@@ -12,97 +12,97 @@ |
||
12 | 12 | */ |
13 | 13 | class InitialisationMiddleware implements HTTPMiddleware |
14 | 14 | { |
15 | - use Configurable; |
|
16 | - |
|
17 | - /** |
|
18 | - * Disable the automatically added 'X-XSS-Protection' header that is added to all responses. This should be left |
|
19 | - * alone in most circumstances to include the header. Refer to Mozilla Developer Network for more information: |
|
20 | - * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection |
|
21 | - * |
|
22 | - * @config |
|
23 | - * @var bool |
|
24 | - */ |
|
25 | - private static $xss_protection_disabled = false; |
|
26 | - |
|
27 | - /** |
|
28 | - * Enable egress proxy. This works on the principle of setting http(s)_proxy environment variables, |
|
29 | - * which will be automatically picked up by curl. This means RestfulService and raw curl |
|
30 | - * requests should work out of the box. Stream-based requests need extra manual configuration. |
|
31 | - * Refer to https://www.cwp.govt.nz/guides/core-technical-documentation/common-web-platform-core/en/how-tos/external_http_requests_with_proxy |
|
32 | - * |
|
33 | - * @config |
|
34 | - * @var bool |
|
35 | - */ |
|
36 | - private static $egress_proxy_default_enabled = true; |
|
37 | - |
|
38 | - /** |
|
39 | - * Configure the list of domains to bypass proxy by setting the NO_PROXY environment variable. |
|
40 | - * 'services.cwp.govt.nz' needs to be present for Solr and Docvert internal CWP integration. |
|
41 | - * 'localhost' is necessary for accessing services on the same instance such as tika-server for text extraction. |
|
42 | - * |
|
43 | - * @config |
|
44 | - * @var string[] |
|
45 | - */ |
|
46 | - private static $egress_proxy_exclude_domains = [ |
|
47 | - 'services.cwp.govt.nz', |
|
48 | - 'localhost', |
|
49 | - ]; |
|
50 | - |
|
51 | - public function process(HTTPRequest $request, callable $delegate) |
|
52 | - { |
|
53 | - $response = $delegate($request); |
|
54 | - |
|
55 | - if ($this->config()->get('egress_proxy_default_enabled')) { |
|
56 | - $this->configureEgressProxy(); |
|
57 | - } |
|
15 | + use Configurable; |
|
16 | + |
|
17 | + /** |
|
18 | + * Disable the automatically added 'X-XSS-Protection' header that is added to all responses. This should be left |
|
19 | + * alone in most circumstances to include the header. Refer to Mozilla Developer Network for more information: |
|
20 | + * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection |
|
21 | + * |
|
22 | + * @config |
|
23 | + * @var bool |
|
24 | + */ |
|
25 | + private static $xss_protection_disabled = false; |
|
26 | + |
|
27 | + /** |
|
28 | + * Enable egress proxy. This works on the principle of setting http(s)_proxy environment variables, |
|
29 | + * which will be automatically picked up by curl. This means RestfulService and raw curl |
|
30 | + * requests should work out of the box. Stream-based requests need extra manual configuration. |
|
31 | + * Refer to https://www.cwp.govt.nz/guides/core-technical-documentation/common-web-platform-core/en/how-tos/external_http_requests_with_proxy |
|
32 | + * |
|
33 | + * @config |
|
34 | + * @var bool |
|
35 | + */ |
|
36 | + private static $egress_proxy_default_enabled = true; |
|
37 | + |
|
38 | + /** |
|
39 | + * Configure the list of domains to bypass proxy by setting the NO_PROXY environment variable. |
|
40 | + * 'services.cwp.govt.nz' needs to be present for Solr and Docvert internal CWP integration. |
|
41 | + * 'localhost' is necessary for accessing services on the same instance such as tika-server for text extraction. |
|
42 | + * |
|
43 | + * @config |
|
44 | + * @var string[] |
|
45 | + */ |
|
46 | + private static $egress_proxy_exclude_domains = [ |
