Merge pull request #21 from brokenhandsio/vapor4

Vapor 4

Author: 0xTim

.github/workflows/ci.yml

@@ -1,26 +1,27 @@
 name: CI
 on:
-- push
+  push:
+  pull_request:
 jobs:
   xenial:
     container: 
-      image: vapor/swift:5.1-xenial
+      image: vapor/swift:5.2-xenial
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
-    - run: swift test --enable-test-discovery --enable-code-coverage
+    - run: swift test --enable-test-discovery --enable-code-coverage --sanitize=thread
   bionic:
     container: 
-      image: vapor/swift:5.1-bionic
+      image: vapor/swift:5.2-bionic
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
     - name: Run Bionic Tests
-      run: swift test --enable-test-discovery --enable-code-coverage
+      run: swift test --enable-test-discovery --enable-code-coverage --sanitize=thread
     - name: Setup container for codecov upload
       run: apt-get update && apt-get install curl
     - name: Process coverage file
-      run: llvm-cov show .build/x86_64-unknown-linux/debug/VaporSecurityHeadersPackageTests.xctest -instr-profile=.build/x86_64-unknown-linux/debug/codecov/default.profdata > coverage.txt
+      run: llvm-cov show .build/x86_64-unknown-linux-gnu/debug/VaporSecurityHeadersPackageTests.xctest -instr-profile=.build/debug/codecov/default.profdata > coverage.txt
     - name: Upload code coverage
       uses: codecov/codecov-action@v1
       with:

.gitignore

@@ -5,3 +5,4 @@
 DerivedData/
 Package.pins
 Package.resolved
+.swiftpm/

Package.swift

@@ -1,17 +1,22 @@
-// swift-tools-version:4.0
+// swift-tools-version:5.2
 
 import PackageDescription
 
 let package = Package(
     name: "VaporSecurityHeaders",
+    platforms: [
+       .macOS(.v10_15)
+    ],
     products: [
         .library(name: "VaporSecurityHeaders", targets: ["VaporSecurityHeaders"]),
     ],
     dependencies: [
-    	.package(url: "https://github.com/vapor/vapor.git", from: "3.0.0"),
+    	.package(url: "https://github.com/vapor/vapor.git", from: "4.0.0"),
     ],
     targets: [
-        .target(name: "VaporSecurityHeaders", dependencies: ["Vapor"]),
+        .target(name: "VaporSecurityHeaders", dependencies: [
+            .product(name: "Vapor", package: "vapor")
+        ]),
         .testTarget(name: "VaporSecurityHeadersTests", dependencies: ["VaporSecurityHeaders"]),
     ]
 )

README.md

@@ -3,7 +3,7 @@
     <br>
     <br>
     <a href="https://swift.org">
-        <img src="http://img.shields.io/badge/Swift-4.1-brightgreen.svg" alt="Language">
+        <img src="http://img.shields.io/badge/Swift-5.2-brightgreen.svg" alt="Language">
     </a>
     <a href="https://github.com/brokenhandsio/VaporSecurityHeaders/actions">
          <img src="https://github.com/brokenhandsio/VaporSecurityHeaders/workflows/CI/badge.svg?branch=master" alt="Build Status">
@@ -34,16 +34,37 @@ These headers will *help* prevent cross-site scripting attacks, SSL downgrade at
 
 # Usage
 
-To use Vapor Security Headers, just register the middleware with your services and add it to your `MiddlewareConfig`. Vapor Security Headers makes this easy to do with a `build` function on the factory. In `configure.swift` add:
+## Add the package
+
+Add the package as a dependency in your `Package.swift` manifest:
+
+```swift
+dependencies: [
+    ...,
+    .package(url: "https://github.com/brokenhandsio/VaporSecurityHeaders.git", from: "3.0.0")
+]
+```
+
+Then add the dependency to your target:
+
+```swift
+.target(name: "App",
+        dependencies: [
+                // ...
+                "VaporSecurityHeaders"]),
+```
+
+## Configuration
+
+To use Vapor Security Headers, you need to add the middleware to your `Application`'s `Middlewares`. Vapor Security Headers makes this easy to do with a `build` function on the factory. **Note:** if you want security headers added to error reponses (recommended), you need to initialise the `Middlewares` from fresh and add the middleware in _after_ the `SecuriyHeaders`. In `configure.swift` add:
 
 ```swift
 let securityHeadersFactory = SecurityHeadersFactory()
-services.register(securityHeadersFactory.build())
 
-var middlewareConfig = MiddlewareConfig()
-// ...
-middlewareConfig.use(SecurityHeaders.self)
-services.register(middlewareConfig)
+application.middleware = Middlewares()
+application.middleware.use(securityHeadersFactory.build())
+application.middleware.use(ErrorMiddleware.default(environment: application.environment))
+// Add other middlewares...
 ```
 
