From e6841d6848a22006468df4f790420646f97ac401 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?=
Date: Sun, 16 Feb 2014 03:05:25 +0100
Subject: [PATCH] Validate that HTTPS is used by default for API requests

Since we use a test server representing the GitHub API, all requests get transformed to HTTP in tests. Make a check that the original requests really was intended to go over HTTPS.
---
 features/fork.feature | 10 ++++++++--
 lib/hub/github_api.rb | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/features/fork.feature b/features/fork.feature
index 6e6b8570..4b992f30 100644
--- a/features/fork.feature
+++ b/features/fork.feature
@@ -7,7 +7,10 @@ Feature: hub fork
 Scenario: Fork the repository
 Given the GitHub API server:
 """
- before { halt 401 unless request.env['HTTP_AUTHORIZATION'] == 'token OTOKEN' }
+ before {
+ halt 400 unless request.env['HTTP_X_ORIGINAL_SCHEME'] == 'https'
+ halt 401 unless request.env['HTTP_AUTHORIZATION'] == 'token OTOKEN'
+ }
 get('/repos/mislav/dotfiles', :host_name => 'api.github.com') { 404 }
 post('/repos/evilchelu/dotfiles/forks', :host_name => 'api.github.com') { '' }
 """
@@ -121,7 +124,10 @@ Scenario: Related fork already exists
 Scenario: Enterprise fork
 Given the GitHub API server:
 """
- before { halt 401 unless request.env['HTTP_AUTHORIZATION'] == 'token FITOKEN' }
+ before {
+ halt 400 unless request.env['HTTP_X_ORIGINAL_SCHEME'] == 'https'
+ halt 401 unless request.env['HTTP_AUTHORIZATION'] == 'token FITOKEN'
+ }
 post('/api/v3/repos/evilchelu/dotfiles/forks', :host_name => 'git.my.org') { '' }
 """
 And the "origin" remote has url "git@git.my.org:evilchelu/dotfiles.git"
diff --git a/lib/hub/github_api.rb b/lib/hub/github_api.rb
index 488d9a0c..26b4918c 100644
--- a/lib/hub/github_api.rb
+++ b/lib/hub/github_api.rb
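Review bot: The scheme check is added only to the `before` blocks of two fork scenarios (the hunk at -7 and the one at -121), so an API request issued by any other command could default to http without a scenario failing; if the step that starts the fake API server is shared, the check would cover every scenario from there. The bare `halt 400` also gives no reason when it fires, and `halt 400, 'expected https' unless request.env['HTTP_X_ORIGINAL_SCHEME'] == 'https'` would make a regression readable in the test output. The header is written by the client under test, so this asserts the scheme the client intended rather than what was on the wire, which is worth stating in a comment above the check.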
@@ -248,6 +248,7 @@ module Hub
 def configure_connection req, url
 if ENV['HUB_TEST_HOST']
 req['Host'] = url.host
+ req['X-Original-Scheme'] = url.scheme
 url = url.dup
 url.scheme = 'http'
 url.host, test_port = ENV['HUB_TEST_HOST'].split(':')
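Review bot: The new `req['X-Original-Scheme']` line sits in the `if ENV['HUB_TEST_HOST']` branch of shipped code, and nothing there says the branch is a test hook; as the context lines show, setting that variable rewrites the request to plain `http` and to whatever host the variable names. I would document it at the top of the branch, e.g. `# Test hook: HUB_TEST_HOST reroutes API calls to a local fake server over plain HTTP.` followed by `# X-Original-Scheme records the scheme before the downgrade so tests can assert HTTPS was intended.` Whether credentials are already attached to `req` at this point is not visible here, so it is worth confirming that the variable cannot end up set in a normal user environment. The body of `configure_connection` continues past the end of the hunk.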