flancer32
diff --git a/‎Cli/Analyze.php‎
Lines changed: 19 additions & 11 deletions b/‎Cli/Analyze.php‎
Lines changed: 19 additions & 11 deletions
diff --git a/‎Config.php‎
Lines changed: 3 additions & 0 deletions b/‎Config.php‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎Controller/Adminhtml/Report/Index.php‎
Lines changed: 15 additions & 9 deletions b/‎Controller/Adminhtml/Report/Index.php‎
Lines changed: 15 additions & 9 deletions
diff --git a/‎Controller/Report/Index.php‎
Lines changed: 15 additions & 9 deletions b/‎Controller/Report/Index.php‎
Lines changed: 15 additions & 9 deletions
diff --git a/‎Helper/Config.php‎
Lines changed: 96 additions & 0 deletions b/‎Helper/Config.php‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎Model/Collector/Db.php‎
Lines changed: 12 additions & 6 deletions b/‎Model/Collector/Db.php‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎Plugin/Magento/Csp/Observer/Render.php‎
Lines changed: 37 additions & 17 deletions b/‎Plugin/Magento/Csp/Observer/Render.php‎
Lines changed: 37 additions & 17 deletions
@@ -17,18 +17,21 @@ class Analyze
 {
     private const DESC = 'Analyze CSP violation reports and compose policy rules.';
     private const NAME = 'fl32:csp:analyze';
-
+    /** @var \Flancer32\Csp\Helper\Config */
+    private $hlpCfg;
     /** @var \Magento\Framework\App\ResourceConnection */
     private $resource;
     /** @var \Flancer32\Csp\Service\Report\Analyze */
     private $srvAnalyze;
 
     public function __construct(
         \Magento\Framework\App\ResourceConnection $resource,
+        \Flancer32\Csp\Helper\Config $hlpCfg,
         \Flancer32\Csp\Service\Report\Analyze $srvAnalyze
     ) {
         parent::__construct(self::NAME, self::DESC);
         $this->resource = $resource;
+        $this->hlpCfg = $hlpCfg;
         $this->srvAnalyze = $srvAnalyze;
     }
 
@@ -38,16 +41,21 @@ protected function execute(InputInterface $input, OutputInterface $output)
 
         $output->writeln("<info>Command '" . $this->getName() . "': " . $this->getDescription() . "<info>");
         $this->checkAreaCode();
-        $conn = $this->resource->getConnection();
-        $conn->beginTransaction();
-        $req = new \Flancer32\Csp\Service\Report\Analyze\Request();
-        $resp = $this->srvAnalyze->execute($req);
-        $conn->commit();
-        $added = $resp->getRulesAdded();
-        $deleted = $resp->getReportsDeleted();
-        $min = $resp->getReportsIdMin();
-        $max = $resp->getReportsIdMax();
-        $output->writeln("<info>$added rules were added. $deleted reports were deleted (id: $min-$max).<info>");
+        if ($this->hlpCfg->getEnabled()) {
+            $conn = $this->resource->getConnection();
+            $conn->beginTransaction();
+            $req = new \Flancer32\Csp\Service\Report\Analyze\Request();
+            $resp = $this->srvAnalyze->execute($req);
+            $conn->commit();
+            $added = $resp->getRulesAdded();
+            $deleted = $resp->getReportsDeleted();
+            $min = $resp->getReportsIdMin();
+            $max = $resp->getReportsIdMax();
+            $output->writeln("<info>$added rules were added. $deleted reports were deleted (id: $min-$max).<info>");
+        } else {
+            $output->writeln("<info>CSP reports processing is disabled. "
+                . "Please, enable it at 'Configuration / Security / CSP / General / Enable'.<info>");
+        }
         $output->writeln('<info>Command \'' . $this->getName() . '\' is completed.<info>');
     }
 
 
@@ -37,6 +37,9 @@ class Config
         'worker-src'
     ];
 
+    const HTTP_HEAD_CSP = 'Content-Security-Policy';
+    const HTTP_HEAD_CSP_REPORT_ONLY = 'Content-Security-Policy-Report-Only';
+
     /** This module name. */
     const MODULE = self::MODULE_VENDOR . '_' . self::MODULE_PACKAGE;
     const MODULE_PACKAGE = 'Csp';
 
