1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack/test/controller/force_ssl_test.rb

346 lines
9.2 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
require "abstract_unit"
class ForceSSLController < ActionController::Base
def banana
render plain: "monkey"
end
def cheeseburger
render plain: "sikachu"
end
end
class ForceSSLControllerLevel < ForceSSLController
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
ActiveSupport::Deprecation.silence do
force_ssl
end
end
class ForceSSLCustomOptions < ForceSSLController
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
ActiveSupport::Deprecation.silence do
force_ssl host: "secure.example.com", only: :redirect_host
force_ssl port: 8443, only: :redirect_port
force_ssl subdomain: "secure", only: :redirect_subdomain
force_ssl domain: "secure.com", only: :redirect_domain
force_ssl path: "/foo", only: :redirect_path
force_ssl status: :found, only: :redirect_status
force_ssl flash: { message: "Foo, Bar!" }, only: :redirect_flash
force_ssl alert: "Foo, Bar!", only: :redirect_alert
force_ssl notice: "Foo, Bar!", only: :redirect_notice
end
def force_ssl_action
render plain: action_name
end
alias_method :redirect_host, :force_ssl_action
alias_method :redirect_port, :force_ssl_action
alias_method :redirect_subdomain, :force_ssl_action
alias_method :redirect_domain, :force_ssl_action
alias_method :redirect_path, :force_ssl_action
alias_method :redirect_status, :force_ssl_action
alias_method :redirect_flash, :force_ssl_action
alias_method :redirect_alert, :force_ssl_action
alias_method :redirect_notice, :force_ssl_action
def use_flash
render plain: flash[:message]
end
def use_alert
render plain: flash[:alert]
end
def use_notice
render plain: flash[:notice]
end
end
class ForceSSLOnlyAction < ForceSSLController
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
ActiveSupport::Deprecation.silence do
force_ssl only: :cheeseburger
end
end
class ForceSSLExceptAction < ForceSSLController
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
ActiveSupport::Deprecation.silence do
force_ssl except: :banana
end
end
2012-04-01 01:44:49 -04:00
class ForceSSLIfCondition < ForceSSLController
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
ActiveSupport::Deprecation.silence do
force_ssl if: :use_force_ssl?
end
2012-04-01 01:44:49 -04:00
def use_force_ssl?
action_name == "cheeseburger"
2012-04-01 01:44:49 -04:00
end
end
class ForceSSLFlash < ForceSSLController
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
ActiveSupport::Deprecation.silence do
force_ssl except: [:banana, :set_flash, :use_flash]
end
def set_flash
flash["that"] = "hello"
redirect_to "/force_ssl_flash/cheeseburger"
end
def use_flash
@flash_copy = {}.update flash
@flashy = flash["that"]
2016-08-06 13:35:13 -04:00
render inline: "hello"
end
end
class RedirectToSSL < ForceSSLController
def banana
force_ssl_redirect || render(plain: "monkey")
end
def cheeseburger
force_ssl_redirect("secure.cheeseburger.host") || render(plain: "ihaz")
end
end
class ForceSSLControllerLevelTest < ActionController::TestCase
def test_banana_redirects_to_https
get :banana
assert_response 301
assert_equal "https://test.host/force_ssl_controller_level/banana", redirect_to_url
end
def test_banana_redirects_to_https_with_extra_params
get :banana, params: { token: "secret" }
assert_response 301
assert_equal "https://test.host/force_ssl_controller_level/banana?token=secret", redirect_to_url
end
def test_cheeseburger_redirects_to_https
get :cheeseburger
assert_response 301
assert_equal "https://test.host/force_ssl_controller_level/cheeseburger", redirect_to_url
end
end
class ForceSSLCustomOptionsTest < ActionController::TestCase
def setup
@request.env["HTTP_HOST"] = "www.example.com:80"
end
def test_redirect_to_custom_host
get :redirect_host
assert_response 301
assert_equal "https://secure.example.com/force_ssl_custom_options/redirect_host", redirect_to_url
end
def test_redirect_to_custom_port
get :redirect_port
assert_response 301
assert_equal "https://www.example.com:8443/force_ssl_custom_options/redirect_port", redirect_to_url
end
def test_redirect_to_custom_subdomain
get :redirect_subdomain
assert_response 301
assert_equal "https://secure.example.com/force_ssl_custom_options/redirect_subdomain", redirect_to_url
end
def test_redirect_to_custom_domain
get :redirect_domain
assert_response 301
assert_equal "https://www.secure.com/force_ssl_custom_options/redirect_domain", redirect_to_url
end
def test_redirect_to_custom_path
get :redirect_path
assert_response 301
assert_equal "https://www.example.com/foo", redirect_to_url
