refactor(headers): remove HPKP headers

Fixes #2744
vladikoff 2018-11-19 10:23:05 -05:00
Родитель e629a798b2
Коммит d98b10ca30
12 изменённых файлов: 0 добавлений и 388 удалений


@ -736,44 +736,6 @@ var conf = convict({
env: 'SIGNIN_UNBLOCK_FORCED_EMAILS'
}
},
hpkpConfig: {
enabled: {
default: false,
doc: 'Feature flag for appending HPKP headers',
format: Boolean,
env: 'HPKP_ENABLE'
},
reportOnly: {
default: true,
doc: 'Enable report only mode',
format: Boolean,
env: 'HPKP_REPORT_ONLY'
},
reportUri: {
default: '',
doc: 'Enable report only mode',
format: String,
env: 'HPKP_REPORT_URI'
},
includeSubDomains: {
default: true,
doc: 'Include Sub-Domains',
format: Boolean,
env: 'HPKP_INCLUDE_SUBDOMAINS'
},
maxAge: {
default: 1,
doc: 'Max age for HPKP headers (seconds)',
format: Number,
env: 'HPKP_MAX_AGE'
},
sha256s: {
default: [],
doc: 'Supported pin-sha256s',
format: Array,
env: 'HPKP_PIN_SHA256'
}
},
push: {
allowedServerRegex: {
doc: 'RegExp that validates the URI format of the Push Server',


@ -150,44 +150,6 @@ const conf = convict({
default: ''
}
},
hpkpConfig: {
enabled: {
default: false,
doc: 'Feature flag for appending HPKP headers',
format: Boolean,
env: 'HPKP_ENABLE'
},
reportOnly: {
default: true,
doc: 'Enable report only mode',
format: Boolean,
env: 'HPKP_REPORT_ONLY'
},
reportUri: {
default: '',
doc: 'Enable report only mode',
format: String,
env: 'HPKP_REPORT_URI'
},
includeSubDomains: {
default: true,
doc: 'Include Sub-Domains',
format: Boolean,
env: 'HPKP_INCLUDE_SUBDOMAINS'
},
maxAge: {
default: 1,
doc: 'Max age for HPKP headers (seconds)',
format: Number,
env: 'HPKP_MAX_AGE'
},
sha256s: {
default: [],
doc: 'Supported pin-sha256s',
format: Array,
env: 'HPKP_PIN_SHA256'
}
},
localRedirects: {
doc: 'When true, `localhost` and `127.0.0.1` always are legal redirects.',
default: false,


@ -29,27 +29,6 @@ exports.create = async function createServer() {
server.auth.scheme(authBearer.AUTH_SCHEME, authBearer.strategy);
server.auth.strategy(authBearer.AUTH_STRATEGY, authBearer.AUTH_SCHEME);
if (config.hpkpConfig && config.hpkpConfig.enabled) {
var hpkpOptions = {
maxAge: config.hpkpConfig.maxAge,
sha256s: config.hpkpConfig.sha256s,
includeSubdomains: config.hpkpConfig.includeSubDomains
};
if (config.hpkpConfig.reportUri){
hpkpOptions.reportUri = config.hpkpConfig.reportUri;
}
if (config.hpkpConfig.reportOnly){
hpkpOptions.reportOnly = config.hpkpConfig.reportOnly;
}
await server.register({
plugin: require('hapi-hpkp'),
options: hpkpOptions
});
}
var routes = require('../routing').routes;
if (isProd) {
logger.info('prod', 'Disabling response schema validation');


@ -24,27 +24,6 @@ exports.create = async function createServer() {
server.auth.scheme(auth.AUTH_SCHEME, auth.strategy);
server.auth.strategy(auth.AUTH_STRATEGY, auth.AUTH_SCHEME);
if (config.hpkpConfig && config.hpkpConfig.enabled) {
var hpkpOptions = {
maxAge: config.hpkpConfig.maxAge,
sha256s: config.hpkpConfig.sha256s,
includeSubdomains: config.hpkpConfig.includeSubDomains
};
if (config.hpkpConfig.reportUri){
hpkpOptions.reportUri = config.hpkpConfig.reportUri;
}
if (config.hpkpConfig.reportOnly){
hpkpOptions.reportOnly = config.hpkpConfig.reportOnly;
}
await server.register({
plugin: require('hapi-hpkp'),
options: hpkpOptions
});
}
var routes = require('../routing').clients;
if (isProd) {
logger.info('prod', 'Disabling response schema validation');

