Add/Fix tests

jlledom · claude · jlledom · commit 0a95ae6a3688 · 2025-12-09T12:09:37.000+01:00
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/features/step_definitions/asset_host_steps.rb b/features/step_definitions/asset_host_steps.rb
@@ -3,12 +3,36 @@
 Given /^the asset host is unset$/ do
   Rails.configuration.three_scale.asset_host = nil
   Rails.configuration.asset_host = nil
+
+  # Reconfigure CSP with original policy (without CDN URL)
+  policy_config = ThreeScale::ContentSecurityPolicy::AdminPortal.policy_config
+  Rails.application.config.content_security_policy do |policy|
+    ThreeScale::ContentSecurityPolicy::AdminPortal.add_policy_config(policy, policy_config)
+    Rails.application.instance_variable_get(:@app_env_config)&.[]=('action_dispatch.content_security_policy', policy)
+  end
 end
 
 Given /^the asset host is set to "(.*)"$/ do |asset_host|
   cdn_url = "#{asset_host}:#{Capybara.current_session.server.port}"
   Rails.configuration.three_scale.asset_host = cdn_url
   Rails.configuration.asset_host = cdn_url
+
+  # Get original policy and add CDN URL to CSP directives
+  original_policy = ThreeScale::ContentSecurityPolicy::AdminPortal.policy_config
+  policy_with_cdn = original_policy.deep_dup
+
+  # Append CDN URL to script_src, style_src, and font_src
+  policy_with_cdn[:script_src] = (policy_with_cdn[:script_src] || []) + [cdn_url]
+  policy_with_cdn[:style_src] = (policy_with_cdn[:style_src] || []) + [cdn_url]
+  policy_with_cdn[:font_src] = (policy_with_cdn[:font_src] || []) + [cdn_url]
+
+  # Reconfigure CSP with CDN URL included
+  # Rails set the CSP configuration just once during initialization,
+  # This hack is needed to make it change between tests
+  Rails.application.config.content_security_policy do |policy|
+    ThreeScale::ContentSecurityPolicy::AdminPortal.add_policy_config(policy, policy_with_cdn)
+    Rails.application.instance_variable_get(:@app_env_config)&.[]=('action_dispatch.content_security_policy', policy)
+  end
 end
 
 Then /^(?:javascript\s)?assets should be loaded from the asset host$/ do
diff --git a/test/integration/developer_portal/content_security_policy_test.rb b/test/integration/developer_portal/content_security_policy_test.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class DeveloperPortal::ContentSecurityPolicyTest < ActionDispatch::IntegrationTest
+
+  class TestController < ApplicationController
+    def html
+      render html: '<html><body>Test</body></html>'.html_safe
+    end
+
+    def json
+      render json: { test: true }
+    end
+
+    def not_modified
+      head :not_modified
+    end
+  end
+
+  def with_test_routes
+    DeveloperPortal::Engine.routes.draw do
+      get '/test/csp/html' => 'content_security_policy_test/test#html'
+      get '/test/csp/json' => 'content_security_policy_test/test#json'
+      get '/test/csp/304' => 'content_security_policy_test/test#not_modified'
+    end
+    yield
+  ensure
+    Rails.application.routes_reloader.reload!
+  end
+
+  def setup
+    @provider = FactoryBot.create(:provider_account)
+    @buyer = FactoryBot.create(:buyer_account, provider_account: @provider)
+    host! @provider.internal_domain
+  end
+
+  test 'includes configured directives from YAML' do
+    with_test_routes do
+      get '/test/csp/html'
+
+      assert_response :success
+      csp_header = response.headers['Content-Security-Policy']
+
+      # Verify it contains the permissive default_src directive from developer_portal_policy
+      assert_includes csp_header, "default-src"
+      assert_includes csp_header, "*"
+      assert_includes csp_header, "'unsafe-eval'"
+      assert_includes csp_header, "'unsafe-inline'"
+    end
+  end
+
+  test 'does not apply CSP headers to non-HTML responses' do
+    with_test_routes do
+      get '/test/csp/json', params: { format: :json }
+
+      assert_response :success
+      # JSON responses should not have CSP headers
+      assert_nil response.headers['Content-Security-Policy']
+      assert_nil response.headers['Content-Security-Policy-Report-Only']
+    end
+  end
+
+  test 'middleware handles 304 Not Modified responses correctly' do
+    # The middleware has special handling for 304 responses to avoid
+    # nonce mismatches with cached content. This test verifies the middleware
+    # returns early for 304 responses and does not add CSP headers.
+
+    with_test_routes do
+      get '/test/csp/304'
+
+      assert_response :not_modified
+      # CSP middleware should not add headers to 304 responses
+      assert_nil response.headers['Content-Security-Policy']
+      assert_nil response.headers['Content-Security-Policy-Report-Only']
+    end
+  end
+end
diff --git a/test/integration/secure_headers_test.rb b/test/integration/secure_headers_test.rb
@@ -15,7 +15,6 @@ def setup
     assert_equal 'DENY', response.headers['X-Frame-Options']
     assert_equal 'nosniff', response.headers['X-Content-Type-Options']
     assert_equal '1; mode=block', response.headers['X-XSS-Protection']
-    assert_equal "default-src * data: mediastream: blob: filesystem: ws: wss: 'unsafe-eval' 'unsafe-inline'", response.headers['Content-Security-Policy']
   end
 
