checker-http/checker/rules_sri_test.go

// This file is part of the happyDomain (R) project.
// Copyright (c) 2020-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.

package checker

import (
	"testing"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

func TestSRIRule_NoHTML(t *testing.T) {
	// A probe without Resources is treated as "no parsed body".
	data := &HTTPData{Probes: []HTTPProbe{httpsProbe("a:443")}}
	states := runRule(t, &sriRule{}, data, nil)
	mustStatus(t, states, sdk.StatusUnknown)
	if !hasCode(states, "http.sri.no_html") {
		t.Errorf("expected no_html: %+v", states)
	}
}

func TestSRIRule_NoCrossOrigin(t *testing.T) {
	p := httpsProbe("a:443")
	p.Resources = []HTMLResource{
		{Tag: "script", URL: "/local.js", CrossOrigin: false},
		{Tag: "link", URL: "/style.css", CrossOrigin: false, Rel: "stylesheet"},
	}
	states := runRule(t, &sriRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
	mustStatus(t, states, sdk.StatusOK)
	if !hasCode(states, "http.sri.no_cross_origin") {
		t.Errorf("expected no_cross_origin: %+v", states)
	}
}

func TestSRIRule_AllCovered(t *testing.T) {
	p := httpsProbe("a:443")
	p.Resources = []HTMLResource{
		{Tag: "script", URL: "https://cdn.example/lib.js", CrossOrigin: true, Integrity: "sha384-abc"},
		{Tag: "link", URL: "https://cdn.example/style.css", CrossOrigin: true, Integrity: "sha384-def"},
	}
	states := runRule(t, &sriRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
	mustStatus(t, states, sdk.StatusOK)
	if !hasCode(states, "http.sri.ok") {
		t.Errorf("expected ok: %+v", states)
	}
}

func TestSRIRule_SomeMissing(t *testing.T) {
	p := httpsProbe("a:443")
	p.Resources = []HTMLResource{
		{Tag: "script", URL: "https://cdn.example/lib.js", CrossOrigin: true},
		{Tag: "link", URL: "https://cdn.example/style.css", CrossOrigin: true, Integrity: "sha384-def"},
		{Tag: "script", URL: "/local.js", CrossOrigin: false},
	}
	states := runRule(t, &sriRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
	if len(states) != 1 {
		t.Fatalf("expected 1 missing-state, got %d: %+v", len(states), states)
	}
	mustStatus(t, states, sdk.StatusWarn)
	if states[0].Code != "http.sri.missing" {
		t.Errorf("unexpected code: %q", states[0].Code)
	}
	if states[0].Meta["url"] != "https://cdn.example/lib.js" {
		t.Errorf("meta.url = %v, want lib.js", states[0].Meta["url"])
	}
}

func TestSRIRule_PicksFirstHTTPSWithResources(t *testing.T) {
	a := httpsProbe("a:443")
	b := httpsProbe("b:443")
	b.Resources = []HTMLResource{{Tag: "script", URL: "https://cdn/x.js", CrossOrigin: true, Integrity: "sha384-abc"}}
	states := runRule(t, &sriRule{}, &HTTPData{Probes: []HTTPProbe{a, b}}, nil)
	mustStatus(t, states, sdk.StatusOK)
	if !hasCode(states, "http.sri.ok") {
		t.Errorf("expected ok with resources from second probe, got %+v", states)
	}
}