cloudfoundry-attic / cf-abacus

CF usage metering and aggregation
Apache License 2.0

Mixture of secured and non secured environment in cf itests #706

Open georgi-lozev opened 7 years ago

georgi-lozev commented 7 years ago

Some of the abacus integration tests (bridge-test.js#L144) validate with both secured and non-secured environments, others (test.js#L186) validate only secured, and there is a third group that does not deal explicitly with security but still signs and passes tokens inside the code (accuracy-test.js#L59).

Maybe in the third option, controlling the security from outside is left as an alternative, but it's somehow misleading and requires you to know the test and the code in detail in order to run it in all possible scenarios.

Does it make sense to test without security at all or do we need to support both?

cf-gitbot commented 7 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/150035658

The labels on this github issue will be updated when the story is started.

hsiliev commented 7 years ago

There are CF environments that do not require security to be on, since they rely on IaaS to encrypt the traffic. Networking release can restrict the access between apps, so using it can also make https optional. I would say we need to support both secure and non-secure environments.

As for the tests: the best would be to have both secured and non-secured tests, but this takes lots of time. Therefore some of the tests do not exercise both branches since the secure aspect is covered by another test.

I would say we need to remove all secure and non-secure branching from the tests and create an explicit group that deals with this. In this way it becomes quite clear what this test does and what the implication is when it fails.