Move CSP whitelisting to external module

yireo · Aug 23, 2024 · 8f1e36a · 8f1e36a
1 parent 0ef22c6
commit 8f1e36a
Show file tree

Hide file tree

Showing 11 changed files with 48 additions and 205 deletions.
diff --git a/.github/workflows/extdn-integration-tests.yml b/.github/workflows/extdn-integration-tests.yml
@@ -47,3 +47,11 @@ jobs:
         with:
           magento_pre_install_script: .github/workflows/extdn-integration-tests-pre-install.sh
           magento_post_install_script: .github/workflows/extdn-integration-tests-post-install.sh
+
+      - uses: extdn/github-actions-m2/magento-integration-tests/8.3@master
+        env:
+          MAGENTO_VERSION: '2.4.7-p1'
+          COMPOSER_VERSION: 2
+        with:
+          magento_pre_install_script: .github/workflows/extdn-integration-tests-pre-install.sh
+          magento_post_install_script: .github/workflows/extdn-integration-tests-post-install.sh
diff --git a/Observer/FixNonExistingSecureRenderer.php b/Observer/FixNonExistingSecureRenderer.php
diff --git a/Plugin/AddCspInlineScripts.php b/Plugin/AddCspInlineScripts.php
@@ -3,38 +3,24 @@
 namespace Yireo\GoogleTagManager2\Plugin;
 
 use Magento\Framework\View\Element\Template;
-use Yireo\GoogleTagManager2\Util\ScriptFinder;
-use Yireo\GoogleTagManager2\Util\SecureHtmlRendererStub;
+use Yireo\CspUtilities\Util\ReplaceInlineScripts;
 
 class AddCspInlineScripts
 {
-    private ScriptFinder $scriptFinder;
-    private SecureHtmlRendererStub $secureHtmlRendererStub;
+    private ReplaceInlineScripts $replaceInlineScripts;
 
     public function __construct(
-        ScriptFinder $scriptFinder,
-        SecureHtmlRendererStub $secureHtmlRendererStub
+        ReplaceInlineScripts $replaceInlineScripts
     ) {
-        $this->scriptFinder = $scriptFinder;
-        $this->secureHtmlRendererStub = $secureHtmlRendererStub;
+        $this->replaceInlineScripts = $replaceInlineScripts;
     }
 
     public function afterToHtml(Template $block, $html): string
     {
-        if (empty($html)) {
-            return '';
-        }
-
         if (false === strstr((string)$block->getNameInLayout(), 'yireo_googletagmanager2.')) {
             return $html;
         }
 
-        $scripts = $this->scriptFinder->find($html);
-        foreach ($scripts as $fullScript => $inlineJs) {
-            $newScript = $this->secureHtmlRendererStub->renderTag('script', [], $inlineJs, false);
-            $html = str_replace($fullScript, $newScript, $html);
-        }
-
-        return $html;
+        return $this->replaceInlineScripts->replace((string)$html);
     }
 }
diff --git a/Test/Integration/Block/ScriptTest.php b/Test/Integration/Block/ScriptTest.php
@@ -2,6 +2,9 @@
 
 namespace Yireo\GoogleTagManager2\Test\Integration\Block;
 
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\View\Element\Template;
+use Yireo\GoogleTagManager2\DataLayer\Event\BeginCheckout;
 use Yireo\GoogleTagManager2\Test\Integration\PageTestCase;
 use Yireo\IntegrationTestHelper\Test\Integration\Traits\Layout\AssertContainerInLayout;
 
