Merge pull request #370 from martijnc/bugfix/369

Fix BC break introduced in 3.5

Author: Seldaek

phpstan-baseline.neon

@@ -71,3 +71,19 @@ parameters:
 			"""
 			count: 1
 			path: tests/Listener/XssProtectionListenerTest.php
+
+		-
+			message: """
+				#^Call to deprecated method getEnforcement\\(\\) of class Nelmio\\\\SecurityBundle\\\\EventListener\\\\ContentSecurityPolicyListener\\:
+				Use `nelmio_security\\.directive_set_builder\\.enforce` instead\\.$#
+			"""
+			count: 1
+			path: tests/Listener/ContentSecurityPolicyListenerTest.php
+
+		-
+			message: """
+				#^Call to deprecated method getReport\\(\\) of class Nelmio\\\\SecurityBundle\\\\EventListener\\\\ContentSecurityPolicyListener\\:
+				Use `nelmio_security\\.directive_set_builder\\.report` instead\\.$#
+			"""
+			count: 1
+			path: tests/Listener/ContentSecurityPolicyListenerTest.php

src/ContentSecurityPolicy/ConfigurationDirectiveSetBuilder.php

@@ -15,20 +15,7 @@
 
 class ConfigurationDirectiveSetBuilder implements DirectiveSetBuilderInterface
 {
-    private PolicyManager $policyManager;
-
-    /**
-     * @phpstan-var array{
-     *       enforce?: array<string, mixed>,
-     *       report?: array<string, mixed>,
-     *   } $config
-     */
-    private array $config;
-
-    /**
-     * @phpstan-var 'enforce'|'report' $kind
-     */
-    private string $kind;
+    private DirectiveSet $directiveSet;
 
     /**
      * @phpstan-param array{
@@ -39,14 +26,12 @@ class ConfigurationDirectiveSetBuilder implements DirectiveSetBuilderInterface
      */
     public function __construct(PolicyManager $policyManager, array $config, string $kind)
     {
-        $this->policyManager = $policyManager;
-        $this->config = $config;
-        $this->kind = $kind;
+        $this->directiveSet = DirectiveSet::fromConfig($policyManager, $config, $kind);
     }
 
     public function buildDirectiveSet(): DirectiveSet
     {
-        return DirectiveSet::fromConfig($this->policyManager, $this->config, $this->kind);
+        return $this->directiveSet;
     }
 
     /**

tests/Listener/ContentSecurityPolicyListenerTest.php

@@ -13,6 +13,7 @@
 
 namespace Nelmio\SecurityBundle\Tests\Listener;
 
+use Nelmio\SecurityBundle\ContentSecurityPolicy\ConfigurationDirectiveSetBuilder;
 use Nelmio\SecurityBundle\ContentSecurityPolicy\DirectiveSet;
 use Nelmio\SecurityBundle\ContentSecurityPolicy\DirectiveSetBuilderInterface;
 use Nelmio\SecurityBundle\ContentSecurityPolicy\NonceGeneratorInterface;
@@ -481,6 +482,42 @@ public function testLegacyConstructorCreatesDirectiveSetBuilder(): void
         $this->assertSame('script-src https://enforce.deprecation-test.example.com', $response->headers->get('Content-Security-Policy'));
     }
 
+    public function testChangesThroughGetReportAreReflectedInTheHeader(): void
+    {
+        $listener = new ContentSecurityPolicyListener(
+            new ConfigurationDirectiveSetBuilder(new PolicyManager(), [], 'report'),
+            new ConfigurationDirectiveSetBuilder(new PolicyManager(), [], 'enforce'),
+            $this->nonceGenerator,
+            $this->shaComputer
+        );
+
+        $report = $listener->getReport();
+        $report->setDirective('script-src', 'https://example.test');
+
+        $response = $this->callListener($listener, '/', true);
+
+        $header = $response->headers->get('Content-Security-Policy-Report-Only');
+        $this->assertSame('script-src https://example.test', $header);
+    }
+
+    public function testChangesThroughGetEnforcementAreReflectedInTheHeader(): void
+    {
+        $listener = new ContentSecurityPolicyListener(
+            new ConfigurationDirectiveSetBuilder(new PolicyManager(), [], 'report'),
+            new ConfigurationDirectiveSetBuilder(new PolicyManager(), [], 'enforce'),
+            $this->nonceGenerator,
+            $this->shaComputer
+        );
+
+        $enforce = $listener->getEnforcement();
+        $enforce->setDirective('script-src', 'https://example.test');
+
+        $response = $this->callListener($listener, '/', true);
+
+        $header = $response->headers->get('Content-Security-Policy');
+        $this->assertSame('script-src https://example.test', $header);
+    }
+
     /**
      * @param array<string, string|true> $directives
      * @param list<string>               $contentTypes