<?php
namespace Drupal\Tests\csp\Unit\EventSubscriber;
use Drupal\Core\Asset\LibraryDependencyResolverInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Render\HtmlResponse;
use Drupal\csp\Csp;
use Drupal\csp\CspEvents;
use Drupal\csp\Event\PolicyAlterEvent;
use Drupal\csp\EventSubscriber\CoreCspSubscriber;
use Drupal\Tests\UnitTestCase;
/**
 * Unit tests for CoreCspSubscriber's reaction to the policy-alter event.
 *
 * Each case builds a Csp policy, makes the mocked HtmlResponse report a set of
 * attachments, hands a PolicyAlterEvent to onCspPolicyAlter() and then
 * inspects the directives found on the event's policy.
 *
 * Security note: the CKEditor cases pin the exact amount of relaxation that is
 * expected. For scripts, script-src and script-src-attr are expected to gain
 * Csp::POLICY_UNSAFE_INLINE while script-src-elem is expected to remain
 * Csp::POLICY_SELF; for styles all three style directives are expected to gain
 * it. Csp::POLICY_UNSAFE_INLINE is presumably the CSP 'unsafe-inline' source
 * keyword (its value is defined in Csp, not in this file). A change that
 * widens any expectation here loosens the enforced policy and deserves a
 * security review. NOTE(review): browsers that do not implement the -attr and
 * -elem directives enforce script-src alone, so the script-src-elem
 * restriction asserted below does not protect those clients.
 */
class CoreCspSubscriberTest extends UnitTestCase {

  /**
   * Mocked library dependency resolver.
   *
   * @var \Drupal\Core\Asset\LibraryDependencyResolverInterface|\PHPUnit\Framework\MockObject\MockObject
   */
  private $libraryDependencyResolver;

  /**
   * Mocked module handler.
   *
   * @var \Drupal\Core\Extension\ModuleHandlerInterface|\PHPUnit\Framework\MockObject\MockObject
   */
  private $moduleHandler;

  /**
   * The subscriber under test.
   *
   * @var \Drupal\csp\EventSubscriber\CoreCspSubscriber
   */
  private $coreCspSubscriber;

  /**
   * Mocked response whose getAttachments() result each test configures.
   *
   * @var \Drupal\Core\Render\HtmlResponse|\PHPUnit\Framework\MockObject\MockObject
   */
  private $response;

  /**
   * Creates the mocked collaborators and the subscriber under test.
   */
  public function setUp(): void {
    parent::setUp();

    $resolver = $this->buildMock(LibraryDependencyResolverInterface::class);
    // Echo the first argument back, so the library list handed to the
    // resolver is returned as-is.
    $resolver
      ->method('getLibrariesWithDependencies')
      ->willReturnArgument(0);
    $this->libraryDependencyResolver = $resolver;

    $this->moduleHandler = $this->buildMock(ModuleHandlerInterface::class);
    $this->response = $this->buildMock(HtmlResponse::class);

    $this->coreCspSubscriber = new CoreCspSubscriber(
      $this->libraryDependencyResolver,
      $this->moduleHandler
    );
  }

  /**
   * Builds a mock of the given type without running its constructor.
   *
   * @param string $class
   *   Fully qualified class or interface name.
   *
   * @return \PHPUnit\Framework\MockObject\MockObject
   *   The mock object.
   */
  private function buildMock(string $class) {
    return $this
      ->getMockBuilder($class)
      ->disableOriginalConstructor()
      ->getMock();
  }

  /**
   * Builds a policy and applies the given directives in array order.
   *
   * @param array $directives
   *   Source lists keyed by directive name.
   *
   * @return \Drupal\csp\Csp
   *   The new policy.
   */
  private function buildPolicy(array $directives): Csp {
    $policy = new Csp();
    foreach ($directives as $name => $sources) {
      $policy->setDirective($name, $sources);
    }
    return $policy;
  }

  /**
   * Runs the subscriber against a policy for a response with attachments.
   *
   * @param \Drupal\csp\Csp $policy
   *   The policy wrapped by the event.
   * @param array $attachments
   *   The value the mocked response returns from getAttachments().
   *
   * @return \Drupal\csp\Event\PolicyAlterEvent
   *   The event after it was passed to onCspPolicyAlter().
   */
  private function dispatchPolicyAlter(Csp $policy, array $attachments): PolicyAlterEvent {
    $this->response
      ->method('getAttachments')
      ->willReturn($attachments);

    $event = new PolicyAlterEvent($policy, $this->response);
    $this->coreCspSubscriber->onCspPolicyAlter($event);

    return $event;
  }

  /**
   * Reads one directive from the policy carried by the event.
   *
   * @param \Drupal\csp\Event\PolicyAlterEvent $event
   *   The event to read from.
   * @param string $name
   *   The directive name.
   *
   * @return mixed
   *   Whatever getDirective() returns for that name.
   */
  private function alteredDirective(PolicyAlterEvent $event, string $name) {
    return $event->getPolicy()->getDirective($name);
  }

  /**
   * Checks that getSubscribedEvents() lists CspEvents::POLICY_ALTER.
   */
  public function testSubscribedEvents() {
    $subscribed = CoreCspSubscriber::getSubscribedEvents();

    $this->assertArrayHasKey(CspEvents::POLICY_ALTER, $subscribed);
  }

  /**
   * A response that reports no attachments must be handled without error.
   *
   * Nothing about the policy is asserted; the assertion count is bumped by
   * hand, presumably so the test is not reported as asserting nothing.
   */
  public function testNoAttachments() {
    $this->dispatchPolicyAlter($this->buildPolicy([]), []);

