A couple more CSP enhancements (#2530)

- Configure object-src for Knitr tests and remove exclusion from `CspLogUtil`
- Add regression test for script nonce in report webpart (`AbstractKnitrReportTest`)
- Remove redundant methods from `PortalHelper`
- Move some methods from `WikiHelper` to `wiki.EditPage`

Author: labkey-tchad

data/reports/knitr_no_scriptpad.rhtml

@@ -93,5 +93,11 @@ end.rcode-->
 <p>Well, everything seems to be working. Let's ask R what is the
     value of &pi;? Of course it is <!--rinline pi -->.</p>
 
+<span>Nonce check: <span id="nonce-check-result">FAIL</span></span>
+
+<script>
+    document.getElementById('nonce-check-result').innerText = "SUCCESS";
+</script>
+
 </body>
 </html>

data/reports/knitr_no_scriptpad.rmd

@@ -113,6 +113,12 @@ library(knitr)
 knit('knitr-minimal.Rmd')
 ```
 
+<span>Nonce check: <span id="nonce-check-result">FAIL</span></span>
+
+<script>
+    document.getElementById('nonce-check-result').innerText = "SUCCESS";
+</script>
+
 ## Conclusion
 
 Markdown is super easy to write. Go to **knitr** [homepage](http://yihui.name/knitr) for details.

data/reports/nonce_check.rhtml

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Test script nonce in Knitr HTML</title>
+</head>
+<body>
+
+<span>Nonce check: <span id="nonce-check-result">FAIL</span></span>
+
+<script>
+    document.getElementById('nonce-check-result').innerText = "SUCCESS";
+</script>
+
+</body>
+</html>

modules/scriptpad/resources/reports/schemas/script_rhtml.rhtml

@@ -87,5 +87,11 @@ end.rcode-->
 <p>Well, everything seems to be working. Let's ask R what is the
     value of &pi;? Of course it is <!--rinline pi -->.</p>
 
+<span>Nonce check: <span id="nonce-check-result">FAIL</span></span>
+
+<script>
+    document.getElementById('nonce-check-result').innerText = "SUCCESS";
+</script>
+
 </body>
 </html>

modules/scriptpad/resources/reports/schemas/script_rmd.rmd

@@ -108,6 +108,12 @@ library(knitr)
 knit('knitr-minimal.Rmd')
 ```
 
+<span>Nonce check: <span id="nonce-check-result">FAIL</span></span>
+
+<script>
+    document.getElementById('nonce-check-result').innerText = "SUCCESS";
+</script>
+
 ## Conclusion
 
 Markdown is super easy to write. Go to **knitr** [homepage](http://yihui.name/knitr) for details.

src/org/labkey/test/TestFileUtils.java

@@ -109,7 +109,7 @@ public static String getFileContents(Path path)
     {
         try
         {
-            return new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
+            return Files.readString(path);
         }
         catch (IOException fail)
         {
@@ -306,7 +306,7 @@ public static Set<File> getSampleDataDirs()
             if (sampledataDirsFile.exists())
             {
                 String path = getFileContents(sampledataDirsFile);
-                _sampledataDirs.addAll(Arrays.stream(path.split(";")).map(File::new).collect(Collectors.toList()));
+                _sampledataDirs.addAll(Arrays.stream(path.split(";")).map(File::new).toList());
             }
             else
             {
@@ -317,7 +317,7 @@ public static Set<File> getSampleDataDirs()
                     // We know where the modules live; no reason to insist that sampledata.dirs exists.
                     Files.walkFileTree(modulesDir, Collections.emptySet(), 2, new SimpleFileVisitor<>(){
                         @Override
-                        public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException
+                        public @NotNull FileVisitResult preVisitDirectory(@NotNull Path dir, @NotNull BasicFileAttributes attrs)
                         {
                             if (dir.equals(modulesDir))
                             {

src/org/labkey/test/pages/admin/ExternalSourcesPage.java

@@ -207,6 +207,7 @@ public enum Directive implements OptionSelect.SelectOption
         Frame("frame-src"),
         Image("image-src"),
         Style("style-src"),
+        Object("object-src"),
         ;
 
         private final String directiveId;

src/org/labkey/test/pages/reports/ScriptReportPage.java

@@ -11,12 +11,14 @@
 import org.labkey.test.pages.LabKeyPage;
 import org.labkey.test.util.CodeMirrorHelper;
 import org.labkey.test.util.Ext4Helper;
+import org.labkey.test.util.PipelineStatusTable;
 import org.labkey.test.util.TestLogger;
 import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.ui.ExpectedConditions;
 
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 
 import static org.labkey.test.components.ext4.Checkbox.Ext4Checkbox;
@@ -79,13 +81,19 @@ public CodeMirrorHelper getEditor()
 
     public String saveReport(String name, boolean isSaveAs, int wait)
     {
+        String reportIdBeforeSave = getReportId();
         WebElement saveButton = Ext4Helper.Locators.ext4Button(isSaveAs ? "Save As" : "Save").findElement(getDriver());
         scrollIntoView(saveButton, true);
         clickAndWait(saveButton, wait);
         if (null != name)
         {
             saveReportWithName(name, isSaveAs);
         }
+        return Objects.requireNonNullElse(getReportId(), reportIdBeforeSave);
+    }
+
+    public String getReportId()
+    {
         return getUrlParam("reportId", true);
     }
 
@@ -141,6 +149,7 @@ public void clearOption(ReportOption option)
 
     private void _selectOption(ReportOption option, boolean checked)
     {
+        clickSourceTab();
         ensureFieldSetExpanded(option.getSection());
         Checkbox checkbox;
         if (option.isCheckbox())
@@ -202,6 +211,17 @@ public WebElement findReportElement()
         return Locator.byClass("reportView").findElement(getDriver());
     }
 
+    public void startPipelineJobAndWait()
+    {
+        clickReportTab();
+
+        waitAndClick(Locator.lkButton("Start Job"));
+        waitAndClickAndWait(Locator.linkWithText("click here"));
+        new PipelineStatusTable(this)
+            .clickStatusLink(0)
+            .waitForComplete();
+    }
+
     @Override
     protected ElementCache newElementCache()
     {

src/org/labkey/test/pages/wiki/EditPage.java

@@ -100,10 +100,48 @@ public EditPage setTitle(String title)
 
     public EditPage setBody(String body)
     {
+        switchWikiToSourceView();
         elementCache().bodyTextArea.set(body);
         return this;
     }
 
+    /**
+     * Switches the wiki edit page to source view when the format type is HTML.
+     */
+    public void switchWikiToSourceView()
+    {
+        String curFormat = executeScript("return LABKEY._wiki.getProps().rendererType;", String.class);
+        if (curFormat.equalsIgnoreCase("HTML"))
+        {
+            if (isElementPresent(Locator.css("#wiki-tab-source.labkey-tab-inactive")))
+            {
+                Locator tab = Locator.css("#wiki-tab-source > a");
+                waitForElementToBeVisible(tab);
+                click(tab);
+                waitForElement(Locator.css("#wiki-tab-source.labkey-tab-active"));
+            }
+        }
+    }
+
+    public void switchWikiToVisualView()
+    {
+        String curFormat = (String) executeScript("return LABKEY._wiki.getProps().rendererType;");
+        if (curFormat.equalsIgnoreCase("HTML"))
+        {
+            if (isElementPresent(Locator.css("#wiki-tab-visual.labkey-tab-inactive")))
+            {
+                Locator tab = Locator.css("#wiki-tab-visual > a");
+                waitForElementToBeVisible(tab);
+                click(tab);
+
+                Locator yesButton = Locator.tagWithText("span","Yes");
+                waitForElementToBeVisible(yesButton);
+                waitAndClick(yesButton);
+                waitForElement(Locator.css("#wiki-tab-visual.labkey-tab-active"));
+            }
+        }
+    }
+
     public EditPage setShouldIndex(boolean shouldIndex)
     {
         elementCache().shouldIndexCheckbox.set(shouldIndex);

