MC-38782: Modify Magento Admin CSP for Gainsight enablement

Author: fascinosum

app/code/Magento/AdminAnalytics/etc/adminhtml/csp_whitelist.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
+        <policies>
+            <policy id="script-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                </values>
+            </policy>
+            <policy id="style-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                    <value id="fonts_googleapis" type="host">fonts.googleapis.com</value>
+                </values>
+            </policy>
+            <policy id="img-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                    <value id="storage_googleapis" type="host">storage.googleapis.com</value>
+                </values>
+            </policy>
+            <policy id="connect-src">
+                <values>
+                    <value id="aptrinsic" type="host">*.aptrinsic.com</value>
+                </values>
+            </policy>
+            <policy id="font-src">
+                <values>
+                    <value id="fonts_gstatic" type="host">fonts.gstatic.com</value>
+                </values>
+            </policy>
+        </policies>
+</csp_whitelist>

app/code/Magento/Csp/Model/Collector/CspWhitelistXml/Converter.php

@@ -36,13 +36,12 @@ public function convert($source)
             /** @var \DOMElement $value */
             foreach ($policy->getElementsByTagName('value') as $value) {
                 if ($value->attributes->getNamedItem('type')->nodeValue === 'host') {
-                    $policyConfig[$id]['hosts'][] = $value->nodeValue;
+                    $policyConfig[$id]['hosts'][$value->attributes->getNamedItem('id')->nodeValue] = $value->nodeValue;
                 } else {
                     $policyConfig[$id]['hashes'][$value->nodeValue]
                         = $value->attributes->getNamedItem('algorithm')->nodeValue;
                 }
             }
-            $policyConfig[$id]['hosts'] = array_unique($policyConfig[$id]['hosts']);
         }
 
         return $policyConfig;

app/code/Magento/Csp/Model/Collector/FetchPolicyMerger.php

@@ -25,12 +25,12 @@ public function merge(PolicyInterface $policy1, PolicyInterface $policy2): Polic
         return new FetchPolicy(
             $policy1->getId(),
             $policy1->isNoneAllowed() || $policy2->isNoneAllowed(),
-            array_unique(array_merge($policy1->getHostSources(), $policy2->getHostSources())),
-            array_unique(array_merge($policy1->getSchemeSources(), $policy2->getSchemeSources())),
+            array_merge($policy1->getHostSources(), $policy2->getHostSources()),
+            array_merge($policy1->getSchemeSources(), $policy2->getSchemeSources()),
             $policy1->isSelfAllowed() || $policy2->isSelfAllowed(),
             $policy1->isInlineAllowed() || $policy2->isInlineAllowed(),
             $policy1->isEvalAllowed() || $policy2->isEvalAllowed(),
-            array_unique(array_merge($policy1->getNonceValues(), $policy2->getNonceValues())),
+            array_merge($policy1->getNonceValues(), $policy2->getNonceValues()),
             array_merge($policy1->getHashes(), $policy2->getHashes()),
             $policy1->isDynamicAllowed() || $policy2->isDynamicAllowed(),
             $policy1->areEventHandlersAllowed() || $policy2->areEventHandlersAllowed()

app/code/Magento/Csp/Model/Collector/PluginTypesPolicyMerger.php

@@ -22,7 +22,7 @@ public function merge(PolicyInterface $policy1, PolicyInterface $policy2): Polic
     {
         /** @var PluginTypesPolicy $policy1 */
         /** @var PluginTypesPolicy $policy2 */
-        return new PluginTypesPolicy(array_unique(array_merge($policy1->getTypes(), $policy2->getTypes())));
+        return new PluginTypesPolicy(array_merge($policy1->getTypes(), $policy2->getTypes()));
     }
 
     /**

app/code/Magento/Csp/Model/Policy/FetchPolicy.php

@@ -116,12 +116,12 @@ public function __construct(
     ) {
         $this->id = $id;
         $this->noneAllowed = $noneAllowed;
-        $this->hostSources = array_unique($hostSources);
-        $this->schemeSources = array_unique($schemeSources);
+        $this->hostSources = array_values(array_unique($hostSources));
+        $this->schemeSources = array_values(array_unique($schemeSources));
         $this->selfAllowed = $selfAllowed;
         $this->inlineAllowed = $inlineAllowed;
         $this->evalAllowed = $evalAllowed;
-        $this->nonceValues = array_unique($nonceValues);
+        $this->nonceValues = array_values(array_unique($nonceValues));
         $this->hashes = $hashValues;
         $this->dynamicAllowed = $dynamicAllowed;
         $this->eventHandlersAllowed = $eventHandlersAllowed;

app/code/Magento/Csp/Model/Policy/PluginTypesPolicy.php

@@ -25,7 +25,7 @@ public function __construct(array $types)
         if (!$types) {
             throw new \RuntimeException('PluginTypePolicy must be given at least 1 type.');
         }
-        $this->types = array_unique($types);
+        $this->types = array_values(array_unique($types));
     }
 
     /**

dev/tests/integration/testsuite/Magento/Csp/Model/Collector/CspWhitelistXmlCollectorTest.php

@@ -71,4 +71,62 @@ public function testCollecting(): void
         $this->assertTrue($objectSrcChecked);
         $this->assertTrue($mediaSrcChecked);
     }
+
+    /**
+     * Test collecting configurations from multiple XML files for adminhtml area.
+     *
+     * @magentoAppArea adminhtml
+     * @return void
+     */
+    public function testCollectingForAdminhtmlArea(): void
+    {
+        $policies = $this->collector->collect([]);
+
+        $mediaSrcChecked = false;
+        $objectSrcChecked = false;
+        $this->assertNotEmpty($policies);
+        /** @var FetchPolicy $policy */
+        foreach ($policies as $policy) {
+            $this->assertFalse($policy->isNoneAllowed());
+            $this->assertFalse($policy->isSelfAllowed());
+            $this->assertFalse($policy->isInlineAllowed());
+            $this->assertFalse($policy->isEvalAllowed());
+            $this->assertFalse($policy->isDynamicAllowed());
+            $this->assertEmpty($policy->getSchemeSources());
+            $this->assertEmpty($policy->getNonceValues());
+            if ($policy->getId() === 'object-src') {
+                $this->assertInstanceOf(FetchPolicy::class, $policy);
+                $this->assertEquals(
+                    [
+                        'https://admin.magento.com',
+                        'https://devdocs.magento.com',
+                        'example.magento.com'
+                    ],
+                    $policy->getHostSources()
+                );
+                $this->assertEquals(
+                    [
+                        'B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=' => 'sha256',
+                        'B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF9=' => 'sha256'
+                    ],
+                    $policy->getHashes()
+                );
+                $objectSrcChecked = true;
+            } elseif ($policy->getId() === 'media-src') {
+                $this->assertInstanceOf(FetchPolicy::class, $policy);
+                $this->assertEquals(
+                    [
+                        'https://admin.magento.com',
+                        'https://devdocs.magento.com',
+                        'example.magento.com'
+                    ],
+                    $policy->getHostSources()
+                );
+                $this->assertEmpty($policy->getHashes());
+                $mediaSrcChecked = true;
+            }
+        }
+        $this->assertTrue($objectSrcChecked);
+        $this->assertTrue($mediaSrcChecked);
+    }
 }