Merge pull request #285 from GeekInTheNorth/hotfix/v3.0.2

Merge HF 3.0.2 into Main

Author: GeekInTheNorth

src/Stott.Security.Optimizely.Test/Features/Csp/CspOptimizerTests.cs

@@ -37,7 +37,7 @@ public sealed class CspServiceTests
     public void SetUp()
     {
         _mockReportUrlResolver = new Mock<ICspReportUrlResolver>();
-        _mockReportUrlResolver.Setup(x => x.GetReportUriPath()).Returns("https://www.example.com/");
+        _mockReportUrlResolver.Setup(x => x.GetReportToPath()).Returns("https://www.example.com/");
 
         _mockSettingsService = new Mock<ICspSettingsService>();
 
@@ -213,28 +213,6 @@ public async Task Build_GivenReportingIsConfiguredWithAReportingUrl_ThenReportTo
 
         // Assert
         Assert.That(actualHeader.Value.Contains(CspConstants.Directives.ReportTo), Is.True);
-        Assert.That(actualHeader.Value.Contains(CspConstants.Directives.ReportUri), Is.True);
-    }
-
-    [Test]
-    public async Task Build_GivenReportingIsConfiguredWithAnExternalReportingUri_ThenReportingAndExternalUrlShouldBePresent()
-    {
-        // Arrange
-        var sources = new List<CspSource>
-        {
-            new() { Source = "https://www.example.com", Directives = CspConstants.Directives.DefaultSource }
-        };
-
-        SetupCspSettings(true, false, false, true);
-        _mockPermissionService.Setup(x => x.GetAsync()).ReturnsAsync(sources);
-
-        // Act
-        var policy = await _cspService.GetCompiledHeaders(null);
-        var actualHeader = policy.First(x => x.Key == CspConstants.HeaderNames.ContentSecurityPolicy);
-
-        // Assert
-        Assert.That(actualHeader.Value.Contains(CspConstants.Directives.ReportTo), Is.True);
-        Assert.That(actualHeader.Value.Contains($"{CspConstants.Directives.ReportUri} https://www.example.com"), Is.True);
     }
 
     [Test]
@@ -443,8 +421,7 @@ private void SetupCspSettings(bool isEnabled, bool isReportOnly = false, bool us
             IsUpgradeInsecureRequestsEnabled = isUpgradeInsecureRequestsEnabled,
             UseExternalReporting = useExternalReporting,
             UseInternalReporting = useInternalReporting,
-            ExternalReportToUrl = useExternalReporting ? "https://www.example.com" : string.Empty,
-            ExternalReportUriUrl = useExternalReporting ? "https://www.example.com" : string.Empty
+            ExternalReportToUrl = useExternalReporting ? "https://www.example.com" : string.Empty
         };
 
         _mockSettingsService.Setup(x => x.GetAsync()).ReturnsAsync(settings);

src/Stott.Security.Optimizely.Test/Features/Csp/CspServiceTests.cs

@@ -0,0 +1,60 @@
+using NUnit.Framework;
+
+using Stott.Security.Optimizely.Common;
+using Stott.Security.Optimizely.Features.Csp.Dtos;
+
+namespace Stott.Security.Optimizely.Test.Features.Csp.Dtos;
+
+[TestFixture]
+public sealed class CspSourceDtoTests
+{
+    [Test]
+    public void Constructor_ValidSourceAndDirectives_SetsProperties()
+    {
+        // Arrange
+        var source = "https://example.com";
+        var directives = "script-src, img-src";
+        
+        // Act
+        var dto = new CspSourceDto(source, directives);
+        
+        // Assert
+        Assert.That(dto.Source, Is.EqualTo(source));
+        Assert.That(dto.Directives, Has.Count.EqualTo(2));
+        Assert.That(dto.Directives.Contains(CspConstants.Directives.ScriptSource), Is.True);
+        Assert.That(dto.Directives.Contains(CspConstants.Directives.ImageSource), Is.True);
+    }
+
+    [Test]
+    public void Constructor_GivenAnInvalidDirective_TheOnlyTheValidDirectivesAreSet()
+    {
+        // Arrange
+        var source = "https://example.com";
+        var directives = "script-src, invalid-directive";
+
+        // Act
+        var dto = new CspSourceDto(source, directives);
+
+        // Assert
+        Assert.That(dto.Source, Is.EqualTo(source));
+        Assert.That(dto.Directives, Has.Count.EqualTo(1));
+        Assert.That(dto.Directives.Contains(CspConstants.Directives.ScriptSource), Is.True);
+    }
+
+    [Test]
+    public void Constructor_GivenDirectivesContainInCorrectCasing_ThenCasingWillBeCorrectedWhenSet()
+    {
+        // Arrange
+        var source = "https://example.com";
+        var directives = "Script-Src, IMG-SRC";
+        
+        // Act
+        var dto = new CspSourceDto(source, directives);
+        
+        // Assert
+        Assert.That(dto.Source, Is.EqualTo(source));
+        Assert.That(dto.Directives, Has.Count.EqualTo(2));
+        Assert.That(dto.Directives.Contains(CspConstants.Directives.ScriptSource), Is.True);
+        Assert.That(dto.Directives.Contains(CspConstants.Directives.ImageSource), Is.True);
+    }
+}

