Hide default config behind a private class method

We don't expect public callers to actually access the default config directly.
So, we hide it behind a private class method. There is only one caller in the
entire codebase that is not a test. It does make tests a bit uglier, but is
probably worth it for the benefits of hiding it from the public API.

Author: ptoomey3

lib/secure_headers.rb

@@ -195,7 +195,7 @@ def content_security_policy_style_nonce(request)
     # Falls back to the global config
     def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.default
+        Configuration.send(:default_config)
 
 
       # Global configs are frozen, per-request configs are not. When we're not

lib/secure_headers/configuration.rb

@@ -6,6 +6,7 @@ class Configuration
     DEFAULT_CONFIG = :default
     NOOP_OVERRIDE = "secure_headers_noop_override"
     class AlreadyConfiguredError < StandardError; end
+    class NotYetConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
       # Public: Set the global default configuration.
@@ -14,14 +15,6 @@ class << self
       #
       # Returns the newly created config.
       def default(&block)
-        if defined?(@default_config) && !block_given?
-          return @default_config
-        else
-          configure(&block)
-        end
-      end
-
-      def configure(&block)
         if defined?(@default_config)
           raise AlreadyConfiguredError, "Policy already configured"
         end
@@ -38,6 +31,7 @@ def configure(&block)
         new_config.validate_config!
         @default_config = new_config
       end
+      alias_method :configure, :default
 
       # Public: create a named configuration that overrides the default config.
       #
@@ -83,6 +77,17 @@ def deep_copy(config)
         end
       end
 
+      # Private: Returns the internal default configuration. This should only
+      # ever be called by internal callers (or tests) that know the semantics
+      # of ensuring that the default config is never mutated and is dup(ed)
+      # before it is used in a request.
+      def default_config
+        unless defined?(@default_config)
+          raise NotYetConfiguredError, "Default policy not yet configured"
+        end
+        @default_config
+      end
+
       # Private: convenience method purely DRY things up. The value may not be a
       # hash (e.g. OPT_OUT, nil)
       def deep_copy_if_hash(value)

spec/lib/secure_headers/configuration_spec.rb

@@ -41,7 +41,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
 
-      config = Configuration.default
+      config = Configuration.send(:default_config)
       expect(config.cookies).to eq(OPT_OUT)
     end
 
@@ -50,7 +50,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
 
-      config = Configuration.default
+      config = Configuration.send(:default_config)
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end

spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -5,6 +5,7 @@ module SecureHeaders
   describe PolicyManagement do
     before(:each) do
       reset_config
+      Configuration.default
     end
 
     let (:default_opts) do
@@ -161,14 +162,18 @@ module SecureHeaders
     end
 
     describe "#combine_policies" do
+      before(:each) do
+        reset_config
+      end
       it "combines the default-src value with the override if the directive was unconfigured" do
         Configuration.default do |config|
           config.csp = {
             default_src: %w(https:),
             script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, style_src: %w(anothercdn.com))
+        default_policy = Configuration.send(:default_config)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
@@ -183,7 +188,8 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, report_uri: [report_uri])
+        default_policy = Configuration.send(:default_config)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_uri: [report_uri])
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.value).to include("report-uri #{report_uri}")
       end
@@ -199,7 +205,8 @@ module SecureHeaders
         non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, non_default_source_additions)
+        default_policy = Configuration.send(:default_config)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, non_default_source_additions)
 
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
@@ -214,7 +221,8 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, report_only: true)
+        default_policy = Configuration.send(:default_config)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_only: true)
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
@@ -227,7 +235,8 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, block_all_mixed_content: true)
+        default_policy = Configuration.send(:default_config)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
@@ -236,8 +245,9 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = OPT_OUT
         end
+        default_policy = Configuration.send(:default_config)
         expect do
-          ContentSecurityPolicy.combine_policies(Configuration.default.csp.to_h, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end

spec/lib/secure_headers/middleware_spec.rb

@@ -11,10 +11,12 @@ module SecureHeaders
 
     before(:each) do
       reset_config
+      Configuration.default
     end
 
     it "warns if the hpkp report-uri host is the same as the current host" do
       report_host = "report-uri.io"
+      reset_config
       Configuration.default do |config|
         config.hpkp = {
           max_age: 10000000,
@@ -54,6 +56,9 @@ module SecureHeaders
     end
 
     context "cookies" do
+      before(:each) do
+        reset_config
+      end
       context "cookies should be flagged" do
         it "flags cookies as secure" do
           Configuration.default { |config| config.cookies = {secure: true, httponly: OPT_OUT, samesite: OPT_OUT} }
@@ -85,6 +90,9 @@ module SecureHeaders
     end
 
     context "cookies" do
+      before(:each) do
+        reset_config
+      end
       it "flags cookies from configuration" do
         Configuration.default { |config| config.cookies = { secure: true, httponly: true, samesite: { lax: true} } }
         request = Rack::Request.new("HTTPS" => "on")

spec/lib/secure_headers_spec.rb

@@ -9,6 +9,18 @@ module SecureHeaders
 
     let(:request) { Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on") }
 
+    it "raises a NotYetConfiguredError if default has not been set" do
+      expect do
+        SecureHeaders.header_hash_for(request)
+      end.to raise_error(Configuration::NotYetConfiguredError)
+    end
+
+    it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
+      expect do
+        SecureHeaders.opt_out_of_header(request, :csp)
+      end.to raise_error(Configuration::NotYetConfiguredError)
+    end
+
     it "raises and ArgumentError when referencing an override that has not been set" do
       expect do
         Configuration.default