File: expect_certificate_transparency.rb

package info (click to toggle)
ruby-secure-headers 6.3.2-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 496 kB
  • sloc: ruby: 3,342; makefile: 5
file content (69 lines) | stat: -rw-r--r-- 2,214 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
 
# frozen_string_literal: true
module SecureHeaders
  class ExpectCertificateTransparencyConfigError < StandardError; end

  class ExpectCertificateTransparency
    HEADER_NAME = "Expect-CT".freeze
    INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
    INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
    REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
    INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze

    class << self
      # Public: Generate a Expect-CT header.
      #
      # Returns nil if not configured, returns header name and value if
      # configured.
      def make_header(config, use_agent = nil)
        return if config.nil? || config == OPT_OUT

        header = new(config)
        [HEADER_NAME, header.value]
      end

      def validate_config!(config)
        return if config.nil? || config == OPT_OUT
        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash

        unless [true, false, nil].include?(config[:enforce])
          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
        end

        if !config[:max_age]
          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
        elsif config[:max_age].to_s !~ /\A\d+\z/
          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
        end
      end
    end

    def initialize(config)
      @enforced   = config.fetch(:enforce, nil)
      @max_age    = config.fetch(:max_age, nil)
      @report_uri = config.fetch(:report_uri, nil)
    end

    def value
      [
        enforced_directive,
        max_age_directive,
        report_uri_directive
      ].compact.join(", ").strip
    end

    def enforced_directive
      # Unfortunately `if @enforced` isn't enough here in case someone
      # passes in a random string so let's be specific with it to prevent
      # accidental enforcement.
      "enforce" if @enforced == true
    end

    def max_age_directive
      "max-age=#{@max_age}" if @max_age
    end

    def report_uri_directive
      "report-uri=\"#{@report_uri}\"" if @report_uri
    end
  end
end