒ Object

  Ensures that certain request parameters are present.

• #patch ⇒ Object
• #post ⇒ Object
• #put ⇒ Object
• #root ⇒ Object

  Access the root of the application.

• #run(app) ⇒ Object

  If you want to halt the processing of an existing handler and continue it via a different handler.

• #session ⇒ Object
• #settings ⇒ Object
• #trace ⇒ Object
• #unlink ⇒ Object
• #vars ⇒ Object

  Returns a hash with the information set by the #with method.

• #with(dict = {}) ⇒ Object

  Adds ability to pass information to a nested Cuba application.

Constructor Details

#initialize(&blk) ⇒ Cuba

Returns a new instance of Cuba.

# File 'lib/cuba.rb', line 134

def initialize(&blk)
  @blk = blk
  @captures = []
end

Instance Attribute Details

#captures ⇒ Object (readonly)

Returns the value of attribute captures.

# File 'lib/cuba.rb', line 132

def captures
  @captures
end

#env ⇒ Object (readonly)

Returns the value of attribute env.

# File 'lib/cuba.rb', line 129

def env
  @env
end

#req ⇒ Object (readonly)

Returns the value of attribute req.

# File 'lib/cuba.rb', line 130

def req
  @req
end

#res ⇒ Object (readonly)

Returns the value of attribute res.

# File 'lib/cuba.rb', line 131

def res
  @res
end

Class Method Details

.app ⇒ Object

# File 'lib/cuba.rb', line 90

def self.app
  @app ||= Rack::Builder.new
end

.call(env) ⇒ Object

# File 'lib/cuba.rb', line 106

def self.call(env)
  prototype.call(env)
end

.deepclone(obj) ⇒ Object

# File 'lib/cuba.rb', line 121

def self.deepclone(obj)
  Marshal.load(Marshal.dump(obj))
end

.define(&block) ⇒ Object

# File 'lib/cuba.rb', line 98

def self.define(&block)
  app.run new(&block)
end

.inherited(child) ⇒ Object

# File 'lib/cuba.rb', line 125

def self.inherited(child)
  child.settings.replace(deepclone(settings))
end

.plugin(mixin) ⇒ Object

# File 'lib/cuba.rb', line 110

def self.plugin(mixin)
  include mixin
  extend  mixin::ClassMethods if defined?(mixin::ClassMethods)

  mixin.setup(self) if mixin.respond_to?(:setup)
end

.prototype ⇒ Object

# File 'lib/cuba.rb', line 102

def self.prototype
  @prototype ||= app.to_app
end

.reset! ⇒ Object

# File 'lib/cuba.rb', line 85

def self.reset!
  @app = nil
  @prototype = nil
end

.settings ⇒ Object

# File 'lib/cuba.rb', line 117

def self.settings
  @settings ||= {}
end

.use(middleware, *args, **kwargs, &block) ⇒ Object

# File 'lib/cuba.rb', line 94

def self.use(middleware, *args, **kwargs, &block)
  app.use(middleware, *args, **kwargs, &block)
end

Instance Method Details

#accept(mimetype) ⇒ Object

If you want to match against the HTTP_ACCEPT value.

Examples:

# HTTP_ACCEPT=application/xml
on accept("application/xml") do
  # automatically set to application/xml.
  res.write res["Content-Type"]
end

# File 'lib/cuba.rb', line 314

def accept(mimetype)
  lambda do
    accept = String(env["HTTP_ACCEPT"]).split(",")

    if accept.any? { |s| s.strip == mimetype }
      res[Rack::CONTENT_TYPE] = mimetype
    end
  end
end

#call(env) ⇒ Object

# File 'lib/cuba.rb', line 143

def call(env)
  dup.call!(env)
end

#call!(env) ⇒ Object

# File 'lib/cuba.rb', line 147

def call!(env)
  @env = env
  @req = settings[:req].new(env)
  @res = settings[:res].new(settings[:default_headers].dup)

  # This `catch` statement will either receive a
  # rack response tuple via a `halt`, or will
  # fall back to issuing a 404.
  #
  # When it `catch`es a throw, the return value
  # of this whole `call!` method will be the
  # rack response tuple, which is exactly what we want.
  catch(:halt) do
    instance_eval(&@blk)

    not_found
    res.finish
  end
end

#default ⇒ Object

Syntactic sugar for providing catch-all matches.

Examples:

on default do
  res.write "404"
end

# File 'lib/cuba.rb', line 330

def default
  true
end

#delete ⇒ Object

# File 'lib/cuba.rb', line 358

def delete;  req.delete?  end

#extension(ext = "\\w+") ⇒ Object

A matcher for files with a certain extension.

Examples:

# PATH_INFO=/style/app.css
on "style", extension("css") do |file|
  res.write file # writes app
end

# File 'lib/cuba.rb', line 272

def extension(ext = "\\w+")
  lambda { consume("([^\\/]+?)\.#{ext}\\z") }
end

#get ⇒ Object

Syntatic sugar for providing HTTP Verb matching.

Examples:

on get, "signup" do
end

on post, "signup" do
end

# File 'lib/cuba.rb', line 354

def get;     req.get?     end

#halt(response) ⇒ Object

# File 'lib/cuba.rb', line 382

def halt(response)
  throw :halt, response
end

#head ⇒ Object

# File 'lib/cuba.rb', line 359

def head;    req.head?    end

#host(hostname) ⇒ Object

Useful for matching against the request host (i.e. HTTP_HOST).

