
github.com/nextcloud/richdocuments.git - Unnamed repository; edit this file 'description' to name the repository.
authorJulius Härtl <jus@bitgrid.net>2022-05-20 15:37:29 +0300
committerJulius Härtl <jus@bitgrid.net>2022-05-20 18:17:06 +0300
commitfe1d41f852caa1c9aa1a4ef6ee55db63393038c4 (patch)
tree3e9502f3303b8f0fe60d73ab5b53454c7e312e39
parent9e3447f850c2a56f6a66ea483723d72ff8150c4a (diff)
Move remaining policy adjustments to a traitbugfix/noid/csp-reload
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r--lib/AppConfig.php3
-rw-r--r--lib/Controller/DirectViewController.php12
-rw-r--r--lib/Controller/DocumentController.php51
-rw-r--r--lib/Controller/DocumentTrait.php42
-rw-r--r--lib/Service/FederationService.php4
5 files changed, 53 insertions, 59 deletions
diff --git a/lib/AppConfig.php b/lib/AppConfig.php
index 9cdf0bc4..f8f54f59 100644
--- a/lib/AppConfig.php
+++ b/lib/AppConfig.php
@@ -134,5 +134,4 @@ class AppConfig {
public function getCollaboraUrlInternal(): string {
return $this->config->getAppValue(Application::APPNAME, self::WOPI_URL, '');
}
-
- }
+}
diff --git a/lib/Controller/DirectViewController.php b/lib/Controller/DirectViewController.php
index a36ac287..343cf231 100644
--- a/lib/Controller/DirectViewController.php
+++ b/lib/Controller/DirectViewController.php
@@ -32,7 +32,6 @@ use OCA\Richdocuments\TokenManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Http;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse;
@@ -45,6 +44,7 @@ use OCP\ILogger;
use OCP\IRequest;
class DirectViewController extends Controller {
+ use DocumentTrait;
/** @var IRootFolder */
private $rootFolder;
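Review bot: `use DocumentTrait;` brings in a contract that is not documented anywhere: the trait declares `private $appConfig;` and reads it in `applyPolicies()`, so this class must assign an AppConfig instance to that property. The same holds for `DocumentController`, which gains the same `use` line in its own hunk. The class's property declarations and constructor are outside the hunk, so whether it also declares `$appConfig` cannot be confirmed from here; PHP accepts a same-named property in a class and a trait only when the two declarations are compatible. I would document the expectation on the trait property, for example `/** @var \OCA\Richdocuments\AppConfig assigned by the consuming controller's constructor */`.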
@@ -180,10 +180,7 @@ class DirectViewController extends Controller {
$this->initialState->provideDocument($wopi);
$response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->allowInlineScript(true);
- $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url'));
- $response->setContentSecurityPolicy($policy);
+ $this->applyPolicies($response);
return $response;
} catch (\Exception $e) {
$this->logger->logException($e);
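Review bot: After this replacement the response no longer sets an explicit frame allowance for the Collabora host. The removed lines called `addAllowedFrameDomain()`, while `applyPolicies()` as added in this commit only enables inline script, sets the fullscreen feature policy and adds an `X-Frame-Options` header. The commit title suggests the frame allowance now comes from elsewhere, but that code is not in this diff, so it is worth confirming that it exists and that it passes an origin-only value rather than the full configured URL, as the old line here did. The same applies to the second call site in this file and to the three `setupPolicy()` replacements in `DocumentController`, which also lose `addAllowedFormActionDomain()`. A comment at the call, such as `// frame-src and form-action for Collabora are added by <central CSP hook>`, would make the dependency visible; the enclosing method starts and ends outside the hunk.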
@@ -236,10 +233,7 @@ class DirectViewController extends Controller {
$this->initialState->provideDocument($wopi);
$response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->allowInlineScript(true);
- $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url'));
- $response->setContentSecurityPolicy($policy);
+ $this->applyPolicies($response);
return $response;
}
} catch (\Exception $e) {
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index e70bcae5..399f702e 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -27,8 +27,6 @@ use OCP\Files\NotPermittedException;
use \OCP\IRequest;
use \OCP\IConfig;
use \OCP\ILogger;
-use \OCP\AppFramework\Http\ContentSecurityPolicy;
-use \OCP\AppFramework\Http\FeaturePolicy;
use \OCP\AppFramework\Http\TemplateResponse;
use \OCA\Richdocuments\AppConfig;
use OCP\ISession;
@@ -36,6 +34,7 @@ use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
class DocumentController extends Controller {
+ use DocumentTrait;
/** @var string */
private $uid;
@@ -135,37 +134,6 @@ class DocumentController extends Controller {
}
/**
- * Strips the path and query parameters from the URL.
- *
- * @param string $url
- * @return string
- */
- private function domainOnly($url) {
- $parsed_url = parse_url($url);
- $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : '';
- $host = isset($parsed_url['host']) ? $parsed_url['host'] : '';
- $port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : '';
- return "$scheme$host$port";
- }
-
- /**
- * Setup policy headers for the response
- */
- private function setupPolicy($response) {
- $wopiDomain = $this->domainOnly($this->appConfig->getAppValue('public_wopi_url'));
-
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($wopiDomain);
- $policy->allowInlineScript(true);
- $policy->addAllowedFormActionDomain($wopiDomain);
- $response->setContentSecurityPolicy($policy);
-
- $featurePolicy = new FeaturePolicy();
- $featurePolicy->addAllowedFullScreenDomain($wopiDomain);
- $response->setFeaturePolicy($featurePolicy);
- }
-
- /**
* @NoAdminRequired
*
* @param string $fileId
@@ -230,7 +198,7 @@ class DocumentController extends Controller {
$this->initialState->provideDocument($wopi);
$response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $this->setupPolicy($response);
+ $this->applyPolicies($response);
return $response;
} catch (\Exception $e) {
$this->logger->logException($e, ['app' => 'richdocuments']);
@@ -289,7 +257,7 @@ class DocumentController extends Controller {
$this->initialState->provideDocument($wopi);
$response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $this->setupPolicy($response);
+ $this->applyPolicies($response);
return $response;
}
@@ -348,7 +316,7 @@ class DocumentController extends Controller {
$this->initialState->provideDocument($wopi);
$response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $this->setupPolicy($response);
+ $this->applyPolicies($response);
return $response;
}
} catch (\Exception $e) {
@@ -421,16 +389,7 @@ class DocumentController extends Controller {
$this->initialState->provideDocument($wopi);
$response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $remoteWopi = $this->domainOnly($this->appConfig->getAppValue('wopi_url'));
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($remoteWopi);
- $policy->allowInlineScript(true);
- $policy->addAllowedFrameAncestorDomain('https://*');
- $response->setContentSecurityPolicy($policy);
- $featurePolicy = new FeaturePolicy();
- $featurePolicy->addAllowedFullScreenDomain($remoteWopi);
- $response->setFeaturePolicy($featurePolicy);
- $response->addHeader('X-Frame-Options', 'ALLOW');
+ $this->applyPolicies($response);
return $response;
}
} catch (ShareNotFound $e) {
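Review bot: This call site loses two things that the shared helper does not replace: `addAllowedFrameAncestorDomain('https://*')`, and the use of `wopi_url` rather than the public Collabora URL as the allowed origin. If this page must still be embeddable from another instance, the ancestor allowance now has to come from code outside this diff. If it is reinstated, limiting it to the configured trusted servers would be tighter than the old `https://*` wildcard. A one-line comment such as `// frame-ancestors for remote embedding: see <where it is set>` would record the intent; the enclosing method starts and ends outside the hunk.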
diff --git a/lib/Controller/DocumentTrait.php b/lib/Controller/DocumentTrait.php
new file mode 100644
index 00000000..992bbad9
--- /dev/null
+++ b/lib/Controller/DocumentTrait.php
@@ -0,0 +1,42 @@
+<?php
+
+namespace OCA\Richdocuments\Controller;
+
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\AppFramework\Http\FeaturePolicy;
+
+trait DocumentTrait {
+ private $appConfig;
+
+ /**
+ * Setup policy headers for the response
+ */
+ private function applyPolicies($response) {
+ $collaboraHost = $this->domainOnly($this->appConfig->getCollaboraUrlPublic());
+
+ // FIXME We can skip inline source once templates/documents.php is migrated to IInitialState
+ $policy = new ContentSecurityPolicy();
+ $policy->allowInlineScript(true);
+ $response->setContentSecurityPolicy($policy);
+
+ $featurePolicy = new FeaturePolicy();
+ $featurePolicy->addAllowedFullScreenDomain($collaboraHost);
+ $response->setFeaturePolicy($featurePolicy);
+
+ $response->addHeader('X-Frame-Options', 'ALLOW');
+ }
+
+ /**
+ * Strips the path and query parameters from the URL.
+ *
+ * @param string $url
+ * @return string
+ */
+ private function domainOnly(string $url): string {
+ $parsed_url = parse_url($url);
+ $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : '';
+ $host = isset($parsed_url['host']) ? $parsed_url['host'] : '';
+ $port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : '';
+ return "$scheme$host$port";
+ }
+}
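Review bot: `$response->addHeader('X-Frame-Options', 'ALLOW');` in `applyPolicies()` sends a value the header does not define (the defined values are `DENY` and `SAMEORIGIN`). Because it now sits in the shared helper, it goes out on every document response instead of only the one remote endpoint that set it before. Browsers are expected to ignore an unrecognised value, so the line gives no framing protection and, depending on how headers are merged, may replace a stricter default; framing is better governed by the CSP `frame-ancestors` directive. I would drop the line from the trait, or keep it only at the call site that needs cross-origin embedding, with a comment saying why. Separately, `domainOnly()` returns an empty string when `parse_url()` finds no scheme or host, and that value is passed to `addAllowedFullScreenDomain()`; wrapping that call in `if ($collaboraHost !== '') { ... }` would avoid emitting an empty source.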
diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php
index 9716229f..5d00c5e6 100644
--- a/lib/Service/FederationService.php
+++ b/lib/Service/FederationService.php
@@ -1,4 +1,5 @@
<?php
+
declare(strict_types=1);
/**
@@ -78,7 +79,6 @@ class FederationService {
} catch (ContainerExceptionInterface $e) {
} catch (AutoloadNotAllowedException $e) {
}
-
}
public function getTrustedServers(): array {
@@ -86,7 +86,7 @@ class FederationService {
return [];
}
- return array_map(function(array $server) {
+ return array_map(function (array $server) {
return $server['url'];
}, $this->trustedServers->getServers());
}