Correct UX bugs relating to context status.

Author: GeekInTheNorth

src/Stott.Security.Optimizely.Test/Features/Csp/Reporting/ViolationReportSummaryTests.cs

@@ -18,7 +18,7 @@ public void SanitizedSourceReturnsEitherTheFullDomainOrOriginalString(
         string expectedSanitizedSource)
     {
         // Arrange
-        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, null, null, 1, DateTime.Now);
 
         // Assert
         Assert.That(summary.SanitizedSource, Is.EqualTo(expectedSanitizedSource));
@@ -29,7 +29,7 @@ public void SanitizedSourceReturnsEitherTheFullDomainOrOriginalString(
     public void CreatesAppropriateSuggestionsForWildCardDomains(string source, IList<string> expectedSuggestions)
     {
         // Arrange
-        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, null, null, 1, DateTime.Now);
 
         // Assert
         Assert.That(summary.SourceSuggestions, Is.EquivalentTo(expectedSuggestions));
@@ -40,7 +40,7 @@ public void CreatesAppropriateSuggestionsForWildCardDomains(string source, IList
     public void CreatesASingleSuggestionMatchingTheSourceWhenSourceIsNotAUrl(string source)
     {
         // Arrange
-        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, null, null, 1, DateTime.Now);
 
         // Assert
         Assert.Multiple(() =>
@@ -55,7 +55,7 @@ public void CreatesASingleSuggestionMatchingTheSourceWhenSourceIsNotAUrl(string
     public void CreatesAppropriateSuggestionsForDirectives(string directive, IList<string> expectedDirectives)
     {
         // Arrange
-        var summary = new ViolationReportSummary(Guid.NewGuid(), string.Empty, directive, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), string.Empty, directive, null, null, 1, DateTime.Now);
 
         // Assert
         Assert.That(summary.DirectiveSuggestions, Is.EquivalentTo(expectedDirectives));

src/Stott.Security.Optimizely.Test/Features/PermissionPolicy/PermissionPolicyControllerTests.cs

@@ -235,31 +235,31 @@ public void DeleteDirectives_WhenServiceThrowsException_ThenExceptionIsRethrown(
     public async Task GetSettings_WhenOverrideExists_ThenIsInheritedIsFalse()
     {
         // Arrange
-        _mockService.Setup(x => x.HasOverrideAsync("app1", null)).ReturnsAsync(true);
+        _mockService.Setup(x => x.ExistsForContextAsync("app1", null)).ReturnsAsync(true);
         _mockService.Setup(x => x.GetPermissionPolicySettingsAsync("app1", null))
             .ReturnsAsync(new PermissionPolicySettingsModel { IsEnabled = true });
 
         // Act
         var result = await _controller.GetSettings("app1", null);
 
         // Assert
-        _mockService.Verify(x => x.HasOverrideAsync("app1", null), Times.Once);
+        _mockService.Verify(x => x.ExistsForContextAsync("app1", null), Times.Once);
         _mockService.Verify(x => x.GetPermissionPolicySettingsAsync("app1", null), Times.Once);
     }
 
     [Test]
     public async Task GetSettings_WhenNoOverrideExists_ThenIsInheritedIsTrue()
     {
         // Arrange
-        _mockService.Setup(x => x.HasOverrideAsync("app1", null)).ReturnsAsync(false);
+        _mockService.Setup(x => x.ExistsForContextAsync("app1", null)).ReturnsAsync(false);
         _mockService.Setup(x => x.GetPermissionPolicySettingsAsync("app1", null))
             .ReturnsAsync(new PermissionPolicySettingsModel { IsEnabled = false });
 
         // Act
         var result = await _controller.GetSettings("app1", null);
 
         // Assert
-        _mockService.Verify(x => x.HasOverrideAsync("app1", null), Times.Once);
+        _mockService.Verify(x => x.ExistsForContextAsync("app1", null), Times.Once);
         _mockService.Verify(x => x.GetPermissionPolicySettingsAsync("app1", null), Times.Once);
     }
 

src/Stott.Security.Optimizely.Test/Features/PermissionPolicy/Services/PermissionPolicyServiceTests.cs

@@ -446,7 +446,7 @@ public async Task HasOverrideAsync_WhenSettingsByContextReturnsNonNull_ThenRetur
             .ReturnsAsync(new PermissionPolicySettingsModel());
 
         // Act
-        var result = await _service.HasOverrideAsync("app1", null);
+        var result = await _service.ExistsForContextAsync("app1", null);
 
         // Assert
         Assert.That(result, Is.True);
@@ -460,7 +460,7 @@ public async Task HasOverrideAsync_WhenSettingsByContextReturnsNull_ThenReturnsF
             .ReturnsAsync((PermissionPolicySettingsModel?)null);
 