|
47 | + 'services.cwp.govt.nz', |
|
48 | + 'localhost', |
|
49 | + ]; |
|
50 | + |
|
51 | + public function process(HTTPRequest $request, callable $delegate) |
|
52 | + { |
|
53 | + $response = $delegate($request); |
|
54 | + |
|
55 | + if ($this->config()->get('egress_proxy_default_enabled')) { |
|
56 | + $this->configureEgressProxy(); |
|
57 | + } |
|
58 | 58 | |
59 | - $this->configureProxyDomainExclusions(); |
|
60 | - |
|
61 | - if (!$this->config()->get('xss_protection_disabled') && $response) { |
|
62 | - $response->addHeader('X-XSS-Protection', '1; mode=block'); |
|
63 | - } |
|
64 | - |
|
65 | - return $response; |
|
66 | - } |
|
67 | - |
|
68 | - /** |
|
69 | - * If the outbound egress proxy details have been defined in environment variables, configure the proxy |
|
70 | - * variables that are used to configure it. |
|
71 | - */ |
|
72 | - protected function configureEgressProxy() |
|
73 | - { |
|
74 | - if (!Environment::getEnv('SS_OUTBOUND_PROXY') |
|
75 | - || !Environment::getEnv('SS_OUTBOUND_PROXY_PORT') |
|
76 | - ) { |
|
77 | - return; |
|
78 | - } |
|
79 | - |
|
80 | - $proxy = Environment::getEnv('SS_OUTBOUND_PROXY'); |
|
81 | - $proxyPort = Environment::getEnv('SS_OUTBOUND_PROXY_PORT'); |
|
82 | - |
|
83 | - Environment::setEnv('http_proxy', $proxy . ':' . $proxyPort); |
|
84 | - Environment::setEnv('https_proxy', $proxy . ':' . $proxyPort); |
|
85 | - } |
|
86 | - |
|
87 | - /** |
|
88 | - * Configure any domains that should be excluded from egress proxy rules and provide them to the environment |
|
89 | - */ |
|
90 | - protected function configureProxyDomainExclusions() |
|
91 | - { |
|
92 | - $noProxy = $this->config()->get('egress_proxy_exclude_domains'); |
|
93 | - if (empty($noProxy)) { |
|
94 | - return; |
|
95 | - } |
|
96 | - |
|
97 | - if (!is_array($noProxy)) { |
|
98 | - $noProxy = [$noProxy]; |
|
99 | - } |
|
100 | - |
|
101 | - // Merge with exsiting if needed. |
|
102 | - if (Environment::getEnv('NO_PROXY')) { |
|
103 | - $noProxy = array_merge(explode(',', Environment::getEnv('NO_PROXY')), $noProxy); |
|
104 | - } |
|
105 | - |
|
106 | - Environment::setEnv('NO_PROXY', implode(',', array_unique($noProxy))); |
|
107 | - } |
|
59 | + $this->configureProxyDomainExclusions(); |
|
60 | + |
|
61 | + if (!$this->config()->get('xss_protection_disabled') && $response) { |
|
62 | + $response->addHeader('X-XSS-Protection', '1; mode=block'); |
|
63 | + } |
|
64 | + |
|
65 | + return $response; |
|
66 | + } |
|
67 | + |
|
68 | + /** |
|
69 | + * If the outbound egress proxy details have been defined in environment variables, configure the proxy |
|
70 | + * variables that are used to configure it. |
|
71 | + */ |
|
72 | + protected function configureEgressProxy() |
|
73 | + { |
|
74 | + if (!Environment::getEnv('SS_OUTBOUND_PROXY') |
|
75 | + || !Environment::getEnv('SS_OUTBOUND_PROXY_PORT') |
|
76 | + ) { |
|
77 | + return; |
|
78 | + } |
|
79 | + |
|
80 | + $proxy = Environment::getEnv('SS_OUTBOUND_PROXY'); |
|
81 | + $proxyPort = Environment::getEnv('SS_OUTBOUND_PROXY_PORT'); |
|
82 | + |
|
83 | + Environment::setEnv('http_proxy', $proxy . ':' . $proxyPort); |
|
84 | + Environment::setEnv('https_proxy', $proxy . ':' . $proxyPort); |
|
85 | + } |
|
86 | + |
|
87 | + /** |
|
88 | + * Configure any domains that should be excluded from egress proxy rules and provide them to the environment |
|
89 | + */ |
|
90 | + protected function configureProxyDomainExclusions() |
|
91 | + { |
|
92 | + $noProxy = $this->config()->get('egress_proxy_exclude_domains'); |
|
93 | + if (empty($noProxy)) { |
|
94 | + return; |
|
95 | + } |
|
96 | + |
|
97 | + if (!is_array($noProxy)) { |
|
