예제 #1
0
        public void MergeOverrides_HeaderConfiguredAndDirectivesNotConfigured_MergesHeaderConfigAndInitializesDirectives()
        {
            var sourceConfig = new CspOverrideConfiguration {
                Enabled = false, EnabledOverride = true
            };
            var destinationConfig = new CspConfiguration(false)
            {
                Enabled = true
            };

            _mapper.MergeOverrides(sourceConfig, destinationConfig);

            var directives = CspCommonDirectives.Directives().ToArray();

            Assert.IsFalse(destinationConfig.Enabled);

            foreach (var directive in directives)
            {
                Assert.IsNotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive));
            }

            Assert.IsNotNull(destinationConfig.PluginTypesDirective);
            Assert.IsNotNull(destinationConfig.SandboxDirective);
            Assert.IsNotNull(destinationConfig.UpgradeInsecureRequestsDirective);
            Assert.IsNotNull(destinationConfig.ReportUriDirective);
        }
        public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce()
        {
            var cspConfig                    = new CspConfiguration();
            var cspConfigReportOnly          = new CspConfiguration();
            var overrideConfig               = new CspOverrideConfiguration();
            var overrideConfigReportOnly     = new CspOverrideConfiguration();
            var clonedCspDirective           = new CspDirectiveConfiguration();
            var clonedCspReportOnlyDirective = new CspDirectiveConfiguration();

            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), false)).Returns(cspConfig);
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), true)).Returns(cspConfigReportOnly);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
            //No overrides
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.StyleSrc)).Returns(clonedCspDirective);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfigReportOnly, CspDirectives.StyleSrc)).Returns(clonedCspReportOnlyDirective);
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective));
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective));

            var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

            Assert.AreEqual(nonce, clonedCspDirective.Nonce);
            Assert.AreEqual(nonce, clonedCspReportOnlyDirective.Nonce);
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective), Times.Once);
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective), Times.Once);
        }
        public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly,
                                                                                                  [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
        {
            var contextConfig  = new CspConfiguration();
            var overrideConfig = new CspOverrideConfiguration();

            //Returns CSP config from context
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns(contextConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
            //There's no override for directive
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns((ICspDirectiveConfiguration)null);
            //Returns cloned directive config from context config
            var clonedContextDirective = new CspDirectiveConfiguration();

            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(contextConfig, directive)).Returns(clonedContextDirective);
            //We need an override and a result.
            var directiveOverride       = new CspDirectiveOverride();
            var directiveOverrideResult = new CspDirectiveConfiguration();

            _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);
            //This should be called at the very end
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));

            CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);

            //Verify that the override result was set on the override config.
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
        }
예제 #4
0
        public void MergeOverrides(CspOverrideConfiguration source, ICspConfiguration destination)
        {
            if (source.EnabledOverride)
            {
                destination.Enabled = source.Enabled;
            }

            MergeDirectives(source, destination);
        }
        public void GetCspElementWithOverrides_OverrideAndNoConfigFromContext_MergesOverrides([Values(false, true)] bool reportOnly)
        {
            var overrideConfig = new CspOverrideConfiguration();

            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns((ICspConfiguration)null);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, true)).Returns(overrideConfig);
            _directiveConfigMapper.Setup(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()));

            var overrideElement = CspConfigurationOverrideHelper.GetCspConfigWithOverrides(MockContext, reportOnly);

            Assert.IsNotNull(overrideElement);
            _directiveConfigMapper.Verify(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()), Times.Once);
        }
        public void SetCspHeaderOverride_OverridesWithHeaderEnabled_HeaderEnabled([Values(false, true)] bool reportOnly)
        {
            var overrideConfig = new CspOverrideConfiguration();

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
            var cspOverride = new CspHeaderConfiguration {
                Enabled = true
            };

            CspConfigurationOverrideHelper.SetCspHeaderOverride(MockContext, cspOverride, reportOnly);

            Assert.IsTrue(overrideConfig.EnabledOverride);
            Assert.IsTrue(overrideConfig.Enabled);
        }
        public void SetCspReportUriOverride_ReportUriDisabledAndOverridden_ReturnsOverridenReportUri([Values(false, true)] bool reportOnly)
        {
            var overrideConfig = new CspOverrideConfiguration();

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
            var reportUri = new CspReportUriDirectiveConfiguration {
                Enabled = true, EnableBuiltinHandler = true
            };

            CspConfigurationOverrideHelper.SetCspReportUriOverride(MockContext, reportUri, reportOnly);

