555ab5e669
Implement complete workflow for assigning security header profiles to proxy hosts via dropdown selector in ProxyHostForm. Backend Changes: - Add security_header_profile_id handling to proxy host update endpoint - Add SecurityHeaderProfile preloading in service layer - Add 5 comprehensive tests for profile CRUD operations Frontend Changes: - Add Security Headers section to ProxyHostForm with dropdown - Group profiles: System Profiles (presets) vs Custom Profiles - Remove confusing "Apply" button from SecurityHeaders page - Rename section to "System Profiles (Read-Only)" for clarity - Show security score inline when profile selected UX Improvements: - Clear workflow: Select profile → Assign to host → Caddy applies - No more confusion about what "Apply" does - Discoverable security header assignment - Visual distinction between presets and custom profiles Tests: Backend 85.6%, Frontend 87.21% coverage Docs: Updated workflows in docs/features.md
368 lines
11 KiB
Go
368 lines
11 KiB
Go
package caddy
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/Wikid82/charon/backend/internal/models"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestBuildSecurityHeadersHandler_AllEnabled(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
HSTSEnabled: true,
|
|
HSTSMaxAge: 31536000,
|
|
HSTSIncludeSubdomains: true,
|
|
HSTSPreload: true,
|
|
CSPEnabled: true,
|
|
CSPDirectives: `{"default-src":["'self'"],"script-src":["'self'"]}`,
|
|
CSPReportOnly: false,
|
|
XFrameOptions: "DENY",
|
|
XContentTypeOptions: true,
|
|
ReferrerPolicy: "no-referrer",
|
|
PermissionsPolicy: `[{"feature":"camera","allowlist":[]}]`,
|
|
CrossOriginOpenerPolicy: "same-origin",
|
|
CrossOriginResourcePolicy: "same-origin",
|
|
CrossOriginEmbedderPolicy: "require-corp",
|
|
XSSProtection: true,
|
|
CacheControlNoStore: true,
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
assert.Equal(t, "headers", handler["handler"])
|
|
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
|
|
assert.Contains(t, headers["Strict-Transport-Security"][0], "max-age=31536000")
|
|
assert.Contains(t, headers["Strict-Transport-Security"][0], "includeSubDomains")
|
|
assert.Contains(t, headers["Strict-Transport-Security"][0], "preload")
|
|
assert.Contains(t, headers, "Content-Security-Policy")
|
|
assert.Equal(t, "DENY", headers["X-Frame-Options"][0])
|
|
assert.Equal(t, "nosniff", headers["X-Content-Type-Options"][0])
|
|
assert.Equal(t, "no-referrer", headers["Referrer-Policy"][0])
|
|
assert.Contains(t, headers, "Permissions-Policy")
|
|
assert.Equal(t, "same-origin", headers["Cross-Origin-Opener-Policy"][0])
|
|
assert.Equal(t, "same-origin", headers["Cross-Origin-Resource-Policy"][0])
|
|
assert.Equal(t, "require-corp", headers["Cross-Origin-Embedder-Policy"][0])
|
|
assert.Equal(t, "1; mode=block", headers["X-XSS-Protection"][0])
|
|
assert.Equal(t, "no-store", headers["Cache-Control"][0])
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_HSTSOnly(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
HSTSEnabled: true,
|
|
HSTSMaxAge: 31536000,
|
|
HSTSIncludeSubdomains: true,
|
|
HSTSPreload: false,
|
|
CSPEnabled: false,
|
|
XFrameOptions: "SAMEORIGIN",
|
|
XContentTypeOptions: true,
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
|
|
assert.Contains(t, headers["Strict-Transport-Security"][0], "max-age=31536000")
|
|
assert.Contains(t, headers["Strict-Transport-Security"][0], "includeSubDomains")
|
|
assert.NotContains(t, headers["Strict-Transport-Security"][0], "preload")
|
|
assert.NotContains(t, headers, "Content-Security-Policy")
|
|
assert.Equal(t, "SAMEORIGIN", headers["X-Frame-Options"][0])
|
|
assert.Equal(t, "nosniff", headers["X-Content-Type-Options"][0])
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_CSPOnly(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
HSTSEnabled: false,
|
|
CSPEnabled: true,
|
|
CSPDirectives: `{
|
|
"default-src": ["'self'"],
|
|
"script-src": ["'self'", "https://cdn.example.com"],
|
|
"style-src": ["'self'", "'unsafe-inline'"]
|
|
}`,
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
|
|
assert.NotContains(t, headers, "Strict-Transport-Security")
|
|
assert.Contains(t, headers, "Content-Security-Policy")
|
|
csp := headers["Content-Security-Policy"][0]
|
|
assert.Contains(t, csp, "default-src 'self'")
|
|
assert.Contains(t, csp, "script-src 'self' https://cdn.example.com")
|
|
assert.Contains(t, csp, "style-src 'self' 'unsafe-inline'")
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_CSPReportOnly(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
CSPEnabled: true,
|
|
CSPDirectives: `{"default-src":["'self'"]}`,
|
|
CSPReportOnly: true,
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
|
|
assert.NotContains(t, headers, "Content-Security-Policy")
|
|
assert.Contains(t, headers, "Content-Security-Policy-Report-Only")
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_NoProfile(t *testing.T) {
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: nil,
|
|
SecurityHeadersEnabled: true,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
|
|
// Should use defaults
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
|
|
assert.Contains(t, headers, "Strict-Transport-Security")
|
|
assert.Equal(t, "SAMEORIGIN", headers["X-Frame-Options"][0])
|
|
assert.Equal(t, "nosniff", headers["X-Content-Type-Options"][0])
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_Disabled(t *testing.T) {
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: nil,
