From 49ba53b7b6b6720329d02637b2446721c8acfb7f Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Wed, 11 Dec 2019 13:36:51 -0500
Subject: [PATCH] regression test for duplicate hsts
---
 test/e2e/framework/deployment.go | 6 ++++++
 test/e2e/settings/tls.go | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index f9c4aecc1..c1c8c02c0 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -127,6 +127,12 @@ Request Body:
 location / {
 lua_need_request_body on;
+ header_filter_by_lua_block {
+ if ngx.var.arg_hsts == "true" then
+ ngx.header["Strict-Transport-Security"] = "max-age=3600; preload"
+ end
+ }
+
 content_by_lua_block {
 ngx.header["Server"] = "echoserver"
diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go
index ac9930786..4daa0d544 100644
--- a/test/e2e/settings/tls.go
+++ b/test/e2e/settings/tls.go
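Review bot: The new `header_filter_by_lua_block` is a test hook with nothing explaining why the echo server now emits its own HSTS header when `?hsts=true` is passed, so a reader of this nginx config will not connect it to the duplicate-HSTS regression test. Add a comment above it in the config: `# test hook: emulate an upstream that sets its own Strict-Transport-Security header, so e2e tests can verify the controller's header wins and is not duplicated`. The strict comparison `ngx.var.arg_hsts == "true"` means any other value (`?hsts=1`, `?hsts=TRUE`) silently does nothing, which is fine for a fixture but worth stating in that comment. The enclosing declaration that embeds this nginx config starts and ends outside the hunk.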
@@ -154,6 +154,18 @@ var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
 Expect(errs).Should(BeEmpty())
 Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 Expect(resp.Header.Get("Strict-Transport-Security")).Should(Equal("max-age=86400; preload"))
+
+ By("overriding what's set from the upstream")
+
+ // we can not use gorequest here because it flattens the duplicate headers
+ // and specifically in case of Strict-Transport-Security it ignore extra headers
+ // intead of concatenating, rightfully. And I don't know of any API it provides for getting raw headers.
+ curlCmd := fmt.Sprintf("curl -I -k --fail --silent --resolve settings-tls:443:127.0.0.1 https://settings-tls/%v", "?hsts=true")
+ output, err := f.ExecIngressPod(curlCmd)
+ Expect(err).ToNot(HaveOccurred())
+ Expect(output).Should(ContainSubstring("strict-transport-security: max-age=86400; preload"))
+ // this is what the upstream sets
+ Expect(output).ShouldNot(ContainSubstring("strict-transport-security: max-age=3600; preload"))
 })
 It("should not use ports during the HTTP to HTTPS redirection", func() {
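Review bot: The final `ShouldNot(ContainSubstring(...))` only rules out the upstream's specific value, so the test would still pass if the response carried two `Strict-Transport-Security` headers both holding the controller's value, or a duplicate with any value other than `max-age=3600`, which is precisely the duplicate-header regression this commit is meant to guard. Assert on the number of occurrences rather than a single negative substring: `Expect(strings.Count(strings.ToLower(output), "strict-transport-security:")).Should(Equal(1))` (add `strings` to the imports if tls.go does not already have it). The `fmt.Sprintf` with a constant `%v` argument buys nothing; the command can be a plain literal ending in `https://settings-tls/?hsts=true`. Also fix the typo `intead` in the explanatory comment. The `It` block these assertions belong to opens before the hunk.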