test: Route tests for frame ancestors config

deploy/docker/route-tests/Dockerfile

@@ -1,8 +1,7 @@
 FROM node:lts-alpine
 
 RUN apk add --no-cache bash caddy \
-  && apk add --no-cache hurl mkcert --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/ \
+  && apk add --no-cache hurl mkcert --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/
-  && mkcert -install
 
 WORKDIR /code
 

deploy/docker/route-tests/common-https/custom-domain.hurl

@@ -16,7 +16,7 @@ GET https://custom-domain.com
 HTTP 200
 [Asserts]
 header "Server" not exists
-certificate "Issuer" == "O = mkcert development CA, OU = root@ar, CN = mkcert root@ar"
+certificate "Issuer" contains "{{ca_issuer}}"
 
 GET https://custom-domain.com/random/path
 HTTP 200

deploy/docker/route-tests/common/index-html-response.hurl

@@ -1,6 +1,7 @@
 GET http://localhost
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -8,6 +9,7 @@ body == "index.html body"
 GET http://127.0.0.1
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -15,6 +17,7 @@ body == "index.html body"
 GET http://local.com
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -22,6 +25,7 @@ body == "index.html body"
 GET http://localhost/some/non/handled/path
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -29,6 +33,7 @@ body == "index.html body"
 GET http://127.0.0.1/some/non/handled/path
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"
@@ -36,6 +41,7 @@ body == "index.html body"
 GET http://local.com/some/non/handled/path
 HTTP 200
 Content-Type: text/html; charset=utf-8
+Content-Security-Policy: frame-ancestors {{frame_ancestors}}
 [Asserts]
 header "Server" not exists
 body == "index.html body"

deploy/docker/route-tests/entrypoint.sh

@@ -3,11 +3,14 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-#set -o xtrace
 
 new-spec() {
   echo "-----------" "$@" "-----------"
-  unset APPSMITH_CUSTOM_DOMAIN
+
+  # Unset influencing state
+  unset APPSMITH_CUSTOM_DOMAIN APPSMITH_ALLOWED_FRAME_ANCESTORS
+
+  # Clean custom certificates
   mkdir -p /appsmith-stacks/ssl
   find /appsmith-stacks/ssl -type f -delete
 }
@@ -59,8 +62,12 @@ caddy start --config "$TMP/Caddyfile" >> "$TMP/caddy.log" 2>&1
 
 sleep 1
 
+# Default values for Hurl variables
+export HURL_frame_ancestors="'self'"
 
-new-spec "Spec 1: With no custom domain"
+
+# Run tests, scenario by scenario
+new-spec "Spec 1: With no custom domain and no frame ancestors"
 node /caddy-reconfigure.mjs
 reload-caddy
 run-hurl common/*.hurl
@@ -72,7 +79,8 @@ node /caddy-reconfigure.mjs
 #sed -i '2i acme_ca https://acme-staging-v02.api.letsencrypt.org/directory' "$TMP/Caddyfile"
 sed -i '/https:\/\/'"$APPSMITH_CUSTOM_DOMAIN"' {$/a tls internal' "$TMP/Caddyfile"
 reload-caddy
-run-hurl common/*.hurl common-https/*.hurl spec-2/*.hurl
+run-hurl --variable ca_issuer="CN = Caddy Local Authority - ECC Intermediate" \
+  common/*.hurl common-https/*.hurl
 
 
 new-spec "Spec 3: With a custom domain, certs given in ssl folder"
@@ -80,4 +88,35 @@ export APPSMITH_CUSTOM_DOMAIN=custom-domain.com
 mkcert -cert-file "/appsmith-stacks/ssl/fullchain.pem" -key-file "/appsmith-stacks/ssl/privkey.pem" "$APPSMITH_CUSTOM_DOMAIN"
 node /caddy-reconfigure.mjs
 reload-caddy
-run-hurl common/*.hurl spec-3/*.hurl
+run-hurl --variable ca_issuer="O = mkcert development CA" \
+  common/*.hurl common-https/*.hurl
+
+
+new-spec "Spec 4: No custom domain, but certs present in ssl folder"
+mkcert -cert-file "/appsmith-stacks/ssl/fullchain.pem" -key-file "/appsmith-stacks/ssl/privkey.pem" random-domain.com
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl common/*.hurl
+
+
+new-spec "Spec 5: Empty custom domain, but certs present in ssl folder"
+export APPSMITH_CUSTOM_DOMAIN=""
+mkcert -cert-file "/appsmith-stacks/ssl/fullchain.pem" -key-file "/appsmith-stacks/ssl/privkey.pem" random-domain.com
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl common/*.hurl
+
+
+new-spec "Spec 6: Custom frame ancestors"
+export APPSMITH_ALLOWED_FRAME_ANCESTORS="something.com another.com"
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl --variable frame_ancestors="something.com another.com" \
+  common/*.hurl
+
+
+new-spec "Spec 7: Empty frame ancestors"
+export APPSMITH_ALLOWED_FRAME_ANCESTORS=""
+node /caddy-reconfigure.mjs
+reload-caddy
+run-hurl common/*.hurl

deploy/docker/route-tests/run.sh

@@ -4,7 +4,7 @@ set -o errexit
 set -o nounset
 
 loc="$(dirname "$0")"
-docker build -f "$loc/Dockerfile" --tag ar "$loc/.."
+#docker build -f "$loc/Dockerfile" --tag ar "$loc/.."
 docker run \
   --name ar \
   --rm \

deploy/docker/route-tests/spec-2/custom-domain.hurl

@@ -1,27 +0,0 @@
-GET http://custom-domain.com
-HTTP 302
-Location: https://custom-domain.com/
-[Asserts]
-header "Server" not exists
-
-GET http://custom-domain.com/random/path
-HTTP 302
-Location: https://custom-domain.com/random/path
-[Asserts]
-header "Server" not exists
-
-GET https://custom-domain.com
-HTTP 200
-[Asserts]
-header "Server" not exists
-certificate "Issuer" == "CN = Caddy Local Authority - ECC Intermediate"
-
-GET https://custom-domain.com/random/path
-HTTP 200
-[Asserts]
-header "Server" not exists
-
-GET https://custom-domain.com/static/x
-HTTP 404
-[Asserts]
-header "Server" not exists