traefik/integration/headers_test.go

package integration

import (
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"time"

	"github.com/go-check/check"
	"github.com/traefik/traefik/v3/integration/try"
	checker "github.com/vdemeester/shakers"
)

// Headers tests suite.
type HeadersSuite struct{ BaseSuite }

func (s *HeadersSuite) TestSimpleConfiguration(c *check.C) {
	cmd, display := s.traefikCmd(withConfigFile("fixtures/headers/basic.toml"))
	defer display(c)
	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer s.killCmd(cmd)

	// Expected a 404 as we did not configure anything
	err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
	c.Assert(err, checker.IsNil)
}

func (s *HeadersSuite) TestReverseProxyHeaderRemoved(c *check.C) {
	file := s.adaptFile(c, "fixtures/headers/remove_reverseproxy_headers.toml", struct{}{})
	defer os.Remove(file)
	cmd, display := s.traefikCmd(withConfigFile(file))
	defer display(c)

	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer s.killCmd(cmd)

	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, found := r.Header["X-Forwarded-Host"]
		c.Assert(found, checker.True)
		_, found = r.Header["Foo"]
		c.Assert(found, checker.False)
		_, found = r.Header["X-Forwarded-For"]
		c.Assert(found, checker.False)
	})

	listener, err := net.Listen("tcp", "127.0.0.1:9000")
	c.Assert(err, checker.IsNil)

	ts := &httptest.Server{
		Listener: listener,
		Config:   &http.Server{Handler: handler},
	}
	ts.Start()
	defer ts.Close()

	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
	c.Assert(err, checker.IsNil)
	req.Host = "test.localhost"
	req.Header = http.Header{
		"Foo": {"bar"},
	}

	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)
}

func (s *HeadersSuite) TestCorsResponses(c *check.C) {
	file := s.adaptFile(c, "fixtures/headers/cors.toml", struct{}{})
	defer os.Remove(file)
	cmd, display := s.traefikCmd(withConfigFile(file))
	defer display(c)

	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer s.killCmd(cmd)

	backend := startTestServer("9000", http.StatusOK, "")
	defer backend.Close()

	err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)

	testCase := []struct {
		desc           string
		requestHeaders http.Header
		expected       http.Header
		reqHost        string
		method         string
	}{
		{
			desc: "simple access control allow origin",
			requestHeaders: http.Header{
				"Origin": {"https://foo.bar.org"},
			},
			expected: http.Header{
				"Access-Control-Allow-Origin": {"https://foo.bar.org"},
				"Vary":                        {"Origin"},
			},
			reqHost: "test.localhost",
			method:  http.MethodGet,
		},
		{
			desc: "simple preflight request",
			requestHeaders: http.Header{
				"Access-Control-Request-Headers": {"origin"},
				"Access-Control-Request-Method":  {"GET", "OPTIONS"},
				"Origin":                         {"https://foo.bar.org"},
			},
			expected: http.Header{
				"Access-Control-Allow-Origin":  {"https://foo.bar.org"},
				"Access-Control-Max-Age":       {"100"},
				"Access-Control-Allow-Methods": {"GET,OPTIONS,PUT"},
			},
			reqHost: "test.localhost",
			method:  http.MethodOptions,
		},
		{
			desc: "preflight Options request with no cors configured",
			requestHeaders: http.Header{
				"Access-Control-Request-Headers": {"origin"},
				"Access-Control-Request-Method":  {"GET", "OPTIONS"},
				"Origin":                         {"https://foo.bar.org"},
			},
			expected: http.Header{
				"X-Custom-Response-Header": {"True"},
			},
			reqHost: "test2.localhost",
			method:  http.MethodOptions,
		},
		{
			desc: "preflight Get request with no cors configured",
			requestHeaders: http.Header{
				"Access-Control-Request-Headers": {"origin"},
				"Access-Control-Request-Method":  {"GET", "OPTIONS"},
				"Origin":                         {"https://foo.bar.org"},
			},
			expected: http.Header{
				"X-Custom-Response-Header": {"True"},
			},
			reqHost: "test2.localhost",
			method:  http.MethodGet,
		},
	}

	for _, test := range testCase {
		req, err := http.NewRequest(test.method, "http://127.0.0.1:8000/", nil)
		c.Assert(err, checker.IsNil)
		req.Host = test.reqHost
		req.Header = test.requestHeaders

		err = try.Request(req, 500*time.Millisecond, try.HasHeaderStruct(test.expected))
		c.Assert(err, checker.IsNil)
	}
}

func (s *HeadersSuite) TestSecureHeadersResponses(c *check.C) {
	file := s.adaptFile(c, "fixtures/headers/secure.toml", struct{}{})
	defer os.Remove(file)
	cmd, display := s.traefikCmd(withConfigFile(file))
	defer display(c)