    $this->addToAssertionCount(1);
  }

  /**
   * An empty policy must not gain script directives when CKEditor is attached.
   */
  public function testCkeditorScriptNoDirectives() {
    $event = $this->dispatchPolicyAlter(
      $this->buildPolicy([]),
      ['library' => ['core/ckeditor']]
    );

    foreach (['script-src', 'script-src-attr', 'script-src-elem'] as $name) {
      $this->assertFalse($event->getPolicy()->hasDirective($name));
    }
  }

  /**
   * With all script directives set, only script-src and -attr are relaxed.
   *
   * script-src-elem is expected to stay at Csp::POLICY_SELF.
   */
  public function testCkeditorScript() {
    $selfOnly = [Csp::POLICY_SELF];
    $selfAndInline = [Csp::POLICY_SELF, Csp::POLICY_UNSAFE_INLINE];

    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_ANY],
      'script-src' => $selfOnly,
      'script-src-attr' => $selfOnly,
      'script-src-elem' => $selfOnly,
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['core/ckeditor']]);

    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'script-src'));
    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'script-src-attr'));
    $this->assertEquals($selfOnly, $this->alteredDirective($event, 'script-src-elem'));
  }

  /**
   * With only script-src set, -attr and -elem are expected on the result.
   *
   * script-src-attr is compared after array_unique(), so repeated sources in
   * the returned directive are tolerated.
   */
  public function testCkeditorScriptAttrFallback() {
    $selfOnly = [Csp::POLICY_SELF];
    $selfAndInline = [Csp::POLICY_SELF, Csp::POLICY_UNSAFE_INLINE];

    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_ANY],
      'script-src' => $selfOnly,
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['core/ckeditor']]);

    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'script-src'));
    $this->assertEquals($selfAndInline, array_unique($this->alteredDirective($event, 'script-src-attr')));
    $this->assertEquals($selfOnly, $this->alteredDirective($event, 'script-src-elem'));
  }

  /**
   * With only default-src set, all three script directives are expected.
   *
   * script-src-elem is still expected to be Csp::POLICY_SELF alone.
   */
  public function testCkeditorScriptDefaultFallback() {
    $selfOnly = [Csp::POLICY_SELF];
    $selfAndInline = [Csp::POLICY_SELF, Csp::POLICY_UNSAFE_INLINE];

    $policy = $this->buildPolicy([
      'default-src' => $selfOnly,
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['core/ckeditor']]);

    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'script-src'));
    $this->assertEquals($selfAndInline, array_unique($this->alteredDirective($event, 'script-src-attr')));
    $this->assertEquals($selfOnly, $this->alteredDirective($event, 'script-src-elem'));
  }

  /**
   * With all style directives set, each one gains Csp::POLICY_UNSAFE_INLINE.
   */
  public function testCkeditorStyle() {
    $selfOnly = [Csp::POLICY_SELF];
    $selfAndInline = [Csp::POLICY_SELF, Csp::POLICY_UNSAFE_INLINE];

    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_ANY],
      'style-src' => $selfOnly,
      'style-src-attr' => $selfOnly,
      'style-src-elem' => $selfOnly,
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['ckeditor/drupal.ckeditor']]);

    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'style-src'));
    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'style-src-attr'));
    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'style-src-elem'));
  }

  /**
   * With only style-src set, -attr and -elem are expected on the result.
   *
   * Both are compared after array_unique(), so repeated sources are tolerated.
   */
  public function testCkeditorStyleElemFallback() {
    $selfAndInline = [Csp::POLICY_SELF, Csp::POLICY_UNSAFE_INLINE];

    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_ANY],
      'style-src' => [Csp::POLICY_SELF],
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['ckeditor/drupal.ckeditor']]);

    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'style-src'));
    $this->assertEquals($selfAndInline, array_unique($this->alteredDirective($event, 'style-src-attr')));
    $this->assertEquals($selfAndInline, array_unique($this->alteredDirective($event, 'style-src-elem')));
  }

  /**
   * With only default-src set, all three style directives are expected.
   */
  public function testCkeditorStyleDefaultFallback() {
    $selfAndInline = [Csp::POLICY_SELF, Csp::POLICY_UNSAFE_INLINE];

    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_SELF],
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['ckeditor/drupal.ckeditor']]);

    $this->assertEquals($selfAndInline, $this->alteredDirective($event, 'style-src'));
    $this->assertEquals($selfAndInline, array_unique($this->alteredDirective($event, 'style-src-attr')));
    $this->assertEquals($selfAndInline, array_unique($this->alteredDirective($event, 'style-src-elem')));
  }

  /**
   * An empty font-src gains only the Google Fonts host for umami/webfonts.
   */
  public function testUmamiFont() {
    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_ANY],
      'font-src' => [],
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['umami/webfonts']]);

    $expected = ['https://fonts.gstatic.com'];
    $this->assertEquals($expected, $this->alteredDirective($event, 'font-src'));
  }

  /**
   * Without font-src, the result is expected to hold self plus the font host.
   *
   * Only default-src (Csp::POLICY_SELF) is set before the event is handled.
   */
  public function testUmamiFontDefaultFallback() {
    $policy = $this->buildPolicy([
      'default-src' => [Csp::POLICY_SELF],
    ]);
    $event = $this->dispatchPolicyAlter($policy, ['library' => ['umami/webfonts']]);

    $expected = [
      Csp::POLICY_SELF,
      'https://fonts.gstatic.com',
    ];
    $this->assertEquals($expected, $this->alteredDirective($event, 'font-src'));
  }

}