MC-19927: Implement hash-whitelisting, dynamic CSP

Oleksandr Gorkun · Oleksandr Gorkun · commit 4d3b05186510 · 2019-12-04T16:40:34.000-06:00
diff --git a/app/code/Magento/Csp/Model/CompositePolicyCollector.php b/app/code/Magento/Csp/Model/CompositePolicyCollector.php
@@ -53,7 +53,7 @@ private function merge(array $collected): array
             if (array_key_exists($policy->getId(), $merged)) {
                 foreach ($this->mergers as $merger) {
                     if ($merger->canMerge($merged[$policy->getId()], $policy)) {
-                        $result[$policy->getId()] = $merger->merge($merged[$policy->getId()], $policy);
+                        $merged[$policy->getId()] = $merger->merge($merged[$policy->getId()], $policy);
                         continue 2;
                     }
                 }
diff --git a/app/code/Magento/Csp/Plugin/CspAwareControllerPlugin.php b/app/code/Magento/Csp/Plugin/CspAwareControllerPlugin.php
@@ -34,12 +34,12 @@ public function __construct(ControllerCollector $collector)
      * Register matched action instance.
      *
      * @param RouterInterface $router
-     * @param ActionInterface $matched
-     * @return ActionInterface
+     * @param ActionInterface|null $matched
+     * @return ActionInterface|null
      */
-    public function afterMatch(RouterInterface $router, ActionInterface $matched): ActionInterface
+    public function afterMatch(RouterInterface $router, ?ActionInterface $matched): ?ActionInterface
     {
-        if ($matched instanceof CspAwareActionInterface) {
+        if ($matched && $matched instanceof CspAwareActionInterface) {
             $this->collector->setCurrentActionInstance($matched);
         }
 
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/Controller/Csp/Aware.php b/dev/tests/integration/_files/Magento/TestModuleCspUtil/Controller/Csp/Aware.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\TestModuleCspUtil\Controller\Csp;
+
+use Magento\Csp\Api\CspAwareActionInterface;
+use Magento\Csp\Model\Policy\FetchPolicy;
+use Magento\Framework\App\Action\Action;
+use Magento\Framework\Controller\ResultFactory;
+
+/**
+ * CSP Aware controller.
+ */
+class Aware extends Action implements CspAwareActionInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function execute()
+    {
+        return $this->resultFactory->create(ResultFactory::TYPE_PAGE);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function modifyCsp(array $appliedPolicies): array
+    {
+        $policies = [];
+        foreach ($appliedPolicies as $policy) {
+            if ($policy instanceof FetchPolicy && in_array('http://controller.magento.com', $policy->getHostSources(), true)) {
+                $policies[] = new FetchPolicy(
+                    'script-src',
+                    false,
+                    ['https://controller.magento.com'],
+                    [],
+                    true,
+                    false,
+                    false,
+                    [],
+                    ['H4RRnauTM2X2Xg/z9zkno1crqhsaY3uKKu97uwmnXXE=' => 'sha256']
+                );
+            }
+        }
+
+        return $policies;
+    }
+}
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/Controller/Csp/Helper.php b/dev/tests/integration/_files/Magento/TestModuleCspUtil/Controller/Csp/Helper.php
@@ -0,0 +1,26 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\TestModuleCspUtil\Controller\Csp;
+
+use Magento\Framework\App\Action\Action;
+use Magento\Framework\Controller\ResultFactory;
+use Magento\Framework\View\Result\PageFactory;
+
+/**
+ * .phtml templates utilizes CSP helper.