	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer s.killCmd(cmd)

	backend := startTestServer("9000", http.StatusOK, "")
	defer backend.Close()

	err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)

	testCase := []struct {
		desc            string
		expected        http.Header
		reqHost         string
		internalReqHost string
	}{
		{
			desc: "Permissions-Policy Set",
			expected: http.Header{
				"Permissions-Policy": {"microphone=(),"},
			},
			reqHost:         "test.localhost",
			internalReqHost: "internal.localhost",
		},
	}

	for _, test := range testCase {
		req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
		c.Assert(err, checker.IsNil)
		req.Host = test.reqHost

		err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasHeaderStruct(test.expected))
		c.Assert(err, checker.IsNil)

		req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/api/rawdata", nil)
		c.Assert(err, checker.IsNil)
		req.Host = test.internalReqHost

		err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasHeaderStruct(test.expected))
		c.Assert(err, checker.IsNil)
	}
}

func (s *HeadersSuite) TestMultipleSecureHeadersResponses(c *check.C) {
	file := s.adaptFile(c, "fixtures/headers/secure_multiple.toml", struct{}{})
	defer os.Remove(file)
	cmd, display := s.traefikCmd(withConfigFile(file))
	defer display(c)

	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer s.killCmd(cmd)

	backend := startTestServer("9000", http.StatusOK, "")
	defer backend.Close()

	err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)

	testCase := []struct {
		desc     string
		expected http.Header
		reqHost  string
	}{
		{
			desc: "Multiple Secure Headers Set",
			expected: http.Header{
				"X-Frame-Options":        {"DENY"},
				"X-Content-Type-Options": {"nosniff"},
			},
			reqHost: "test.localhost",
		},
	}

	for _, test := range testCase {
		req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
		c.Assert(err, checker.IsNil)
		req.Host = test.reqHost

		err = try.Request(req, 500*time.Millisecond, try.HasHeaderStruct(test.expected))
		c.Assert(err, checker.IsNil)
	}
}
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`package integration`

			`import (`
Allow X-Forwarded-For delete operation Co-authored-by: landrybe <lbenguigui@gmail.com> 2023-09-22 09:00:07 +00:00			`"net"`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`"net/http"`
Allow X-Forwarded-For delete operation Co-authored-by: landrybe <lbenguigui@gmail.com> 2023-09-22 09:00:07 +00:00			`"net/http/httptest"`
Restrict traefik.toml to static configuration. 2019-07-15 08:22:03 +00:00			`"os"`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`"time"`

			`"github.com/go-check/check"`
fix: go module 2023-02-03 14:24:05 +00:00			`"github.com/traefik/traefik/v3/integration/try"`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`checker "github.com/vdemeester/shakers"`
			`)`

Update linter 2020-05-11 10:06:07 +00:00			`// Headers tests suite.`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`type HeadersSuite struct{ BaseSuite }`

			`func (s HeadersSuite) TestSimpleConfiguration(c check.C) {`
			`cmd, display := s.traefikCmd(withConfigFile("fixtures/headers/basic.toml"))`
			`defer display(c)`
			`err := cmd.Start()`
			`c.Assert(err, checker.IsNil)`
fix: flaky integration tests 2020-10-09 07:32:03 +00:00			`defer s.killCmd(cmd)`
Enable CORS configuration 2019-04-02 08:40:04 +00:00
			`// Expected a 404 as we did not configure anything`
			`err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))`
			`c.Assert(err, checker.IsNil)`
			`}`

Allow X-Forwarded-For delete operation Co-authored-by: landrybe <lbenguigui@gmail.com> 2023-09-22 09:00:07 +00:00			`func (s HeadersSuite) TestReverseProxyHeaderRemoved(c check.C) {`
			`file := s.adaptFile(c, "fixtures/headers/remove_reverseproxy_headers.toml", struct{}{})`
			`defer os.Remove(file)`
			`cmd, display := s.traefikCmd(withConfigFile(file))`
			`defer display(c)`

			`err := cmd.Start()`
			`c.Assert(err, checker.IsNil)`
			`defer s.killCmd(cmd)`

			`handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`_, found := r.Header["X-Forwarded-Host"]`
			`c.Assert(found, checker.True)`
			`_, found = r.Header["Foo"]`
			`c.Assert(found, checker.False)`
			`_, found = r.Header["X-Forwarded-For"]`
			`c.Assert(found, checker.False)`
			`})`