 The default factory will add default values to your site for Content-Security-Policy, X-XSS-Protection, X-Frame-Options and X-Content-Type-Options.
@@ -55,7 +76,7 @@ x-frame-options: DENY
 x-xss-protection: 1; mode=block
 ```
 
-***Note:*** You should ensure you set the security headers as the last middleware in your `MiddlewareConfig` (i.e., the first middleware to be applied to responses) to make sure the headers get added to all responses.
+***Note:*** You should ensure you set the security headers as the first middleware in your `Middlewares` (i.e., the first middleware to be applied to responses) to make sure the headers get added to all responses.
 
 If you want to add your own values, it is easy to do using the factory. For instance, to add a content security policy configuration, just do:
 
@@ -65,7 +86,7 @@ let cspValue = "default-src 'none'; script-src https://static.brokenhands.io;"
 let cspConfig = ContentSecurityPolicyConfiguration(value: cspValue)
 
 let securityHeadersFactory = SecurityHeadersFactory().with(contentSecurityPolicy: cspConfig)
-services.register(securityHeadersFactory.build())
+application.middleware.use(securityHeadersFactory.build())
 ```
 
 ```HTTP
@@ -75,15 +96,6 @@ x-frame-options: DENY
 x-xss-protection: 1; mode=block
 ```
 
-You will need to add it as a dependency in your `Package.swift` file:
-
-```swift
-dependencies: [
-    ...,
-    .package(url: "https://github.com/brokenhandsio/VaporSecurityHeaders.git", from: "2.0.0")
-]
-```
-
 Each different header has its own configuration and options, details of which can be found below.
 
 You can test your site by visiting the awesome [Security Headers](https://securityheaders.io) (no affiliation) website.
@@ -94,6 +106,7 @@ If you are running an API you can choose a default configuration for that by cre
 
 ```swift
 let securityHeaders = SecurityHeadersFactory.api()
+application.middleware.use(securityHeaders)
 ```
 
 ```http
@@ -103,19 +116,11 @@ x-frame-options: DENY
 x-xss-protection: 1; mode=block
 ```
 
-## Manual Initialization
-
-You can also build the middleware manually like so:
-
-```swift
-let securityHeadersMiddleware = SecurityHeadersFactory().build()
-```
-
 # Server Configuration
 
 ## Vapor
 
-If you are running Vapor on it's own (i.e. not as a CGI application or behind and reverse proxy) then you do not need to do anything more to get it running!
+If you are running Vapor on it's own (i.e. not as a CGI application or behind a reverse proxy) then you do not need to do anything more to get it running!
 
 ## Nginx, Apache and 3rd Party Services
 
@@ -276,7 +281,7 @@ Check out [https://report-uri.io/](https://report-uri.io/) for a free tool to se
 
 ### Page Specific CSP
 
-Vapor Security Headers also supports setting the CSP on a route or request basis. If the middleware has been added to the `MiddlewareConfig`, you can override the CSP for a request. This allows you to have a strict default CSP, but allow content from extra sources when required, such as only allowing the Javascript for blog comments on the blog page. Create a separate `ContentSecurityPolicyConfiguration` and then add it to the request. For example, inside a route handler, you could do:
+Vapor Security Headers also supports setting the CSP on a route or request basis. If the middleware has been added to the `Middlewares`, you can override the CSP for a request. This allows you to have a strict default CSP, but allow content from extra sources when required, such as only allowing the Javascript for blog comments on the blog page. Create a separate `ContentSecurityPolicyConfiguration` and then add it to the request. For example, inside a route handler, you could do:
 
 ```swift
 let cspConfig = ContentSecurityPolicy()
@@ -291,14 +296,6 @@ req.contentSecurityPolicy = pageSpecificCSP
 content-security-policy: default-src 'none'; script-src https://comments.disqus.com
 ```
 
-You must also enable the `CSPRequestConfiguration` service for this to work. In `configure.swift` add:
-
-```swift
-services.register { _ in
-    return CSPRequestConfiguration()
-}
-```
-
 ## Content-Security-Policy-Report-Only
 
 Content-Security-Policy-Report-Only works in exactly the same way as Content-Security-Policy except that any violations will not block content, but they will be reported back to you. This is extremely useful for testing a CSP before rolling it out over your site. You can run both side by side - so for example have a fairly simply policy under Content-Security-Policy but test a more restrictive policy over Content-Security-Policy-Report-Only. The great thing about this is that your users do all your testing for you!
@@ -443,7 +440,7 @@ strict-transport-security: max-age=31536000; includeSubDomains; preload
 
 The Server header is usually hidden from responses in order to not give away what type of server you are running and what version you are using. This is to stop attackers from scanning your site and using known vulnerabilities against it easily. By default Vapor does not show the server header in responses for this reason.
 