Examples:

on host("account1.example.com"), "api" do
  res.write "You have reached the API of account1."
end

# File 'lib/cuba.rb', line 302

def host(hostname)
  hostname === req.host
end

#link ⇒ Object

# File 'lib/cuba.rb', line 361

def link;    req.link?    end

#match(matcher, segment = SEGMENT) ⇒ Object

# File 'lib/cuba.rb', line 254

def match(matcher, segment = SEGMENT)
  case matcher
  when String then consume(matcher.gsub(/:\w+/, segment))
  when Regexp then consume(matcher)
  when Symbol then consume(segment)
  when Proc   then matcher.call
  else
    matcher
  end
end

#not_found ⇒ Object

# File 'lib/cuba.rb', line 429

def not_found
  res.status = 404
end

#on(*args, &block) ⇒ Object

The heart of the path / verb / any condition matching.

Examples:

on get do
  res.write "GET"
end

on get, "signup" do
  res.write "Signup"
end

on "user/:id" do |uid|
  res.write "User: #{uid}"
end

on "styles", extension("css") do |file|
  res.write render("styles/#{file}.sass")
end

# File 'lib/cuba.rb', line 193

def on(*args, &block)
  try do
    # For every block, we make sure to reset captures so that
    # nesting matchers won't mess with each other's captures.
    @captures = []

    # We stop evaluation of this entire matcher unless
    # each and every `arg` defined for this matcher evaluates
    # to a non-false value.
    #
    # Short circuit examples:
    #    on true, false do
    #
    #    # PATH_INFO=/user
    #    on true, "signup"
    return unless args.all? { |arg| match(arg) }

    # The captures we yield here were generated and assembled
    # by evaluating each of the `arg`s above. Most of these
    # are carried out by #consume.
    yield(*captures)

    if res.status.nil?
      if res.body.empty?
        not_found
      else
        res.headers[Rack::CONTENT_TYPE] ||= DEFAULT
        res.status = 200
      end
    end

    halt(res.finish)
  end
end

#options ⇒ Object

# File 'lib/cuba.rb', line 360

def options; req.options? end

#param(key, default = nil) ⇒ Object

Ensures that certain request parameters are present. Acts like a precondition / assertion for your route. A default value can be provided as a second argument. In that case, it always matches and the result is either the parameter or the default value.

Examples:

# POST with data like user[fname]=John&user[lname]=Doe
on "signup", param("user") do |atts|
  User.create(atts)
end

on "login", param("username", "guest") do |username|
  # If not provided, username == "guest"
end

# File 'lib/cuba.rb', line 290

def param(key, default = nil)
  value = req.params[key.to_s] || default

  lambda { captures << value unless value.to_s.empty? }
end

#patch ⇒ Object

# File 'lib/cuba.rb', line 357

def patch;   req.patch?   end

#post ⇒ Object

# File 'lib/cuba.rb', line 355

def post;    req.post?    end

#put ⇒ Object

# File 'lib/cuba.rb', line 356

def put;     req.put?     end

#root ⇒ Object

Access the root of the application.

Examples:

# GET /
on root do
  res.write "Home"
end

# File 'lib/cuba.rb', line 342

def root
  env[Rack::PATH_INFO] == SLASH || env[Rack::PATH_INFO] == EMPTY
end

#run(app) ⇒ Object

If you want to halt the processing of an existing handler and continue it via a different handler.

Examples:

def redirect(*args)
  run Cuba.new { on(default) { res.redirect(*args) }}
end

on "account" do
  redirect "/login" unless session["uid"]

  res.write "Super secure account info."
end

# File 'lib/cuba.rb', line 378

def run(app)
  halt app.call(req.env)
end

#session ⇒ Object

# File 'lib/cuba.rb', line 167

def session
  env["rack.session"] || raise(RuntimeError,
    "You're missing a session handler. You can get started " +
    "by adding Cuba.use Rack::Session::Cookie")
end

#settings ⇒ Object

# File 'lib/cuba.rb', line 139

def settings
  self.class.settings
end

#trace ⇒ Object

# File 'lib/cuba.rb', line 363

def trace;   req.trace?   end

#unlink ⇒ Object

# File 'lib/cuba.rb', line 362

def unlink;  req.unlink?  end

#vars ⇒ Object

Returns a hash with the information set by the #with method.

with(role: "admin", site: "main") do
  on default do
    res.write(vars.inspect)
  end
end
# => '{:role=>"admin", :site=>"main"}'

# File 'lib/cuba.rb', line 425

def vars
  env["cuba.vars"] ||= {}
end

#with(dict = {}) ⇒ Object

Adds ability to pass information to a nested Cuba application. It receives two parameters: a hash that represents the passed information and a block. The #vars method is used to retrieve a hash with the passed information.

class Platforms < Cuba
  define do
    platform = vars[:platform]

    on default do
      res.write(platform) # => "heroku" or "salesforce"
    end
  end
end

Cuba.define do
  on "(heroku|salesforce)" do |platform|
    with(platform: platform) do
      run(Platforms)
    end
  end
end

# File 'lib/cuba.rb', line 409

def with(dict = {})
  old, env["cuba.vars"] = vars, vars.merge(dict)
  yield
ensure
  env["cuba.vars"] = old
end