OWN-150 Add custom policies to CSP header

Author: flancer64

Config.php

@@ -10,9 +10,35 @@
 
 class Config
 {
+    /** @var array https://www.w3.org/TR/CSP3/#iana-registry */
+    const CSP_DIRECTIVES = [
+        'base-uri',
+        'child-src',
+        'connect-src',
+        'default-src',
+        'font-src',
+        'form-action',
+        'frame-ancestors',
+        'frame-src',
+        'img-src',
+        'manifest-src',
+        'media-src',
+        'object-src',
+        'plugin-types',
+        'report-uri',
+        'report-to',
+        'sandbox',
+        'script-src',
+        'script-src-attr',
+        'script-src-elem',
+        'style-src',
+        'style-src-attr',
+        'style-src-elem',
+        'worker-src'
+    ];
+
     /** This module name. */
     const MODULE = self::MODULE_VENDOR . '_' . self::MODULE_PACKAGE;
     const MODULE_PACKAGE = 'Csp';
     const MODULE_VENDOR = 'Flancer32';
-
 }

Model/Collector/Db.php

@@ -5,22 +5,40 @@
  */
 
 namespace Flancer32\Csp\Model\Collector;
+use Flancer32\Csp\Model\Collector\Db\A\Query\GetRules as QGetRules;
 
 /**
  * Collect policy rules from DB.
  */
 class Db
     implements \Magento\Csp\Api\PolicyCollectorInterface
 {
+    /** @var \Flancer32\Csp\Model\Collector\Db\A\Query\GetRules */
+    private $aQGetRules;
+
+    public function __construct(
+        \Flancer32\Csp\Model\Collector\Db\A\Query\GetRules $aQGetRules
+    ) {
+        $this->aQGetRules = $aQGetRules;
+    }
 
     public function collect(array $defaultPolicies = []): array
     {
-        $policy = new \Magento\Csp\Model\Policy\FetchPolicy(
-            'img-src',
-            false,
-            ['*.medium.com']
-        );
-        $defaultPolicies[] = $policy;
+        $rules = $this->getRules();
+        foreach ($rules as $rule) {
+            $id = $rule[QGetRules::A_TYPE];
+            $source = $rule[QGetRules::A_SOURCE];
+            $policy = new \Magento\Csp\Model\Policy\FetchPolicy($id, false, [$source]);
+            $defaultPolicies[] = $policy;
+        }
         return $defaultPolicies;
     }
+
+    private function getRules()
+    {
+        $query = $this->aQGetRules->build();
+        $conn = $query->getConnection();
+        $result = $conn->fetchAll($query);
+        return $result;
+    }
 }

Model/Collector/Db/A/Query/GetRules.php

@@ -0,0 +1,74 @@
+<?php
+/**
+ * Authors: Alex Gusev <[email protected]>
+ * Since: 2020
+ */
+
+namespace Flancer32\Csp\Model\Collector\Db\A\Query;
+
+use Flancer32\Csp\Api\Repo\Data\Rule as ERule;
+use Flancer32\Csp\Api\Repo\Data\Type\Policy as EType;
+
+class GetRules
+    implements \Flancer32\Base\Api\Repo\Query\Select
+{
+    /** Tables aliases for external usage ('camelCase' naming) */
+    const AS_RULE = 'rule';
+    const AS_TYPE = 'type';
+
+    /** Columns/expressions aliases for external usage ('camelCase' naming) */
+    const A_AREA = 'area';
+    const A_SOURCE = 'source';
+    const A_TYPE = 'type';
+
+    /** Entities are used in the query (table names w/o prefix) */
+    const E_RULE = \Flancer32\Csp\Api\Repo\Dao\Rule::ENTITY_NAME;
+    const E_TYPE = \Flancer32\Csp\Api\Repo\Dao\Type\Policy::ENTITY_NAME;
+
+
+    /** @var  \Magento\Framework\DB\Adapter\AdapterInterface */
+    private $conn; // default connection
+
+    /** @var \Magento\Framework\App\ResourceConnection */
+    private $resource;
+
+    public function __construct(
+        \Magento\Framework\App\ResourceConnection $resource
+    ) {
+        $this->resource = $resource;
+        $this->conn = $resource->getConnection();
+    }
+
+    public function build($source = null)
+    {
+        /* this is root query builder (started from SELECT) */
+        $result = $this->conn->select();
+        /* define tables aliases for internal usage (in this method) */
+        $asRule = self::AS_RULE;
+        $asType = self::AS_TYPE;
+
+        /* FROM fl32_csp_rule (FROM - for root builder, JOIN - for $source chained builder) */
+        $tbl = $this->resource->getTableName(self::E_RULE);    // name with prefix
+        $as = $asRule;    // alias for 'current table' (currently processed in this block of code)
+        $cols = [
+            self::A_AREA => ERule::ADMIN_AREA,
+            self::A_SOURCE => ERule::SOURCE
+        ];
+        $result->from([$as => $tbl], $cols);    // standard names for the variables
+
+        /* LEFT JOIN fl32_csp_type_policy */
+        $tbl = $this->resource->getTableName(self::E_TYPE);
+        $as = $asType;
+        $cols = [
+            self::A_TYPE => EType::KEY
+        ];
+        $cond = "$as." . EType::ID . "=$asRule." . ERule::TYPE_ID;
+        $result->joinLeft([$as => $tbl], $cond, $cols);
+
+        /* WHERE */
+        $byEnabled = "$asRule." . ERule::ENABLED . "=TRUE";
+        $result->where($byEnabled);
+
+        return $result;
+    }
+}

Setup/Patch/Data/InsertPolicyTypes.php

@@ -5,6 +5,7 @@
  */
 
 namespace Flancer32\Csp\Setup\Patch\Data;
+use Flancer32\Csp\Config as Cfg;
 
 /**
  * Add policy types to codifier.
@@ -32,14 +33,27 @@ public function __construct(
 
     public function apply()
     {
-        foreach (\Magento\Csp\Model\Policy\FetchPolicy::POLICIES as $one) {
+        $directives = $this->getDirectives();
+        foreach ($directives as $one) {
             $data = new \Flancer32\Csp\Api\Repo\Data\Type\Policy();
             $key = trim(strtolower($one));
             $data->setKey($key);
             $this->daoTypePolicy->create($data);
         }
     }
 
+    /**
+     * @return array CSP directives to save in 'fl32_csp_type_policy'
+     */
+    private function getDirectives()
+    {
+        $mage = \Magento\Csp\Model\Policy\FetchPolicy::POLICIES;
+        $own = Cfg::CSP_DIRECTIVES;
+        $merged = array_merge($own, $mage);
+        $result = array_unique($merged);
+        return $result;
+    }
+
     public function getAliases()
     {
         return [];