|
| 1 | +package io.openfednow.security; |
| 2 | + |
| 3 | +import io.openfednow.infrastructure.AbstractInfrastructureIntegrationTest; |
| 4 | +import org.junit.jupiter.api.Test; |
| 5 | +import org.springframework.beans.factory.annotation.Autowired; |
| 6 | +import org.springframework.boot.test.context.SpringBootTest; |
| 7 | +import org.springframework.boot.test.web.client.TestRestTemplate; |
| 8 | +import org.springframework.http.HttpHeaders; |
| 9 | +import org.springframework.http.ResponseEntity; |
| 10 | + |
| 11 | +import static org.assertj.core.api.Assertions.assertThat; |
| 12 | + |
| 13 | +/** |
| 14 | + * Verifies the HTTP security response headers configured in {@link SecurityConfig}. |
| 15 | + * |
| 16 | + * <p>Spring Security 6 enables the default header set automatically; this test |
| 17 | + * exists so a future refactor (e.g., switching to a custom header chain) can't |
| 18 | + * silently drop them. HSTS is configured explicitly and is verified here too. |
| 19 | + * |
| 20 | + * <p>Drives a real HTTP port via {@link TestRestTemplate} so the full filter |
| 21 | + * chain is exercised end-to-end. |
| 22 | + */ |
| 23 | +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) |
| 24 | +class SecurityHeadersTest extends AbstractInfrastructureIntegrationTest { |
| 25 | + |
| 26 | + @Autowired |
| 27 | + private TestRestTemplate restTemplate; |
| 28 | + |
| 29 | + @Test |
| 30 | + void responseHasXContentTypeOptionsHeader() { |
| 31 | + HttpHeaders headers = anyEndpointHeaders(); |
| 32 | + assertThat(headers.getFirst("X-Content-Type-Options")).isEqualTo("nosniff"); |
| 33 | + } |
| 34 | + |
| 35 | + @Test |
| 36 | + void responseHasXFrameOptionsDeny() { |
| 37 | + HttpHeaders headers = anyEndpointHeaders(); |
| 38 | + // Spring Security default: DENY |
| 39 | + assertThat(headers.getFirst("X-Frame-Options")).isEqualTo("DENY"); |
| 40 | + } |
| 41 | + |
| 42 | + @Test |
| 43 | + void responseHasStrictTransportSecurity() { |
| 44 | + HttpHeaders headers = anyEndpointHeaders(); |
| 45 | + String hsts = headers.getFirst("Strict-Transport-Security"); |
| 46 | + assertThat(hsts).isNotNull(); |
| 47 | + // Configured to 2 years (63072000 seconds) with includeSubDomains |
| 48 | + assertThat(hsts).contains("max-age=63072000"); |
| 49 | + assertThat(hsts).contains("includeSubDomains"); |
| 50 | + } |
| 51 | + |
| 52 | + @Test |
| 53 | + void responseHasCacheControl() { |
| 54 | + HttpHeaders headers = anyEndpointHeaders(); |
| 55 | + // Spring Security defaults set no-cache directives so admin / auth responses |
| 56 | + // are not cached by intermediaries. |
| 57 | + String cacheControl = headers.getFirst("Cache-Control"); |
| 58 | + assertThat(cacheControl).isNotNull(); |
| 59 | + assertThat(cacheControl).containsAnyOf("no-cache", "no-store"); |
| 60 | + } |
| 61 | + |
| 62 | + @Test |
| 63 | + void healthEndpointAlsoCarriesSecurityHeaders() { |
| 64 | + // Even unauthenticated paths get the security headers — the chain is global. |
| 65 | + ResponseEntity<String> response = restTemplate.getForEntity("/fednow/health", String.class); |
| 66 | + HttpHeaders headers = response.getHeaders(); |
| 67 | + assertThat(headers.getFirst("X-Content-Type-Options")).isEqualTo("nosniff"); |
| 68 | + assertThat(headers.getFirst("X-Frame-Options")).isEqualTo("DENY"); |
| 69 | + assertThat(headers.getFirst("Strict-Transport-Security")).isNotNull(); |
| 70 | + } |
| 71 | + |
| 72 | + private HttpHeaders anyEndpointHeaders() { |
| 73 | + // /actuator/health is permitAll-ed and stable across environments |
| 74 | + ResponseEntity<String> response = restTemplate.getForEntity("/actuator/health", String.class); |
| 75 | + return response.getHeaders(); |
| 76 | + } |
| 77 | +} |
0 commit comments