public void MergeOverrides_HeaderConfiguredAndDirectivesNotConfigured_MergesHeaderConfigAndInitializesDirectives()
{
var sourceConfig = new CspOverrideConfiguration {
Enabled = false, EnabledOverride = true
};
var destinationConfig = new CspConfiguration(false)
{
Enabled = true
};
_mapper.MergeOverrides(sourceConfig, destinationConfig);
var directives = CspCommonDirectives.Directives().ToArray();
Assert.IsFalse(destinationConfig.Enabled);
foreach (var directive in directives)
{
Assert.IsNotNull(_mapper.GetCspDirectiveConfig(destinationConfig, directive));
}
Assert.IsNotNull(destinationConfig.PluginTypesDirective);
Assert.IsNotNull(destinationConfig.SandboxDirective);
Assert.IsNotNull(destinationConfig.UpgradeInsecureRequestsDirective);
Assert.IsNotNull(destinationConfig.ReportUriDirective);
}
public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce()
{
var cspConfig = new CspConfiguration();
var cspConfigReportOnly = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
var overrideConfigReportOnly = new CspOverrideConfiguration();
var clonedCspDirective = new CspDirectiveConfiguration();
var clonedCspReportOnlyDirective = new CspDirectiveConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), false)).Returns(cspConfig);
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), true)).Returns(cspConfigReportOnly);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
//No overrides
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.StyleSrc)).Returns(clonedCspDirective);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfigReportOnly, CspDirectives.StyleSrc)).Returns(clonedCspReportOnlyDirective);
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective));
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective));
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual(nonce, clonedCspDirective.Nonce);
Assert.AreEqual(nonce, clonedCspReportOnlyDirective.Nonce);
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective), Times.Once);
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective), Times.Once);
}
public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly,
[ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
var contextConfig = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
//Returns CSP config from context
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns(contextConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//There's no override for directive
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns((ICspDirectiveConfiguration)null);
//Returns cloned directive config from context config
var clonedContextDirective = new CspDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(contextConfig, directive)).Returns(clonedContextDirective);
//We need an override and a result.
var directiveOverride = new CspDirectiveOverride();
var directiveOverrideResult = new CspDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);
//This should be called at the very end
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));
CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
}
public void MergeOverrides(CspOverrideConfiguration source, ICspConfiguration destination)
{
if (source.EnabledOverride)
{
destination.Enabled = source.Enabled;
}
MergeDirectives(source, destination);
}
public void GetCspElementWithOverrides_OverrideAndNoConfigFromContext_MergesOverrides([Values(false, true)] bool reportOnly)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns((ICspConfiguration)null);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, true)).Returns(overrideConfig);
_directiveConfigMapper.Setup(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()));
var overrideElement = CspConfigurationOverrideHelper.GetCspConfigWithOverrides(MockContext, reportOnly);
Assert.IsNotNull(overrideElement);
_directiveConfigMapper.Verify(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()), Times.Once);
}
public void SetCspHeaderOverride_OverridesWithHeaderEnabled_HeaderEnabled([Values(false, true)] bool reportOnly)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
var cspOverride = new CspHeaderConfiguration {
Enabled = true
};
CspConfigurationOverrideHelper.SetCspHeaderOverride(MockContext, cspOverride, reportOnly);
Assert.IsTrue(overrideConfig.EnabledOverride);
Assert.IsTrue(overrideConfig.Enabled);
}
