fixup! mozillaGH-36 Add tests for multi-policy support and csp_append…

…/csp_select decorators

csp/tests/test_decorators.py

@@ -224,7 +224,7 @@ def view_with_decorator(request):
     response = view_with_decorator(REQUEST)
     mw.process_response(REQUEST, response)
     assert response._csp_select == ('new_policy', 'default')
-    assert response[HEADER] == "font-src bar.com; default-src 'self'"
+    assert response[HEADER] == "font-src bar.com, default-src 'self'"
     assert REPORT_ONLY_HEADER not in response
 
 

csp/tests/test_middleware.py

@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.http import (
     HttpResponse,
     HttpResponseServerError,
@@ -40,14 +41,17 @@ def test_exempt():
 
 @override_settings(
     CSP_POLICIES=('default', 'report'),
-    CSP_EXCLUDE_URL_PREFIXES=('/inlines-r-us',),
 )
 def test_exclude():
+    settings.CSP_POLICY_DEFINITIONS['default']['exclude_url_prefixes'] = (
+        '/inlines-r-us',
+    )
     request = rf.get('/inlines-r-us/foo')
     response = HttpResponse()
     mw.process_response(request, response)
     assert HEADER not in response
     assert response[REPORT_ONLY_HEADER] == "default-src 'self'"
+    settings.CSP_POLICY_DEFINITIONS['default']['exclude_url_prefixes'] = ()
 
 
 @override_settings(CSP_REPORT_ONLY=True)
@@ -107,7 +111,7 @@ def test_use_complex_config():
     assert response[REPORT_ONLY_HEADER] == 'img-src test.example.com'
 
 
-def test_use_order():
+def test_use_select():
     request = rf.get('/')
     response = HttpResponse()
     response._csp_config = {
@@ -124,12 +128,12 @@ def test_use_order():
     }
     response._csp_select = ('child', 'default', 'report_test')
     mw.process_response(request, response)
-    policy_list = sorted(response[HEADER].split('; '))
-    assert policy_list == ["child-src child.example.com", "default-src 'self'"]
+    policies = sorted(response[HEADER].split(', '))
+    assert policies == ["child-src child.example.com", "default-src 'self'"]
     assert response[REPORT_ONLY_HEADER] == 'img-src test.example.com'
 
 
-def test_use_order_dne():
+def test_use_select_dne():
     request = rf.get('/')
     response = HttpResponse()
     response._csp_select = ('does_not_exist',)
@@ -259,15 +263,12 @@ def test_nonce_regenerated_on_new_request():
 
 
 @override_settings(
-    CSP_POLICIES=("default", "report"),
+    CSP_INCLUDE_NONCE_IN=[],
 )
-@override_settings(CSP_INCLUDE_NONCE_IN=[])
 def test_no_nonce_when_disabled_by_settings():
     request = rf.get('/')
     mw.process_request(request)
     nonce = str(request.csp_nonce)
     response = HttpResponse()
     mw.process_response(request, response)
     assert nonce not in response[HEADER]
-    # Legacy settings only apply to default
-    assert nonce in response[REPORT_ONLY_HEADER]

csp/tests/test_utils.py

@@ -20,11 +20,14 @@ def policy_eq(
     if not isinstance(a, list):
         b = [(b, report_only, exclude_url_prefixes)]
 
-    for csp_a, csp_b in zip(a, b):
-        assert csp_a[1] == csp_b[1]
-        assert sorted(csp_a[2]) == sorted(csp_b[2])
-        parts_a = sorted(csp_a[0].split('; '))
-        parts_b = sorted(csp_b[0].split('; '))
+    for (
+        (csp_a, report_only_a, exclude_prefixes_a),
+        (csp_b, report_only_b, exclude_prefixes_b),
+     ) in zip(a, b):
+        assert report_only_a == report_only_b
+        assert sorted(exclude_prefixes_a) == sorted(exclude_prefixes_b)
+        parts_a = sorted(csp_a.split('; '))
+        parts_b = sorted(csp_b.split('; '))
         assert parts_a == parts_b, msg % (a, b)
 
 
@@ -301,11 +304,11 @@ def test_nonce_include_in():
                "style-src 'nonce-abc123'"), policy)
 
 
-@override_settings()
+@override_settings(CSP_POLICIES=('report',))
 def test_nonce_include_in_absent():
-    del settings.CSP_INCLUDE_NONCE_IN
+    assert 'include_nonce_in' not in settings.CSP_POLICY_DEFINITIONS['report']
     policy = build_policy(nonce='abc123')
-    policy_eq("default-src 'self' 'nonce-abc123'", policy)
+    policy_eq("default-src 'self' 'nonce-abc123'", policy, report_only=True)
 
 
 def test_policies_from_names_and_kwargs():