Merge pull request #206 from GeekInTheNorth/release/v2.6.0

Release 2.6.0

Author: GeekInTheNorth

Images/TabList.png

@@ -16,13 +16,14 @@ Stott Security is a free to use module, however if you want to show your support
 
 ## Interface
 
-The user interface is split into 7 tabs:
+The user interface is split into 8 tabs:
 
 - Tabs 1 to 3 focus on the Content Security Policy.
 - Tab 4 focuses on the Cross Origin Resource Sharing functionality.
 - Tab 5 focuses on miscellaneous response headers.
 - Tab 6 provides you with a preview of the headers the module will generate.
 - Tab 7 provides you with the audit history for all changes made within the module.
+- Tab 8 provides you with additional tools to import and export settings.
 
 ![CSP Settings Tab](/Images/TabList.png)
 
@@ -87,15 +88,15 @@ Recommendations:
 
 The CSP Violations tab is the forth tab dedicated to managing your Content Security Policy.  This tab requires a developer to add the reporting view component to the website (read more below under CSP Reporting).  When the plugin receives a report of a violation of the Content Security Policy, it will make a record of the third party source and what directive was violated. This is then presented to the user so that that can see how often a violation is happening and when it last happened.  A handy **Create CSP Entry** button allows the user to quickly merge the violated source and directive into the Content Security Policy.
 
-**Updated in version 2.0.0.0 to include source and directive filtering.**
+**Updated in version 2.0.0 to include source and directive filtering.**
 
 ![CSP Violations Tab](/Images/CspViolationTab.png)
 
 ### Cross Origin Resource Sharing
 
-**New in version 2.0.0.0**
+**New in version 2.0.0**
 
-The CORS tab is new in version 2.0.0.0 and allows the user to configure the Cross-Origin Resource Sharing headers for the website.  This is used to grant permissions to third party websites to consume APIs and content from your website.  As trends have moved towards headless and hybrid solutions, controlling your CORS headers can be essential to allowing hybrid solutions to work.
+The CORS tab is new in version 2.0.0 and allows the user to configure the Cross-Origin Resource Sharing headers for the website.  This is used to grant permissions to third party websites to consume APIs and content from your website.  As trends have moved towards headless and hybrid solutions, controlling your CORS headers can be essential to allowing hybrid solutions to work.
 
 ![CORS Tab](/Images/CorsTab.png)
 
@@ -113,7 +114,7 @@ The CORS tab is new in version 2.0.0.0 and allows the user to configure the Cros
 
 The Security Headers tab is a catch all for many simple security headers.  Some of these are deprecated by the existance of a Content Security Policy, but may still be required for older browsers which do not support a Content Security Policy.
 
-![CORS Tab](/Images/SecurityHeadersTab1.png)
+![Security Headers Tab](/Images/SecurityHeadersTab1.png)
 
 | Setting | Default | Recommended |
 |---------|---------|-------------|
@@ -124,15 +125,15 @@ The Security Headers tab is a catch all for many simple security headers.  Some
 
 Please note that the X-XSS-Protection header is classed as non-standard and deprecated by the Content Security Policy and in some implementations can introduce vulnerabilities.  This option may be removed in future. You can read more here: [X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
 
-![CORS Tab](/Images/SecurityHeadersTab2.png)
+![Security Headers Tab](/Images/SecurityHeadersTab2.png)
 
 | Setting | Default | Recommended |
 |---------|---------|-------------|
 | Include Cross Origin Embedder Policy (Cross-Origin-Embedder-Policy) | disabled | Requires CORP |
 | Include Cross Origin Opener Policy (Cross-Origin-Opener-Policy) | disabled | Same Origin |
 | Include Cross Origin Resource Policy (Cross-Origin-Resource-Policy) | disabled | Same Origin |
 
-![CORS Tab](/Images/SecurityHeadersTab3.png)
+![Security Headers Tab](/Images/SecurityHeadersTab3.png)
 
 | Setting | Default | Recommended |
 |---------|---------|-------------|
@@ -144,7 +145,7 @@ Please note that the X-XSS-Protection header is classed as non-standard and depr
 
 The preview screen will show you the compiled headers that will be returned as part of any GET request.  This does not include CORS headers as these vary based on request or may only be exposed as part of a pre-flight request by the browser.
 
