/// <summary>
/// Checks that the mapper accepts a directive configuration for each directive supplied by the
/// "Directives" member of CspCommonDirectives without throwing.
/// </summary>
/// <param name="directive">The CSP directive under test, supplied by the value source.</param>
public void SetCspDirectiveConfig_CommonCspDirectives_NoException([ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
    // Arrange: an empty CSP configuration and an empty directive configuration to store in it.
    var cspConfig = new CspConfiguration();
    var directiveToStore = new CspDirectiveConfiguration();

    // Act + assert: storing the directive must not throw for any of the supplied directives.
    Assert.DoesNotThrow(
        () => _mapper.SetCspDirectiveConfig(cspConfig, directive, directiveToStore));
}
/// <summary>
/// Two directive configurations that differ only in their Nonce must not compare as equal,
/// whichever one is passed first.
/// </summary>
public void Compare_NonceDiffers_ReturnsNonzero()
{
    var withNonceA = new CspDirectiveConfiguration { Nonce = "a" };
    var withNonceB = new CspDirectiveConfiguration { Nonce = "b" };

    // Forward order is expected to yield -1 ...
    var forward = _comparer.Compare(withNonceA, withNonceB);
    Assert.AreEqual(-1, forward);

    // ... and the swapped order 1.
    var swapped = _comparer.Compare(withNonceB, withNonceA);
    Assert.AreEqual(1, swapped);
}
/// <summary>
/// Two directive configurations that differ only in UnsafeInlineSrc must not compare as equal,
/// whichever one is passed first.
/// </summary>
public void Compare_UnsafeInlineSrcDiffers_ReturnsNonzero()
{
    // 'unsafe-inline' weakens a policy, so a comparer that ignored this flag would hide a
    // security-relevant difference between two configurations.
    var withoutUnsafeInline = new CspDirectiveConfiguration { UnsafeInlineSrc = false };
    var withUnsafeInline = new CspDirectiveConfiguration { UnsafeInlineSrc = true };

    var forward = _comparer.Compare(withoutUnsafeInline, withUnsafeInline);
    Assert.AreEqual(-1, forward);

    var swapped = _comparer.Compare(withUnsafeInline, withoutUnsafeInline);
    Assert.AreEqual(1, swapped);
}
/// <summary>
/// Two directive configurations that differ only in Enabled must not compare as equal,
/// whichever one is passed first.
/// </summary>
public void Compare_EnabledDiffers_ReturnsNonzero()
{
    var disabledConfig = new CspDirectiveConfiguration { Enabled = false };
    var enabledConfig = new CspDirectiveConfiguration { Enabled = true };

    var forward = _comparer.Compare(disabledConfig, enabledConfig);
    Assert.AreEqual(-1, forward);

    var swapped = _comparer.Compare(enabledConfig, disabledConfig);
    Assert.AreEqual(1, swapped);
}
/// <summary>
/// An override that sets Enabled must win over the Enabled value of the base directive configuration.
/// </summary>
/// <param name="expectedResult">The Enabled value carried by the override and expected in the result.</param>
public void GetOverridenCspDirectiveConfig_EnabledOverride_EnabledOverriden([Values(true, false)] bool expectedResult)
{
    // The base starts at the opposite value, so the assertion only passes if the override was applied.
    var baseConfig = new CspDirectiveConfiguration { Enabled = !expectedResult };
    var enabledOverride = new CspDirectiveOverride { Enabled = expectedResult };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(enabledOverride, baseConfig);

    Assert.AreEqual(expectedResult, result.Enabled);
}
/// <summary>
/// When no base directive configuration is supplied (null), the helper must return a new
/// configuration that compares equal to a default-constructed one.
/// </summary>
public void GetOverridenCspDirectiveConfig_NullConfig_ReturnsNewDefaultConfig()
{
    var defaultConfig = new CspDirectiveConfiguration();

    // The override repeats the default Enabled value, so it does not move the result away from the default.
    var neutralOverride = new CspDirectiveOverride { Enabled = defaultConfig.Enabled };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(neutralOverride, null);

    // Distinct instance, same content.
    Assert.AreNotSame(defaultConfig, result);
    var configComparer = new CspDirectiveConfigurationComparer();
    Assert.That(result, Is.EqualTo(defaultConfig).Using(configComparer));
}
/// <summary>
/// Cloning a default-constructed script-src directive must yield a different instance whose
/// content compares equal to the original.
/// </summary>
public void GetCspDirectiveConfigCloned_DefaultDirective_ClonesDirective()
{
    var originalDirective = new CspDirectiveConfiguration();
    var cspConfig = new CspConfiguration(false) { ScriptSrcDirective = originalDirective };
    var configMapper = new CspConfigMapper();

    var clonedDirective = configMapper.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.ScriptSrc);

    // A clone that is the same reference would let later changes reach the original directive.
    Assert.AreNotSame(originalDirective, clonedDirective);
    var configComparer = new CspDirectiveConfigurationComparer();
    Assert.That(clonedDirective, Is.EqualTo(originalDirective).Using(configComparer));
}
/// <summary>
/// An override with None = false applied to a configuration that already has NoneSrc = false
/// must leave every other source of that configuration untouched.
/// </summary>
public void GetOverridenCspDirectiveConfig_NoneDisabledOverride_OverridesNoneAndKeepsOtherSources()
{
    // Base configuration with every kind of source populated.
    var populatedConfig = new CspDirectiveConfiguration
    {
        NoneSrc = false,
        SelfSrc = true,
        Nonce = "hei",
        UnsafeEvalSrc = true,
        UnsafeInlineSrc = true,
        CustomSources = new[] { "nwebsec.com" }
    };
    var noneDisabledOverride = new CspDirectiveOverride { None = false };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(noneDisabledOverride, populatedConfig);

    // The result is expected to compare equal to the unchanged base configuration.
    var configComparer = new CspDirectiveConfigurationComparer();
    Assert.That(result, Is.EqualTo(populatedConfig).Using(configComparer));
}
/// <summary>
/// An override that enables 'none' must produce a configuration that contains 'none' only;
/// every source inherited from the base configuration is dropped.
/// </summary>
public void GetOverridenCspDirectiveConfig_NoneEnabledOverride_OverridesNoneAndDropsOtherSources()
{
    // Overriding with 'none' should clear all other sources: in a CSP source list 'none' is only
    // meaningful when it stands alone.
    var populatedConfig = new CspDirectiveConfiguration
    {
        NoneSrc = false,
        SelfSrc = true,
        Nonce = "hei",
        UnsafeEvalSrc = true,
        UnsafeInlineSrc = true,
        CustomSources = new[] { "nwebsec.com" }
    };
    var noneEnabledOverride = new CspDirectiveOverride { None = true };
    var noneOnlyConfig = new CspDirectiveConfiguration { NoneSrc = true };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(noneEnabledOverride, populatedConfig);

    var configComparer = new CspDirectiveConfigurationComparer();
    Assert.That(result, Is.EqualTo(noneOnlyConfig).Using(configComparer));
}
/// <summary>
/// Cloning a script-src directive with non-default values must yield a different instance
/// whose content compares equal to the original.
/// </summary>
public void GetCspDirectiveConfigCloned_Configured_ClonesDirective()
{
    // A directive with several non-default values, including two custom sources.
    var originalDirective = new CspDirectiveConfiguration
    {
        Enabled = false,
        NoneSrc = true,
        SelfSrc = true,
        UnsafeEvalSrc = true,
        UnsafeInlineSrc = false,
        CustomSources = new[] { "https://www.nwebsec.com", "www.klings.org" }
    };
    var cspConfig = new CspConfiguration(false) { ScriptSrcDirective = originalDirective };
    var configMapper = new CspConfigMapper();

    var clonedDirective = configMapper.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.ScriptSrc);

    // Distinct instance, same content.
    Assert.AreNotSame(originalDirective, clonedDirective);
    var configComparer = new CspDirectiveConfigurationComparer();
    Assert.That(clonedDirective, Is.EqualTo(originalDirective).Using(configComparer));
}
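/// <summary>
/// An override that supplies OtherSources with InheritOtherSources = false must replace the custom
/// sources of the base configuration instead of adding to them.
/// </summary>
public void GetOverridenCspDirectiveConfig_CustomSourcesOverride_OverriddesCustomSources()
{
    var directiveConfig = new CspDirectiveConfiguration { CustomSources = new[] { "www.nwebsec.com" } };
    var directiveOverride = new CspDirectiveOverride
    {
        OtherSources = new[] { "*.nwebsec.com" },
        InheritOtherSources = false
    };

    var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig);

    Assert.IsFalse(newConfig.SelfSrc);

    // Compare values rather than asserting on a boolean expression, so a failure reports the
    // actual source count and the actual source instead of just "expected true".
    Assert.AreEqual(1, newConfig.CustomSources.Count());
    Assert.AreEqual("*.nwebsec.com", newConfig.CustomSources.First());
}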
/// <summary>
/// Returns a copy of the configuration stored for <paramref name="directive"/> in
/// <paramref name="cspConfig"/>.
/// </summary>
/// <param name="cspConfig">The CSP configuration to read the directive from.</param>
/// <param name="directive">The directive whose configuration is copied.</param>
/// <returns>
/// A new <see cref="CspDirectiveConfiguration"/> carrying the same values, or null when
/// GetCspDirectiveConfig returns null for the directive.
/// </returns>
public ICspDirectiveConfiguration GetCspDirectiveConfigCloned(ICspConfiguration cspConfig, CspDirectives directive)
{
    var source = GetCspDirectiveConfig(cspConfig, directive);

    // Nothing configured for this directive: there is nothing to clone.
    if (source == null)
    {
        return null;
    }

    var clone = new CspDirectiveConfiguration();
    clone.Enabled = source.Enabled;
    clone.NoneSrc = source.NoneSrc;
    clone.SelfSrc = source.SelfSrc;
    clone.UnsafeEvalSrc = source.UnsafeEvalSrc;
    clone.UnsafeInlineSrc = source.UnsafeInlineSrc;
    clone.Nonce = source.Nonce;

    // The clone always gets a list of its own: a copy of the source's custom sources, or an empty
    // list when the source has none. It never shares the collection instance with the original.
    if (source.CustomSources == null)
    {
        clone.CustomSources = new List<string>(0);
    }
    else
    {
        clone.CustomSources = source.CustomSources.ToList();
    }

    return clone;
}
/// <summary>
/// An inherited 'none' must be switched off as soon as an override enables any other source.
/// </summary>
public void GetOverridenCspDirectiveConfig_NoneInheritAndOtherSourcesOverride_OverridesNone()
{
    // An inherited 'none' should be overridden when other sources are enabled.
    // Each override below enables exactly one kind of source.
    var sourceEnablingOverrides = new[]
    {
        new CspDirectiveOverride { Self = true },
        new CspDirectiveOverride { UnsafeEval = true },
        new CspDirectiveOverride { UnsafeInline = true },
        new CspDirectiveOverride { OtherSources = new[] { "nwebsec.com" } },
    };

    for (var index = 0; index < sourceEnablingOverrides.Length; index++)
    {
        // Fresh base configuration per override, with only 'none' set.
        var inheritedNoneConfig = new CspDirectiveConfiguration { NoneSrc = true };

        var result = _overrideHelper.GetOverridenCspDirectiveConfig(sourceEnablingOverrides[index], inheritedNoneConfig);

        Assert.IsFalse(result.NoneSrc);
    }
}
/// <summary>
/// An override that sets Self must win over the SelfSrc value of the base directive configuration.
/// </summary>
/// <param name="expectedResult">The Self value carried by the override and expected in the result.</param>
public void GetOverridenCspDirectiveConfig_SelfOverride_OverridesSelf([Values(true, false)] bool expectedResult)
{
    // The base starts at the opposite value, so the assertion only passes if the override was applied.
    var baseConfig = new CspDirectiveConfiguration { SelfSrc = !expectedResult };
    var selfOverride = new CspDirectiveOverride { Self = expectedResult };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(selfOverride, baseConfig);

    Assert.AreEqual(expectedResult, result.SelfSrc);
}
/// <summary>
/// Two directive configurations holding the same custom sources, in separate arrays, must compare as equal.
/// </summary>
public void Compare_CustomSourcesAreEqual_ReturnsZero()
{
    // Separate array instances with identical elements: equality has to be decided by content.
    var left = new CspDirectiveConfiguration { CustomSources = new[] { "a", "b" } };
    var right = new CspDirectiveConfiguration { CustomSources = new[] { "a", "b" } };

    var comparison = _comparer.Compare(left, right);

    Assert.AreEqual(0, comparison);
}
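/// <summary>
/// When no style-src override exists yet, GetCspStyleNonce is expected to clone the style-src
/// directive from the base configuration, put the returned nonce on the clone and store the clone
/// as the override. This is checked for both the enforced and the report-only configuration.
/// </summary>
public void GetCspStyleNonce_StyleNonceRequestedNoOverrides_ClonesBaseConfigAndOverridesNonce()
{
    var cspConfig = new CspConfiguration();
    var cspConfigReportOnly = new CspConfiguration();
    var overrideConfig = new CspOverrideConfiguration();
    var overrideConfigReportOnly = new CspOverrideConfiguration();
    var clonedCspDirective = new CspDirectiveConfiguration();
    var clonedCspReportOnlyDirective = new CspDirectiveConfiguration();

    // The second argument selects report-only (true) or enforced (false) configuration.
    _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), false)).Returns(cspConfig);
    _contextHelper.Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), true)).Returns(cspConfigReportOnly);
    _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(overrideConfig);
    _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);

    //No overrides
    _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);
    _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns((ICspDirectiveConfiguration)null);

    // The base configurations hand out the clones the nonce is expected to end up on.
    _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.StyleSrc)).Returns(clonedCspDirective);
    _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfigCloned(cspConfigReportOnly, CspDirectives.StyleSrc)).Returns(clonedCspReportOnlyDirective);
    _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective));
    _directiveConfigMapper.Setup(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective));

    var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

    // Require a real value first: a null nonce compared against a Nonce that is still null would
    // satisfy the equality assertions below without any nonce having been set.
    Assert.IsFalse(string.IsNullOrEmpty(nonce), "GetCspStyleNonce returned a null or empty nonce.");
    Assert.AreEqual(nonce, clonedCspDirective.Nonce);
    Assert.AreEqual(nonce, clonedCspReportOnlyDirective.Nonce);

    // Each clone must have been stored as the override exactly once.
    _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc, clonedCspDirective), Times.Once);
    _directiveConfigMapper.Verify(m => m.SetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc, clonedCspReportOnlyDirective), Times.Once);
}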
/// <summary>
/// When the override configuration holds nothing for the directive yet, SetCspDirectiveOverride is
/// expected to start from a clone of the directive in the context configuration, apply the override
/// to it and store the outcome on the override configuration.
/// </summary>
/// <param name="reportOnly">Whether the report-only configuration is targeted.</param>
/// <param name="directive">The CSP directive under test, supplied by the value source.</param>
public void SetCspDirectiveOverride_NoCurrentOverride_ClonesConfigFromContextAndOverrides([Values(false, true)]bool reportOnly, [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
    // Arrange: all objects that travel through the mocks.
    var configFromContext = new CspConfiguration();
    var overrides = new CspOverrideConfiguration();
    var clonedDirective = new CspDirectiveConfiguration();
    var requestedOverride = new CspDirectiveOverride();
    var overriddenDirective = new CspDirectiveConfiguration();

    // The context supplies both the CSP configuration and the override configuration.
    _contextHelper.Setup(ctx => ctx.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly)).Returns(configFromContext);
    _contextHelper.Setup(ctx => ctx.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrides);

    // No override has been stored for the directive so far.
    _directiveConfigMapper.Setup(map => map.GetCspDirectiveConfig(overrides, directive)).Returns((ICspDirectiveConfiguration)null);

    // The clone of the directive from the context configuration is the starting point.
    _directiveConfigMapper.Setup(map => map.GetCspDirectiveConfigCloned(configFromContext, directive)).Returns(clonedDirective);

    // Applying the requested override to the clone yields the directive that must be stored.
    _directiveOverrideHelper.Setup(helper => helper.GetOverridenCspDirectiveConfig(requestedOverride, clonedDirective)).Returns(overriddenDirective);

    // Storing the outcome is expected to be the final step.
    _directiveConfigMapper.Setup(map => map.SetCspDirectiveConfig(overrides, directive, overriddenDirective));

    // Act
    CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

    // Assert: the override result was stored on the override configuration exactly once.
    _directiveConfigMapper.Verify(map => map.SetCspDirectiveConfig(overrides, directive, overriddenDirective), Times.Once);
}
/// <summary>
/// An override that supplies no sources of its own and sets InheritOtherSources = true must keep the
/// custom sources of the base configuration unchanged.
/// </summary>
public void GetOverridenCspDirectiveConfig_NoCustomSourcesOverride_KeepsCustomSources()
{
    var inheritedSources = new[] { "www.nwebsec.com" };
    var baseConfig = new CspDirectiveConfiguration { CustomSources = inheritedSources };
    var inheritingOverride = new CspDirectiveOverride { InheritOtherSources = true };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(inheritingOverride, baseConfig);

    // Same elements in the same order as the base configuration.
    var sourcesUnchanged = inheritedSources.SequenceEqual(result.CustomSources);
    Assert.IsTrue(sourcesUnchanged, "CustomSources differed.");
}
/// <summary>
/// An override that does not mention unsafe-inline must leave the UnsafeInlineSrc value of the base
/// configuration as it is.
/// </summary>
/// <param name="expectedResult">The UnsafeInlineSrc value of the base configuration, expected in the result.</param>
public void GetOverridenCspDirectiveConfig_UnsafeInlineInherit_InheritsUnsafeInline([Values(true, false)] bool expectedResult)
{
    var baseConfig = new CspDirectiveConfiguration { UnsafeInlineSrc = expectedResult };

    // A default-constructed override: no property is set on it.
    var emptyOverride = new CspDirectiveOverride();

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(emptyOverride, baseConfig);

    Assert.AreEqual(expectedResult, result.UnsafeInlineSrc);
}
/// <summary>
/// An override that sets UnsafeEval must win over the UnsafeEvalSrc value of the base directive
/// configuration, both when it switches 'unsafe-eval' on and when it switches it off.
/// </summary>
/// <param name="expectedResult">The UnsafeEval value carried by the override and expected in the result.</param>
public void GetOverridenCspDirectiveConfig_UnsafeEvalOverride_OverridesUnsafeEval([Values(true, false)] bool expectedResult)
{
    // The base starts at the opposite value, so the assertion only passes if the override was applied.
    var baseConfig = new CspDirectiveConfiguration { UnsafeEvalSrc = !expectedResult };
    var unsafeEvalOverride = new CspDirectiveOverride { UnsafeEval = expectedResult };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(unsafeEvalOverride, baseConfig);

    Assert.AreEqual(expectedResult, result.UnsafeEvalSrc);
}
/// <summary>
/// When the override configuration already holds a directive, SetCspDirectiveOverride is expected
/// to apply the new override on top of that existing one and store the outcome on the override
/// configuration.
/// </summary>
/// <param name="reportOnly">Whether the report-only configuration is targeted.</param>
/// <param name="directive">The CSP directive under test, supplied by the value source.</param>
public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride([Values(false, true)]bool reportOnly, [ValueSource(typeof(CspCommonDirectives), "Directives")] CspDirectives directive)
{
    // Arrange: all objects that travel through the mocks.
    var overrides = new CspOverrideConfiguration();
    var existingOverride = new CspDirectiveConfiguration();
    var requestedOverride = new CspDirectiveOverride();
    var overriddenDirective = new CspDirectiveConfiguration();

    _contextHelper.Setup(ctx => ctx.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), reportOnly, false)).Returns(overrides);

    // An override for the directive is already in place.
    _directiveConfigMapper.Setup(map => map.GetCspDirectiveConfig(overrides, directive)).Returns(existingOverride);

    // Applying the requested override to the existing one yields the directive that must be stored.
    _directiveOverrideHelper.Setup(helper => helper.GetOverridenCspDirectiveConfig(requestedOverride, existingOverride)).Returns(overriddenDirective);

    // Storing the outcome is expected to be the final step.
    _directiveConfigMapper.Setup(map => map.SetCspDirectiveConfig(overrides, directive, overriddenDirective));

    // Act
    CspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

    // Assert: the override result was stored on the override configuration exactly once.
    _directiveConfigMapper.Verify(map => map.SetCspDirectiveConfig(overrides, directive, overriddenDirective), Times.Once);
}
/// <summary>
/// An override that supplies OtherSources with InheritOtherSources = true must keep the inherited
/// custom sources. A source present in both lists is expected to appear once in the result.
/// </summary>
public void GetOverridenCspDirectiveConfig_CustomSourcesOverrideWithSourcesInherited_KeepsAllSources()
{
    var baseConfig = new CspDirectiveConfiguration
    {
        CustomSources = new[] { "transformtool.codeplex.com", "nwebsec.codeplex.com" }
    };

    // The override repeats one of the inherited sources.
    var inheritingOverride = new CspDirectiveOverride
    {
        OtherSources = new[] { "nwebsec.codeplex.com" },
        InheritOtherSources = true
    };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(inheritingOverride, baseConfig);

    // Two sources in total, so the repeated one was not added a second time.
    var resultingSources = result.CustomSources.ToList();
    Assert.AreEqual(2, resultingSources.Count());
    Assert.Contains("transformtool.codeplex.com", resultingSources);
    Assert.Contains("nwebsec.codeplex.com", resultingSources);
}
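/// <summary>
/// When the override configurations already hold a style-src directive that carries no nonce,
/// GetCspStyleNonce is expected to put the returned nonce on that directive. This is checked for
/// both the enforced and the report-only override.
/// </summary>
public void GetCspStyleNonce_StyleNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
{
    var overrideConfig = new CspOverrideConfiguration();
    var overrideConfigReportOnly = new CspOverrideConfiguration();
    var overrideCspDirective = new CspDirectiveConfiguration();
    var overrideCspReportOnlyDirective = new CspDirectiveConfiguration();

    // The second argument selects report-only (true) or enforced (false) overrides.
    _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), false, false)).Returns(overrideConfig);
    _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContextBase>(), true, false)).Returns(overrideConfigReportOnly);

    // Both override configurations already contain a style-src directive.
    _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.StyleSrc)).Returns(overrideCspDirective);
    _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.StyleSrc)).Returns(overrideCspReportOnlyDirective);

    var nonce = CspConfigurationOverrideHelper.GetCspStyleNonce(MockContext);

    // Require a real value first: a null nonce compared against a Nonce that is still null would
    // satisfy the equality assertions below without any nonce having been set.
    Assert.IsFalse(string.IsNullOrEmpty(nonce), "GetCspStyleNonce returned a null or empty nonce.");
    Assert.AreEqual(nonce, overrideCspDirective.Nonce);
    Assert.AreEqual(nonce, overrideCspReportOnlyDirective.Nonce);
}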
/// <summary>
/// Two directive configurations whose custom sources have the same length but differ in one element
/// must not compare as equal, whichever one is passed first.
/// </summary>
public void Compare_CustomSourcesDiffersInElements_ReturnsNonzero()
{
    // Same first element, different second element.
    var sourcesAB = new CspDirectiveConfiguration { CustomSources = new[] { "a", "b" } };
    var sourcesAC = new CspDirectiveConfiguration { CustomSources = new[] { "a", "c" } };

    var forward = _comparer.Compare(sourcesAB, sourcesAC);
    Assert.AreEqual(-1, forward);

    var swapped = _comparer.Compare(sourcesAC, sourcesAB);
    Assert.AreEqual(1, swapped);
}