summaryrefslogtreecommitdiff
path: root/test/plugs
diff options
context:
space:
mode:
Diffstat (limited to 'test/plugs')
-rw-r--r--test/plugs/cache_control_test.exs20
-rw-r--r--test/plugs/ensure_public_or_authenticated_plug_test.exs55
-rw-r--r--test/plugs/http_security_plug_test.exs133
-rw-r--r--test/plugs/http_signature_plug_test.exs1
-rw-r--r--test/plugs/legacy_authentication_plug_test.exs2
-rw-r--r--test/plugs/oauth_plug_test.exs20
-rw-r--r--test/plugs/rate_limit_plug_test.exs50
7 files changed, 222 insertions, 59 deletions
diff --git a/test/plugs/cache_control_test.exs b/test/plugs/cache_control_test.exs
new file mode 100644
index 000000000..45151b289
--- /dev/null
+++ b/test/plugs/cache_control_test.exs
@@ -0,0 +1,20 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.CacheControlTest do
+ use Pleroma.Web.ConnCase
+ alias Plug.Conn
+
+ test "Verify Cache-Control header on static assets", %{conn: conn} do
+ conn = get(conn, "/index.html")
+
+ assert Conn.get_resp_header(conn, "cache-control") == ["public, no-cache"]
+ end
+
+ test "Verify Cache-Control header on the API", %{conn: conn} do
+ conn = get(conn, "/api/v1/instance")
+
+ assert Conn.get_resp_header(conn, "cache-control") == ["max-age=0, private, must-revalidate"]
+ end
+end
diff --git a/test/plugs/ensure_public_or_authenticated_plug_test.exs b/test/plugs/ensure_public_or_authenticated_plug_test.exs
new file mode 100644
index 000000000..ce5d77ff7
--- /dev/null
+++ b/test/plugs/ensure_public_or_authenticated_plug_test.exs
@@ -0,0 +1,55 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlugTest do
+ use Pleroma.Web.ConnCase, async: true
+
+ alias Pleroma.Config
+ alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+ alias Pleroma.User
+
+ test "it halts if not public and no user is assigned", %{conn: conn} do
+ set_public_to(false)
+
+ conn =
+ conn
+ |> EnsurePublicOrAuthenticatedPlug.call(%{})
+
+ assert conn.status == 403
+ assert conn.halted == true
+ end
+
+ test "it continues if public", %{conn: conn} do
+ set_public_to(true)
+
+ ret_conn =
+ conn
+ |> EnsurePublicOrAuthenticatedPlug.call(%{})
+
+ assert ret_conn == conn
+ end
+
+ test "it continues if a user is assigned, even if not public", %{conn: conn} do
+ set_public_to(false)
+
+ conn =
+ conn
+ |> assign(:user, %User{})
+
+ ret_conn =
+ conn
+ |> EnsurePublicOrAuthenticatedPlug.call(%{})
+
+ assert ret_conn == conn
+ end
+
+ defp set_public_to(value) do
+ orig = Config.get!([:instance, :public])
+ Config.put([:instance, :public], value)
+
+ on_exit(fn ->
+ Config.put([:instance, :public], orig)
+ end)
+ end
+end
diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs
index 0cbb7e4b1..7dfd50c1f 100644
--- a/test/plugs/http_security_plug_test.exs
+++ b/test/plugs/http_security_plug_test.exs
@@ -7,77 +7,96 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
alias Pleroma.Config
alias Plug.Conn
- test "it sends CSP headers when enabled", %{conn: conn} do
- Config.put([:http_security, :enabled], true)
-
- conn =
- conn
- |> get("/api/v1/instance")
-
- refute Conn.get_resp_header(conn, "x-xss-protection") == []
- refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
- refute Conn.get_resp_header(conn, "x-frame-options") == []
- refute Conn.get_resp_header(conn, "x-content-type-options") == []
- refute Conn.get_resp_header(conn, "x-download-options") == []
- refute Conn.get_resp_header(conn, "referrer-policy") == []
- refute Conn.get_resp_header(conn, "content-security-policy") == []
- end
+ describe "http security enabled" do
+ setup do
+ enabled = Config.get([:http_securiy, :enabled])
- test "it does not send CSP headers when disabled", %{conn: conn} do
- Config.put([:http_security, :enabled], false)
+ Config.put([:http_security, :enabled], true)
- conn =
- conn
- |> get("/api/v1/instance")
+ on_exit(fn ->
+ Config.put([:http_security, :enabled], enabled)
+ end)