-**New in version 2.2.0.0**
+**New in version 2.2.0**
 
 ![CORS Tab](/Images/PreviewTab.png)
 
@@ -156,6 +157,14 @@ Please note that this module does not contain any code that clears down the audi
 
 ![CORS Tab](/Images/AuditTab.png)
 
+## Tools
+
+The tools tab introduces the ability to import and export your entire configuration.  The Export function will provide you with a JSON file of all of your configuration settings.  The Import function will require the same JSON file structure and will validate the content of the configuration before applying it.
+
+**New in version 2.6.0**
+
+![Tools Tab](/Images/ToolsTab.png)
+
 ## Configuration
 
 After pulling in a reference to the Stott.Security.Optimizely project, you only need to ensure the following lines are added to the startup class of your solution:

Images/ToolsTab.png

@@ -1,11 +1,14 @@
 namespace OptimizelyTwelveTest;
 
+using System;
+
 using EPiServer.Cms.UI.AspNetIdentity;
 using EPiServer.Scheduler;
 using EPiServer.Web.Routing;
 
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Net.Http.Headers;
@@ -38,7 +41,6 @@ public void ConfigureServices(IServiceCollection services)
             });
         }
 
-        services.AddRazorPages();
         services.AddCmsAspNetIdentity<ApplicationUser>();
 
         // Various serialization formats.
@@ -107,15 +109,15 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         app.UseResponseCaching();
         app.Use(async (context, next) =>
         {
-            if (context.Request is not null)
+            if (context.Request is not null && !context.Request.Path.Value.StartsWith("/episerver/", StringComparison.OrdinalIgnoreCase))
             {
                 if (context.Response.Headers.ContainsKey(HeaderNames.CacheControl))
                 {
                     context.Response.Headers[HeaderNames.CacheControl] = "no-cache, max-age=0";
                 }
                 else
                 {
-                    context.Response.Headers.Add(HeaderNames.CacheControl, "no-cache, max-age=0");
+                    context.Response.Headers.Append(HeaderNames.CacheControl, "no-cache, max-age=0");
                 }
             }
 
@@ -133,7 +135,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         app.UseEndpoints(endpoints =>
         {
             endpoints.MapContent();
-            endpoints.MapRazorPages();
+            endpoints.MapControllers();
         });
     }
 }

README.md

@@ -10,7 +10,7 @@
   "urls": "http://*:8000/;https://*:8001/;",
   "AllowedHosts": "*",
   "ConnectionStrings": {
-    "EPiServerDB": "Server=.\\SQLEXPRESS;Database=EPiServerDB_565f2030;User Id=EPiServerDB_0aa972a3User;Password=R4&leNE*JIjF4bFA@3d^O42hN;MultipleActiveResultSets=True;trustServerCertificate=true"
+    "EPiServerDB": "Server=.\\SQLEXPRESS;Database=EPiServerDB_565f2030;User Id=EPiServerDB_0aa972a3User;Password=R4&leNE*JIjF4bFA@3d^O42hN;MultipleActiveResultSets=False;trustServerCertificate=true"
   },
   "EPiServer": {
     "Find": {

Sample/OptimizelyTwelveTest/Startup.cs

@@ -15,13 +15,13 @@
 using Stott.Security.Optimizely.Features.AllowList;
 using Stott.Security.Optimizely.Features.Caching;
 using Stott.Security.Optimizely.Features.Permissions.Service;
-using Stott.Security.Optimizely.Features.Settings.Repository;
+using Stott.Security.Optimizely.Features.Settings.Service;
 using Stott.Security.Optimizely.Test.TestCases;
 
 [TestFixture]
 public class AllowListServiceTests
 {
-    private Mock<ICspSettingsRepository> _mockSettingsRepository;
+    private Mock<ICspSettingsService> _mockSettingsService;
 
     private Mock<IAllowListRepository> _mockRepository;
 
@@ -36,14 +36,14 @@ public class AllowListServiceTests
     [SetUp]
     public void SetUp()
     {
-        _mockSettingsRepository = new Mock<ICspSettingsRepository>();
+        _mockSettingsService = new Mock<ICspSettingsService>();
         _mockRepository = new Mock<IAllowListRepository>();
         _mockCspPermissionService = new Mock<ICspPermissionService>();
         _mockLogger = new Mock<ILogger<IAllowListService>>();
         _mockCacheWrapper = new Mock<ICacheWrapper>();
 