@@ -17,16 +17,20 @@ class Index
     const HTTP_NO_CONTENT = 204;
     /** @var \Magento\Framework\App\Response\HttpFactory */
     private $factHttpResponse;
+    /** @var \Flancer32\Csp\Helper\Config */
+    private $hlpCfg;
     /** @var \Flancer32\Csp\Service\Report\Save */
     private $srvReportSave;
 
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\Framework\App\Response\HttpFactory $factHttpResponse,
+        \Flancer32\Csp\Helper\Config $hlpCfg,
         \Flancer32\Csp\Service\Report\Save $srvReportSave
     ) {
         parent::__construct($context);
         $this->factHttpResponse = $factHttpResponse;
+        $this->hlpCfg = $hlpCfg;
         $this->srvReportSave = $srvReportSave;
     }
 
@@ -51,16 +55,18 @@ public function createCsrfValidationException(RequestInterface $request): ?Inval
 
     public function execute()
     {
-        // Read POSTed data and convert it into PHP object.
-        $rawBody = file_get_contents('php://input');
-        $data = json_decode($rawBody);
-        if (isset($data->{'csp-report'})) {
-            $req = new \Flancer32\Csp\Service\Report\Save\Request();
-            $req->setIsAdmin(true);
-            $req->setReport($data->{'csp-report'});
-            $this->srvReportSave->execute($req);
+        if ($this->hlpCfg->getEnabled()) {
+            // Read POSTed data and convert it into PHP object.
+            $rawBody = file_get_contents('php://input');
+            $data = json_decode($rawBody);
+            if (isset($data->{'csp-report'})) {
+                $req = new \Flancer32\Csp\Service\Report\Save\Request();
+                $req->setIsAdmin(true);
+                $req->setReport($data->{'csp-report'});
+                $this->srvReportSave->execute($req);
+            }
         }
-        // ... then create response
+        // ... then create NO_CONTENT response
         /** @var \Magento\Framework\App\Response\Http $result */
         $result = $this->factHttpResponse->create();
         $result->setHttpResponseCode(self::HTTP_NO_CONTENT);
 
@@ -18,17 +18,21 @@ class Index
 
     /** @var \Magento\Framework\App\Response\HttpFactory */
     private $factHttpResponse;
+    /** @var \Flancer32\Csp\Helper\Config */
+    private $hlpCfg;
     /** @var \Flancer32\Csp\Service\Report\Save */
     private $srvReportSave;
 
     public function __construct(
         \Magento\Framework\App\Action\Context $context,
         \Psr\Log\LoggerInterface $logger,
         \Magento\Framework\App\Response\HttpFactory $factHttpResponse,
+        \Flancer32\Csp\Helper\Config $hlpCfg,
         \Flancer32\Csp\Service\Report\Save $srvReportSave
     ) {
         parent::__construct($context);
         $this->factHttpResponse = $factHttpResponse;
+        $this->hlpCfg = $hlpCfg;
         $this->srvReportSave = $srvReportSave;
     }
 
@@ -39,16 +43,18 @@ public function createCsrfValidationException(RequestInterface $request): ?Inval
 
     public function execute()
     {
-        // Read POSTed data and convert it into PHP object.
-        $rawBody = file_get_contents('php://input');
-        $data = json_decode($rawBody);
-        if (isset($data->{'csp-report'})) {
-            $req = new \Flancer32\Csp\Service\Report\Save\Request();
-            $req->setIsAdmin(false);
-            $req->setReport($data->{'csp-report'});
-            $this->srvReportSave->execute($req);
+        if ($this->hlpCfg->getEnabled()) {
+            // Read POSTed data and convert it into PHP object.
+            $rawBody = file_get_contents('php://input');
+            $data = json_decode($rawBody);
+            if (isset($data->{'csp-report'})) {
+                $req = new \Flancer32\Csp\Service\Report\Save\Request();
+                $req->setIsAdmin(false);
+                $req->setReport($data->{'csp-report'});
+                $this->srvReportSave->execute($req);
+            }
         }
-        // ... then create response
+        // ... then create NO_CONTENT response
         /** @var \Magento\Framework\App\Response\Http $result */
         $result = $this->factHttpResponse->create();
         $result->setHttpResponseCode(self::HTTP_NO_CONTENT);
 