- assert Conn.get_resp_header(conn, "x-xss-protection") == []
- assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
- assert Conn.get_resp_header(conn, "x-frame-options") == []
- assert Conn.get_resp_header(conn, "x-content-type-options") == []
- assert Conn.get_resp_header(conn, "x-download-options") == []
- assert Conn.get_resp_header(conn, "referrer-policy") == []
- assert Conn.get_resp_header(conn, "content-security-policy") == []
- end
+ :ok
+ end
- test "it sends STS headers when enabled", %{conn: conn} do
- Config.put([:http_security, :enabled], true)
- Config.put([:http_security, :sts], true)
+ test "it sends CSP headers when enabled", %{conn: conn} do
+ conn = get(conn, "/api/v1/instance")
- conn =
- conn
- |> get("/api/v1/instance")
+ refute Conn.get_resp_header(conn, "x-xss-protection") == []
+ refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
+ refute Conn.get_resp_header(conn, "x-frame-options") == []
+ refute Conn.get_resp_header(conn, "x-content-type-options") == []
+ refute Conn.get_resp_header(conn, "x-download-options") == []
+ refute Conn.get_resp_header(conn, "referrer-policy") == []
+ refute Conn.get_resp_header(conn, "content-security-policy") == []
+ end
- refute Conn.get_resp_header(conn, "strict-transport-security") == []
- refute Conn.get_resp_header(conn, "expect-ct") == []
- end
+ test "it sends STS headers when enabled", %{conn: conn} do
+ Config.put([:http_security, :sts], true)
- test "it does not send STS headers when disabled", %{conn: conn} do
- Config.put([:http_security, :enabled], true)
- Config.put([:http_security, :sts], false)
+ conn = get(conn, "/api/v1/instance")
- conn =
- conn
- |> get("/api/v1/instance")
+ refute Conn.get_resp_header(conn, "strict-transport-security") == []
+ refute Conn.get_resp_header(conn, "expect-ct") == []
+ end
- assert Conn.get_resp_header(conn, "strict-transport-security") == []
- assert Conn.get_resp_header(conn, "expect-ct") == []
- end
+ test "it does not send STS headers when disabled", %{conn: conn} do
+ Config.put([:http_security, :sts], false)
+
+ conn = get(conn, "/api/v1/instance")
+
+ assert Conn.get_resp_header(conn, "strict-transport-security") == []
+ assert Conn.get_resp_header(conn, "expect-ct") == []
+ end
+
+ test "referrer-policy header reflects configured value", %{conn: conn} do
+ conn = get(conn, "/api/v1/instance")
+
+ assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
- test "referrer-policy header reflects configured value", %{conn: conn} do
- Config.put([:http_security, :enabled], true)
+ Config.put([:http_security, :referrer_policy], "no-referrer")
- conn =
- conn
- |> get("/api/v1/instance")
+ conn =
+ build_conn()
+ |> get("/api/v1/instance")
- assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
+ assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
+ end
- Config.put([:http_security, :referrer_policy], "no-referrer")
+ test "it sends `report-to` & `report-uri` CSP response headers" do
+ conn =
+ build_conn()
+ |> get("/api/v1/instance")
- conn =
- build_conn()
- |> get("/api/v1/instance")
+ [csp] = Conn.get_resp_header(conn, "content-security-policy")
- assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
+ assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;|
+
+ [reply_to] = Conn.get_resp_header(conn, "reply-to")
+
+ assert reply_to ==
+ "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
+ end
+ end
+
+ test "it does not send CSP headers when disabled", %{conn: conn} do
+ enabled = Config.get([:http_securiy, :enabled])
+
+ Config.put([:http_security, :enabled], false)
+
+ on_exit(fn ->
+ Config.put([:http_security, :enabled], enabled)
+ end)
+
+ conn = get(conn, "/api/v1/instance")
+
+ assert Conn.get_resp_header(conn, "x-xss-protection") == []
+ assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
+ assert Conn.get_resp_header(conn, "x-frame-options") == []
