From ea4079da4bcfa626b20eeda99394345dfccaecd9 Mon Sep 17 00:00:00 2001
From: Shrikant Sharat Kandula
Date: Tue, 19 Dec 2023 17:01:28 +0530
Subject: [PATCH] test: Route tests for frame ancestors config

---
 deploy/docker/route-tests/Dockerfile | 3 +-
 .../custom-domain.hurl | 2 +-
 .../common/index-html-response.hurl | 6 +++
 deploy/docker/route-tests/entrypoint.sh | 49 +++++++++++++++++-
 deploy/docker/route-tests/run.sh | 2 +-
 .../route-tests/spec-2/custom-domain.hurl | 27 ----------
 6 files changed, 53 insertions(+), 36 deletions(-)
 rename deploy/docker/route-tests/{spec-3 => common-https}/custom-domain.hurl (86%)
 delete mode 100644 deploy/docker/route-tests/spec-2/custom-domain.hurl

diff --git a/deploy/docker/route-tests/Dockerfile b/deploy/docker/route-tests/Dockerfile
index 075747550b..f465f4527c 100644
--- a/deploy/docker/route-tests/Dockerfile
+++ b/deploy/docker/route-tests/Dockerfile
@@ -1,8 +1,7 @@
 FROM node:lts-alpine
 RUN apk add --no-cache bash caddy \
- && apk add --no-cache hurl mkcert --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/ \
- && mkcert -install
+ && apk add --no-cache hurl mkcert --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/
 WORKDIR /code
diff --git a/deploy/docker/route-tests/spec-3/custom-domain.hurl b/deploy/docker/route-tests/common-https/custom-domain.hurl
similarity index 86%
rename from deploy/docker/route-tests/spec-3/custom-domain.hurl
rename to deploy/docker/route-tests/common-https/custom-domain.hurl
index a1a391bef9..aae858e397 100644
--- a/deploy/docker/route-tests/spec-3/custom-domain.hurl
+++ b/deploy/docker/route-tests/common-https/custom-domain.hurl
@@ -16,7 +16,7 @@ GET https://custom-domain.com
 HTTP 200
 [Asserts]
 header "Server" not exists
-certificate "Issuer" == "O = mkcert development CA, OU = root@ar, CN = mkcert root@ar"
+certificate "Issuer" contains "{{ca_issuer}}"
 GET https://custom-domain.com/random/path
 HTTP 200
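Review bot: Dropping `mkcert -install` means the mkcert root is no longer in the image's trust store, so the HTTPS requests in Spec 3 can only pass if `run-hurl` already disables or redirects certificate verification; `run-hurl` is defined outside this patch, so I cannot confirm that. Because the tests now assert the issuer explicitly instead of relying on trust, a comment on the `apk add` line such as `# mkcert root is deliberately NOT installed: the hurl specs assert the certificate issuer instead of trusting it` would stop the next reader from re-adding the install step. Note that this only takes effect once the image is rebuilt.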
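Review bot: Replacing `==` with `contains "{{ca_issuer}}"` turns the issuer check into a substring match, which is what the per-spec values need, but nothing in the file says where `ca_issuer` comes from or why the mkcert value is only the `O =` component while the Caddy value is the full `CN`. A comment above the assertion, e.g. `# ca_issuer is passed per spec by entrypoint.sh (--variable); mkcert's OU/CN embed the build user@host, so only O= is stable`, would document the partial match so it is not tightened back to `==` by mistake. The redirect checks in the first fifteen lines of this renamed file are outside the hunk, so I am assuming they still match the deleted spec-2 file.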
diff --git a/deploy/docker/route-tests/common/index-html-response.hurl b/deploy/docker/route-tests/common/index-html-response.hurl
index 068f55e6d8..2959a7fcc9 100644
--- a/deploy/docker/route-tests/common/index-html-response.hurl
+++ b/deploy/docker/route-tests/common/index-html-response.hurl
@@ -1,6 +1,7 @@
 GET http://localhost
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -8,6 +9,7 @@ body == "index.html body"
 GET http://127.0.0.1
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -15,6 +17,7 @@ body == "index.html body"
 GET http://local.com
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -22,6 +25,7 @@ body == "index.html body"
 GET http://localhost/some/non/handled/path
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -29,6 +33,7 @@ body == "index.html body"
 GET http://127.0.0.1/some/non/handled/path
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -36,6 +41,7 @@ body == "index.html body"
 GET http://local.com/some/non/handled/path
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
diff --git a/deploy/docker/route-tests/entrypoint.sh b/deploy/docker/route-tests/entrypoint.sh
index 916a061448..868363cdad 100644
--- a/deploy/docker/route-tests/entrypoint.sh
+++ b/deploy/docker/route-tests/entrypoint.sh
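Review bot: A header line under `HTTP 200` is an exact-value assertion on `Content-Security-Policy`, so these checks pass only while `frame-ancestors` is the sole directive the server emits; the same line is added in the five following hunks of this file, and all six would fail together the moment any other CSP directive is introduced. If the intent is specifically to pin the framing policy, `header "Content-Security-Policy" contains "frame-ancestors {{frame_ancestors}}"` under `[Asserts]` isolates that; if the intent is to pin the entire policy, a one-line comment saying so at the top of the file would make the choice deliberate. Either way the expected default value (`'self'`) lives only in entrypoint.sh, which is worth naming in that comment.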
@@ -3,11 +3,14 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-#set -o xtrace
 new-spec() {
 echo "-----------" "$@" "-----------"
- unset APPSMITH_CUSTOM_DOMAIN
+
+ # Unset influencing state
+ unset APPSMITH_CUSTOM_DOMAIN APPSMITH_ALLOWED_FRAME_ANCESTORS
+
+ # Clean custom certificates
 mkdir -p /appsmith-stacks/ssl
 find /appsmith-stacks/ssl -type f -delete
 }
@@ -59,8 +62,12 @@ caddy start --config "$TMP/Caddyfile" >> "$TMP/caddy.log" 2>&1
 sleep 1
+# Default values for Hurl variables
+export HURL_frame_ancestors="'self'"
-new-spec "Spec 1: With no custom domain"
+
+
+# Run tests, scenario by scenario
+new-spec "Spec 1: With no custom domain and no frame ancestors"
 node /caddy-reconfigure.mjs
 reload-caddy
 run-hurl common/*.hurl
@@ -72,7 +79,8 @@ node /caddy-reconfigure.mjs
 #sed -i '2i acme_ca https://acme-staging-v02.api.letsencrypt.org/directory' "$TMP/Caddyfile"
 sed -i '/https:\/\/'"$APPSMITH_CUSTOM_DOMAIN"' {$/a tls internal' "$TMP/Caddyfile"
 reload-caddy
-run-hurl common/*.hurl common-https/*.hurl spec-2/*.hurl
+run-hurl --variable ca_issuer="CN = Caddy Local Authority - ECC Intermediate" \
+ common/*.hurl common-https/*.hurl
 new-spec "Spec 3: With a custom domain, certs given in ssl folder"
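Review bot: `new-spec` now unsets `APPSMITH_ALLOWED_FRAME_ANCESTORS`, and the later specs deliberately distinguish an unset variable (Spec 1, Spec 4) from one exported as empty (Spec 5, Spec 7); that distinction is what the reset relies on, yet the function header does not say so. A comment such as `# Reset state that influences caddy-reconfigure: unset (not empty) the env vars and drop custom certs, so every spec starts from the same baseline` would make it explicit. It is also worth stating that `HURL_frame_ancestors`, exported later in the file, is intentionally left alone here if that is the intent.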
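Review bot: `export HURL_frame_ancestors="'self'"` encodes the expectation that with `APPSMITH_ALLOWED_FRAME_ANCESTORS` unset the server emits `frame-ancestors 'self'`, but Spec 1's title says "no frame ancestors" and nothing states that `'self'` is the expected default. A comment next to the export, e.g. `# Expected CSP when APPSMITH_ALLOWED_FRAME_ANCESTORS is unset or empty: frame-ancestors 'self'`, would make the contract under test explicit. Since `ca_issuer` is passed with `--variable` while this one rides on Hurl's `HURL_` env-var convention, a word on why the two mechanisms differ would help a reader who does not know that prefix.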
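Review bot: The hard-coded `CN = Caddy Local Authority - ECC Intermediate` value depends on how caddy names its `tls internal` intermediate and will need updating whenever the image's caddy package changes, with nothing at the call site explaining where it comes from. A short comment above the call, e.g. `# Issuer of caddy's built-in 'tls internal' intermediate; revisit if the caddy package is bumped`, would tell the next maintainer what a failure here means. `run-hurl` is defined outside this hunk, so I am assuming it forwards `--variable` through to hurl unchanged.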
@@ -80,4 +88,35 @@ export APPSMITH_CUSTOM_DOMAIN=custom-domain.com
 mkcert -cert-file "/appsmith-stacks/ssl/fullchain.pem" -key-file "/appsmith-stacks/ssl/privkey.pem" "$APPSMITH_CUSTOM_DOMAIN"
 node /caddy-reconfigure.mjs
 reload-caddy
-run-hurl common/*.hurl spec-3/*.hurl
+run-hurl --variable ca_issuer="O = mkcert development CA" \
+ common/*.hurl common-https/*.hurl
+
+
+new-spec "Spec 4: No custom domain, but certs present in ssl folder"
+mkcert -cert-file "/appsmith-stacks/ssl/fullchain.pem" -key-file "/appsmith-stacks/ssl/privkey.pem" random-domain.com
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl common/*.hurl
+
+
+new-spec "Spec 5: Empty custom domain, but certs present in ssl folder"
+export APPSMITH_CUSTOM_DOMAIN=""
+mkcert -cert-file "/appsmith-stacks/ssl/fullchain.pem" -key-file "/appsmith-stacks/ssl/privkey.pem" random-domain.com
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl common/*.hurl
+
+
+new-spec "Spec 6: Custom frame ancestors"
+export APPSMITH_ALLOWED_FRAME_ANCESTORS="something.com another.com"
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl --variable frame_ancestors="something.com another.com" \
+ common/*.hurl
+
+
+new-spec "Spec 7: Empty frame ancestors"
+export APPSMITH_ALLOWED_FRAME_ANCESTORS=""
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl common/*.hurl
diff --git a/deploy/docker/route-tests/run.sh b/deploy/docker/route-tests/run.sh
index 85abf91847..2acfc5d8be 100755
--- a/deploy/docker/route-tests/run.sh
+++ b/deploy/docker/route-tests/run.sh
@@ -4,7 +4,7 @@ set -o errexit
 set -o nounset
 loc="$(dirname "$0")"
-docker build -f "$loc/Dockerfile" --tag ar "$loc/.."
+#docker build -f "$loc/Dockerfile" --tag ar "$loc/.."
 docker run \
 --name ar \
 --rm \
diff --git a/deploy/docker/route-tests/spec-2/custom-domain.hurl b/deploy/docker/route-tests/spec-2/custom-domain.hurl
deleted file mode 100644
index c48772343f..0000000000
--- a/deploy/docker/route-tests/spec-2/custom-domain.hurl
+++ /dev/null
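Review bot: Spec 7 exports `APPSMITH_ALLOWED_FRAME_ANCESTORS=""` and then runs `common/*.hurl` without overriding `frame_ancestors`, so it asserts that an empty value yields `frame-ancestors 'self'` rather than an empty source list or a missing header; that is a deliberate hardening expectation and deserves a comment, e.g. `# Empty value must fall back to 'self', not to an empty source list or no header`. The mkcert issuer variable at the top of this hunk is only the `O =` component because mkcert's OU/CN embed the build user and host (compare the value removed in the renamed hurl file); `# Only O= is stable; mkcert's OU/CN embed user@host of the image build` would explain the partial match. In Spec 6 the same literal is typed twice; a single local such as `allowed="something.com another.com"` used for both the export and `--variable frame_ancestors="$allowed"` keeps the two from diverging.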
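Review bot: Commenting out `docker build` makes `run.sh` depend on a pre-existing local `ar` image, so a fresh checkout fails at `docker run`, and the Dockerfile change in this same patch (dropping `mkcert -install`) never reaches the image unless someone rebuilds by hand. This reads as a local-iteration leftover; restore `docker build -f "$loc/Dockerfile" --tag ar "$loc/.."` or, if skipping the build is useful while iterating, guard it behind an opt-out variable of your choosing (constructed example: `[[ "${SKIP_BUILD:-}" == 1 ]] || docker build -f "$loc/Dockerfile" --tag ar "$loc/.."`) so the default path still builds.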
@@ -1,27 +0,0 @@
-GET http://custom-domain.com
-HTTP 302
-Location: https://custom-domain.com/
-[Asserts]
-header "Server" not exists
-
-GET http://custom-domain.com/random/path
-HTTP 302
-Location: https://custom-domain.com/random/path
-[Asserts]
-header "Server" not exists
-
-GET https://custom-domain.com
-HTTP 200
-[Asserts]
-header "Server" not exists
-certificate "Issuer" == "CN = Caddy Local Authority - ECC Intermediate"
-
-GET https://custom-domain.com/random/path
-HTTP 200
-[Asserts]
-header "Server" not exists
-
-GET https://custom-domain.com/static/x
-HTTP 404
-[Asserts]
-header "Server" not exists