diff --git a/molecule/testinfra/app/apache/test_apache_journalist_interface.py b/molecule/testinfra/app/apache/test_apache_journalist_interface.py
index a4726d7028..585c66930c 100644
--- a/molecule/testinfra/app/apache/test_apache_journalist_interface.py
+++ b/molecule/testinfra/app/apache/test_apache_journalist_interface.py
@@ -17,10 +17,14 @@ def test_apache_headers_journalist_interface(host, header, value):
 assert f.user == "root"
 assert f.group == "root"
 assert f.mode == 0o644
- header_unset = "Header onsuccess unset {}".format(header)
- assert f.contains(header_unset)
- header_set = "Header always set {} \"{}\"".format(header, value)
- assert f.contains(header_set)
+ if host.system_info.codename == "focal":
+ header_unset = "Header onsuccess unset {}".format(header)
+ assert f.contains(header_unset)
+ header_set = "Header always set {} \"{}\"".format(header, value)
+ assert f.contains(header_set)
+ else:
+ header_regex = "^Header set {}.*{}.*$".format(re.escape(header), re.escape(value))
+ assert re.search(header_regex, f.content_string, re.M)


 # declare journalist-specific Apache configs
@@ -29,8 +33,6 @@ def test_apache_headers_journalist_interface(host, header, value):
 securedrop_test_vars.apache_listening_address),
 "WSGIDaemonProcess journalist processes=2 threads=30 display-name=%{{GROUP}} python-path={}".format( # noqa
 securedrop_test_vars.securedrop_code),
- 'Header onsuccess unset Referrer-Policy',
- 'Header always set Referrer-Policy "no-referrer"',
 (
 'WSGIScriptAlias / /var/www/journalist.wsgi '
 'process-group=journalist application-group=journalist'
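Review bot: The `else:` branch of test_apache_headers_journalist_interface applies the legacy `^Header set …` regex to every codename other than "focal", whereas the per-distro test added later in this file treats everything other than "xenial" as the new syntax, so a host on any later release would face two contradictory expectations. Keying both on the legacy release, `if host.system_info.codename == "xenial":` for the regex and `else:` for the `onsuccess unset` / `always set` pair, makes the stricter form the default; `always` also covers error responses that Apache generates itself, which a bare `Header set` does not. The legacy regex is loose as well: the `.*` on both sides of the value accepts extra tokens, so a tighter pattern around the value would be worth adding if the Xenial template quotes values uniformly. The same branch appears in the first hunk of test_apache_source_interface.py. The function starts above the hunk.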
@@ -63,6 +65,24 @@ def test_apache_config_journalist_interface(host, apache_opt):
 assert re.search(regex, f.content_string, re.M)


+def test_apache_config_journalist_interface_headers_per_distro(host):
+ """
+ During migration to Focal, we updated the syntax for forcing HTTP headers.
+ Honor the old Xenial syntax until EOL.
+ """
+ f = host.file("/etc/apache2/sites-available/journalist.conf")
+ if host.system_info.codename == "xenial":
+ assert f.contains("Header always append X-Frame-Options: DENY")
+ assert f.contains('Header set Referrer-Policy "no-referrer"')
+ assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+ else:
+ assert f.contains("Header onsuccess unset X-Frame-Options")
+ assert f.contains('Header always set X-Frame-Options "DENY"')
+ assert f.contains('Header onsuccess unset Referrer-Policy')
+ assert f.contains('Header always set Referrer-Policy "no-referrer"')
+ assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+
+
 def test_apache_logging_journalist_interface(host):
 """
 Check that logging is configured correctly for the Journalist Interface.
diff --git a/molecule/testinfra/app/apache/test_apache_source_interface.py b/molecule/testinfra/app/apache/test_apache_source_interface.py
index 352d7c5985..ab298daa50 100644
--- a/molecule/testinfra/app/apache/test_apache_source_interface.py
+++ b/molecule/testinfra/app/apache/test_apache_source_interface.py
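Review bot: Every assertion in test_apache_config_journalist_interface_headers_per_distro is an unanchored `f.contains(...)` match (testinfra implements it as a grep over the file), so a directive that is present but commented out, such as `# Header always set X-Frame-Options "DENY"`, would still pass. That matters here because this test becomes the only coverage for X-Frame-Options once the header is dropped from the vars files. Anchoring the check the way the neighbouring config test does, e.g. `assert re.search(r'^\s*Header always set X-Frame-Options "DENY"\s*$', f.content_string, re.M)`, would require a live directive. The Set-Cookie assertion is identical in both branches and can be hoisted above the `if`. The matching test added to test_apache_source_interface.py has the same shape, and the two could share one parametrized helper.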
@@ -17,10 +17,14 @@ def test_apache_headers_source_interface(host, header, value):
 assert f.user == "root"
 assert f.group == "root"
 assert f.mode == 0o644
- header_unset = "Header onsuccess unset {}".format(header)
- assert f.contains(header_unset)
- header_set = "Header always set {} \"{}\"".format(header, value)
- assert f.contains(header_set)
+ if host.system_info.codename == "focal":
+ header_unset = "Header onsuccess unset {}".format(header)
+ assert f.contains(header_unset)
+ header_set = "Header always set {} \"{}\"".format(header, value)
+ assert f.contains(header_set)
+ else:
+ header_regex = "^Header set {}.*{}.*$".format(re.escape(header), re.escape(value))
+ assert re.search(header_regex, f.content_string, re.M)


 @pytest.mark.parametrize("apache_opt", [
@@ -31,8 +35,6 @@ def test_apache_headers_source_interface(host, header, value):
 'WSGIProcessGroup source',
 'WSGIScriptAlias / /var/www/source.wsgi',
 'Header set Cache-Control "no-store"',
- 'Header onsuccess unset Referrer-Policy',
- 'Header always set Referrer-Policy "same-origin"',
 'Header unset Etag',
 "Alias /static {}/static".format(securedrop_test_vars.securedrop_code),
 'XSendFile Off',
@@ -57,6 +59,24 @@ def test_apache_config_source_interface(host, apache_opt):
 assert re.search(regex, f.content_string, re.M)


+def test_apache_config_source_interface_headers_per_distro(host):
+ """
+ During migration to Focal, we updated the syntax for forcing HTTP headers.
+ Honor the old Xenial syntax until EOL.
+ """
+ f = host.file("/etc/apache2/sites-available/source.conf")
+ if host.system_info.codename == "xenial":
+ assert f.contains("Header always append X-Frame-Options: DENY")
+ assert f.contains('Header set Referrer-Policy "same-origin"')
+ assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+ else:
+ assert f.contains("Header onsuccess unset X-Frame-Options")
+ assert f.contains('Header always set X-Frame-Options "DENY"')
+ assert f.contains('Header onsuccess unset Referrer-Policy')
+ assert f.contains('Header always set Referrer-Policy "same-origin"')
+ assert f.contains('Header edit Set-Cookie ^(.*)$ $1;HttpOnly')
+
+
 @pytest.mark.parametrize("apache_opt", [
 """
diff --git a/molecule/testinfra/vars/app-qubes-staging.yml b/molecule/testinfra/vars/app-qubes-staging.yml
index 93ae5b1e64..8e2a218e40 100644
--- a/molecule/testinfra/vars/app-qubes-staging.yml
+++ b/molecule/testinfra/vars/app-qubes-staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
- X-Frame-Options: DENY
 X-XSS-Protection: "1; mode=block"
 X-Content-Type-Options: nosniff
 X-Download-Options: noopen
diff --git a/molecule/testinfra/vars/app-staging.yml b/molecule/testinfra/vars/app-staging.yml
index af4556acbd..6278019570 100644
--- a/molecule/testinfra/vars/app-staging.yml
+++ b/molecule/testinfra/vars/app-staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
- X-Frame-Options: DENY
 X-XSS-Protection: "1; mode=block"
 X-Content-Type-Options: nosniff
 X-Download-Options: noopen
diff --git a/molecule/testinfra/vars/prod.yml b/molecule/testinfra/vars/prod.yml
index 67d59e13b8..f5ee4fd891 100644
--- a/molecule/testinfra/vars/prod.yml
+++ b/molecule/testinfra/vars/prod.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
- X-Frame-Options: DENY
 X-XSS-Protection: "1; mode=block"
 X-Content-Type-Options: nosniff
 X-Download-Options: noopen
diff --git a/molecule/testinfra/vars/prodVM.yml b/molecule/testinfra/vars/prodVM.yml
index 0f97a1e4b5..412a4fd366 100644
--- a/molecule/testinfra/vars/prodVM.yml
+++ b/molecule/testinfra/vars/prodVM.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
- X-Frame-Options: DENY
 X-XSS-Protection: "1; mode=block"
 X-Content-Type-Options: nosniff
 X-Download-Options: noopen
diff --git a/molecule/testinfra/vars/qubes-staging.yml b/molecule/testinfra/vars/qubes-staging.yml
index 56af16685a..42bf80df29 100644
--- a/molecule/testinfra/vars/qubes-staging.yml
+++ b/molecule/testinfra/vars/qubes-staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
- X-Frame-Options: DENY
 X-XSS-Protection: "1; mode=block"
 X-Content-Type-Options: nosniff
 X-Download-Options: noopen
diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
index 784d116ae2..44ff905796 100644
--- a/molecule/testinfra/vars/staging.yml
+++ b/molecule/testinfra/vars/staging.yml
@@ -1,7 +1,6 @@
 ---
 # Testinfra vars file for app-staigng.
 wanted_apache_headers:
- X-Frame-Options: DENY
 X-XSS-Protection: "1; mode=block"
 X-Content-Type-Options: nosniff
 X-Download-Options: noopen