Improve testing of django-csp integration

Some of these changes are stylistic, such as renaming _get_ns to get_namespaces.

Important changes:
- Adds tests for specific panels that use scripts
- Fixes redirects panel to actually use the nonce
- Fetches the toolbar instance from the store rather than context

Author: tim-schilling

debug_toolbar/panels/redirects.py

@@ -21,7 +21,11 @@ def process_request(self, request):
             if redirect_to:
                 status_line = f"{response.status_code} {response.reason_phrase}"
                 cookies = response.cookies
-                context = {"redirect_to": redirect_to, "status_line": status_line}
+                context = {
+                    "redirect_to": redirect_to,
+                    "status_line": status_line,
+                    "toolbar": self.toolbar,
+                }
                 # Using SimpleTemplateResponse avoids running global context processors.
                 response = SimpleTemplateResponse(
                     "debug_toolbar/redirect.html", context

debug_toolbar/toolbar.py

@@ -5,6 +5,8 @@
 import re
 import uuid
 from functools import lru_cache
+
+# Can be removed when python3.8 is dropped
 from typing import OrderedDict
 
 from django.apps import apps

requirements_dev.txt

@@ -11,6 +11,7 @@ html5lib
 selenium
 tox
 black
+django-csp # Used in tests/test_csp_rendering
 
 # Integration support
 

tests/test_csp_rendering.py

@@ -2,15 +2,16 @@
 from xml.etree.ElementTree import Element
 
 from django.conf import settings
-from django.http.response import HttpResponse
 from django.test.utils import ContextList, override_settings
 from html5lib.constants import E
 from html5lib.html5parser import HTMLParser
 
+from debug_toolbar.toolbar import DebugToolbar
+
 from .base import BaseTestCase
 
 
-def _get_ns(element: Element) -> Dict[str, str]:
+def get_namespaces(element: Element) -> Dict[str, str]:
     """
     Return the default `xmlns`. See
     https://docs.python.org/3/library/xml.etree.elementtree.html#parsing-xml-with-namespaces
@@ -20,10 +21,12 @@ def _get_ns(element: Element) -> Dict[str, str]:
     return {"": element.tag[1:].split("}", maxsplit=1)[0]}
 
 
+@override_settings(DEBUG=True)
 class CspRenderingTestCase(BaseTestCase):
-    "Testing if `csp-nonce` renders."
+    """Testing if `csp-nonce` renders."""
 
-    panel_id = "StaticFilesPanel"
+    def setUp(self):
+        self.parser = HTMLParser()
 
     def _fail_if_missing(
         self, root: Element, path: str, namespaces: Dict[str, str], nonce: str
@@ -46,50 +49,90 @@ def _fail_if_found(self, root: Element, path: str, namespaces: Dict[str, str]):
                 raise self.failureException(f"{item} has no nonce attribute.")
 
     def _fail_on_invalid_html(self, content: bytes, parser: HTMLParser):
-        "Fail if the passed HTML is invalid."
+        """Fail if the passed HTML is invalid."""
         if parser.errors:
             default_msg = ["Content is invalid HTML:"]
             lines = content.split(b"\n")
-            for position, errorcode, datavars in parser.errors:
-                default_msg.append("  %s" % E[errorcode] % datavars)
+            for position, error_code, data_vars in parser.errors:
+                default_msg.append("  %s" % E[error_code] % data_vars)
                 default_msg.append("    %r" % lines[position[0] - 1])
             msg = self._formatMessage(None, "\n".join(default_msg))
             raise self.failureException(msg)
 
     @override_settings(
-        DEBUG=True, MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
+        MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
     )
     def test_exists(self):
-        "A `nonce` should exists when using the `CSPMiddleware`."
+        """A `nonce` should exist when using the `CSPMiddleware`."""
         response = self.client.get(path="/regular/basic/")
-        if not isinstance(response, HttpResponse):
-            raise self.failureException(f"{response!r} is not a HttpResponse")
         self.assertEqual(response.status_code, 200)
-        parser = HTMLParser()
-        el_htmlroot: Element = parser.parse(stream=response.content)
-        self._fail_on_invalid_html(content=response.content, parser=parser)
+
+        html_root: Element = self.parser.parse(stream=response.content)
+        self._fail_on_invalid_html(content=response.content, parser=self.parser)
         self.assertContains(response, "djDebug")
-        namespaces = _get_ns(element=el_htmlroot)
-        context: ContextList = response.context  # pyright: ignore[reportAttributeAccessIssue]
+
+        namespaces = get_namespaces(element=html_root)
+        toolbar = list(DebugToolbar._store.values())[0]
+        nonce = str(toolbar.request.csp_nonce)
+        self._fail_if_missing(
+            root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
+        )
+        self._fail_if_missing(
+            root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
+        )
+
+    @override_settings(
+        DEBUG_TOOLBAR_CONFIG={"DISABLE_PANELS": set()},
+        MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"],
+    )
+    def test_redirects_exists(self):
+        response = self.client.get("/redirect/")
+        self.assertEqual(response.status_code, 200)
+
+        html_root: Element = self.parser.parse(stream=response.content)
+        self._fail_on_invalid_html(content=response.content, parser=self.parser)
+        self.assertContains(response, "djDebug")
+
+        namespaces = get_namespaces(element=html_root)
+        context: ContextList = response.context
         nonce = str(context["toolbar"].request.csp_nonce)
         self._fail_if_missing(
-            root=el_htmlroot, path=".//link", namespaces=namespaces, nonce=nonce
+            root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
         )
         self._fail_if_missing(
-            root=el_htmlroot, path=".//script", namespaces=namespaces, nonce=nonce
+            root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
         )
 
-    @override_settings(DEBUG=True)
+    @override_settings(
+        MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
+    )
+    def test_panel_content_nonce_exists(self):
+        response = self.client.get("/regular/basic/")
+        self.assertEqual(response.status_code, 200)
+
+        toolbar = list(DebugToolbar._store.values())[0]
+        panels_to_check = ["HistoryPanel", "TimerPanel"]
+        for panel in panels_to_check:
+            content = toolbar.get_panel_by_id(panel).content
+            html_root: Element = self.parser.parse(stream=content)
+            namespaces = get_namespaces(element=html_root)
+            nonce = str(toolbar.request.csp_nonce)
+            self._fail_if_missing(
+                root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
+            )
+            self._fail_if_missing(
+                root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
+            )
+
     def test_missing(self):
-        "A `nonce` should not exist when not using the `CSPMiddleware`."
+        """A `nonce` should not exist when not using the `CSPMiddleware`."""
         response = self.client.get(path="/regular/basic/")
-        if not isinstance(response, HttpResponse):
-            raise self.failureException(f"{response!r} is not a HttpResponse")
         self.assertEqual(response.status_code, 200)
-        parser = HTMLParser()
-        el_htmlroot: Element = parser.parse(stream=response.content)
-        self._fail_on_invalid_html(content=response.content, parser=parser)
+
+        html_root: Element = self.parser.parse(stream=response.content)
+        self._fail_on_invalid_html(content=response.content, parser=self.parser)
         self.assertContains(response, "djDebug")
-        namespaces = _get_ns(element=el_htmlroot)
-        self._fail_if_found(root=el_htmlroot, path=".//link", namespaces=namespaces)
-        self._fail_if_found(root=el_htmlroot, path=".//script", namespaces=namespaces)
+
+        namespaces = get_namespaces(element=html_root)
+        self._fail_if_found(root=html_root, path=".//link", namespaces=namespaces)
+        self._fail_if_found(root=html_root, path=".//script", namespaces=namespaces)