feat: allow rack protection use and except options to be configured

pact-foundation · Sep 14, 2022 · f44db58 · f44db58
1 parent e9a66b9
commit f44db58
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/lib/pact_broker/app.rb b/lib/pact_broker/app.rb
@@ -217,7 +217,14 @@ def configure_basic_auth
 
     def configure_rack_protection
       if configuration.use_rack_protection
-        @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+        rack_protection_options = {
+          logger: logger,
+          use: configuration.rack_protection_use,
+          except: configuration.rack_protection_except
+        }.compact
+
+        logger.info("Configuring Rack::Protection", payload: rack_protection_options)
+        @app_builder.use Rack::Protection, rack_protection_options
 
         is_hal_browser = ->(env) { env["PATH_INFO"] == "/hal-browser/browser.html" }
         not_hal_browser = ->(env) { env["PATH_INFO"] != "/hal-browser/browser.html" }

diff --git a/lib/pact_broker/config/runtime_configuration.rb b/lib/pact_broker/config/runtime_configuration.rb
@@ -68,6 +68,8 @@ class RuntimeConfiguration < Anyway::Config
         use_hal_browser: true,
         enable_diagnostic_endpoints: true,
         use_rack_protection: true,
+        rack_protection_use: nil,
+        rack_protection_except: [:path_traversal, :remote_token, :session_hijacking, :http_origin], # Beth: not sure why these are disabled
         badge_provider_mode: :redirect,
         enable_public_badge_access: false,
         shields_io_base_url: "https://img.shields.io",
@@ -180,6 +182,14 @@ def features= features
         super(value_to_string_array(features, "features").collect(&:downcase))
       end
 
+      def rack_protection_use= rack_protection_use
+        super(value_to_string_array(rack_protection_use, "rack_protection_use")&.collect(&:to_sym))
+      end
+
+      def rack_protection_except= rack_protection_except
+        super(value_to_string_array(rack_protection_except, "rack_protection_except")&.collect(&:to_sym))
+      end
+
       def webhook_certificates= webhook_certificates
         if webhook_certificates.is_a?(Array)
           super(webhook_certificates.collect(&:symbolize_keys))

diff --git a/spec/lib/pact_broker/config/runtime_configuration_documentation_spec.rb b/spec/lib/pact_broker/config/runtime_configuration_documentation_spec.rb
@@ -10,6 +10,8 @@ module Config
         :warning_error_class_names,
         :log_configuration_on_startup,
         :use_rack_protection,
+        :rack_protection_use,
+        :rack_protection_except,
         :use_case_sensitive_resource_names,
         :order_versions_by_date,
         :base_equality_only_on_content_that_affects_verification_results,