src/Stott.Security.Optimizely.Test/Features/Csp/Dtos/CspSourceDtoTests.cs

@@ -125,7 +125,6 @@ public static IEnumerable<TestCaseData> GetValidDirectivesTestCases
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ImageSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ManifestSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.MediaSource });
-            yield return new TestCaseData(new List<string> { CspConstants.Directives.NavigateTo });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ObjectSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.PreFetchSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ScriptSourceAttribute });

src/Stott.Security.Optimizely.Test/Features/Csp/Permissions/Save/SavePermissionModelTestCases.cs

@@ -78,78 +78,6 @@ public void SetUp()
         };
     }
 
-    [Test]
-    [TestCase(false, false)]
-    [TestCase(false, true)]
-    [TestCase(true, false)]
-    public async Task ReportUriViolation_WhenReportingIsNotEnabled_ReturnsAnOkObjectResultWithoutSaving(bool isEnabled, bool useInternalReporting)
-    {
-        // Arrange
-        _mockSettingsService.Setup(x => x.GetAsync())
-                            .ReturnsAsync(new CspSettings { IsEnabled = isEnabled, UseInternalReporting = useInternalReporting });
-
-        // Act
-        var result = await _controller.ReportUriViolation();
-
-        // Assert
-        Assert.That(result, Is.AssignableTo<OkObjectResult>());
-
-        _mockReportService.Verify(x => x.SaveAsync(It.IsAny<ICspReport>()), Times.Never());
-    }
-
-    [Test]
-    public void ReportUriViolation_WhenTheCommandThrowsAnException_ThenTheErrorIsReThrown()
-    {
-        // Arrange
-        var saveModel = JsonConvert.SerializeObject(new ReportUriWrapper { CspReport = new ReportUriBody() });
-        var testStream = new MemoryStream(Encoding.UTF8.GetBytes(saveModel));
-
-        _mockRequest.Setup(x => x.Body).Returns(testStream);
-
-        _mockReportService.Setup(x => x.SaveAsync(It.IsAny<ICspReport>()))
-                          .ThrowsAsync(new Exception(string.Empty));
-
-        // Assert
-        Assert.ThrowsAsync<Exception>(() => _controller.ReportUriViolation());
-    }
-
-    [Test]
-    public async Task ReportUriViolation_WhenTheCommandIsSuccessful_ThenAnOkResponseIsReturned()
-    {
-        // Arrange
-        var saveModel = JsonConvert.SerializeObject(new ReportUriWrapper { CspReport = new ReportUriBody() });
-        var testStream = new MemoryStream(Encoding.UTF8.GetBytes(saveModel));
-
-        _mockRequest.Setup(x => x.Body).Returns(testStream);
-
-        // Act
-        var response = await _controller.ReportUriViolation();
-
-        // Assert
-        Assert.That(response, Is.AssignableFrom<OkResult>());
-    }
-
-    [Test]
-    [TestCase(true, 1)]
-    [TestCase(false, 0)]
-    public async Task ReportUriViolation_AddsViolationToTheCspWhenItIsOnTheAllowList(bool isOnAllowList, int expectedUpdatesToCsp)
-    {
-        // Arrange
-        var saveModel = JsonConvert.SerializeObject(new ReportUriWrapper { CspReport = new ReportUriBody() });
-        var testStream = new MemoryStream(Encoding.UTF8.GetBytes(saveModel));
-
-        _mockRequest.Setup(x => x.Body).Returns(testStream);
-
-        _mockAllowListService.Setup(x => x.IsOnAllowListAsync(It.IsAny<string>(), It.IsAny<string>()))
-                             .ReturnsAsync(isOnAllowList);
-
-        // Act
-        await _controller.ReportUriViolation();
-
-        // Assert
-        _mockAllowListService.Verify(x => x.AddFromAllowListToCspAsync(It.IsAny<string>(), It.IsAny<string>()), Times.Exactly(expectedUpdatesToCsp));
-    }
-
     [Test]
     [TestCase(false, false)]
     [TestCase(false, true)]

src/Stott.Security.Optimizely.Test/Features/Csp/Reporting/CspReportingControllerTests.cs

