5 files changed, 218 insertions, 3 deletions

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 6c9f3e0e67..92efb060a2 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Rails 4.0.0 (unreleased) ##
 
+*   Added ActionDispatch::SSL middleware that when included force all the requests to be under HTTPS protocol. *Rafael Mendonça França*
+
 *   Add `include_hidden` option to select tag. With `:include_hidden => false` select with `multiple` attribute doesn't generate hidden input with blank value. *Vasiliy Ermolovich*
 
 *   Removed default `size` option from the `text_field`, `search_field`, `telephone_field`, `url_field`, `email_field` helpers. *Philip Arndt*
@@ -120,8 +122,8 @@
 
 *   `favicon_link_tag` helper will now use the favicon in app/assets by default. *Lucas Caton*
 
-*    `ActionView::Helpers::TextHelper#highlight` now defaults to the
-     HTML5 `mark` element. *Brian Cardarella*
+*   `ActionView::Helpers::TextHelper#highlight` now defaults to the
+    HTML5 `mark` element. *Brian Cardarella*
 
 
 ## Rails 3.2.3 (unreleased) ##
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index a9542a7d1b..e3b04ac097 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -61,6 +61,7 @@ module ActionDispatch
     autoload :Reloader
     autoload :RemoteIp
     autoload :ShowExceptions
+    autoload :SSL
     autoload :Static
   end
 