+ assert Conn.get_resp_header(conn, "x-content-type-options") == []
+ assert Conn.get_resp_header(conn, "x-download-options") == []
+ assert Conn.get_resp_header(conn, "referrer-policy") == []
+ assert Conn.get_resp_header(conn, "content-security-policy") == []
end
end
diff --git a/test/plugs/http_signature_plug_test.exs b/test/plugs/http_signature_plug_test.exs
index 6a00dd4fd..efd811df7 100644
--- a/test/plugs/http_signature_plug_test.exs
+++ b/test/plugs/http_signature_plug_test.exs
@@ -4,7 +4,6 @@
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
use Pleroma.Web.ConnCase
- alias Pleroma.Web.HTTPSignatures
alias Pleroma.Web.Plugs.HTTPSignaturePlug
import Plug.Conn
diff --git a/test/plugs/legacy_authentication_plug_test.exs b/test/plugs/legacy_authentication_plug_test.exs
index 8b0b06772..02f530058 100644
--- a/test/plugs/legacy_authentication_plug_test.exs
+++ b/test/plugs/legacy_authentication_plug_test.exs
@@ -3,7 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do
- use Pleroma.Web.ConnCase, async: true
+ use Pleroma.Web.ConnCase
alias Pleroma.Plugs.LegacyAuthenticationPlug
alias Pleroma.User
diff --git a/test/plugs/oauth_plug_test.exs b/test/plugs/oauth_plug_test.exs
index 17fdba916..5a2ed11cc 100644
--- a/test/plugs/oauth_plug_test.exs
+++ b/test/plugs/oauth_plug_test.exs
@@ -38,6 +38,26 @@ defmodule Pleroma.Plugs.OAuthPlugTest do
assert conn.assigns[:user] == opts[:user]
end
+ test "with valid token(downcase) in url parameters, it assings the user", opts do
+ conn =
+ :get
+ |> build_conn("/?access_token=#{opts[:token]}")
+ |> put_req_header("content-type", "application/json")
+ |> fetch_query_params()
+ |> OAuthPlug.call(%{})
+
+ assert conn.assigns[:user] == opts[:user]
+ end
+
+ test "with valid token(downcase) in body parameters, it assigns the user", opts do
+ conn =
+ :post
+ |> build_conn("/api/v1/statuses", access_token: opts[:token], status: "test")
+ |> OAuthPlug.call(%{})
+
+ assert conn.assigns[:user] == opts[:user]
+ end
+
test "with invalid token, it not assigns the user", %{conn: conn} do
conn =
conn
diff --git a/test/plugs/rate_limit_plug_test.exs b/test/plugs/rate_limit_plug_test.exs
new file mode 100644
index 000000000..2ec9a8fb7
--- /dev/null
+++ b/test/plugs/rate_limit_plug_test.exs
@@ -0,0 +1,50 @@
+defmodule Pleroma.Plugs.RateLimitPlugTest do
+ use ExUnit.Case, async: true
+ use Plug.Test
+
+ alias Pleroma.Plugs.RateLimitPlug
+
+ @opts RateLimitPlug.init(%{max_requests: 5, interval: 1})
+
+ setup do
+ enabled = Pleroma.Config.get([:app_account_creation, :enabled])
+
+ Pleroma.Config.put([:app_account_creation, :enabled], true)
+
+ on_exit(fn ->
+ Pleroma.Config.put([:app_account_creation, :enabled], enabled)
+ end)
+
+ :ok
+ end
+
+ test "it restricts by opts" do
+ conn = conn(:get, "/")
+ bucket_name = conn.remote_ip |> Tuple.to_list() |> Enum.join(".")
+ ms = 1000
+
+ conn = RateLimitPlug.call(conn, @opts)
+ {1, 4, _, _, _} = ExRated.inspect_bucket(bucket_name, ms, 5)
+ conn = RateLimitPlug.call(conn, @opts)
+ {2, 3, _, _, _} = ExRated.inspect_bucket(bucket_name, ms, 5)
+ conn = RateLimitPlug.call(conn, @opts)
+ {3, 2, _, _, _} = ExRated.inspect_bucket(bucket_name, ms, 5)
+ conn = RateLimitPlug.call(conn, @opts)
+ {4, 1, _, _, _} = ExRated.inspect_bucket(bucket_name, ms, 5)
+ conn = RateLimitPlug.call(conn, @opts)
+ {5, 0, to_reset, _, _} = ExRated.inspect_bucket(bucket_name, ms, 5)
+ conn = RateLimitPlug.call(conn, @opts)
+ assert conn.status == 403
+ assert conn.halted
+ assert conn.resp_body == "{\"error\":\"Rate limit exceeded.\"}"
+
+ Process.sleep(to_reset)
+
+ conn = conn(:get, "/")
+ conn = RateLimitPlug.call(conn, @opts)
+ {1, 4, _, _, _} = ExRated.inspect_bucket(bucket_name, ms, 5)
+ refute conn.status == 403
+ refute conn.halted
+ refute conn.resp_body
+ end
+end
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-16 00:34:15 +0000