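// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package web

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/mattermost/mattermost-server/app"
	"github.com/mattermost/mattermost-server/model"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// newTestServer builds an app.Server backed by the shared test store with
// config watching disabled. The caller owns the server and must defer
// s.Shutdown(). Both tests in this file used to duplicate this setup and then
// re-checked an `err` that had already been asserted nil, which made the
// `if err != nil { panic(err) }` after New(...) dead code; New itself returns
// no error.
func newTestServer(t *testing.T) *app.Server {
	s, err := app.NewServer(app.StoreOverride(mainHelper.Store), app.DisableConfigWatch)
	require.Nil(t, err)
	return s
}

// handlerForHTTPErrors always fails with an AppError carrying HTTP status 302,
// so TestHandlerServeHTTPErrors can observe how the generic handler wrapper
// reports an endpoint error to browser callers versus API/mobile callers.
func handlerForHTTPErrors(c *Context, w http.ResponseWriter, r *http.Request) {
	c.Err = model.NewAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "", http.StatusFound)
}

// TestHandlerServeHTTPErrors checks that an error raised inside a handler is
// turned into a redirect to the web app's error page only for non-API
// requests that do not originate from the mobile app. API requests and
// requests tagged with the X-Mobile-App header must not be bounced to
// "/error?message=" (they are expected to receive the error in-band instead).
func TestHandlerServeHTTPErrors(t *testing.T) {
	s := newTestServer(t)
	defer s.Shutdown()

	handler := New(s, s.AppOptions, s.Router).NewHandler(handlerForHTTPErrors)

	tests := []struct {
		name     string
		url      string
		mobile   bool
		redirect bool
	}{
		{"redirect on desktop non-api endpoint", "/login/sso/saml", false, true},
		{"not redirect on desktop api endpoint", "/api/v4/test", false, false},
		{"not redirect on mobile non-api endpoint", "/login/sso/saml", true, false},
		{"not redirect on mobile api endpoint", "/api/v4/test", true, false},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			request := httptest.NewRequest("GET", tc.url, nil)
			if tc.mobile {
				// The server identifies mobile clients by this header.
				request.Header.Set("X-Mobile-App", "mattermost")
			}
			response := httptest.NewRecorder()
			handler.ServeHTTP(response, request)

			if !tc.redirect {
				// The error's own status code (302) is still used for the in-band
				// response, so the status alone cannot distinguish the two paths;
				// what matters is that no error-page redirect was rendered.
				assert.NotContains(t, response.Body.String(), "/error?message=")
				return
			}

			// testify's Equal takes (expected, actual); keeping that order makes
			// failure output read correctly.
			assert.Equal(t, http.StatusFound, response.Code)
			// A 302 without a Location header would never reach the error page.
			assert.NotEmpty(t, response.Header().Get("Location"))
		})
	}
}

// handlerForHTTPSecureTransport is a deliberately empty endpoint: the
// Strict-Transport-Security header under test is added by the generic handler
// wrapper, not by the endpoint itself.
func handlerForHTTPSecureTransport(c *Context, w http.ResponseWriter, r *http.Request) {
}

// TestHandlerServeHTTPSecureTransport verifies that the handler emits an HSTS
// header with exactly the configured max-age while TLSStrictTransport is
// enabled, and emits no HSTS header at all once it is disabled. Config is
// changed between requests on the same handler, so the wrapper must read the
// setting per request rather than caching it at construction time.
//
// NOTE(review): the requests here are plain-HTTP httptest requests and the
// header is still expected, i.e. the wrapper appears to emit HSTS regardless
// of the request scheme. That is harmless — browsers only honour HSTS received
// over TLS (RFC 6797 §8.1) — but it means this test says nothing about
// TLS-only behaviour.
func TestHandlerServeHTTPSecureTransport(t *testing.T) {
	s := newTestServer(t)
	defer s.Shutdown()

	a := s.FakeApp()

	a.UpdateConfig(func(cfg *model.Config) {
		*cfg.ServiceSettings.TLSStrictTransport = true
		*cfg.ServiceSettings.TLSStrictTransportMaxAge = 6000
	})

	handler := New(s, s.AppOptions, s.Router).NewHandler(handlerForHTTPSecureTransport)

	// hsts issues one request through the handler and returns whatever HSTS
	// header (if any) came back.
	hsts := func() string {
		response := httptest.NewRecorder()
		handler.ServeHTTP(response, httptest.NewRequest("GET", "/api/v4/test", nil))
		return response.Header().Get("Strict-Transport-Security")
	}

	// The two settings toggled here control only presence and max-age, so the
	// header is expected to be exactly "max-age=6000". A single exact-match
	// assertion also covers the "header missing" case the original tested
	// separately (an empty string never equals "max-age=6000").
	assert.Equal(t, "max-age=6000", hsts(), "Strict-Transport-Security should carry the configured max-age")

	a.UpdateConfig(func(cfg *model.Config) {
		*cfg.ServiceSettings.TLSStrictTransport = false
	})

	assert.Empty(t, hsts(), "Strict-Transport-Security must not be sent when TLSStrictTransport is disabled")
}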