protected CspDirectiveAttributeBase() { DirectiveConfig = new CspDirectiveOverride() { Enabled = true, InheritOtherSources = true }; _headerConfigurationOverrideHelper = new CspConfigurationOverrideHelper(); _headerOverrideHelper = new HeaderOverrideHelper(); }
public void GetOverridenCspDirectiveConfig_EnabledOverride_EnabledOverriden([Values(true, false)] bool expectedResult) { var directiveConfig = new CspDirectiveConfiguration { Enabled = !expectedResult }; var directiveOverride = new CspDirectiveOverride { Enabled = expectedResult }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.AreEqual(expectedResult, newConfig.Enabled); }
public ICspDirectiveConfiguration GetOverridenCspDirectiveConfig(CspDirectiveOverride directiveOverride, ICspDirectiveConfiguration directiveConfig) { if (directiveOverride.None.HasValue && (bool)directiveOverride.None) { //When 'none' is true we don't want any other sources return new CspDirectiveConfiguration { NoneSrc = true }; } var result = directiveConfig ?? new CspDirectiveConfiguration(); result.Enabled = directiveOverride.Enabled; if (directiveOverride.None.HasValue) { result.NoneSrc = (bool)directiveOverride.None; } //Keep track if other sources have been enabled, so none must be disabled. var disableNone = false; if (directiveOverride.Self.HasValue) { result.SelfSrc = (bool)directiveOverride.Self; disableNone = result.SelfSrc; } if (directiveOverride.UnsafeEval.HasValue) { result.UnsafeEvalSrc = (bool)directiveOverride.UnsafeEval; disableNone = disableNone || result.UnsafeEvalSrc; } if (directiveOverride.UnsafeInline.HasValue) { result.UnsafeInlineSrc = (bool)directiveOverride.UnsafeInline; disableNone = disableNone || result.UnsafeInlineSrc; } if (!directiveOverride.InheritOtherSources) { result.CustomSources = EmptySources; } if (directiveOverride.OtherSources != null && directiveOverride.OtherSources.Length > 0) { var newSources = new List<string>(result.CustomSources); newSources.AddRange(directiveOverride.OtherSources); result.CustomSources = newSources.Distinct(); disableNone = true; } if (disableNone) { result.NoneSrc = false; } return result; }
public void GetOverridenCspDirectiveConfig_NullConfig_ReturnsNewDefaultConfig() { var directiveConfig = new CspDirectiveConfiguration(); var directiveOverride = new CspDirectiveOverride { Enabled = directiveConfig.Enabled }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, null); Assert.AreNotSame(directiveConfig, newConfig); Assert.That(newConfig, Is.EqualTo(directiveConfig).Using(new CspDirectiveConfigurationComparer())); }
internal void SetCspDirectiveOverride(HttpContextBase context, CspDirectives directive, CspDirectiveOverride config, bool reportOnly) { var overrides = _contextConfigurationHelper.GetCspConfigurationOverride(context, reportOnly, false); var directiveToOverride = _configMapper.GetCspDirectiveConfig(overrides, directive); if (directiveToOverride == null) { var baseConfig = _contextConfigurationHelper.GetCspConfiguration(context, reportOnly); directiveToOverride = _configMapper.GetCspDirectiveConfigCloned(baseConfig, directive); } var newConfig = _cspDirectiveOverrideHelper.GetOverridenCspDirectiveConfig(config, directiveToOverride); _configMapper.SetCspDirectiveConfig(overrides, directive, newConfig); }
public void GetOverridenCspDirectiveConfig_NoneDisabledOverride_OverridesNoneAndKeepsOtherSources() { var directiveConfig = new CspDirectiveConfiguration { NoneSrc = false, SelfSrc = true, Nonce = "hei", UnsafeEvalSrc = true, UnsafeInlineSrc = true, CustomSources = new[] { "nwebsec.com" } }; var directiveOverride = new CspDirectiveOverride { None = false }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.That(newConfig, Is.EqualTo(directiveConfig).Using(new CspDirectiveConfigurationComparer())); }
public void GetOverridenCspDirectiveConfig_NoneEnabledOverride_OverridesNoneAndDropsOtherSources() { //Overriding with 'none' should clear all other sources. var directiveConfig = new CspDirectiveConfiguration { NoneSrc = false, SelfSrc = true, Nonce = "hei", UnsafeEvalSrc = true, UnsafeInlineSrc = true, CustomSources = new[] { "nwebsec.com" } }; var directiveOverride = new CspDirectiveOverride { None = true }; var expectedConfig = new CspDirectiveConfiguration { NoneSrc = true }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.That(newConfig, Is.EqualTo(expectedConfig).Using(new CspDirectiveConfigurationComparer())); }