+ */
+class Helper extends Action
+{
+    /**
+     * @inheritDoc
+     */
+    public function execute()
+    {
+        return $this->resultFactory->create(ResultFactory::TYPE_PAGE);
+    }
+}
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/composer.json b/dev/tests/integration/_files/Magento/TestModuleCspUtil/composer.json
@@ -0,0 +1,21 @@
+{
+  "name": "magento/module-csp-util",
+  "description": "test csp module",
+  "config": {
+    "sort-packages": true
+  },
+  "require": {
+    "php": "~7.1.3||~7.2.0||~7.3.0",
+    "magento/framework": "*",
+    "magento/module-integration": "*"
+  },
+  "type": "magento2-module",
+  "extra": {
+    "map": [
+      [
+        "*",
+        "Magento/TestModuleCspUtil"
+      ]
+    ]
+  }
+}
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/etc/csp_whitelist.xml b/dev/tests/integration/_files/Magento/TestModuleCspUtil/etc/csp_whitelist.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
+    <policies>
+        <policy id="script-src">
+            <values>
+                <value id="devdocs-base" type="host">https://devdocs.magento.com</value>
+            </values>
+        </policy>
+    </policies>
+</csp_whitelist>
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/etc/frontend/routes.xml b/dev/tests/integration/_files/Magento/TestModuleCspUtil/etc/frontend/routes.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
+    <router id="standard">
+        <route id="csputil" frontName="csputil">
+            <module name="Magento_TestModuleCspUtil" />
+        </route>
+    </router>
+</config>
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/etc/module.xml b/dev/tests/integration/_files/Magento/TestModuleCspUtil/etc/module.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
+    <module name="Magento_TestModuleCspUtil" active="true" />
+</config>
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/registration.php b/dev/tests/integration/_files/Magento/TestModuleCspUtil/registration.php
@@ -0,0 +1,12 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+use Magento\Framework\Component\ComponentRegistrar;
+
+$registrar = new ComponentRegistrar();
+if ($registrar->getPath(ComponentRegistrar::MODULE, 'Magento_TestModuleCspUtil') === null) {
+    ComponentRegistrar::register(ComponentRegistrar::MODULE, 'Magento_TestModuleCspUtil', __DIR__);
+}
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/layout/csputil_csp_aware.xml b/dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/layout/csputil_csp_aware.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
+    <body>
+        <referenceContainer name="content">
+            <block class="Magento\Framework\View\Element\Template"
+                   name="csp_helper"
+                   cacheable="false"
+                   template="Magento_TestModuleCspUtil::helper.phtml" />
+        </referenceContainer>
+    </body>
+</page>
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/layout/csputil_csp_helper.xml b/dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/layout/csputil_csp_helper.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
+    <body>
+        <referenceContainer name="content">
+            <block class="Magento\Framework\View\Element\Template"
+                   name="csp_helper"
+                   cacheable="false"
+                   template="Magento_TestModuleCspUtil::helper.phtml" />
+        </referenceContainer>
+    </body>
+</page>
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/templates/helper.phtml b/dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/templates/helper.phtml
@@ -0,0 +1,7 @@
+<?php
+/** @var \Magento\Csp\Api\InlineUtilInterface $csp */
+?>
+<h1>Hello there!</h1>
+<?= $csp->renderTag('script', ['src' => 'http://my.magento.com/static/script.js']); ?>
+<?= $csp->renderTag('script', [], "\n    let myVar = 1;\n") ?>
+
diff --git a/dev/tests/integration/testsuite/Magento/Csp/CspAwareActionTest.php b/dev/tests/integration/testsuite/Magento/Csp/CspAwareActionTest.php
@@ -0,0 +1,45 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp;
+
+use Magento\TestFramework\TestCase\AbstractController;
+
+/**
+ * Test that controllers can modify CSPs for a page.
+ *
+ * @magentoAppArea frontend
+ */
+class CspAwareActionTest extends AbstractController
+{
+    /**
+     * Check that a CSP aware action can modify CSPs after ALL other policies had been gathered.
