Add Subresource Integrity value to manifest

Author: zcei

lib/propshaft/assembly.rb

@@ -16,7 +16,12 @@ def initialize(config)
   end
 
   def load_path
-    @load_path ||= Propshaft::LoadPath.new(config.paths, compilers: compilers, version: config.version)
+    @load_path ||= Propshaft::LoadPath.new(
+      config.paths,
+      compilers: compilers,
+      version: config.version,
+      integrity_hash_algorithm: config.integrity_hash_algorithm
+    )
   end
 
   def resolver

lib/propshaft/asset.rb

@@ -1,4 +1,5 @@
 require "digest/sha1"
+require "digest/sha2"
 require "action_dispatch/http/mime_type"
 
 class Propshaft::Asset
@@ -33,6 +34,24 @@ def digest
     @digest ||= Digest::SHA1.hexdigest("#{content_with_compile_references}#{load_path.version}").first(8)
   end
 
+  # Following the Subresource Integrity spec draft
+  # https://w3c.github.io/webappsec-subresource-integrity/
+  # allowing only sha256, sha384, and sha512
+  def integrity(hash_algorithm:)
+    bitlen = case hash_algorithm
+      when "sha256"
+        256
+      when "sha384"
+        384
+      when "sha512"
+        512
+      else
+        raise(Error.new("Subresource Integrity hash algorithm must be one of SHA2 family (sha256, sha384, sha512)"))
+      end
+
+    [hash_algorithm, Digest::SHA2.new(bitlen).base64digest(content)].join("-")
+  end
+
   def digested_path
     if already_digested?
       logical_path

lib/propshaft/load_path.rb

@@ -3,8 +3,8 @@
 class Propshaft::LoadPath
   attr_reader :paths, :compilers, :version
 
-  def initialize(paths = [], compilers:, version: nil)
-    @paths, @compilers, @version = dedup(paths), compilers, version
+  def initialize(paths = [], compilers:, version: nil, integrity_hash_algorithm: nil)
+    @paths, @compilers, @version, @integrity_hash_algorithm = dedup(paths), compilers, version, integrity_hash_algorithm
   end
 
   def find(asset_name)
@@ -32,7 +32,14 @@ def asset_paths_by_glob(glob)
   def manifest
     Hash.new.tap do |manifest|
       assets.each do |asset|
-        manifest[asset.logical_path.to_s] = asset.digested_path.to_s
+        manifest[asset.logical_path.to_s] = if @integrity_hash_algorithm.nil?
+          asset.digested_path.to_s
+        else
+          {
+            digested_path: asset.digested_path.to_s,
+            integrity: asset.integrity(hash_algorithm: @integrity_hash_algorithm)
+          }
+        end
       end
     end
   end

lib/propshaft/resolver/static.rb

@@ -7,13 +7,13 @@ def initialize(manifest_path:, prefix:)
     end
 
     def resolve(logical_path)
-      if asset_path = parsed_manifest[logical_path]
+      if asset_path = digested_path(logical_path)
         File.join prefix, asset_path
       end
     end
 
     def read(logical_path, encoding: "ASCII-8BIT")
-      if asset_path = parsed_manifest[logical_path]
+      if asset_path = digested_path(logical_path)
         File.read(manifest_path.dirname.join(asset_path), encoding: encoding)
       end
     end
@@ -22,5 +22,15 @@ def read(logical_path, encoding: "ASCII-8BIT")
       def parsed_manifest
         @parsed_manifest ||= JSON.parse(manifest_path.read, symbolize_names: false)
       end
+
+      def digested_path(logical_path)
+        entry = parsed_manifest[logical_path]
+
+        if entry.is_a?(String)
+          return entry
+        elsif entry.is_a?(Hash)
+          entry["digested_path"]
+        end
+      end
   end
 end

test/fixtures/output/.manifest_with_integrity.json

@@ -0,0 +1 @@
+{"one.txt": {"digested_path": "one-f2e1ec14.txt","integrity": "sha384-LdS8l2QTAF8bD8WPb8QSQv0skTWHhmcnS2XU5LBkVQneGzqIqnDRskQtJvi7ADMe"}}

