diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php | 44 | ||||
| -rw-r--r-- | tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php | 54 |
2 files changed, 96 insertions, 2 deletions
diff --git a/tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php b/tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php new file mode 100644 index 00000000000..01227ec359a --- /dev/null +++ b/tests/lib/Security/CSP/AddContentSecurityPolicyEventTest.php @@ -0,0 +1,44 @@ +<?php +declare(strict_types=1); +/** + * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl> + * + * @author Roeland Jago Douma <roeland@famdouma.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace Test\Security\CSP; + +use OC\Security\CSP\ContentSecurityPolicyManager; +use OCP\AppFramework\Http\ContentSecurityPolicy; +use OCP\Security\CSP\AddContentSecurityPolicyEvent; +use Test\TestCase; + +class AddContentSecurityPolicyEventTest extends TestCase { + public function testAddEvent() { + $cspManager = $this->createMock(ContentSecurityPolicyManager::class); + $policy = $this->createMock(ContentSecurityPolicy::class); + $event = new AddContentSecurityPolicyEvent($cspManager); + + $cspManager->expects($this->once()) + ->method('addDefaultPolicy') + ->with($policy); + + $event->addPolicy($policy); + } +} diff --git a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php index 8f8be5cba9f..279c4672d80 100644 --- a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php +++ b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php @@ -23,14 +23,24 @@ namespace Test\Security\CSP; use OC\Security\CSP\ContentSecurityPolicyManager; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\Security\CSP\AddContentSecurityPolicyEvent; +use PHPUnit\Framework\MockObject\MockObject; +use Symfony\Component\EventDispatcher\EventDispatcher; +use Symfony\Component\EventDispatcher\EventDispatcherInterface; +use Test\TestCase; + +class ContentSecurityPolicyManagerTest extends TestCase { + /** @var EventDispatcherInterface */ + private $dispatcher; -class ContentSecurityPolicyManagerTest extends \Test\TestCase { /** @var ContentSecurityPolicyManager */ private $contentSecurityPolicyManager; public function setUp() { parent::setUp(); - $this->contentSecurityPolicyManager = new ContentSecurityPolicyManager(); + $this->dispatcher = \OC::$server->query(IEventDispatcher::class); + $this->contentSecurityPolicyManager = new ContentSecurityPolicyManager($this->dispatcher); } public function testAddDefaultPolicy() { @@ -69,4 +79,44 @@ class ContentSecurityPolicyManagerTest extends \Test\TestCase { $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy()); } + public function testGetDefaultPolicyWithPoliciesViaEvent() { + $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function(AddContentSecurityPolicyEvent $e) { + $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(); + $policy->addAllowedFontDomain('mydomain.com'); + $policy->addAllowedImageDomain('anotherdomain.de'); + + $e->addPolicy($policy); + }); + + $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function(AddContentSecurityPolicyEvent $e) { + $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(); + $policy->addAllowedFontDomain('example.com'); + $policy->addAllowedImageDomain('example.org'); + $policy->allowInlineScript(true); + $policy->allowEvalScript(true); + $e->addPolicy($policy); + }); + + $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function(AddContentSecurityPolicyEvent $e) { + $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy(); + $policy->addAllowedChildSrcDomain('childdomain'); + $policy->addAllowedFontDomain('anotherFontDomain'); + $e->addPolicy($policy); + }); + + $expected = new \OC\Security\CSP\ContentSecurityPolicy(); + $expected->allowInlineScript(true); + $expected->allowEvalScript(true); + $expected->addAllowedFontDomain('mydomain.com'); + $expected->addAllowedFontDomain('example.com'); + $expected->addAllowedFontDomain('anotherFontDomain'); + $expected->addAllowedImageDomain('anotherdomain.de'); + $expected->addAllowedImageDomain('example.org'); + $expected->addAllowedChildSrcDomain('childdomain'); + $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self'"; + + $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy()); + $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy()); + } + } |