fxa-oauth-server/npm-shrinkwrap.json сгенерированный

@ -4067,31 +4067,6 @@
}
}
},
"hapi-hpkp": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/hapi-hpkp/-/hapi-hpkp-2.0.0.tgz",
"integrity": "sha512-Kko4pgRWp3Q5VAZySU7IOYv1RJ3s8BXtmYtV44BaWINWQgt5vsDuKiKIZBzO2X8hphCkGw0tdkZFu1yrhIUscg==",
"requires": {
"joi": "13.3.0"
},
"dependencies": {
"hoek": {
"version": "5.0.4",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.4.tgz",
"integrity": "sha512-Alr4ZQgoMlnere5FZJsIyfIjORBqZll5POhDsF4q64dPuJR6rNxXdDxtHSQq8OXRurhmx+PWYEE8bXRROY8h0w=="
},
"joi": {
"version": "13.3.0",
"resolved": "https://registry.npmjs.org/joi/-/joi-13.3.0.tgz",
"integrity": "sha512-iF6jEYVfBIoYXztYymia1JfuoVbxBNuOcwdbsdoGin9/jjhBLhonKmfTQOvePss8r8v4tU4JOcNmYPHZzKEFag==",
"requires": {
"hoek": "5.x.x",
"isemail": "3.x.x",
"topo": "3.x.x"
}
}
}
},
"har-schema": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz",


@ -32,7 +32,6 @@
"fxa-notifier-aws": "1.0.0",
"fxa-shared": "1.0.13",
"hapi": "17.6.0",
"hapi-hpkp": "2.0.0",
"joi": "14.0.0",
"keypair": "1.0.1",
"mozlog": "2.2.0",


@ -1,73 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
const assert = require('insist');
/*global describe,it,beforeEach*/
function clearRequireCache() {
// Delete require cache so that correct configuration values get injected when
// recreating server
delete require.cache[require.resolve('../lib/config')];
delete require.cache[require.resolve('../lib/server')];
}
describe('HPKP', function () {
// Since this test starts/stops servers to test different configs
// the timeout needs to be upped
this.timeout(5000);
var requestOptions = {
method: 'GET',
url: '/'
};
describe('enabled', function () {
beforeEach(function () {
process.env.HPKP_ENABLE = true;
process.env.HPKP_PIN_SHA256 = ['orlando=', 'magic='];
process.env.HPKP_MAX_AGE = 1;
clearRequireCache();
});
it('should set report header', function (done) {
process.env.HPKP_REPORT_ONLY = false;
require('../lib/server').create().then((Server) => {
return Server.inject(requestOptions);
}).then(function (res) {
assert.equal(res.statusCode, 200);
assert.equal(res.headers['public-key-pins'], 'pin-sha256="orlando="; pin-sha256="magic="; max-age=1; includeSubdomains');
done();
}).catch(done);
});
it('should set report-only header', function (done) {
process.env.HPKP_REPORT_ONLY = true;
require('../lib/server').create().then((Server) => {
return Server.inject(requestOptions);
}).then(function (res) {
assert.equal(res.statusCode, 200);
assert.equal(res.headers['public-key-pins-report-only'], 'pin-sha256="orlando="; pin-sha256="magic="; max-age=1; includeSubdomains');
done();
}).catch(done);
});
});
describe('disabled', function () {
it('should set no header', function (done) {
process.env.HPKP_ENABLE = false;
clearRequireCache();
require('../lib/server').create().then((Server) => {
return Server.inject(requestOptions);
}).then(function (res) {
assert.equal(res.statusCode, 200);
assert.equal(res.headers['public-key-pins'], undefined);
assert.equal(res.headers['public-key-pins-report-only'], undefined);
done();
}).catch(done);
});
});
});


@ -281,29 +281,6 @@ async function create (log, error, config, routes, db, translator) {
}
}
//register hpkp
if (config.hpkpConfig && config.hpkpConfig.enabled) {
var hpkpOptions = {
maxAge: config.hpkpConfig.maxAge,
sha256s: config.hpkpConfig.sha256s,
includeSubdomains: config.hpkpConfig.includeSubDomains
}
if (config.hpkpConfig.reportUri){
hpkpOptions.reportUri = config.hpkpConfig.reportUri
}
if (config.hpkpConfig.reportOnly){
hpkpOptions.reportOnly = config.hpkpConfig.reportOnly
}
await server.register({
plugin: require('hapi-hpkp'),
options: hpkpOptions
})
}
await server.register(require('hapi-auth-hawk'))
server.auth.strategy(