98 | + $noProxy = [$noProxy]; |
|
99 | + } |
|
100 | + |
|
101 | + // Merge with exsiting if needed. |
|
102 | + if (Environment::getEnv('NO_PROXY')) { |
|
103 | + $noProxy = array_merge(explode(',', Environment::getEnv('NO_PROXY')), $noProxy); |
|
104 | + } |
|
105 | + |
|
106 | + Environment::setEnv('NO_PROXY', implode(',', array_unique($noProxy))); |
|
107 | + } |
|
108 | 108 | } |
@@ -10,105 +10,105 @@ |
||
10 | 10 | |
11 | 11 | class InitialisationMiddlewareTest extends FunctionalTest |
12 | 12 | { |
13 | - /** |
|
14 | - * @var HTTPRequest |
|
15 | - */ |
|
16 | - protected $request; |
|
17 | - |
|
18 | - /** |
|
19 | - * @var InitialisationMiddleware |
|
20 | - */ |
|
21 | - protected $middleware; |
|
22 | - |
|
23 | - protected function setUp() |
|
24 | - { |
|
25 | - parent::setUp(); |
|
26 | - |
|
27 | - $this->request = new HTTPRequest('GET', '/'); |
|
28 | - $this->middleware = new InitialisationMiddleware(); |
|
29 | - |
|
30 | - Environment::setEnv('SS_OUTBOUND_PROXY', ''); |
|
31 | - Environment::setEnv('SS_OUTBOUND_PROXY_PORT', ''); |
|
32 | - Environment::setEnv('NO_PROXY', ''); |
|
33 | - } |
|
34 | - |
|
35 | - public function testDoNotConfigureProxyIfNoEnvironmentVarsAreSet() |
|
36 | - { |
|
37 | - $this->runMiddleware(); |
|
38 | - |
|
39 | - $this->assertEmpty( |
|
40 | - Environment::getEnv('http_proxy'), |
|
41 | - 'Proxy information is not set if no outbound proxy is configured' |
|
42 | - ); |
|
43 | - } |
|
44 | - |
|
45 | - public function testConfigureEgressProxyWhenVarsAreSet() |
|
46 | - { |
|
47 | - Environment::setEnv('SS_OUTBOUND_PROXY', 'http://example.com'); |
|
48 | - Environment::setEnv('SS_OUTBOUND_PROXY_PORT', '8024'); |
|
49 | - |
|
50 | - $this->runMiddleware(); |
|
51 | - |
|
52 | - $this->assertEquals( |
|
53 | - 'http://example.com:8024', |
|
54 | - Environment::getEnv('http_proxy'), |
|
55 | - 'Proxy is configured with proxy and port' |
|
56 | - ); |
|
57 | - } |
|
58 | - |
|
59 | - public function testDoNotConfigureProxyDomainExclusionsWhenNoneAreDefined() |
|
60 | - { |
|
61 | - Config::modify()->remove(InitialisationMiddleware::class, 'egress_proxy_exclude_domains'); |
|
62 | - |
|
63 | - $this->runMiddleware(); |
|
64 | - |
|
65 | - $this->assertSame( |
|
66 | - '', |
|
67 | - Environment::getEnv('NO_PROXY'), |
|
68 | - 'No domain exclusions are set when none are defined' |
|
69 | - ); |
|
70 | - } |
|
71 | - |
|
72 | - public function testConfigureEgressProxyDomainExclusions() |
|
73 | - { |
|
74 | - Config::modify()->set( |
|
75 | - InitialisationMiddleware::class, |
|
76 | - 'egress_proxy_exclude_domains', |
|
77 | - 'example.com' |
|
78 | - ); |
|
79 | - |
|
80 | - Environment::setEnv('NO_PROXY', 'foo.com,bar.com'); |
|
81 | - |
|
82 | - $this->runMiddleware(); |
|
83 | - |
|
84 | - $this->assertSame( |
|
85 | - 'foo.com,bar.com,example.com', |
|
86 | - Environment::getEnv('NO_PROXY'), |
|
87 | - 'Domain exclusions are combined with existing values and configuration settings' |
|
88 | - ); |
|
89 | - } |
|
90 | - |
|
91 | - public function testSecurityHeadersAddedByDefault() |
|
92 | - { |
|
93 | - $response = $this->get('test'); |
|
94 | - $this->assertArrayHasKey('x-xss-protection', $response->getHeaders()); |
|
95 | - $this->assertSame('1; mode=block', $response->getHeader('x-xss-protection')); |
|
96 | - } |
|
97 | - |
|
98 | - public function testXSSProtectionHeaderNotAdded() |
|
99 | - { |
|
100 | - Config::modify()->set(InitialisationMiddleware::class, 'xss_protection_disabled', true); |
|
101 | - $response = $this->get('test'); |
|
102 | - $this->assertArrayNotHasKey('x-xss-protection', $response->getHeaders()); |
|
103 | - } |
|
104 | - |
|
105 | - /** |
|
