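/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.rest;

import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.core.Is.is;
import static org.hamcrest.core.IsEqual.equalTo;
import static org.junit.Assert.assertThat;

import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.rest.client.Client;
import org.apache.hadoop.hbase.rest.client.Cluster;
import org.apache.hadoop.hbase.rest.client.Response;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.RestTests;
import org.junit.After;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;

/**
 * Verifies the security-related HTTP response headers emitted by the REST server: the headers
 * that are always present with their default values, and the HSTS / CSP headers that appear only
 * when their values are configured.
 *
 * <p>Each test boots a mini cluster plus the REST servlet container, issues one request and
 * inspects the response headers. The utilities are static and shared across tests, so
 * {@link #tearDown()} resets the configuration keys a test may have set.
 */
@Category({RestTests.class, MediumTests.class})
public class TestSecurityHeadersFilter {

  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
      HBaseClassTestRule.forClass(TestSecurityHeadersFilter.class);

  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
  private static final HBaseRESTTestingUtility REST_TEST_UTIL = new HBaseRESTTestingUtility();
  private static Client client;

  /** Configuration key holding the value sent as {@code Strict-Transport-Security}. */
  private static final String HSTS_CONF_KEY = "hbase.http.filter.hsts.value";
  /** Configuration key holding the value sent as {@code Content-Security-Policy}. */
  private static final String CSP_CONF_KEY = "hbase.http.filter.csp.value";
  /** Resource requested by every test; only the response headers are inspected. */
  private static final String PATH = "/version/cluster";

  /**
   * Stops the client, the servlet container and the mini cluster, and clears the HSTS / CSP
   * configuration values so they cannot leak into the next test.
   */
  @After
  public void tearDown() throws Exception {
    // The configuration object behind TEST_UTIL is static and shared by every test in this JVM.
    // Clear the opt-in header values first, so a failure further down cannot leave them set and
    // make testDefaultValues() fail depending on test order.
    TEST_UTIL.getConfiguration().unset(HSTS_CONF_KEY);
    TEST_UTIL.getConfiguration().unset(CSP_CONF_KEY);
    try {
      if (client != null) {
        // Release the client's HTTP connections before the container they point at goes away.
        client.shutdown();
      }
    } finally {
      client = null;
      REST_TEST_UTIL.shutdownServletContainer();
      TEST_UTIL.shutdownMiniCluster();
    }
  }

  /**
   * Starts the mini cluster and the REST servlet container with the current {@code TEST_UTIL}
   * configuration, then issues a GET for {@link #PATH} and checks that it succeeded.
   *
   * @return the response whose headers the caller inspects
   * @throws Exception if the cluster, the container or the request fails
   */
  private static Response startAndGet() throws Exception {
    TEST_UTIL.startMiniCluster();
    REST_TEST_UTIL.startServletContainer(TEST_UTIL.getConfiguration());
    client = new Client(new Cluster().add("localhost", REST_TEST_UTIL.getServletPort()));
    Response response = client.get(PATH);
    assertThat("GET " + PATH + " did not succeed", response.getCode(), equalTo(200));
    return response;
  }

  /**
   * Asserts that {@code header} is present in {@code response} and carries exactly
   * {@code expected}. Presence is checked separately so a missing header produces a distinct
   * failure message from a wrong value.
   */
  private static void assertHeaderEquals(Response response, String header, String expected) {
    String actual = response.getHeader(header);
    assertThat("Header '" + header + "' is missing from Rest response",
        actual, is(not((String) null)));
    assertThat("Header '" + header + "' has invalid value", actual, equalTo(expected));
  }

  /** Asserts that {@code header} is not sent at all by the REST server. */
  private static void assertHeaderAbsent(Response response, String header) {
    assertThat("Header '" + header + "' should be missing from Rest response, but it's present",
        response.getHeader(header), is((String) null));
  }

  /**
   * With nothing configured, the always-on headers carry their default values and the opt-in
   * HSTS / CSP headers are absent.
   */
  @Test
  public void testDefaultValues() throws Exception {
    Response response = startAndGet();

    // Default values sent without any configuration.
    assertHeaderEquals(response, "X-Content-Type-Options", "nosniff");
    assertHeaderEquals(response, "X-XSS-Protection", "1; mode=block");

    // HSTS and CSP are opt-in: they must not be sent unless a value is configured.
    assertHeaderAbsent(response, "Strict-Transport-Security");
    assertHeaderAbsent(response, "Content-Security-Policy");
  }

  /**
   * Configured HSTS and CSP values are sent back unchanged. The values are reset by
   * {@link #tearDown()}.
   */
  @Test
  public void testHstsAndCspSettings() throws Exception {
    String hsts = "max-age=63072000;includeSubDomains;preload";
    // Deliberately permissive policy: the test only checks that the configured string is passed
    // through verbatim; it is not a recommended production value.
    String csp = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    TEST_UTIL.getConfiguration().set(HSTS_CONF_KEY, hsts);
    TEST_UTIL.getConfiguration().set(CSP_CONF_KEY, csp);

    Response response = startAndGet();

    assertHeaderEquals(response, "Strict-Transport-Security", hsts);
    assertHeaderEquals(response, "Content-Security-Policy", csp);
  }
}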