From 557fd9ea187b1279b43ff63b94fedf2320aa3351 Mon Sep 17 00:00:00 2001 From: Daniel Schalla Date: Tue, 16 Oct 2018 16:51:46 +0200 Subject: Set default ciphers, set tls 1.2 via config, set curve prefs (#9315) Config Checks at StartUp Part1 Config Checks; Tests for TLS Server HSTS header implementation + tests make gofmt happy with new go version... make gofmt happy with new go version #2... fix logic bug fix typo Fix unnecessary code block --- web/handlers.go | 4 ++++ web/handlers_test.go | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 53 insertions(+), 2 deletions(-) (limited to 'web') diff --git a/web/handlers.go b/web/handlers.go index 71a43bc48..9b0705a5b 100644 --- a/web/handlers.go +++ b/web/handlers.go @@ -75,6 +75,10 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId) w.Header().Set(model.HEADER_VERSION_ID, fmt.Sprintf("%v.%v.%v.%v", model.CurrentVersion, model.BuildNumber, c.App.ClientConfigHash(), c.App.License() != nil)) + if *c.App.Config().ServiceSettings.TLSStrictTransport { + w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", *c.App.Config().ServiceSettings.TLSStrictTransportMaxAge)) + } + if h.IsStatic { // Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking w.Header().Set("X-Frame-Options", "SAMEORIGIN") diff --git a/web/handlers_test.go b/web/handlers_test.go index 0b9073fff..6b68a9987 100644 --- a/web/handlers_test.go +++ b/web/handlers_test.go @@ -13,7 +13,7 @@ import ( "github.com/stretchr/testify/assert" ) -func handlerForTest(c *Context, w http.ResponseWriter, r *http.Request) { +func handlerForHTTPErrors(c *Context, w http.ResponseWriter, r *http.Request) { c.Err = model.NewAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "", http.StatusFound) } @@ -25,7 +25,7 @@ func TestHandlerServeHTTPErrors(t *testing.T) { if err != nil { panic(err) } - handler := web.NewHandler(handlerForTest) + handler := web.NewHandler(handlerForHTTPErrors) var flagtests = []struct { name string @@ -57,3 +57,50 @@ func TestHandlerServeHTTPErrors(t *testing.T) { }) } } + +func handlerForHTTPSecureTransport(c *Context, w http.ResponseWriter, r *http.Request) { +} + +func TestHandlerServeHTTPSecureTransport(t *testing.T) { + a, err := app.New(app.StoreOverride(testStore), app.DisableConfigWatch) + defer a.Shutdown() + + a.UpdateConfig(func(config *model.Config) { + *config.ServiceSettings.TLSStrictTransport = true + *config.ServiceSettings.TLSStrictTransportMaxAge = 6000 + }) + + web := NewWeb(a, a.Srv.Router) + if err != nil { + panic(err) + } + handler := web.NewHandler(handlerForHTTPSecureTransport) + + request := httptest.NewRequest("GET", "/api/v4/test", nil) + + response := httptest.NewRecorder() + handler.ServeHTTP(response, request) + header := response.Header().Get("Strict-Transport-Security") + + if header == "" { + t.Errorf("Strict-Transport-Security expected but not existent") + } + + if header != "max-age=6000" { + t.Errorf("Expected max-age=6000, got %s", header) + } + + a.UpdateConfig(func(config *model.Config) { + *config.ServiceSettings.TLSStrictTransport = false + }) + + request = httptest.NewRequest("GET", "/api/v4/test", nil) + + response = httptest.NewRecorder() + handler.ServeHTTP(response, request) + header = response.Header().Get("Strict-Transport-Security") + + if header != "" { + t.Errorf("Strict-Transport-Security header is not expected, but returned") + } +} -- cgit v1.2.3-1-g7c22