AC-10686: [PCI] SRI enabled on payment pages

Author: dvoskoboinikov

app/code/Magento/Csp/Model/Deploy/Package/Processor/PostProcessor/Integrity.php

@@ -0,0 +1,89 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Deploy\Package\Processor\PostProcessor;
+
+use Magento\Framework\Filesystem;
+use Magento\Deploy\Package\Package;
+use Magento\Csp\Model\SubresourceIntegrityFactory;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Csp\Model\SubresourceIntegrityCollector;
+use Magento\Deploy\Package\Processor\ProcessorInterface;
+use Magento\Csp\Model\SubresourceIntegrity\HashGenerator;
+
+/**
+ * Post-processor that generates integrity hashes after static content package deployed.
+ */
+class Integrity implements ProcessorInterface
+{
+    /**
+     * @var Filesystem
+     */
+    private Filesystem $filesystem;
+
+    /**
+     * @var HashGenerator
+     */
+    private HashGenerator $hashGenerator;
+
+    /**
+     * @var SubresourceIntegrityFactory
+     */
+    private SubresourceIntegrityFactory $integrityFactory;
+
+    /**
+     * @var SubresourceIntegrityCollector
+     */
+    private SubresourceIntegrityCollector $integrityCollector;
+
+    /**
+     * @param Filesystem $filesystem
+     * @param HashGenerator $hashGenerator
+     * @param SubresourceIntegrityFactory $integrityFactory
+     * @param SubresourceIntegrityCollector $integrityCollector
+     */
+    public function __construct(
+        Filesystem $filesystem,
+        HashGenerator $hashGenerator,
+        SubresourceIntegrityFactory $integrityFactory,
+        SubresourceIntegrityCollector $integrityCollector
+    ) {
+        $this->filesystem = $filesystem;
+        $this->hashGenerator = $hashGenerator;
+        $this->integrityFactory = $integrityFactory;
+        $this->integrityCollector = $integrityCollector;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function process(Package $package, array $options): bool
+    {
+        $staticDir = $this->filesystem->getDirectoryRead(
+            DirectoryList::STATIC_VIEW
+        );
+
+        foreach ($package->getFiles() as $file) {
+            if ($file->getExtension() == "js") {
+                $integrity = $this->integrityFactory->create(
+                    [
+                        "data" => [
+                            'hash' => $this->hashGenerator->generate(
+                                $staticDir->readFile($file->getDeployedFilePath())
+                            ),
+                            'path' => $file->getDeployedFilePath()
+                        ]
+                    ]
+                );
+
+                $this->integrityCollector->collect($integrity);
+            }
+        }
+
+        return true;
+    }
+}

app/code/Magento/Csp/Plugin/GenerateAssetIntegrity.php

@@ -9,9 +9,6 @@
 
 use Magento\Framework\View\Asset\File;
 use Magento\RequireJs\Model\FileManager;
-use Magento\Framework\App\View\Asset\Publisher;
-use Magento\Framework\View\Asset\LocalInterface;
-use Magento\Framework\View\Asset\AssetInterface;
 use Magento\Csp\Model\SubresourceIntegrityFactory;
 use Magento\Csp\Model\SubresourceIntegrityCollector;
 use Magento\Csp\Model\SubresourceIntegrity\HashGenerator;
@@ -58,31 +55,6 @@ public function __construct(
         $this->integrityCollector = $integrityCollector;
     }
 
-    /**
-     * Generates integrity after publishing of static assets is complete.
-     *
-     * @param Publisher $subject
-     * @param bool $result
-     * @param AssetInterface $asset
-     *
-     * @return bool
-     *
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
-    public function afterPublish(
-        Publisher $subject,
-        bool $result,
-        AssetInterface $asset
-    ): bool {
-        if (PHP_SAPI == 'cli' && $asset instanceof LocalInterface) {
-            if (in_array($asset->getContentType(), self::CONTENT_TYPES)) {
-                $this->generateIntegrity($asset);
-            }
-        }
-
-        return $result;
-    }
-
     /**
      * Generates integrity for RequireJs config.
      *
@@ -99,33 +71,21 @@ public function afterCreateRequireJsConfigAsset(
     ): File {
         if (PHP_SAPI == 'cli') {
             if (in_array($result->getContentType(), self::CONTENT_TYPES)) {
-                $this->generateIntegrity($result);
+                $integrity = $this->integrityFactory->create(
+                    [
+                        "data" => [
+                            'hash' => $this->hashGenerator->generate(
+                                $result->getContent()
+                            ),
+                            'path' => $result->getPath()
+                        ]
+                    ]
+                );
+
+                $this->integrityCollector->collect($integrity);
             }
         }
 
         return $result;
     }
-
-    /**
-     * Generates and stores integrity for a given asset.
-     *
-     * @param LocalInterface $asset
-     *
-     * @return void
-     */
-    private function generateIntegrity(LocalInterface $asset): void
-    {
-        $integrity = $this->integrityFactory->create(
-            [
-                "data" => [
-                    'hash' => $this->hashGenerator->generate(
-                        $asset->getContent()
-                    ),
-                    'path' => $asset->getPath()
-                ]
-            ]
-        );
-
-        $this->integrityCollector->collect($integrity);
-    }
 }

app/code/Magento/Csp/etc/di.xml

@@ -111,15 +111,19 @@
             <argument name="cache" xsi:type="object">Magento\Csp\Model\BlockCache</argument>
         </arguments>
     </type>
+    <type name="Magento\Deploy\Package\Package">
+        <arguments>
+            <argument name="postProcessors" xsi:type="array">
+                <item name="integrity" xsi:type="object">Magento\Csp\Model\Deploy\Package\Processor\PostProcessor\Integrity</item>
+            </argument>
+        </arguments>
+    </type>
     <type name="Magento\Framework\View\Asset\GroupedCollection">
         <plugin name="addDefaultPropertiesToGroup" type="Magento\Csp\Plugin\AddDefaultPropertiesToGroupPlugin" />
     </type>
     <type name="Magento\Deploy\Service\DeployStaticContent">
         <plugin name="removeAllAssetIntegrityHashes" type="Magento\Csp\Plugin\RemoveAllAssetIntegrityHashes" />
     </type>
-    <type name="Magento\Framework\App\View\Asset\Publisher">
-        <plugin name="addResourceIntegrityAfterAssetPublish" type="Magento\Csp\Plugin\GenerateAssetIntegrity"/>
-    </type>
     <type name="Magento\RequireJs\Model\FileManager">
         <plugin name="addResourceIntegrityAfterAssetCreate" type="Magento\Csp\Plugin\GenerateAssetIntegrity"/>
     </type>