feat: Migrate HSTS check to Security headers SetupCheck

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

2 files changed, 0 insertions, 262 deletions

diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index d11f05858c4..0c0e673eae7 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -156,73 +156,5 @@
 				})
 			}
 		},
-
-		/**
-		 * Runs generic checks on the server side, the difference to dedicated
-		 * methods is that we use the same XHR object for all checks to save
-		 * requests.
-		 *
-		 * @return $.Deferred object resolved with an array of error messages
-		 */
-		checkGeneric: function() {
-			var self = this;
-			var deferred = $.Deferred();
-			var afterCall = function(data, statusText, xhr) {
-				var messages = [];
-				messages = messages.concat(self._checkSSL(xhr));
-				deferred.resolve(messages);
-			};
-
-			$.ajax({
-				type: 'GET',
-				url: OC.generateUrl('heartbeat'),
-				allowAuthErrors: true
-			}).then(afterCall, afterCall);
-
-			return deferred.promise();
-		},
-
-		/**
-		 * Runs check for some SSL configuration issues on the server side
-		 *
-		 * @param {Object} xhr
-		 * @return {Array} Array with error messages
-		 */
-		_checkSSL: function(xhr) {
-			var messages = [];
-
-			if (xhr.status === 200) {
-				var tipsUrl = OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-security');
-				if(OC.getProtocol() === 'https') {
-					// Extract the value of 'Strict-Transport-Security'
-					var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
-					if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
-						var firstComma = transportSecurityValidity.indexOf(";");
-						if(firstComma !== -1) {
-							transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
-						} else {
-							transportSecurityValidity = transportSecurityValidity.substring(8);
-						}
-					}
-
-					var minimumSeconds = 15552000;
-					if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
-						messages.push({
-							msg: t('core', 'The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. For enhanced security, it is recommended to enable HSTS as described in the {linkstart}security tips ↗{linkend}.', {'seconds': minimumSeconds})
-								.replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + tipsUrl + '">')
-								.replace('{linkend}', '</a>'),
-							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
-						});
-					}
-				}
-			} else {
-				messages.push({
-					msg: t('core', 'Error occurred while checking server setup'),
-					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
-				});
-			}
-
-			return messages;
-		}
 	};
 })();
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index b027bfd21bd..99f72754ace 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -320,198 +320,4 @@ describe('OC.SetupChecks tests', function() {
 			});
 		});
 	});
-
-	describe('checkGeneric', function() {
-		it('should return an error if the response has no statuscode 200', function(done) {
-			var async = OC.SetupChecks.checkGeneric();
-
-			suite.server.requests[0].respond(
-				500,
-				{
-					'Content-Type': 'application/json'
-				}
-			);
-
-			async.done(function( data, s, x ){
-				expect(data).toEqual([{
-					msg: 'Error occurred while checking server setup',
-					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
-				}]);
-				done();
-			});
-		});
-	});
-
-	it('should return an error if the response has no statuscode 200', function(done) {
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(
-			500,
-			{
-				'Content-Type': 'application/json'
-			},
-			JSON.stringify({data: {serverHasInternetConnectionProblems: true}})
-		);
-		async.done(function( data, s, x ){
-			expect(data).toEqual([{
-				msg: 'Error occurred while checking server setup',
-				type: OC.SetupChecks.MESSAGE_TYPE_ERROR
-			}]);
-			done();
-		});
-	});
-
-	it('should return a SSL warning if SSL used without Strict-Transport-Security-Header', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200,
-			{