@@ -32,4 +35,25 @@ public function testValidBlockContent()
         $body = $this->getResponse()->getBody(); // @phpstan-ignore-line
         $this->assertTrue((bool)strpos($body, 'yireoGoogleTagManager'), 'Script not found in HTML body: ' . $body);
     }
+
+    /**
+     * @magentoConfigFixture current_store googletagmanager2/settings/enabled 1
+     * @magentoConfigFixture current_store googletagmanager2/settings/method 1
+     * @magentoConfigFixture current_store googletagmanager2/settings/id test
+     */
+    public function testCspNonceInScript()
+    {
+        $this->assertEnabledFlagIsWorking();
+
+        $this->layout->getUpdate()->addPageHandles(['empty', '1column']);
+        $this->layout->generateXml();
+
+        $block = $this->layout->createBlock(Template::class);
+        $block->setNameInLayout('yireo_googletagmanager2.hyva_checkout.data-layer.component');
+        $block->setTemplate('Yireo_GoogleTagManager2::hyva_checkout/data-layer.phtml');
+        $block->setData('begin_checkout_event', ObjectManager::getInstance()->get(BeginCheckout::class));
+
+        $html = $block->toHtml();
+        $this->assertStringContainsString('nonce="', $html);
+    }
 }
diff --git a/Test/Integration/Page/ProductPageTest.php b/Test/Integration/Page/ProductPageTest.php
@@ -22,6 +22,7 @@ class ProductPageTest extends PageTestCase
      * @magentoConfigFixture current_store googletagmanager2/settings/method 1
      * @magentoConfigFixture current_store googletagmanager2/settings/id test
      * @magentoConfigFixture current_store catalog/seo/generate_category_product_rewrites 0
+     * @magentoConfigFixture static_content_on_demand_in_production 1
      * @magentoAppArea frontend
      * @magentoCache full_page disabled
      * @magentoDbIsolation enabled

diff --git a/Test/Unit/Util/ScriptFinderTest.php b/Test/Unit/Util/ScriptFinderTest.php
diff --git a/Util/ScriptFinder.php b/Util/ScriptFinder.php
diff --git a/Util/SecureHtmlRendererStub.php b/Util/SecureHtmlRendererStub.php
diff --git a/composer.json b/composer.json
@@ -19,14 +19,19 @@
     "magento/framework": "^102.0 || ^103.0",
     "magento/module-backend": "^100.0 || ^101.0 || ^102.0",
     "magento/module-catalog": "^100.0 || ^101.0 || ^102.0 || ^103.0 || ^104.0",
+    "magento/module-catalog-search": "^100.0 || ^101.0 || ^102.0",
     "magento/module-checkout": "^100.1",
     "magento/module-config": "^100.0 || ^101.0",
+    "magento/module-configurable-product": "^100.0",
     "magento/module-cookie": "^100.0",
     "magento/module-customer": "^100.0 || ^101.0 || ^102.0 || ^103.0",
     "magento/module-eav": "^100.0 || ^101.0 || ^102.0",
+    "magento/module-payment": "^100.0",
     "magento/module-quote": "^101.0",
     "magento/module-sales": "^100.0 || ^101.0 || ^102.0 || ^103.0",
     "magento/module-store": "^100.0 || ^101.0",
+    "magento/module-tax": "^100.0",
+    "yireo/magento2-csp-utilities": "^1.0",
     "psr/log": "^1 || ^2 || ^3",
     "php": "^7.4|^8.1",
     "ext-json": "*",

diff --git a/etc/frontend/events.xml b/etc/frontend/events.xml
@@ -31,8 +31,4 @@
     <event name="sales_order_place_after">
         <observer name="Yireo_GoogleTagManager2::triggerPurchaseDataLayerEvent" instance="Yireo\GoogleTagManager2\Observer\TriggerPurchaseDataLayerEvent" />
     </event>
-
-    <event name="view_block_abstract_to_html_before">
-        <observer name="Yireo_GoogleTagManager2::fixNonExistingSecureRenderer" instance="Yireo\GoogleTagManager2\Observer\FixNonExistingSecureRenderer" />
-    </event>
 </config>
diff --git a/etc/module.xml b/etc/module.xml
@@ -4,14 +4,19 @@
         <sequence>
             <module name="Magento_Backend"/>
             <module name="Magento_Catalog"/>
+            <module name="Magento_CatalogSearch"/>
             <module name="Magento_Checkout"/>
+            <module name="Magento_ConfigurableProduct"/>
             <module name="Magento_Config"/>
             <module name="Magento_Cookie"/>
             <module name="Magento_Customer"/>
             <module name="Magento_Eav"/>
+            <module name="Magento_Payment"/>
             <module name="Magento_Quote"/>
             <module name="Magento_Sales"/>
             <module name="Magento_Store"/>
+            <module name="Magento_Tax"/>
+            <module name="Yireo_CspUtilities"/>
         </sequence>
     </module>
 </config>