|
|
SecurityHeadersEnabled: false,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.Nil(t, handler)
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_NilHost(t *testing.T) {
|
|
handler, err := buildSecurityHeadersHandler(nil)
|
|
assert.NoError(t, err)
|
|
assert.Nil(t, handler)
|
|
}
|
|
|
|
func TestBuildCSPString(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
input string
|
|
expected string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "simple CSP",
|
|
input: `{"default-src":["'self'"]}`,
|
|
expected: "default-src 'self'",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple directives",
|
|
input: `{"default-src":["'self'"],"script-src":["'self'","https:"],"style-src":["'self'","'unsafe-inline'"]}`,
|
|
expected: "default-src 'self'; script-src 'self' https:; style-src 'self' 'unsafe-inline'",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "empty string",
|
|
input: "",
|
|
expected: "",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "invalid JSON",
|
|
input: "not json",
|
|
expected: "",
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result, err := buildCSPString(tt.input)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
} else {
|
|
assert.NoError(t, err)
|
|
// CSP order can vary, so check parts exist
|
|
if tt.expected != "" {
|
|
parts := []string{}
|
|
if tt.expected == "default-src 'self'" {
|
|
parts = []string{"default-src 'self'"}
|
|
} else {
|
|
// For multiple directives, just check all parts are present
|
|
parts = []string{"default-src 'self'", "script-src", "style-src"}
|
|
}
|
|
for _, part := range parts {
|
|
assert.Contains(t, result, part)
|
|
}
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestBuildPermissionsPolicyString(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
input string
|
|
expected string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "single feature no allowlist",
|
|
input: `[{"feature":"camera","allowlist":[]}]`,
|
|
expected: "camera=()",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "single feature with self",
|
|
input: `[{"feature":"microphone","allowlist":["self"]}]`,
|
|
expected: "microphone=(self)",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "multiple features",
|
|
input: `[{"feature":"camera","allowlist":[]},{"feature":"microphone","allowlist":["self"]},{"feature":"geolocation","allowlist":["*"]}]`,
|
|
expected: "camera=(), microphone=(self), geolocation=(*)",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "empty string",
|
|
input: "",
|
|
expected: "",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "invalid JSON",
|
|
input: "not json",
|
|
expected: "",
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result, err := buildPermissionsPolicyString(tt.input)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
} else {
|
|
assert.NoError(t, err)
|
|
if tt.expected != "" {
|
|
assert.Equal(t, tt.expected, result)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestGetDefaultSecurityHeaderProfile(t *testing.T) {
|
|
profile := getDefaultSecurityHeaderProfile()
|
|
|
|
assert.NotNil(t, profile)
|
|
assert.True(t, profile.HSTSEnabled)
|
|
assert.Equal(t, 31536000, profile.HSTSMaxAge)
|
|
assert.False(t, profile.HSTSIncludeSubdomains)
|
|
assert.False(t, profile.HSTSPreload)
|
|
assert.False(t, profile.CSPEnabled) // Off by default
|
|
assert.Equal(t, "SAMEORIGIN", profile.XFrameOptions)
|
|
assert.True(t, profile.XContentTypeOptions)
|
|
assert.Equal(t, "strict-origin-when-cross-origin", profile.ReferrerPolicy)
|
|
assert.True(t, profile.XSSProtection)
|
|
assert.Equal(t, "same-origin", profile.CrossOriginOpenerPolicy)
|
|
assert.Equal(t, "same-origin", profile.CrossOriginResourcePolicy)
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_PermissionsPolicy(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
PermissionsPolicy: `[{"feature":"camera","allowlist":[]},{"feature":"microphone","allowlist":["self"]},{"feature":"geolocation","allowlist":["*"]}]`,
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
|
|
assert.Contains(t, headers, "Permissions-Policy")
|
|
pp := headers["Permissions-Policy"][0]
|
|
assert.Contains(t, pp, "camera=()")
|
|
assert.Contains(t, pp, "microphone=(self)")
|
|
assert.Contains(t, pp, "geolocation=(*)")
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_InvalidCSPJSON(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
CSPEnabled: true,
|
|
CSPDirectives: "invalid json",
|
|
// Add another header so handler isn't nil
|
|
XContentTypeOptions: true,
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, handler)
|
|
|
|
// Should skip CSP if invalid JSON
|
|
response := handler["response"].(map[string]interface{})
|
|
headers := response["set"].(map[string][]string)
|
|
assert.NotContains(t, headers, "Content-Security-Policy")
|
|
// But should include the other header
|
|
assert.Contains(t, headers, "X-Content-Type-Options")
|
|
}
|
|
|
|
func TestBuildSecurityHeadersHandler_InvalidPermissionsJSON(t *testing.T) {
|
|
profile := &models.SecurityHeaderProfile{
|
|
PermissionsPolicy: "invalid json",
|
|
}
|
|
|
|
host := &models.ProxyHost{
|
|
SecurityHeaderProfile: profile,
|
|
}
|
|
|
|
handler, err := buildSecurityHeadersHandler(host)
|
|
assert.NoError(t, err)
|
|
|
|
// Should skip invalid permissions policy but continue with other headers
|
|
// If profile had no other headers, handler would be nil
|
|
// Since we're only testing permissions policy, handler will be nil
|
|
assert.Nil(t, handler)
|
|
}
|