Split up security middleware
With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
1ec98af3e0
commit
37a4282c7a
|
@ -457,6 +457,7 @@ return array(
|
|||
'OC\\AppFramework\\Middleware\\PublicShare\\PublicShareMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\BruteForceMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\CORSMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\CSPMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\AppNotEnabledException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/AppNotEnabledException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/CrossSiteRequestForgeryException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\LaxSameSiteCookieFailedException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/LaxSameSiteCookieFailedException.php',
|
||||
|
|
|
@ -491,6 +491,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\AppFramework\\Middleware\\PublicShare\\PublicShareMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\BruteForceMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\CORSMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\CSPMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\AppNotEnabledException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/AppNotEnabledException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/CrossSiteRequestForgeryException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\LaxSameSiteCookieFailedException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/LaxSameSiteCookieFailedException.php',
|
||||
|
|
|
@ -220,13 +220,17 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
|||
$server->getUserSession()->isLoggedIn(),
|
||||
$server->getGroupManager()->isAdmin($this->getUserId()),
|
||||
$server->getUserSession()->getUser() !== null && $server->query(ISubAdmin::class)->isSubAdmin($server->getUserSession()->getUser()),
|
||||
$server->getContentSecurityPolicyManager(),
|
||||
$server->getCsrfTokenManager(),
|
||||
$server->getContentSecurityPolicyNonceManager(),
|
||||
$server->getAppManager(),
|
||||
$server->getL10N('lib')
|
||||
);
|
||||
$dispatcher->registerMiddleware($securityMiddleware);
|
||||
$dispatcher->registerMiddleware(
|
||||
new OC\AppFramework\Middleware\Security\CSPMiddleware(
|
||||
$server->query(OC\Security\CSP\ContentSecurityPolicyManager::class),
|
||||
$server->query(OC\Security\CSP\ContentSecurityPolicyNonceManager::class),
|
||||
$server->query(OC\Security\CSRF\CsrfTokenManager::class)
|
||||
)
|
||||
);
|
||||
$dispatcher->registerMiddleware(
|
||||
new OC\AppFramework\Middleware\Security\PasswordConfirmationMiddleware(
|
||||
$c->query(IControllerMethodReflector::class),
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\AppFramework\Middleware\Security;
|
||||
|
||||
use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
||||
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||
use OCP\AppFramework\Http\Response;
|
||||
use OCP\AppFramework\Middleware;
|
||||
|
||||
class CSPMiddleware extends Middleware {
|
||||
|
||||
/** @var ContentSecurityPolicyManager */
|
||||
private $contentSecurityPolicyManager;
|
||||
/** @var ContentSecurityPolicyNonceManager */
|
||||
private $cspNonceManager;
|
||||
/** @var CsrfTokenManager */
|
||||
private $csrfTokenManager;
|
||||
|
||||
public function __construct(ContentSecurityPolicyManager $policyManager,
|
||||
ContentSecurityPolicyNonceManager $cspNonceManager,
|
||||
CsrfTokenManager $csrfTokenManager) {
|
||||
$this->contentSecurityPolicyManager = $policyManager;
|
||||
$this->cspNonceManager = $cspNonceManager;
|
||||
$this->csrfTokenManager = $csrfTokenManager;
|
||||
}
|
||||
|
||||
/**
|
||||
* Performs the default CSP modifications that may be injected by other
|
||||
* applications
|
||||
*
|
||||
* @param Controller $controller
|
||||
* @param string $methodName
|
||||
* @param Response $response
|
||||
* @return Response
|
||||
*/
|
||||
public function afterController($controller, $methodName, Response $response): Response {
|
||||
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
||||
|
||||
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
|
||||
return $response;
|
||||
}
|
||||
|
||||
$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
