add tests

spatie · Feb 17, 2018 · b31476b · b31476b
1 parent 6237431
commit b31476b
Show file tree

Hide file tree

Showing 6 changed files with 112 additions and 26 deletions.
diff --git a/config/csp.php b/config/csp.php
@@ -5,7 +5,7 @@
     /*
      * A csp profile will determine which csp headers will be set.
      */
-    'profile' => \Spatie\Csp\Profiles\Strict::class,
+    'profile' => \Spatie\Csp\Profiles\Basic::class,
 
     /*
      * Headers will only be added if this setting is enabled

diff --git a/src/AddCspHeaders.php b/src/AddCspHeaders.php
@@ -5,29 +5,31 @@
 use Closure;
 use Illuminate\Http\Request;
 use Spatie\Csp\Exceptions\InvalidCspProfile;
-use Symfony\Component\HttpFoundation\Response;
+use Spatie\Csp\Profiles\Profile;
 
 class AddCspHeaders
 {
     public function handle(Request $request, Closure $next)
     {
         $response = $next($request);
 
-        if (config('csp.enabled')) {
-            $this->addCspHeaders($response);
+        $profile = $this->getProfile();
+
+        if ($profile->shouldBeApplied($request, $response)) {
+            $profile->applyTo($response);
         }
 
         return $response;
     }
 
-    protected function addCspHeaders(Response $response)
+    protected function getProfile(): Profile
     {
         $profile = app(Profile::class);
 
-        if (! is_a($profile, Profile::class, true)) {
+        if (!is_a($profile, Profile::class, true)) {
             throw InvalidCspProfile::create($profile);
         }
 
-        $profile->applyTo($response);
+        return $profile;
     }
 }
diff --git a/src/CspServiceProvider.php b/src/CspServiceProvider.php
@@ -3,7 +3,7 @@
 namespace Spatie\Csp;
 
 use Illuminate\Support\ServiceProvider;
-use Spatie\Csp\Profiles\Profile\Profile;
+use Spatie\Csp\Profiles\Profile;
 
 class CspServiceProvider extends ServiceProvider
 {
@@ -21,7 +21,7 @@ public function boot()
             $profile = app($profileClass);
 
             if (! empty(config('csp.report_uri'))) {
-                $profile->reportTo(config('report_uri'));
+                $profile->reportTo(config('csp.report_uri'));
             }
 
             if (config('csp.report_only')) {

diff --git a/src/Profiles/Basic.php b/src/Profiles/Basic.php
@@ -1,18 +1,20 @@
 <?php
 
-namespace Spatie\Csp\Profiles\Profile;
+namespace Spatie\Csp\Profiles;
+
+use Spatie\Csp\Directive;
 
 class Basic extends Profile
 {
     public function registerDirectives()
     {
         $this
-            ->addDirective(Directive::DEFAULT, 'none')
-            ->addDirective(Directive::CONNECT, 'self')
-            ->addDirective(Directive::FORM, 'self')
-            ->addDirective(Directive::IMG, 'self')
-            ->addDirective(Directive::SCRIPT, 'self')
-            ->addDirective(Directive::STYLE, 'self')
-            ->addDirective(Directive::MEDIA, 'self');
+            ->addDirective(Directive::CONNECT, "'self'")
+            ->addDirective(Directive::DEFAULT, "'self'")
+            ->addDirective(Directive::FORM, "'self'")
+            ->addDirective(Directive::IMG, "'self'")
+            ->addDirective(Directive::MEDIA, "'self'")
+            ->addDirective(Directive::SCRIPT, "'self'")
+            ->addDirective(Directive::STYLE, "'self'");
     }
 }
diff --git a/src/Profiles/Profile.php b/src/Profiles/Profile.php
@@ -1,7 +1,8 @@
 <?php
 
-namespace Spatie\Csp\Profiles\Profile;
+namespace Spatie\Csp\Profiles;
 
