X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fplugs%2Fhttp_security_plug_test.exs;h=7a2835e3dc04d753a8fb9a4d257d593749d27555;hb=74f7f308f879b26a261db3b5c1d389cea898541c;hp=0cbb7e4b11fcfd6f57bb752ad583c840ad7c91a0;hpb=bee6acd51dc4e84e44caecf9d123dfff2f640a38;p=akkoma diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs index 0cbb7e4b1..7a2835e3d 100644 --- a/test/plugs/http_security_plug_test.exs +++ b/test/plugs/http_security_plug_test.exs @@ -7,77 +7,85 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do alias Pleroma.Config alias Plug.Conn - test "it sends CSP headers when enabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - - conn = - conn - |> get("/api/v1/instance") - - refute Conn.get_resp_header(conn, "x-xss-protection") == [] - refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] - refute Conn.get_resp_header(conn, "x-frame-options") == [] - refute Conn.get_resp_header(conn, "x-content-type-options") == [] - refute Conn.get_resp_header(conn, "x-download-options") == [] - refute Conn.get_resp_header(conn, "referrer-policy") == [] - refute Conn.get_resp_header(conn, "content-security-policy") == [] - end + clear_config([:http_securiy, :enabled]) + clear_config([:http_security, :sts]) - test "it does not send CSP headers when disabled", %{conn: conn} do - Config.put([:http_security, :enabled], false) + describe "http security enabled" do + setup do + Config.put([:http_security, :enabled], true) + end - conn = - conn - |> get("/api/v1/instance") + test "it sends CSP headers when enabled", %{conn: conn} do + conn = get(conn, "/api/v1/instance") - assert Conn.get_resp_header(conn, "x-xss-protection") == [] - assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] - assert Conn.get_resp_header(conn, "x-frame-options") == [] - assert Conn.get_resp_header(conn, "x-content-type-options") == [] - assert Conn.get_resp_header(conn, "x-download-options") == [] - assert Conn.get_resp_header(conn, "referrer-policy") == [] - assert Conn.get_resp_header(conn, "content-security-policy") == [] - end + refute Conn.get_resp_header(conn, "x-xss-protection") == [] + refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + refute Conn.get_resp_header(conn, "x-frame-options") == [] + refute Conn.get_resp_header(conn, "x-content-type-options") == [] + refute Conn.get_resp_header(conn, "x-download-options") == [] + refute Conn.get_resp_header(conn, "referrer-policy") == [] + refute Conn.get_resp_header(conn, "content-security-policy") == [] + end - test "it sends STS headers when enabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - Config.put([:http_security, :sts], true) + test "it sends STS headers when enabled", %{conn: conn} do + Config.put([:http_security, :sts], true) - conn = - conn - |> get("/api/v1/instance") + conn = get(conn, "/api/v1/instance") - refute Conn.get_resp_header(conn, "strict-transport-security") == [] - refute Conn.get_resp_header(conn, "expect-ct") == [] - end + refute Conn.get_resp_header(conn, "strict-transport-security") == [] + refute Conn.get_resp_header(conn, "expect-ct") == [] + end - test "it does not send STS headers when disabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - Config.put([:http_security, :sts], false) + test "it does not send STS headers when disabled", %{conn: conn} do + Config.put([:http_security, :sts], false) - conn = - conn - |> get("/api/v1/instance") + conn = get(conn, "/api/v1/instance") - assert Conn.get_resp_header(conn, "strict-transport-security") == [] - assert Conn.get_resp_header(conn, "expect-ct") == [] - end + assert Conn.get_resp_header(conn, "strict-transport-security") == [] + assert Conn.get_resp_header(conn, "expect-ct") == [] + end + + test "referrer-policy header reflects configured value", %{conn: conn} do + conn = get(conn, "/api/v1/instance") + + assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] - test "referrer-policy header reflects configured value", %{conn: conn} do - Config.put([:http_security, :enabled], true) + Config.put([:http_security, :referrer_policy], "no-referrer") - conn = - conn - |> get("/api/v1/instance") + conn = + build_conn() + |> get("/api/v1/instance") - assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + end - Config.put([:http_security, :referrer_policy], "no-referrer") + test "it sends `report-to` & `report-uri` CSP response headers" do + conn = + build_conn() + |> get("/api/v1/instance") - conn = - build_conn() - |> get("/api/v1/instance") + [csp] = Conn.get_resp_header(conn, "content-security-policy") - assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;| + + [reply_to] = Conn.get_resp_header(conn, "reply-to") + + assert reply_to == + "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}" + end + end + + test "it does not send CSP headers when disabled", %{conn: conn} do + Config.put([:http_security, :enabled], false) + + conn = get(conn, "/api/v1/instance") + + assert Conn.get_resp_header(conn, "x-xss-protection") == [] + assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + assert Conn.get_resp_header(conn, "x-frame-options") == [] + assert Conn.get_resp_header(conn, "x-content-type-options") == [] + assert Conn.get_resp_header(conn, "x-download-options") == [] + assert Conn.get_resp_header(conn, "referrer-policy") == [] + assert Conn.get_resp_header(conn, "content-security-policy") == [] end end