106 | - * Runs the middleware with a stubbed delegate |
|
107 | - */ |
|
108 | - protected function runMiddleware() |
|
109 | - { |
|
110 | - $this->middleware->process($this->request, function () { |
|
111 | - // no op |
|
112 | - }); |
|
113 | - } |
|
13 | + /** |
|
14 | + * @var HTTPRequest |
|
15 | + */ |
|
16 | + protected $request; |
|
17 | + |
|
18 | + /** |
|
19 | + * @var InitialisationMiddleware |
|
20 | + */ |
|
21 | + protected $middleware; |
|
22 | + |
|
23 | + protected function setUp() |
|
24 | + { |
|
25 | + parent::setUp(); |
|
26 | + |
|
27 | + $this->request = new HTTPRequest('GET', '/'); |
|
28 | + $this->middleware = new InitialisationMiddleware(); |
|
29 | + |
|
30 | + Environment::setEnv('SS_OUTBOUND_PROXY', ''); |
|
31 | + Environment::setEnv('SS_OUTBOUND_PROXY_PORT', ''); |
|
32 | + Environment::setEnv('NO_PROXY', ''); |
|
33 | + } |
|
34 | + |
|
35 | + public function testDoNotConfigureProxyIfNoEnvironmentVarsAreSet() |
|
36 | + { |
|
37 | + $this->runMiddleware(); |
|
38 | + |
|
39 | + $this->assertEmpty( |
|
40 | + Environment::getEnv('http_proxy'), |
|
41 | + 'Proxy information is not set if no outbound proxy is configured' |
|
42 | + ); |
|
43 | + } |
|
44 | + |
|
45 | + public function testConfigureEgressProxyWhenVarsAreSet() |
|
46 | + { |
|
47 | + Environment::setEnv('SS_OUTBOUND_PROXY', 'http://example.com'); |
|
48 | + Environment::setEnv('SS_OUTBOUND_PROXY_PORT', '8024'); |
|
49 | + |
|
50 | + $this->runMiddleware(); |
|
51 | + |
|
52 | + $this->assertEquals( |
|
53 | + 'http://example.com:8024', |
|
54 | + Environment::getEnv('http_proxy'), |
|
55 | + 'Proxy is configured with proxy and port' |
|
56 | + ); |
|
57 | + } |
|
58 | + |
|
59 | + public function testDoNotConfigureProxyDomainExclusionsWhenNoneAreDefined() |
|
60 | + { |
|
61 | + Config::modify()->remove(InitialisationMiddleware::class, 'egress_proxy_exclude_domains'); |
|
62 | + |
|
63 | + $this->runMiddleware(); |
|
64 | + |
|
65 | + $this->assertSame( |
|
66 | + '', |
|
67 | + Environment::getEnv('NO_PROXY'), |
|
68 | + 'No domain exclusions are set when none are defined' |
|
69 | + ); |
|
70 | + } |
|
71 | + |
|
72 | + public function testConfigureEgressProxyDomainExclusions() |
|
73 | + { |
|
74 | + Config::modify()->set( |
|
75 | + InitialisationMiddleware::class, |
|
76 | + 'egress_proxy_exclude_domains', |
|
77 | + 'example.com' |
|
78 | + ); |
|
79 | + |
|
80 | + Environment::setEnv('NO_PROXY', 'foo.com,bar.com'); |
|
81 | + |
|
82 | + $this->runMiddleware(); |
|
83 | + |
|
84 | + $this->assertSame( |
|
85 | + 'foo.com,bar.com,example.com', |
|
86 | + Environment::getEnv('NO_PROXY'), |
|
87 | + 'Domain exclusions are combined with existing values and configuration settings' |
|
88 | + ); |
|
89 | + } |
|
90 | + |
|
91 | + public function testSecurityHeadersAddedByDefault() |
|
92 | + { |
|
93 | + $response = $this->get('test'); |
|
94 | + $this->assertArrayHasKey('x-xss-protection', $response->getHeaders()); |
|
95 | + $this->assertSame('1; mode=block', $response->getHeader('x-xss-protection')); |
|
96 | + } |
|
97 | + |
|
98 | + public function testXSSProtectionHeaderNotAdded() |
|
99 | + { |
|
100 | + Config::modify()->set(InitialisationMiddleware::class, 'xss_protection_disabled', true); |
|
101 | + $response = $this->get('test'); |
|
102 | + $this->assertArrayNotHasKey('x-xss-protection', $response->getHeaders()); |
|
103 | + } |
|
104 | + |
|
105 | + /** |
|
106 | + * Runs the middleware with a stubbed delegate |
|
107 | + */ |
|
108 | + protected function runMiddleware() |
|
109 | + { |
|
110 | + $this->middleware->process($this->request, function () { |
|
111 | + // no op |
|
112 | + }); |
|
113 | + } |
|
114 | 114 | } |