Replace #get with #default and don't require explicit initial configuration anymore

Author: ptoomey3

lib/secure_headers.rb

@@ -166,7 +166,7 @@ def header_hash_for(request)
     # name - the name of the previously configured override.
     def use_secure_headers_override(request, name)
       config = config_for(request)
-      config.apply_override(name)
+      config.override(name)
       override_secure_headers_request_config(request, config)
     end
 
@@ -195,7 +195,7 @@ def content_security_policy_style_nonce(request)
     # Falls back to the global config
     def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.get
+        Configuration.default
 
 
       # Global configs are frozen, per-request configs are not. When we're not

lib/secure_headers/configuration.rb

@@ -5,7 +5,7 @@ module SecureHeaders
   class Configuration
     DEFAULT_CONFIG = :default
     NOOP_OVERRIDE = "secure_headers_noop_override"
-    class NotYetConfiguredError < StandardError; end
+    class AlreadyConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
       # Public: Set the global default configuration.
@@ -14,6 +14,18 @@ class << self
       #
       # Returns the newly created config.
       def default(&block)
+        if defined?(@default_config) && !block_given?
+          return @default_config
+        else
+          configure(&block)
+        end
+      end
+
+      def configure(&block)
+        if defined?(@default_config)
+          raise AlreadyConfiguredError, "Policy already configured"
+        end
+
         # Define a built-in override that clears all configuration options and
         # results in no security headers being set.
         override(NOOP_OVERRIDE) do |config|
@@ -26,12 +38,6 @@ def default(&block)
         new_config.validate_config!
         @default_config = new_config
       end
-      alias_method :configure, :default
-
-      def get
-        raise NotYetConfiguredError, "Default policy not yet supplied" unless @default_config
-        @default_config
-      end
 
       # Public: create a named configuration that overrides the default config.
       #
@@ -170,7 +176,7 @@ def dup
     # Public: Apply a named override to the current config
     #
     # Returns self
-    def apply_override(name)
+    def override(name = nil, &block)
       if override = self.class.overrides(name)
         instance_eval(&override)
       else

spec/lib/secure_headers/configuration_spec.rb

@@ -5,14 +5,14 @@ module SecureHeaders
   describe Configuration do
     before(:each) do
       reset_config
-      Configuration.default
     end
 
     it "has a default config" do
       expect(Configuration.default).to_not be_nil
     end
 
     it "has an 'noop' override" do
+      Configuration.default
       expect(Configuration.overrides(Configuration::NOOP_OVERRIDE)).to_not be_nil
     end
 
@@ -41,7 +41,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
 
-      config = Configuration.get
+      config = Configuration.default
       expect(config.cookies).to eq(OPT_OUT)
     end
 
@@ -50,7 +50,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
 
-      config = Configuration.get
+      config = Configuration.default
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end

spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -3,6 +3,10 @@
 
 module SecureHeaders
   describe PolicyManagement do
+    before(:each) do
+      reset_config
+    end
+
     let (:default_opts) do
       {
         default_src: %w(https:),
@@ -164,7 +168,7 @@ module SecureHeaders
             script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, style_src: %w(anothercdn.com))
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
@@ -179,7 +183,7 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_uri: [report_uri])
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, report_uri: [report_uri])
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.value).to include("report-uri #{report_uri}")
       end
@@ -195,7 +199,7 @@ module SecureHeaders
         non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, non_default_source_additions)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, non_default_source_additions)
 
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
@@ -210,7 +214,7 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_only: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, report_only: true)
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
@@ -223,7 +227,7 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
@@ -233,7 +237,7 @@ module SecureHeaders
           config.csp = OPT_OUT
         end
         expect do
-          ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end

spec/lib/secure_headers/middleware_spec.rb

@@ -11,7 +11,6 @@ module SecureHeaders
 
     before(:each) do
       reset_config
-      Configuration.default
     end
 
     it "warns if the hpkp report-uri host is the same as the current host" do

spec/lib/secure_headers/view_helpers_spec.rb

@@ -105,6 +105,7 @@ module SecureHeaders
     let(:filename) { "app/views/asdfs/index.html.erb" }
 
     before(:all) do
+      reset_config
       Configuration.default do |config|
         config.csp = {
           default_src: %w('self'),

spec/lib/secure_headers_spec.rb

@@ -9,18 +9,6 @@ module SecureHeaders
 
     let(:request) { Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on") }
 
-    it "raises a NotYetConfiguredError if default has not been set" do
-      expect do
-        SecureHeaders.header_hash_for(request)
-      end.to raise_error(Configuration::NotYetConfiguredError)
-    end
-
-    it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
-      expect do
-        SecureHeaders.opt_out_of_header(request, :csp)
-      end.to raise_error(Configuration::NotYetConfiguredError)
-    end
-
     it "raises and ArgumentError when referencing an override that has not been set" do
       expect do
         Configuration.default
@@ -364,6 +352,7 @@ module SecureHeaders
           end
 
           it "sets identical values when the configs are the same" do
+            reset_config
             Configuration.default do |config|
               config.csp = {
                 default_src: %w('self'),
@@ -381,6 +370,7 @@ module SecureHeaders
           end
 
           it "sets different headers when the configs are different" do
+            reset_config
             Configuration.default do |config|
               config.csp = {
                 default_src: %w('self'),
@@ -395,6 +385,7 @@ module SecureHeaders
           end
 
           it "allows you to opt-out of enforced CSP" do
+            reset_config
             Configuration.default do |config|
               config.csp = SecureHeaders::OPT_OUT
               config.csp_report_only = {
@@ -452,6 +443,7 @@ module SecureHeaders
 
           context "when inferring which config to modify" do
             it "updates the enforced header when configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = {
                   default_src: %w('self'),
@@ -466,6 +458,7 @@ module SecureHeaders
             end
 
             it "updates the report only header when configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = OPT_OUT
                 config.csp_report_only = {
@@ -481,6 +474,7 @@ module SecureHeaders
             end
 
             it "updates both headers if both are configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = {
                   default_src: %w(enforced.com),

spec/spec_helper.rb

@@ -44,7 +44,7 @@ module SecureHeaders
   class Configuration
     class << self
       def clear_default_config
-        @default_config = nil
+        remove_instance_variable(:@default_config) if defined?(@default_config)
       end
     end
   end