MC-39698: Modify Magento Admin CSP for Gainsight enablement For Magento 2.3.x line

krissyhiserote · krissyhiserote · commit 9f2d5e08b16f · 2021-02-04T15:46:15.000-06:00
diff --git a/app/code/Magento/AdminAnalytics/etc/csp_whitelist.xml b/app/code/Magento/AdminAnalytics/etc/csp_whitelist.xml
@@ -11,6 +11,29 @@
             <policy id="script-src">
                 <values>
                     <value id="adobedtm" type="host">assets.adobedtm.com</value>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                </values>
+            </policy>
+            <policy id="style-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                    <value id="fonts_googleapis" type="host">fonts.googleapis.com</value>
+                </values>
+            </policy>
+            <policy id="img-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                    <value id="storage_googleapis" type="host">storage.googleapis.com</value>
+                </values>
+            </policy>
+            <policy id="connect-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                </values>
+            </policy>
+            <policy id="font-src">
+                <values>
+                    <value id="fonts_gstatic" type="host">fonts.gstatic.com</value>
                 </values>
             </policy>
         </policies>
diff --git a/app/code/Magento/Csp/Model/Collector/CspWhitelistXml/Converter.php b/app/code/Magento/Csp/Model/Collector/CspWhitelistXml/Converter.php
@@ -36,13 +36,12 @@ public function convert($source)
             /** @var \DOMElement $value */
             foreach ($policy->getElementsByTagName('value') as $value) {
                 if ($value->attributes->getNamedItem('type')->nodeValue === 'host') {
-                    $policyConfig[$id]['hosts'][] = $value->nodeValue;
+                    $policyConfig[$id]['hosts'][$value->attributes->getNamedItem('id')->nodeValue] = $value->nodeValue;
                 } else {
                     $policyConfig[$id]['hashes'][$value->nodeValue]
                         = $value->attributes->getNamedItem('algorithm')->nodeValue;
                 }
             }
-            $policyConfig[$id]['hosts'] = array_unique($policyConfig[$id]['hosts']);
         }
 
         return $policyConfig;
diff --git a/app/code/Magento/Csp/Model/Collector/FetchPolicyMerger.php b/app/code/Magento/Csp/Model/Collector/FetchPolicyMerger.php
@@ -25,12 +25,12 @@ public function merge(PolicyInterface $policy1, PolicyInterface $policy2): Polic
         return new FetchPolicy(
             $policy1->getId(),
             $policy1->isNoneAllowed() || $policy2->isNoneAllowed(),
-            array_unique(array_merge($policy1->getHostSources(), $policy2->getHostSources())),
-            array_unique(array_merge($policy1->getSchemeSources(), $policy2->getSchemeSources())),
+            array_merge($policy1->getHostSources(), $policy2->getHostSources()),
+            array_merge($policy1->getSchemeSources(), $policy2->getSchemeSources()),
             $policy1->isSelfAllowed() || $policy2->isSelfAllowed(),
             $policy1->isInlineAllowed() || $policy2->isInlineAllowed(),
             $policy1->isEvalAllowed() || $policy2->isEvalAllowed(),
-            array_unique(array_merge($policy1->getNonceValues(), $policy2->getNonceValues())),
+            array_merge($policy1->getNonceValues(), $policy2->getNonceValues()),
             array_merge($policy1->getHashes(), $policy2->getHashes()),
             $policy1->isDynamicAllowed() || $policy2->isDynamicAllowed(),
             $policy1->areEventHandlersAllowed() || $policy2->areEventHandlersAllowed()
diff --git a/app/code/Magento/Csp/Model/Collector/PluginTypesPolicyMerger.php b/app/code/Magento/Csp/Model/Collector/PluginTypesPolicyMerger.php
@@ -22,7 +22,7 @@ public function merge(PolicyInterface $policy1, PolicyInterface $policy2): Polic
     {
         /** @var PluginTypesPolicy $policy1 */
         /** @var PluginTypesPolicy $policy2 */
-        return new PluginTypesPolicy(array_unique(array_merge($policy1->getTypes(), $policy2->getTypes())));
+        return new PluginTypesPolicy(array_merge($policy1->getTypes(), $policy2->getTypes()));
     }
 
     /**
diff --git a/app/code/Magento/Csp/Model/Policy/FetchPolicy.php b/app/code/Magento/Csp/Model/Policy/FetchPolicy.php
@@ -116,12 +116,12 @@ public function __construct(
     ) {
         $this->id = $id;
         $this->noneAllowed = $noneAllowed;
-        $this->hostSources = array_unique($hostSources);
-        $this->schemeSources = array_unique($schemeSources);
+        $this->hostSources = array_values(array_unique($hostSources));
+        $this->schemeSources = array_values(array_unique($schemeSources));
         $this->selfAllowed = $selfAllowed;
         $this->inlineAllowed = $inlineAllowed;
         $this->evalAllowed = $evalAllowed;
-        $this->nonceValues = array_unique($nonceValues);
+        $this->nonceValues = array_values(array_unique($nonceValues));
         $this->hashes = $hashValues;
         $this->dynamicAllowed = $dynamicAllowed;
         $this->eventHandlersAllowed = $eventHandlersAllowed;
diff --git a/app/code/Magento/Csp/Model/Policy/PluginTypesPolicy.php b/app/code/Magento/Csp/Model/Policy/PluginTypesPolicy.php
@@ -25,7 +25,7 @@ public function __construct(array $types)
         if (!$types) {
             throw new \RuntimeException('PluginTypePolicy must be given at least 1 type.');
         }
-        $this->types = array_unique($types);
+        $this->types = array_values(array_unique($types));
     }
 
