Makes apache header tests distro-specific

freedomofpress · Feb 23, 2021 · c3d4626 · c3d4626
1 parent ae28d9e
commit c3d4626
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 18 deletions.
diff --git a/molecule/testinfra/app/apache/test_apache_journalist_interface.py b/molecule/testinfra/app/apache/test_apache_journalist_interface.py
@@ -17,10 +17,14 @@ def test_apache_headers_journalist_interface(host, header, value):
     assert f.user == "root"
     assert f.group == "root"
     assert f.mode == 0o644
-    header_unset = "Header onsuccess unset {}".format(header)
-    assert f.contains(header_unset)
-    header_set = "Header always set {} \"{}\"".format(header, value)
-    assert f.contains(header_set)
+    if host.system_info.codename == "focal":
+        header_unset = "Header onsuccess unset {}".format(header)
+        assert f.contains(header_unset)
+        header_set = "Header always set {} \"{}\"".format(header, value)
+        assert f.contains(header_set)
+    else:
+        header_regex = "^Header set {}.*{}.*$".format(re.escape(header), re.escape(value))
+        assert re.search(header_regex, f.content_string, re.M)
 
 
 # declare journalist-specific Apache configs
@@ -29,8 +33,6 @@ def test_apache_headers_journalist_interface(host, header, value):
       securedrop_test_vars.apache_listening_address),
   "WSGIDaemonProcess journalist processes=2 threads=30 display-name=%{{GROUP}} python-path={}".format(  # noqa
       securedrop_test_vars.securedrop_code),
-  'Header onsuccess unset Referrer-Policy',
-  'Header always set Referrer-Policy "no-referrer"',
   (
       'WSGIScriptAlias / /var/www/journalist.wsgi '
       'process-group=journalist application-group=journalist'
@@ -63,6 +65,24 @@ def test_apache_config_journalist_interface(host, apache_opt):
     assert re.search(regex, f.content_string, re.M)
 
 
+def test_apache_config_journalist_interface_headers_per_distro(host):
+    """
+    During migration to Focal, we updated the syntax for forcing HTTP headers.
+    Honor the old Xenial syntax until EOL.
+    """
+    f = host.file("/etc/apache2/sites-available/journalist.conf")
+    if host.system_info.codename == "xenial":
+        assert f.contains("Header always append X-Frame-Options: DENY")
+        assert f.contains('Header set Referrer-Policy "no-referrer"')
+        assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+    else:
+        assert f.contains("Header onsuccess unset X-Frame-Options")
+        assert f.contains('Header always set X-Frame-Options "DENY"')
+        assert f.contains('Header onsuccess unset Referrer-Policy')
+        assert f.contains('Header always set Referrer-Policy "no-referrer"')
+        assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+
+
 def test_apache_logging_journalist_interface(host):
     """
     Check that logging is configured correctly for the Journalist Interface.

diff --git a/molecule/testinfra/app/apache/test_apache_source_interface.py b/molecule/testinfra/app/apache/test_apache_source_interface.py
@@ -17,10 +17,14 @@ def test_apache_headers_source_interface(host, header, value):
     assert f.user == "root"
     assert f.group == "root"
     assert f.mode == 0o644
-    header_unset = "Header onsuccess unset {}".format(header)
-    assert f.contains(header_unset)
-    header_set = "Header always set {} \"{}\"".format(header, value)
-    assert f.contains(header_set)
+    if host.system_info.codename == "focal":
+        header_unset = "Header onsuccess unset {}".format(header)
+        assert f.contains(header_unset)
+        header_set = "Header always set {} \"{}\"".format(header, value)
+        assert f.contains(header_set)
+    else:
+        header_regex = "^Header set {}.*{}.*$".format(re.escape(header), re.escape(value))
+        assert re.search(header_regex, f.content_string, re.M)
 
 
 @pytest.mark.parametrize("apache_opt", [
@@ -31,8 +35,6 @@ def test_apache_headers_source_interface(host, header, value):
     'WSGIProcessGroup source',
     'WSGIScriptAlias / /var/www/source.wsgi',
     'Header set Cache-Control "no-store"',
-    'Header onsuccess unset Referrer-Policy',
-    'Header always set Referrer-Policy "same-origin"',
     'Header unset Etag',
     "Alias /static {}/static".format(securedrop_test_vars.securedrop_code),
     'XSendFile        Off',
@@ -57,6 +59,24 @@ def test_apache_config_source_interface(host, apache_opt):
     assert re.search(regex, f.content_string, re.M)
 
 
+def test_apache_config_source_interface_headers_per_distro(host):
+    """
+    During migration to Focal, we updated the syntax for forcing HTTP headers.
+    Honor the old Xenial syntax until EOL.
+    """
+    f = host.file("/etc/apache2/sites-available/source.conf")
+    if host.system_info.codename == "xenial":
+        assert f.contains("Header always append X-Frame-Options: DENY")
+        assert f.contains('Header set Referrer-Policy "same-origin"')
+        assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+    else:
+        assert f.contains("Header onsuccess unset X-Frame-Options")
+        assert f.contains('Header always set X-Frame-Options "DENY"')
+        assert f.contains('Header onsuccess unset Referrer-Policy')
+        assert f.contains('Header always set Referrer-Policy "same-origin"')
+        assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+
+
 @pytest.mark.parametrize("apache_opt", [
     """
 <Directory />

diff --git a/molecule/testinfra/vars/app-qubes-staging.yml b/molecule/testinfra/vars/app-qubes-staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
-  X-Frame-Options: DENY
   X-XSS-Protection: "1; mode=block"
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen

diff --git a/molecule/testinfra/vars/app-staging.yml b/molecule/testinfra/vars/app-staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
-  X-Frame-Options: DENY
   X-XSS-Protection: "1; mode=block"
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen

diff --git a/molecule/testinfra/vars/prod.yml b/molecule/testinfra/vars/prod.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
-  X-Frame-Options: DENY
   X-XSS-Protection: "1; mode=block"
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen

diff --git a/molecule/testinfra/vars/prodVM.yml b/molecule/testinfra/vars/prodVM.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
-  X-Frame-Options: DENY
   X-XSS-Protection: "1; mode=block"
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen

diff --git a/molecule/testinfra/vars/qubes-staging.yml b/molecule/testinfra/vars/qubes-staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
-  X-Frame-Options: DENY
   X-XSS-Protection: "1; mode=block"
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen

diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
-  X-Frame-Options: DENY
   X-XSS-Protection: "1; mode=block"
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen