Adds http_config.response_headers to the UI headers plus tests (#7369)

pull/7376/head
John Cowen 2020-03-03 13:18:35 +00:00 committed by GitHub
parent 2300e2d4ba
commit e83fb1882c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 56 additions and 2 deletions

View File

@ -322,9 +322,25 @@ func (s *HTTPServer) handler(enableDebug bool) http.Handler {
fs := assetFS()
uifs = fs
}
uifs = &redirectFS{fs: &templatedIndexFS{fs: uifs, templateVars: s.GenerateHTMLTemplateVars}}
mux.Handle("/robots.txt", http.FileServer(uifs))
mux.Handle(s.agent.config.UIContentPath, http.StripPrefix(s.agent.config.UIContentPath, http.FileServer(uifs)))
// create a http handler using the ui file system
// and the headers specified by the http_config.response_headers user config
uifsWithHeaders := serveHandlerWithHeaders(
http.FileServer(uifs),
s.agent.config.HTTPResponseHeaders,
)
mux.Handle(
"/robots.txt",
uifsWithHeaders,
)
mux.Handle(
s.agent.config.UIContentPath,
http.StripPrefix(
s.agent.config.UIContentPath,
uifsWithHeaders,
),
)
}
// Wrap the whole mux with a handler that bans URLs with non-printable
@ -752,6 +768,14 @@ func setHeaders(resp http.ResponseWriter, headers map[string]string) {
}
}
// serveHandlerWithHeaders is used to serve a http.Handler with the specified headers
func serveHandlerWithHeaders(h http.Handler, headers map[string]string) http.HandlerFunc {
return func(resp http.ResponseWriter, req *http.Request) {
setHeaders(resp, headers)
h.ServeHTTP(resp, req)
}
}
// parseWait is used to parse the ?wait and ?index query params
// Returns true on error
func parseWait(resp http.ResponseWriter, req *http.Request, b structs.QueryOptionsCompat) bool {

View File

@ -431,6 +431,36 @@ func TestHTTPAPIResponseHeaders(t *testing.T) {
t.Fatalf("bad X-XSS-Protection header: expected %q, got %q", "1; mode=block", xss)
}
}
func TestUIResponseHeaders(t *testing.T) {
t.Parallel()
a := NewTestAgent(t, t.Name(), `
http_config {
response_headers = {
"Access-Control-Allow-Origin" = "*"
"X-Frame-Options" = "SAMEORIGIN"
}
}
`)
defer a.Shutdown()
resp := httptest.NewRecorder()
handler := func(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
return nil, nil
}
req, _ := http.NewRequest("GET", "/ui", nil)
a.srv.wrap(handler, []string{"GET"})(resp, req)
origin := resp.Header().Get("Access-Control-Allow-Origin")
if origin != "*" {
t.Fatalf("bad Access-Control-Allow-Origin: expected %q, got %q", "*", origin)
}
frameOptions := resp.Header().Get("X-Frame-Options")
if frameOptions != "SAMEORIGIN" {
t.Fatalf("bad X-XSS-Protection header: expected %q, got %q", "SAMEORIGIN", frameOptions)
}
}
func TestContentTypeIsJSON(t *testing.T) {
t.Parallel()