test/propshaft/assembly_test.rb

@@ -43,4 +43,30 @@ class Propshaft::AssemblyTest < ActiveSupport::TestCase
 
     assert assembly.processor.is_a?(Propshaft::Processor)
   end
+
+  class Propshaft::AssemblyTest::WithIntegrityTest < ActiveSupport::TestCase
+    test "uses static resolver when manifest is present" do
+      assembly = Propshaft::Assembly.new(ActiveSupport::OrderedOptions.new.tap { |config|
+        config.output_path = Pathname.new("#{__dir__}/../fixtures/output")
+        config.manifest_path = config.output_path.join(".manifest_with_integrity.json")
+        config.prefix = "/assets"
+
+        config.integrity_hash_algorithm = "sha384"
+      })
+
+      assert assembly.resolver.is_a?(Propshaft::Resolver::Static)
+    end
+
+    test "uses dynamic resolver when manifest is missing" do
+      assembly = Propshaft::Assembly.new(ActiveSupport::OrderedOptions.new.tap { |config|
+        config.output_path = Pathname.new("#{__dir__}/../fixtures/assets")
+        config.manifest_path = config.output_path.join(".manifest_with_integrity.json")
+        config.prefix = "/assets"
+
+        config.integrity_hash_algorithm = "sha384"
+      })
+
+      assert assembly.resolver.is_a?(Propshaft::Resolver::Dynamic)
+    end
+  end
 end

test/propshaft/output_path_test.rb

@@ -8,6 +8,7 @@ class Propshaft::OutputPathTest < ActiveSupport::TestCase
   setup do
     @manifest    = {
       ".manifest.json": ".manifest.json",
+      ".manifest_with_integrity.json": ".manifest_with_integrity.json",
       "one.txt": "one-f2e1ec14.txt",
       "one.txt.map": "one-f2e1ec15.txt.map"
     }.stringify_keys

test/propshaft/processor_test.rb

@@ -21,6 +21,35 @@ class Propshaft::ProcessorTest < ActiveSupport::TestCase
     end
   end
 
+
+  test "new manifest version is written" do
+    assembly = Propshaft::Assembly.new(ActiveSupport::OrderedOptions.new.tap { |config|
+      config.output_path = Pathname.new("#{__dir__}/../fixtures/output")
+      config.prefix = "/assets"
+      config.paths = [
+        Pathname.new("#{__dir__}/../fixtures/assets/first_path"),
+        Pathname.new("#{__dir__}/../fixtures/assets/second_path")
+      ]
+
+      config.integrity_hash_algorithm = "sha384"
+    })
+
+    Dir.mktmpdir do |output_path|
+      output_path = Pathname.new(output_path)
+      processor = Propshaft::Processor.new(
+        load_path: assembly.load_path, output_path: output_path,
+        compilers: assembly.compilers, manifest_path: output_path.join(".manifest.json")
+      )
+
+      processor.process
+
+      manifest_entry = JSON.parse(processor.output_path.join(".manifest.json").read)["one.txt"]
+
+      assert_equal manifest_entry["digested_path"], "one-f2e1ec14.txt"
+      assert_equal manifest_entry["integrity"], "sha384-LdS8l2QTAF8bD8WPb8QSQv0skTWHhmcnS2XU5LBkVQneGzqIqnDRskQtJvi7ADMe"
+    end
+  end
+
   test "assets are copied" do
     processed do |processor|
       digested_asset_name = "one-f2e1ec14.txt"

test/propshaft/resolver/static_test.rb

@@ -40,4 +40,44 @@ class Propshaft::Resolver::StaticTest < ActiveSupport::TestCase
       @resolver.resolve("one.txt")
     end
   end
+
+  class Propshaft::Resolver::StaticTest::WithIntegrityTest < ActiveSupport::TestCase
+    setup do
+      @resolver = Propshaft::Resolver::Static.new(
+        manifest_path: Pathname.new("#{__dir__}/../../fixtures/output/.manifest_with_integrity.json"),
+        prefix: "/assets"
+      )
+    end
+
+    test "resolving present asset returns uri path" do
+      assert_equal \
+        "/assets/one-f2e1ec14.txt",
+        @resolver.resolve("one.txt")
+    end
+
+    test "reading static asset" do
+      assert_equal "ASCII-8BIT", @resolver.read("one.txt").encoding.to_s
+      assert_equal "One from first path", @resolver.read("one.txt")
+    end
+
+    test "reading static asset with encoding option" do
+      assert_equal "UTF-8", @resolver.read("one.txt", encoding: "UTF-8").encoding.to_s
+      assert_equal "One from first path", @resolver.read("one.txt", encoding: "UTF-8")
+    end
+
+    test "resolving missing asset returns nil" do
+      assert_nil @resolver.resolve("nowhere.txt")
+    end
+
+    test "resolver requests json optimizer gems to keep parsed manifest keys as strings" do
+      stub = Proc.new do |_, opts|
+        assert_equal false, opts[:symbolize_names]
+        {}
+      end
+
+      JSON.stub :parse, stub do
+        @resolver.resolve("one.txt")
+      end
+    end
+  end
 end