# SPDX-License-Identifier: CC0-1.0 """ Haketilo unit tests - determining what to do on a given web page """ # This file is part of Haketilo # # Copyright (C) 2021, Wojtek Kosior <koszko@koszko.org> # # This program is free software: you can redistribute it and/or modify # it under the terms of the CC0 1.0 Universal License as published by # the Creative Commons Corporation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # CC0 1.0 Universal License for more details. import re from hashlib import sha256 import pytest from ..script_loader import load_script csp_re = re.compile(r''' ^ \S+(?:\s+\S+)+; # first directive (?: \s+\S+(?:\s+\S+)+; # subsequent directive )* $ ''', re.VERBOSE) rule_re = re.compile(r''' ^ \s* (?P<src_kind>\S+) \s+ (?P<allowed_origins> \S+(?:\s+\S+)* ) $ ''', re.VERBOSE) def parse_csp(csp): '''Parsing of CSP string into a dict.''' assert csp_re.match(csp) result = {} for rule in csp.split(';')[:-1]: match = rule_re.match(rule) result[match.group('src_kind')] = match.group('allowed_origins').split() return result @pytest.mark.get_page('https://gotmyowndoma.in') def test_decide_policy(execute_in_page): """ policy.js contains code that, using a Pattern Query Tree instance and a URL, decides what Haketilo should do on a page opened at that URL, i.e. whether it should block or allow script execution and whether it should inject its own scripts and which ones. Test that the policy object gets constructed properly. """ execute_in_page(load_script('common/policy.js')) policy = execute_in_page( ''' returnval(decide_policy(pqt.make(), "http://unkno.wn/", true, "abcd")); ''') assert policy['allow'] == True for prop in ('mapping', 'payload', 'nonce', 'csp', 'error'): assert prop not in policy policy = execute_in_page( '''{ const tree = pqt.make(); pqt.register(tree, "http://kno.wn", "~allow", 1); returnval(decide_policy(tree, "http://kno.wn/", false, "abcd")); }''') assert policy['allow'] == True assert policy['mapping'] == '~allow' for prop in ('payload', 'nonce', 'csp', 'error'): assert prop not in policy policy = execute_in_page( ''' returnval(decide_policy(pqt.make(), "http://unkno.wn/", false, "abcd")); ''' ) assert policy['allow'] == False for prop in ('mapping', 'payload', 'nonce', 'error'): assert prop not in policy assert parse_csp(policy['csp']) == { 'prefetch-src': ["'none'"], 'script-src-attr': ["'none'"], 'script-src': ["'none'", "'unsafe-eval'"], 'script-src-elem': ["'none'"] } policy = execute_in_page( '''{ const tree = pqt.make(); pqt.register(tree, "http://kno.wn", "~allow", 0); returnval(decide_policy(tree, "http://kno.wn/", true, "abcd")); }''') assert policy['allow'] == False assert policy['mapping'] == '~allow' for prop in ('payload', 'nonce', 'error'): assert prop not in policy assert parse_csp(policy['csp']) == { 'prefetch-src': ["'none'"], 'script-src-attr': ["'none'"], 'script-src': ["'none'", "'unsafe-eval'"], 'script-src-elem': ["'none'"] } policy = execute_in_page( '''{ const tree = pqt.make(); pqt.register(tree, "http://kno.wn", "m1", {identifier: "res1"}); returnval(decide_policy(tree, "http://kno.wn/", true, "abcd")); }''') assert policy['allow'] == False assert policy['mapping'] == 'm1' assert policy['payload'] == {'identifier': 'res1'} assert 'error' not in policy assert policy['nonce'] == \ sha256('m1:res1:http://kno.wn/:abcd'.encode()).digest().hex() assert parse_csp(policy['csp']) == { 'prefetch-src': ["'none'"], 'script-src-attr': ["'none'"], 'script-src': [f"'nonce-{policy['nonce']}'", "'unsafe-eval'"], 'script-src-elem': [f"'nonce-{policy['nonce']}'"] } policy = execute_in_page( 'returnval(decide_policy(pqt.make(), "<bad_url>", true, "abcd"));' ) assert policy['allow'] == False assert policy['error'] == {'haketilo_error_type': 'deciding_policy'} for prop in ('mapping', 'payload', 'nonce'): assert prop not in policy assert parse_csp(policy['csp']) == { 'prefetch-src': ["'none'"], 'script-src-attr': ["'none'"], 'script-src': ["'none'", "'unsafe-eval'"], 'script-src-elem': ["'none'"] }