         _allowListService = new AllowListService(
-            _mockSettingsRepository.Object,
+            _mockSettingsService.Object,
             _mockRepository.Object,
             _mockCspPermissionService.Object,
             _mockCacheWrapper.Object,
@@ -72,7 +72,7 @@ public void Constructor_GivenANullAllowListRepositoryThenAnArgumentNullException
         Assert.Throws<ArgumentNullException>(() => 
         { 
             new AllowListService(
-                _mockSettingsRepository.Object, 
+                _mockSettingsService.Object, 
                 null, 
                 _mockCspPermissionService.Object, 
                 _mockCacheWrapper.Object,
@@ -87,7 +87,7 @@ public void Constructor_GivenANullCspPermissionServiceThenAnArgumentNullExceptio
         Assert.Throws<ArgumentNullException>(() => 
         { 
             new AllowListService(
-                _mockSettingsRepository.Object, 
+                _mockSettingsService.Object, 
                 _mockRepository.Object, 
                 null, 
                 _mockCacheWrapper.Object,
@@ -102,7 +102,7 @@ public void Constructor_GivenANullCacheWrapperThenAnArgumentNullExceptionIsThrow
         Assert.Throws<ArgumentNullException>(() =>
         {
             new AllowListService(
-                _mockSettingsRepository.Object,
+                _mockSettingsService.Object,
                 _mockRepository.Object,
                 _mockCspPermissionService.Object,
                 null,
@@ -117,7 +117,7 @@ public void Constructor_GivenAValidAllowListOptionsThenAnExceptionIsNotThrown()
         Assert.DoesNotThrow(() => 
         { 
             new AllowListService(
-                _mockSettingsRepository.Object, 
+                _mockSettingsService.Object, 
                 _mockRepository.Object, 
                 _mockCspPermissionService.Object, 
                 _mockCacheWrapper.Object,
@@ -130,8 +130,8 @@ public void Constructor_GivenAValidAllowListOptionsThenAnExceptionIsNotThrown()
     public async Task AddFromAllowListToCsp_DoesNotProcessTheAllowListWhenAllowListOptionsIsDisabled(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = false });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = false });
 
         // Act
         await _allowListService.AddFromAllowListToCspAsync(violationSource, violationDirective);
@@ -146,8 +146,8 @@ public async Task AddFromAllowListToCsp_DoesNotProcessTheAllowListWhenAllowListO
     public async Task AddFromAllowListToCsp_DoesNotProcessTheAllowListWhenViolationSourceOrDirectiveIsNullOrEmpty(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         // Act
         await _allowListService.AddFromAllowListToCspAsync(violationSource, violationDirective);
@@ -162,8 +162,8 @@ public async Task AddFromAllowListToCsp_DoesNotProcessTheAllowListWhenViolationS
     public async Task AddFromAllowListToCsp_WhenGivenAValidSourceAndDomainAndAllowListIsEnabled_ThenTheAllowListIsRetrieved(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         _mockRepository.Setup(x => x.GetAllowListAsync(It.IsAny<string>()))
                        .ReturnsAsync(new AllowListCollection(new List<AllowListEntry>(0)));
@@ -180,8 +180,8 @@ public async Task AddFromAllowListToCsp_WhenGivenAValidSourceAndDomainAndAllowLi
     public async Task AddFromAllowListToCsp_WhenGivenAValidSourceAndDomainAndAnEmptyAllowList_ThenTheCspIsNotUpdated(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         _mockRepository.Setup(x => x.GetAllowListAsync(It.IsAny<string>()))
                        .ReturnsAsync(new AllowListCollection(new List<AllowListEntry>(0)));
@@ -209,8 +209,8 @@ public async Task AddFromAllowListToCsp_WhenGivenAValidSourceAndDomainThatAreNot
         };
         var allowListCollection = new AllowListCollection(allowListEntries);
 
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         _mockRepository.Setup(x => x.GetAllowListAsync(It.IsAny<string>()))
                        .ReturnsAsync(allowListCollection);
@@ -243,8 +243,8 @@ public async Task AddFromAllowListToCsp_WhenGivenAValidSourceAndDomainThatAreOnT
         };
         var allowListCollection = new AllowListCollection(allowListEntries);
 
