public void SetCspDirectiveConfig_CommonCspDirectives_NoException([ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
var config = new CspConfiguration();
var directiveConfig = new CspDirectiveConfiguration();
Assert.DoesNotThrow(() => _mapper.SetCspDirectiveConfig(config, directive, directiveConfig));
}
public void GetCspPluginTypesConfigCloned_Configured_ClonesDirective()
{
var firstDirective = new CspPluginTypesDirectiveConfiguration()
{
Enabled = false,
MediaTypes = new[] { "application/pdf" }
};
var firstConfig = new CspConfiguration(false)
{
PluginTypesDirective = firstDirective
};
var secondDirective = new CspPluginTypesDirectiveConfiguration()
{
Enabled = true,
MediaTypes = new[] { "image/png", "application/pdf" }
};
var secondConfig = new CspConfiguration(false)
{
PluginTypesDirective = secondDirective
};
var mapper = new CspConfigMapper();
var firstResult = mapper.GetCspPluginTypesConfigCloned(firstConfig);
var secondResult = mapper.GetCspPluginTypesConfigCloned(secondConfig);
Assert.That(firstResult, Is.EqualTo(firstDirective).Using(new CspPluginTypesDirectiveConfigurationComparer()));
Assert.That(secondResult, Is.EqualTo(secondDirective).Using(new CspPluginTypesDirectiveConfigurationComparer()));
}
public void SetCspDirectiveConfig_CommonCspDirectives_NoException(CspDirectives directive)
{
var config = new CspConfiguration();
var directiveConfig = new CspDirectiveConfiguration();
_mapper.SetCspDirectiveConfig(config, directive, directiveConfig);
}
public void MergeOverrides_HeaderConfiguredAndDirectivesNotConfigured_MergesHeaderConfigAndInitializesDirectives()
{
var sourceConfig = new CspOverrideConfiguration {
Enabled = false, EnabledOverride = true
};
var destinationConfig = new CspConfiguration(false)
{
Enabled = true
};
_mapper.MergeOverrides(sourceConfig, destinationConfig);
var directives = CspCommonDirectives.Directives().ToArray();
Assert.IsFalse(destinationConfig.Enabled);
foreach (var directive in directives)
{
Assert.IsNotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive));
}
Assert.IsNotNull(destinationConfig.PluginTypesDirective);
Assert.IsNotNull(destinationConfig.SandboxDirective);
Assert.IsNotNull(destinationConfig.UpgradeInsecureRequestsDirective);
Assert.IsNotNull(destinationConfig.ReportUriDirective);
}
public void GetCspSandboxConfigCloned_Configured_ClonesDirective()
{
var firstDirective = new CspSandboxDirectiveConfiguration
{
AllowForms = true,
AllowModals = true,
AllowOrientationLock = true,
AllowPointerLock = true,
AllowPopups = true
};
var firstConfig = new CspConfiguration(false)
{
SandboxDirective = firstDirective
};
var secondDirective = new CspSandboxDirectiveConfiguration()
{
AllowPopupsToEscapeSandbox = true,
AllowPresentation = true,
AllowSameOrigin = true,
AllowScripts = true,
AllowTopNavigation = true,
Enabled = true
};
var secondConfig = new CspConfiguration(false)
{
SandboxDirective = secondDirective
};
var mapper = new CspConfigMapper();
var firstResult = mapper.GetCspSandboxConfigCloned(firstConfig);
var secondResult = mapper.GetCspSandboxConfigCloned(secondConfig);
Assert.Equal(firstResult, firstDirective, new CspSandboxDirectiveConfigurationEqualityComparer());
Assert.Equal(secondResult, secondDirective, new CspSandboxDirectiveConfigurationEqualityComparer());
}
public void MergeConfiguration_SourceAndTargetDirectivesNotConfigured_MergesHeaderAttributesAndInitializesDirectives()
{
var sourceConfig = new CspConfiguration(false)
{
Enabled = false
};
var destinationConfig = new CspConfiguration(false)
{
Enabled = true
};
_mapper.MergeConfiguration(sourceConfig, destinationConfig);
var directives = new CspCommonDirectives().ToArray();
Assert.False(destinationConfig.Enabled);
foreach (var directive in directives)
{
Assert.NotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive));
}
