Remove deprecated code in ssl middleware

fda5afeb · Rafael Mendonça França · 2ca83c4a · fda5afeb · fda5afeb · fda5afeb
4 changed file
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
+*   Change HSTS subdomain to true.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `host` and `port` ssl options.
+
+    *Rafael Mendonça França*
+
 *   Remove deprecated `const_error` argument in
    `ActionDispatch::Session::SessionRestoreError#initialize`.


--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -45,35 +45,17 @@ class SSL
    HSTS_EXPIRES_IN = 15552000

    def self.default_hsts_options
-      { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
+      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
    end

-    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true)
      @app = app

-      if options[:host] || options[:port]
-        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
-          The `:host` and `:port` options are moving within `:redirect`:
-          `config.ssl_options = { redirect: { host: …, port: … } }`.
-        end_warning
-        @redirect = options.slice(:host, :port)
-      else
      @redirect = redirect
-      end

      @exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
      @secure_cookies = secure_cookies

-      if hsts != true && hsts != false && hsts[:subdomains].nil?
-        hsts[:subdomains] = false
-
-        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
-          In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
-          unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out
-          of this behavior.
-        end_warning
-      end
-
      @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
    end


--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -12,25 +12,16 @@ def build_app(headers: {}, ssl_options: {})
 end

 class RedirectSSLTest < SSLTest
-  def assert_not_redirected(url, headers: {}, redirect: {}, deprecated_host: nil,
-    deprecated_port: nil)
-
-    self.app = build_app ssl_options: { redirect: redirect,
-      host: deprecated_host, port: deprecated_port
-    }
-
+  def assert_not_redirected(url, headers: {}, redirect: {})
+    self.app = build_app ssl_options: { redirect: redirect }
    get url, headers: headers
    assert_response :ok
  end

-  def assert_redirected(redirect: {}, deprecated_host: nil, deprecated_port: nil,
-    from: "http://a/b?c=d", to: from.sub("http", "https"))
-
+  def assert_redirected(redirect: {}, from: "http://a/b?c=d", to: from.sub("http", "https"))
    redirect = { status: 301, body: [] }.merge(redirect)

-    self.app = build_app ssl_options: { redirect: redirect,
-      host: deprecated_host, port: deprecated_port
-    }
+    self.app = build_app ssl_options: { redirect: redirect }

    get from
    assert_response redirect[:status] || 301
@@ -99,18 +90,6 @@ def assert_post_redirected(redirect: {}, from: "http://a/b?c=d",
    assert_redirected redirect: { host: "ssl:443" }, to: "https://ssl:443/b?c=d"
  end

-  test ":host is deprecated, moved within redirect: { host: … }" do
-    assert_deprecated do
-      assert_redirected deprecated_host: "foo", to: "https://foo/b?c=d"
-    end
-  end
-
-  test ":port is deprecated, moved within redirect: { port: … }" do
-    assert_deprecated do
-      assert_redirected deprecated_port: 1, to: "https://a:1/b?c=d"
-    end
-  end
-
  test "no redirect with redirect set to false" do
    assert_not_redirected "http://example.org", redirect: false
  end
@@ -139,23 +118,19 @@ def assert_hsts(expected, url: "https://example.org", hsts: { subdomains: true }
  end

  test "hsts: true enables default settings" do
-    assert_hsts EXPECTED, hsts: true
+    assert_hsts EXPECTED_WITH_SUBDOMAINS, hsts: true
  end

  test "hsts: false sets max-age to zero, clearing browser HSTS settings" do
-    assert_hsts "max-age=0", hsts: false
+    assert_hsts "max-age=0; includeSubDomains", hsts: false
  end

  test ":expires sets max-age" do
-    assert_deprecated do
-      assert_hsts "max-age=500", hsts: { expires: 500 }
-    end
+    assert_hsts "max-age=500; includeSubDomains", hsts: { expires: 500 }
  end

  test ":expires supports AS::Duration arguments" do
-    assert_deprecated do
-      assert_hsts "max-age=31557600", hsts: { expires: 1.year }
-    end
+    assert_hsts "max-age=31557600; includeSubDomains", hsts: { expires: 1.year }
  end

  test "include subdomains" do
@@ -167,15 +142,11 @@ def assert_hsts(expected, url: "https://example.org", hsts: { subdomains: true }
  end

  test "opt in to browser preload lists" do
-    assert_deprecated do
-      assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
-    end
+    assert_hsts "#{EXPECTED_WITH_SUBDOMAINS}; preload", hsts: { preload: true }
  end

  test "opt out of browser preload lists" do
-    assert_deprecated do
-      assert_hsts EXPECTED, hsts: { preload: false }
-    end
+    assert_hsts EXPECTED_WITH_SUBDOMAINS, hsts: { preload: false }
  end
 end


--- a/railties/test/application/middleware_test.rb
+++ b/railties/test/application/middleware_test.rb
@@ -100,10 +100,10 @@ def app

    test "ActionDispatch::SSL is configured with options when given" do
      add_to_config "config.force_ssl = true"
-      add_to_config "config.ssl_options = { host: 'example.com' }"
+      add_to_config "config.ssl_options = { redirect: { host: 'example.com' } }"
      boot!

-      assert_equal [{ host: "example.com" }], Rails.application.middleware.first.args
+      assert_equal [{ redirect: { host: "example.com" } }], Rails.application.middleware.first.args
    end

    test "removing Active Record omits its middleware" do