1 files changed, 135 insertions, 0 deletions

diff --git a/test/haketilo_test/unit/test_policy_deciding.py b/test/haketilo_test/unit/test_policy_deciding.py
new file mode 100644
index 0000000..75b35ac
--- /dev/null
+++ b/test/haketilo_test/unit/test_policy_deciding.py
@@ -0,0 +1,135 @@
+# SPDX-License-Identifier: CC0-1.0
+
+"""
+Haketilo unit tests - determining what to do on a given web page
+"""
+
+# This file is part of Haketilo
+#
+# Copyright (C) 2021, Wojtek Kosior <koszko@koszko.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the CC0 1.0 Universal License as published by
+# the Creative Commons Corporation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# CC0 1.0 Universal License for more details.
+
+import re
+from hashlib import sha256
+import pytest
+
+from ..script_loader import load_script
+
+csp_re = re.compile(r'^\S+\s+\S+;(?:\s+\S+\s+\S+;)*$')
+rule_re = re.compile(r'^\s*(?P<src_kind>\S+)\s+(?P<allowed_origins>\S+)$')
+def parse_csp(csp):
+    '''
+    Parsing of CSP string into a dict. A simplified format of CSP is assumed.
+    '''
+    assert csp_re.match(csp)
+
+    result = {}
+
+    for rule in csp.split(';')[:-1]:
+        match = rule_re.match(rule)
+        result[match.group('src_kind')] = match.group('allowed_origins')
+
+    return result
+
+@pytest.mark.get_page('https://gotmyowndoma.in')
+def test_decide_policy(execute_in_page):
+    """
+    policy.js contains code that, using a Pattern Query Tree instance and a URL,
+    decides what Haketilo should do on a page opened at that URL, i.e. whether
+    it should block or allow script execution and whether it should inject its
+    own scripts and which ones. Test that the policy object gets constructed
+    properly.
+    """
+    execute_in_page(load_script('common/policy.js'))
+
+    policy = execute_in_page(
+        '''
+        returnval(decide_policy(pqt.make(), "http://unkno.wn/", true, "abcd"));
+        ''')
+    assert policy['allow'] == True
+    for prop in ('mapping', 'payload', 'nonce', 'csp', 'error'):
+        assert prop not in policy
+
+    policy = execute_in_page(
+        '''{
+        const tree = pqt.make();
+        pqt.register(tree, "http://kno.wn", "~allow", 1);
+        returnval(decide_policy(tree, "http://kno.wn/", false, "abcd"));
+        }''')
+    assert policy['allow'] == True
+    assert policy['mapping'] == '~allow'
+    for prop in ('payload', 'nonce', 'csp', 'error'):
+        assert prop not in policy
+
+    policy = execute_in_page(
+        '''
+        returnval(decide_policy(pqt.make(), "http://unkno.wn/", false, "abcd"));
+        '''
+        )
+    assert policy['allow'] == False
+    for prop in ('mapping', 'payload', 'nonce', 'error'):
+        assert prop not in policy
+    assert parse_csp(policy['csp']) == {
+        'prefetch-src':    "'none'",
+        'script-src-attr': "'none'",
+        'script-src':      "'none'",
+        'script-src-elem': "'none'"
+    }
+
+    policy = execute_in_page(
+        '''{
+        const tree = pqt.make();
+        pqt.register(tree, "http://kno.wn", "~allow", 0);
+        returnval(decide_policy(tree, "http://kno.wn/", true, "abcd"));
+        }''')
+    assert policy['allow'] == False
+    assert policy['mapping'] == '~allow'
+    for prop in ('payload', 'nonce', 'error'):
+        assert prop not in policy
+    assert parse_csp(policy['csp']) == {
+        'prefetch-src':    "'none'",
+        'script-src-attr': "'none'",
+        'script-src':      "'none'",
+        'script-src-elem': "'none'"
+    }
+
+    policy = execute_in_page(
+        '''{
+        const tree = pqt.make();
+        pqt.register(tree, "http://kno.wn", "m1", {identifier: "res1"});
+        returnval(decide_policy(tree, "http://kno.wn/", true, "abcd"));
+        }''')
+    assert policy['allow'] == False
+    assert policy['mapping'] == 'm1'
+    assert policy['payload'] == {'identifier': 'res1'}
+    assert 'error' not in policy
+    assert policy['nonce'] == \
+        sha256('m1:res1:http://kno.wn/:abcd'.encode()).digest().hex()
+    assert parse_csp(policy['csp']) == {
+        'prefetch-src':    f"'none'",
+        'script-src-attr': f"'none'",
+        'script-src':      f"'nonce-{policy['nonce']}'",
+        'script-src-elem': f"'nonce-{policy['nonce']}'"
+    }
+
+    policy = execute_in_page(
+        'returnval(decide_policy(pqt.make(), "<bad_url>", true, "abcd"));'
+    )
+    assert policy['allow'] == False
+    assert policy['error'] == {'haketilo_error_type': 'deciding_policy'}
+    for prop in ('mapping', 'payload', 'nonce'):
+        assert prop not in policy
+    assert parse_csp(policy['csp']) == {
+        'prefetch-src':    "'none'",
+        'script-src-attr': "'none'",
+        'script-src':      "'none'",
+        'script-src-elem': "'none'"
+    }