grafana/pkg/tests/web/index_view_test.go

package web

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"testing"

	"github.com/grafana/grafana/pkg/tests/testinfra"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestIndexView tests the Grafana index view.
func TestIndexView(t *testing.T) {
	t.Run("CSP enabled", func(t *testing.T) {
		grafDir, cfgPath := testinfra.CreateGrafDir(t, testinfra.GrafanaOpts{
			EnableCSP: true,
		})
		addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)

		// nolint:bodyclose
		resp, html := makeRequest(t, addr)
		assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src \* data:;base-uri 'self';connect-src 'self' grafana.com ws://localhost:3000/ wss://localhost:3000/;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
		assert.Regexp(t, `<script nonce="[^"]+"`, html)
	})

	t.Run("CSP disabled", func(t *testing.T) {
		grafDir, cfgPath := testinfra.CreateGrafDir(t)
		addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)

		// nolint:bodyclose
		resp, html := makeRequest(t, addr)

		assert.Empty(t, resp.Header.Get("Content-Security-Policy"))
		assert.Regexp(t, `<script nonce=""`, html)
	})
}

func makeRequest(t *testing.T, addr string) (*http.Response, string) {
	t.Helper()

	u := fmt.Sprintf("http://%s", addr)
	t.Logf("Making GET request to %s", u)
	// nolint:gosec
	resp, err := http.Get(u)
	require.NoError(t, err)
	require.NotNil(t, resp)
	t.Cleanup(func() {
		err := resp.Body.Close()
		assert.NoError(t, err)
	})

	var b strings.Builder
	_, err = io.Copy(&b, resp.Body)
	require.NoError(t, err)
	require.Equal(t, 200, resp.StatusCode)

	return resp, b.String()
}
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00			`package web`

			`import (`
			`"fmt"`
			`"io"`
			`"net/http"`
			`"strings"`
			`"testing"`

			`"github.com/grafana/grafana/pkg/tests/testinfra"`
			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`// TestIndexView tests the Grafana index view.`
			`func TestIndexView(t *testing.T) {`
			`t.Run("CSP enabled", func(t *testing.T) {`
			`grafDir, cfgPath := testinfra.CreateGrafDir(t, testinfra.GrafanaOpts{`
			`EnableCSP: true,`
			`})`
Migrate to Wire for dependency injection (#32289) Fixes #30144 Co-authored-by: dsotirakis <sotirakis.dim@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com> Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> Co-authored-by: Leon Sorokin <leeoniya@gmail.com> Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com> Co-authored-by: spinillos <selenepinillos@gmail.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com> 2021-08-25 08:11:22 -05:00			`addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)`
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00
			`// nolint:bodyclose`
			`resp, html := makeRequest(t, addr)`
Security: Update default CSP template and fix firefox CSP issues (#34836) * Security: Update default content_security_policy_template - Add 'strict-dynamic' back to script-src - Add ws(s)://$ROOT_PATH to connect-src - Change onEvent to on-event in angular templates to fix CSP issues in firefox. - Add blob: to style-src 2021-05-28 10:01:10 -05:00			assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src \* data:;base-uri 'self';connect-src 'self' grafana.com ws://localhost:3000/ wss://localhost:3000/;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00			assert.Regexp(t, `<script nonce="[^"]+"`, html)
			`})`

			`t.Run("CSP disabled", func(t *testing.T) {`
			`grafDir, cfgPath := testinfra.CreateGrafDir(t)`
Migrate to Wire for dependency injection (#32289) Fixes #30144 Co-authored-by: dsotirakis <sotirakis.dim@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com> Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> Co-authored-by: Leon Sorokin <leeoniya@gmail.com> Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com> Co-authored-by: spinillos <selenepinillos@gmail.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com> 2021-08-25 08:11:22 -05:00			`addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)`
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00
			`// nolint:bodyclose`
			`resp, html := makeRequest(t, addr)`

			`assert.Empty(t, resp.Header.Get("Content-Security-Policy"))`
			assert.Regexp(t, `<script nonce=""`, html)
			`})`
			`}`

			`func makeRequest(t testing.T, addr string) (http.Response, string) {`
			`t.Helper()`

			`u := fmt.Sprintf("http://%s", addr)`
			`t.Logf("Making GET request to %s", u)`
			`// nolint:gosec`
			`resp, err := http.Get(u)`
			`require.NoError(t, err)`
			`require.NotNil(t, resp)`
			`t.Cleanup(func() {`
			`err := resp.Body.Close()`
			`assert.NoError(t, err)`
			`})`

			`var b strings.Builder`
			`_, err = io.Copy(&b, resp.Body)`
			`require.NoError(t, err)`
			`require.Equal(t, 200, resp.StatusCode)`

			`return resp, b.String()`
			`}`