Assert.NotNull(destinationConfig.PluginTypesDirective);
Assert.NotNull(destinationConfig.SandboxDirective);
Assert.NotNull(destinationConfig.UpgradeInsecureRequestsDirective);
Assert.NotNull(destinationConfig.MixedContentDirective);
Assert.NotNull(destinationConfig.ReportUriDirective);
}
public void AddCspHeaders_CspEnabledWithSandboxSources_ReturnsSetCspWithSandboxResult(bool reportOnly)
{
var cspConfig = new CspConfiguration
{
Enabled = true,
SandboxDirective =
{
Enabled = true,
AllowForms = true,
AllowModals = true,
AllowOrientationLock = true,
AllowPointerLock = true,
AllowPopups = true,
AllowPopupsToEscapeSandbox = true,
AllowPresentation = true,
AllowSameOrigin = true,
AllowScripts = true,
AllowTopNavigation = true
}
};
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.NotNull(result);
Assert.Equal(HeaderResult.ResponseAction.Set, result.Action);
Assert.Equal(CspHeaderName(reportOnly), result.Name);
Assert.Equal("sandbox allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-top-navigation", result.Value);
}
public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce()
{
var cspConfig = new CspConfiguration();
var cspConfigReportOnly = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
var overrideConfigReportOnly = new CspOverrideConfiguration();
var clonedCspDirective = new CspDirectiveConfiguration();
var clonedCspReportOnlyDirective = new CspDirectiveConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), false)).Returns(cspConfig);
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), true)).Returns(cspConfigReportOnly);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
//No overrides
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.StyleSrc)).Returns(clonedCspDirective);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfigReportOnly, CspDirectives.StyleSrc)).Returns(clonedCspReportOnlyDirective);
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective));
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective));
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual(nonce, clonedCspDirective.Nonce);
Assert.AreEqual(nonce, clonedCspReportOnlyDirective.Nonce);
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective), Times.Once);
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective), Times.Once);
}
public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly,
[ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
var contextConfig = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
//Returns CSP config from context
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns(contextConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//There's no override for directive
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns((ICspDirectiveConfiguration)null);
//Returns cloned directive config from context config
var clonedContextDirective = new CspDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(contextConfig, directive)).Returns(clonedContextDirective);
//We need an override and a result.
var directiveOverride = new CspDirectiveOverride();
var directiveOverrideResult = new CspDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);
//This should be called at the very end
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));
CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
}
public void MergeConfiguration_SourceAndTargetDirectivesConfigured_MergesHeaderAttributesAndSourceDirectives()
{
var sourceConfig = new CspConfiguration {
Enabled = false
};
var destinationConfig = new CspConfiguration {
Enabled = true
};
_mapper.MergeConfiguration(sourceConfig, destinationConfig);
var directives = CspCommonDirectives.Directives().ToArray();
Assert.IsFalse(destinationConfig.Enabled);
foreach (var directive in directives)
{
Assert.AreSame(_mapper.GetCspDirectiveConfig(sourceConfig, directive), _mapper.GetCspDirectiveConfig(destinationConfig, directive));
