From 3aeef7ebdd4e05e93090dd57573d920481e6b22a Mon Sep 17 00:00:00 2001
From: Sebastian Serth <Sebastian.Serth@hpi.de>
Date: Fri, 13 Oct 2023 13:19:03 +0200
Subject: [PATCH] CSP: Refactor custom settings to ease further expansion

* This change is introduced due to a corresponding change in CodeHarbor to allow SSO there.
---
 .../initializers/content_security_policy.rb   | 35 ++++++++++++-------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 0c979f9f..361a1d6e 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -14,24 +14,33 @@ module CSP
     csp_settings = CodeOcean::Config.new(:content_security_policy)
 
     csp_settings.read.each do |directive, additional_settings|
-      existing_settings = if directive == 'report_uri'
-                            ''
-                          else
-                            policy.public_send(directive) || []
-                          end
-      all_settings = additional_settings
-      all_settings += existing_settings unless existing_settings == ["'none'"]
-      policy.public_send(directive, *all_settings)
+      add_policy(policy, directive, additional_settings)
     end
   end
 
   def self.apply_sentry_settings_for(policy)
-    sentry_domain = URI.parse SentryJavascript.dsn
-    additional_setting = "#{sentry_domain.scheme}://#{sentry_domain.host}"
-    existing_settings = policy.connect_src || []
-    all_settings = existing_settings + [additional_setting]
-    policy.connect_src(*all_settings)
+    sentry_host_source = get_host_source(SentryJavascript.dsn)
+    add_policy(policy, :connect_src, [sentry_host_source])
   end
+
+  def self.add_policy(policy, directive, additional_settings)
+    all_settings = additional_settings
+    existing_settings = if directive == 'report_uri'
+                          ''
+                        else
+                          policy.public_send(directive) || []
+                        end
+    all_settings += existing_settings unless existing_settings == ["'none'"]
+    all_settings.uniq! unless directive == 'report_uri'
+    policy.public_send(directive, *all_settings)
+  end
+  private_class_method :add_policy
+
+  def self.get_host_source(url)
+    uri = URI.parse(url)
+    "#{uri.scheme}://#{uri.host}"
+  end
+  private_class_method :get_host_source
 end
 
 Rails.application.configure do