2017-07-24 16:20:53 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-08-06 12:54:50 -04:00
|
|
|
require "abstract_unit"
|
2011-03-27 15:05:14 -04:00
|
|
|
|
|
|
|
class ForceSSLController < ActionController::Base
|
|
|
|
def banana
|
2015-07-17 21:48:00 -04:00
|
|
|
render plain: "monkey"
|
2011-03-27 15:05:14 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def cheeseburger
|
2015-07-17 21:48:00 -04:00
|
|
|
render plain: "sikachu"
|
2011-03-27 15:05:14 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class ForceSSLControllerLevel < ForceSSLController
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
ActiveSupport::Deprecation.silence do
|
|
|
|
force_ssl
|
|
|
|
end
|
2011-03-27 15:05:14 -04:00
|
|
|
end
|
|
|
|
|
2013-04-25 08:40:53 -04:00
|
|
|
class ForceSSLCustomOptions < ForceSSLController
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
ActiveSupport::Deprecation.silence do
|
|
|
|
force_ssl host: "secure.example.com", only: :redirect_host
|
|
|
|
force_ssl port: 8443, only: :redirect_port
|
|
|
|
force_ssl subdomain: "secure", only: :redirect_subdomain
|
|
|
|
force_ssl domain: "secure.com", only: :redirect_domain
|
|
|
|
force_ssl path: "/foo", only: :redirect_path
|
|
|
|
force_ssl status: :found, only: :redirect_status
|
|
|
|
force_ssl flash: { message: "Foo, Bar!" }, only: :redirect_flash
|
|
|
|
force_ssl alert: "Foo, Bar!", only: :redirect_alert
|
|
|
|
force_ssl notice: "Foo, Bar!", only: :redirect_notice
|
|
|
|
end
|
2013-04-25 08:40:53 -04:00
|
|
|
|
|
|
|
def force_ssl_action
|
2015-07-17 21:48:00 -04:00
|
|
|
render plain: action_name
|
2013-04-25 08:40:53 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
alias_method :redirect_host, :force_ssl_action
|
|
|
|
alias_method :redirect_port, :force_ssl_action
|
|
|
|
alias_method :redirect_subdomain, :force_ssl_action
|
|
|
|
alias_method :redirect_domain, :force_ssl_action
|
|
|
|
alias_method :redirect_path, :force_ssl_action
|
|
|
|
alias_method :redirect_status, :force_ssl_action
|
|
|
|
alias_method :redirect_flash, :force_ssl_action
|
|
|
|
alias_method :redirect_alert, :force_ssl_action
|
|
|
|
alias_method :redirect_notice, :force_ssl_action
|
|
|
|
|
|
|
|
def use_flash
|
2015-07-17 21:48:00 -04:00
|
|
|
render plain: flash[:message]
|
2013-04-25 08:40:53 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def use_alert
|
2015-07-17 21:48:00 -04:00
|
|
|
render plain: flash[:alert]
|
2013-04-25 08:40:53 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def use_notice
|
2015-07-17 21:48:00 -04:00
|
|
|
render plain: flash[:notice]
|
2013-04-25 08:40:53 -04:00
|
|
|
end
|
2011-10-08 19:38:02 -04:00
|
|
|
end
|
|
|
|
|
2011-03-27 15:05:14 -04:00
|
|
|
class ForceSSLOnlyAction < ForceSSLController
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
ActiveSupport::Deprecation.silence do
|
|
|
|
force_ssl only: :cheeseburger
|
|
|
|
end
|
2011-03-27 15:05:14 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
class ForceSSLExceptAction < ForceSSLController
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
ActiveSupport::Deprecation.silence do
|
|
|
|
force_ssl except: :banana
|
|
|
|
end
|
2011-03-27 15:05:14 -04:00
|
|
|
end
|
|
|
|
|
2012-04-01 01:44:49 -04:00
|
|
|
class ForceSSLIfCondition < ForceSSLController
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
ActiveSupport::Deprecation.silence do
|
|
|
|
force_ssl if: :use_force_ssl?
|
|
|
|
end
|
2012-04-01 01:44:49 -04:00
|
|
|
|
|
|
|
def use_force_ssl?
