Пример #1
        // Smoke test: for every directive supplied by CspCommonDirectives.Directives, the mapper
        // must accept a directive configuration without throwing.
        public void SetCspDirectiveConfig_CommonCspDirectives_NoException([ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
        {
            var targetConfig = new CspConfiguration();
            var emptyDirectiveConfig = new CspDirectiveConfiguration();

            // Only the absence of an exception is checked; the stored value is not read back here.
            Assert.DoesNotThrow(
                () => _mapper.SetCspDirectiveConfig(targetConfig, directive, emptyDirectiveConfig));
        }
        // Two configurations that differ only in Nonce must compare as unequal, and the sign of
        // the result must flip when the operands are swapped.
        public void Compare_NonceDiffers_ReturnsNonzero()
        {
            var nonceA = new CspDirectiveConfiguration { Nonce = "a" };
            var nonceB = new CspDirectiveConfiguration { Nonce = "b" };

            var forward = _comparer.Compare(nonceA, nonceB);
            Assert.AreEqual(-1, forward);

            var reversed = _comparer.Compare(nonceB, nonceA);
            Assert.AreEqual(1, reversed);
        }
        // A difference in UnsafeInlineSrc alone must be visible to the comparer. The flag decides
        // whether 'unsafe-inline' is allowed, so a comparer that ignored it would hide a
        // security-relevant change between two configurations.
        public void Compare_UnsafeInlineSrcDiffers_ReturnsNonzero()
        {
            var inlineBlocked = new CspDirectiveConfiguration { UnsafeInlineSrc = false };
            var inlineAllowed = new CspDirectiveConfiguration { UnsafeInlineSrc = true };

            var forward = _comparer.Compare(inlineBlocked, inlineAllowed);
            Assert.AreEqual(-1, forward);

            var reversed = _comparer.Compare(inlineAllowed, inlineBlocked);
            Assert.AreEqual(1, reversed);
        }
        // A disabled and an enabled directive configuration must never compare as equal;
        // false sorts before true, and swapping the operands flips the sign.
        public void Compare_EnabledDiffers_ReturnsNonzero()
        {
            var disabled = new CspDirectiveConfiguration { Enabled = false };
            var enabled = new CspDirectiveConfiguration { Enabled = true };

            var forward = _comparer.Compare(disabled, enabled);
            Assert.AreEqual(-1, forward);

            var reversed = _comparer.Compare(enabled, disabled);
            Assert.AreEqual(1, reversed);
        }
        // An explicit Enabled value on the override must win over the base configuration.
        public void GetOverridenCspDirectiveConfig_EnabledOverride_EnabledOverriden([Values(true, false)] bool expectedResult)
        {
            // Start from the opposite value so a pass can only come from the override being applied.
            var baseConfig = new CspDirectiveConfiguration { Enabled = !expectedResult };
            var enabledOverride = new CspDirectiveOverride { Enabled = expectedResult };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(enabledOverride, baseConfig);

            Assert.AreEqual(expectedResult, result.Enabled);
        }
        // With no base configuration (null), the helper is expected to return a configuration
        // that equals a freshly constructed default.
        public void GetOverridenCspDirectiveConfig_NullConfig_ReturnsNewDefaultConfig()
        {
            var defaults = new CspDirectiveConfiguration();
            // The override repeats the default Enabled value, so it should not change the outcome.
            var passthroughOverride = new CspDirectiveOverride { Enabled = defaults.Enabled };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(passthroughOverride, null);

            // 'defaults' is never handed to the helper, so the value comparison below carries
            // the real check; the reference check cannot fail in this arrangement.
            Assert.AreNotSame(defaults, result);
            Assert.That(result, Is.EqualTo(defaults).Using(new CspDirectiveConfigurationComparer()));
        }
Пример #7
        // Cloning a default script-src directive must give a different instance with equal values.
        public void GetCspDirectiveConfigCloned_DefaultDirective_ClonesDirective()
        {
            var original = new CspDirectiveConfiguration();

            var cspConfig = new CspConfiguration(false) { ScriptSrcDirective = original };
            var configMapper = new CspConfigMapper();

            var copy = configMapper.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.ScriptSrc);

            // Reference inequality first: a returned alias of the original would let changes
            // made to the "clone" reach the original configuration.
            Assert.AreNotSame(original, copy);
            Assert.That(copy, Is.EqualTo(original).Using(new CspDirectiveConfigurationComparer()));
        }
        // Override with None = false on a configuration whose NoneSrc is already false:
        // every other source on the base configuration is expected to survive unchanged.
        public void GetOverridenCspDirectiveConfig_NoneDisabledOverride_OverridesNoneAndKeepsOtherSources()
        {
            var baseConfig = new CspDirectiveConfiguration
            {
                NoneSrc = false,
                SelfSrc = true,
                Nonce = "hei",
                UnsafeEvalSrc = true,
                UnsafeInlineSrc = true,
                CustomSources = new[] { "nwebsec.com" }
            };
            var noneOffOverride = new CspDirectiveOverride { None = false };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(noneOffOverride, baseConfig);

            // NOTE(review): the expected value is the input object itself. If the helper were to
            // modify and return its argument (implementation not shown here), this comparison
            // would still pass; a separately built expected configuration would be stricter.
            Assert.That(result, Is.EqualTo(baseConfig).Using(new CspDirectiveConfigurationComparer()));
        }
        // Turning 'none' on through an override must wipe every other source from the directive.
        // In CSP, 'none' only takes effect when it is the sole source expression; if it is emitted
        // next to other sources, browsers ignore it and the directive is looser than intended.
        public void GetOverridenCspDirectiveConfig_NoneEnabledOverride_OverridesNoneAndDropsOtherSources()
        {
            var permissiveBase = new CspDirectiveConfiguration
            {
                NoneSrc = false,
                SelfSrc = true,
                Nonce = "hei",
                UnsafeEvalSrc = true,
                UnsafeInlineSrc = true,
                CustomSources = new[] { "nwebsec.com" }
            };
            var noneOnOverride = new CspDirectiveOverride { None = true };
            // Expected outcome: a default configuration with only NoneSrc set.
            var noneOnly = new CspDirectiveConfiguration { NoneSrc = true };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(noneOnOverride, permissiveBase);

            Assert.That(result, Is.EqualTo(noneOnly).Using(new CspDirectiveConfigurationComparer()));
        }
Пример #10
        // Cloning a script-src directive with non-default values must give a different instance
        // whose fields, custom sources included, equal the original's.
        public void GetCspDirectiveConfigCloned_Configured_ClonesDirective()
        {
            var original = new CspDirectiveConfiguration
            {
                Enabled = false,
                NoneSrc = true,
                SelfSrc = true,
                UnsafeEvalSrc = true,
                UnsafeInlineSrc = false,
                CustomSources = new[] { "https://www.nwebsec.com", "www.klings.org" }
            };

            var cspConfig = new CspConfiguration(false) { ScriptSrcDirective = original };
            var configMapper = new CspConfigMapper();

            var copy = configMapper.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.ScriptSrc);

            // NOTE(review): Nonce is left at its default here, so this test does not show that a
            // non-default nonce is carried over to the clone.
            Assert.AreNotSame(original, copy);
            Assert.That(copy, Is.EqualTo(original).Using(new CspDirectiveConfigurationComparer()));
        }
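        // With InheritOtherSources = false, the override's OtherSources must replace the base
        // configuration's custom sources instead of being merged with them. A merge would leave
        // sources in the policy that the override intended to drop.
        public void GetOverridenCspDirectiveConfig_CustomSourcesOverride_OverriddesCustomSources()
        {
            var directiveConfig = new CspDirectiveConfiguration { CustomSources = new[] { "www.nwebsec.com" } };
            var directiveOverride = new CspDirectiveOverride { OtherSources = new[] { "*.nwebsec.com" }, InheritOtherSources = false };

            var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig);

            // Enumerate once, then assert with AreEqual so a failure reports the actual count and
            // value instead of a bare "expected true". This matches the style of the sibling
            // custom-sources tests.
            var sources = newConfig.CustomSources.ToList();

            Assert.IsFalse(newConfig.SelfSrc);
            Assert.AreEqual(1, sources.Count);
            Assert.AreEqual("*.nwebsec.com", sources[0]);
        }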
Пример #12
        // Returns a detached copy of the configuration held for the given directive, or null when
        // GetCspDirectiveConfig yields null for it. The scalar settings are copied one by one and
        // the custom sources are copied into a new list, so changes made to the copy cannot reach
        // the configuration it was taken from.
        // NOTE(review): presumably this is what keeps per-request overrides (such as a nonce) from
        // leaking into the shared base policy; confirm against the callers.
        public ICspDirectiveConfiguration GetCspDirectiveConfigCloned(ICspConfiguration cspConfig, CspDirectives directive)
        {
            var source = GetCspDirectiveConfig(cspConfig, directive);
            if (source == null)
            {
                return null;
            }

            var clone = new CspDirectiveConfiguration
            {
                Enabled = source.Enabled,
                NoneSrc = source.NoneSrc,
                SelfSrc = source.SelfSrc,
                UnsafeEvalSrc = source.UnsafeEvalSrc,
                UnsafeInlineSrc = source.UnsafeInlineSrc,
                Nonce = source.Nonce
            };

            // A missing source list becomes an empty list on the clone rather than null.
            if (source.CustomSources == null)
            {
                clone.CustomSources = new List<string>(0);
            }
            else
            {
                clone.CustomSources = source.CustomSources.ToList();
            }

            return clone;
        }
        // An inherited 'none' must be switched off as soon as an override enables any other source.
        // 'none' combined with other source expressions is not a valid "allow nothing" policy.
        public void GetOverridenCspDirectiveConfig_NoneInheritAndOtherSourcesOverride_OverridesNone()
        {
            // One override per kind of source that should displace 'none'.
            var sourceEnablingOverrides = new[]
            {
                new CspDirectiveOverride { Self = true },
                new CspDirectiveOverride { UnsafeEval = true },
                new CspDirectiveOverride { UnsafeInline = true },
                new CspDirectiveOverride { OtherSources = new[] { "nwebsec.com" } },
            };

            foreach (var candidate in sourceEnablingOverrides)
            {
                // A fresh base per iteration, so one case cannot influence the next.
                var noneOnlyBase = new CspDirectiveConfiguration { NoneSrc = true };

                var result = _overrideHelper.GetOverridenCspDirectiveConfig(candidate, noneOnlyBase);

                Assert.IsFalse(result.NoneSrc);
            }
        }
        // An explicit Self value on the override must win over the base configuration's SelfSrc.
        public void GetOverridenCspDirectiveConfig_SelfOverride_OverridesSelf([Values(true, false)] bool expectedResult)
        {
            // The base holds the opposite value, so only an applied override can make this pass.
            var baseConfig = new CspDirectiveConfiguration { SelfSrc = !expectedResult };
            var selfOverride = new CspDirectiveOverride { Self = expectedResult };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(selfOverride, baseConfig);

            Assert.AreEqual(expectedResult, result.SelfSrc);
        }
        // Custom sources are compared by content: two separate arrays holding the same elements
        // in the same order must compare as equal.
        public void Compare_CustomSourcesAreEqual_ReturnsZero()
        {
            var left = new CspDirectiveConfiguration { CustomSources = new[] { "a", "b" } };
            var right = new CspDirectiveConfiguration { CustomSources = new[] { "a", "b" } };

            var outcome = _comparer.Compare(left, right);

            Assert.AreEqual(0, outcome);
        }
        // When no style-src override exists yet, requesting a style nonce must clone the base
        // directive for both the enforced and the report-only policy, put the returned nonce on
        // each clone, and store each clone on its override configuration exactly once.
        // The nonce lands on the clones, not on the base configurations set up below.
        public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce()
        {
            var enforcedConfig = new CspConfiguration();
            var reportOnlyConfig = new CspConfiguration();
            var enforcedOverrides = new CspOverrideConfiguration();
            var reportOnlyOverrides = new CspOverrideConfiguration();
            var enforcedClone = new CspDirectiveConfiguration();
            var reportOnlyClone = new CspDirectiveConfiguration();

            // Context hands out the base configurations and the (empty) override containers.
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), false)).Returns(enforcedConfig);
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), true)).Returns(reportOnlyConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(enforcedOverrides);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), true, false)).Returns(reportOnlyOverrides);

            // No style-src override is registered for either policy.
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(enforcedOverrides, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(reportOnlyOverrides, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);

            // Cloning the base directive yields the instances inspected at the end of the test.
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(enforcedConfig, CspDirectives.StyleSrc)).Returns(enforcedClone);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(reportOnlyConfig, CspDirectives.StyleSrc)).Returns(reportOnlyClone);
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(enforcedOverrides, CspDirectives.StyleSrc, enforcedClone));
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(reportOnlyOverrides, CspDirectives.StyleSrc, reportOnlyClone));

            var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

            // Both policies must carry the very same nonce value that was handed back to the caller.
            Assert.AreEqual(nonce, enforcedClone.Nonce);
            Assert.AreEqual(nonce, reportOnlyClone.Nonce);
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(enforcedOverrides, CspDirectives.StyleSrc, enforcedClone), Times.Once);
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(reportOnlyOverrides, CspDirectives.StyleSrc, reportOnlyClone), Times.Once);
        }
        // With no existing override for the directive, SetCspDirectiveOverride must start from a
        // clone of the context's directive configuration, apply the override to that clone, and
        // store the result on the override configuration exactly once.
        public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)]bool reportOnly,
            [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
        {
            var baseConfig = new CspConfiguration();
            var overrides = new CspOverrideConfiguration();

            // The context supplies the base CSP configuration and the override container.
            _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns(baseConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrides);

            // Nothing has been overridden for this directive so far.
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrides, directive)).Returns((ICspDirectiveConfiguration)null);

            // The mapper hands back a clone of the directive from the base configuration.
            var clonedBaseDirective = new CspDirectiveConfiguration();
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(baseConfig, directive)).Returns(clonedBaseDirective);

            // The override to apply, and the configuration the override helper produces from it.
            var requestedOverride = new CspDirectiveOverride();
            var mergedDirective = new CspDirectiveConfiguration();
            _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(requestedOverride, clonedBaseDirective)).Returns(mergedDirective);

            // Final step expected from the code under test.
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrides, directive, mergedDirective));

            CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

            // The merged result, and nothing else, must have been written to the override container.
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrides, directive, mergedDirective), Times.Once);
        }
        // An override that only asks to inherit other sources, and supplies none of its own,
        // must leave the base configuration's custom sources as they were.
        public void GetOverridenCspDirectiveConfig_NoCustomSourcesOverride_KeepsCustomSources()
        {
            var expectedSources = new[] { "www.nwebsec.com" };
            var baseConfig = new CspDirectiveConfiguration { CustomSources = expectedSources };
            var inheritOnlyOverride = new CspDirectiveOverride { InheritOtherSources = true };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(inheritOnlyOverride, baseConfig);

            // Same elements in the same order.
            var sourcesMatch = expectedSources.SequenceEqual(result.CustomSources);
            Assert.IsTrue(sourcesMatch, "CustomSources differed.");
        }
        // An override that says nothing about UnsafeInline must carry the base value through
        // unchanged, in both directions: it may neither enable nor disable 'unsafe-inline'.
        public void GetOverridenCspDirectiveConfig_UnsafeInlineInherit_InheritsUnsafeInline([Values(true, false)] bool expectedResult)
        {
            var baseConfig = new CspDirectiveConfiguration { UnsafeInlineSrc = expectedResult };
            var emptyOverride = new CspDirectiveOverride();

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(emptyOverride, baseConfig);

            Assert.AreEqual(expectedResult, result.UnsafeInlineSrc);
        }
        // An explicit UnsafeEval value on the override must win over the base configuration.
        public void GetOverridenCspDirectiveConfig_UnsafeEvalOverride_OverridesUnsafeEval([Values(true, false)] bool expectedResult)
        {
            // The base holds the opposite value, so only an applied override can make this pass.
            var baseConfig = new CspDirectiveConfiguration { UnsafeEvalSrc = !expectedResult };
            var unsafeEvalOverride = new CspDirectiveOverride { UnsafeEval = expectedResult };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(unsafeEvalOverride, baseConfig);

            Assert.AreEqual(expectedResult, result.UnsafeEvalSrc);
        }
        // When the directive already has an override, SetCspDirectiveOverride must apply the new
        // override on top of that existing one and store the result exactly once. No clone of the
        // base configuration is set up for this path.
        public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride([Values(false, true)]bool reportOnly,
            [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
        {
            var overrides = new CspOverrideConfiguration();
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrides);

            // An override for this directive is already in place.
            var existingOverride = new CspDirectiveConfiguration();
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrides, directive)).Returns(existingOverride);

            // The new override, and the configuration the override helper produces from it.
            var requestedOverride = new CspDirectiveOverride();
            var mergedDirective = new CspDirectiveConfiguration();
            _directiveOverrideHelper.Setup(h => h.GetOverridenCspDirectiveConfig(requestedOverride, existingOverride)).Returns(mergedDirective);

            // Final step expected from the code under test.
            _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrides, directive, mergedDirective));

            CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

            // The merged result must have been written to the override container once.
            _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrides, directive, mergedDirective), Times.Once);
        }
        // With InheritOtherSources = true, override sources are merged with the inherited ones.
        // The override repeats a source the base already has, and the expected count of two shows
        // that the duplicate must not appear twice in the result.
        public void GetOverridenCspDirectiveConfig_CustomSourcesOverrideWithSourcesInherited_KeepsAllSources()
        {
            var baseConfig = new CspDirectiveConfiguration { CustomSources = new[] { "transformtool.codeplex.com", "nwebsec.codeplex.com" } };
            var mergingOverride = new CspDirectiveOverride { OtherSources = new[] { "nwebsec.codeplex.com" }, InheritOtherSources = true };

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(mergingOverride, baseConfig);

            Assert.AreEqual(2, result.CustomSources.Count());

            var mergedSources = result.CustomSources.ToList();
            Assert.Contains("transformtool.codeplex.com", mergedSources);
            Assert.Contains("nwebsec.codeplex.com", mergedSources);
        }
        // When style-src overrides already exist but carry no nonce, requesting a style nonce must
        // write the returned nonce onto the existing override for both the enforced and the
        // report-only policy.
        public void GetCspStyleNonce_StyleNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
        {
            var enforcedOverrides = new CspOverrideConfiguration();
            var reportOnlyOverrides = new CspOverrideConfiguration();
            var enforcedStyleOverride = new CspDirectiveConfiguration();
            var reportOnlyStyleOverride = new CspDirectiveConfiguration();

            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(enforcedOverrides);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), true, false)).Returns(reportOnlyOverrides);

            // Existing style-src overrides, created with default values (no nonce assigned).
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(enforcedOverrides, CspDirectives.StyleSrc)).Returns(enforcedStyleOverride);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(reportOnlyOverrides, CspDirectives.StyleSrc)).Returns(reportOnlyStyleOverride);

            var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

            // Both policies must end up with the same value that was returned to the caller.
            Assert.AreEqual(nonce, enforcedStyleOverride.Nonce);
            Assert.AreEqual(nonce, reportOnlyStyleOverride.Nonce);
        }
        // Source lists of equal length that differ in one element must compare as unequal, and
        // the sign of the result must flip when the operands are swapped.
        public void Compare_CustomSourcesDiffersInElements_ReturnsNonzero()
        {
            var endsWithB = new CspDirectiveConfiguration { CustomSources = new[] { "a", "b" } };
            var endsWithC = new CspDirectiveConfiguration { CustomSources = new[] { "a", "c" } };

            var forward = _comparer.Compare(endsWithB, endsWithC);
            Assert.AreEqual(-1, forward);

            var reversed = _comparer.Compare(endsWithC, endsWithB);
            Assert.AreEqual(1, reversed);
        }