authorTeryk Bellahsene <teryk.bellahsene@sonarsource.com>2016-05-19 16:23:56 +0200
committerTeryk Bellahsene <teryk.bellahsene@sonarsource.com>2016-05-20 09:04:56 +0200
commited30dd2e73019a30db58f5be7fe027cd9aea9969 (patch)
tree69d3555a7a6296761ee562ca7cae1240b00a2f15 /it
parentf4dce455f68336247653f0a19b346dde105bce37 (diff)
SONAR-6964 Do not display administration sensitive data when opening browser history
Diffstat (limited to 'it')
-rw-r--r--it/it-tests/src/test/java/it/Category4Suite.java3
-rw-r--r--it/it-tests/src/test/java/it/http/HttpHeadersTest.java104
2 files changed, 107 insertions, 0 deletions
diff --git a/it/it-tests/src/test/java/it/Category4Suite.java b/it/it-tests/src/test/java/it/Category4Suite.java
index ea5ecc1175e..a12a4f39779 100644
--- a/it/it-tests/src/test/java/it/Category4Suite.java
+++ b/it/it-tests/src/test/java/it/Category4Suite.java
@@ -30,6 +30,7 @@ import it.dbCleaner.PurgeTest;
import it.duplication.CrossProjectDuplicationsOnRemoveFileTest;
import it.duplication.CrossProjectDuplicationsTest;
import it.duplication.DuplicationsTest;
+import it.http.HttpHeadersTest;
import it.projectComparison.ProjectComparisonTest;
import it.projectEvent.EventTest;
import it.serverSystem.ServerSystemTest;
@@ -82,6 +83,8 @@ import static util.ItUtils.xooPlugin;
ProjectComparisonTest.class,
// component search
AllProjectsTest.class,
+ // http
+ HttpHeadersTest.class,
// ui
UiTest.class,
// ui extensions
diff --git a/it/it-tests/src/test/java/it/http/HttpHeadersTest.java b/it/it-tests/src/test/java/it/http/HttpHeadersTest.java
new file mode 100644
index 00000000000..c03ab8536cf
--- /dev/null
+++ b/it/it-tests/src/test/java/it/http/HttpHeadersTest.java
@@ -0,0 +1,104 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2016 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+package it.http;
+
+import com.google.common.base.Throwables;
+import com.sonar.orchestrator.Orchestrator;
+import com.squareup.okhttp.CacheControl;
+import com.squareup.okhttp.OkHttpClient;
+import com.squareup.okhttp.Request;
+import com.squareup.okhttp.Response;
+import it.Category4Suite;
+import java.io.IOException;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import util.QaOnly;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@Category(QaOnly.class)
+public class HttpHeadersTest {
+
+ @ClassRule
+ public static final Orchestrator orchestrator = Category4Suite.ORCHESTRATOR;
+
+ /**
+ * SONAR-6964
+ */
+ @Test
+ public void no_browser_cache_for_pages() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/");
+
+ assertNoCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void no_browser_cache_for_ws() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/api/issues/search");
+
+ assertNoCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void no_browser_cache_in_ruby_ws() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/api/resources/index");
+
+ assertNoCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void browser_cache_on_images() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/images/logo.svg");
+
+ assertCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void browser_cache_on_css() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/css/sonar.css");
+
+ assertCacheInBrowser(httpResponse);
+ }
+
+ private static void assertCacheInBrowser(Response httpResponse) {
+ CacheControl cacheControl = httpResponse.cacheControl();
+ assertThat(cacheControl.mustRevalidate()).isFalse();
+ assertThat(cacheControl.noCache()).isFalse();
+ assertThat(cacheControl.noStore()).isFalse();
+ }
+
+ private static void assertNoCacheInBrowser(Response httpResponse) {
+ CacheControl cacheControl = httpResponse.cacheControl();
+ assertThat(cacheControl.mustRevalidate()).isTrue();
+ assertThat(cacheControl.noCache()).isTrue();
+ assertThat(cacheControl.noStore()).isTrue();
+ }
+
+ private static Response call(String url) {
+ Request request = new Request.Builder().get().url(url).build();
+ try {
+ return new OkHttpClient().newCall(request).execute();
+ } catch (IOException e) {
+ throw Throwables.propagate(e);
+ }
+ }
+}
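Review bot: Neither `assertCacheInBrowser` nor `assertNoCacheInBrowser` checks the HTTP status, so these tests can pass on a response that is not the page they name. `assertCacheInBrowser` only asserts that three directives are absent, which also holds for a response with no Cache-Control header at all, such as a 404 for `/css/sonar.css` or `/images/logo.svg`. Adding `assertThat(httpResponse.isSuccessful()).isTrue();` at the top of both helpers would tie the header checks to a real page. Every request in `call` is anonymous, so the administration pages named in the commit title do not appear to be exercised here; an authenticated request to an admin page would pin the SONAR-6964 behaviour more directly. The `Response` body is also never closed, so each test should call `httpResponse.body().close()` once its assertions are done.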