aboutsummaryrefslogtreecommitdiff
# SPDX-License-Identifier: CC0-1.0

"""
Haketilo unit tests - determining what to do on a given web page
"""

# This file is part of Haketilo
#
# Copyright (C) 2021, Wojtek Kosior <koszko@koszko.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the CC0 1.0 Universal License as published by
# the Creative Commons Corporation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# CC0 1.0 Universal License for more details.

import re
from hashlib import sha256
import pytest

from ..script_loader import load_script

csp_re = re.compile(r'''
^
\S+(?:\s+\S+)+;      # first directive
(?:
  \s+\S+(?:\s+\S+)+; # subsequent directive
)*
$
''',
re.VERBOSE)

rule_re = re.compile(r'''
^
\s*
(?P<src_kind>\S+)
\s+
(?P<allowed_origins>
  \S+(?:\s+\S+)*
)
$
''', re.VERBOSE)

def parse_csp(csp):
    '''Parsing of CSP string into a dict.'''
    assert csp_re.match(csp)

    result = {}

    for rule in csp.split(';')[:-1]:
        match = rule_re.match(rule)
        result[match.group('src_kind')] = match.group('allowed_origins').split()

    return result

@pytest.mark.get_page('https://gotmyowndoma.in')
def test_decide_policy(execute_in_page):
    """
    policy.js contains code that, using a Pattern Query Tree instance and a URL,
    decides what Haketilo should do on a page opened at that URL, i.e. whether
    it should block or allow script execution and whether it should inject its
    own scripts and which ones. Test that the policy object gets constructed
    properly.
    """
    execute_in_page(load_script('common/policy.js'))

    policy = execute_in_page(
        '''
        returnval(decide_policy(pqt.make(), "http://unkno.wn/", true, "abcd"));
        ''')
    assert policy['allow'] == True
    for prop in ('mapping', 'payload', 'nonce', 'csp', 'error'):
        assert prop not in policy

    policy = execute_in_page(
        '''{
        const tree = pqt.make();
        pqt.register(tree, "http://kno.wn", "~allow", 1);
        returnval(decide_policy(tree, "http://kno.wn/", false, "abcd"));
        }''')
    assert policy['allow'] == True
    assert policy['mapping'] == '~allow'
    for prop in ('payload', 'nonce', 'csp', 'error'):
        assert prop not in policy

    policy = execute_in_page(
        '''
        returnval(decide_policy(pqt.make(), "http://unkno.wn/", false, "abcd"));
        '''
        )
    assert policy['allow'] == False
    for prop in ('mapping', 'payload', 'nonce', 'error'):
        assert prop not in policy
    assert parse_csp(policy['csp']) == {
        'prefetch-src':    ["'none'"],
        'script-src-attr': ["'none'"],
        'script-src':      ["'none'", "'unsafe-eval'"],
        'script-src-elem': ["'none'"]
    }

    policy = execute_in_page(
        '''{
        const tree = pqt.make();
        pqt.register(tree, "http://kno.wn", "~allow", 0);
        returnval(decide_policy(tree, "http://kno.wn/", true, "abcd"));
        }''')
    assert policy['allow'] == False
    assert policy['mapping'] == '~allow'
    for prop in ('payload', 'nonce', 'error'):
        assert prop not in policy
    assert parse_csp(policy['csp']) == {
        'prefetch-src':    ["'none'"],
        'script-src-attr': ["'none'"],
        'script-src':      ["'none'", "'unsafe-eval'"],
        'script-src-elem': ["'none'"]
    }

    policy = execute_in_page(
        '''{
        const tree = pqt.make();
        pqt.register(tree, "http://kno.wn", "m1", {identifier: "res1"});
        returnval(decide_policy(tree, "http://kno.wn/", true, "abcd"));
        }''')
    assert policy['allow'] == False
    assert policy['mapping'] == 'm1'
    assert policy['payload'] == {'identifier': 'res1'}
    assert 'error' not in policy
    assert policy['nonce'] == \
        sha256('m1:res1:http://kno.wn/:abcd'.encode()).digest().hex()
    assert parse_csp(policy['csp']) == {
        'prefetch-src':    ["'none'"],
        'script-src-attr': ["'none'"],
        'script-src':      [f"'nonce-{policy['nonce']}'", "'unsafe-eval'"],
        'script-src-elem': [f"'nonce-{policy['nonce']}'"]
    }

    policy = execute_in_page(
        'returnval(decide_policy(pqt.make(), "<bad_url>", true, "abcd"));'
    )
    assert policy['allow'] == False
    assert policy['error'] == {'haketilo_error_type': 'deciding_policy'}
    for prop in ('mapping', 'payload', 'nonce'):
        assert prop not in policy
    assert parse_csp(policy['csp']) == {
        'prefetch-src':    ["'none'"],
        'script-src-attr': ["'none'"],
        'script-src':      ["'none'", "'unsafe-eval'"],
        'script-src-elem': ["'none'"]
    }