2016-01-28 08:33:02 -05:00
|
|
|
<?php
|
2019-12-03 13:57:53 -05:00
|
|
|
|
2018-03-05 09:27:05 -05:00
|
|
|
declare(strict_types=1);
|
2019-12-03 13:57:53 -05:00
|
|
|
|
2016-01-28 08:33:02 -05:00
|
|
|
/**
|
2024-05-23 03:26:56 -04:00
|
|
|
* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
|
|
|
|
|
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
|
|
|
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
2016-01-28 08:33:02 -05:00
|
|
|
*/
|
|
|
|
|
namespace OC\Security\CSP;
|
|
|
|
|
|
|
|
|
|
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
|
|
|
|
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
2019-05-24 15:42:37 -04:00
|
|
|
use OCP\EventDispatcher\IEventDispatcher;
|
|
|
|
|
use OCP\Security\CSP\AddContentSecurityPolicyEvent;
|
2016-01-28 08:33:02 -05:00
|
|
|
use OCP\Security\IContentSecurityPolicyManager;
|
|
|
|
|
|
|
|
|
|
class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
|
|
|
|
|
/** @var ContentSecurityPolicy[] */
|
2023-06-26 05:58:09 -04:00
|
|
|
private array $policies = [];
|
2016-01-28 08:33:02 -05:00
|
|
|
|
2023-06-26 05:58:09 -04:00
|
|
|
public function __construct(
|
|
|
|
|
private IEventDispatcher $dispatcher,
|
|
|
|
|
) {
|
2019-05-24 15:42:37 -04:00
|
|
|
}
|
|
|
|
|
|
2016-01-28 08:33:02 -05:00
|
|
|
/** {@inheritdoc} */
|
2023-06-26 05:58:09 -04:00
|
|
|
public function addDefaultPolicy(EmptyContentSecurityPolicy $policy): void {
|
2016-01-28 08:33:02 -05:00
|
|
|
$this->policies[] = $policy;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get the configured default policy. This is not in the public namespace
|
|
|
|
|
* as it is only supposed to be used by core itself.
|
|
|
|
|
*/
|
2018-03-05 09:27:05 -05:00
|
|
|
public function getDefaultPolicy(): ContentSecurityPolicy {
|
2019-05-24 15:42:37 -04:00
|
|
|
$event = new AddContentSecurityPolicyEvent($this);
|
2020-08-10 08:29:21 -04:00
|
|
|
$this->dispatcher->dispatchTyped($event);
|
2019-05-24 15:42:37 -04:00
|
|
|
|
2016-01-28 08:33:02 -05:00
|
|
|
$defaultPolicy = new \OC\Security\CSP\ContentSecurityPolicy();
|
|
|
|
|
foreach ($this->policies as $policy) {
|
|
|
|
|
$defaultPolicy = $this->mergePolicies($defaultPolicy, $policy);
|
|
|
|
|
}
|
|
|
|
|
return $defaultPolicy;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Merges the first given policy with the second one
|
|
|
|
|
*/
|
2023-06-26 05:58:09 -04:00
|
|
|
public function mergePolicies(
|
|
|
|
|
ContentSecurityPolicy $defaultPolicy,
|
|
|
|
|
EmptyContentSecurityPolicy $originalPolicy,
|
|
|
|
|
): ContentSecurityPolicy {
|
2016-01-28 08:33:02 -05:00
|
|
|
foreach ((object)(array)$originalPolicy as $name => $value) {
|
|
|
|
|
$setter = 'set' . ucfirst($name);
|
2018-03-05 09:27:05 -05:00
|
|
|
if (\is_array($value)) {
|
2016-01-28 08:33:02 -05:00
|
|
|
$getter = 'get' . ucfirst($name);
|
2018-03-05 09:27:05 -05:00
|
|
|
$currentValues = \is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : [];
|
2016-01-28 08:33:02 -05:00
|
|
|
$defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value))));
|
2018-03-05 09:27:05 -05:00
|
|
|
} elseif (\is_bool($value)) {
|
2022-04-01 07:56:15 -04:00
|
|
|
$getter = 'is' . ucfirst($name);
|
|
|
|
|
$currentValue = $defaultPolicy->$getter();
|
|
|
|
|
// true wins over false
|
|
|
|
|
if ($value > $currentValue) {
|
|
|
|
|
$defaultPolicy->$setter($value);
|
|
|
|
|
}
|
2016-01-28 08:33:02 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $defaultPolicy;
|
|
|
|
|
}
|
|
|
|
|
}
|
