X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=test%2Fplugs%2Fhttp_security_plug_test.exs;h=63b4d3f31fefe5a0ec8edfd43fbac8ded7ebb73a;hb=984897810956c723a48f49bf8e097471527ebd38;hp=169c3b3a84d98949736a27bfaa55852a4f83bd21;hpb=fe2759bc9f2dad044b49f4954693ac09f9368041;p=akkoma diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs index 169c3b3a8..63b4d3f31 100644 --- a/test/plugs/http_security_plug_test.exs +++ b/test/plugs/http_security_plug_test.exs @@ -1,79 +1,92 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2020 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do use Pleroma.Web.ConnCase alias Pleroma.Config alias Plug.Conn - test "it sends CSP headers when enabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) + setup do: clear_config([:http_securiy, :enabled]) + setup do: clear_config([:http_security, :sts]) + setup do: clear_config([:http_security, :referrer_policy]) - conn = - conn - |> get("/api/v1/instance") + describe "http security enabled" do + setup do + Config.put([:http_security, :enabled], true) + end - refute Conn.get_resp_header(conn, "x-xss-protection") == [] - refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] - refute Conn.get_resp_header(conn, "x-frame-options") == [] - refute Conn.get_resp_header(conn, "x-content-type-options") == [] - refute Conn.get_resp_header(conn, "x-download-options") == [] - refute Conn.get_resp_header(conn, "referrer-policy") == [] - refute Conn.get_resp_header(conn, "content-security-policy") == [] - end + test "it sends CSP headers when enabled", %{conn: conn} do + conn = get(conn, "/api/v1/instance") - test "it does not send CSP headers when disabled", %{conn: conn} do - Config.put([:http_security, :enabled], false) + refute Conn.get_resp_header(conn, "x-xss-protection") == [] + refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + refute Conn.get_resp_header(conn, "x-frame-options") == [] + refute Conn.get_resp_header(conn, "x-content-type-options") == [] + refute Conn.get_resp_header(conn, "x-download-options") == [] + refute Conn.get_resp_header(conn, "referrer-policy") == [] + refute Conn.get_resp_header(conn, "content-security-policy") == [] + end - conn = - conn - |> get("/api/v1/instance") + test "it sends STS headers when enabled", %{conn: conn} do + Config.put([:http_security, :sts], true) - assert Conn.get_resp_header(conn, "x-xss-protection") == [] - assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] - assert Conn.get_resp_header(conn, "x-frame-options") == [] - assert Conn.get_resp_header(conn, "x-content-type-options") == [] - assert Conn.get_resp_header(conn, "x-download-options") == [] - assert Conn.get_resp_header(conn, "referrer-policy") == [] - assert Conn.get_resp_header(conn, "content-security-policy") == [] - end + conn = get(conn, "/api/v1/instance") - test "it sends STS headers when enabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - Config.put([:http_security, :sts], true) + refute Conn.get_resp_header(conn, "strict-transport-security") == [] + refute Conn.get_resp_header(conn, "expect-ct") == [] + end - conn = - conn - |> get("/api/v1/instance") + test "it does not send STS headers when disabled", %{conn: conn} do + Config.put([:http_security, :sts], false) - refute Conn.get_resp_header(conn, "strict-transport-security") == [] - refute Conn.get_resp_header(conn, "expect-ct") == [] - end + conn = get(conn, "/api/v1/instance") - test "it does not send STS headers when disabled", %{conn: conn} do - Config.put([:http_security, :enabled], true) - Config.put([:http_security, :sts], false) + assert Conn.get_resp_header(conn, "strict-transport-security") == [] + assert Conn.get_resp_header(conn, "expect-ct") == [] + end - conn = - conn - |> get("/api/v1/instance") + test "referrer-policy header reflects configured value", %{conn: conn} do + conn = get(conn, "/api/v1/instance") - assert Conn.get_resp_header(conn, "strict-transport-security") == [] - assert Conn.get_resp_header(conn, "expect-ct") == [] - end + assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + + Config.put([:http_security, :referrer_policy], "no-referrer") - test "referrer-policy header reflects configured value", %{conn: conn} do - Config.put([:http_security, :enabled], true) + conn = + build_conn() + |> get("/api/v1/instance") - conn = - conn - |> get("/api/v1/instance") + assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + end - assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + test "it sends `report-to` & `report-uri` CSP response headers" do + conn = + build_conn() + |> get("/api/v1/instance") - Config.put([:http_security, :referrer_policy], "no-referrer") + [csp] = Conn.get_resp_header(conn, "content-security-policy") - conn = - build_conn() - |> get("/api/v1/instance") + assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;| - assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + [reply_to] = Conn.get_resp_header(conn, "reply-to") + + assert reply_to == + "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}" + end + end + + test "it does not send CSP headers when disabled", %{conn: conn} do + Config.put([:http_security, :enabled], false) + + conn = get(conn, "/api/v1/instance") + + assert Conn.get_resp_header(conn, "x-xss-protection") == [] + assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + assert Conn.get_resp_header(conn, "x-frame-options") == [] + assert Conn.get_resp_header(conn, "x-content-type-options") == [] + assert Conn.get_resp_header(conn, "x-download-options") == [] + assert Conn.get_resp_header(conn, "referrer-policy") == [] + assert Conn.get_resp_header(conn, "content-security-policy") == [] end end