public void SetCspDirectiveConfig_CommonCspDirectives_NoException([ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive) { var config = new CspConfiguration(); var directiveConfig = new CspDirectiveConfiguration(); Assert.DoesNotThrow(() => _mapper.SetCspDirectiveConfig(config, directive, directiveConfig)); }
public void GetCspPluginTypesConfigCloned_Configured_ClonesDirective() { var firstDirective = new CspPluginTypesDirectiveConfiguration() { Enabled = false, MediaTypes = new[] { "application/pdf" } }; var firstConfig = new CspConfiguration(false) { PluginTypesDirective = firstDirective }; var secondDirective = new CspPluginTypesDirectiveConfiguration() { Enabled = true, MediaTypes = new[] { "image/png", "application/pdf" } }; var secondConfig = new CspConfiguration(false) { PluginTypesDirective = secondDirective }; var mapper = new CspConfigMapper(); var firstResult = mapper.GetCspPluginTypesConfigCloned(firstConfig); var secondResult = mapper.GetCspPluginTypesConfigCloned(secondConfig); Assert.That(firstResult, Is.EqualTo(firstDirective).Using(new CspPluginTypesDirectiveConfigurationComparer())); Assert.That(secondResult, Is.EqualTo(secondDirective).Using(new CspPluginTypesDirectiveConfigurationComparer())); }
public void SetCspDirectiveConfig_CommonCspDirectives_NoException(CspDirectives directive) { var config = new CspConfiguration(); var directiveConfig = new CspDirectiveConfiguration(); _mapper.SetCspDirectiveConfig(config, directive, directiveConfig); }
public void MergeOverrides_HeaderConfiguredAndDirectivesNotConfigured_MergesHeaderConfigAndInitializesDirectives() { var sourceConfig = new CspOverrideConfiguration { Enabled = false, EnabledOverride = true }; var destinationConfig = new CspConfiguration(false) { Enabled = true }; _mapper.MergeOverrides(sourceConfig, destinationConfig); var directives = CspCommonDirectives.Directives().ToArray(); Assert.IsFalse(destinationConfig.Enabled); foreach (var directive in directives) { Assert.IsNotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive)); } Assert.IsNotNull(destinationConfig.PluginTypesDirective); Assert.IsNotNull(destinationConfig.SandboxDirective); Assert.IsNotNull(destinationConfig.UpgradeInsecureRequestsDirective); Assert.IsNotNull(destinationConfig.ReportUriDirective); }
public void GetCspSandboxConfigCloned_Configured_ClonesDirective() { var firstDirective = new CspSandboxDirectiveConfiguration { AllowForms = true, AllowModals = true, AllowOrientationLock = true, AllowPointerLock = true, AllowPopups = true }; var firstConfig = new CspConfiguration(false) { SandboxDirective = firstDirective }; var secondDirective = new CspSandboxDirectiveConfiguration() { AllowPopupsToEscapeSandbox = true, AllowPresentation = true, AllowSameOrigin = true, AllowScripts = true, AllowTopNavigation = true, Enabled = true }; var secondConfig = new CspConfiguration(false) { SandboxDirective = secondDirective }; var mapper = new CspConfigMapper(); var firstResult = mapper.GetCspSandboxConfigCloned(firstConfig); var secondResult = mapper.GetCspSandboxConfigCloned(secondConfig); Assert.Equal(firstResult, firstDirective, new CspSandboxDirectiveConfigurationEqualityComparer()); Assert.Equal(secondResult, secondDirective, new CspSandboxDirectiveConfigurationEqualityComparer()); }
public void MergeConfiguration_SourceAndTargetDirectivesNotConfigured_MergesHeaderAttributesAndInitializesDirectives() { var sourceConfig = new CspConfiguration(false) { Enabled = false }; var destinationConfig = new CspConfiguration(false) { Enabled = true }; _mapper.MergeConfiguration(sourceConfig, destinationConfig); var directives = new CspCommonDirectives().ToArray(); Assert.False(destinationConfig.Enabled); foreach (var directive in directives) { Assert.NotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive)); } Assert.NotNull(destinationConfig.PluginTypesDirective); Assert.NotNull(destinationConfig.SandboxDirective); Assert.NotNull(destinationConfig.UpgradeInsecureRequestsDirective); Assert.NotNull(destinationConfig.MixedContentDirective); Assert.NotNull(destinationConfig.ReportUriDirective); }
public void AddCspHeaders_CspEnabledWithSandboxSources_ReturnsSetCspWithSandboxResult(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = true, SandboxDirective = { Enabled = true, AllowForms = true, AllowModals = true, AllowOrientationLock = true, AllowPointerLock = true, AllowPopups = true, AllowPopupsToEscapeSandbox = true, AllowPresentation = true, AllowSameOrigin = true, AllowScripts = true, AllowTopNavigation = true } }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.NotNull(result); Assert.Equal(HeaderResult.ResponseAction.Set, result.Action); Assert.Equal(CspHeaderName(reportOnly), result.Name); Assert.Equal("sandbox allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-top-navigation", result.Value); }
