Ed Tanous | c94ad49 | 2019-10-10 15:39:33 -0700 | [diff] [blame] | 1 | #include <app.h> |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 2 | |
| 3 | #include <security_headers_middleware.hpp> |
| 4 | |
Ed Tanous | 9140a67 | 2017-04-24 17:01:32 -0700 | [diff] [blame] | 5 | #include <gmock/gmock.h> |
Ed Tanous | 55c7b7a | 2018-05-22 15:27:24 -0700 | [diff] [blame] | 6 | #include <gtest/gtest.h> |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 7 | |
| 8 | using namespace crow; |
| 9 | using namespace std; |
| 10 | |
| 11 | // Tests that the security headers are added correctly |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 12 | TEST(SecurityHeaders, TestHeadersExist) |
| 13 | { |
| 14 | App<SecurityHeadersMiddleware> app; |
| 15 | app.bindaddr("127.0.0.1").port(45451); |
| 16 | BMCWEB_ROUTE(app, "/")([]() { return boost::beast::http::status::ok; }); |
| 17 | auto _ = async(launch::async, [&] { app.run(); }); |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 18 | |
Ed Tanous | 8f62635 | 2018-12-19 14:51:54 -0800 | [diff] [blame] | 19 | asio::io_context is; |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 20 | std::array<char, 2048> buf; |
| 21 | std::string sendmsg; |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 22 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 23 | { |
| 24 | // Retry a couple of times waiting for the server to come up |
| 25 | // TODO(ed) This is really unfortunate, and should use some form of |
| 26 | // mock |
| 27 | asio::ip::tcp::socket c(is); |
| 28 | for (int i = 0; i < 200; i++) |
| 29 | { |
| 30 | try |
| 31 | { |
| 32 | c.connect(asio::ip::tcp::endpoint( |
| 33 | asio::ip::address::from_string("127.0.0.1"), 45451)); |
| 34 | c.close(); |
| 35 | break; |
| 36 | } |
| 37 | catch (std::exception e) |
| 38 | { |
| 39 | // do nothing. We expect this to fail while the server is |
| 40 | // starting up |
| 41 | } |
| 42 | } |
| 43 | } |
| 44 | |
| 45 | // Test correct login credentials |
| 46 | sendmsg = "GET /\r\n\r\n"; |
| 47 | |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 48 | asio::ip::tcp::socket c(is); |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 49 | c.connect(asio::ip::tcp::endpoint( |
| 50 | asio::ip::address::from_string("127.0.0.1"), 45451)); |
| 51 | c.send(asio::buffer(sendmsg)); |
| 52 | c.receive(asio::buffer(buf)); |
| 53 | c.close(); |
| 54 | auto return_code = std::string(&buf[9], &buf[12]); |
| 55 | EXPECT_EQ("200", return_code); |
| 56 | std::string response(std::begin(buf), std::end(buf)); |
| 57 | |
| 58 | // This is a routine to split strings until a blank is hit |
| 59 | // TODO(ed) this should really use the HTTP parser |
| 60 | std::vector<std::string> headers; |
| 61 | std::string::size_type pos = 0; |
| 62 | std::string::size_type prev = 0; |
| 63 | while ((pos = response.find("\r\n", prev)) != std::string::npos) |
| 64 | { |
| 65 | auto this_string = response.substr(prev, pos - prev); |
| 66 | if (this_string == "") |
| 67 | { |
| 68 | break; |
| 69 | } |
| 70 | headers.push_back(this_string); |
| 71 | prev = pos + 2; |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 72 | } |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 73 | headers.push_back(response.substr(prev)); |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 74 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 75 | EXPECT_EQ(headers[0], "HTTP/1.1 200 OK"); |
| 76 | EXPECT_THAT(headers, ::testing::Contains("Strict-Transport-Security: " |
| 77 | "max-age=31536000; " |
| 78 | "includeSubdomains; preload")); |
| 79 | EXPECT_THAT(headers, ::testing::Contains("X-UA-Compatible: IE=11")); |
| 80 | EXPECT_THAT(headers, ::testing::Contains("X-Frame-Options: DENY")); |
| 81 | EXPECT_THAT(headers, |
| 82 | ::testing::Contains("X-XSS-Protection: 1; mode=block")); |
| 83 | EXPECT_THAT(headers, ::testing::Contains( |
| 84 | "X-Content-Security-Policy: default-src 'self'")); |
| 85 | app.stop(); |
Ed Tanous | b4a7bfa | 2017-04-04 17:23:00 -0700 | [diff] [blame] | 86 | } |