Add test for presence of X-Forwarded-For and X-Forwarded-Proto HTTP headers (#299)

vojtad · web-flow · commit eca39797c4f5 · 2022-02-03T17:34:05.000-05:00
* add test for presence of X-Forwarded-For and X-Forwarded-Proto HTTP headers

Presence and content of `X-Forwarded-For` and `X-Forwarded-Proto` is checked in requests made to the origin server.

* add test for X-Forwarded-Proto for HTTP requests

* set X-Forwarded-Proto for requests forwarded to the origin server

* use insecure HTTP client for performing test requests

Generated cert is not trusted by the test runner.

* add comment for parseDumpedHTTPHeadersFromBody

* accept ::1 as valid X-Forwarded-For value in tests
diff --git a/cmd/puma-dev/main_test.go b/cmd/puma-dev/main_test.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"crypto/sha1"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -144,7 +145,14 @@ func getURLWithHost(t *testing.T, url string, host string) string {
 	req, _ := http.NewRequest("GET", url, nil)
 	req.Host = host
 
-	resp, err := http.DefaultClient.Do(req)
+	// we don't care about checking certs in tests
+	// the generated cert will not be trusted by the test runner
+	insecureTransport := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	insecureClient := &http.Client{Transport: insecureTransport}
+
+	resp, err := insecureClient.Do(req)
 
 	if err != nil {
 		assert.FailNow(t, err.Error())
@@ -157,6 +165,20 @@ func getURLWithHost(t *testing.T, url string, host string) string {
 	return strings.TrimSpace(string(bodyBytes))
 }
 
+// function to parse dumped request headers sent by puma-dev to the origin server
+// for details see etc/rack-request-headers-dump/config.ru
+func parseDumpedHTTPHeadersFromBody(body string) map[string]string {
+	dumpedHeadersLines := strings.Split(body, "\n")
+
+	dumpedHeaders := make(map[string]string)
+	for _, pairString := range dumpedHeadersLines {
+		pair := strings.SplitN(pairString, " ", 2)
+		dumpedHeaders[pair[0]] = pair[1]
+	}
+
+	return dumpedHeaders
+}
+
 func pollForEvent(t *testing.T, app string, event string, reason string) error {
 	return retry.Do(
 		func() error {
@@ -293,4 +315,24 @@ func runPlatformAgnosticTestScenarios(t *testing.T) {
 
 		assert.Equal(t, "rack wuz here", getURLWithHost(t, reqURL, statusHost))
 	})
+
+	t.Run("request-headers-dump contains X-Forwarded-* headers with http", func(t *testing.T) {
+		reqURL := fmt.Sprintf("http://localhost:%d/", *fHTTPPort)
+		statusHost := "request-headers-dump"
+
+		dumpedHeaders := parseDumpedHTTPHeadersFromBody(getURLWithHost(t, reqURL, statusHost))
+
+		assert.Regexp(t, `127\.0\.0\.1|::1`, dumpedHeaders["HTTP_X_FORWARDED_FOR"])
+		assert.Equal(t, "http", dumpedHeaders["HTTP_X_FORWARDED_PROTO"])
+	})
+
+	t.Run("request-headers-dump contains X-Forwarded-* headers with https", func(t *testing.T) {
+		reqURL := fmt.Sprintf("https://localhost:%d/", *fTLSPort)
+		statusHost := "request-headers-dump"
+
+		dumpedHeaders := parseDumpedHTTPHeadersFromBody(getURLWithHost(t, reqURL, statusHost))
+
+		assert.Regexp(t, `^127\.0\.0\.1|::1`, dumpedHeaders["HTTP_X_FORWARDED_FOR"])
+		assert.Equal(t, "https", dumpedHeaders["HTTP_X_FORWARDED_PROTO"])
+	})
 }
diff --git a/dev/devtest/testutils.go b/dev/devtest/testutils.go
@@ -220,8 +220,9 @@ func LinkTestApps(t *testing.T, workingDirPath string, testAppsToLink map[string
 
 func LinkAllTestApps(t *testing.T, workingDirPath string) func() {
 	testAppsToLink := map[string]string{
-		"hipuma":      "rack-hi-puma",
-		"static-site": "static-hi-puma",
+		"hipuma":               "rack-hi-puma",
+		"static-site":          "static-hi-puma",
+		"request-headers-dump": "rack-request-headers-dump",
 	}
 
 	return LinkTestApps(t, workingDirPath, testAppsToLink)
diff --git a/dev/http.go b/dev/http.go
@@ -144,6 +144,12 @@ func (h *HTTPServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		}
 	}
 
+	if req.TLS == nil {
+		req.Header.Set("X-Forwarded-Proto", "http")
+	} else {
+		req.Header.Set("X-Forwarded-Proto", "https")
+	}
+
 	req.URL.Scheme, req.URL.Host = app.Scheme, app.Address()
 	h.proxy.ServeHTTP(w, req)
 }
diff --git a/etc/rack-request-headers-dump/config.ru b/etc/rack-request-headers-dump/config.ru
@@ -0,0 +1,11 @@
+class Application
+  def call(env)
+    status  = 200
+    headers = { "Content-Type" => "application/json" }
+    body    = [ env.select { |k, v| k.start_with?('HTTP_') }.map { |(k, v)| [k, v].join(' ') }.join("\n") ]
+
+    [status, headers, body]
+  end
+end
+
+run Application.new
diff --git a/etc/rack-request-headers-dump/tmp/restart.txt b/etc/rack-request-headers-dump/tmp/restart.txt

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,12 @@ func (h HTTPServer) ServeHTTP(w http.ResponseWriter, req http.Request) {`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`
	`147`	`+ if req.TLS == nil {`
	`148`	`+ req.Header.Set("X-Forwarded-Proto", "http")`
	`149`	`+ } else {`
	`150`	`+ req.Header.Set("X-Forwarded-Proto", "https")`
	`151`	`+ }`
	`152`	`+`
`147`	`153`	`req.URL.Scheme, req.URL.Host = app.Scheme, app.Address()`
`148`	`154`	`h.proxy.ServeHTTP(w, req)`
`149`	`155`	`}`