end
def test_redirect_to_custom_status
get :redirect_status
assert_response 302
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_status", redirect_to_url
end
def test_redirect_to_custom_flash
get :redirect_flash
assert_response 301
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_flash", redirect_to_url
get :use_flash
assert_response 200
assert_equal "Foo, Bar!", @response.body
end
def test_redirect_to_custom_alert
get :redirect_alert
assert_response 301
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_alert", redirect_to_url
get :use_alert
assert_response 200
assert_equal "Foo, Bar!", @response.body
end
def test_redirect_to_custom_notice
get :redirect_notice
assert_response 301
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_notice", redirect_to_url
get :use_notice
assert_response 200
assert_equal "Foo, Bar!", @response.body
end
end
class ForceSSLOnlyActionTest < ActionController::TestCase
def test_banana_not_redirects_to_https
get :banana
assert_response 200
end
def test_cheeseburger_redirects_to_https
get :cheeseburger
assert_response 301
assert_equal "https://test.host/force_ssl_only_action/cheeseburger", redirect_to_url
end
end
class ForceSSLExceptActionTest < ActionController::TestCase
def test_banana_not_redirects_to_https
get :banana
assert_response 200
end
def test_cheeseburger_redirects_to_https
get :cheeseburger
assert_response 301
assert_equal "https://test.host/force_ssl_except_action/cheeseburger", redirect_to_url
end
end
2012-04-01 01:44:49 -04:00
class ForceSSLIfConditionTest < ActionController::TestCase
def test_banana_not_redirects_to_https
get :banana
assert_response 200
end
def test_cheeseburger_redirects_to_https
get :cheeseburger
assert_response 301
assert_equal "https://test.host/force_ssl_if_condition/cheeseburger", redirect_to_url
end
end
class ForceSSLFlashTest < ActionController::TestCase
def test_cheeseburger_redirects_to_https
get :set_flash
assert_response 302
assert_equal "http://test.host/force_ssl_flash/cheeseburger", redirect_to_url
@request.env.delete("PATH_INFO")
get :cheeseburger
assert_response 301
assert_equal "https://test.host/force_ssl_flash/cheeseburger", redirect_to_url
@request.env.delete("PATH_INFO")
get :use_flash
assert_equal "hello", @controller.instance_variable_get("@flash_copy")["that"]
assert_equal "hello", @controller.instance_variable_get("@flashy")
end
end
class ForceSSLDuplicateRoutesTest < ActionController::TestCase
tests ForceSSLControllerLevel
def test_force_ssl_redirects_to_same_path
with_routing do |set|
set.draw do
2016-08-06 13:35:13 -04:00
get "/foo", to: "force_ssl_controller_level#banana"
get "/bar", to: "force_ssl_controller_level#banana"
end
@request.env["PATH_INFO"] = "/bar"
get :banana
assert_response 301
assert_equal "https://test.host/bar", redirect_to_url
end
end
end
class ForceSSLFormatTest < ActionController::TestCase
tests ForceSSLControllerLevel
def test_force_ssl_redirects_to_same_format
with_routing do |set|
set.draw do
2016-08-06 13:35:13 -04:00
get "/foo", to: "force_ssl_controller_level#banana"
end
get :banana, format: :json
assert_response 301
assert_equal "https://test.host/foo.json", redirect_to_url
end
end
end
class ForceSSLOptionalSegmentsTest < ActionController::TestCase
tests ForceSSLControllerLevel
def test_force_ssl_redirects_to_same_format
with_routing do |set|
set.draw do
scope "(:locale)" do
2016-08-06 13:35:13 -04:00
defaults locale: "en" do
get "/foo", to: "force_ssl_controller_level#banana"
end
end
end
@request.env["PATH_INFO"] = "/en/foo"
get :banana, params: { locale: "en" }
assert_equal "en", @controller.params[:locale]
assert_response 301
assert_equal "https://test.host/en/foo", redirect_to_url
end
end
end
class RedirectToSSLTest < ActionController::TestCase
def test_banana_redirects_to_https_if_not_https
get :banana
assert_response 301
assert_equal "https://test.host/redirect_to_ssl/banana", redirect_to_url
end
def test_cheeseburgers_redirects_to_https_with_new_host_if_not_https
get :cheeseburger
assert_response 301
assert_equal "https://secure.cheeseburger.host/redirect_to_ssl/cheeseburger", redirect_to_url
end
2015-04-11 05:59:56 -04:00
def test_cheeseburgers_does_not_redirect_if_already_https
request.env["HTTPS"] = "on"
get :cheeseburger
assert_response 200
assert_equal "ihaz", response.body
end
end
class ForceSSLControllerLevelTest < ActionController::TestCase
def test_no_redirect_websocket_ssl_request
request.env["rack.url_scheme"] = "wss"
request.env["Upgrade"] = "websocket"
get :cheeseburger
assert_response 200
end
end