			`listener, err := net.Listen("tcp", "127.0.0.1:9000")`
			`c.Assert(err, checker.IsNil)`

			`ts := &httptest.Server{`
			`Listener: listener,`
			`Config: &http.Server{Handler: handler},`
			`}`
			`ts.Start()`
			`defer ts.Close()`

			`req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)`
			`c.Assert(err, checker.IsNil)`
			`req.Host = "test.localhost"`
			`req.Header = http.Header{`
			`"Foo": {"bar"},`
			`}`

			`err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))`
			`c.Assert(err, checker.IsNil)`
			`}`

Enable CORS configuration 2019-04-02 08:40:04 +00:00			`func (s HeadersSuite) TestCorsResponses(c check.C) {`
Restrict traefik.toml to static configuration. 2019-07-15 08:22:03 +00:00			`file := s.adaptFile(c, "fixtures/headers/cors.toml", struct{}{})`
			`defer os.Remove(file)`
			`cmd, display := s.traefikCmd(withConfigFile(file))`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`defer display(c)`

			`err := cmd.Start()`
			`c.Assert(err, checker.IsNil)`
fix: flaky integration tests 2020-10-09 07:32:03 +00:00			`defer s.killCmd(cmd)`
Enable CORS configuration 2019-04-02 08:40:04 +00:00
Fix domain fronting Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com> 2020-07-17 13:38:04 +00:00			`backend := startTestServer("9000", http.StatusOK, "")`
Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`defer backend.Close()`

			`err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))`
			`c.Assert(err, checker.IsNil)`

Enable CORS configuration 2019-04-02 08:40:04 +00:00			`testCase := []struct {`
			`desc string`
			`requestHeaders http.Header`
			`expected http.Header`
Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`reqHost string`
			`method string`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`}{`
			`{`
			`desc: "simple access control allow origin",`
			`requestHeaders: http.Header{`
			`"Origin": {"https://foo.bar.org"},`
			`},`
			`expected: http.Header{`
			`"Access-Control-Allow-Origin": {"https://foo.bar.org"},`
			`"Vary": {"Origin"},`
			`},`
Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`reqHost: "test.localhost",`
			`method: http.MethodGet,`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`},`
			`{`
			`desc: "simple preflight request",`
			`requestHeaders: http.Header{`
			`"Access-Control-Request-Headers": {"origin"},`
			`"Access-Control-Request-Method": {"GET", "OPTIONS"},`
			`"Origin": {"https://foo.bar.org"},`
			`},`
			`expected: http.Header{`
			`"Access-Control-Allow-Origin": {"https://foo.bar.org"},`
			`"Access-Control-Max-Age": {"100"},`
			`"Access-Control-Allow-Methods": {"GET,OPTIONS,PUT"},`
			`},`
Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`reqHost: "test.localhost",`
			`method: http.MethodOptions,`
			`},`
			`{`
			`desc: "preflight Options request with no cors configured",`
			`requestHeaders: http.Header{`
			`"Access-Control-Request-Headers": {"origin"},`
			`"Access-Control-Request-Method": {"GET", "OPTIONS"},`
			`"Origin": {"https://foo.bar.org"},`
			`},`
			`expected: http.Header{`
			`"X-Custom-Response-Header": {"True"},`
			`},`
			`reqHost: "test2.localhost",`
			`method: http.MethodOptions,`
			`},`
			`{`
			`desc: "preflight Get request with no cors configured",`
			`requestHeaders: http.Header{`
			`"Access-Control-Request-Headers": {"origin"},`
			`"Access-Control-Request-Method": {"GET", "OPTIONS"},`
			`"Origin": {"https://foo.bar.org"},`
			`},`
			`expected: http.Header{`
			`"X-Custom-Response-Header": {"True"},`
			`},`
			`reqHost: "test2.localhost",`
			`method: http.MethodGet,`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`},`
			`}`

			`for _, test := range testCase {`
Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`req, err := http.NewRequest(test.method, "http://127.0.0.1:8000/", nil)`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`c.Assert(err, checker.IsNil)`
Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`req.Host = test.reqHost`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`req.Header = test.requestHeaders`