|
2016-08-06 12:54:50 -04:00
|
|
|
action_name == "cheeseburger"
|
2012-04-01 01:44:49 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-01-12 14:31:23 -05:00
|
|
|
class ForceSSLFlash < ForceSSLController
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
ActiveSupport::Deprecation.silence do
|
|
|
|
force_ssl except: [:banana, :set_flash, :use_flash]
|
|
|
|
end
|
2012-01-12 14:31:23 -05:00
|
|
|
|
|
|
|
def set_flash
|
|
|
|
flash["that"] = "hello"
|
2016-08-06 12:54:50 -04:00
|
|
|
redirect_to "/force_ssl_flash/cheeseburger"
|
2012-01-12 14:31:23 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def use_flash
|
|
|
|
@flash_copy = {}.update flash
|
|
|
|
@flashy = flash["that"]
|
2016-08-06 13:35:13 -04:00
|
|
|
render inline: "hello"
|
2012-01-12 14:31:23 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-05-31 10:06:17 -04:00
|
|
|
class RedirectToSSL < ForceSSLController
|
|
|
|
def banana
|
2016-08-06 12:54:50 -04:00
|
|
|
force_ssl_redirect || render(plain: "monkey")
|
2012-05-31 10:06:17 -04:00
|
|
|
end
|
|
|
|
def cheeseburger
|
2016-08-06 12:54:50 -04:00
|
|
|
force_ssl_redirect("secure.cheeseburger.host") || render(plain: "ihaz")
|
2012-05-31 10:06:17 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-03-27 15:05:14 -04:00
|
|
|
class ForceSSLControllerLevelTest < ActionController::TestCase
|
|
|
|
def test_banana_redirects_to_https
|
|
|
|
get :banana
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_controller_level/banana", redirect_to_url
|
|
|
|
end
|
|
|
|
|
2012-02-06 17:47:17 -05:00
|
|
|
def test_banana_redirects_to_https_with_extra_params
|
2015-01-04 04:35:06 -05:00
|
|
|
get :banana, params: { token: "secret" }
|
2012-02-06 17:47:17 -05:00
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_controller_level/banana?token=secret", redirect_to_url
|
|
|
|
end
|
|
|
|
|
2011-03-27 15:05:14 -04:00
|
|
|
def test_cheeseburger_redirects_to_https
|
|
|
|
get :cheeseburger
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_controller_level/cheeseburger", redirect_to_url
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-04-25 08:40:53 -04:00
|
|
|
class ForceSSLCustomOptionsTest < ActionController::TestCase
|
|
|
|
def setup
|
2016-08-06 12:54:50 -04:00
|
|
|
@request.env["HTTP_HOST"] = "www.example.com:80"
|
2013-04-25 08:40:53 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_host
|
|
|
|
get :redirect_host
|
2011-10-08 19:38:02 -04:00
|
|
|
assert_response 301
|
2013-04-25 08:40:53 -04:00
|
|
|
assert_equal "https://secure.example.com/force_ssl_custom_options/redirect_host", redirect_to_url
|
2011-10-08 19:38:02 -04:00
|
|
|
end
|
2012-01-12 14:31:23 -05:00
|
|
|
|
2013-04-25 08:40:53 -04:00
|
|
|
def test_redirect_to_custom_port
|
|
|
|
get :redirect_port
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://www.example.com:8443/force_ssl_custom_options/redirect_port", redirect_to_url
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_subdomain
|
|
|
|
get :redirect_subdomain
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://secure.example.com/force_ssl_custom_options/redirect_subdomain", redirect_to_url
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_domain
|
|
|
|
get :redirect_domain
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://www.secure.com/force_ssl_custom_options/redirect_domain", redirect_to_url
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_path
|
|
|
|
get :redirect_path
|
2011-10-08 19:38:02 -04:00
|
|
|
assert_response 301
|
2013-04-25 08:40:53 -04:00
|
|
|