public void SetCspReportUriOverride_ReportUriDisabledAndOverridden_ReturnsOverridenReportUri([Values(false, true)] bool reportOnly)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
var reportUri = new CspReportUriDirectiveConfiguration {
Enabled = true, EnableBuiltinHandler = true
};
CspConfigurationOverrideHelper.SetCspReportUriOverride(MockContext, reportUri, reportOnly);
Assert.IsTrue(overrideConfig.ReportUriDirective.Enabled);
Assert.IsTrue(overrideConfig.ReportUriDirective.EnableBuiltinHandler);
}
public void GetCspStyleNonce_NonceRequestedAndNonceExists_ReturnsSameNonce()
{
var overrideConfig = new CspOverrideConfiguration {
StyleSrcDirective = new CspDirectiveConfiguration {
Nonce = "heyhey"
}
};
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual("heyhey", nonce);
}
public void GetCspElementWithOverrides_OverrideAndConfigFromContext_MergesConfigFromContextAndOverrides(bool reportOnly)
{
var cspConfig = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContext>(), reportOnly)).Returns(cspConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContext>(), reportOnly, true)).Returns(overrideConfig);
_directiveConfigMapper.Setup(m => m.MergeConfiguration(cspConfig, It.IsAny <ICspConfiguration>()));
_directiveConfigMapper.Setup(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()));
var overrideElement = _cspConfigurationOverrideHelper.GetCspConfigWithOverrides(MockContext, reportOnly);
Assert.NotNull(overrideElement);
_directiveConfigMapper.Verify(m => m.MergeConfiguration(cspConfig, It.IsAny <ICspConfiguration>()), Times.Once);
_directiveConfigMapper.Verify(m => m.MergeOverrides(overrideConfig, It.IsAny <ICspConfiguration>()), Times.Once);
}
public void GetCspConfigurationOverride_HasOverrideConfig_ReturnsExistingConfig(bool allowNull)
{
var cspOverrideConfig = new CspOverrideConfiguration();
var cspReportOnlyOverrideConfig = new CspOverrideConfiguration();
var overrideConfig = new ConfigurationOverrides {
CspOverride = cspOverrideConfig, CspReportOnlyOverride = cspReportOnlyOverrideConfig
};
_systemWebContext.ConfigOverrides = overrideConfig;
var cspResult = _contextHelper.GetCspConfigurationOverride(_mockContext, false, allowNull);
var cspReportOnlyResult = _contextHelper.GetCspConfigurationOverride(_mockContext, true, allowNull);
Assert.Same(cspOverrideConfig, cspResult);
Assert.Same(cspReportOnlyOverrideConfig, cspReportOnlyResult);
}
public void GetCspStyleNonce_StyleNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
{
var overrideConfig = new CspOverrideConfiguration();
var overrideConfigReportOnly = new CspOverrideConfiguration();
var overrideCspDirective = new CspDirectiveConfiguration();
var overrideCspReportOnlyDirective = new CspDirectiveConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), false, false)).Returns(overrideConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns(overrideCspDirective);
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns(overrideCspReportOnlyDirective);
var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);
Assert.AreEqual(nonce, overrideCspDirective.Nonce);
Assert.AreEqual(nonce, overrideCspReportOnlyDirective.Nonce);
}
public void SetCspPluginTypesOverride_HasOverride_OverridesExistingOverride(bool reportOnly)
{
//There's an override for directive
var currentDirectiveOverride = new CspPluginTypesDirectiveConfiguration();
var overrideConfig = new CspOverrideConfiguration {
PluginTypesDirective = currentDirectiveOverride
};
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <IHttpContextWrapper>(), reportOnly, false)).Returns(overrideConfig);
//We need an override and a result.
var directiveOverride = new CspPluginTypesOverride();
var directiveOverrideResult = new CspPluginTypesDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspPluginTypesConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);
CspConfigurationOverrideHelper.SetCspPluginTypesOverride(MockContext, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
Assert.Same(directiveOverrideResult, overrideConfig.PluginTypesDirective);
}
public void SetCspSandboxOverride_HasOverride_OverridesExistingOverride([Values(false, true)] bool reportOnly)
{
//There's an override for directive
var currentDirectiveOverride = new CspSandboxDirectiveConfiguration();
var overrideConfig = new CspOverrideConfiguration {
SandboxDirective = currentDirectiveOverride
};
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//We need an override and a result.
