summaryrefslogtreecommitdiffstats
path: root/tests/lib
diff options
context:
space:
mode:
authorRoeland Jago Douma <roeland@famdouma.nl>2019-05-24 21:42:37 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2019-07-08 20:35:15 +0200
commit5ac857bcdcd204d6dbfd86f8a09d241661cdd2c5 (patch)
tree4a02f63a1f9a2ced4e3565e97ad628c612aef5c9 /tests/lib
parenteb092bbdc74fd10253e7a75850d5725df27daa25 (diff)
downloadnextcloud-server-5ac857bcdcd204d6dbfd86f8a09d241661cdd2c5.tar.gz
nextcloud-server-5ac857bcdcd204d6dbfd86f8a09d241661cdd2c5.zip
Add an event to edit the CSP
This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'tests/lib')
-rw-r--r--tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php44
-rw-r--r--tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php54
2 files changed, 96 insertions, 2 deletions
diff --git a/tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php b/tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php
new file mode 100644
index 00000000000..01227ec359a
--- /dev/null
+++ b/tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php
@@ -0,0 +1,44 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Test\Security\CSP;
+
+use OC\Security\CSP\ContentSecurityPolicyManager;
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+use Test\TestCase;
+
+class AddContentSecurityPolicyEventTest extends TestCase {
+ public function testAddEvent() {
+ $cspManager = $this->createMock(ContentSecurityPolicyManager::class);
+ $policy = $this->createMock(ContentSecurityPolicy::class);
+ $event = new AddContentSecurityPolicyEvent($cspManager);
+
+ $cspManager->expects($this->once())
+ ->method('addDefaultPolicy')
+ ->with($policy);
+
+ $event->addPolicy($policy);
+ }
+}
diff --git a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php
index 8f8be5cba9f..279c4672d80 100644
--- a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php
+++ b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php
@@ -23,14 +23,24 @@ namespace Test\Security\CSP;
use OC\Security\CSP\ContentSecurityPolicyManager;
+use OCP\EventDispatcher\IEventDispatcher;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+use PHPUnit\Framework\MockObject\MockObject;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Test\TestCase;
+
+class ContentSecurityPolicyManagerTest extends TestCase {
+ /** @var EventDispatcherInterface */
+ private $dispatcher;
-class ContentSecurityPolicyManagerTest extends \Test\TestCase {
/** @var ContentSecurityPolicyManager */
private $contentSecurityPolicyManager;
public function setUp() {
parent::setUp();
- $this->contentSecurityPolicyManager = new ContentSecurityPolicyManager();
+ $this->dispatcher = \OC::$server->query(IEventDispatcher::class);
+ $this->contentSecurityPolicyManager = new ContentSecurityPolicyManager($this->dispatcher);
}
public function testAddDefaultPolicy() {
@@ -69,4 +79,44 @@ class ContentSecurityPolicyManagerTest extends \Test\TestCase {
$this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
}
+ public function testGetDefaultPolicyWithPoliciesViaEvent() {
+ $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function(AddContentSecurityPolicyEvent $e) {
+ $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
+ $policy->addAllowedFontDomain('mydomain.com');
+ $policy->addAllowedImageDomain('anotherdomain.de');
+
+ $e->addPolicy($policy);
+ });
+
+ $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function(AddContentSecurityPolicyEvent $e) {
+ $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
+ $policy->addAllowedFontDomain('example.com');
+ $policy->addAllowedImageDomain('example.org');
+ $policy->allowInlineScript(true);
+ $policy->allowEvalScript(true);
+ $e->addPolicy($policy);
+ });
+
+ $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function(AddContentSecurityPolicyEvent $e) {
+ $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
+ $policy->addAllowedChildSrcDomain('childdomain');
+ $policy->addAllowedFontDomain('anotherFontDomain');
+ $e->addPolicy($policy);
+ });
+
+ $expected = new \OC\Security\CSP\ContentSecurityPolicy();
+ $expected->allowInlineScript(true);
+ $expected->allowEvalScript(true);
+ $expected->addAllowedFontDomain('mydomain.com');
+ $expected->addAllowedFontDomain('example.com');
+ $expected->addAllowedFontDomain('anotherFontDomain');
+ $expected->addAllowedImageDomain('anotherdomain.de');
+ $expected->addAllowedImageDomain('example.org');
+ $expected->addAllowedChildSrcDomain('childdomain');
+ $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self'";
+
+ $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
+ $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
+ }
+
}