}
Assert.AreSame(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective);
Assert.AreSame(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective);
Assert.AreSame(sourceConfig.UpgradeInsecureRequestsDirective, destinationConfig.UpgradeInsecureRequestsDirective);
Assert.AreSame(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective);
}
public void GetCspSandboxConfigCloned_Configured_ClonesDirective()
{
var firstDirective = new CspSandboxDirectiveConfiguration
{
AllowForms = true,
AllowPointerLock = true,
AllowPopups = true
};
var firstConfig = new CspConfiguration(false)
{
SandboxDirective = firstDirective
};
var secondDirective = new CspSandboxDirectiveConfiguration()
{
AllowSameOrigin = true,
AllowScripts = true,
AllowTopNavigation = true,
Enabled = true
};
var secondConfig = new CspConfiguration(false)
{
SandboxDirective = secondDirective
};
var mapper = new CspConfigMapper();
var firstResult = mapper.GetCspSandboxConfigCloned(firstConfig);
var secondResult = mapper.GetCspSandboxConfigCloned(secondConfig);
Assert.That(firstResult, Is.EqualTo(firstDirective).Using(new CspSandboxDirectiveConfigurationComparer()));
Assert.That(secondResult, Is.EqualTo(secondDirective).Using(new CspSandboxDirectiveConfigurationComparer()));
}
public void GetCspSandboxConfigCloned_NoDirective_ReturnsNull()
{
var config = new CspConfiguration(false);
var mapper = new CspConfigMapper();
var clone = mapper.GetCspSandboxConfigCloned(config);
Assert.IsNull(clone);
}
public void GetCspDirectiveConfigCloned_NoDirective_ReturnsNull()
{
var config = new CspConfiguration(false);
var mapper = new CspConfigMapper();
var clone = mapper.GetCspDirectiveConfigCloned(config, CspDirectives.ScriptSrc);
Assert.IsNull(clone);
}
public void AddCspHeaders_Disabled_ReturnsEmptyResults(bool reportOnly)
{
var cspConfig = new CspConfiguration {
Enabled = false, DefaultSrcDirective = { SelfSrc = true }
};
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.Null(result);
}
public void GetCspReportonlyConfiguration_NoOwinContext_ReturnsSystemWebConfig()
{
var config = new CspConfiguration();
_systemWebContext.CspReportOnly = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, true);
Assert.Same(config, result);
}
public void GetCspConfiguration_NoOwinContext_ReturnsSystemWebConfig()
{
var config = new CspConfiguration();
_systemWebContext.Csp = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, false);
Assert.AreSame(config, result);
}
public void GetCspConfiguration_ReturnsContextConfig()
{
var config = new CspConfiguration();
_nwContext.Csp = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, false);
Assert.Same(config, result);
}
public void GetCspReportonlyConfiguration_ReturnsContextConfig()
{
var config = new CspConfiguration();
_nwContext.CspReportOnly = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, true);
Assert.AreSame(config, result);
}
public void AddCspHeaders_EnabledButNoDirectivesOrReportUriEnabled_ReturnsEmptyResults(bool reportOnly)
{
var cspConfig = new CspConfiguration {
Enabled = true
};
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.Null(result);
}
public void AddCspHeaders_DisabledButNoncesPresent_ReturnsEmptyResults(bool reportOnly)
{
var cspConfig = new CspConfiguration {
Enabled = false, ScriptSrcDirective = { Nonce = "Heyhey" }
};
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.Null(result);
}
public void GetCspReportonlyConfiguration_HasOwinConfig_ReturnsOwinConfig()
{
SetupOwinContext();
var config = new CspConfiguration();
_owinContext.CspReportOnly = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, true);
Assert.Same(config, result);
}
public void GetCspConfiguration_OwinContextWithoutConfig_ReturnsSystemWebConfig()
{
SetupOwinContext();
var config = new CspConfiguration();