         // Act
-        var result = await _service.HasOverrideAsync("app1", null);
+        var result = await _service.ExistsForContextAsync("app1", null);
 
         // Assert
         Assert.That(result, Is.False);

src/Stott.Security.Optimizely/Features/Csp/Reporting/Repository/CspViolationReportRepository.cs

@@ -86,28 +86,29 @@ public async Task<IList<ViolationReportSummary>> GetReportAsync(string? source,
         // - Include host-specific records when both appId and hostName are provided
         if (!string.IsNullOrWhiteSpace(appId) && !string.IsNullOrWhiteSpace(hostName))
         {
-            query = query.Where(x => x.AppId == null || x.AppId == string.Empty
-                                  || (x.AppId == appId && (x.HostName == null || x.HostName == string.Empty))
-                                  || (x.AppId == appId && x.HostName == hostName));
+            query = query.Where(x => x.AppId == appId && x.HostName == hostName);
         }
         else if (!string.IsNullOrWhiteSpace(appId))
         {
-            query = query.Where(x => x.AppId == null || x.AppId == string.Empty
-                                  || x.AppId == appId);
+            query = query.Where(x => x.AppId == appId);
         }
 
         // Groups violations by BlockedUri and Violated Directive and gets the latest stats.
         var violations = await (from violation in query
                                 group violation by new
                                 {
                                     violation.BlockedUri,
-                                    violation.ViolatedDirective
+                                    violation.ViolatedDirective,
+                                    violation.AppId,
+                                    violation.HostName
                                 } into violationGroup
                                 select new
                                 {
                                     Id = violationGroup.Select(x => x.Id).First(),
                                     Source = violationGroup.Key.BlockedUri,
                                     Directive = violationGroup.Key.ViolatedDirective,
+                                    violationGroup.Key.AppId,
+                                    violationGroup.Key.HostName,
                                     Violations = violationGroup.Sum(y => y.Instances),
                                     LastViolated = violationGroup.Max(y => y.LastReported)
                                 }).ToListAsync();
@@ -124,7 +125,7 @@ public async Task<IList<ViolationReportSummary>> GetReportAsync(string? source,
 
         // Convert to a model collection with a unique Id per row.
         return violations.Where(x => x.LastViolated >= threshold)
-                         .Select(x => new ViolationReportSummary(x.Id, x.Source, x.Directive, x.Violations, x.LastViolated))
+                         .Select(x => new ViolationReportSummary(x.Id, x.Source, x.Directive, x.AppId, x.HostName, x.Violations, x.LastViolated))
                          .OrderByDescending(x => x.LastViolated)
                          .ToList();
     }

src/Stott.Security.Optimizely/Features/Csp/Reporting/ViolationReportSummary.cs

@@ -14,6 +14,10 @@ public sealed class ViolationReportSummary
 
     public string SanitizedSource { get; }
 
+    public string? AppId { get; }
+
+    public string? HostName { get; }
+
     public IList<string> SourceSuggestions { get; }
 
     public string Directive { get; set; }
@@ -28,12 +32,16 @@ public ViolationReportSummary(
         Guid key,
         string? source,
         string? directive,
+        string? appId,
+        string? hostName,
         int violations,
         DateTime lastViolated)
     {
         Key = key;
         Source = source ?? string.Empty;
         Directive = directive ?? string.Empty;
+        AppId = appId;
+        HostName = hostName;
         Violations = violations;
         LastViolated = lastViolated;
 

src/Stott.Security.Optimizely/Features/Csp/Sandbox/CspSandboxController.cs

@@ -24,11 +24,10 @@ public async Task<IActionResult> Get(string? appId, string? hostName)
     {
         try
         {
-            var sanitizedHost = hostName.GetSanitizedHostDomain();
-            var contextData = await service.GetByContextAsync(appId, sanitizedHost);
-            var isInherited = contextData == null && (!string.IsNullOrWhiteSpace(appId) || !string.IsNullOrWhiteSpace(sanitizedHost));
-            contextData ??= await service.GetAsync(appId, sanitizedHost);
-            var data = CspSandboxMapper.MapToResponse(contextData, isInherited);
+            var sanitizedHostName = hostName.GetSanitizedHostDomain();
+            var existsForContext = await service.ExistsForContextAsync(appId, sanitizedHostName);
+            var contextData = await service.GetAsync(appId, sanitizedHostName);
+            var data = CspSandboxMapper.MapToResponse(contextData, !existsForContext);
 
             return CreateSuccessJson(data);
         }

src/Stott.Security.Optimizely/Features/Csp/Sandbox/Service/CspSandboxService.cs

@@ -26,11 +26,6 @@ public async Task<SandboxModel> GetAsync(string? appId, string? hostName)
         return settings;
     }
 