            Assert.IsTrue(overrideConfig.ReportUriDirective.Enabled);
            Assert.IsTrue(overrideConfig.ReportUriDirective.EnableBuiltinHandler);
        }
        public void GetCspStyleNonce_NonceRequestedAndNonceExists_ReturnsSameNonce()
        {
            var overrideConfig = new CspOverrideConfiguration {
                StyleSrcDirective = new CspDirectiveConfiguration {
                    Nonce = "heyhey"
                }
            };

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);

            var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

            Assert.AreEqual("heyhey", nonce);
        }
예제 #9
0
        public void GetCspElementWithOverrides_OverrideAndConfigFromContext_MergesConfigFromContextAndOverrides(bool reportOnly)
        {
            var cspConfig      = new CspConfiguration();
            var overrideConfig = new CspOverrideConfiguration();

            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContext>(), reportOnly)).Returns(cspConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContext>(), reportOnly, true)).Returns(overrideConfig);
            _directiveConfigMapper.Setup(m => m.MergeConfiguration(cspConfig, It.IsAny <ICspConfiguration>()));
            _directiveConfigMapper.Setup(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()));

            var overrideElement = _cspConfigurationOverrideHelper.GetCspConfigWithOverrides(MockContext, reportOnly);

            Assert.NotNull(overrideElement);
            _directiveConfigMapper.Verify(m => m.MergeConfiguration(cspConfig, It.IsAny <ICspConfiguration>()), Times.Once);
            _directiveConfigMapper.Verify(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()), Times.Once);
        }
예제 #10
0
        public void GetCspConfigurationOverride_HasOverrideConfig_ReturnsExistingConfig(bool allowNull)
        {
            var cspOverrideConfig           = new CspOverrideConfiguration();
            var cspReportOnlyOverrideConfig = new CspOverrideConfiguration();
            var overrideConfig = new ConfigurationOverrides {
                CspOverride = cspOverrideConfig, CspReportOnlyOverride = cspReportOnlyOverrideConfig
            };

            _systemWebContext.ConfigOverrides = overrideConfig;

            var cspResult           = _contextHelper.GetCspConfigurationOverride(_mockContext, false, allowNull);
            var cspReportOnlyResult = _contextHelper.GetCspConfigurationOverride(_mockContext, true, allowNull);

            Assert.Same(cspOverrideConfig, cspResult);
            Assert.Same(cspReportOnlyOverrideConfig, cspReportOnlyResult);
        }
        public void GetCspStyleNonce_StyleNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
        {
            var overrideConfig                 = new CspOverrideConfiguration();
            var overrideConfigReportOnly       = new CspOverrideConfiguration();
            var overrideCspDirective           = new CspDirectiveConfiguration();
            var overrideCspReportOnlyDirective = new CspDirectiveConfiguration();

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns(overrideCspDirective);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns(overrideCspReportOnlyDirective);

            var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

            Assert.AreEqual(nonce, overrideCspDirective.Nonce);
            Assert.AreEqual(nonce, overrideCspReportOnlyDirective.Nonce);
        }
        public void SetCspPluginTypesOverride_HasOverride_OverridesExistingOverride(bool reportOnly)
        {
            //There's an override for directive
            var currentDirectiveOverride = new CspPluginTypesDirectiveConfiguration();
            var overrideConfig           = new CspOverrideConfiguration {
                PluginTypesDirective = currentDirectiveOverride
            };

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <IHttpContextWrapper>(), reportOnly, false)).Returns(overrideConfig);
            //We need an override and a result.
            var directiveOverride       = new CspPluginTypesOverride();
            var directiveOverrideResult = new CspPluginTypesDirectiveConfiguration();

            _directiveOverrideHelper.Setup(h => h.GetOverridenCspPluginTypesConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);

            CspConfigurationOverrideHelper.SetCspPluginTypesOverride(MockContext, directiveOverride, reportOnly);

            //Verify that the override result was set on the override config.
            Assert.Same(directiveOverrideResult, overrideConfig.PluginTypesDirective);
        }
        public void SetCspSandboxOverride_HasOverride_OverridesExistingOverride([Values(false, true)] bool reportOnly)
        {
            //There's an override for directive
            var currentDirectiveOverride = new CspSandboxDirectiveConfiguration();
            var overrideConfig           = new CspOverrideConfiguration {
                SandboxDirective = currentDirectiveOverride
            };

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
            //We need an override and a result.
            var directiveOverride       = new CspSandboxOverride();
            var directiveOverrideResult = new CspSandboxDirectiveConfiguration();

            _directiveOverrideHelper.Setup(h => h.GetOverridenCspSandboxConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);

            CspConfigurationOverrideHelper.SetCspSandboxOverride(MockContext, directiveOverride, reportOnly);