public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce() { var cspConfig = new CspConfiguration(); var cspConfigReportOnly = new CspConfiguration(); var overrideConfig = new CspOverrideConfiguration(); var overrideConfigReportOnly = new CspOverrideConfiguration(); var clonedCspDirective = new CspDirectiveConfiguration(); var clonedCspReportOnlyDirective = new CspDirectiveConfiguration(); _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), false)).Returns(cspConfig); _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), true)).Returns(cspConfigReportOnly); _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig); _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly); //No overrides _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null); _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null); _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.StyleSrc)).Returns(clonedCspDirective); _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfigReportOnly, CspDirectives.StyleSrc)).Returns(clonedCspReportOnlyDirective); _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective)); _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective)); var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext); Assert.AreEqual(nonce, clonedCspDirective.Nonce); Assert.AreEqual(nonce, clonedCspReportOnlyDirective.Nonce); _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective), Times.Once); _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective), Times.Once); }
public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly, [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive) { var contextConfig = new CspConfiguration(); var overrideConfig = new CspOverrideConfiguration(); //Returns CSP config from context _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns(contextConfig); _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig); //There's no override for directive _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns((ICspDirectiveConfiguration)null); //Returns cloned directive config from context config var clonedContextDirective = new CspDirectiveConfiguration(); _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(contextConfig, directive)).Returns(clonedContextDirective); //We need an override and a result. var directiveOverride = new CspDirectiveOverride(); var directiveOverrideResult = new CspDirectiveConfiguration(); _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult); //This should be called at the very end _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult)); CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly); //Verify that the override result was set on the override config. _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once); }
public void MergeConfiguration_SourceAndTargetDirectivesConfigured_MergesHeaderAttributesAndSourceDirectives() { var sourceConfig = new CspConfiguration { Enabled = false }; var destinationConfig = new CspConfiguration { Enabled = true }; _mapper.MergeConfiguration(sourceConfig, destinationConfig); var directives = CspCommonDirectives.Directives().ToArray(); Assert.IsFalse(destinationConfig.Enabled); foreach (var directive in directives) { Assert.AreSame(_mapper.GetCspDirectiveConfig(sourceConfig, directive), _mapper.GetCspDirectiveConfig(destinationConfig, directive)); } Assert.AreSame(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective); Assert.AreSame(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective); Assert.AreSame(sourceConfig.UpgradeInsecureRequestsDirective, destinationConfig.UpgradeInsecureRequestsDirective); Assert.AreSame(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective); }
public void GetCspSandboxConfigCloned_Configured_ClonesDirective() { var firstDirective = new CspSandboxDirectiveConfiguration { AllowForms = true, AllowPointerLock = true, AllowPopups = true }; var firstConfig = new CspConfiguration(false) { SandboxDirective = firstDirective }; var secondDirective = new CspSandboxDirectiveConfiguration() { AllowSameOrigin = true, AllowScripts = true, AllowTopNavigation = true, Enabled = true }; var secondConfig = new CspConfiguration(false) { SandboxDirective = secondDirective }; var mapper = new CspConfigMapper(); var firstResult = mapper.GetCspSandboxConfigCloned(firstConfig); var secondResult = mapper.GetCspSandboxConfigCloned(secondConfig); Assert.That(firstResult, Is.EqualTo(firstDirective).Using(new CspSandboxDirectiveConfigurationComparer())); Assert.That(secondResult, Is.EqualTo(secondDirective).Using(new CspSandboxDirectiveConfigurationComparer())); }
public void GetCspSandboxConfigCloned_NoDirective_ReturnsNull() { var config = new CspConfiguration(false); var mapper = new CspConfigMapper(); var clone = mapper.GetCspSandboxConfigCloned(config); Assert.IsNull(clone); }
public void GetCspDirectiveConfigCloned_NoDirective_ReturnsNull() { var config = new CspConfiguration(false); var mapper = new CspConfigMapper(); var clone = mapper.GetCspDirectiveConfigCloned(config, CspDirectives.ScriptSrc); Assert.IsNull(clone); }
public void AddCspHeaders_Disabled_ReturnsEmptyResults(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = false, DefaultSrcDirective = { SelfSrc = true } }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.Null(result); }
public void GetCspReportonlyConfiguration_NoOwinContext_ReturnsSystemWebConfig() { var config = new CspConfiguration(); _systemWebContext.CspReportOnly = config; var result = _contextHelper.GetCspConfiguration(_mockContext, true); Assert.Same(config, result); }
public void GetCspConfiguration_NoOwinContext_ReturnsSystemWebConfig() { var config = new CspConfiguration(); _systemWebContext.Csp = config; var result = _contextHelper.GetCspConfiguration(_mockContext, false); Assert.AreSame(config, result); }