var directiveOverride = new CspSandboxOverride();
var directiveOverrideResult = new CspSandboxDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspSandboxConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);
CspConfigurationOverrideHelper.SetCspSandboxOverride(MockContext, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
Assert.AreSame(directiveOverrideResult, overrideConfig.SandboxDirective);
}
public void MergeOverrides_HeaderConfiguredAndDirectivesConfigured_MergesHeaderAndDirectives()
{
var directives = new CspCommonDirectives().ToArray();
var sourceConfig = new CspOverrideConfiguration {
Enabled = false, EnabledOverride = true
};
foreach (var directive in directives)
{
_mapper.SetCspDirectiveConfig(sourceConfig, directive, new CspDirectiveConfiguration {
Nonce = directive.ToString()
});
}
sourceConfig.PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
sourceConfig.SandboxDirective = new CspSandboxDirectiveConfiguration();
sourceConfig.UpgradeInsecureRequestsDirective = new CspUpgradeDirectiveConfiguration();
sourceConfig.MixedContentDirective = new CspMixedContentDirectiveConfiguration();
sourceConfig.ReportUriDirective = new CspReportUriDirectiveConfiguration();
var destinationConfig = new CspConfiguration(false)
{
Enabled = true
};
_mapper.MergeOverrides(sourceConfig, destinationConfig);
Assert.False(destinationConfig.Enabled);
foreach (var directive in directives)
{
var directiveConfig = _mapper.GetCspDirectiveConfig(destinationConfig, directive);
Assert.NotNull(directiveConfig);
Assert.Equal(directive.ToString(), directiveConfig.Nonce);
}
Assert.Same(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective);
Assert.Same(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective);
Assert.Same(sourceConfig.UpgradeInsecureRequestsDirective, destinationConfig.UpgradeInsecureRequestsDirective);
Assert.Same(sourceConfig.MixedContentDirective, destinationConfig.MixedContentDirective);
Assert.Same(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective);
}
public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride(bool reportOnly, CspDirectives directive)
{
var overrideConfig = new CspOverrideConfiguration();
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContext>(), reportOnly, false)).Returns(overrideConfig);
//There's an override for directive
var currentDirectiveOverride = new CspDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive)).Returns(currentDirectiveOverride);
//We need an override and a result.
var directiveOverride = new CspDirectiveOverride();
var directiveOverrideResult = new CspDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(directiveOverride, currentDirectiveOverride)).Returns(directiveOverrideResult);
//This should be called at the very end
_directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult));
_cspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
_directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, directive, directiveOverrideResult), Times.Once);
}
public void SetCspSandboxOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly)
{
var contextConfig = new CspConfiguration();
var overrideConfig = new CspOverrideConfiguration();
//Returns CSP config from context
_contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny <HttpContextBase>(), reportOnly)).Returns(contextConfig);
_contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny <HttpContextBase>(), reportOnly, false)).Returns(overrideConfig);
//Returns cloned directive config from context config
var clonedContextDirective = new CspSandboxDirectiveConfiguration();
_directiveConfigMapper.Setup(m => m.GetCspSandboxConfigCloned(contextConfig)).Returns(clonedContextDirective);
//We need an override and a result.
var directiveOverride = new CspSandboxOverride();
var directiveOverrideResult = new CspSandboxDirectiveConfiguration();
_directiveOverrideHelper.Setup(h => h.GetOverridenCspSandboxConfig(directiveOverride, clonedContextDirective)).Returns(directiveOverrideResult);
CspConfigurationOverrideHelper.SetCspSandboxOverride(MockContext, directiveOverride, reportOnly);
//Verify that the override result was set on the override config.
Assert.AreSame(directiveOverrideResult, overrideConfig.SandboxDirective);
}
public void MergeOverrides_HeaderNotConfiguredAndDirectivesConfigured_MergesDirectives()
{
var directives = CspCommonDirectives.Directives().ToArray();
var sourceConfig = new CspOverrideConfiguration {
Enabled = false, EnabledOverride = false
};
foreach (var directive in directives)
{
_mapper.SetCspDirectiveConfig(sourceConfig, directive, new CspDirectiveConfiguration {
Nonce = directive.ToString()
});
}
sourceConfig.PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
sourceConfig.SandboxDirective = new CspSandboxDirectiveConfiguration();
sourceConfig.ReportUriDirective = new CspReportUriDirectiveConfiguration();
var destinationConfig = new CspConfiguration(false)
{
Enabled = true
};
_mapper.MergeOverrides(sourceConfig, destinationConfig);
Assert.IsTrue(destinationConfig.Enabled);
foreach (var directive in directives)
{
var directiveConfig = _mapper.GetCspDirectiveConfig(destinationConfig, directive);
Assert.IsNotNull(directiveConfig);
Assert.AreEqual(directive.ToString(), directiveConfig.Nonce);
}
Assert.AreSame(sourceConfig.PluginTypesDirective, destinationConfig.PluginTypesDirective);
Assert.AreSame(sourceConfig.SandboxDirective, destinationConfig.SandboxDirective);
Assert.AreSame(sourceConfig.ReportUriDirective, destinationConfig.ReportUriDirective);
}