Add middleware test for CSP whitelist
This commit is contained in:
parent
f7d592e5e8
commit
6b817d1fdb
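--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -1,10 +1,19 @@
 import crypto from "crypto"
 import contentSecurityPolicy from "../contentSecurityPolicy"
+import { app } from "../../cache"
+import { Feature, App } from "@budibase/types"
+import { users, licenses } from "../../../tests/core/utilities/structures"
+import { doInAppContext } from "../../context"
 
 jest.mock("crypto", () => ({
 randomBytes: jest.fn(),
 randomUUID: jest.fn(),
 }))
+jest.mock("../../cache", () => ({
+app: {
+getAppMetadata: jest.fn(),
+},
+}))
 
 describe("contentSecurityPolicy middleware", () => {
 let ctx: any
@@ -57,19 +66,71 @@ describe("contentSecurityPolicy middleware", () => {
 })
 
 it("should handle errors and log an error message", async () => {
+// Ctx setup to let us try and use CSP whitelist
+const fakeAppId = "app_sdfdsfsdfsdf"
+ctx.appId = fakeAppId
+ctx.user = {
+license: {
+features: [Feature.CUSTOM_APP_SCRIPTS],
+},
+}
+
 const consoleSpy = jest.spyOn(console, "error").mockImplementation()
 const error = new Error("Test error")
 // @ts-ignore
-crypto.randomBytes.mockImplementation(() => {
+app.getAppMetadata.mockImplementation(() => {
 throw error
 })
+await contentSecurityPolicy(ctx, next)
 
+expect(app.getAppMetadata).toHaveBeenCalledWith(fakeAppId)
+expect(consoleSpy).toHaveBeenCalledWith(
+`Error occurred in Content-Security-Policy middleware: ${error}`
+)
+expect(next).toHaveBeenCalled()
+consoleSpy.mockRestore()
+})
+
+it("should add custom CSP whitelist", async () => {
+const appId = "app_foo"
+const domain = "https://*.foo.bar"
+
+// Ctx setup to let us try and use CSP whitelist
+ctx.appId = appId
+ctx.user = users.user()
+ctx.user.license = licenses.license({
+features: [Feature.CUSTOM_APP_SCRIPTS],
+})
+
+// @ts-ignore
+app.getAppMetadata.mockImplementation(function (): App {
+return {
+appId,
+type: "foo",
+version: "1",
+componentLibraries: [],
+name: "foo",
+url: "/foo",
+template: undefined,
+instance: { _id: appId },
+tenantId: ctx.user.tenantId,
+status: "foo",
+scripts: [
+{
+id: "foo",
+name: "Test",
+location: "Head",
+cspWhitelist: domain,
+},
+],
+}
+})
+
 await contentSecurityPolicy(ctx, next)
 
-expect(consoleSpy).toHaveBeenCalledWith(
-`Error occurred in Content-Security-Policy middleware: ${error}`
-)
-expect(next).not.toHaveBeenCalled()
-consoleSpy.mockRestore()
+const cspHeader = ctx.set.mock.calls[0][1]
+expect(cspHeader).toContain(`default-src 'self' ${domain};`)
+expect(app.getAppMetadata).toHaveBeenCalledWith(appId)
+expect(next).toHaveBeenCalled()
 })
 })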
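Review bot: The error-path test now expects `next` to be called, but it no longer asserts what happens to the response header when `getAppMetadata` throws, so a regression that leaves the response without any CSP would still pass; add at least `expect(ctx.set).toHaveBeenCalledWith("Content-Security-Policy", expect.any(String))` so the fail-open behaviour (inferred from the flipped `next` assertion; confirm against the middleware) still guarantees a baseline policy. In the whitelist test, `ctx.set.mock.calls[0][1]` reads the first call's value without checking which header it belongs to; `expect(ctx.set).toHaveBeenCalledWith("Content-Security-Policy", expect.stringContaining(`default-src 'self' ${domain};`))` pins both the name and the value. Since `cspWhitelist` is app-supplied and ends up interpolated into the header, a second case with a value containing `;` or a newline would document whether the whitelist can alter directives beyond the one it is meant to extend. The `// @ts-ignore` lines can be replaced with `jest.mocked(app.getAppMetadata).mockImplementation(...)`, which keeps the mock typed instead of suppressing the checker. `doInAppContext` is imported in the first hunk but not used in either visible hunk; drop it if the unseen middle of the file does not use it.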