public void GetCspConfiguration_ReturnsContextConfig() { var config = new CspConfiguration(); _nwContext.Csp = config; var result = _contextHelper.GetCspConfiguration(_mockContext, false); Assert.Same(config, result); }
public void GetCspReportonlyConfiguration_ReturnsContextConfig() { var config = new CspConfiguration(); _nwContext.CspReportOnly = config; var result = _contextHelper.GetCspConfiguration(_mockContext, true); Assert.AreSame(config, result); }
public void AddCspHeaders_EnabledButNoDirectivesOrReportUriEnabled_ReturnsEmptyResults(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = true }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.Null(result); }
public void AddCspHeaders_DisabledButNoncesPresent_ReturnsEmptyResults(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = false, ScriptSrcDirective = { Nonce = "Heyhey" } }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.Null(result); }
public void GetCspReportonlyConfiguration_HasOwinConfig_ReturnsOwinConfig() { SetupOwinContext(); var config = new CspConfiguration(); _owinContext.CspReportOnly = config; var result = _contextHelper.GetCspConfiguration(_mockContext, true); Assert.Same(config, result); }
public void GetCspConfiguration_OwinContextWithoutConfig_ReturnsSystemWebConfig() { SetupOwinContext(); var config = new CspConfiguration(); _systemWebContext.Csp = config; var result = _contextHelper.GetCspConfiguration(_mockContext, false); Assert.Same(config, result); }
public void GetCspConfiguration_HasOwinConfig_ReturnsOwinConfig() { SetupOwinContext(); var config = new CspConfiguration(); _owinContext.Csp = config; var result = _contextHelper.GetCspConfiguration(_mockContext, false); Assert.AreSame(config, result); }
public void SetCspHeaders_NoOverride_DoesNothing(bool reportOnly) { var contextConfig = new CspConfiguration(); _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <IHttpContextWrapper>(), reportOnly)).Returns(contextConfig); _cspConfigurationOverrideHelper.Setup(h => h.GetCspConfigWithOverrides(It.IsAny <IHttpContextWrapper>(), reportOnly)).Returns((CspConfiguration)null); _overrideHelper.SetCspHeaders(_httpContext, reportOnly); _headerGenerator.Verify(g => g.CreateCspResult(It.IsAny <ICspConfiguration>(), reportOnly, It.IsAny <string>(), It.IsAny <ICspConfiguration>()), Times.Never); _headerResultHandler.Verify(h => h.HandleHeaderResult(_httpContext, It.IsAny <HeaderResult>()), Times.Never); }
public void AddCspHeaders_EnabledButNoDirectivesEnabledAndReportUriEnabled_ReturnsEmptyResults([Values(false, true)] bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = true }; cspConfig.ReportUriDirective.Enabled = true; cspConfig.ReportUriDirective.EnableBuiltinHandler = true; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.IsNull(result); }
public void TryUpgradeInsecureRequest_CspDisabledAndHttpRequest_ReturnsFalse() { SetSecureConnection(false); var cspConfig = new CspConfiguration { Enabled = false, UpgradeInsecureRequestsDirective = { Enabled = true } }; var helper = new CspUpgradeInsecureRequestHelper(cspConfig); Assert.IsFalse(helper.TryUpgradeInsecureRequest(_context.Object)); Assert.AreEqual(200, _response.Object.StatusCode); }
public void AddCspHeaders_CspEnabledWithScriptSrc_ReturnsSetCspWithScriptSrcResult(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = true, ScriptSrcDirective = { UnsafeEvalSrc = true } }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.NotNull(result); Assert.Equal(HeaderResult.ResponseAction.Set, result.Action); Assert.Equal(CspHeaderName(reportOnly), result.Name); Assert.Equal("script-src 'unsafe-eval'", result.Value); }
public void AddCspHeaders_DisabledWithCspEnabledInOldConfig_ReturnsRemoveResult(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = false, DefaultSrcDirective = { SelfSrc = true } }; var oldCspConfig = new CspConfiguration { Enabled = true, DefaultSrcDirective = { SelfSrc = true } }; var result = _generator.CreateCspResult(cspConfig, reportOnly, oldCspConfig: oldCspConfig); Assert.NotNull(result); Assert.Equal(HeaderResult.ResponseAction.Remove, result.Action); Assert.Equal(CspHeaderName(reportOnly), result.Name); }
public void AddCspHeaders_CspDirectiveWithTwoSources_ReturnsSetCspCorrectlyFormattedDirectiveResult(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = true, DefaultSrcDirective = { SelfSrc = true } }; cspConfig.DefaultSrcDirective.CustomSources = new[] { "nwebsec.codeplex.com" }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.NotNull(result); Assert.Equal(HeaderResult.ResponseAction.Set, result.Action); Assert.Equal(CspHeaderName(reportOnly), result.Name); Assert.Equal("default-src 'self' nwebsec.codeplex.com", result.Value); }
public void AddCspHeaders_CspEnabledWithMixedContent_ReturnsSetCspWithMixedContentResult(bool reportOnly) { var cspConfig = new CspConfiguration { Enabled = true, MixedContentDirective = { Enabled = true } }; var result = _generator.CreateCspResult(cspConfig, reportOnly); Assert.NotNull(result); Assert.Equal(HeaderResult.ResponseAction.Set, result.Action); Assert.Equal(CspHeaderName(reportOnly), result.Name); Assert.Equal("block-all-mixed-content", result.Value); }