+use Illuminate\Http\Request;
 use Spatie\Csp\Directive;
 use Spatie\Csp\Exceptions\InvalidDirective;
 use Symfony\Component\HttpFoundation\Response;
@@ -39,18 +40,23 @@ public function enforce(): self
 
     public function reportTo(string $uri): self
     {
-        $this->directives['report-uri'] = $uri;
+        $this->directives['report-uri'] = [$uri];
 
-        $this->directives['report-to'] = json_encode([
-           'url' => $uri,
-           'group-name' => class_basename(static::class),
-           'max-age => 60 * 60 * 24 * 7 * 30',
+        $reportToContents = json_encode([
+            'url' => $uri,
+            'group-name' => class_basename(static::class),
+            'max-age' => 60 * 60 * 24 * 7 * 30,
         ]);
 
+        $this->directives['report-to'] = [$reportToContents];
+
         return $this;
     }
 
-
+    public function shouldBeApplied(Request $request, Response $response): bool
+    {
+        return config('csp.enabled');
+    }
 
     public function applyTo(Response $response)
     {
@@ -60,12 +66,12 @@ public function applyTo(Response $response)
             ? 'Content-Security-Policy-Report-Only'
             : 'Content-Security-Policy';
 
-        $response->headers->set($headerName, (string) $this);
+        $response->headers->set($headerName, (string)$this);
     }
 
     protected function guardAgainstInvalidDirectives(string $directive)
     {
-        if (! Directive::isValid($directive)) {
+        if (!Directive::isValid($directive)) {
             throw InvalidDirective::notSupported($directive);
         }
     }

diff --git a/tests/AddCspHeadersTest.php b/tests/AddCspHeadersTest.php
@@ -0,0 +1,76 @@
+<?php
+
+namespace Spatie\Csp\Tests;
+
+use Illuminate\Support\Facades\Route;
+use Spatie\Csp\AddCspHeaders;
+use Symfony\Component\HttpFoundation\HeaderBag;
+
+class AddCspHeadersTest extends TestCase
+{
+    public function setUp()
+    {
+        parent::setUp();
+
+        Route::get('test', function () {
+            return 'ok';
+        })->middleware(AddCspHeaders::class);
+    }
+
+    /** @test */
+    public function it_can_set_the_basic_csp_headers()
+    {
+        $headers = $this->getResponseHeaders();
+
+        $this->assertContains("default-src 'self';", $headers->get('Content-Security-Policy'));
+    }
+
+    /** @test */
+    public function it_wont_set_any_headers_if_not_enabled_in_the_config()
+    {
+        config(['csp.enabled' => false]);
+
+        $headers = $this->getResponseHeaders();
+
+        $this->assertNull($headers->get('Content-Security-Policy'));
+    }
+
+    /** @test */
+    public function it_can_be_set_in_report_only_mode_via_the_config()
+    {
+        config(['csp.report_only' => true]);
+
+        $headers = $this->getResponseHeaders();
+
+        $this->assertNotNull($headers->get('Content-Security-Policy-Report-Only'));
+
+        $this->assertNull($headers->get('Content-Security-Policy'));
+    }
+
+    /** @test */
+    public function a_report_uri_can_be_set_in_the_config()
+    {
+        config(['csp.report_uri' => 'https://report-uri.com']);
+
+        $headers = $this->getResponseHeaders();
+
+        $this
+            ->assertCspHeaderContains($headers, 'report-uri https://report-uri.com;')
+            ->assertCspHeaderContains($headers, 'report-to {"url":"https:\/\/report-uri.com","group-name":"Basic","max-age":18144000};');
+    }
+
+    protected function assertCspHeaderContains(HeaderBag $headerBag, string $needle): self
+    {
+        $this->assertContains($needle, $headerBag->get('Content-Security-Policy'));
+
+        return $this;
+    }
+
+    protected function getResponseHeaders(): HeaderBag
+    {
+        return $this
+            ->get('test')
+            ->assertSuccessful()
+            ->headers;
+    }
+}