aboutsummaryrefslogblamecommitdiffstats
path: root/actionpack/test/dispatch/ssl_test.rb
blob: 7ced41bc2e21c2d8ad47f2e2ae3915769b9f9e4c (plain) (tree)





















                                                                                 
                                                                               









                                                      





                                                   




                                                            









                                                                   
                                                            








                                                                                 






                                                                                    


























                                                                                     

























                                                                




























                                                              

     













                                                               




























                                                                                              






                                                                                   













                                                                               
require 'abstract_unit'

class SSLTest < ActionDispatch::IntegrationTest
  def default_app
    lambda { |env|
      headers = {'Content-Type' => "text/html"}
      headers['Set-Cookie'] = "id=1; path=/\ntoken=abc; path=/; secure; HttpOnly"
      [200, headers, ["OK"]]
    }
  end

  def app
    @app ||= ActionDispatch::SSL.new(default_app)
  end
  attr_writer :app

  def test_allows_https_url
    get "https://example.org/path?key=value"
    assert_response :success
  end

  def test_allows_https_proxy_header_url
    get "http://example.org/", headers: { 'HTTP_X_FORWARDED_PROTO' => "https" }
    assert_response :success
  end

  def test_redirects_http_to_https
    get "http://example.org/path?key=value"
    assert_response :redirect
    assert_equal "https://example.org/path?key=value",
      response.headers['Location']
  end

  def test_hsts_header_by_default
    get "https://example.org/"
    assert_equal "max-age=31536000",
      response.headers['Strict-Transport-Security']
  end

  def test_no_hsts_with_insecure_connection
    get "http://example.org/"
    assert_not response.headers['Strict-Transport-Security']
  end

  def test_hsts_header
    self.app = ActionDispatch::SSL.new(default_app, :hsts => true)
    get "https://example.org/"
    assert_equal "max-age=31536000",
      response.headers['Strict-Transport-Security']
  end

  def test_disable_hsts_header
    self.app = ActionDispatch::SSL.new(default_app, :hsts => false)
    get "https://example.org/"
    assert_not response.headers['Strict-Transport-Security']
  end

  def test_hsts_expires
    self.app = ActionDispatch::SSL.new(default_app, :hsts => { :expires => 500 })
    get "https://example.org/"
    assert_equal "max-age=500",
      response.headers['Strict-Transport-Security']
  end

  def test_hsts_expires_with_duration
    self.app = ActionDispatch::SSL.new(default_app, :hsts => { :expires => 1.year })
    get "https://example.org/"
    assert_equal "max-age=31557600",
      response.headers['Strict-Transport-Security']
  end

  def test_hsts_include_subdomains
    self.app = ActionDispatch::SSL.new(default_app, :hsts => { :subdomains => true })
    get "https://example.org/"
    assert_equal "max-age=31536000; includeSubDomains",
      response.headers['Strict-Transport-Security']
  end

  def test_flag_cookies_as_secure
    get "https://example.org/"
    assert_equal ["id=1; path=/; secure", "token=abc; path=/; secure; HttpOnly" ],
      response.headers['Set-Cookie'].split("\n")
  end

  def test_flag_cookies_as_secure_at_end_of_line
    self.app = ActionDispatch::SSL.new(lambda { |env|
      headers = {
        'Content-Type' => "text/html",
        'Set-Cookie' => "problem=def; path=/; HttpOnly; secure"
      }
      [200, headers, ["OK"]]
    })

    get "https://example.org/"
    assert_equal ["problem=def; path=/; HttpOnly; secure"],
      response.headers['Set-Cookie'].split("\n")
  end

  def test_flag_cookies_as_secure_with_more_spaces_before
    self.app = ActionDispatch::SSL.new(lambda { |env|
      headers = {
        'Content-Type' => "text/html",
        'Set-Cookie' => "problem=def; path=/; HttpOnly;  secure"
      }
      [200, headers, ["OK"]]
    })

    get "https://example.org/"
    assert_equal ["problem=def; path=/; HttpOnly;  secure"],
      response.headers['Set-Cookie'].split("\n")
  end

  def test_flag_cookies_as_secure_with_more_spaces_after
    self.app = ActionDispatch::SSL.new(lambda { |env|
      headers = {
        'Content-Type' => "text/html",
        'Set-Cookie' => "problem=def; path=/; secure;  HttpOnly"
      }
      [200, headers, ["OK"]]
    })

    get "https://example.org/"
    assert_equal ["problem=def; path=/; secure;  HttpOnly"],
      response.headers['Set-Cookie'].split("\n")
  end


  def test_flag_cookies_as_secure_with_has_not_spaces_before
    self.app = ActionDispatch::SSL.new(lambda { |env|
      headers = {
        'Content-Type' => "text/html",
        'Set-Cookie' => "problem=def; path=/;secure; HttpOnly"
      }
      [200, headers, ["OK"]]
    })

    get "https://example.org/"
    assert_equal ["problem=def; path=/;secure; HttpOnly"],
      response.headers['Set-Cookie'].split("\n")
  end

  def test_flag_cookies_as_secure_with_has_not_spaces_after
    self.app = ActionDispatch::SSL.new(lambda { |env|
      headers = {
        'Content-Type' => "text/html",
        'Set-Cookie' => "problem=def; path=/; secure;HttpOnly"
      }
      [200, headers, ["OK"]]
    })

    get "https://example.org/"
    assert_equal ["problem=def; path=/; secure;HttpOnly"],
      response.headers['Set-Cookie'].split("\n")
  end

  def test_flag_cookies_as_secure_with_ignore_case
    self.app = ActionDispatch::SSL.new(lambda { |env|
      headers = {
        'Content-Type' => "text/html",
        'Set-Cookie' => "problem=def; path=/; Secure; HttpOnly"
      }
      [200, headers, ["OK"]]
    })

    get "https://example.org/"
    assert_equal ["problem=def; path=/; Secure; HttpOnly"],
      response.headers['Set-Cookie'].split("\n")
  end

  def test_no_cookies
    self.app = ActionDispatch::SSL.new(lambda { |env|
      [200, {'Content-Type' => "text/html"}, ["OK"]]
    })
    get "https://example.org/"
    assert !response.headers['Set-Cookie']
  end

  def test_redirect_to_host
    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org")
    get "http://example.org/path?key=value"
    assert_equal "https://ssl.example.org/path?key=value",
      response.headers['Location']
  end

  def test_redirect_to_port
    self.app = ActionDispatch::SSL.new(default_app, :port => 8443)
    get "http://example.org/path?key=value"
    assert_equal "https://example.org:8443/path?key=value",
      response.headers['Location']
  end

  def test_redirect_to_host_and_port
    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org", :port => 8443)
    get "http://example.org/path?key=value"
    assert_equal "https://ssl.example.org:8443/path?key=value",
      response.headers['Location']
  end

  def test_redirect_to_host_with_port
    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org:443")
    get "http://example.org/path?key=value"
    assert_equal "https://ssl.example.org:443/path?key=value",
      response.headers['Location']
  end

  def test_redirect_to_secure_host_when_on_subdomain
    self.app = ActionDispatch::SSL.new(default_app, :host => "ssl.example.org")
    get "http://ssl.example.org/path?key=value"
    assert_equal "https://ssl.example.org/path?key=value",
      response.headers['Location']
  end

  def test_redirect_to_secure_subdomain_when_on_deep_subdomain
    self.app = ActionDispatch::SSL.new(default_app, :host => "example.co.uk")
    get "http://double.rainbow.what.does.it.mean.example.co.uk/path?key=value"
    assert_equal "https://example.co.uk/path?key=value",
      response.headers['Location']
  end
end