     /**
diff --git a/dev/tests/integration/_files/Magento/TestModuleCspConfig/etc/adminhtml/csp_whitelist.xml b/dev/tests/integration/_files/Magento/TestModuleCspConfig/etc/adminhtml/csp_whitelist.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
+    <policies>
+        <policy id="object-src">
+            <values>
+                <value id="example-base" type="host">example.magento.com</value>
+                <value id="mage-base" type="host">https://admin.magento.com</value>
+            </values>
+        </policy>
+        <policy id="media-src">
+            <values>
+                <value id="example-base" type="host">example.magento.com</value>
+                <value id="mage-base" type="host">https://admin.magento.com</value>
+            </values>
+        </policy>
+    </policies>
+</csp_whitelist>
diff --git a/dev/tests/integration/testsuite/Magento/Csp/Model/Collector/CspWhitelistXmlCollectorTest.php b/dev/tests/integration/testsuite/Magento/Csp/Model/Collector/CspWhitelistXmlCollectorTest.php
@@ -72,4 +72,63 @@ public function testCollecting(): void
         $this->assertTrue($objectSrcChecked);
         $this->assertTrue($mediaSrcChecked);
     }
+
+    /**
+     * Test collecting configurations from multiple XML files for adminhtml area.
+     *
+     * @magentoAppArea adminhtml
+     * @return void
+     */
+    public function testCollectingForAdminhtmlArea(): void
+    {
+        $policies = $this->collector->collect([]);
+
+        $mediaSrcChecked = false;
+        $objectSrcChecked = false;
+        $this->assertNotEmpty($policies);
+        /** @var FetchPolicy $policy */
+        foreach ($policies as $policy) {
+            $this->assertFalse($policy->isNoneAllowed());
+            $this->assertFalse($policy->isSelfAllowed());
+            $this->assertFalse($policy->isInlineAllowed());
+            $this->assertFalse($policy->isEvalAllowed());
+            $this->assertFalse($policy->isDynamicAllowed());
+            $this->assertEmpty($policy->getSchemeSources());
+            $this->assertEmpty($policy->getNonceValues());
+            if ($policy->getId() === 'object-src') {
+                $this->assertInstanceOf(FetchPolicy::class, $policy);
+                $this->assertEquals(
+                    [
+                        'https://admin.magento.com',
+                        'https://devdocs.magento.com',
+                        'example.magento.com'
+                    ],
+                    $policy->getHostSources()
+                );
+                $this->assertEquals(
+                    [
+                        'B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=' => 'sha256',
+                        'B3yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=' => 'sha256',
+                        'B4yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=' => 'sha256'
+                    ],
+                    $policy->getHashes()
+                );
+                $objectSrcChecked = true;
+            } elseif ($policy->getId() === 'media-src') {
+                $this->assertInstanceOf(FetchPolicy::class, $policy);
+                $this->assertEquals(
+                    [
+                        'https://admin.magento.com',
+                        'https://devdocs.magento.com',
+                        'example.magento.com'
+                    ],
+                    $policy->getHostSources()
+                );
+                $this->assertEmpty($policy->getHashes());
+                $mediaSrcChecked = true;
+            }
+        }
+        $this->assertTrue($objectSrcChecked);
+        $this->assertTrue($mediaSrcChecked);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,13 +36,12 @@ public function convert($source)`
`36`	`36`	`/** @var \DOMElement $value */`
`37`	`37`	`foreach ($policy->getElementsByTagName('value') as $value) {`
`38`	`38`	`if ($value->attributes->getNamedItem('type')->nodeValue === 'host') {`
`39`		`- $policyConfig[$id]['hosts'][] = $value->nodeValue;`
	`39`	`+ $policyConfig[$id]['hosts'][$value->attributes->getNamedItem('id')->nodeValue] = $value->nodeValue;`
`40`	`40`	`} else {`
`41`	`41`	`$policyConfig[$id]['hashes'][$value->nodeValue]`
`42`	`42`	`= $value->attributes->getNamedItem('algorithm')->nodeValue;`
`43`	`43`	`}`
`44`	`44`	`}`
`45`		`- $policyConfig[$id]['hosts'] = array_unique($policyConfig[$id]['hosts']);`
`46`	`45`	`}`
`47`	`46`
`48`	`47`	`return $policyConfig;`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ public function merge(PolicyInterface $policy1, PolicyInterface $policy2): Polic`
`22`	`22`	`{`
`23`	`23`	`/** @var PluginTypesPolicy $policy1 */`
`24`	`24`	`/** @var PluginTypesPolicy $policy2 */`
`25`		`- return new PluginTypesPolicy(array_unique(array_merge($policy1->getTypes(), $policy2->getTypes())));`
	`25`	`+ return new PluginTypesPolicy(array_merge($policy1->getTypes(), $policy2->getTypes()));`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ public function __construct(array $types)`
`25`	`25`	`if (!$types) {`
`26`	`26`	`throw new \RuntimeException('PluginTypePolicy must be given at least 1 type.');`
`27`	`27`	`}`
`28`		`- $this->types = array_unique($types);`
	`28`	`+ $this->types = array_values(array_unique($types));`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`/**`