# SPDX-License-Identifier: GPL-3.0-or-later
# Tools for working with Content Security Policy headers.
#
# This file is part of Hydrilla&Haketilo.
#
# Copyright (C) 2022 Wojtek Kosior
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
#
# I, Wojtek Kosior, thereby promise not to sue for violation of this
# file's license. Although I request that you do not make use of this
# code in a proprietary program, I am not going to enforce this in
# court.
"""
.....
"""
import re
import typing as t
import dataclasses as dc
from immutables import Map, MapMutation
from . import http_messages
enforce_header_names = (
'content-security-policy',
'x-content-security-policy',
'x-webkit-csp'
)
header_names = (*enforce_header_names, 'content-security-policy-report-only')
@dc.dataclass
class ContentSecurityPolicy:
directives: Map[str, t.Sequence[str]]
header_name: str = 'Content-Security-Policy'
disposition: str = 'enforce'
def remove(self, directives: t.Sequence[str]) -> 'ContentSecurityPolicy':
mutation = self.directives.mutate()
for name in directives:
mutation.pop(name, None)
return dc.replace(self, directives = mutation.finish())
def extend(self, directives: t.Mapping[str, t.Sequence[str]]) \
-> 'ContentSecurityPolicy':
mutation = self.directives.mutate()
for name, extras in directives.items():
if name in mutation:
mutation[name] = (*mutation[name], *extras)
return dc.replace(self, directives = mutation.finish())
def serialize(self) -> tuple[str, str]:
"""
Produces (name, value) pair suitable for use as an HTTP header.
If a deserialized policy is being reserialized, the resulting value is
not guaranteed to be the same as the original one. It shall be merely
semantically equivalent.
"""
serialized_directives = []
for name, value_seq in self.directives.items():
if all(val == "'none'" for val in value_seq):
value_seq = ["'none'"]
else:
value_seq = [val for val in value_seq if val != "'none'"]
serialized_directives.append(f'{name} {" ".join(value_seq)}')
return (self.header_name, ';'.join(serialized_directives))
@staticmethod
def deserialize(
serialized: str,
header_name: str,
disposition: str = 'enforce'
) -> 'ContentSecurityPolicy':
"""
Parses the policy as required by W3C Working Draft.
Extra whitespace information, invalid/empty directives and the order of
directives are not preserved, only the semantically-relevant information
is.
"""
# For more info, see:
# https://www.w3.org/TR/CSP3/#parse-serialized-policy
empty_directives: Map[str, t.Sequence[str]] = Map()
directives = empty_directives.mutate()
for serialized_directive in serialized.split(';'):
if not serialized_directive.isascii():
continue
serialized_directive = serialized_directive.strip()
if len(serialized_directive) == 0:
continue
tokens = serialized_directive.split()
directive_name = tokens.pop(0).lower()
directive_value = tokens
# Specs mention giving warnings for duplicate directive names but
# from our proxy's perspective this is not important right now.
if directive_name in directives:
continue
directives[directive_name] = directive_value
return ContentSecurityPolicy(
directives = directives.finish(),
header_name = header_name,
disposition = disposition
)
# def extract(headers: http_messages.IHeaders) \
# -> tuple[ContentSecurityPolicy, ...]:
# """...."""
# csp_policies = []
# for header_name, disposition in header_names_and_dispositions:
# for serialized_list in headers.get_all(header_name):
# for serialized in serialized_list.split(','):
# policy = ContentSecurityPolicy.deserialize(
# serialized,
# header_name,
# disposition
# )
# if policy.directives != Map():
# csp_policies.append(policy)
# return tuple(csp_policies)
def modify(
headers: http_messages.IHeaders,
clear: t.Union[t.Sequence[str], t.Literal['all']] = (),
extend: t.Mapping[str, t.Sequence[str]] = Map(),
add: t.Mapping[str, t.Sequence[str]] = Map(),
) -> http_messages.IHeaders:
"""
This function modifies the CSP Headers. The following actions are performed
*in order*
1. report-only CSP Headers are removed,
2. directives with names in `clear` are removed,
3. directives that could cause CSP reports to be sent are removed,
4. directives from `add` are added in a separate Content-Security-Policy,
header.
5. directives from `extend` are merged into the existing directives,
effectively loosening them,
No measures are yet implemented to prevent fingerprinting when serving HTTP
responses with headers modified by this function. Please use wisely, you
have been warned.
"""
headers_list = [
(key, val)
for key, val in headers.items()
if key.lower() not in header_names
]
if clear != 'all':
for name in header_names:
for serialized_list in headers.get_all(name):
for serialized in serialized_list.split(','):
policy = ContentSecurityPolicy.deserialize(serialized, name)
policy = policy.remove((*clear, 'report-to', 'report-uri'))
policy = policy.extend(extend)
if policy.directives != Map():
headers_list.append(policy.serialize())
if add != Map():
csp_to_add = ContentSecurityPolicy(Map(add)).extend(extend)
headers_list.append(csp_to_add.serialize())
return http_messages.make_headers(headers_list)