npm-shrinkwrap.json сгенерированный

@ -9251,26 +9251,6 @@
}
}
},
"hapi-hpkp": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/hapi-hpkp/-/hapi-hpkp-2.0.0.tgz",
"integrity": "sha512-Kko4pgRWp3Q5VAZySU7IOYv1RJ3s8BXtmYtV44BaWINWQgt5vsDuKiKIZBzO2X8hphCkGw0tdkZFu1yrhIUscg==",
"requires": {
"joi": "13.3.0"
},
"dependencies": {
"joi": {
"version": "13.3.0",
"resolved": "https://registry.npmjs.org/joi/-/joi-13.3.0.tgz",
"integrity": "sha512-iF6jEYVfBIoYXztYymia1JfuoVbxBNuOcwdbsdoGin9/jjhBLhonKmfTQOvePss8r8v4tU4JOcNmYPHZzKEFag==",
"requires": {
"hoek": "5.x.x",
"isemail": "3.x.x",
"topo": "3.x.x"
}
}
}
},
"har-schema": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz",


@ -57,7 +57,6 @@
"hapi-auth-hawk": "4.0.0",
"hapi-error": "1.8.0",
"hapi-fxa-oauth": "3.0.0",
"hapi-hpkp": "2.0.0",
"hkdf": "0.0.2",
"i18n-abide": "0.0.26",
"jed": "0.5.4",


@ -519,9 +519,6 @@ function getConfig () {
port: 9000
},
useHttps: false,
hpkpConfig: {
enabled: false
},
oauth: {
clientIds: {},
url: 'http://localhost:9010',


@ -1,124 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
'use strict'
const { assert } = require('chai')
const sinon = require('sinon')
const P = require('../../lib/promise')
const TestServer = require('../test_server')
const request = P.promisify(require('request'), { multiArgs: true })
const mockLog = {
info: sinon.spy()
}
describe('remote hpkp', function() {
this.timeout(30000)
it(
'Fails with no sha pins set',
() => {
var Server = require('../../lib/server')
var config = require('../../config').getProperties()
config.hpkpConfig.enabled = true
config.hpkpConfig.sha256s = []
return Server.create(mockLog,{},config,{})
.then(assert.fail, (err) => {
assert.equal(
err.message,
'ValidationError: child "sha256s" fails because ["sha256s" must contain at least 1 items]',
'assert server error if no sha passed')
})
}
)
it(
'Does not send HPKP header when disabled',
() => {
var config = require('../../config').getProperties()
config.hpkpConfig.enabled = false
var server
return TestServer.start(config)
.then(function main(serverObj) {
server = serverObj
})
.then(function () {
return request({
url: config.publicUrl + '/'
})
})
.spread(function (res) {
assert.equal(res.headers['public-key-pins-report-only'], undefined, 'HPKP header not set')
})
.then(function () {
return server.stop()
})
}
)
it(
'Sends HPKP header',
() => {
var config = require('../../config').getProperties()
var server
config.hpkpConfig.enabled = true
config.hpkpConfig.reportOnly = false
config.hpkpConfig.sha256s = ['sha1=', 'sha2=']
return TestServer.start(config)
.then(function main(serverObj) {
server = serverObj
})
.then(function () {
return request({
url: config.publicUrl + '/'
})
})
.spread(function (res) {
var headerValue = 'pin-sha256="sha1="; pin-sha256="sha2="; max-age=1; includeSubdomains'
assert.equal(res.headers['public-key-pins'], headerValue, 'HPKP header was set correctly')
})
.then(function () {
return server.stop()
})
}
)
it(
'Sends HPKP report header',
() => {
var config = require('../../config').getProperties()
var server
config.hpkpConfig.enabled = true
config.hpkpConfig.reportOnly = true
config.hpkpConfig.sha256s = ['sha1=', 'sha2=']
config.hpkpConfig.reportUri = 'http://example.com'
return TestServer.start(config)
.then(function main(serverObj) {
server = serverObj
})
.then(function () {
return request({
url: config.publicUrl + '/'
})
})
.spread(function (res) {
var headerValue = 'pin-sha256="sha1="; pin-sha256="sha2="; max-age=1; includeSubdomains; report-uri="http://example.com"'
assert.equal(res.headers['public-key-pins-report-only'], headerValue, 'HPKP report header was set correctly')
})
.then(function () {
return server.stop()
})
}
)
after(() => {
return TestServer.stop()
})
})