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         _mockRepository.Setup(x => x.GetAllowListAsync(It.IsAny<string>()))
                        .ReturnsAsync(allowListCollection);
@@ -262,8 +262,8 @@ public async Task AddFromAllowListToCsp_WhenGivenAValidSourceAndDomainThatAreOnT
     public async Task IsOnAllowList_ReturnsFalseWhenAllowListOptionsIsDisabled(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = false });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = false });
 
         // Act
         var isOnAllowList = await _allowListService.IsOnAllowListAsync(violationSource, violationDirective);
@@ -277,8 +277,8 @@ public async Task IsOnAllowList_ReturnsFalseWhenAllowListOptionsIsDisabled(strin
     public async Task IsOnAllowList_ReturnsFalseWhenViolationSourceOrDirectiveIsNullOrEmpty(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         // Act
         var isOnAllowList = await _allowListService.IsOnAllowListAsync(violationSource, violationDirective);
@@ -292,8 +292,8 @@ public async Task IsOnAllowList_ReturnsFalseWhenViolationSourceOrDirectiveIsNull
     public async Task IsOnAllowList_DoesNotAttemptToGetAAllowListWhenAllowListOptionsIsDisabled(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = false });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = false });
 
         // Act
         var isOnAllowList = await _allowListService.IsOnAllowListAsync(violationSource, violationDirective);
@@ -307,8 +307,8 @@ public async Task IsOnAllowList_DoesNotAttemptToGetAAllowListWhenAllowListOption
     public async Task IsOnAllowList_DoesNotAttemptToGetAAllowListWhenViolationSourceOrDirectiveIsNullOrEmpty(string violationSource, string violationDirective)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         // Act
         var isOnAllowList = await _allowListService.IsOnAllowListAsync(violationSource, violationDirective);
@@ -322,8 +322,8 @@ public async Task IsOnAllowList_DoesNotAttemptToGetAAllowListWhenViolationSource
     public async Task IsOnAllowList_WhenGivenAValidSourceAndDomainAndAllowListIsEnabled_ThenTheAllowListIsRetrieved(string violationSource, string directive)
     {
         // Arrange
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         // Act
         var isOnAllowList = await _allowListService.IsOnAllowListAsync(violationSource, directive);
@@ -349,8 +349,8 @@ public async Task IsOnAllowList_WhenDomainMatchesAAllowListEntry_ThenReturnsTrue
         };
         var allowListCollection = new AllowListCollection(allowListEntries);
 
-        _mockSettingsRepository.Setup(x => x.GetAsync())
-                               .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
+        _mockSettingsService.Setup(x => x.GetAsync())
+                            .ReturnsAsync(new CspSettings { IsAllowListEnabled = true });
 
         _mockRepository.Setup(x => x.GetAllowListAsync(It.IsAny<string>()))
                        .Returns(Task.FromResult(allowListCollection));

Sample/OptimizelyTwelveTest/appsettings.json

@@ -3,6 +3,8 @@
 using System;
 using System.Threading.Tasks;
 
+using EPiServer.ServiceLocation;
+
 using JetBrains.Annotations;
 
 using Microsoft.AspNetCore.Cors.Infrastructure;
@@ -29,6 +31,8 @@ public sealed class CustomCorsPolicyProviderTests
 
     private Mock<HttpContext> _mockHttpContext;
 
+    private Mock<IServiceProvider> _mockServiceProvider;
+
     private CustomCorsPolicyProvider _provider;
 
     [SetUp]
@@ -39,6 +43,11 @@ public void SetUp()
         _mockService = new Mock<ICorsSettingsService>();
         _mockService.Setup(x => x.GetAsync()).ReturnsAsync(new CorsConfiguration());
 
+        _mockServiceProvider = new Mock<IServiceProvider>();
+        _mockServiceProvider.Setup(x => x.GetService(typeof(ICorsSettingsService))).Returns(_mockService.Object);
+
+        ServiceLocator.SetServiceProvider(_mockServiceProvider.Object);
+
         _mockHttpContext = new Mock<HttpContext>();
 
         var corsOptions = new CorsOptions();
@@ -52,7 +61,7 @@ public void SetUp()
         _mockOptions = new Mock<IOptions<CorsOptions>>();
         _mockOptions.Setup(x => x.Value).Returns(corsOptions);
 
-        _provider = new CustomCorsPolicyProvider(_mockCache.Object, _mockService.Object, _mockOptions.Object);
+        _provider = new CustomCorsPolicyProvider(_mockCache.Object, _mockOptions.Object);
     }
 
     [Test]