116 lines
3 KiB
Ruby
116 lines
3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "spec_helper"
|
|
|
|
# Based on https://github.com/rails/rails/pull/45115/files#diff-35ef6d1bd8b8d3b037ec819a704cd78db55db916a57abfc2859882826fc679b6
|
|
RSpec.describe ContentSecurityPolicyPatch, feature_category: :shared do
|
|
include Rack::Test::Methods
|
|
|
|
let(:routes) do
|
|
ActionDispatch::Routing::RouteSet.new.tap do |routes|
|
|
routes.draw do
|
|
# Using Testing module defined below
|
|
scope module: "testing" do
|
|
get "/", to: "policy#index"
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
let(:csp) do
|
|
ActionDispatch::ContentSecurityPolicy.new do |p|
|
|
p.default_src -> { :self }
|
|
p.script_src -> { :https }
|
|
end
|
|
end
|
|
|
|
let(:policy_middleware) do
|
|
Module.new do
|
|
def self.new(app, policy)
|
|
->(env) do
|
|
env["action_dispatch.content_security_policy"] = policy
|
|
|
|
app.call(env)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
subject(:app) do
|
|
build_app(routes) do |middleware|
|
|
middleware.use policy_middleware, csp
|
|
middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
|
|
end
|
|
end
|
|
|
|
def setup_controller
|
|
application_controller = Class.new(ActionController::Base) do # rubocop:disable Rails/ApplicationController
|
|
helper_method :sky_is_blue?
|
|
def sky_is_blue?
|
|
true
|
|
end
|
|
end
|
|
|
|
policy_controller = Class.new(application_controller) do
|
|
extend ContentSecurityPolicyPatch
|
|
|
|
content_security_policy_with_context do |p|
|
|
p.default_src "https://example.com"
|
|
p.script_src "https://example.com" if helpers.sky_is_blue?
|
|
end
|
|
|
|
def index
|
|
head :ok
|
|
end
|
|
end
|
|
|
|
stub_const("Testing::ApplicationController", application_controller)
|
|
stub_const("Testing::PolicyController", policy_controller)
|
|
end
|
|
|
|
def build_app(routes)
|
|
stack = ActionDispatch::MiddlewareStack.new do |middleware|
|
|
middleware.use ActionDispatch::DebugExceptions
|
|
middleware.use ActionDispatch::ActionableExceptions
|
|
middleware.use ActionDispatch::Callbacks
|
|
middleware.use ActionDispatch::Cookies
|
|
middleware.use ActionDispatch::Flash
|
|
middleware.use Rack::MethodOverride
|
|
middleware.use Rack::Head
|
|
|
|
yield(middleware) if block_given?
|
|
end
|
|
|
|
app = stack.build(routes)
|
|
|
|
->(env) { app.call(env) }
|
|
end
|
|
|
|
it "calls helper method" do
|
|
setup_controller
|
|
|
|
response = get "/"
|
|
|
|
csp_header = response.headers["Content-Security-Policy"]
|
|
|
|
expect(csp_header).to include "default-src https://example.com"
|
|
expect(csp_header).to include "script-src https://example.com"
|
|
end
|
|
|
|
it "does not emit any warnings" do
|
|
expect { setup_controller }.not_to output.to_stderr
|
|
end
|
|
|
|
context "with Rails version 7.2" do
|
|
before do
|
|
version = Gem::Version.new("7.2.0")
|
|
allow(Rails).to receive(:gem_version).and_return(version)
|
|
end
|
|
|
|
it "emits a deprecation warning" do
|
|
expect { setup_controller }
|
|
.to output(/Use content_security_policy instead/)
|
|
.to_stderr
|
|
end
|
|
end
|
|
end
|