@@ -0,0 +1,96 @@
+<?php
+/**
+ * Authors: Alex Gusev <[email protected]>
+ * Since: 2020
+ */
+
+namespace Flancer32\Csp\Helper;
+
+use Magento\Framework\App\Config\ScopeConfigInterface as AScopeCfg;
+
+/**
+ * Helper to get store configuration parameters related to the module.
+ *
+ * @SuppressWarnings(PHPMD.BooleanGetMethodName)
+ */
+class Config
+{
+    /** @var \Magento\Framework\App\State */
+    private $appState;
+    /** @var \Magento\Framework\App\Config\ScopeConfigInterface */
+    private $scopeConfig;
+
+    public function __construct(
+        \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
+        \Magento\Framework\App\State $appState
+    ) {
+        $this->scopeConfig = $scopeConfig;
+        $this->appState = $appState;
+    }
+
+    /**
+     * Cron activity.
+     *
+     * @param string $scopeType
+     * @param string $scopeCode
+     * @return bool
+     */
+    public function getCronEnabled($scopeType = AScopeCfg::SCOPE_TYPE_DEFAULT, $scopeCode = null)
+    {
+        $result = $this->getEnabled($scopeType, $scopeCode);
+        if ($result) {
+            $result = $this->scopeConfig->getValue('fl32_csp/cron/enabled', $scopeType, $scopeCode);
+            $result = filter_var($result, FILTER_VALIDATE_BOOLEAN);
+        }
+        return $result;
+    }
+
+    /**
+     * Activity of the module.
+     *
+     * @param string $scopeType
+     * @param string $scopeCode
+     * @return bool
+     */
+    public function getEnabled($scopeType = AScopeCfg::SCOPE_TYPE_DEFAULT, $scopeCode = null)
+    {
+        $result = $this->scopeConfig->getValue('fl32_csp/general/enabled', $scopeType, $scopeCode);
+        $result = filter_var($result, FILTER_VALIDATE_BOOLEAN);
+        return $result;
+    }
+
+    /**
+     * Should new rules be active by default?
+     *
+     * @param string $scopeType
+     * @param string $scopeCode
+     * @return bool
+     */
+    public function getRulesNewAreActive($scopeType = AScopeCfg::SCOPE_TYPE_DEFAULT, $scopeCode = null)
+    {
+        $result = $this->getEnabled($scopeType, $scopeCode);
+        if ($result) {
+            $result = $this->scopeConfig->getValue('fl32_csp/rules/new_rules_active', $scopeType, $scopeCode);
+            $result = filter_var($result, FILTER_VALIDATE_BOOLEAN);
+        }
+        return $result;
+    }
+
+    /**
+     * Use 'Content-Security-Policy-Report-Only' or 'Content-Security-Policy'.
+     *
+     * @param string $scopeType
+     * @param string $scopeCode
+     * @return bool
+     */
+    public function getRulesReportOnly($scopeType = AScopeCfg::SCOPE_TYPE_DEFAULT, $scopeCode = null)
+    {
+        $result = $this->getEnabled($scopeType, $scopeCode);
+        if ($result) {
+            $result = $this->scopeConfig->getValue('fl32_csp/rules/report_only', $scopeType, $scopeCode);
+            $result = filter_var($result, FILTER_VALIDATE_BOOLEAN);
+        }
+        return $result;
+    }
+
+}
@@ -25,21 +25,27 @@ class Db
     ];
     /** @var \Flancer32\Csp\Model\Collector\Db\A\Query\GetRules */
     private $aQGetRules;
+    /** @var \Flancer32\Csp\Helper\Config */
+    private $hlpCfg;
 
     public function __construct(
+        \Flancer32\Csp\Helper\Config $hlpCfg,
         \Flancer32\Csp\Model\Collector\Db\A\Query\GetRules $aQGetRules
     ) {
+        $this->hlpCfg = $hlpCfg;
         $this->aQGetRules = $aQGetRules;
     }
 