assert_equal "https://www.example.com/foo", redirect_to_url
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_status
|
|
|
|
get :redirect_status
|
|
|
|
assert_response 302
|
|
|
|
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_status", redirect_to_url
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_flash
|
|
|
|
get :redirect_flash
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_flash", redirect_to_url
|
|
|
|
|
|
|
|
get :use_flash
|
|
|
|
assert_response 200
|
|
|
|
assert_equal "Foo, Bar!", @response.body
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_alert
|
|
|
|
get :redirect_alert
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_alert", redirect_to_url
|
|
|
|
|
|
|
|
get :use_alert
|
|
|
|
assert_response 200
|
|
|
|
assert_equal "Foo, Bar!", @response.body
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_redirect_to_custom_notice
|
|
|
|
get :redirect_notice
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://www.example.com/force_ssl_custom_options/redirect_notice", redirect_to_url
|
|
|
|
|
|
|
|
get :use_notice
|
|
|
|
assert_response 200
|
|
|
|
assert_equal "Foo, Bar!", @response.body
|
2011-10-08 19:38:02 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-03-27 15:05:14 -04:00
|
|
|
class ForceSSLOnlyActionTest < ActionController::TestCase
|
|
|
|
def test_banana_not_redirects_to_https
|
|
|
|
get :banana
|
|
|
|
assert_response 200
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_cheeseburger_redirects_to_https
|
|
|
|
get :cheeseburger
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_only_action/cheeseburger", redirect_to_url
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class ForceSSLExceptActionTest < ActionController::TestCase
|
|
|
|
def test_banana_not_redirects_to_https
|
|
|
|
get :banana
|
|
|
|
assert_response 200
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_cheeseburger_redirects_to_https
|
|
|
|
get :cheeseburger
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_except_action/cheeseburger", redirect_to_url
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-04-01 01:44:49 -04:00
|
|
|
class ForceSSLIfConditionTest < ActionController::TestCase
|
|
|
|
def test_banana_not_redirects_to_https
|
|
|
|
get :banana
|
|
|
|
assert_response 200
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_cheeseburger_redirects_to_https
|
|
|
|
get :cheeseburger
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_if_condition/cheeseburger", redirect_to_url
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-01-12 14:31:23 -05:00
|
|
|
class ForceSSLFlashTest < ActionController::TestCase
|
|
|
|
def test_cheeseburger_redirects_to_https
|
|
|
|
get :set_flash
|
|
|
|
assert_response 302
|
|
|
|
assert_equal "http://test.host/force_ssl_flash/cheeseburger", redirect_to_url
|
|
|
|
|
2016-08-06 12:54:50 -04:00
|
|
|
@request.env.delete("PATH_INFO")
|
2013-04-25 03:33:21 -04:00
|
|
|
|
2012-01-12 14:31:23 -05:00
|
|
|
get :cheeseburger
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/force_ssl_flash/cheeseburger", redirect_to_url
|
|
|
|
|
2016-08-06 12:54:50 -04:00
|
|
|
@request.env.delete("PATH_INFO")
|
2013-04-25 03:33:21 -04:00
|
|
|
|
2012-01-12 14:31:23 -05:00
|
|
|
get :use_flash
|
2015-05-13 06:28:33 -04:00
|
|
|
assert_equal "hello", @controller.instance_variable_get("@flash_copy")["that"]
|
|
|
|
assert_equal "hello", @controller.instance_variable_get("@flashy")
|
2012-01-12 14:31:23 -05:00
|
|
|
end
|
|
|
|
end
|
2012-05-31 10:06:17 -04:00
|
|
|
|
2013-04-25 03:33:21 -04:00
|
|
|
