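"""Tests for the security headers and the CSP nonce wiring on the home page."""

import re

import pytest

# Matches the nonce source expression ('nonce-<value>') inside a CSP header;
# the character class stops at the closing quote, a space or the directive
# separator.
_NONCE_RE = re.compile(r"nonce-([^' ;]+)")


def _extract_nonce(csp: str) -> str:
    """Return the nonce value advertised in the CSP header *csp*.

    Raises:
        AssertionError: if the header carries no ``'nonce-...'`` source.
    """
    match = _NONCE_RE.search(csp)
    assert match is not None, f"no nonce source in CSP header: {csp!r}"
    return match.group(1)


@pytest.mark.django_db
def test_security_headers_present(client, home_page):
    """The home page must send CSP and Permissions-Policy headers.

    The CSP must define ``script-src`` and must not contain
    ``'unsafe-inline'``: that keyword would allow any injected inline
    script to execute and defeats the nonce mechanism tested below.
    """
    resp = client.get("/")
    assert resp.status_code == 200
    assert "Content-Security-Policy" in resp
    assert "Permissions-Policy" in resp

    csp = resp["Content-Security-Policy"]
    # CSP keywords are ASCII case-insensitive, so compare in lower case.
    assert "unsafe-inline" not in csp.lower()
    assert "script-src" in csp


@pytest.mark.django_db
def test_csp_nonce_applied_to_inline_script(client, home_page):
    """The nonce in the CSP header must match the one used in the HTML and
    must be regenerated for every response."""
    resp = client.get("/")
    nonce = _extract_nonce(resp["Content-Security-Policy"])

    html = resp.content.decode()
    assert f'nonce="{nonce}"' in html

    # A nonce that repeats across responses is predictable and no longer
    # protects against injected inline scripts; a second request must be
    # issued a different value.
    second_nonce = _extract_nonce(client.get("/")["Content-Security-Policy"])
    assert second_nonce != nonce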