# SPDX-License-Identifier: CC0-1.0
"""
Haketilo unit tests - determining what to do on a given web page
"""
# This file is part of Haketilo
#
# Copyright (C) 2021, Wojtek Kosior <koszko@koszko.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the CC0 1.0 Universal License as published by
# the Creative Commons Corporation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# CC0 1.0 Universal License for more details.
import re
from hashlib import sha256
import pytest
from ..script_loader import load_script
csp_re = re.compile(r'''
^
\S+(?:\s+\S+)+; # first directive
(?:
\s+\S+(?:\s+\S+)+; # subsequent directive
)*
$
''',
re.VERBOSE)
rule_re = re.compile(r'''
^
\s*
(?P<src_kind>\S+)
\s+
(?P<allowed_origins>
\S+(?:\s+\S+)*
)
$
''', re.VERBOSE)
def parse_csp(csp):
'''Parsing of CSP string into a dict.'''
assert csp_re.match(csp)
result = {}
for rule in csp.split(';')[:-1]:
match = rule_re.match(rule)
result[match.group('src_kind')] = match.group('allowed_origins').split()
return result
@pytest.mark.get_page('https://gotmyowndoma.in')
def test_decide_policy(execute_in_page):
"""
policy.js contains code that, using a Pattern Query Tree instance and a URL,
decides what Haketilo should do on a page opened at that URL, i.e. whether
it should block or allow script execution and whether it should inject its
own scripts and which ones. Test that the policy object gets constructed
properly.
"""
execute_in_page(load_script('common/policy.js'))
policy = execute_in_page(
'''
returnval(decide_policy(pqt.make(), "http://unkno.wn/", true, "abcd"));
''')
assert policy['allow'] == True
for prop in ('mapping', 'payload', 'nonce', 'csp', 'error'):
assert prop not in policy
policy = execute_in_page(
'''{
const tree = pqt.make();
pqt.register(tree, "http://kno.wn", "~allow", 1);
returnval(decide_policy(tree, "http://kno.wn/", false, "abcd"));
}''')
assert policy['allow'] == True
assert policy['mapping'] == '~allow'
for prop in ('payload', 'nonce', 'csp', 'error'):
assert prop not in policy
policy = execute_in_page(
'''
returnval(decide_policy(pqt.make(), "http://unkno.wn/", false, "abcd"));
'''
)
assert policy['allow'] == False
for prop in ('mapping', 'payload', 'nonce', 'error'):
assert prop not in policy
assert parse_csp(policy['csp']) == {
'prefetch-src': ["'none'"],
'script-src-attr': ["'none'"],
'script-src': ["'none'", "'unsafe-eval'"],
'script-src-elem': ["'none'"]
}
policy = execute_in_page(
'''{
const tree = pqt.make();
pqt.register(tree, "http://kno.wn", "~allow", 0);
returnval(decide_policy(tree, "http://kno.wn/", true, "abcd"));
}''')
assert policy['allow'] == False
assert policy['mapping'] == '~allow'
for prop in ('payload', 'nonce', 'error'):
assert prop not in policy
assert parse_csp(policy['csp']) == {
'prefetch-src': ["'none'"],
'script-src-attr': ["'none'"],
'script-src': ["'none'", "'unsafe-eval'"],
'script-src-elem': ["'none'"]
}
policy = execute_in_page(
'''{
const tree = pqt.make();
pqt.register(tree, "http://kno.wn", "m1", {identifier: "res1"});
returnval(decide_policy(tree, "http://kno.wn/", true, "abcd"));
}''')
assert policy['allow'] == False
assert policy['mapping'] == 'm1'
assert policy['payload'] == {'identifier': 'res1'}
assert 'error' not in policy
assert policy['nonce'] == \
sha256('m1:res1:http://kno.wn/:abcd'.encode()).digest().hex()
assert parse_csp(policy['csp']) == {
'prefetch-src': ["'none'"],
'script-src-attr': ["'none'"],
'script-src': [f"'nonce-{policy['nonce']}'", "'unsafe-eval'"],
'script-src-elem': [f"'nonce-{policy['nonce']}'"]
}
policy = execute_in_page(
'returnval(decide_policy(pqt.make(), "<bad_url>", true, "abcd"));'
)
assert policy['allow'] == False
assert policy['error'] == {'haketilo_error_type': 'deciding_policy'}
for prop in ('mapping', 'payload', 'nonce'):
assert prop not in policy
assert parse_csp(policy['csp']) == {
'prefetch-src': ["'none'"],
'script-src-attr': ["'none'"],
'script-src': ["'none'", "'unsafe-eval'"],
'script-src-elem': ["'none'"]
}