            //Verify that the override result was set on the override config.
            Assert.AreSame(directiveOverrideResult, overrideConfig.SandboxDirective);
        }
예제 #14
0
        public void MergeOverrides_HeaderConfiguredAndDirectivesConfigured_MergesHeaderAndDirectives()
        {
            var directives   = new CspCommonDirectives().ToArray();
            var sourceConfig = new CspOverrideConfiguration {
                Enabled = false, EnabledOverride = true
            };

            foreach (var directive in directives)
            {
                _mapper.SetCspDirectiveConfig(sourceConfig, directive, new CspDirectiveConfiguration {
                    Nonce = directive.ToString()
                });
            }
            sourceConfig.PluginTypesDirective             = new CspPluginTypesDirectiveConfiguration();
            sourceConfig.SandboxDirective                 = new CspSandboxDirectiveConfiguration();
            sourceConfig.UpgradeInsecureRequestsDirective = new CspUpgradeDirectiveConfiguration();
            sourceConfig.MixedContentDirective            = new CspMixedContentDirectiveConfiguration();
            sourceConfig.ReportUriDirective               = new CspReportUriDirectiveConfiguration();

            var destinationConfig = new CspConfiguration(false)
            {
                Enabled = true
            };

            _mapper.MergeOverrides(sourceConfig, destinationConfig);

            Assert.False(destinationConfig.Enabled);

            foreach (var directive in directives)
            {
                var directiveConfig = _mapper.GetCspDirectiveConfig(destinationConfig, directive);
                Assert.NotNull(directiveConfig);
                Assert.Equal(directive.ToString(), directiveConfig.Nonce);
            }

            Assert.Same(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective);
            Assert.Same(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective);
            Assert.Same(sourceConfig.UpgradeInsecureRequestsDirective, destinationConfig.UpgradeInsecureRequestsDirective);
            Assert.Same(sourceConfig.MixedContentDirective, destinationConfig.MixedContentDirective);
            Assert.Same(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective);
        }
예제 #15
0
        public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride(bool reportOnly, CspDirectives directive)
        {
            var overrideConfig = new CspOverrideConfiguration();

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContext>(), reportOnly, false)).Returns(overrideConfig);
            //There's an override for directive
            var currentDirectiveOverride = new CspDirectiveConfiguration();

            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns(currentDirectiveOverride);
            //We need an override and a result.
            var directiveOverride       = new CspDirectiveOverride();
            var directiveOverrideResult = new CspDirectiveConfiguration();

            _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);
            //This should be called at the very end
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));

            _cspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);

            //Verify that the override result was set on the override config.
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
        }
        public void SetCspSandboxOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly)
        {
            var contextConfig  = new CspConfiguration();
            var overrideConfig = new CspOverrideConfiguration();

            //Returns CSP config from context
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns(contextConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
            //Returns cloned directive config from context config
            var clonedContextDirective = new CspSandboxDirectiveConfiguration();

            _directiveConfigMapper.Setup(m => m.GetCspSandboxConfigCloned(contextConfig)).Returns(clonedContextDirective);
            //We need an override and a result.
            var directiveOverride       = new CspSandboxOverride();
            var directiveOverrideResult = new CspSandboxDirectiveConfiguration();

            _directiveOverrideHelper.Setup(h => h.GetOverridenCspSandboxConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);

            CspConfigurationOverrideHelper.SetCspSandboxOverride(MockContext, directiveOverride, reportOnly);

            //Verify that the override result was set on the override config.
            Assert.AreSame(directiveOverrideResult, overrideConfig.SandboxDirective);
        }
예제 #17
0
        public void MergeOverrides_HeaderNotConfiguredAndDirectivesConfigured_MergesDirectives()
        {
            var directives   = CspCommonDirectives.Directives().ToArray();
            var sourceConfig = new CspOverrideConfiguration {
                Enabled = false, EnabledOverride = false
            };

            foreach (var directive in directives)
            {
                _mapper.SetCspDirectiveConfig(sourceConfig, directive, new CspDirectiveConfiguration {
                    Nonce = directive.ToString()
                });
            }

            sourceConfig.PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
            sourceConfig.SandboxDirective     = new CspSandboxDirectiveConfiguration();
            sourceConfig.ReportUriDirective   = new CspReportUriDirectiveConfiguration();
            var destinationConfig = new CspConfiguration(false)
            {
                Enabled = true
            };

            _mapper.MergeOverrides(sourceConfig, destinationConfig);

            Assert.IsTrue(destinationConfig.Enabled);

            foreach (var directive in directives)
            {
                var directiveConfig = _mapper.GetCspDirectiveConfig(destinationConfig, directive);
                Assert.IsNotNull(directiveConfig);
                Assert.AreEqual(directive.ToString(), directiveConfig.Nonce);
            }

            Assert.AreSame(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective);
            Assert.AreSame(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective);
            Assert.AreSame(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective);
        }