From fe1d41f852caa1c9aa1a4ef6ee55db63393038c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20H=C3=A4rtl?= Date: Fri, 20 May 2022 14:37:29 +0200 Subject: Move remaining policy adjustments to a trait MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julius Härtl --- lib/AppConfig.php | 3 +- lib/Controller/DirectViewController.php | 12 ++------ lib/Controller/DocumentController.php | 51 ++++----------------------------- lib/Controller/DocumentTrait.php | 42 +++++++++++++++++++++++++++ lib/Service/FederationService.php | 4 +-- 5 files changed, 53 insertions(+), 59 deletions(-) create mode 100644 lib/Controller/DocumentTrait.php diff --git a/lib/AppConfig.php b/lib/AppConfig.php index 9cdf0bc4..f8f54f59 100644 --- a/lib/AppConfig.php +++ b/lib/AppConfig.php @@ -134,5 +134,4 @@ class AppConfig { public function getCollaboraUrlInternal(): string { return $this->config->getAppValue(Application::APPNAME, self::WOPI_URL, ''); } - - } +} diff --git a/lib/Controller/DirectViewController.php b/lib/Controller/DirectViewController.php index a36ac287..343cf231 100644 --- a/lib/Controller/DirectViewController.php +++ b/lib/Controller/DirectViewController.php @@ -32,7 +32,6 @@ use OCA\Richdocuments\TokenManager; use OCP\AppFramework\Controller; use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Http; -use OCP\AppFramework\Http\ContentSecurityPolicy; use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\TemplateResponse; @@ -45,6 +44,7 @@ use OCP\ILogger; use OCP\IRequest; class DirectViewController extends Controller { + use DocumentTrait; /** @var IRootFolder */ private $rootFolder; 
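Review bot: The `use DocumentTrait;` added to DirectViewController pulls in code that reads `$this->appConfig` (the trait's `applyPolicies()` calls `$this->appConfig->getCollaboraUrlPublic()`), yet nothing in this hunk or in the trait declares that requirement, so the coupling is invisible at the point of use and a future host class lacking the property only fails at runtime. A one-line comment above the `use` makes the contract explicit, e.g. `/* DocumentTrait::applyPolicies() expects an AppConfig in $this->appConfig */`, or the trait could declare an abstract accessor for it. The class body continues past the end of this hunk.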
@@ -180,10 +180,7 @@ class DirectViewController extends Controller { $this->initialState->provideDocument($wopi); $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); - $policy = new ContentSecurityPolicy(); - $policy->allowInlineScript(true); - $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url')); - $response->setContentSecurityPolicy($policy); + $this->applyPolicies($response); return $response; } catch (\Exception $e) { $this->logger->logException($e); @@ -236,10 +233,7 @@ class DirectViewController extends Controller { $this->initialState->provideDocument($wopi); $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); - $policy = new ContentSecurityPolicy(); - $policy->allowInlineScript(true); - $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url')); - $response->setContentSecurityPolicy($policy); + $this->applyPolicies($response); return $response; } } catch (\Exception $e) { diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php index e70bcae5..399f702e 100644 --- a/lib/Controller/DocumentController.php +++ b/lib/Controller/DocumentController.php @@ -27,8 +27,6 @@ use OCP\Files\NotPermittedException; use \OCP\IRequest; use \OCP\IConfig; use \OCP\ILogger; -use \OCP\AppFramework\Http\ContentSecurityPolicy; -use \OCP\AppFramework\Http\FeaturePolicy; use \OCP\AppFramework\Http\TemplateResponse; use \OCA\Richdocuments\AppConfig; use OCP\ISession; @@ -36,6 +34,7 @@ use OCP\Share\Exceptions\ShareNotFound; use OCP\Share\IManager; class DocumentController extends Controller { + use DocumentTrait; /** @var string */ private $uid; 
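Review bot: Swapping the inline policy for `$this->applyPolicies($response)` changes what this route sends: the removed lines set `frame-src` for `public_wopi_url` and nothing else, whereas the trait introduced by this commit sets no frame domain and additionally emits `X-Frame-Options: ALLOW`, a header DirectViewController never set before. `ALLOW` is not a value defined for that header (only `DENY`, `SAMEORIGIN`, `ALLOW-FROM`), so browsers discard it; the practical effect is presumably to replace Nextcloud's default `SAMEORIGIN` with no X-Frame-Options restriction at all on the direct-view pages. If these pages are intended to be embeddable by the clients, state that next to the call, e.g. `// direct-view pages are framed by the mobile/desktop clients; framing is governed by CSP, see DocumentTrait`; if not, the header belongs only on the public-share route. The enclosing method starts before this hunk.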
@@ -134,37 +133,6 @@ class DocumentController extends Controller { ]; } - /** - * Strips the path and query parameters from the URL. - * - * @param string $url - * @return string - */ - private function domainOnly($url) { - $parsed_url = parse_url($url); - $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : ''; - $host = isset($parsed_url['host']) ? $parsed_url['host'] : ''; - $port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : ''; - return "$scheme$host$port"; - } - - /** - * Setup policy headers for the response - */ - private function setupPolicy($response) { - $wopiDomain = $this->domainOnly($this->appConfig->getAppValue('public_wopi_url')); - - $policy = new ContentSecurityPolicy(); - $policy->addAllowedFrameDomain($wopiDomain); - $policy->allowInlineScript(true); - $policy->addAllowedFormActionDomain($wopiDomain); - $response->setContentSecurityPolicy($policy); - - $featurePolicy = new FeaturePolicy(); - $featurePolicy->addAllowedFullScreenDomain($wopiDomain); - $response->setFeaturePolicy($featurePolicy); - } - /** * @NoAdminRequired * @@ -230,7 +198,7 @@ class DocumentController extends Controller { $this->initialState->provideDocument($wopi); $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); - $this->setupPolicy($response); + $this->applyPolicies($response); return $response; } catch (\Exception $e) { $this->logger->logException($e, ['app' => 'richdocuments']); @@ -289,7 +257,7 @@ class DocumentController extends Controller { $this->initialState->provideDocument($wopi); $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); - $this->setupPolicy($response); + $this->applyPolicies($response); return $response; } 
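Review bot: The removed `setupPolicy()` granted both `frame-src` and `form-action` to the Collabora host (`addAllowedFrameDomain($wopiDomain)`, `addAllowedFormActionDomain($wopiDomain)`), but the `applyPolicies()` that now replaces it (added in this commit) only calls `allowInlineScript(true)`, so the authenticated document route loses both directives unless they are contributed elsewhere, for instance by a global CSP listener. If the editor is launched by POSTing the access token into the iframe, a missing `form-action` blocks that submit outright. Either restore `$policy->addAllowedFrameDomain($collaboraHost);` and `$policy->addAllowedFormActionDomain($collaboraHost);` where the policy is built, or leave a comment there naming where those directives now come from. The two later hunks on this line only swap the call site and inherit the same gap.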
@@ -348,7 +316,7 @@ class DocumentController extends Controller { $this->initialState->provideDocument($wopi); $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); - $this->setupPolicy($response); + $this->applyPolicies($response); return $response; } } catch (\Exception $e) { @@ -421,16 +389,7 @@ class DocumentController extends Controller { $this->initialState->provideDocument($wopi); $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); - $remoteWopi = $this->domainOnly($this->appConfig->getAppValue('wopi_url')); - $policy = new ContentSecurityPolicy(); - $policy->addAllowedFrameDomain($remoteWopi); - $policy->allowInlineScript(true); - $policy->addAllowedFrameAncestorDomain('https://*'); - $response->setContentSecurityPolicy($policy); - $featurePolicy = new FeaturePolicy(); - $featurePolicy->addAllowedFullScreenDomain($remoteWopi); - $response->setFeaturePolicy($featurePolicy); - $response->addHeader('X-Frame-Options', 'ALLOW'); + $this->applyPolicies($response); return $response; } } catch (ShareNotFound $e) { diff --git a/lib/Controller/DocumentTrait.php b/lib/Controller/DocumentTrait.php new file mode 100644 index 00000000..992bbad9 --- /dev/null +++ b/lib/Controller/DocumentTrait.php 
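Review bot: The public-share route drops `frame-ancestors https://*` here, and the trait that replaces the removed block sets no frame-ancestors at all, so unless a listener now adds it this response falls back to Nextcloud's default `frame-ancestors 'self'` and can no longer be embedded by a remote (federated) instance; the `X-Frame-Options: ALLOW` header that accompanied it survives in the trait but is now sent on every route. If tightening this is intentional it is a behaviour change that deserves a sentence in the commit message; if not, the route needs `$policy->addAllowedFrameAncestorDomain(...)` after `applyPolicies()`, and since `https://*` allowed any site to frame the editor (a clickjacking surface), restricting it to the trusted federation servers would be the safer restoration. The enclosing method begins before this hunk.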
@@ -0,0 +1,42 @@ +domainOnly($this->appConfig->getCollaboraUrlPublic()); + + // FIXME We can skip inline source once templates/documents.php is migrated to IInitialState + $policy = new ContentSecurityPolicy(); + $policy->allowInlineScript(true); + $response->setContentSecurityPolicy($policy); + + $featurePolicy = new FeaturePolicy(); + $featurePolicy->addAllowedFullScreenDomain($collaboraHost); + $response->setFeaturePolicy($featurePolicy); + + $response->addHeader('X-Frame-Options', 'ALLOW'); + } + + /** + * Strips the path and query parameters from the URL. + * + * @param string $url + * @return string + */ + private function domainOnly(string $url): string { + $parsed_url = parse_url($url); + $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : ''; + $host = isset($parsed_url['host']) ? $parsed_url['host'] : ''; + $port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : ''; + return "$scheme$host$port"; + } +} diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php index 9716229f..5d00c5e6 100644 --- a/lib/Service/FederationService.php +++ b/lib/Service/FederationService.php @@ -1,4 +1,5 @@ trustedServers->getServers()); } -- cgit v1.2.3
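Review bot: `applyPolicies()` computes `$collaboraHost` but uses it only for the fullscreen feature policy; the ContentSecurityPolicy it builds carries no `frame-src` or `form-action` entry for that host, although both `setupPolicy()` and the DirectViewController code this trait replaces added one. If that is deliberate because a CSP listener now injects the Collabora origin globally, say so where the policy is built, e.g. `// frame-src/form-action for the Collabora host come from the global CSP listener; only inline script is needed here`; otherwise the editor iframe is blocked by the default `frame-src 'self'`. Two smaller points: `getCollaboraUrlPublic()` can be empty on an unconfigured instance, in which case `domainOnly('')` yields `''` and `addAllowedFullScreenDomain('')` adds an empty allow-list entry, so a guard like `if ($collaboraHost !== '')` is cheap; and `X-Frame-Options: ALLOW` is not a value browsers recognise, so the header is discarded rather than granting anything. The beginning of the file (namespace, imports and the trait/method declarations) is not visible in this extract.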