   test 'do not add non used secure headers in the response' do
diff --git a/test/unit/three_scale/content_security_policy_test.rb b/test/unit/three_scale/content_security_policy_test.rb
@@ -0,0 +1,116 @@
+require 'test_helper'
+
+class ThreeScale::ContentSecurityPolicy::AdminPortalTest < ActiveSupport::TestCase
+  test 'config returns Rails configuration for CSP' do
+    config = ThreeScale::ContentSecurityPolicy::AdminPortal.config
+
+    assert_not_nil config
+    assert_kind_of ActiveSupport::OrderedOptions, config
+  end
+
+  test 'enabled? returns true in test environment' do
+    assert_equal true, ThreeScale::ContentSecurityPolicy::AdminPortal.enabled?
+  end
+
+  test 'policy_config returns hash of CSP directives from YAML' do
+    policy_hash = ThreeScale::ContentSecurityPolicy::AdminPortal.policy_config
+
+    assert_kind_of Hash, policy_hash
+    assert policy_hash.present?
+
+    # Verify it contains restrictive directives
+    assert policy_hash.key?(:default_src)
+    assert_includes policy_hash[:default_src], "'self'"
+    assert policy_hash.key?(:script_src)
+    assert_includes policy_hash[:script_src], "'self'"
+  end
+
+  test 'report_only? returns false from YAML config' do
+    assert_equal false, ThreeScale::ContentSecurityPolicy::AdminPortal.report_only?
+  end
+
+  test 'policy_config returns empty hash when config.admin_portal_policy is nil' do
+    ThreeScale::ContentSecurityPolicy::AdminPortal.config.stubs(:admin_portal_policy).returns(nil)
+    policy_hash = ThreeScale::ContentSecurityPolicy::AdminPortal.policy_config
+
+    assert_equal({}, policy_hash)
+  end
+end
+
+class ThreeScale::ContentSecurityPolicy::DeveloperPortalTest < ActiveSupport::TestCase
+  test 'config returns Rails configuration for CSP' do
+    config = ThreeScale::ContentSecurityPolicy::DeveloperPortal.config
+
+    assert_not_nil config
+    assert_kind_of ActiveSupport::OrderedOptions, config
+  end
+
+  test 'enabled? returns true in test environment' do
+    assert_equal true, ThreeScale::ContentSecurityPolicy::DeveloperPortal.enabled?
+  end
+
+  test 'policy_config returns hash of CSP directives from YAML' do
+    policy_hash = ThreeScale::ContentSecurityPolicy::DeveloperPortal.policy_config
+
+    assert_kind_of Hash, policy_hash
+    assert policy_hash.present?
+
+    # Verify it contains the permissive default_src directive
+    assert policy_hash.key?(:default_src)
+    assert_includes policy_hash[:default_src], "*"
+    assert_includes policy_hash[:default_src], "'unsafe-eval'"
+    assert_includes policy_hash[:default_src], "'unsafe-inline'"
+  end
+
+  test 'report_only? returns false from YAML config' do
+    assert_equal false, ThreeScale::ContentSecurityPolicy::DeveloperPortal.report_only?
+  end
+
+  test 'policy_config returns empty hash when config.developer_portal_policy is nil' do
+    ThreeScale::ContentSecurityPolicy::DeveloperPortal.config.stubs(:developer_portal_policy).returns(nil)
+    policy_hash = ThreeScale::ContentSecurityPolicy::DeveloperPortal.policy_config
+
+    assert_equal({}, policy_hash)
+  end
+end
+
+class ThreeScale::ContentSecurityPolicyWithoutYAMLTest < ActiveSupport::TestCase
+  test 'AdminPortal enabled? returns false when config is missing' do
+    empty_config = ActiveSupport::OrderedOptions.new
+    ThreeScale::ContentSecurityPolicy::AdminPortal.stubs(:config).returns(empty_config)
+
+    assert_equal false, ThreeScale::ContentSecurityPolicy::AdminPortal.enabled?
+  end
+
+  test 'AdminPortal policy_config returns empty hash when config is missing' do
+    empty_config = ActiveSupport::OrderedOptions.new
+    ThreeScale::ContentSecurityPolicy::AdminPortal.stubs(:config).returns(empty_config)
+
+    policy_hash = ThreeScale::ContentSecurityPolicy::AdminPortal.policy_config
+
+    assert_equal({}, policy_hash)
+  end
+
+  test 'AdminPortal report_only? returns false when config is missing' do
+    empty_config = ActiveSupport::OrderedOptions.new
+    ThreeScale::ContentSecurityPolicy::AdminPortal.stubs(:config).returns(empty_config)
+
+    assert_equal false, ThreeScale::ContentSecurityPolicy::AdminPortal.report_only?
+  end
+
+  test 'AdminPortal enabled? handles nil config values gracefully' do
+    config = ActiveSupport::OrderedOptions.new
+    config.enabled = nil
+    ThreeScale::ContentSecurityPolicy::AdminPortal.stubs(:config).returns(config)
+
+    assert_equal false, ThreeScale::ContentSecurityPolicy::AdminPortal.enabled?
+  end
+
+  test 'AdminPortal report_only? handles nil config values gracefully' do
+    config = ActiveSupport::OrderedOptions.new
+    config.report_only = nil
+    ThreeScale::ContentSecurityPolicy::AdminPortal.stubs(:config).returns(config)
+
+    assert_equal false, ThreeScale::ContentSecurityPolicy::AdminPortal.report_only?
+  end
+end
