X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fplugs%2Fhttp_security_plug_test.exs;h=7dfd50c1febd9a6a6f5ace616c853725bb16cf39;hb=ad5263c647aea65dbeb4c329825671895e0a8863;hp=169c3b3a84d98949736a27bfaa55852a4f83bd21;hpb=8b4397c704147bcc5ca12ab60dde32f2b6e11a41;p=akkoma diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs index 169c3b3a8..7dfd50c1f 100644 --- a/test/plugs/http_security_plug_test.exs +++ b/test/plugs/http_security_plug_test.exs @@ -1,79 +1,102 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2018 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do use Pleroma.Web.ConnCase alias Pleroma.Config alias Plug.Conn - test "it sends CSP headers when enabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) + describe "http security enabled" do + setup do + enabled = Config.get([:http_securiy, :enabled]) - conn = - conn - |> get("/api/v1/instance") + Config.put([:http_security, :enabled], true) - refute Conn.get_resp_header(conn, "x-xss-protection") == [] - refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] - refute Conn.get_resp_header(conn, "x-frame-options") == [] - refute Conn.get_resp_header(conn, "x-content-type-options") == [] - refute Conn.get_resp_header(conn, "x-download-options") == [] - refute Conn.get_resp_header(conn, "referrer-policy") == [] - refute Conn.get_resp_header(conn, "content-security-policy") == [] - end + on_exit(fn -> + Config.put([:http_security, :enabled], enabled) + end) - test "it does not send CSP headers when disabled", %{conn: conn} do - Config.put([:http_security, :enabled], false) + :ok + end - conn = - conn - |> get("/api/v1/instance") + test "it sends CSP headers when enabled", %{conn: conn} do + conn = get(conn, "/api/v1/instance") - assert Conn.get_resp_header(conn, "x-xss-protection") == [] - assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] - assert Conn.get_resp_header(conn, "x-frame-options") == [] - assert Conn.get_resp_header(conn, "x-content-type-options") == [] - assert Conn.get_resp_header(conn, "x-download-options") == [] - assert Conn.get_resp_header(conn, "referrer-policy") == [] - assert Conn.get_resp_header(conn, "content-security-policy") == [] - end + refute Conn.get_resp_header(conn, "x-xss-protection") == [] + refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + refute Conn.get_resp_header(conn, "x-frame-options") == [] + refute Conn.get_resp_header(conn, "x-content-type-options") == [] + refute Conn.get_resp_header(conn, "x-download-options") == [] + refute Conn.get_resp_header(conn, "referrer-policy") == [] + refute Conn.get_resp_header(conn, "content-security-policy") == [] + end - test "it sends STS headers when enabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - Config.put([:http_security, :sts], true) + test "it sends STS headers when enabled", %{conn: conn} do + Config.put([:http_security, :sts], true) - conn = - conn - |> get("/api/v1/instance") + conn = get(conn, "/api/v1/instance") - refute Conn.get_resp_header(conn, "strict-transport-security") == [] - refute Conn.get_resp_header(conn, "expect-ct") == [] - end + refute Conn.get_resp_header(conn, "strict-transport-security") == [] + refute Conn.get_resp_header(conn, "expect-ct") == [] + end - test "it does not send STS headers when disabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - Config.put([:http_security, :sts], false) + test "it does not send STS headers when disabled", %{conn: conn} do + Config.put([:http_security, :sts], false) - conn = - conn - |> get("/api/v1/instance") + conn = get(conn, "/api/v1/instance") - assert Conn.get_resp_header(conn, "strict-transport-security") == [] - assert Conn.get_resp_header(conn, "expect-ct") == [] - end + assert Conn.get_resp_header(conn, "strict-transport-security") == [] + assert Conn.get_resp_header(conn, "expect-ct") == [] + end + + test "referrer-policy header reflects configured value", %{conn: conn} do + conn = get(conn, "/api/v1/instance") + + assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + + Config.put([:http_security, :referrer_policy], "no-referrer") - test "referrer-policy header reflects configured value", %{conn: conn} do - Config.put([:http_security, :enabled], true) + conn = + build_conn() + |> get("/api/v1/instance") - conn = - conn - |> get("/api/v1/instance") + assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + end - assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + test "it sends `report-to` & `report-uri` CSP response headers" do + conn = + build_conn() + |> get("/api/v1/instance") - Config.put([:http_security, :referrer_policy], "no-referrer") + [csp] = Conn.get_resp_header(conn, "content-security-policy") - conn = - build_conn() - |> get("/api/v1/instance") + assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;| - assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + [reply_to] = Conn.get_resp_header(conn, "reply-to") + + assert reply_to == + "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}" + end + end + + test "it does not send CSP headers when disabled", %{conn: conn} do + enabled = Config.get([:http_securiy, :enabled]) + + Config.put([:http_security, :enabled], false) + + on_exit(fn -> + Config.put([:http_security, :enabled], enabled) + end) + + conn = get(conn, "/api/v1/instance") + + assert Conn.get_resp_header(conn, "x-xss-protection") == [] + assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + assert Conn.get_resp_header(conn, "x-frame-options") == [] + assert Conn.get_resp_header(conn, "x-content-type-options") == [] + assert Conn.get_resp_header(conn, "x-download-options") == [] + assert Conn.get_resp_header(conn, "referrer-policy") == [] + assert Conn.get_resp_header(conn, "content-security-policy") == [] end end