# frozen_string_literal: true
require "isolation/abstract_unit"
require "rack/test"
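module ApplicationTests
  # Integration tests for the +permissions_policy+ configuration DSL, both the
  # application-wide form (an initializer) and the per-controller form.
  #
  # Each test generates a throwaway app, boots it in "development", issues a
  # GET to "/" through Rack::Test and inspects the response headers.
  #
  # NOTE(review): every assertion in this file reads the +Feature-Policy+
  # response header, although the DSL is named +permissions_policy+. Nothing
  # here checks a +Permissions-Policy+ header, so these tests do not establish
  # that one is emitted; confirm which header the deployed browsers honour
  # before relying on this policy as a control.
  class PermissionsPolicyTest < ActiveSupport::TestCase
    include ActiveSupport::Testing::Isolation
    include Rack::Test::Methods

    # Generates a fresh application for the test.
    def setup
      build_app
    end

    # Discards the generated application.
    def teardown
      teardown_app
    end

    # With no initializer and no controller-level policy, the response must
    # not carry the header at all.
    test "permissions policy is not enabled by default" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"

      # Check the status first: a failed request would also lack the header,
      # and assert_nil alone would then pass without testing anything. This
      # matches the "unsetting a directive" test below.
      assert_equal 200, last_response.status
      assert_nil last_response.headers["Feature-Policy"]
    end

    # A policy declared in an initializer is applied to controller responses.
    test "global permissions policy in an initializer" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_policy "geolocation 'none'"
    end

    # A controller that sets the same directive as the initializer wins: the
    # global 'none' is replaced by the controller's origin, which widens the
    # global restriction for that controller.
    test "override permissions policy using same directive in a controller" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          permissions_policy do |p|
            p.geolocation "https://example.com"
          end

          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_policy "geolocation https://example.com"
    end

    # Setting a directive to nil in a controller removes it. Here that was the
    # only directive, so the header is absent from the response, i.e. the
    # controller ends up with no policy even though a global one is configured.
    test "override permissions policy by unsetting a directive in a controller" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          permissions_policy do |p|
            p.geolocation nil
          end

          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_equal 200, last_response.status
      assert_nil last_response.headers["Feature-Policy"]
    end

    # A controller may drop a global directive and add others in one block;
    # the expected header holds only the controller's payment and autoplay
    # directives, joined by "; ".
    test "override permissions policy using different directives in a controller" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          permissions_policy do |p|
            p.geolocation nil
            p.payment "https://secure.example.com"
            p.autoplay :none
          end

          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_policy "payment https://secure.example.com; autoplay 'none'"
    end

    # The global policy also covers a bare Rack endpoint (a lambda mounted as
    # the root route), not only controller actions.
    test "global permissions policy added to rack app" do
      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.payment :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          app = ->(env) {
            [200, { "Content-Type" => "text/html" }, ["<p>Hello, World!</p>"]]
          }
          root to: app
        end
      RUBY

      app("development")

      get "/"
      assert_policy "payment 'none'"
    end

    private
      # Asserts that the last response succeeded and that its Feature-Policy
      # header equals +expected+ exactly (directive order and quoting included).
      def assert_policy(expected)
        assert_equal 200, last_response.status
        assert_equal expected, last_response.headers["Feature-Policy"]
      end
  end
end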