-				'X-XSS-Protection': '1; mode=block',
-				'X-Content-Type-Options': 'nosniff',
-				'X-Robots-Tag': 'noindex, nofollow',
-				'X-Frame-Options': 'SAMEORIGIN',
-				'X-Permitted-Cross-Domain-Policies': 'none',
-				'Referrer-Policy': 'no-referrer',
-			}
-		);
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([{
-				msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
-				type: OC.SetupChecks.MESSAGE_TYPE_WARNING
-			}]);
-			done();
-		});
-	});
-
-	it('should return a SSL warning if SSL used with to small Strict-Transport-Security-Header', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200,
-			{
-				'Strict-Transport-Security': 'max-age=15551999',
-				'X-XSS-Protection': '1; mode=block',
-				'X-Content-Type-Options': 'nosniff',
-				'X-Robots-Tag': 'noindex, nofollow',
-				'X-Frame-Options': 'SAMEORIGIN',
-				'X-Permitted-Cross-Domain-Policies': 'none',
-				'Referrer-Policy': 'no-referrer',
-			}
-		);
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([{
-				msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
-				type: OC.SetupChecks.MESSAGE_TYPE_WARNING
-			}]);
-			done();
-		});
-	});
-
-	it('should return a SSL warning if SSL used with to a bogus Strict-Transport-Security-Header', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200,
-			{
-				'Strict-Transport-Security': 'iAmABogusHeader342',
-				'X-XSS-Protection': '1; mode=block',
-				'X-Content-Type-Options': 'nosniff',
-				'X-Robots-Tag': 'noindex, nofollow',
-				'X-Frame-Options': 'SAMEORIGIN',
-				'X-Permitted-Cross-Domain-Policies': 'none',
-				'Referrer-Policy': 'no-referrer',
-			}
-		);
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([{
-				msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
-				type: OC.SetupChecks.MESSAGE_TYPE_WARNING
-			}]);
-			done();
-		});
-	});
-
-	it('should return no SSL warning if SSL used with to exact the minimum Strict-Transport-Security-Header', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200, {
-			'Strict-Transport-Security': 'max-age=15768000',
-			'X-XSS-Protection': '1; mode=block',
-			'X-Content-Type-Options': 'nosniff',
-			'X-Robots-Tag': 'noindex, nofollow',
-			'X-Frame-Options': 'SAMEORIGIN',
-			'X-Permitted-Cross-Domain-Policies': 'none',
-			'Referrer-Policy': 'no-referrer',
-		});
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([]);
-			done();
-		});
-	});
-
-	it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200, {
-			'Strict-Transport-Security': 'max-age=99999999',
-			'X-XSS-Protection': '1; mode=block',
-			'X-Content-Type-Options': 'nosniff',
-			'X-Robots-Tag': 'noindex, nofollow',
-			'X-Frame-Options': 'SAMEORIGIN',
-			'X-Permitted-Cross-Domain-Policies': 'none',
-			'Referrer-Policy': 'no-referrer',
-		});
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([]);
-			done();
-		});
-	});
-
-	it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains parameter', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200, {
-			'Strict-Transport-Security': 'max-age=99999999; includeSubDomains',
-			'X-XSS-Protection': '1; mode=block',
-			'X-Content-Type-Options': 'nosniff',
-			'X-Robots-Tag': 'noindex, nofollow',
-			'X-Frame-Options': 'SAMEORIGIN',
-			'X-Permitted-Cross-Domain-Policies': 'none',
-			'Referrer-Policy': 'no-referrer',
-		});
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([]);
-			done();
-		});
-	});
-
-	it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains and preload parameter', function(done) {
-		protocolStub.returns('https');
-		var async = OC.SetupChecks.checkGeneric();
-
-		suite.server.requests[0].respond(200, {
-			'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains',
-			'X-XSS-Protection': '1; mode=block',
-			'X-Content-Type-Options': 'nosniff',
-			'X-Robots-Tag': 'noindex, nofollow',
-			'X-Frame-Options': 'SAMEORIGIN',
-			'X-Permitted-Cross-Domain-Policies': 'none',
-			'Referrer-Policy': 'no-referrer',
-		});
-
-		async.done(function( data, s, x ){
-			expect(data).toEqual([]);
-			done();
-		});
-	});
 });