Add modern security header rules

checker/rules_modern_headers_test.go

@@ -0,0 +1,172 @@
+// This file is part of the happyDomain (R) project.
+// Copyright (c) 2020-2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+
+package checker
+
+import (
+	"strings"
+	"testing"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// runHeaderRule looks up a registered rule by name and evaluates it
+// against an HTTPS probe whose only set header is the one under test.
+// The collector publishes headers as a lowercase-keyed map (see
+// collect.go), so we mirror that here regardless of the casing the
+// caller passed in.
+func runHeaderRule(t *testing.T, ruleName, header, value string) []sdk.CheckState {
+	t.Helper()
+	p := httpsProbe("a:443")
+	if strings.TrimSpace(value) != "" {
+		p.Headers[strings.ToLower(header)] = value
+	}
+	return runRule(t, ruleByName(t, ruleName), &HTTPData{Probes: []HTTPProbe{p}}, nil)
+}
+
+func TestReferrerPolicyRule(t *testing.T) {
+	cases := []struct {
+		name  string
+		value string
+		want  sdk.Status
+		code  string
+	}{
+		{"missing", "", sdk.StatusInfo, "http.referrer_policy.missing"},
+		{"strict-origin-when-cross-origin", "strict-origin-when-cross-origin", sdk.StatusOK, "http.referrer_policy.ok"},
+		{"no-referrer", "no-referrer", sdk.StatusOK, "http.referrer_policy.ok"},
+		{"unsafe-url", "unsafe-url", sdk.StatusWarn, "http.referrer_policy.invalid"},
+		{"no-referrer-when-downgrade", "no-referrer-when-downgrade", sdk.StatusInfo, "http.referrer_policy.invalid"},
+		{"unrecognised token", "totally-made-up", sdk.StatusWarn, "http.referrer_policy.invalid"},
+		// Per spec the UA picks the last *recognised* token, so the
+		// `bogus` is ignored and `same-origin` wins.
+		{"list with fallback", "bogus, same-origin", sdk.StatusOK, "http.referrer_policy.ok"},
+		// Unknown token after a known one: UA falls back to the last
+		// recognised one (`strict-origin`).
+		{"list with unknown trailing", "strict-origin, bogus", sdk.StatusOK, "http.referrer_policy.ok"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			states := runHeaderRule(t, "http.referrer_policy", "Referrer-Policy", c.value)
+			mustStatus(t, states, c.want)
+			if !hasCode(states, c.code) {
+				t.Errorf("value=%q: missing code %q in %+v", c.value, c.code, states)
+			}
+		})
+	}
+}
+
+func TestPermissionsPolicyRule(t *testing.T) {
+	// Permissions-Policy has no Validate function: presence alone is OK,
+	// absence is Info (Required=false).
+	cases := []struct {
+		name  string
+		value string
+		want  sdk.Status
+		code  string
+	}{
+		{"missing", "", sdk.StatusInfo, "http.permissions_policy.missing"},
+		{"present", "camera=(), microphone=()", sdk.StatusOK, "http.permissions_policy.ok"},
+		{"empty value treated as missing", "   ", sdk.StatusInfo, "http.permissions_policy.missing"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			states := runHeaderRule(t, "http.permissions_policy", "Permissions-Policy", c.value)
+			mustStatus(t, states, c.want)
+			if !hasCode(states, c.code) {
+				t.Errorf("value=%q: missing code %q in %+v", c.value, c.code, states)
+			}
+		})
+	}
+}
+
+func TestCOOPRule(t *testing.T) {
+	cases := []struct {
+		name  string
+		value string
+		want  sdk.Status
+		code  string
+	}{
+		{"missing", "", sdk.StatusInfo, "http.coop.missing"},
+		{"same-origin", "same-origin", sdk.StatusOK, "http.coop.ok"},
+		{"same-origin-allow-popups", "same-origin-allow-popups", sdk.StatusOK, "http.coop.ok"},
+		{"unsafe-none", "unsafe-none", sdk.StatusWarn, "http.coop.invalid"},
+		{"unrecognised", "bogus", sdk.StatusWarn, "http.coop.invalid"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			states := runHeaderRule(t, "http.coop", "Cross-Origin-Opener-Policy", c.value)
+			mustStatus(t, states, c.want)
+			if !hasCode(states, c.code) {
+				t.Errorf("value=%q: missing code %q in %+v", c.value, c.code, states)
+			}
+		})
+	}
+}
+
+func TestCOEPRule(t *testing.T) {
+	cases := []struct {
+		name  string
+		value string
+		want  sdk.Status
+		code  string
+	}{
+		{"missing", "", sdk.StatusInfo, "http.coep.missing"},
+		{"require-corp", "require-corp", sdk.StatusOK, "http.coep.ok"},
+		{"credentialless", "credentialless", sdk.StatusOK, "http.coep.ok"},
+		{"unsafe-none", "unsafe-none", sdk.StatusWarn, "http.coep.invalid"},
+		{"unrecognised", "bogus", sdk.StatusWarn, "http.coep.invalid"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			states := runHeaderRule(t, "http.coep", "Cross-Origin-Embedder-Policy", c.value)
+			mustStatus(t, states, c.want)
+			if !hasCode(states, c.code) {
+				t.Errorf("value=%q: missing code %q in %+v", c.value, c.code, states)
+			}
+		})
+	}
+}
+
+func TestCORPRule(t *testing.T) {
+	cases := []struct {
+		name  string
+		value string
+		want  sdk.Status
+		code  string
+	}{
+		{"missing", "", sdk.StatusInfo, "http.corp.missing"},
+		{"same-origin", "same-origin", sdk.StatusOK, "http.corp.ok"},
+		{"same-site", "same-site", sdk.StatusOK, "http.corp.ok"},
+		{"cross-origin", "cross-origin", sdk.StatusOK, "http.corp.ok"},
+		{"unrecognised", "bogus", sdk.StatusWarn, "http.corp.invalid"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			states := runHeaderRule(t, "http.corp", "Cross-Origin-Resource-Policy", c.value)
+			mustStatus(t, states, c.want)
+			if !hasCode(states, c.code) {
+				t.Errorf("value=%q: missing code %q in %+v", c.value, c.code, states)
+			}
+		})
+	}
+}
+
+func TestModernHeaders_NoHTTPS(t *testing.T) {
+	// Each modern header rule must emit Unknown when there are no
+	// successful HTTPS probes — the no_https path comes from EvalPerHTTPS.
+	rules := []string{
+		"http.referrer_policy",
+		"http.permissions_policy",
+		"http.coop",
+		"http.coep",
+		"http.corp",
+	}
+	data := &HTTPData{Probes: []HTTPProbe{httpProbe("a:80")}}
+	for _, name := range rules {
+		t.Run(name, func(t *testing.T) {
+			states := runRule(t, ruleByName(t, name), data, nil)
+			mustStatus(t, states, sdk.StatusUnknown)
+		})
+	}
+}