public void SetCspHeaderOverride_OverridesWithHeaderEnabled_HeaderEnabled([Values(false, true)]bool reportOnly)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
var cspOverride = new CspHeaderConfiguration { Enabled = true };
CspConfigurationOverrideHelper.SetCspHeaderOverride(MockContext, cspOverride, reportOnly);
Assert.IsTrue(overrideConfig.EnabledOverride);
Assert.IsTrue(overrideConfig.Enabled);
}
public void GetCspElementWithOverrides_OverrideAndNoConfigFromContext_MergesOverrides([Values(false, true)]bool reportOnly)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns((ICspConfiguration)null);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, true)).Returns(overrideConfig);
_directiveConfigMapper.Setup(m => m.MergeOverrides(overrideConfig, It.IsAny<ICspConfiguration>()));
var overrideElement = CspConfigurationOverrideHelper.GetCspConfigWithOverrides(MockContext, reportOnly);
Assert.IsNotNull(overrideElement);
_directiveConfigMapper.Verify(m => m.MergeOverrides(overrideConfig, It.IsAny<ICspConfiguration>()), Times.Once);
}
public void SetCspReportUriOverride_ReportUriDisabledAndOverridden_ReturnsOverridenReportUri([Values(false, true)]bool reportOnly)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
var reportUri = new CspReportUriDirectiveConfiguration { Enabled = true, EnableBuiltinHandler = true };
CspConfigurationOverrideHelper.SetCspReportUriOverride(MockContext, reportUri, reportOnly);
Assert.IsTrue(overrideConfig.ReportUriDirective.Enabled);
Assert.IsTrue(overrideConfig.ReportUriDirective.EnableBuiltinHandler);
}
public void GetCspStyleNonce_StyleNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
{
var overrideConfig = new CspOverrideConfiguration();
var overrideConfigReportOnly = new CspOverrideConfiguration();
var overrideCspDirective = new CspDirectiveConfiguration();
var overrideCspReportOnlyDirective = new CspDirectiveConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(overrideConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns(overrideCspDirective);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns(overrideCspReportOnlyDirective);
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual(nonce, overrideCspDirective.Nonce);
Assert.AreEqual(nonce, overrideCspReportOnlyDirective.Nonce);
}
public void GetCspStyleNonce_NonceRequestedAndNonceExists_ReturnsSameNonce()
{
var overrideConfig = new CspOverrideConfiguration { StyleSrcDirective = new CspDirectiveConfiguration { Nonce = "heyhey" } };
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(overrideConfig);
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual("heyhey", nonce);
}
public void SetCspSandboxOverride_HasOverride_OverridesExistingOverride([Values(false, true)]bool reportOnly)
{
//There's an override for directive
var currentDirectiveOverride = new CspSandboxDirectiveConfiguration();
var overrideConfig = new CspOverrideConfiguration {SandboxDirective = currentDirectiveOverride};
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//We need an override and a result.
var directiveOverride = new CspSandboxOverride();
var directiveOverrideResult = new CspSandboxDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspSandboxConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);
CspConfigurationOverrideHelper.SetCspSandboxOverride(MockContext, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
Assert.AreSame(directiveOverrideResult, overrideConfig.SandboxDirective);
}
public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce()
{
var cspConfig = new CspConfiguration();
var cspConfigReportOnly = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
var overrideConfigReportOnly = new CspOverrideConfiguration();
var clonedCspDirective = new CspDirectiveConfiguration();
var clonedCspReportOnlyDirective = new CspDirectiveConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), false)).Returns(cspConfig);
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), true)).Returns(cspConfigReportOnly);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(overrideConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
//No overrides
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.StyleSrc)).Returns(clonedCspDirective);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfigReportOnly, CspDirectives.StyleSrc)).Returns(clonedCspReportOnlyDirective);
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective));
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective));
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual(nonce, clonedCspDirective.Nonce);
Assert.AreEqual(nonce, clonedCspReportOnlyDirective.Nonce);
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective), Times.Once);
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective), Times.Once);
}
public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride([Values(false, true)]bool reportOnly,
[ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//There's an override for directive
var currentDirectiveOverride = new CspDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns(currentDirectiveOverride);
//We need an override and a result.