@@ -87,7 +87,6 @@ public static IEnumerable<TestCaseData> DirectiveSuggestionTestCases
             yield return new TestCaseData(CspConstants.Directives.ImageSource, new List<string> { CspConstants.Directives.ImageSource });
             yield return new TestCaseData(CspConstants.Directives.ManifestSource, new List<string> { CspConstants.Directives.ManifestSource });
             yield return new TestCaseData(CspConstants.Directives.MediaSource, new List<string> { CspConstants.Directives.MediaSource });
-            yield return new TestCaseData(CspConstants.Directives.NavigateTo, new List<string> { CspConstants.Directives.NavigateTo });
             yield return new TestCaseData(CspConstants.Directives.ObjectSource, new List<string> { CspConstants.Directives.ObjectSource });
             yield return new TestCaseData(CspConstants.Directives.PreFetchSource, new List<string> { CspConstants.Directives.PreFetchSource });
             yield return new TestCaseData(CspConstants.Directives.ScriptSourceAttribute, new List<string> { CspConstants.Directives.ScriptSourceAttribute, CspConstants.Directives.ScriptSource });

src/Stott.Security.Optimizely.Test/Features/Csp/Reporting/Models/ReportUriBodyTests.cs

@@ -92,8 +92,7 @@ public async Task GivenSettingsDoesContainACsp_AndTheDataRecordDoesNotExist_Then
                 IsStrictDynamicEnabled = true,
                 UseInternalReporting = true,
                 UseExternalReporting = true,
-                ExternalReportToUrl = "https://www.example.com/two/",
-                ExternalReportUriUrl = "https://www.example.com/three/"
+                ExternalReportToUrl = "https://www.example.com/two/"
             }
         };
 
@@ -114,7 +113,6 @@ public async Task GivenSettingsDoesContainACsp_AndTheDataRecordDoesNotExist_Then
         Assert.That(updatedRecord.UseInternalReporting, Is.EqualTo(settings.Csp.UseInternalReporting));
         Assert.That(updatedRecord.UseExternalReporting, Is.EqualTo(settings.Csp.UseExternalReporting));
         Assert.That(updatedRecord.ExternalReportToUrl, Is.EqualTo(settings.Csp.ExternalReportToUrl));
-        Assert.That(updatedRecord.ExternalReportUriUrl, Is.EqualTo(settings.Csp.ExternalReportUriUrl));
     }
 
     [Test]
@@ -134,8 +132,7 @@ public async Task GivenSettingsDoesContainACsp_AndTheDataRecordDoesExist_ThenARe
                 IsStrictDynamicEnabled = true,
                 UseInternalReporting = true,
                 UseExternalReporting = true,
-                ExternalReportToUrl = "https://www.example.com/two/",
-                ExternalReportUriUrl = "https://www.example.com/three/"
+                ExternalReportToUrl = "https://www.example.com/two/"
             }
         };
 
@@ -164,7 +161,6 @@ public async Task GivenSettingsDoesContainACsp_AndTheDataRecordDoesExist_ThenARe
         Assert.That(updatedRecord.UseInternalReporting, Is.EqualTo(settings.Csp.UseInternalReporting));
         Assert.That(updatedRecord.UseExternalReporting, Is.EqualTo(settings.Csp.UseExternalReporting));
         Assert.That(updatedRecord.ExternalReportToUrl, Is.EqualTo(settings.Csp.ExternalReportToUrl));
-        Assert.That(updatedRecord.ExternalReportUriUrl, Is.EqualTo(settings.Csp.ExternalReportUriUrl));
     }
 
     [Test]

src/Stott.Security.Optimizely.Test/Features/Csp/Reporting/ViolationReportSummaryTestCases.cs

@@ -20,7 +20,11 @@ public static class CspConstants
 
     public const int TwoYearsInSeconds = 63072000;
 
-    public const int MaxHeaderSize = 8192;
+    public const int SplitThreshold = 8000;
+
+    public const int SimplifyThreshold = 12000;
+
+    public const int TerminalThreshold = 15500;
 
     /// <summary>
     /// A collection of directives which can take URL style sources.
@@ -38,7 +42,6 @@ public static class CspConstants
         Directives.ImageSource,
         Directives.ManifestSource,
         Directives.MediaSource,
-        Directives.NavigateTo,
         Directives.ObjectSource,
         Directives.PreFetchSource,
         Directives.ScriptSourceAttribute,
@@ -136,14 +139,10 @@ public static class Directives
 
         public const string MediaSource = "media-src";
 
-        public const string NavigateTo = "navigate-to";
-
         public const string ObjectSource = "object-src";
 
         public const string PreFetchSource = "prefetch-src";
 
-        // public const string RequireTrustedTypes = "require-trusted-types-for";
-
         public const string Sandbox = "sandbox";
 
         public const string ScriptSourceAttribute = "script-src-attr";
@@ -158,13 +157,9 @@ public static class Directives
 
         public const string StyleSource = "style-src";
 
-        // public const string TrustedTypes = "trusted-types";
-
         public const string UpgradeInsecureRequests = "upgrade-insecure-requests";
 
         public const string WorkerSource = "worker-src";
-
-        public const string ReportUri = "report-uri";
 
         public const string ReportTo = "report-to";
     }