|
||||
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
|
||||
|
||||
if($this->cspNonceManager->browserSupportsCspV3()) {
|
||||
$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
|
||||
}
|
||||
|
||||
$response->setContentSecurityPolicy($defaultPolicy);
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
|
@ -84,12 +84,6 @@ class SecurityMiddleware extends Middleware {
|
|||
private $isAdminUser;
|
||||
/** @var bool */
|
||||
private $isSubAdmin;
|
||||
/** @var ContentSecurityPolicyManager */
|
||||
private $contentSecurityPolicyManager;
|
||||
/** @var CsrfTokenManager */
|
||||
private $csrfTokenManager;
|
||||
/** @var ContentSecurityPolicyNonceManager */
|
||||
private $cspNonceManager;
|
||||
/** @var IAppManager */
|
||||
private $appManager;
|
||||
/** @var IL10N */
|
||||
|
@ -104,9 +98,6 @@ class SecurityMiddleware extends Middleware {
|
|||
bool $isLoggedIn,
|
||||
bool $isAdminUser,
|
||||
bool $isSubAdmin,
|
||||
ContentSecurityPolicyManager $contentSecurityPolicyManager,
|
||||
CsrfTokenManager $csrfTokenManager,
|
||||
ContentSecurityPolicyNonceManager $cspNonceManager,
|
||||
IAppManager $appManager,
|
||||
IL10N $l10n
|
||||
) {
|
||||
|
@ -119,9 +110,6 @@ class SecurityMiddleware extends Middleware {
|
|||
$this->isLoggedIn = $isLoggedIn;
|
||||
$this->isAdminUser = $isAdminUser;
|
||||
$this->isSubAdmin = $isSubAdmin;
|
||||
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
|
||||
$this->csrfTokenManager = $csrfTokenManager;
|
||||
$this->cspNonceManager = $cspNonceManager;
|
||||
$this->appManager = $appManager;
|
||||
$this->l10n = $l10n;
|
||||
}
|
||||
|
@ -203,34 +191,6 @@ class SecurityMiddleware extends Middleware {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Performs the default CSP modifications that may be injected by other
|
||||
* applications
|
||||
*
|
||||
* @param Controller $controller
|
||||
* @param string $methodName
|
||||
* @param Response $response
|
||||
* @return Response
|
||||
*/
|
||||
public function afterController($controller, $methodName, Response $response): Response {
|
||||
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
||||
|
||||
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
|
||||
return $response;
|
||||
}
|
||||
|
||||
$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
|
||||
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
|
||||
|
||||
if($this->cspNonceManager->browserSupportsCspV3()) {
|
||||
$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
|
||||
}
|
||||
|
||||
$response->setContentSecurityPolicy($defaultPolicy);
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
/**
|
||||
* If an SecurityException is being caught, ajax requests return a JSON error
|
||||
* response and non ajax requests redirect to the index
|
||||
|
|
|
@ -0,0 +1,149 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\AppFramework\Middleware\Security;
|
||||
|
||||
use OC\AppFramework\Middleware\Security\CSPMiddleware;
|
||||
use OC\Security\CSP\ContentSecurityPolicy;
|
||||
use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||
use OC\Security\CSRF\CsrfToken;
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||
use OCP\AppFramework\Http\Response;
|
||||
use PHPUnit\Framework\MockObject\MockObject;
|
||||
|
||||
class CSPMiddlewareTest extends \Test\TestCase {
|
||||
|
||||
/** @var CSPMiddleware|MockObject */
|
||||
private $middleware;
|
||||
/** @var Controller|MockObject */
|
||||
private $controller;
|
||||
/** @var ContentSecurityPolicyManager|MockObject */
|
||||
private $contentSecurityPolicyManager;
|
||||
/** @var CsrfTokenManager|MockObject */
|
||||
private $csrfTokenManager;
|
||||
/** @var ContentSecurityPolicyNonceManager|MockObject */
|
||||
private $cspNonceManager;
|
||||
|
||||
protected function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$this->controller = $this->createMock(Controller::class);
|
||||
$this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class);
|
||||
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
|
||||
$this->cspNonceManager = $this->createMock(ContentSecurityPolicyNonceManager::class);
|
||||
$this->middleware = new CSPMiddleware(
|
||||
$this->contentSecurityPolicyManager,
|
||||