-    public async Task<SandboxModel?> GetByContextAsync(string? appId, string? hostName)
-    {
-        return await repository.GetByContextAsync(appId, hostName);
-    }
-
     public async Task SaveAsync(SandboxModel model, string? modifiedBy, string? appId, string? hostName)
     {
         if (string.IsNullOrWhiteSpace(modifiedBy))
@@ -55,6 +50,17 @@ public async Task DeleteByContextAsync(string? appId, string? hostName, string?
         cacheWrapper.RemoveAll();
     }
 
+    public async Task<bool> ExistsForContextAsync(string? appId, string? hostName)
+    {
+        if (string.IsNullOrWhiteSpace(appId) && string.IsNullOrWhiteSpace(hostName))
+        {
+            return true;
+        }
+
+        var actualSettings = await repository.GetByContextAsync(appId, hostName);
+        return actualSettings is not null;
+    }
+
     private static string GetCacheKey(string? appId, string? hostName)
     {
         return $"{CacheKeyPrefix}.{appId ?? "global"}.{hostName ?? "all"}";

src/Stott.Security.Optimizely/Features/Csp/Sandbox/Service/ICspSandboxService.cs

@@ -16,14 +16,6 @@ public interface ICspSandboxService
     /// <returns></returns>
     Task<SandboxModel> GetAsync(string? appId, string? hostName);
 
-    /// <summary>
-    /// Gets sandbox settings without using fallbacks.
-    /// </summary>
-    /// <param name="appId"></param>
-    /// <param name="hostName"></param>
-    /// <returns></returns>
-    Task<SandboxModel?> GetByContextAsync(string? appId, string? hostName);
-
     /// <summary>
     /// Saves a specific sandbox settings for a given application and host context.
     /// </summary>
@@ -42,4 +34,12 @@ public interface ICspSandboxService
     /// <param name="deletedBy"></param>
     /// <returns></returns>
     Task DeleteByContextAsync(string? appId, string? hostName, string? deletedBy);
+
+    /// <summary>
+    /// Determines whether sandbox settings exist for a specific context (appId and hostName) that would override inherited settings.
+    /// </summary>
+    /// <param name="appId"></param>
+    /// <param name="hostName"></param>
+    /// <returns></returns>
+    Task<bool> ExistsForContextAsync(string? appId, string? hostName);
 }

src/Stott.Security.Optimizely/Features/Csp/Settings/CspSettingsController.cs

@@ -24,9 +24,9 @@ public async Task<IActionResult> Get(string? appId, string? hostName)
     {
         try
         {
-            var contextData = await service.GetByContextAsync(appId, hostName);
-            var isInherited = contextData == null && (!string.IsNullOrWhiteSpace(appId) || !string.IsNullOrWhiteSpace(hostName));
-            var data = contextData ?? await service.GetAsync(appId, hostName.GetSanitizedHostDomain());
+            var sanitizedHostName = hostName.GetSanitizedHostDomain();
+            var existsForContext = await service.ExistsForContextAsync(appId, sanitizedHostName);
+            var data = await service.GetAsync(appId, sanitizedHostName);
 
             return CreateSuccessJson(new CspSettingsResponseModel
             {
@@ -38,7 +38,7 @@ public async Task<IActionResult> Get(string? appId, string? hostName)
                 UseInternalReporting = data.UseInternalReporting,
                 UseExternalReporting = data.UseExternalReporting,
                 ExternalReportToUrl = data.ExternalReportToUrl ?? string.Empty,
-                IsInherited = isInherited
+                IsInherited = !existsForContext
             });
         }
         catch (Exception exception)

src/Stott.Security.Optimizely/Features/Csp/Settings/Service/CspSettingsService.cs

@@ -26,11 +26,6 @@ public async Task<CspSettings> GetAsync(string? appId, string? hostName)
         return settings;
     }
 
-    public async Task<CspSettings?> GetByContextAsync(string? appId, string? hostName)
-    {
-        return await repository.GetByContextAsync(appId, hostName);
-    }
-
     public async Task SaveAsync(ICspSettings? cspSettings, string? modifiedBy, string? appId, string? hostName)
     {
         if (cspSettings is null || string.IsNullOrWhiteSpace(modifiedBy))
@@ -55,6 +50,17 @@ public async Task DeleteByContextAsync(string? appId, string? hostName, string?
         cache.RemoveAll();
     }
 
+    public async Task<bool> ExistsForContextAsync(string? appId, string? hostName)
+    {
+        if (string.IsNullOrWhiteSpace(appId) && string.IsNullOrWhiteSpace(hostName))
+        {
+            return false;
+        }
+
+        var actualSettings = await repository.GetByContextAsync(appId, hostName);
+        return actualSettings is not null;
+    }
+
     private static string GetCacheKey(string? appId, string? hostName)
     {
         return $"{CacheKeyPrefix}.{appId ?? "global"}.{hostName ?? "all"}";