class ForceSSLDuplicateRoutesTest < ActionController::TestCase
|
2013-04-25 08:40:53 -04:00
|
|
|
tests ForceSSLControllerLevel
|
2013-04-25 03:33:21 -04:00
|
|
|
|
|
|
|
def test_force_ssl_redirects_to_same_path
|
|
|
|
with_routing do |set|
|
|
|
|
set.draw do
|
2016-08-06 13:35:13 -04:00
|
|
|
get "/foo", to: "force_ssl_controller_level#banana"
|
|
|
|
get "/bar", to: "force_ssl_controller_level#banana"
|
2013-04-25 03:33:21 -04:00
|
|
|
end
|
|
|
|
|
2016-08-06 12:54:50 -04:00
|
|
|
@request.env["PATH_INFO"] = "/bar"
|
2013-04-25 03:33:21 -04:00
|
|
|
|
|
|
|
get :banana
|
|
|
|
assert_response 301
|
2016-08-06 12:54:50 -04:00
|
|
|
assert_equal "https://test.host/bar", redirect_to_url
|
2013-04-25 03:33:21 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class ForceSSLFormatTest < ActionController::TestCase
|
|
|
|
tests ForceSSLControllerLevel
|
|
|
|
|
|
|
|
def test_force_ssl_redirects_to_same_format
|
|
|
|
with_routing do |set|
|
|
|
|
set.draw do
|
2016-08-06 13:35:13 -04:00
|
|
|
get "/foo", to: "force_ssl_controller_level#banana"
|
2013-04-25 03:33:21 -04:00
|
|
|
end
|
|
|
|
|
2015-01-04 04:35:06 -05:00
|
|
|
get :banana, format: :json
|
2013-04-25 03:33:21 -04:00
|
|
|
assert_response 301
|
2016-08-06 12:54:50 -04:00
|
|
|
assert_equal "https://test.host/foo.json", redirect_to_url
|
2013-04-25 03:33:21 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class ForceSSLOptionalSegmentsTest < ActionController::TestCase
|
|
|
|
tests ForceSSLControllerLevel
|
|
|
|
|
|
|
|
def test_force_ssl_redirects_to_same_format
|
|
|
|
with_routing do |set|
|
|
|
|
set.draw do
|
2016-08-06 12:54:50 -04:00
|
|
|
scope "(:locale)" do
|
2016-08-06 13:35:13 -04:00
|
|
|
defaults locale: "en" do
|
|
|
|
get "/foo", to: "force_ssl_controller_level#banana"
|
2013-04-25 03:33:21 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-08-06 12:54:50 -04:00
|
|
|
@request.env["PATH_INFO"] = "/en/foo"
|
|
|
|
get :banana, params: { locale: "en" }
|
|
|
|
assert_equal "en", @controller.params[:locale]
|
2013-04-25 03:33:21 -04:00
|
|
|
assert_response 301
|
2016-08-06 12:54:50 -04:00
|
|
|
assert_equal "https://test.host/en/foo", redirect_to_url
|
2013-04-25 03:33:21 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-05-31 10:06:17 -04:00
|
|
|
class RedirectToSSLTest < ActionController::TestCase
|
|
|
|
def test_banana_redirects_to_https_if_not_https
|
|
|
|
get :banana
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://test.host/redirect_to_ssl/banana", redirect_to_url
|
|
|
|
end
|
|
|
|
|
|
|
|
def test_cheeseburgers_redirects_to_https_with_new_host_if_not_https
|
|
|
|
get :cheeseburger
|
|
|
|
assert_response 301
|
|
|
|
assert_equal "https://secure.cheeseburger.host/redirect_to_ssl/cheeseburger", redirect_to_url
|
|
|
|
end
|
|
|
|
|
2015-04-11 05:59:56 -04:00
|
|
|
def test_cheeseburgers_does_not_redirect_if_already_https
|
2016-08-06 12:54:50 -04:00
|
|
|
request.env["HTTPS"] = "on"
|
2012-05-31 10:06:17 -04:00
|
|
|
get :cheeseburger
|
|
|
|
assert_response 200
|
2016-08-06 12:54:50 -04:00
|
|
|
assert_equal "ihaz", response.body
|
2012-05-31 10:06:17 -04:00
|
|
|
end
|
2014-05-04 02:55:23 -04:00
|
|
|
end
|
2016-02-11 19:41:27 -05:00
|
|
|
|
|
|
|
class ForceSSLControllerLevelTest < ActionController::TestCase
|
|
|
|
def test_no_redirect_websocket_ssl_request
|
2016-08-06 12:54:50 -04:00
|
|
|
request.env["rack.url_scheme"] = "wss"
|
|
|
|
request.env["Upgrade"] = "websocket"
|
2016-02-11 19:41:27 -05:00
|
|
|
get :cheeseburger
|
|
|
|
assert_response 200
|
|
|
|
end
|
|
|
|
end
|