treeherder/tests/test_middleware.py

import re

import pytest

from treeherder.middleware import CustomWhiteNoise

URLS_IMMUTABLE = [
    # Assets generated by Neutrino.
    '/assets/2.379789df.css',
    '/assets/dancing_cat.fa5552a5.gif',
    '/assets/fontawesome-webfont.af7ae505.woff2',
    '/assets/fontawesome-webfont.fee66e71.woff',
    '/assets/index.1d85033a.js',
    '/assets/index.1d85033a.js.map',
    '/assets/perf.d7fea1e4.css',
    '/assets/perf.d7fea1e4.css.map',
    '/assets/treeherder-logo.3df97cff.png',
]

URLS_NOT_IMMUTABLE = [
    '/',
    '/contribute.json',
    '/perf.html',
    '/revision.txt',
    '/tree_open.png',
    '/docs/schema.js',
    # The unhashed Neutrino/webpack output if using `yarn build --mode development`.
    '/assets/runtime.js',
    '/assets/vendors~index.js',
    # The unhashed Django static asset originals (used in development).
    '/static/debug_toolbar/assets/toolbar.css',
    '/static/rest_framework/docs/js/jquery.json-view.min.js',
]


@pytest.mark.parametrize('url', URLS_IMMUTABLE)
def test_immutable_file_test_matches(url):
    assert CustomWhiteNoise().immutable_file_test('', url)


@pytest.mark.parametrize('url', URLS_NOT_IMMUTABLE)
def test_immutable_file_test_does_not_match(url):
    assert not CustomWhiteNoise().immutable_file_test('', url)


def test_content_security_policy_header(client):
    # Ideally we'd test requesting our frontend HTML, eg `/` and `/login.html`,
    # however they won't exist unless `yarn build` has been run first.
    # So instead we request an arbitrary static asset from django-rest-framework,
    # which will be served with the same headers as our frontend HTML.
    response = client.get('/static/rest_framework/css/default.css')
    assert response.has_header('Content-Security-Policy')
    policy_regex = r"default-src 'none'; script-src 'self' 'unsafe-eval' 'report-sample'; .*; report-uri /api/csp-report/"
    assert re.match(policy_regex, response['Content-Security-Policy'])