mozillaGH-36 Update settings format to handle multiple policies

DylanYoung · Mar 6, 2020 · 44b9863 · 44b9863
1 parent cbff891
commit 44b9863
Showing 1 changed file with 110 additions and 32 deletions.
diff --git a/csp/utils.py b/csp/utils.py
@@ -13,44 +13,122 @@
     'child-src is deprecated in CSP v3. Use frame-src and worker-src.'
 
 
-def from_settings():
-    return {
+DEFAULT_CSP_POLICIES = ['default']
+
+DEFAULT_CSP_UPDATE_TEMPLATE = 'default'
+
+_DIRECTIVES = (
+    # Available Directives
+    'child-src',
+    'connect-src',
+    'default-src',
+    'script-src',
+    'script-src-attr',
+    'script-src-elem',
+    'object-src',
+    'style-src',
+    'style-src-attr',
+    'style-src-elem',
+    'font-src',
+    'frame-src',
+    'img-src',
+    'manifest-src',
+    'media-src',
+    'prefetch-src',
+    'worker-src',
+    # Document Directives
+    'base-uri',
+    'plugin-types',
+    'sandbox',
+    # Navigation Directives
+    'form-action',
+    'frame-ancestors',
+    'navigate-to',
+    # Reporting Directives
+    'report-uri',
+    'report-to',
+    'require-sri-for',
+    # Other Directives
+    'upgrade-insecure-requests',
+    'block-all-mixed-content',
+)
+
+def setting_to_directive(setting, prefix='CSP_'):
+    return setting[len(prefix):].replace('_', '-').lower()
+
+
+def directive_to_setting(directive, prefix='CSP_'):
+    return '{}{}'.format(
+        prefix,
+        directive.replace('-', '_').upper()
+    )
+
+
+_LEGACY_SETTINGS = set(
+       directive_to_setting(directive)
+        for directive in _DIRECTIVES
+)
+
+
+DEFAULT_CSP_POLICY_DEFINITIONS = {
+    'default': {
         # Fetch Directives
-        'child-src': getattr(settings, 'CSP_CHILD_SRC', None),
-        'connect-src': getattr(settings, 'CSP_CONNECT_SRC', None),
-        'default-src': getattr(settings, 'CSP_DEFAULT_SRC', ["'self'"]),
-        'script-src': getattr(settings, 'CSP_SCRIPT_SRC', None),
-        'script-src-attr': getattr(settings, 'CSP_SCRIPT_SRC_ATTR', None),
-        'script-src-elem': getattr(settings, 'CSP_SCRIPT_SRC_ELEM', None),
-        'object-src': getattr(settings, 'CSP_OBJECT_SRC', None),
-        'style-src': getattr(settings, 'CSP_STYLE_SRC', None),
-        'style-src-attr': getattr(settings, 'CSP_STYLE_SRC_ATTR', None),
-        'style-src-elem': getattr(settings, 'CSP_STYLE_SRC_ELEM', None),
-        'font-src': getattr(settings, 'CSP_FONT_SRC', None),
-        'frame-src': getattr(settings, 'CSP_FRAME_SRC', None),
-        'img-src': getattr(settings, 'CSP_IMG_SRC', None),
-        'manifest-src': getattr(settings, 'CSP_MANIFEST_SRC', None),
-        'media-src': getattr(settings, 'CSP_MEDIA_SRC', None),
-        'prefetch-src': getattr(settings, 'CSP_PREFETCH_SRC', None),
-        'worker-src': getattr(settings, 'CSP_WORKER_SRC', None),
+        'child-src': None,
+        'connect-src': None,
+        'default-src': ["'self'"],
+        'script-src': None,
+        'script-src-attr': None,
+        'script-src-elem': None,
+        'object-src': None,
+        'style-src': None,
+        'style-src-attr': None,
+        'style-src-elem': None,
+        'font-src': None,
+        'frame-src': None,
+        'img-src': None,
+        'manifest-src': None,
+        'media-src': None,
+        'prefetch-src': None,
+        'worker-src': None,
         # Document Directives
-        'base-uri': getattr(settings, 'CSP_BASE_URI', None),
-        'plugin-types': getattr(settings, 'CSP_PLUGIN_TYPES', None),
-        'sandbox': getattr(settings, 'CSP_SANDBOX', None),
+        'base-uri': None,
+        'plugin-types': None,
+        'sandbox': None,
         # Navigation Directives
-        'form-action': getattr(settings, 'CSP_FORM_ACTION', None),
-        'frame-ancestors': getattr(settings, 'CSP_FRAME_ANCESTORS', None),
-        'navigate-to': getattr(settings, 'CSP_NAVIGATE_TO', None),
+        'form-action': None,
+        'frame-ancestors': None,
+        'navigate-to': None,
         # Reporting Directives
-        'report-uri': getattr(settings, 'CSP_REPORT_URI', None),
-        'report-to': getattr(settings, 'CSP_REPORT_TO', None),
-        'require-sri-for': getattr(settings, 'CSP_REQUIRE_SRI_FOR', None),
+        'report-uri': None,
+        'report-to': None,
+        'require-sri-for': None,
         # Other Directives
-        'upgrade-insecure-requests': getattr(
-            settings, 'CSP_UPGRADE_INSECURE_REQUESTS', False),
-        'block-all-mixed-content': getattr(
-            settings, 'CSP_BLOCK_ALL_MIXED_CONTENT', False),
+        'upgrade-insecure-requests': False,
+        'block-all-mixed-content': False,
     }
+}
+
+
+def _handle_legacy_settings(definitions, defer_to_legacy=True):
+    legacy_names = _LEGACY_SETTINGS & set(s for s in dir(settings) if s.isupper())
+    if not legacy_names:
+        return
+    # TODO: raise deprecation warning
+    csp = definitions['default']
+    legacy_csp = ((setting_to_directive(name), getattr(settings, name)) for name in legacy_names)
+    if defer_to_legacy:
+        csp.update(legacy_csp)
+    else:
+        csp.update((key, val) for key, val in legacy_csp if key not in csp)
+
+
+def from_settings():
+    policies = getattr(settings, 'CSP_POLICIES', DEFAULT_CSP_POLICIES)
+    definitions = DEFAULT_CSP_POLICY_DEFINITIONS.copy()
+    definitions.update(getattr(settings, 'CSP_POLICY_DEFINITIONS', {}))
+    return OrderedDict(
+        (name, definitions[name]) for name in policies
+    )
 
 
 def build_policy(config=None, update=None, replace=None, nonce=None):