public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride([Values(false, true)]bool reportOnly, [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive) { var overrideConfig = new CspOverrideConfiguration(); _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig); //There's an override for directive var currentDirectiveOverride = new CspDirectiveConfiguration(); _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns(currentDirectiveOverride); //We need an override and a result. var directiveOverride = new CspDirectiveOverride(); var directiveOverrideResult = new CspDirectiveConfiguration(); _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult); //This should be called at the very end _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult)); CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly); //Verify that the override result was set on the override config. _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once); }
public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)]bool reportOnly, [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive) { var contextConfig = new CspConfiguration(); var overrideConfig = new CspOverrideConfiguration(); //Returns CSP config from context _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns(contextConfig); _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideConfig); //There's no override for directive _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns((ICspDirectiveConfiguration)null); //Returns cloned directive config from context config var clonedContextDirective = new CspDirectiveConfiguration(); _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(contextConfig, directive)).Returns(clonedContextDirective); //We need an override and a result. var directiveOverride = new CspDirectiveOverride(); var directiveOverrideResult = new CspDirectiveConfiguration(); _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult); //This should be called at the very end _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult)); CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly); //Verify that the override result was set on the override config. _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once); }
public void GetOverridenCspDirectiveConfig_CustomSourcesOverrideWithSourcesInherited_KeepsAllSources() { var directiveConfig = new CspDirectiveConfiguration { CustomSources = new[] { "transformtool.codeplex.com", "nwebsec.codeplex.com" } }; var directiveOverride = new CspDirectiveOverride { OtherSources = new[] { "nwebsec.codeplex.com" }, InheritOtherSources = true }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.AreEqual(2, newConfig.CustomSources.Count()); Assert.Contains("transformtool.codeplex.com", newConfig.CustomSources.ToList()); Assert.Contains("nwebsec.codeplex.com", newConfig.CustomSources.ToList()); }
public void GetOverridenCspDirectiveConfig_CustomSourcesOverride_OverriddesCustomSources() { var directiveConfig = new CspDirectiveConfiguration { CustomSources = new[] { "www.nwebsec.com" } }; var directiveOverride = new CspDirectiveOverride { OtherSources = new[] { "*.nwebsec.com" }, InheritOtherSources = false }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.IsFalse(newConfig.SelfSrc); Assert.IsTrue(newConfig.CustomSources.Count() == 1); Assert.IsTrue(newConfig.CustomSources.First().Equals("*.nwebsec.com")); }
public void GetOverridenCspDirectiveConfig_NoCustomSourcesOverride_KeepsCustomSources() { var expectedSources = new[] { "www.nwebsec.com" }; var directiveConfig = new CspDirectiveConfiguration { CustomSources = expectedSources }; var directiveOverride = new CspDirectiveOverride { InheritOtherSources = true }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.IsTrue(expectedSources.SequenceEqual(newConfig.CustomSources), "CustomSources differed."); }
public void GetOverridenCspDirectiveConfig_UnsafeInlineInherit_InheritsUnsafeInline([Values(true, false)] bool expectedResult) { var directiveConfig = new CspDirectiveConfiguration { UnsafeInlineSrc = expectedResult }; var directiveOverride = new CspDirectiveOverride(); var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.AreEqual(expectedResult, newConfig.UnsafeInlineSrc); }
public void GetOverridenCspDirectiveConfig_UnsafeEvalOverride_OverridesUnsafeEval([Values(true, false)] bool expectedResult) { var directiveConfig = new CspDirectiveConfiguration { UnsafeEvalSrc = !expectedResult }; var directiveOverride = new CspDirectiveOverride { UnsafeEval = expectedResult }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.AreEqual(expectedResult, newConfig.UnsafeEvalSrc); }
public void GetOverridenCspDirectiveConfig_SelfOverride_OverridesSelf([Values(true, false)] bool expectedResult) { var directiveConfig = new CspDirectiveConfiguration { SelfSrc = !expectedResult }; var directiveOverride = new CspDirectiveOverride { Self = expectedResult }; var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig); Assert.AreEqual(expectedResult, newConfig.SelfSrc); }