feat(hpkp): Add hpkp headers to all requests (#207) r=vladikoff

2016-11-18 13:51:42 -05:00 · 2016-11-18 13:51:42 -05:00 · 9bbdf88178
--- a/lib/config.js
+++ b/lib/config.js
@ -220,6 +220,44 @@ const conf = convict({
      default: 'http://127.0.0.1:1113',
      env: 'WORKER_URL'
    }
+  },
+  hpkpConfig: {
+    enabled: {
+      default: false,
+      doc: 'Feature flag for appending HPKP headers',
+      format: Boolean,
+      env: 'HPKP_ENABLE'
+    },
+    reportOnly: {
+      default: true,
+      doc: 'Enable report only mode',
+      format: Boolean,
+      env: 'HPKP_REPORT_ONLY'
+    },
+    reportUri: {
+      default: '',
+      doc: 'Enable report only mode',
+      format: String,
+      env: 'HPKP_REPORT_URI'
+    },
+    includeSubDomains: {
+      default: true,
+      doc: 'Include Sub-Domains',
+      format: Boolean,
+      env: 'HPKP_INCLUDE_SUBDOMAINS'
+    },
+    maxAge: {
+      default: 1,
+      doc: 'Max age for HPKP headers (seconds)',
+      format: Number,
+      env: 'HPKP_MAX_AGE'
+    },
+    sha256s: {
+      default: [],
+      doc: 'Supported pin-sha256s',
+      format: Array,
+      env: 'HPKP_PIN_SHA256'
+    }
  }
 });

--- a/lib/server/web.js
+++ b/lib/server/web.js
@ -64,6 +64,31 @@ exports.create = function createServer() {
    port: config.server.port
  });

+  if (config.hpkpConfig && config.hpkpConfig.enabled) {
+    var hpkpOptions = {
+      maxAge: config.hpkpConfig.maxAge,
+      sha256s: config.hpkpConfig.sha256s,
+      includeSubdomains: config.hpkpConfig.includeSubDomains
+    };
+
+    if (config.hpkpConfig.reportUri){
+      hpkpOptions.reportUri = config.hpkpConfig.reportUri;
+    }
+
+    if (config.hpkpConfig.reportOnly){
+      hpkpOptions.reportOnly = config.hpkpConfig.reportOnly;
+    }
+
+    server.register({
+      register: require('hapi-hpkp'),
+      options: hpkpOptions
+    }, function (err) {
+      if (err) {
+        throw err;
+      }
+    });
+  }
+
  server.auth.scheme('oauth', function() {
    return {
      authenticate: function(req, reply) {
@ -164,6 +189,7 @@ exports.create = function createServer() {
      response = AppError.translate(response);
    }
    summary(request, response);
+
    next(response);
  });

--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
--- a/package.json
+++ b/package.json
@ -20,6 +20,7 @@
    "fxa-notifier-aws": "1.0.0",
    "gm": "1.22.0",
    "hapi": "14.2.0",
+    "hapi-hpkp": "1.0.0",
    "inert": "4.0.2",
    "joi": "9.0.4",
    "mozlog": "2.0.5",
--- a/test/hpkp.js
+++ b/test/hpkp.js
@ -0,0 +1,72 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const assert = require('insist');
+
+/*global describe,it,beforeEach*/
+
+function clearRequireCache() {
+  // Delete require cache so that correct configuration values get injected when
+  // recreating server
+  Object.keys(require.cache).forEach(function (key) {
+    delete require.cache[key];
+  });
+}
+
+describe('HPKP', function () {
+  // Since this test starts/stops servers to test different configs
+  // the timeout needs to be upped
+  this.timeout(5000);
+
+  var Server;
+  var requestOptions = {
+    method: 'GET',
+    url: '/'
+  };
+
+  describe('enabled', function () {
+    beforeEach(function () {
+      process.env.HPKP_ENABLE = true;
+      process.env.HPKP_PIN_SHA256 = ['orlando=', 'magic='];
+      process.env.HPKP_MAX_AGE = 1;
+
+      clearRequireCache();
+    });
+
+    it('should set report header', function (done) {
+      process.env.HPKP_REPORT_ONLY = false;
+      Server = require('../lib/server').create();
+      Server.inject(requestOptions).then(function (res) {
+        assert.equal(res.statusCode, 200);
+        assert.equal(res.headers['public-key-pins'], 'pin-sha256="orlando="; pin-sha256="magic="; max-age=1; includeSubdomains');
+        done();
+      }).catch(done);
+    });
+
+    it('should set report-only header', function (done) {
+      process.env.HPKP_REPORT_ONLY = true;
+      Server = require('../lib/server').create();
+      Server.inject(requestOptions).then(function (res) {
+        assert.equal(res.statusCode, 200);
+        assert.equal(res.headers['public-key-pins-report-only'], 'pin-sha256="orlando="; pin-sha256="magic="; max-age=1; includeSubdomains');
+        done();
+      }).catch(done);
+    });
+  });
+
+  describe('disabled', function () {
+    it('should set no header', function (done) {
+      process.env.HPKP_ENABLE = false;
+
+      clearRequireCache();
+      Server = require('../lib/server').create();
+      Server.inject(requestOptions).then(function (res) {
+        assert.equal(res.statusCode, 200);
+        assert.equal(res.headers['public-key-pins'], undefined);
+        assert.equal(res.headers['public-key-pins-report-only'], undefined);
+        done();
+      }).catch(done);
+    });
+  });
+});