var directiveOverride = new CspDirectiveOverride();
var directiveOverrideResult = new CspDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);
//This should be called at the very end
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));
CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
}
public void SetCspSandboxOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)]bool reportOnly)
{
var contextConfig = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
//Returns CSP config from context
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns(contextConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//Returns cloned directive config from context config
var clonedContextDirective = new CspSandboxDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspSandboxConfigCloned(contextConfig)).Returns(clonedContextDirective);
//We need an override and a result.
var directiveOverride = new CspSandboxOverride();
var directiveOverrideResult = new CspSandboxDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspSandboxConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);
CspConfigurationOverrideHelper.SetCspSandboxOverride(MockContext, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
Assert.AreSame(directiveOverrideResult, overrideConfig.SandboxDirective);
}
public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)]bool reportOnly,
[ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
var contextConfig = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
//Returns CSP config from context
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns(contextConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//There's no override for directive
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns((ICspDirectiveConfiguration)null);
//Returns cloned directive config from context config
var clonedContextDirective = new CspDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(contextConfig, directive)).Returns(clonedContextDirective);
//We need an override and a result.
var directiveOverride = new CspDirectiveOverride();
var directiveOverrideResult = new CspDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);
//This should be called at the very end
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));
CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
}
public void MergeOverrides_HeaderNotConfiguredAndDirectivesConfigured_MergesDirectives()
{
var directives = CspCommonDirectives.Directives().ToArray();
var sourceConfig = new CspOverrideConfiguration { Enabled = false, EnabledOverride = false };
foreach (var directive in directives)
{
_mapper.SetCspDirectiveConfig(sourceConfig, directive, new CspDirectiveConfiguration { Nonce = directive.ToString() });
}
sourceConfig.PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
sourceConfig.SandboxDirective = new CspSandboxDirectiveConfiguration();
sourceConfig.ReportUriDirective = new CspReportUriDirectiveConfiguration();
var destinationConfig = new CspConfiguration(false) { Enabled = true };
_mapper.MergeOverrides(sourceConfig, destinationConfig);
Assert.IsTrue(destinationConfig.Enabled);
foreach (var directive in directives)
{
var directiveConfig = _mapper.GetCspDirectiveConfig(destinationConfig, directive);
Assert.IsNotNull(directiveConfig);
Assert.AreEqual(directive.ToString(), directiveConfig.Nonce);
}
Assert.AreSame(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective);
Assert.AreSame(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective);
Assert.AreSame(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective);
}
public void MergeOverrides_HeaderConfiguredAndDirectivesNotConfigured_MergesHeaderConfigAndInitializesDirectives()
{
var sourceConfig = new CspOverrideConfiguration { Enabled = false, EnabledOverride = true };
var destinationConfig = new CspConfiguration(false) { Enabled = true };
_mapper.MergeOverrides(sourceConfig, destinationConfig);
var directives = CspCommonDirectives.Directives().ToArray();
Assert.IsFalse(destinationConfig.Enabled);
foreach (var directive in directives)
{
Assert.IsNotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive));
}
Assert.IsNotNull(destinationConfig.PluginTypesDirective);
Assert.IsNotNull(destinationConfig.SandboxDirective);
Assert.IsNotNull(destinationConfig.ReportUriDirective);
}
public void MergeOverrides(CspOverrideConfiguration source, ICspConfiguration destination)
{
if (source.EnabledOverride)
{
destination.Enabled = source.Enabled;
}
MergeDirectives(source, destination);
}
public void GetCspConfigurationOverride_HasOverrideConfig_ReturnsExistingConfig([Values(false, true)] bool allowNull)
{
var cspOverrideConfig = new CspOverrideConfiguration();
var cspReportOnlyOverrideConfig = new CspOverrideConfiguration();
var overrideConfig = new ConfigurationOverrides { CspOverride = cspOverrideConfig, CspReportOnlyOverride = cspReportOnlyOverrideConfig };
_systemWebContext.ConfigOverrides = overrideConfig;
var cspResult = _contextHelper.GetCspConfigurationOverride(_mockContext, false, allowNull);
var cspReportOnlyResult = _contextHelper.GetCspConfigurationOverride(_mockContext, true, allowNull);
Assert.AreSame(cspOverrideConfig, cspResult);
Assert.AreSame(cspReportOnlyOverrideConfig, cspReportOnlyResult);
}