Properly add response headers for CORS 2019-07-12 09:46:04 +00:00			`err = try.Request(req, 500*time.Millisecond, try.HasHeaderStruct(test.expected))`
Enable CORS configuration 2019-04-02 08:40:04 +00:00			`c.Assert(err, checker.IsNil)`
			`}`
			`}`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00
			`func (s HeadersSuite) TestSecureHeadersResponses(c check.C) {`
			`file := s.adaptFile(c, "fixtures/headers/secure.toml", struct{}{})`
			`defer os.Remove(file)`
			`cmd, display := s.traefikCmd(withConfigFile(file))`
			`defer display(c)`

			`err := cmd.Start()`
			`c.Assert(err, checker.IsNil)`
fix: flaky integration tests 2020-10-09 07:32:03 +00:00			`defer s.killCmd(cmd)`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00
Fix domain fronting Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com> 2020-07-17 13:38:04 +00:00			`backend := startTestServer("9000", http.StatusOK, "")`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00			`defer backend.Close()`

			`err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))`
			`c.Assert(err, checker.IsNil)`

			`testCase := []struct {`
internal handlers: support for response modifiers Co-authored-by: Julien Salleyron <julien@containo.us> Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com> 2020-06-15 10:20:05 +00:00			`desc string`
			`expected http.Header`
			`reqHost string`
			`internalReqHost string`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00			`}{`
			`{`
add `permissionsPolicy` and deprecate `featurePolicy` 2021-06-21 13:16:13 +00:00			`desc: "Permissions-Policy Set",`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00			`expected: http.Header{`
add `permissionsPolicy` and deprecate `featurePolicy` 2021-06-21 13:16:13 +00:00			`"Permissions-Policy": {"microphone=(),"},`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00			`},`
internal handlers: support for response modifiers Co-authored-by: Julien Salleyron <julien@containo.us> Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com> 2020-06-15 10:20:05 +00:00			`reqHost: "test.localhost",`
			`internalReqHost: "internal.localhost",`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00			`},`
			`}`

			`for _, test := range testCase {`
			`req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)`
			`c.Assert(err, checker.IsNil)`
			`req.Host = test.reqHost`

internal handlers: support for response modifiers Co-authored-by: Julien Salleyron <julien@containo.us> Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com> 2020-06-15 10:20:05 +00:00			`err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasHeaderStruct(test.expected))`
			`c.Assert(err, checker.IsNil)`

			`req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/api/rawdata", nil)`
			`c.Assert(err, checker.IsNil)`
			`req.Host = test.internalReqHost`

			`err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasHeaderStruct(test.expected))`
Add Feature-Policy header support 2019-07-29 14:12:05 +00:00			`c.Assert(err, checker.IsNil)`
			`}`
			`}`
Allow multiple secure middlewares to operate independently 2020-07-01 08:42:04 +00:00
			`func (s HeadersSuite) TestMultipleSecureHeadersResponses(c check.C) {`
			`file := s.adaptFile(c, "fixtures/headers/secure_multiple.toml", struct{}{})`
			`defer os.Remove(file)`
			`cmd, display := s.traefikCmd(withConfigFile(file))`
			`defer display(c)`

			`err := cmd.Start()`
			`c.Assert(err, checker.IsNil)`
fix: flaky integration tests 2020-10-09 07:32:03 +00:00			`defer s.killCmd(cmd)`
Allow multiple secure middlewares to operate independently 2020-07-01 08:42:04 +00:00
Merge v2.2 into v2.3 2020-07-22 12:39:45 +00:00			`backend := startTestServer("9000", http.StatusOK, "")`
Allow multiple secure middlewares to operate independently 2020-07-01 08:42:04 +00:00			`defer backend.Close()`

			`err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))`
			`c.Assert(err, checker.IsNil)`

			`testCase := []struct {`
			`desc string`
			`expected http.Header`
			`reqHost string`
			`}{`
			`{`
add `permissionsPolicy` and deprecate `featurePolicy` 2021-06-21 13:16:13 +00:00			`desc: "Multiple Secure Headers Set",`
Allow multiple secure middlewares to operate independently 2020-07-01 08:42:04 +00:00			`expected: http.Header{`
			`"X-Frame-Options": {"DENY"},`
			`"X-Content-Type-Options": {"nosniff"},`
			`},`
			`reqHost: "test.localhost",`
			`},`
			`}`

			`for _, test := range testCase {`
			`req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)`
			`c.Assert(err, checker.IsNil)`
			`req.Host = test.reqHost`

			`err = try.Request(req, 500*time.Millisecond, try.HasHeaderStruct(test.expected))`
			`c.Assert(err, checker.IsNil)`
			`}`
			`}`