$this->cspNonceManager,
|
||||
$this->csrfTokenManager
|
||||
);
|
||||
}
|
||||
|
||||
public function testAfterController() {
|
||||
$this->cspNonceManager
|
||||
->expects($this->once())
|
||||
->method('browserSupportsCspV3')
|
||||
->willReturn(false);
|
||||
$response = $this->createMock(Response::class);
|
||||
$defaultPolicy = new ContentSecurityPolicy();
|
||||
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
|
||||
$currentPolicy = new ContentSecurityPolicy();
|
||||
$currentPolicy->addAllowedConnectDomain('currentPolicy');
|
||||
$mergedPolicy = new ContentSecurityPolicy();
|
||||
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
|
||||
$response
|
||||
->expects($this->exactly(2))
|
||||
->method('getContentSecurityPolicy')
|
||||
->willReturn($currentPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('getDefaultPolicy')
|
||||
->willReturn($defaultPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('mergePolicies')
|
||||
->with($defaultPolicy, $currentPolicy)
|
||||
->willReturn($mergedPolicy);
|
||||
$response->expects($this->once())
|
||||
->method('setContentSecurityPolicy')
|
||||
->with($mergedPolicy);
|
||||
|
||||
$this->middleware->afterController($this->controller, 'test', $response);
|
||||
}
|
||||
|
||||
public function testAfterControllerEmptyCSP() {
|
||||
$response = $this->createMock(Response::class);
|
||||
$emptyPolicy = new EmptyContentSecurityPolicy();
|
||||
$response->expects($this->any())
|
||||
->method('getContentSecurityPolicy')
|
||||
->willReturn($emptyPolicy);
|
||||
$response->expects($this->never())
|
||||
->method('setContentSecurityPolicy');
|
||||
|
||||
$this->middleware->afterController($this->controller, 'test', $response);
|
||||
}
|
||||
|
||||
public function testAfterControllerWithContentSecurityPolicy3Support() {
|
||||
$this->cspNonceManager
|
||||
->expects($this->once())
|
||||
->method('browserSupportsCspV3')
|
||||
->willReturn(true);
|
||||
$token = $this->createMock(CsrfToken::class);
|
||||
$token
|
||||
->expects($this->once())
|
||||
->method('getEncryptedValue')
|
||||
->willReturn('MyEncryptedToken');
|
||||
$this->csrfTokenManager
|
||||
->expects($this->once())
|
||||
->method('getToken')
|
||||
->willReturn($token);
|
||||
$response = $this->createMock(Response::class);
|
||||
$defaultPolicy = new ContentSecurityPolicy();
|
||||
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
|
||||
$currentPolicy = new ContentSecurityPolicy();
|
||||
$currentPolicy->addAllowedConnectDomain('currentPolicy');
|
||||
$mergedPolicy = new ContentSecurityPolicy();
|
||||
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
|
||||
$response
|
||||
->expects($this->exactly(2))
|
||||
->method('getContentSecurityPolicy')
|
||||
->willReturn($currentPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('getDefaultPolicy')
|
||||
->willReturn($defaultPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('mergePolicies')
|
||||
->with($defaultPolicy, $currentPolicy)
|
||||
->willReturn($mergedPolicy);
|
||||
$response->expects($this->once())
|
||||
->method('setContentSecurityPolicy')
|
||||
->with($mergedPolicy);
|
||||
|
||||
$this->assertEquals($response, $this->middleware->afterController($this->controller, 'test', $response));
|
||||
}
|
||||
}
|
|
@ -72,12 +72,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
|||
private $navigationManager;
|
||||
/** @var IURLGenerator|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $urlGenerator;
|
||||
/** @var ContentSecurityPolicyManager|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $contentSecurityPolicyManager;
|
||||
/** @var CsrfTokenManager|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $csrfTokenManager;
|
||||
/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $cspNonceManager;
|
||||
/** @var IAppManager|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $appManager;
|
||||
/** @var IL10N|\PHPUnit_Framework_MockObject_MockObject */
|
||||
|
@ -92,9 +86,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
|||
$this->navigationManager = $this->createMock(INavigationManager::class);
|
||||
$this->urlGenerator = $this->createMock(IURLGenerator::class);
|
||||
$this->request = $this->createMock(IRequest::class);
|
||||
