Adding an IContentSecurityPolicyProvider to allow tenant admin login

Lombiq.Hosting.Tenants.Admin.Login/Filters/TenantsIndexFilter.cs

@@ -38,18 +38,11 @@ public TenantsIndexFilter(
 
     public async Task OnResultExecutionAsync(ResultExecutingContext context, ResultExecutionDelegate next)
     {
-        var actionRouteController = context.ActionDescriptor.RouteValues["Controller"];
-        var actionRouteArea = context.ActionDescriptor.RouteValues["Area"];
-        var actionRouteValue = context.ActionDescriptor.RouteValues["Action"];
-
-        if (actionRouteController == typeof(AdminController).ControllerName() &&
-            actionRouteArea == $"{nameof(OrchardCore)}.{nameof(OrchardCore.Tenants)}" &&
-            actionRouteValue is nameof(AdminController.Edit) &&
+        if (IsTenantsEditAction(context) &&
             context.Result is ViewResult &&
             await _authorizationService.AuthorizeAsync(
                 _hca.HttpContext.User,
-                TenantAdminPermissions.LoginAsAdmin)
-            )
+                TenantAdminPermissions.LoginAsAdmin))
         {
             var shellSettings = _shellHost.GetSettings(context.RouteData.Values["Id"].ToString());
             if (shellSettings != null &&
@@ -70,4 +63,9 @@ await contentZone.AddAsync(
 
         await next();
     }
+
+    public static bool IsTenantsEditAction(ActionContext context) =>
+        context.ActionDescriptor.RouteValues["Controller"] == typeof(AdminController).ControllerName() &&
+        context.ActionDescriptor.RouteValues["Area"] == $"{nameof(OrchardCore)}.{nameof(OrchardCore.Tenants)}" &&
+        context.ActionDescriptor.RouteValues["Action"] is nameof(AdminController.Edit);
 }

Lombiq.Hosting.Tenants.Admin.Login/Services/TenantLoginSecurityPolicyProvider.cs

@@ -0,0 +1,40 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Lombiq.Hosting.Tenants.Admin.Login.Filters;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Infrastructure;
+using OrchardCore.Environment.Shell;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+namespace Lombiq.Hosting.Tenants.Admin.Login.Services;
+
+internal sealed class TenantLoginSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+    private readonly IActionContextAccessor _actionContextAccessor;
+    private readonly IShellHost _shellHost;
+
+    public TenantLoginSecurityPolicyProvider(IActionContextAccessor actionContextAccessor, IShellHost shellHost)
+    {
+        _actionContextAccessor = actionContextAccessor;
+        _shellHost = shellHost;
+    }
+
+    public ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+    {
+        var actionContext = _actionContextAccessor.ActionContext;
+
+        if (!TenantsIndexFilter.IsTenantsEditAction(actionContext))
+        {
+            return ValueTask.CompletedTask;
+        }
+
+        var shellName = actionContext.RouteData.Values["Id"].ToString();
+
+        if (_shellHost.TryGetSettings(shellName, out var shellSettings))
+        {
+            CspHelper.MergeValues(securityPolicies, ContentSecurityPolicyDirectives.FormAction, shellSettings.RequestUrlHosts);
+        }
+
+        return ValueTask.CompletedTask;
+    }
+}

Lombiq.Hosting.Tenants.Admin.Login/Startup.cs

@@ -17,5 +17,6 @@ public override void ConfigureServices(IServiceCollection services)
         services.Configure<MvcOptions>(options => options.Filters.Add(typeof(TenantsIndexFilter)));
         services.AddScoped<IPermissionProvider, TenantAdminPermissions>();
         services.AddSingleton<ITenantLoginPasswordValidator, TenantLoginKeyValidator>();
+        services.AddContentSecurityPolicyProvider<TenantLoginSecurityPolicyProvider>();
     }
 }