public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)] bool reportOnly,
                                                                                                  [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
        {
            // Scenario: the request has no override for the directive yet, so the helper is expected to
            // start from a clone of the context-wide CSP config and store the merged result as the override.
            var basePolicy        = new CspConfiguration();
            var overrideContainer = new CspOverrideConfiguration();

            // The context hands out the base policy and the override container.
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns(basePolicy);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrideContainer);

            // The override container holds nothing for this directive.
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideContainer, directive)).Returns((ICspDirectiveConfiguration)null);

            // The mapper supplies a cloned copy of the base directive.
            var clonedBaseDirective = new CspDirectiveConfiguration();
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(basePolicy, directive)).Returns(clonedBaseDirective);

            // The override helper must receive the clone and return the merged directive.
            var requestedOverride = new CspDirectiveOverride();
            var mergedDirective   = new CspDirectiveConfiguration();
            _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(requestedOverride, clonedBaseDirective)).Returns(mergedDirective);

            // Final step of the flow: the merged directive is written to the override container.
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideContainer, directive, mergedDirective));

            CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

            // The merged directive must have been stored exactly once.
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideContainer, directive, mergedDirective), Times.Once);
        }
        /// <summary>
        /// Merges a directive override into a CSP directive configuration and returns the result.
        /// </summary>
        /// <param name="directiveOverride">The requested override. Flags left null keep the existing value.</param>
        /// <param name="directiveConfig">The configuration to start from; may be null, in which case a new one is created.</param>
        /// <returns>
        /// A new configuration carrying only 'none' when the override sets None to true; otherwise
        /// <paramref name="directiveConfig"/> itself (or a new instance when it was null) with the override applied.
        /// </returns>
        /// <remarks>
        /// A non-null <paramref name="directiveConfig"/> is modified in place. Callers that must leave a shared
        /// policy untouched have to pass a copy.
        /// The override can loosen a policy as well as tighten it: Self, UnsafeEval, UnsafeInline and OtherSources
        /// are applied as given, and this method does not validate the source strings.
        /// NOTE(review): presumably sources are validated where the override is populated; confirm.
        /// </remarks>
        public ICspDirectiveConfiguration GetOverridenCspDirectiveConfig(CspDirectiveOverride directiveOverride, ICspDirectiveConfiguration directiveConfig)
        {
            // An explicit 'none' wins outright and discards every other source. directiveOverride.Enabled is
            // not applied on this path, so Enabled keeps whatever a new CspDirectiveConfiguration starts with.
            if (directiveOverride.None.GetValueOrDefault())
            {
                var noneOnly = new CspDirectiveConfiguration();
                noneOnly.NoneSrc = true;
                return noneOnly;
            }

            var merged = directiveConfig ?? new CspDirectiveConfiguration();
            merged.Enabled = directiveOverride.Enabled;

            // Only an explicit false can reach this assignment; true returned above.
            if (directiveOverride.None.HasValue)
            {
                merged.NoneSrc = directiveOverride.None.Value;
            }

            // Set as soon as the override switches any source on; 'none' cannot coexist with it.
            var otherSourceEnabled = false;

            if (directiveOverride.Self.HasValue)
            {
                merged.SelfSrc     = directiveOverride.Self.Value;
                otherSourceEnabled = merged.SelfSrc;
            }

            if (directiveOverride.UnsafeEval.HasValue)
            {
                merged.UnsafeEvalSrc = directiveOverride.UnsafeEval.Value;
                if (!otherSourceEnabled)
                {
                    otherSourceEnabled = merged.UnsafeEvalSrc;
                }
            }

            if (directiveOverride.UnsafeInline.HasValue)
            {
                merged.UnsafeInlineSrc = directiveOverride.UnsafeInline.Value;
                if (!otherSourceEnabled)
                {
                    otherSourceEnabled = merged.UnsafeInlineSrc;
                }
            }

            // Without inheritance the existing custom sources are dropped before any new ones are added.
            if (!directiveOverride.InheritOtherSources)
            {
                merged.CustomSources = EmptySources;
            }

            if (directiveOverride.OtherSources != null && directiveOverride.OtherSources.Length > 0)
            {
                // Existing sources first, then the override's sources, with duplicates removed.
                var combined = new List<string>(merged.CustomSources);
                combined.AddRange(directiveOverride.OtherSources);
                merged.CustomSources = combined.Distinct();
                otherSourceEnabled   = true;
            }

            if (otherSourceEnabled)
            {
                merged.NoneSrc = false;
            }

            return merged;
        }
 /// <summary>
 /// Creates the attribute with a default directive override and the helpers it uses.
 /// </summary>
 /// <remarks>
 /// The default override has Enabled and InheritOtherSources both set to true.
 /// </remarks>
 protected CspDirectiveAttributeBase()
 {
     var defaultOverride = new CspDirectiveOverride();
     defaultOverride.Enabled             = true;
     defaultOverride.InheritOtherSources = true;
     DirectiveConfig = defaultOverride;

     _headerConfigurationOverrideHelper = new CspConfigurationOverrideHelper();
     _headerOverrideHelper              = new HeaderOverrideHelper();
 }
        public void GetOverridenCspDirectiveConfig_StrictDynamicInherit_InheritsStrictDynamic(bool expectedResult)
        {
            // A default override must leave the base StrictDynamicSrc value as it was.
            var emptyOverride = new CspDirectiveOverride();
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.StrictDynamicSrc = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(emptyOverride, baseDirective);

            Assert.Equal(expectedResult, merged.StrictDynamicSrc);
        }
        public void GetOverridenCspDirectiveConfig_UnsafeInlineInherit_InheritsUnsafeInline([Values(true, false)] bool expectedResult)
        {
            // A default override must leave the base UnsafeInlineSrc value as it was, whether on or off.
            var emptyOverride = new CspDirectiveOverride();
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.UnsafeInlineSrc = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(emptyOverride, baseDirective);

            Assert.AreEqual(expectedResult, merged.UnsafeInlineSrc);
        }
        public void GetOverridenCspDirectiveConfig_UnsafeEvalInherit_InheritsUnsafeEval(bool expectedResult)
        {
            // A default override must leave the base UnsafeEvalSrc value as it was, whether on or off.
            var emptyOverride = new CspDirectiveOverride();
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.UnsafeEvalSrc = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(emptyOverride, baseDirective);

            Assert.Equal(expectedResult, merged.UnsafeEvalSrc);
        }
        public void GetOverridenCspDirectiveConfig_NullConfig_ReturnsNewDefaultConfig()
        {
            // With no base configuration the helper must build a new one that compares equal to a default.
            var defaultDirective = new CspDirectiveConfiguration();

            // Mirror the default's Enabled value so the override changes nothing relative to it.
            var neutralOverride = new CspDirectiveOverride();
            neutralOverride.Enabled = defaultDirective.Enabled;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(neutralOverride, null);

            Assert.NotSame(defaultDirective, merged);
            // NOTE(review): xUnit's Assert.Equal takes (expected, actual); the two are passed in the
            // opposite order here, which only affects how a failure is reported.
            Assert.Equal(merged, defaultDirective, new CspDirectiveConfigurationEqualityComparer());
        }
        public void GetOverridenCspDirectiveConfig_NullConfig_ReturnsNewDefaultConfig()
        {
            // With no base configuration the helper must build a new one that compares equal to a default.
            var defaultDirective = new CspDirectiveConfiguration();

            // Mirror the default's Enabled value so the override changes nothing relative to it.
            var neutralOverride = new CspDirectiveOverride();
            neutralOverride.Enabled = defaultDirective.Enabled;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(neutralOverride, null);

            Assert.AreNotSame(defaultDirective, merged);
            Assert.That(merged, Is.EqualTo(defaultDirective).Using(new CspDirectiveConfigurationComparer()));
        }
        public void GetOverridenCspDirectiveConfig_SelfOverride_OverridesSelf(bool expectedResult)
        {
            // The base starts with the opposite value, so only the override can produce the expected one.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.SelfSrc = !expectedResult;

            var selfOverride = new CspDirectiveOverride();
            selfOverride.Self = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(selfOverride, baseDirective);

            Assert.Equal(expectedResult, merged.SelfSrc);
        }
        public void GetOverridenCspDirectiveConfig_UnsafeEvalOverride_OverridesUnsafeEval([Values(true, false)] bool expectedResult)
        {
            // The base starts with the opposite value, so only the override can produce the expected one.
            // Covers both directions: the override can switch UnsafeEvalSrc on as well as off.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.UnsafeEvalSrc = !expectedResult;

            var unsafeEvalOverride = new CspDirectiveOverride();
            unsafeEvalOverride.UnsafeEval = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(unsafeEvalOverride, baseDirective);

            Assert.AreEqual(expectedResult, merged.UnsafeEvalSrc);
        }
        public void GetOverridenCspDirectiveConfig_UnsafeInlineOverride_OverridesUnsafeInline(bool expectedResult)
        {
            // The base starts with the opposite value, so only the override can produce the expected one.
            // Covers both directions: the override can switch UnsafeInlineSrc on as well as off.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.UnsafeInlineSrc = !expectedResult;

            var unsafeInlineOverride = new CspDirectiveOverride();
            unsafeInlineOverride.UnsafeInline = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(unsafeInlineOverride, baseDirective);

            Assert.Equal(expectedResult, merged.UnsafeInlineSrc);
        }
        public void GetOverridenCspDirectiveConfig_EnabledOverride_EnabledOverriden(bool expectedResult)
        {
            // The override's Enabled value replaces the base value, so a directive can be switched off too.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.Enabled = !expectedResult;

            var enabledOverride = new CspDirectiveOverride();
            enabledOverride.Enabled = expectedResult;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(enabledOverride, baseDirective);

            Assert.Equal(expectedResult, merged.Enabled);
        }
        public void GetOverridenCspDirectiveConfig_NoCustomSourcesOverride_KeepsCustomSources()
        {
            // An override that inherits sources and adds none must leave the base source list unchanged.
            string[] inheritedSources = { "www.nwebsec.com" };

            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.CustomSources = inheritedSources;

            var inheritOnly = new CspDirectiveOverride();
            inheritOnly.InheritOtherSources = true;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(inheritOnly, baseDirective);

            var sourcesMatch = inheritedSources.SequenceEqual(merged.CustomSources);
            Assert.True(sourcesMatch, "CustomSources differed.");
        }
        public void GetOverridenCspDirectiveConfig_CustomSourcesOverrideWithSourcesInherited_KeepsAllSources()
        {
            // The override repeats a source the base already has; the merged list must hold each
            // source once, so two entries are expected rather than three.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.CustomSources = new[] { "transformtool.codeplex.com", "nwebsec.codeplex.com" };

            var additiveOverride = new CspDirectiveOverride();
            additiveOverride.OtherSources        = new[] { "nwebsec.codeplex.com" };
            additiveOverride.InheritOtherSources = true;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(additiveOverride, baseDirective);

            Assert.Equal(2, merged.CustomSources.Count());
            Assert.Contains("transformtool.codeplex.com", merged.CustomSources.ToList());
            Assert.Contains("nwebsec.codeplex.com", merged.CustomSources.ToList());
        }
        public void GetOverridenCspDirectiveConfig_CustomSourcesOverride_OverriddesCustomSources()
        {
            // With inheritance off, the base source is dropped and only the override's source remains.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.CustomSources = new[] { "www.nwebsec.com" };

            var replacingOverride = new CspDirectiveOverride();
            replacingOverride.OtherSources        = new[] { "*.nwebsec.com" };
            replacingOverride.InheritOtherSources = false;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(replacingOverride, baseDirective);

            // Adding custom sources must not switch SelfSrc on as a side effect.
            Assert.False(merged.SelfSrc);
            Assert.True(merged.CustomSources.Count() == 1);
            Assert.True(merged.CustomSources.First().Equals("*.nwebsec.com"));
        }
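        public void GetOverridenCspDirectiveConfig_NoneDisabledOverride_OverridesNoneAndKeepsOtherSources()
        {
            // Overriding with None = false must leave every other source of the base directive in place.
            //
            // The expectation is a separate object. If the helper returns the instance it was given
            // (modified in place), comparing the result against that same input compares an object with
            // itself, and the assertion could not detect a dropped source.
            //
            // One array instance is shared by input and expectation so the check holds whether the comparer
            // looks at CustomSources by reference or element by element.
            var sources = new[] { "nwebsec.com" };

            var directiveConfig = new CspDirectiveConfiguration
            {
                NoneSrc          = false,
                SelfSrc          = true,
                Nonce            = "hei",
                UnsafeInlineSrc  = true,
                UnsafeEvalSrc    = true,
                StrictDynamicSrc = true,
                CustomSources    = sources
            };

            // InheritOtherSources is stated explicitly so the test does not depend on the override type's default.
            var directiveOverride = new CspDirectiveOverride
            {
                None                = false,
                InheritOtherSources = true
            };

            var expectedConfig = new CspDirectiveConfiguration
            {
                // The helper copies Enabled from the override.
                Enabled          = directiveOverride.Enabled,
                NoneSrc          = false,
                SelfSrc          = true,
                Nonce            = "hei",
                UnsafeInlineSrc  = true,
                UnsafeEvalSrc    = true,
                StrictDynamicSrc = true,
                CustomSources    = sources
            };

            var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig);

            Assert.Equal(expectedConfig, newConfig, new CspDirectiveConfigurationEqualityComparer());
        }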
        public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride(bool reportOnly, CspDirectives directive)
        {
            // Scenario: an override for the directive already exists, so the helper is expected to merge
            // the new override into it and store the result.
            var overrideContainer = new CspOverrideConfiguration();
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), reportOnly, false)).Returns(overrideContainer);

            // The override container already holds a directive config.
            var existingDirectiveOverride = new CspDirectiveConfiguration();
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideContainer, directive)).Returns(existingDirectiveOverride);

            // The override helper must receive the existing override and return the merged directive.
            var requestedOverride = new CspDirectiveOverride();
            var mergedDirective   = new CspDirectiveConfiguration();
            _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(requestedOverride, existingDirectiveOverride)).Returns(mergedDirective);

            // Final step of the flow: the merged directive is written to the override container.
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideContainer, directive, mergedDirective));

            _cspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

            // The merged directive must have been stored exactly once.
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideContainer, directive, mergedDirective), Times.Once);
        }
        public void GetOverridenCspDirectiveConfig_NoneEnabledOverride_OverridesNoneAndDropsOtherSources()
        {
            // Setting None = true must discard every other source held by the base directive,
            // including the nonce, the unsafe flags and the custom sources.
            var baseDirective = new CspDirectiveConfiguration();
            baseDirective.NoneSrc         = false;
            baseDirective.SelfSrc         = true;
            baseDirective.Nonce           = "hei";
            baseDirective.UnsafeEvalSrc   = true;
            baseDirective.UnsafeInlineSrc = true;
            baseDirective.CustomSources   = new[] { "nwebsec.com" };

            var noneOverride = new CspDirectiveOverride();
            noneOverride.None = true;

            // Expected outcome: a configuration with nothing but NoneSrc set.
            var noneOnly = new CspDirectiveConfiguration();
            noneOnly.NoneSrc = true;

            var merged = _overrideHelper.GetOverridenCspDirectiveConfig(noneOverride, baseDirective);

            Assert.That(merged, Is.EqualTo(noneOnly).Using(new CspDirectiveConfigurationComparer()));
        }
        /// <summary>
        /// Applies a directive override to the CSP override configuration obtained for the given context.
        /// </summary>
        /// <param name="context">The HTTP context whose CSP configuration is overridden.</param>
        /// <param name="directive">The CSP directive to override.</param>
        /// <param name="config">The override to merge in.</param>
        /// <param name="reportOnly">Passed through to the context helper when looking up both configurations.</param>
        /// <remarks>
        /// NOTE(review): the meaning of the literal false passed to GetCspConfigurationOverride is not visible
        /// here, and a null return from that call is not handled; confirm against the helper.
        /// </remarks>
        internal void SetCspDirectiveOverride(HttpContextBase context, CspDirectives directive, CspDirectiveOverride config, bool reportOnly)
        {
            var overrideContainer = _contextConfigurationHelper.GetCspConfigurationOverride(context, reportOnly, false);

            // Start from the override already stored for this directive. If there is none, start from a
            // cloned copy of the context configuration's directive, so that a merge which modifies its
            // input does not write into the context configuration itself.
            var startingPoint = _configMapper.GetCspDirectiveConfig(overrideContainer, directive)
                                ?? _configMapper.GetCspDirectiveConfigCloned(
                                       _contextConfigurationHelper.GetCspConfiguration(context, reportOnly),
                                       directive);

            var mergedDirective = _cspDirectiveOverrideHelper.GetOverridenCspDirectiveConfig(config, startingPoint);

            _configMapper.SetCspDirectiveConfig(overrideContainer, directive, mergedDirective);
        }