_systemWebContext.Csp = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, false);
Assert.Same(config, result);
}
public void GetCspConfiguration_HasOwinConfig_ReturnsOwinConfig()
{
SetupOwinContext();
var config = new CspConfiguration();
_owinContext.Csp = config;
var result = _contextHelper.GetCspConfiguration(_mockContext, false);
Assert.AreSame(config, result);
}
public void SetCspHeaders_NoOverride_DoesNothing(bool reportOnly)
{
var contextConfig = new CspConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <IHttpContextWrapper>(), reportOnly)).Returns(contextConfig);
_cspConfigurationOverrideHelper.Setup(h => h.GetCspConfigWithOverrides(It.IsAny <IHttpContextWrapper>(), reportOnly)).Returns((CspConfiguration)null);
_overrideHelper.SetCspHeaders(_httpContext, reportOnly);
_headerGenerator.Verify(g => g.CreateCspResult(It.IsAny <ICspConfiguration>(), reportOnly, It.IsAny <string>(), It.IsAny <ICspConfiguration>()), Times.Never);
_headerResultHandler.Verify(h => h.HandleHeaderResult(_httpContext, It.IsAny <HeaderResult>()), Times.Never);
}
public void AddCspHeaders_EnabledButNoDirectivesEnabledAndReportUriEnabled_ReturnsEmptyResults([Values(false, true)] bool reportOnly)
{
var cspConfig = new CspConfiguration {
Enabled = true
};
cspConfig.ReportUriDirective.Enabled = true;
cspConfig.ReportUriDirective.EnableBuiltinHandler = true;
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.IsNull(result);
}
public void TryUpgradeInsecureRequest_CspDisabledAndHttpRequest_ReturnsFalse()
{
SetSecureConnection(false);
var cspConfig = new CspConfiguration
{
Enabled = false,
UpgradeInsecureRequestsDirective = { Enabled = true }
};
var helper = new CspUpgradeInsecureRequestHelper(cspConfig);
Assert.IsFalse(helper.TryUpgradeInsecureRequest(_context.Object));
Assert.AreEqual(200, _response.Object.StatusCode);
}
public void AddCspHeaders_CspEnabledWithScriptSrc_ReturnsSetCspWithScriptSrcResult(bool reportOnly)
{
var cspConfig = new CspConfiguration
{
Enabled = true,
ScriptSrcDirective = { UnsafeEvalSrc = true }
};
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.NotNull(result);
Assert.Equal(HeaderResult.ResponseAction.Set, result.Action);
Assert.Equal(CspHeaderName(reportOnly), result.Name);
Assert.Equal("script-src 'unsafe-eval'", result.Value);
}
public void AddCspHeaders_DisabledWithCspEnabledInOldConfig_ReturnsRemoveResult(bool reportOnly)
{
var cspConfig = new CspConfiguration {
Enabled = false, DefaultSrcDirective = { SelfSrc = true }
};
var oldCspConfig = new CspConfiguration {
Enabled = true, DefaultSrcDirective = { SelfSrc = true }
};
var result = _generator.CreateCspResult(cspConfig, reportOnly, oldCspConfig: oldCspConfig);
Assert.NotNull(result);
Assert.Equal(HeaderResult.ResponseAction.Remove, result.Action);
Assert.Equal(CspHeaderName(reportOnly), result.Name);
}
public void AddCspHeaders_CspDirectiveWithTwoSources_ReturnsSetCspCorrectlyFormattedDirectiveResult(bool reportOnly)
{
var cspConfig = new CspConfiguration {
Enabled = true, DefaultSrcDirective = { SelfSrc = true }
};
cspConfig.DefaultSrcDirective.CustomSources = new[] { "nwebsec.codeplex.com" };
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.NotNull(result);
Assert.Equal(HeaderResult.ResponseAction.Set, result.Action);
Assert.Equal(CspHeaderName(reportOnly), result.Name);
Assert.Equal("default-src 'self' nwebsec.codeplex.com", result.Value);
}
public void AddCspHeaders_CspEnabledWithMixedContent_ReturnsSetCspWithMixedContentResult(bool reportOnly)
{
var cspConfig = new CspConfiguration
{
Enabled = true,
MixedContentDirective = { Enabled = true }
};
var result = _generator.CreateCspResult(cspConfig, reportOnly);
Assert.NotNull(result);
Assert.Equal(HeaderResult.ResponseAction.Set, result.Action);
Assert.Equal(CspHeaderName(reportOnly), result.Name);
Assert.Equal("block-all-mixed-content", result.Value);
}
