Merge pull request #148 from twitter/pass-reference-to-controller

Pass reference to controller to CSP callable config values

Author: oreoshake

README.md

@@ -49,6 +49,7 @@ This gem makes a few assumptions about how you will use some features.  For exam
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
     :default_src => "https: self",
+    :enforce => proc {|controller| contoller.current_user.enforce_csp? }
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
     :report_uri => '//example.com/uri-directive'

lib/secure_headers/headers/content_security_policy.rb

@@ -106,7 +106,7 @@ def initialize(config=nil, options={})
 
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
-        config_val = value.respond_to?(:call) ? value.call : value
+        config_val = value.respond_to?(:call) ? value.call(@controller) : value
 
         if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -76,7 +76,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
         end
 
         it "adds a @enforce and @app_name variables to the report uri" do
-          opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => lambda { 'twitter' })
+          opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => proc { 'twitter' })
           csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
           expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
         end
@@ -90,7 +90,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
         it "accepts procs for report-uris" do
           opts = {
             :default_src => 'self',
-            :report_uri => lambda { "http://lambda/result" }
+            :report_uri => proc { "http://lambda/result" }
           }
 
           csp = ContentSecurityPolicy.new(opts)
@@ -99,15 +99,29 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
         it "accepts procs for other fields" do
           opts = {
-            :default_src => lambda { "http://lambda/result" },
-            :enforce => lambda { true },
-            :disable_fill_missing => lambda { true }
+            :default_src => proc { "http://lambda/result" },
+            :enforce => proc { true },
+            :disable_fill_missing => proc { true }
           }
 
           csp = ContentSecurityPolicy.new(opts)
           expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
           expect(csp.name).to match("Content-Security-Policy")
         end
+
+        it "passes a reference to the controller to the proc" do
+          controller = double
+          user = double(:beta_testing? => true)
+
+          allow(controller).to receive(:current_user).and_return(user)
+          opts = {
+            :disable_fill_missing => true,
+            :default_src => "self",
+            :enforce => lambda { |c| c.current_user.beta_testing? }
+          }
+          csp = ContentSecurityPolicy.new(opts, :controller => controller)
+          expect(csp.name).to match("Content-Security-Policy")
+        end
       end
     end