$this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class);
|
||||
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
|
||||
$this->cspNonceManager = $this->createMock(ContentSecurityPolicyNonceManager::class);
|
||||
$this->l10n = $this->createMock(IL10N::class);
|
||||
$this->middleware = $this->getMiddleware(true, true, false);
|
||||
$this->secException = new SecurityException('hey', false);
|
||||
|
@ -118,9 +109,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
|||
$isLoggedIn,
|
||||
$isAdminUser,
|
||||
$isSubAdmin,
|
||||
$this->contentSecurityPolicyManager,
|
||||
$this->csrfTokenManager,
|
||||
$this->cspNonceManager,
|
||||
$this->appManager,
|
||||
$this->l10n
|
||||
);
|
||||
|
@ -611,91 +599,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
|||
$this->assertTrue($response instanceof JSONResponse);
|
||||
}
|
||||
|
||||
public function testAfterController() {
|
||||
$this->cspNonceManager
|
||||
->expects($this->once())
|
||||
->method('browserSupportsCspV3')
|
||||
->willReturn(false);
|
||||
$response = $this->createMock(Response::class);
|
||||
$defaultPolicy = new ContentSecurityPolicy();
|
||||
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
|
||||
$currentPolicy = new ContentSecurityPolicy();
|
||||
$currentPolicy->addAllowedConnectDomain('currentPolicy');
|
||||
$mergedPolicy = new ContentSecurityPolicy();
|
||||
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
|
||||
$response
|
||||
->expects($this->exactly(2))
|
||||
->method('getContentSecurityPolicy')
|
||||
->willReturn($currentPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('getDefaultPolicy')
|
||||
->willReturn($defaultPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('mergePolicies')
|
||||
->with($defaultPolicy, $currentPolicy)
|
||||
->willReturn($mergedPolicy);
|
||||
$response->expects($this->once())
|
||||
->method('setContentSecurityPolicy')
|
||||
->with($mergedPolicy);
|
||||
|
||||
$this->middleware->afterController($this->controller, 'test', $response);
|
||||
}
|
||||
|
||||
public function testAfterControllerEmptyCSP() {
|
||||
$response = $this->createMock(Response::class);
|
||||
$emptyPolicy = new EmptyContentSecurityPolicy();
|
||||
$response->expects($this->any())
|
||||
->method('getContentSecurityPolicy')
|
||||
->willReturn($emptyPolicy);
|
||||
$response->expects($this->never())
|
||||
->method('setContentSecurityPolicy');
|
||||
|
||||
$this->middleware->afterController($this->controller, 'test', $response);
|
||||
}
|
||||
|
||||
public function testAfterControllerWithContentSecurityPolicy3Support() {
|
||||
$this->cspNonceManager
|
||||
->expects($this->once())
|
||||
->method('browserSupportsCspV3')
|
||||
->willReturn(true);
|
||||
$token = $this->createMock(CsrfToken::class);
|
||||
$token
|
||||
->expects($this->once())
|
||||
->method('getEncryptedValue')
|
||||
->willReturn('MyEncryptedToken');
|
||||
$this->csrfTokenManager
|
||||
->expects($this->once())
|
||||
->method('getToken')
|
||||
->willReturn($token);
|
||||
$response = $this->createMock(Response::class);
|
||||
$defaultPolicy = new ContentSecurityPolicy();
|
||||
$defaultPolicy->addAllowedImageDomain('defaultpolicy');
|
||||
$currentPolicy = new ContentSecurityPolicy();
|
||||
$currentPolicy->addAllowedConnectDomain('currentPolicy');
|
||||
$mergedPolicy = new ContentSecurityPolicy();
|
||||
$mergedPolicy->addAllowedMediaDomain('mergedPolicy');
|
||||
$response
|
||||
->expects($this->exactly(2))
|
||||
->method('getContentSecurityPolicy')
|
||||
->willReturn($currentPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('getDefaultPolicy')
|
||||
->willReturn($defaultPolicy);
|
||||
$this->contentSecurityPolicyManager
|
||||
->expects($this->once())
|
||||
->method('mergePolicies')
|
||||
->with($defaultPolicy, $currentPolicy)
|
||||
->willReturn($mergedPolicy);
|
||||
$response->expects($this->once())
|
||||
->method('setContentSecurityPolicy')
|
||||
->with($mergedPolicy);
|
||||
|
||||
$this->assertEquals($response, $this->middleware->afterController($this->controller, 'test', $response));
|
||||
}
|
||||
|
||||
public function dataRestrictedApp() {
|
||||
return [
|
||||
[false, false, false,],
|
||||
|
|
Loading…
Reference in New Issue