     public function collect(array $defaultPolicies = []): array
     {
-        $rules = $this->getRules();
-        foreach ($rules as $rule) {
-            $id = $rule[QGetRules::A_TYPE];
-            $source = $rule[QGetRules::A_SOURCE];
-            $policy = new \Magento\Csp\Model\Policy\FetchPolicy($id, false, [$source]);
-            $defaultPolicies[] = $policy;
+        if ($this->hlpCfg->getEnabled()) {
+            $rules = $this->getRules();
+            foreach ($rules as $rule) {
+                $id = $rule[QGetRules::A_TYPE];
+                $source = $rule[QGetRules::A_SOURCE];
+                $policy = new \Magento\Csp\Model\Policy\FetchPolicy($id, false, [$source]);
+                $defaultPolicies[] = $policy;
+            }
         }
         return $defaultPolicies;
     }
 
@@ -10,6 +10,8 @@
 
 class Render
 {
+    /** @var \Flancer32\Csp\Helper\Config */
+    private $hlpCfg;
     /** @var \Magento\Framework\App\State */
     private $state;
     /** @var \Magento\Backend\Model\Url */
@@ -20,11 +22,13 @@ class Render
     public function __construct(
         \Magento\Framework\App\State $state,
         \Magento\Backend\Model\Url $urlBack,
-        \Magento\Framework\Url $urlFront
+        \Magento\Framework\Url $urlFront,
+        \Flancer32\Csp\Helper\Config $hlpCfg
     ) {
         $this->state = $state;
         $this->urlBack = $urlBack;
         $this->urlFront = $urlFront;
+        $this->hlpCfg = $hlpCfg;
     }
 
     /**
@@ -41,22 +45,38 @@ public function aroundExecute(
     ) {
         // Collect all CSP rules and compose HTTP header.
         $proceed($observer);
-
-        // Setup reporting in HTTP header.
-        /** @var \Magento\Framework\App\Response\HttpInterface $response */
-        $response = $observer->getEvent()->getData('response');
-
-        $uri = $this->getReportUri();
-
-        // 'Report-To' is not widely supported yet, so remove it.
-        // (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
-        $response->clearHeader('Report-To');
-        // TODO: we should get 'Content-Security-Policy-Report-Only' or 'Content-Security-Policy'
-        $cspHeader = $response->getHeader('Content-Security-Policy-Report-Only');
-        $value = $cspHeader->getFieldValue();
-        $value = str_replace('report-to report-endpoint;', '', $value);
-        $value .= " report-uri $uri;";
-        $response->setHeader('Content-Security-Policy-Report-Only', $value);
+        // ... then modify HTTP header
+        if ($this->hlpCfg->getEnabled()) {
+            // Setup reporting in HTTP header.
+            /** @var \Magento\Framework\App\Response\HttpInterface $response */
+            $response = $observer->getEvent()->getData('response');
+            // URI to get CSP violation reports for admin/front areas
+            $uri = $this->getReportUri();
+            // 'Report-To' is not widely supported yet, so remove it. Use 'report-uri' directive instead.
+            // (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
+            $response->clearHeader('Report-To');
+            // Get current CSP header and clear it.
+            $cspHeader = $response->getHeader(Cfg::HTTP_HEAD_CSP_REPORT_ONLY);
+            if ($cspHeader) {
+                $response->clearHeader(Cfg::HTTP_HEAD_CSP_REPORT_ONLY);
+            } else {
+                $cspHeader = $response->getHeader(Cfg::HTTP_HEAD_CSP);
+                $response->clearHeader(Cfg::HTTP_HEAD_CSP);
+            }
+            // Modify CSP header if exists.
+            if ($cspHeader) {
+                $value = $cspHeader->getFieldValue();
+                // use deprecated 'report-uri' instead of 'report-to' because Chrome doesn't work correctly with
+                // new 'report'to' or with both directives.
+                $value = str_replace('report-to report-endpoint;', '', $value);
+                // only one 'report-uri' directive is allowed
+                $pattern = '/report-uri\s*.*;/';
+                $value = preg_replace($pattern, '', $value);
+                $value .= "report-uri $uri;";
+                $header = $this->hlpCfg->getRulesReportOnly() ? Cfg::HTTP_HEAD_CSP_REPORT_ONLY : Cfg::HTTP_HEAD_CSP;
+                $response->setHeader($header, $value);
+            }
+        }
     }
 
     private function getReportUri()