test/couchdb_csp_tests.erl - couchdb-couch - Git at Google

 % Licensed under the Apache License, Version 2.0 (the "License"); you may not
 % use this file except in compliance with the License. You may obtain a copy of
 % the License at
 %
 %   http://www.apache.org/licenses/LICENSE-2.0
 %
 % Unless required by applicable law or agreed to in writing, software
 % distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 % WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 % License for the specific language governing permissions and limitations under
 % the License.

 -module(couchdb_csp_tests).

 -include_lib("couch/include/couch_eunit.hrl").

 -define(TIMEOUT, 1000).


 setup() ->
     ok = config:set("csp", "enable", "true", false),
     Addr = config:get("httpd", "bind_address", "127.0.0.1"),
     Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
     lists:concat(["http://", Addr, ":", Port, "/_utils/"]).

 teardown(_) ->
     ok.


 csp_test_() ->
     {
         "Content Security Policy tests",
         {
             setup,
             fun test_util:start_couch/0, fun test_util:stop_couch/1,
             {
                 foreach,
                 fun setup/0, fun teardown/1,
                 [
                     fun should_not_return_any_csp_headers_when_disabled/1,
                     fun should_apply_default_policy/1,
                     fun should_return_custom_policy/1,
                     fun should_only_enable_csp_when_true/1
                 ]
             }
         }
     }.


 should_not_return_any_csp_headers_when_disabled(Url) ->
     ?_assertEqual(undefined,
         begin
             ok = config:set("csp", "enable", "false", false),
             {ok, _, Headers, _} = test_request:get(Url),
             proplists:get_value("Content-Security-Policy", Headers)
         end).

 should_apply_default_policy(Url) ->
     ?_assertEqual(
         "default-src 'self'; img-src 'self' data:; font-src 'self'; "
         "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
         begin
             {ok, _, Headers, _} = test_request:get(Url),
             proplists:get_value("Content-Security-Policy", Headers)
         end).

 should_return_custom_policy(Url) ->
     ?_assertEqual("default-src 'http://example.com';",
         begin
             ok = config:set("csp", "header_value",
                                   "default-src 'http://example.com';", false),
             {ok, _, Headers, _} = test_request:get(Url),
             proplists:get_value("Content-Security-Policy", Headers)
         end).

 should_only_enable_csp_when_true(Url) ->
     ?_assertEqual(undefined,
         begin
             ok = config:set("csp", "enable", "tru", false),
             {ok, _, Headers, _} = test_request:get(Url),
             proplists:get_value("Content-Security-Policy", Headers)
         end).
	% Licensed under the Apache License, Version 2.0 (the "License"); you may not
	% use this file except in compliance with the License. You may obtain a copy of
	% the License at
	%
	% http://www.apache.org/licenses/LICENSE-2.0
	%
	% Unless required by applicable law or agreed to in writing, software
	% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	% License for the specific language governing permissions and limitations under
	% the License.

	-module(couchdb_csp_tests).

	-include_lib("couch/include/couch_eunit.hrl").

	-define(TIMEOUT, 1000).


	setup() ->
	ok = config:set("csp", "enable", "true", false),
	Addr = config:get("httpd", "bind_address", "127.0.0.1"),
	Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
	lists:concat(["http://", Addr, ":", Port, "/_utils/"]).

	teardown(_) ->
	ok.


	csp_test_() ->
	{
	"Content Security Policy tests",
	{
	setup,
	fun test_util:start_couch/0, fun test_util:stop_couch/1,
	{
	foreach,
	fun setup/0, fun teardown/1,
	[
	fun should_not_return_any_csp_headers_when_disabled/1,
	fun should_apply_default_policy/1,
	fun should_return_custom_policy/1,
	fun should_only_enable_csp_when_true/1
	]
	}
	}
	}.


	should_not_return_any_csp_headers_when_disabled(Url) ->
	?_assertEqual(undefined,
	begin
	ok = config:set("csp", "enable", "false", false),
	{ok, _, Headers, _} = test_request:get(Url),
	proplists:get_value("Content-Security-Policy", Headers)
	end).

	should_apply_default_policy(Url) ->
	?_assertEqual(
	"default-src 'self'; img-src 'self' data:; font-src 'self'; "
	"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
	begin
	{ok, _, Headers, _} = test_request:get(Url),
	proplists:get_value("Content-Security-Policy", Headers)
	end).

	should_return_custom_policy(Url) ->
	?_assertEqual("default-src 'http://example.com';",
	begin
	ok = config:set("csp", "header_value",
	"default-src 'http://example.com';", false),
	{ok, _, Headers, _} = test_request:get(Url),
	proplists:get_value("Content-Security-Policy", Headers)
	end).

	should_only_enable_csp_when_true(Url) ->
	?_assertEqual(undefined,
	begin
	ok = config:set("csp", "enable", "tru", false),
	{ok, _, Headers, _} = test_request:get(Url),
	proplists:get_value("Content-Security-Policy", Headers)
	end).