|
3 | 3 | import io.quarkus.test.InjectMock; |
4 | 4 | import io.quarkus.test.junit.QuarkusTest; |
5 | 5 | import io.quarkus.test.security.TestSecurity; |
| 6 | +import io.restassured.response.ValidatableResponse; |
6 | 7 | import org.finos.calm.store.NamespaceStore; |
7 | 8 | import org.finos.calm.store.UserAccessStore; |
8 | 9 | import org.junit.jupiter.api.Test; |
|
21 | 22 | public class TestSecurityResponseHeadersShould { |
22 | 23 |
|
23 | 24 | @InjectMock |
24 | | - NamespaceStore namespaceStore; |
| 25 | + NamespaceStore mockNamespaceStore; |
25 | 26 |
|
26 | 27 | @InjectMock |
27 | | - UserAccessStore userAccessStore; |
| 28 | + UserAccessStore mockUserAccessStore; |
| 29 | + |
| 30 | + private static void assertSecurityHeaders(ValidatableResponse response) { |
| 31 | + response |
| 32 | + .header("X-Frame-Options", equalTo("DENY")) |
| 33 | + .header("X-Content-Type-Options", equalTo("nosniff")) |
| 34 | + .header("Referrer-Policy", equalTo("no-referrer")); |
| 35 | + } |
28 | 36 |
|
29 | 37 | @Test |
30 | | - void return_x_frame_options_deny_on_get_request() { |
31 | | - when(namespaceStore.getNamespaces()).thenReturn(new ArrayList<>()); |
| 38 | + void return_security_headers_on_get_request() { |
| 39 | + when(mockNamespaceStore.getNamespaces()).thenReturn(new ArrayList<>()); |
32 | 40 |
|
33 | | - given() |
| 41 | + assertSecurityHeaders(given() |
34 | 42 | .when() |
35 | 43 | .get("/api/calm/namespaces") |
36 | 44 | .then() |
37 | | - .statusCode(200) |
38 | | - .header("X-Frame-Options", equalTo("DENY")); |
| 45 | + .statusCode(200)); |
39 | 46 | } |
40 | 47 |
|
41 | 48 | @Test |
42 | | - void return_x_frame_options_deny_on_post_request() { |
43 | | - given() |
| 49 | + void return_security_headers_on_head_request() { |
| 50 | + when(mockNamespaceStore.getNamespaces()).thenReturn(new ArrayList<>()); |
| 51 | + |
| 52 | + assertSecurityHeaders(given() |
| 53 | + .when() |
| 54 | + .head("/api/calm/namespaces") |
| 55 | + .then() |
| 56 | + .statusCode(200)); |
| 57 | + } |
| 58 | + |
| 59 | + @Test |
| 60 | + void return_security_headers_on_post_request() { |
| 61 | + assertSecurityHeaders(given() |
44 | 62 | .contentType("application/json") |
45 | 63 | .body("{\"name\":\"test\",\"description\":\"test\"}") |
46 | 64 | .when() |
47 | 65 | .post("/api/calm/namespaces") |
48 | | - .then() |
49 | | - .header("X-Frame-Options", equalTo("DENY")); |
| 66 | + .then()); |
50 | 67 | } |
51 | 68 | } |
0 commit comments