1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package web
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/mattermost/mattermost-server/app"
"github.com/mattermost/mattermost-server/model"
"github.com/stretchr/testify/assert"
)
func handlerForHTTPErrors(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = model.NewAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "", http.StatusFound)
}
func TestHandlerServeHTTPErrors(t *testing.T) {
a, err := app.New(app.StoreOverride(testStore), app.DisableConfigWatch)
defer a.Shutdown()
web := NewWeb(a, a.Srv.Router)
if err != nil {
panic(err)
}
handler := web.NewHandler(handlerForHTTPErrors)
var flagtests = []struct {
name string
url string
mobile bool
redirect bool
}{
{"redirect on destkop non-api endpoint", "/login/sso/saml", false, true},
{"not redirect on destkop api endpoint", "/api/v4/test", false, false},
{"not redirect on mobile non-api endpoint", "/login/sso/saml", true, false},
{"not redirect on mobile api endpoint", "/api/v4/test", true, false},
}
for _, tt := range flagtests {
t.Run(tt.name, func(t *testing.T) {
request := httptest.NewRequest("GET", tt.url, nil)
if tt.mobile {
request.Header.Add("X-Mobile-App", "mattermost")
}
response := httptest.NewRecorder()
handler.ServeHTTP(response, request)
if tt.redirect {
assert.Equal(t, response.Code, http.StatusFound)
} else {
assert.NotContains(t, response.Body.String(), "/error?message=")
}
})
}
}
func handlerForHTTPSecureTransport(c *Context, w http.ResponseWriter, r *http.Request) {
}
func TestHandlerServeHTTPSecureTransport(t *testing.T) {
a, err := app.New(app.StoreOverride(testStore), app.DisableConfigWatch)
defer a.Shutdown()
a.UpdateConfig(func(config *model.Config) {
*config.ServiceSettings.TLSStrictTransport = true
*config.ServiceSettings.TLSStrictTransportMaxAge = 6000
})
web := NewWeb(a, a.Srv.Router)
if err != nil {
panic(err)
}
handler := web.NewHandler(handlerForHTTPSecureTransport)
request := httptest.NewRequest("GET", "/api/v4/test", nil)
response := httptest.NewRecorder()
handler.ServeHTTP(response, request)
header := response.Header().Get("Strict-Transport-Security")
if header == "" {
t.Errorf("Strict-Transport-Security expected but not existent")
}
if header != "max-age=6000" {
t.Errorf("Expected max-age=6000, got %s", header)
}
a.UpdateConfig(func(config *model.Config) {
*config.ServiceSettings.TLSStrictTransport = false
})
request = httptest.NewRequest("GET", "/api/v4/test", nil)
response = httptest.NewRecorder()
handler.ServeHTTP(response, request)
header = response.Header().Get("Strict-Transport-Security")
if header != "" {
t.Errorf("Strict-Transport-Security header is not expected, but returned")
}
}
|