diff --git a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
index 836136eb95..ab740a0190 100644
--- a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
@@ -9,7 +9,7 @@ module ActionDispatch
   # of ShowExceptions. Everytime there is an exception, ShowExceptions will
   # store the exception in env["action_dispatch.exception"], rewrite the
   # PATH_INFO to the exception status code and call the rack app.
-  # 
+  #
   # If the application returns a "X-Cascade" pass response, this middleware
   # will send an empty response as result with the correct status code.
   # If any exception happens inside the exceptions app, this middleware
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
new file mode 100644
index 0000000000..c758110367
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -0,0 +1,77 @@
+module ActionDispatch
+  class SSL
+    YEAR = 31536000
+
+    def self.default_hsts_options
+      { :expires => YEAR, :subdomains => false }
+    end
+
+    def initialize(app, options = {})
+      @app = app
+
+      @hsts = options.fetch(:hsts, {})
+      @hsts = {} if @hsts == true
+      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+
+      @exclude = options[:exclude]
+      @host    = options[:host]
+      @port    = options[:port]
+    end
+
+    def call(env)
+      return @app.call(env) if exclude?(env)
+
+      request = Request.new(env)
+
+      if request.ssl?
+        status, headers, body = @app.call(env)
+        headers = hsts_headers.merge(headers)
+        flag_cookies_as_secure!(headers)
+        [status, headers, body]
+      else
+        redirect_to_https(request)
+      end
+    end
+
+    private
+      def exclude?(env)
+        @exclude && @exclude.call(env)
+      end
+
+      def redirect_to_https(request)
+        url        = URI(request.url)
+        url.scheme = "https"
+        url.host   = @host if @host
+        url.port   = @port if @port
+        headers    = hsts_headers.merge('Content-Type' => 'text/html',
+                                        'Location'     => url.to_s)
+
+        [301, headers, []]
+      end
+
+      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+      def hsts_headers
+        if @hsts
+          value = "max-age=#{@hsts[:expires]}"
+          value += "; includeSubDomains" if @hsts[:subdomains]
+          { 'Strict-Transport-Security' => value }
+        else
+          {}
+        end
+      end
+
+      def flag_cookies_as_secure!(headers)
+        if cookies = headers['Set-Cookie']
+          cookies = cookies.split("\n")
+
+          headers['Set-Cookie'] = cookies.map { |cookie|
+            if cookie !~ /; secure(;|$)/
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          }.join("\n")
+        end
+      end
+  end
+end
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
new file mode 100644
index 0000000000..b1463f31cf
--- /dev/null
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -0,0 +1,135 @@
+require 'abstract_unit'
+
+class SSLTest < ActionDispatch::IntegrationTest
+  def default_app
+    lambda { |env|
+      headers = {'Content-Type' => "text/html"}
+      headers['Set-Cookie'] = "id=1; path=/\ntoken=abc; path=/; secure; HttpOnly"
+      [200, headers, ["OK"]]
+    }
+  end
+
+  def app
+    @app ||= ActionDispatch::SSL.new(default_app)
+  end
+  attr_writer :app
+
+  def test_allows_https_url
+    get "https://example.org/path?key=value"
+    assert_response :success
+  end
+
+  def test_allows_https_proxy_header_url
+    get "http://example.org/", {}, 'HTTP_X_FORWARDED_PROTO' => "https"
+    assert_response :success
+  end
+
+  def test_redirects_http_to_https
+    get "http://example.org/path?key=value"
+    assert_response :redirect
+    assert_equal "https://example.org/path?key=value",
+      response.headers['Location']
+  end
+
+  def test_exclude_from_redirect
+    self.app = ActionDispatch::SSL.new(default_app, :exclude => lambda { |env| true })
+    get "http://example.org/"
+    assert_response :success
+  end
+
+  def test_hsts_header_by_default
+    get "https://example.org/"
+    assert_equal "max-age=31536000",
+      response.headers['Strict-Transport-Security']
+  end
+
+  def test_hsts_header
+    self.app = ActionDispatch::SSL.new(default_app, :hsts => true)
+    get "https://example.org/"
+    assert_equal "max-age=31536000",
+      response.headers['Strict-Transport-Security']
+  end
+
+  def test_disable_hsts_header
+    self.app = ActionDispatch::SSL.new(default_app, :hsts => false)
+    get "https://example.org/"
+    refute response.headers['Strict-Transport-Security']
+  end
+
+  def test_hsts_expires
+    self.app = ActionDispatch::SSL.new(default_app, :hsts => { :expires => 500 })
+    get "https://example.org/"
+    assert_equal "max-age=500",
+      response.headers['Strict-Transport-Security']
+  end
+
+  def test_hsts_include_subdomains
+    self.app = ActionDispatch::SSL.new(default_app, :hsts => { :subdomains => true })
+    get "https://example.org/"
+    assert_equal "max-age=31536000; includeSubDomains",
+      response.headers['Strict-Transport-Security']
+  end
+
+  def test_flag_cookies_as_secure
+    get "https://example.org/"
+    assert_equal ["id=1; path=/; secure", "token=abc; path=/; secure; HttpOnly" ],
+      response.headers['Set-Cookie'].split("\n")
+  end
+
+  def test_flag_cookies_as_secure_at_end_of_line
+    self.app = ActionDispatch::SSL.new(lambda { |env|
+      headers = {
+        'Content-Type' => "text/html",
+        'Set-Cookie' => "problem=def; path=/; HttpOnly; secure"
+      }
+      [200, headers, ["OK"]]
+    })
+
+    get "https://example.org/"
+    assert_equal ["problem=def; path=/; HttpOnly; secure"],
+      response.headers['Set-Cookie'].split("\n")
+  end
+
+  def test_no_cookies
+    self.app = ActionDispatch::SSL.new(lambda { |env|
+      [200, {'Content-Type' => "text/html"}, ["OK"]]
+    })
+    get "https://example.org/"
+    assert !response.headers['Set-Cookie']
+  end
+
+  def test_redirect_to_host
+    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org")
+    get "http://example.org/path?key=value"
+    assert_equal "https://ssl.example.org/path?key=value",
+      response.headers['Location']
+  end
+
+  def test_redirect_to_port
+    self.app = ActionDispatch::SSL.new(default_app, :port => 8443)
+    get "http://example.org/path?key=value"
+    assert_equal "https://example.org:8443/path?key=value",
+      response.headers['Location']
+  end
+
+  def test_redirect_to_host_and_port
+    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org", :port => 8443)
+    get "http://example.org/path?key=value"
+    assert_equal "https://ssl.example.org:8443/path?key=value",
+      response.headers['Location']
+  end
+
+  def test_redirect_to_secure_host_when_on_subdomain
+    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org")
+    get "http://ssl.example.org/path?key=value"
+    assert_equal "https://ssl.example.org/path?key=value",
+      response.headers['Location']
+  end
+
+  def test_redirect_to_secure_subdomain_when_on_deep_subdomain
+    self.app = ActionDispatch::SSL.new(default_app, :host => "example.co.uk")
+    get "http://double.rainbow.what.does.it.mean.example.co.uk/path?key=value"
+    assert_equal "https://example.co.uk/path?key=value",
+      response.headers['Location']
+  end
+end