path: root/railties/test/application
Commit message | Author | Date | Files | Lines
* Adds support for configuring HTTP Feature Policy (#33439) | Jacob Bednarz | 2019-07-10 | 2 files | -0/+192

  A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempt an unexpected action, the browser will override it and maintain the intended UX.

  WICG specification: https://wicg.github.io/feature-policy/

  The end result is a HTTP header that looks like the following:

  ```
  Feature-Policy: geolocation 'none'; autoplay https://example.com
  ```

  This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1].

  As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4].

  #### Examples

  Using an initializer

  ```rb
  # config/initializers/feature_policy.rb
  Rails.application.config.feature_policy do |f|
    f.geolocation :none
    f.camera :none
    f.payment "https://secure.example.com"
    f.fullscreen :self
  end
  ```

  In a controller

  ```rb
  class SampleController < ApplicationController
    def index
      feature_policy do |f|
        f.geolocation "https://example.com"
      end
    end
  end
  ```

  Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change.

  This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on its own.

  Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality.

  [1]: https://github.com/WICG/feature-policy/blob/master/features.md
  [2]: https://www.chromestatus.com/feature/5694225681219584
  [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801
  [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy
  [5]: https://developers.google.com/web/updates/2018/06/feature-policy
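As an added illustration of the DSL-to-header mapping the commit describes (this is not the code from the commit or from Rails), a minimal Ruby stand-in that serialises the block into the `Feature-Policy` header value and rejects sources that would not be valid allowlist entries; the `FeaturePolicy` class name, the directive subset and the `override` merge semantics are assumptions.

```ruby
# Added example (not Rails' own code): a minimal stand-in for the Feature-Policy
# DSL described in the commit, serialising the block into the header value.
# The class name, the directive subset and the override() merge are assumptions.
require "uri"

class FeaturePolicy
  # Subset of the WICG feature names (the commit links the full list); keyword
  # sources are quoted in the header, origins are emitted as-is.
  DIRECTIVES = %w[geolocation camera microphone payment fullscreen autoplay].freeze
  KEYWORDS = { none: "'none'", self: "'self'" }.freeze

  def initialize
    @directives = {}
    yield self if block_given?
  end

  # f.geolocation :none / f.payment "https://secure.example.com"
  DIRECTIVES.each do |name|
    define_method(name) do |*sources|
      @directives[name] = sources.flatten.map { |s| normalize(s) }
      self
    end
  end

  # "geolocation 'none'; autoplay https://example.com", in the order set.
  def build
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end

  # A per-controller block layered over the initializer-wide policy: directives
  # set in the block replace the defaults, the rest are kept (assumed semantics).
  def override
    copy = FeaturePolicy.new
    copy.instance_variable_set(:@directives, @directives.dup)
    yield copy
    copy
  end

  private

  # Reject a source that would not be a valid allowlist entry (e.g. a bare
  # hostname without a scheme) rather than emit a policy the browser ignores.
  def normalize(source)
    case source
    when Symbol
      KEYWORDS.fetch(source) { raise ArgumentError, "unknown keyword #{source.inspect}" }
    when String
      uri = URI.parse(source)
      raise ArgumentError, "origin with scheme required: #{source}" unless uri.scheme && uri.host
      source
    else
      raise ArgumentError, "unsupported source #{source.inspect}"
    end
  end
end
```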
* Merge pull request #36534 from y-yagi/fixes_35137 | Yuji Yaginuma | 2019-07-03 | 1 file | -0/+32

  Add the ability to set the CSP nonce only to the specified directives

  * Add the ability to set the CSP nonce only to the specified directives | yuuji.yaginuma | 2019-06-22 | 1 file | -0/+32

    I changed to set the CSP nonce on the `style-src` directive in #32932. But this causes an issue when `unsafe-inline` is specified for `style-src` (if a nonce is present, the nonce takes precedence over `unsafe-inline`). So I made the nonce directives configurable. By configuring this, users can make the CSP as before.

    Fixes #35137.
* Make `bin/setup` test pass even if the database does not exist | yuuji.yaginuma | 2019-06-30 | 1 file | -1/+1
* Load initial database.yml once, and warn if we can't create tasks | eileencodes | 2019-06-27 | 1 file | -0/+28

  For multiple databases we attempt to generate the tasks by reading the database.yml before the Rails application is booted. This means that we need to strip out ERB since it could be reading Rails configs. In some cases like https://github.com/rails/rails/issues/36540 the ERB is too complex and we can't overwrite with the DummyCompiler we used in https://github.com/rails/rails/pull/35497. For the complex cases we simply issue a warning that says we couldn't infer the database tasks from the database.yml.

  While working on this I decided to update the code to only load the database.yml once initially so that we avoid having to issue the same warning multiple times. Note that this had no performance impact in my testing and is merely for not having to save the error off somewhere. Also this feels cleaner.

  Note that this will not break running tasks that exist, it will just mean that tasks for multi-db like `db:create:other_db` will not be generated. If the database.yml is actually unreadable it will blow up during normal rake task calls.

  Fixes #36540
* Make `ActionDispatch::Response#content_type` behavior configurable | yuuji.yaginuma | 2019-06-21 | 1 file | -0/+27

  I changed the return value of `ActionDispatch::Response#content_type` in #36034. But this change seems to be an obstacle to upgrading. https://github.com/rails/rails/pull/36034#issuecomment-498795893

  Therefore, I restored the behavior of `ActionDispatch::Response#content_type` to 5.2 and deprecated the old behavior. Also, made it possible to control the behavior with the config.
* Move SchemaMigration to migration_context | eileencodes | 2019-06-14 | 1 file | -3/+4

  This PR moves the `schema_migration` to `migration_context` so that we can access the `schema_migration` per connection.

  This does not change behavior of the SchemaMigration if you are using one database. This also does not change behavior of any public APIs. `Migrator` is private as is `MigrationContext` so we can change these as needed.

  We now need to pass a `schema_migration` to `Migrator` so that we can run migrations on the right connection outside the context of a rake task.

  The bugs this fixes were discovered while debugging the issues around the SchemaCache on initialization with multiple databases. It was clear that `get_all_versions` wouldn't work without these changes outside the context of a rake task (because in the rake task we establish a connection and change AR::Base.connection to the db we're running on).

  Because the `SchemaCache` relies on the `SchemaMigration` information we need to make sure we store it per-connection rather than on ActiveRecord::Base.

  [Eileen M. Uchitelle & Aaron Patterson]
* Merge pull request #36472 from kamipo/empty_line_only_before_access_modifier | Ryuta Kamizono | 2019-06-13 | 5 files | -5/+0

  Enable `Layout/EmptyLinesAroundAccessModifier` cop

  * Enable `Layout/EmptyLinesAroundAccessModifier` cop | Ryuta Kamizono | 2019-06-13 | 5 files | -5/+0

    We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195).

    Now the `Layout/EmptyLinesAroundAccessModifier` cop has a new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059).

    That cop and enforced style will reduce our code review cost.
* Don't `drop_table` before schema cache tests | Ryuta Kamizono | 2019-06-13 | 1 file | -1/+2

  Since 5cab34449, `drop_table` clears schema cache.
* Convert the db:abort_if_pending_migrations task to be multi-DB aware | Mark Lee | 2019-06-10 | 1 file | -0/+26
* Merge pull request #36416 from freeletics/fix-db-prepare | Eileen M. Uchitelle | 2019-06-05 | 1 file | -0/+20

  Fixed db:prepare task for multiple databases.

  * Fixed db:prepare task for multiple databases. | Wojciech Wnętrzak | 2019-06-05 | 1 file | -0/+20

    When one database already existed but not the other, the existing database was wiped out during setup of the missing one.
* Merge pull request #36394 from eileencodes/treat-application-record-as-primary | Eileen M. Uchitelle | 2019-06-05 | 1 file | -3/+3

  Treat ActiveRecord::Base and ApplicationRecord as "primary"

  * Treat ActiveRecord::Base and ApplicationRecord as "primary" | eileencodes | 2019-06-05 | 1 file | -3/+3

    When someone has a multi-db application their `ApplicationRecord` will look like:

    ```ruby
    class ApplicationRecord < ActiveRecord::Base
      self.abstract_class = true
      connects_to database: { writing: :primary, reading: :replica }
    end
    ```

    This will cause us to open 2 connections to ActiveRecord::Base's database when we actually only want 1. This is because Rails sees `ApplicationRecord` and thinks it's a new connection, not the existing `ActiveRecord::Base` connection because the `connection_specification_name` is different.

    This PR changes `ApplicationRecord` classes to consider themselves the same as the "primary" connection.

    Fixes #36382
* Extract default log file open operation to method | yuuji.yaginuma | 2019-06-05 | 1 file | -0/+7

  This allows an application to customize the default log file (e.g. `reopen`).

  Fixes #32211.
* Fail parallel tests if workers exit early | John Hawthorn | 2019-05-30 | 1 file | -0/+18

  Previously, if a test worker exited early, the in-flight test it was supposed to run wasn't reported as a failure. If all workers exited immediately, this would be reported as, for example:

    Finished in 1.708349s, 39.2192 runs/s, 79.0237 assertions/s.
    67 runs, 135 assertions, 0 failures, 0 errors, 2 skips

  This commit validates that all workers finish running tests by ensuring that the queue is empty after they exit. This works because we signal the workers to exit by pushing nil onto the queue, so that there should be a number of items left in the queue matching potentially missed tests.
* Fix: DummyCompiler embeds invalid YAML content | Vishal Telangre | 2019-05-15 | 1 file | -0/+17

  Fixes https://github.com/rails/rails/issues/36285.

  Follow up of https://github.com/rails/rails/pull/36237.
* Fix database loading when ERB is single line ternary | eileencodes | 2019-05-10 | 1 file | -0/+16

  *sigh* this seems like the never ending bug. I don't love or even like this fix but it does _work_.

  Rafael suggested using `dummy_key: dummy_value` but unfortunately that doesn't work. So we're left with checking whether there might be ternary type things in the content and then assuming that we want to replace the line with a key value pair.

  Technically fixes https://github.com/rails/rails/issues/36088
* Merge pull request #36196 from st0012/fix-29947 | Eileen M. Uchitelle | 2019-05-07 | 1 file | -0/+16

  Hide malformed parameters from error page

  Accidentally merged this to 6-0-stable so forward porting it to master here instead.
* new config to opt-out from adding app directories to $LOAD_PATH | Xavier Noria | 2019-04-28 | 1 file | -0/+28
* upgrades Zeitwerk to 2.1.4 | Xavier Noria | 2019-04-23 | 1 file | -51/+21

  This commit more or less undoes 9b5401f, restores autoloaded? not to touch the descendants tracker, and autoloaded_constants because it is documented in the guide.
* Revert "Include Caching module for ActionController::API" | Rafael França | 2019-04-22 | 1 file | -13/+0
* Merge pull request #36038 from st0012/fix-35602 | Guillermo Iguaran | 2019-04-22 | 1 file | -0/+13

  Include Caching module for ActionController::API

  * Make sure api controllers can perform caching as well | st0012 | 2019-04-19 | 1 file | -0/+13

    Currently ActionController::API doesn't include the Caching module, so it can't perform caching. And even if users include it later manually, it won't inherit the application's default cache store for action_controllers. So the only way to solve this issue is to include the Caching module in ActionController::API, too.

    This closes #35602
* Make system tests take failed screenshots in `before_teardown` hook | Richard Macklin | 2019-04-20 | 1 file | -0/+26

  Previously we were calling the `take_failed_screenshot` method in an `after_teardown` hook. However, this means that other teardown hooks have to be executed before we take the screenshot. Since there can be dynamic updates to the page after the assertion fails and before we take a screenshot, it seems desirable to minimize that gap as much as possible. Taking the screenshot in a `before_teardown` rather than an `after_teardown` helps with that, and has a side benefit of allowing us to remove the nested `ensure` commented on here: https://github.com/rails/rails/pull/34411#discussion_r232819478
* Handle up/down for multiple databases | eileencodes | 2019-04-19 | 1 file | -1/+58

  This change adds the ability to run up/down for a database in a multi-db environment.

  If you have an app with a primary and animals database the following tasks will be generated:

  ```
  VERSION=123 rake db:migrate:up:primary
  VERSION=123 rake db:migrate:up:primary
  VERSION=123 rake db:migrate:down:primary
  VERSION=123 rake db:migrate:up:animals
  ```

  I didn't generate descriptions with them since we don't generate a description for a single database application.

  In addition to this change I've made it so if your application has multiple databases Rails will raise if you try to run `up` or `down` without a namespace. This is because we don't know which DB you want to run `up` or `down` against unless the app tells us, so it's safer to just block it and recommend using namespaced versions of up/down respectively.

  The output for the raise looks like:

  ```
  You're using a multiple database application. To use `db:migrate:down` you must run the namespaced task with a VERSION. Available tasks are db:migrate:down:primary and db:migrate:down:animals.
  ```
* Manage ActionDispatch::ActionableExceptions from the default middleware stack | Genadi Samokovarov | 2019-04-19 | 1 file | -0/+2
* Factorize bin/update in bin/setup, and make bin/setup idempotent | David Stosik | 2019-04-17 | 1 file | -15/+11

  `bin/setup` and `bin/update` are currently almost the same file. The only thing that keeps them apart is that one is running `bin/rails db:setup` and the other `bin/rails db:migrate`.

  I'm suggesting here that they should be a unique script, which needs to be idempotent.

  - New to a project, need to get started? `bin/setup`
  - Need to install new dependencies that were added recently? `bin/setup`.

  Before deprecating `bin/update`, I'm suggesting we just have it call `bin/setup`.
* Merge pull request #35997 from tjoyal/Rails/MailersController/do-not-leak-I18n-global-setting-changes | Rafael França | 2019-04-16 | 1 file | -0/+7

  [Rails::MailersController] Do not leak I18n global setting changes

  * [Rails::MailersController] Do not leak I18n global setting changes | Thierry Joyal | 2019-04-16 | 1 file | -0/+7
* Squash warning: possibly useless use of a constant in void context | utilum | 2019-04-16 | 1 file | -2/+2
* Remove the Amazon SES ingress | George Claghorn | 2019-04-14 | 1 file | -1/+0

  It's unusable and not ready to ship in Rails 6.0. We'll rewrite it for 6.1.
* deprecates autoloading constants during initialization [closes #35745] | Xavier Noria | 2019-04-14 | 1 file | -0/+55

  See rationale in the warning message included in the patch.
* improves the reloading disabled error message | Xavier Noria | 2019-04-11 | 1 file | -0/+9

  The original message from Zeitwerk is "can't reload, please call loader.enable_reloading before setup (Zeitwerk::Error)", which is not very informative for Rails programmers. Rails should err with a message worded in terms of its interface.
* cleans up constant in test suite | Xavier Noria | 2019-04-09 | 1 file | -0/+1

* depend on Zeitwerk 2.1.0 | Xavier Noria | 2019-04-09 | 1 file | -9/+61

* depend on Zeitwerk 2 | Xavier Noria | 2019-04-07 | 1 file | -0/+14

* Auto-correct rubocop offences | Ryuta Kamizono | 2019-04-03 | 1 file | -2/+2
* Merge pull request #35768 from robertomiranda/r/rake-db-prepare | Eileen M. Uchitelle | 2019-04-02 | 2 files | -0/+36

  Add db:prepare rake task.

  * Add migration in case of db:drop assertion | Roberto Miranda | 2019-04-02 | 1 file | -0/+7

  * 💇 | Roberto Miranda | 2019-04-02 | 2 files | -2/+1

  * Add test cases for rake db:prepare | Roberto Miranda | 2019-04-02 | 2 files | -0/+30
* url -> URL where apt except inside actionpack/ | Sharang Dashputre | 2019-04-01 | 5 files | -8/+8

* [ci skip] Fix typo directores -> directories | Abhay Nikam | 2019-03-30 | 1 file | -1/+1

* optimizes eager loading in :zeitwerk mode | Xavier Noria | 2019-03-30 | 1 file | -0/+14

  During initialization, the eager load paths of engines are unshifted into AS::Dependencies.autoload_paths. After that, the collection is frozen. (See the initializers in railties/lib/rails/engine.rb.)

  Hence, there is no eager load path that is not an autoload path too, and so the array difference in the deleted code is always an empty array. Just do nothing.

* fixes eager loading edge case in :zeitwerk mode | Xavier Noria | 2019-03-30 | 1 file | -0/+28
* Add config.disable_sandbox option to Rails console | Prem Sichanugrist | 2019-03-23 | 2 files | -3/+34

  A long-running `rails console --sandbox` could cause a database server to become out-of-memory as it's holding on to changes that happen on the database.

  Given that it's common for a Ruby on Rails application with huge traffic to have separate write database and read database, we should allow the developers to disable this sandbox option to prevent someone from accidentally causing a Denial-of-Service on their server.
* Fix server restart test on Puma 3.12.1 | yuuji.yaginuma | 2019-03-22 | 1 file | -2/+2

  Since https://github.com/puma/puma/pull/1700, the default host is correctly used. So `localhost` is used instead of `0.0.0.0`.

  As a result, the log output on restart is changed, and the restart test fails on Puma 3.12.1. https://travis-ci.org/rails/rails/jobs/509239592#L2303-L2305

  Specify binding explicitly to avoid being affected by Puma changes.
* Engines are reloaded in Zeitwerk mode [closes #35618] | Xavier Noria | 2019-03-15 | 1 file | -14/+19