+     *
+     * @return void
+     * @magentoConfigFixture default_store csp/mode/storefront/report_only 0
+     * @magentoConfigFixture default_store csp/policies/storefront/script/policy_id script-src
+     * @magentoConfigFixture default_store csp/policies/storefront/script/none 0
+     * @magentoConfigFixture default_store csp/policies/storefront/script/hosts/example http://controller.magento.com
+     * @magentoConfigFixture default_store csp/policies/storefront/script/self 0
+     * @magentoConfigFixture default_store csp/policies/storefront/script/inline 0
+     */
+    public function testAwareAction(): void
+    {
+        $this->getRequest()->setMethod('GET');
+        $this->dispatch('csputil/csp/aware');
+        $headers = '';
+        foreach ($this->getResponse()->getHeaders() as $header) {
+            $headers .= $header->getFieldName() .': ' .$header->getFieldValue() .PHP_EOL;
+        }
+
+        $this->assertContains(
+            'Content-Security-Policy: script-src https://controller.magento.com'
+                .' \'self\' \'sha256-H4RRnauTM2X2Xg/z9zkno1crqhsaY3uKKu97uwmnXXE=\'',
+            $headers
+        );
+    }
+}
diff --git a/dev/tests/integration/testsuite/Magento/Csp/CspUtilTest.php b/dev/tests/integration/testsuite/Magento/Csp/CspUtilTest.php
@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp;
+
+use Magento\TestFramework\TestCase\AbstractController;
+
+/**
+ * Test CSP util use cases.
+ *
+ * @magentoAppArea frontend
+ */
+class CspUtilTest extends AbstractController
+{
+    /**
+     * Test that CSP helper for templates works.
+     *
+     * @return void
+     */
+    public function testPhtmlHelper(): void
+    {
+        $this->getRequest()->setMethod('GET');
+        $this->dispatch('csputil/csp/helper');
+        $content = $this->getResponse()->getContent();
+
+        $this->assertContains('<script src="http://my.magento.com/static/script.js" />', $content);
+        $this->assertContains("<script>\n    let myVar = 1;\n</script>", $content);
+        $headers = '';
+        foreach ($this->getResponse()->getHeaders() as $header) {
+            $headers .= $header->getFieldName() .': ' .$header->getFieldValue() .PHP_EOL;
+        }
+        $this->assertContains('http://my.magento.com', $headers);
+        $this->assertContains('\'sha256-H4RRnauTM2X2Xg/z9zkno1crqhsaY3uKKu97uwmnXXE=\'', $headers);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ private function merge(array $collected): array`
`53`	`53`	`if (array_key_exists($policy->getId(), $merged)) {`
`54`	`54`	`foreach ($this->mergers as $merger) {`
`55`	`55`	`if ($merger->canMerge($merged[$policy->getId()], $policy)) {`
`56`		`- $result[$policy->getId()] = $merger->merge($merged[$policy->getId()], $policy);`
	`56`	`+ $merged[$policy->getId()] = $merger->merge($merged[$policy->getId()], $policy);`
`57`	`57`	`continue 2;`
`58`	`58`	`}`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,12 +34,12 @@ public function __construct(ControllerCollector $collector)`
`34`	`34`	`* Register matched action instance.`
`35`	`35`	`*`
`36`	`36`	`* @param RouterInterface $router`
`37`		`- * @param ActionInterface $matched`
`38`		`- * @return ActionInterface`
	`37`	`+ * @param ActionInterface\|null $matched`
	`38`	`+ * @return ActionInterface\|null`
`39`	`39`	`*/`
`40`		`- public function afterMatch(RouterInterface $router, ActionInterface $matched): ActionInterface`
	`40`	`+ public function afterMatch(RouterInterface $router, ?ActionInterface $matched): ?ActionInterface`
`41`	`41`	`{`
`42`		`- if ($matched instanceof CspAwareActionInterface) {`
	`42`	`+ if ($matched && $matched instanceof CspAwareActionInterface) {`
`43`	`43`	`$this->collector->setCurrentActionInstance($matched);`
`44`	`44`	`}`
`45`	`45`