Add an integration test to verify security headers on the supervisor authorize endpoint.
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
74e52187a3
commit
24c01d3e54
@ -57,7 +57,8 @@ func TestSupervisorLogin(t *testing.T) {
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// Create an HTTP client that can reach the downstream discovery endpoint using the CA certs.
|
// Create an HTTP client that can reach the downstream discovery endpoint using the CA certs.
|
||||||
httpClient := &http.Client{Transport: &http.Transport{
|
httpClient := &http.Client{
|
||||||
|
Transport: &http.Transport{
|
||||||
TLSClientConfig: &tls.Config{RootCAs: ca.Pool()},
|
TLSClientConfig: &tls.Config{RootCAs: ca.Pool()},
|
||||||
Proxy: func(req *http.Request) (*url.URL, error) {
|
Proxy: func(req *http.Request) (*url.URL, error) {
|
||||||
if env.Proxy == "" {
|
if env.Proxy == "" {
|
||||||
@ -69,7 +70,12 @@ func TestSupervisorLogin(t *testing.T) {
|
|||||||
t.Logf("passing request for %s through proxy %s", req.URL, proxyURL.String())
|
t.Logf("passing request for %s through proxy %s", req.URL, proxyURL.String())
|
||||||
return proxyURL, nil
|
return proxyURL, nil
|
||||||
},
|
},
|
||||||
}}
|
},
|
||||||
|
// Don't follow redirects automatically.
|
||||||
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
||||||
|
return http.ErrUseLastResponse
|
||||||
|
},
|
||||||
|
}
|
||||||
oidcHTTPClientContext := coreosoidc.ClientContext(ctx, httpClient)
|
oidcHTTPClientContext := coreosoidc.ClientContext(ctx, httpClient)
|
||||||
|
|
||||||
// Use the CA to issue a TLS server cert.
|
// Use the CA to issue a TLS server cert.
|
||||||
@ -144,6 +150,14 @@ func TestSupervisorLogin(t *testing.T) {
|
|||||||
pkceParam.Method(),
|
pkceParam.Method(),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Make the authorize request one "manually" so we can check its response headers.
|
||||||
|
authorizeRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, downstreamAuthorizeURL, nil)
|
||||||
|
require.NoError(t, err)
|
||||||
|
authorizeResp, err := httpClient.Do(authorizeRequest)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.NoError(t, authorizeResp.Body.Close())
|
||||||
|
expectSecurityHeaders(t, authorizeResp)
|
||||||
|
|
||||||
// Open the web browser and navigate to the downstream authorize URL.
|
// Open the web browser and navigate to the downstream authorize URL.
|
||||||
page := browsertest.Open(t)
|
page := browsertest.Open(t)
|
||||||
t.Logf("opening browser to downstream authorize URL %s", library.MaskTokens(downstreamAuthorizeURL))
|
t.Logf("opening browser to downstream authorize URL %s", library.MaskTokens(downstreamAuthorizeURL))
|
||||||
@ -306,3 +320,16 @@ func doTokenExchange(t *testing.T, config *oauth2.Config, tokenResponse *oauth2.
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
t.Logf("exchanged token claims:\n%s", string(indentedClaims))
|
t.Logf("exchanged token claims:\n%s", string(indentedClaims))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func expectSecurityHeaders(t *testing.T, response *http.Response) {
|
||||||
|
h := response.Header
|
||||||
|
assert.Equal(t, "default-src 'none'; frame-ancestors 'none'", h.Get("Content-Security-Policy"))
|
||||||
|
assert.Equal(t, "DENY", h.Get("X-Frame-Options"))
|
||||||
|
assert.Equal(t, "1; mode=block", h.Get("X-XSS-Protection"))
|
||||||
|
assert.Equal(t, "nosniff", h.Get("X-Content-Type-Options"))
|
||||||
|
assert.Equal(t, "no-referrer", h.Get("Referrer-Policy"))
|
||||||
|
assert.Equal(t, "off", h.Get("X-DNS-Prefetch-Control"))
|
||||||
|
assert.Equal(t, "no-cache,no-store,max-age=0,must-revalidate", h.Get("Cache-Control"))
|
||||||
|
assert.Equal(t, "no-cache", h.Get("Pragma"))
|
||||||
|
assert.Equal(t, "0", h.Get("Expires"))
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user