-However, it can be fun to add in a custom server configuration for a bit of personalization, such as your website name, or company name (look at Github's response) and the `ServerConfiguraiton` is to allow this. So, for example, if I wanted my `Server` header to be `brokenhands.io`, I would configure it like:
+However, it can be fun to add in a custom server configuration for a bit of personalization, such as your website name, or company name (look at Github's response) and the `ServerConfiguraiton` allows this. So, for example, if I wanted my `Server` header to be `brokenhands.io`, I would configure it like:
 
 ```swift
 let serverConfig = ServerConfiguration(value: "brokenhands.io")

Sources/VaporSecurityHeaders/Configurations/ContentSecurityPolicyConfiguration.swift

@@ -14,31 +14,25 @@ public struct ContentSecurityPolicyConfiguration: SecurityHeaderConfiguration {
 
     func setHeader(on response: Response, from request: Request) {
         if let requestCSP = request.contentSecurityPolicy {
-            response.http.headers.replaceOrAdd(name: .contentSecurityPolicy, value: requestCSP.value)
+            response.headers.replaceOrAdd(name: .contentSecurityPolicy, value: requestCSP.value)
         } else {
-            response.http.headers.replaceOrAdd(name: .contentSecurityPolicy, value: value)
+            response.headers.replaceOrAdd(name: .contentSecurityPolicy, value: value)
         }
     }
 }
 
-public class CSPRequestConfiguration: Service {
-    var configuration: ContentSecurityPolicyConfiguration?
-    public init() {}
+extension ContentSecurityPolicyConfiguration: StorageKey {
+    public typealias Value = Self
 }
 
 extension Request {
+    
     public var contentSecurityPolicy: ContentSecurityPolicyConfiguration? {
         get {
-            if let requestConfig = try? privateContainer.make(CSPRequestConfiguration.self) {
-                return requestConfig.configuration
-            } else {
-                return nil
-            }
+            return self.storage[ContentSecurityPolicyConfiguration.self]
         }
         set {
-            if let requestConfig = try? privateContainer.make(CSPRequestConfiguration.self) {
-                requestConfig.configuration = newValue
-            }
+            self.storage[ContentSecurityPolicyConfiguration.self] = newValue
         }
     }
 }
@@ -98,81 +92,103 @@ public class ContentSecurityPolicy {
         return policy.joined(separator: "; ")
     }
 
+    @discardableResult
     public func set(value: String) -> ContentSecurityPolicy {
         policy.append(value)
         return self
     }
-
+    
+    @discardableResult
     public func baseUri(sources: String...) -> ContentSecurityPolicy {
         policy.append("base-uri \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func blockAllMixedContent() -> ContentSecurityPolicy {
         policy.append("block-all-mixed-content")
         return self
     }
+    
+    @discardableResult
+    public func childSrc(sources: String...) -> ContentSecurityPolicy {
+        policy.append("child-src \(sources.joined(separator: " "))")
+        return self
+    }
 
+    @discardableResult
     public func connectSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("connect-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func defaultSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("default-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func fontSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("font-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func formAction(sources: String...) -> ContentSecurityPolicy {
         policy.append("form-action \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func frameAncestors(sources: String...) -> ContentSecurityPolicy {
         policy.append("frame-ancestors \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func frameSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("frame-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func imgSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("img-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func manifestSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("manifest-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func mediaSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("media-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func objectSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("object-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func pluginTypes(types: String...) -> ContentSecurityPolicy {
         policy.append("plugin-types \(types.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func requireSriFor(values: String...) -> ContentSecurityPolicy {
         policy.append("require-sri-for \(values.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func reportTo(reportToObject: CSPReportTo) -> ContentSecurityPolicy {
         let encoder = JSONEncoder()
         guard let data = try? encoder.encode(reportToObject) else { return self }
@@ -181,31 +197,37 @@ public class ContentSecurityPolicy {
         return self
     }
 
+    @discardableResult
     public func reportUri(uri: String) -> ContentSecurityPolicy {
         policy.append("report-uri \(uri)")
         return self
     }
 
+    @discardableResult
     public func sandbox(values: String...) -> ContentSecurityPolicy {
         policy.append("sandbox \(values.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func scriptSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("script-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func styleSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("style-src \(sources.joined(separator: " "))")
         return self
     }
 
+    @discardableResult
     public func upgradeInsecureRequests() -> ContentSecurityPolicy {
         policy.append("upgrade-insecure-requests")
         return self
     }
 
+    @discardableResult
     public func workerSrc(sources: String...) -> ContentSecurityPolicy {
         policy.append("worker-src \(sources.joined(separator: " "))")
         return self