src/org/labkey/test/tests/AbstractKnitrReportTest.java

@@ -17,6 +17,7 @@
 
 import org.junit.Assume;
 import org.junit.BeforeClass;
+import org.junit.Test;
 import org.labkey.remoteapi.CommandException;
 import org.labkey.test.BaseWebDriverTest;
 import org.labkey.test.Locator;
@@ -25,12 +26,16 @@
 import org.labkey.test.pages.admin.ExternalSourcesPage;
 import org.labkey.test.pages.core.admin.logger.ManagerPage;
 import org.labkey.test.pages.reports.ManageViewsPage;
+import org.labkey.test.pages.reports.ScriptReportPage;
+import org.labkey.test.pages.reports.ScriptReportPage.StandardReportOption;
 import org.labkey.test.util.CodeMirrorHelper;
+import org.labkey.test.util.CspLogUtil;
 import org.labkey.test.util.Log4jUtils;
 import org.labkey.test.util.LogMethod;
 import org.labkey.test.util.LoggedParam;
 import org.labkey.test.util.PortalHelper;
 import org.labkey.test.util.RReportHelper;
+import org.labkey.test.util.WikiHelper;
 import org.labkey.test.util.core.admin.CspConfigHelper;
 import org.openqa.selenium.WebElement;
 
@@ -54,6 +59,10 @@ public abstract class AbstractKnitrReportTest extends BaseWebDriverTest
     protected static final Path rmdReport_no_scriptpad = TestFileUtils.getSampleData("reports/knitr_no_scriptpad.rmd").toPath();
     private static final Path rhtmlReport = scriptpadReports.resolve("script_rhtml.rhtml");
     private static final Path rhtmlReport_no_scriptpad = TestFileUtils.getSampleData("reports/knitr_no_scriptpad.rhtml").toPath();
+    private static final Path rhtmlNonceCheck = TestFileUtils.getSampleData("reports/nonce_check.rhtml").toPath();
+    private static final Locator.XPathLocator nonceCheckLoc = Locator.id("nonce-check-result");
+    private static final Locator.XPathLocator nonceCheckSuccessLoc = nonceCheckLoc.withText("SUCCESS");
+
     protected final RReportHelper _rReportHelper = new RReportHelper(this);
 
     private static String readReport(final Path reportFile)
@@ -81,6 +90,7 @@ protected void setupProject()
         try
         {
             new CspConfigHelper(this).setAllowedHosts(Map.of(
+                ExternalSourcesPage.Directive.Object, List.of("'self'"), // Issue 53226: reports-streamFile is blocked by object-src CSP directive
                 ExternalSourcesPage.Directive.Style, List.of("https://cdn.datatables.net"),
                 ExternalSourcesPage.Directive.Font, List.of("https://mathjax.rstudio.com")));
         }
@@ -166,7 +176,9 @@ protected void htmlFormat()
                                     Locator.tag("pre").containing("## \"1\",249318596,\"2008-05-17\",86,36,129,76,64"),
                                     Locator.tag("pre").withText("## knitr says hello to HTML!"),
                                     Locator.tag("pre").startsWith("## Error").containing(": non-numeric argument to binary operator"),
-                                    Locator.tag("p").startsWith("Well, everything seems to be working. Let's ask R what is the value of \u03C0? Of course it is 3.141")};
+                                    Locator.tag("p").startsWith("Well, everything seems to be working. Let's ask R what is the value of \u03C0? Of course it is 3.141"),
+                                    nonceCheckSuccessLoc // Inline script should run
+        };
         String[] reportNotContains = {"<html>",                          // Uninterpreted html
                                       "<!--",                            // ditto
                                       "A minimal knitr example in HTML", // report title element
@@ -195,7 +207,8 @@ protected void markdownV2()
                 Locator.tag("h2").withText("R code chunks"),
                 Locator.tag("code").containing("set.seed(123)"),       // Echoed R code
                 Locator.css("p").containing("2 x pi = 6.283"),
-                Locator.tag("sup").withText("write") //should not contain the hat markdown v2 closing tag
+                Locator.tag("sup").withText("write"), //should not contain the hat markdown v2 closing tag
+                nonceCheckSuccessLoc // Inline script should run
         };
 
         String[] reportNotContains = {"```",              // Markdown for R code chunks
@@ -224,4 +237,66 @@ protected void moduleReportDependencies()
         _ext4Helper.waitForMaskToDisappear(3 * BaseWebDriverTest.WAIT_FOR_JAVASCRIPT);
         waitForElement(Locator.id("mtcars_table"));
     }
+
+    /**
+     * Issue 53211: CSP reports when an R/Plotly graph is displayed in Reports web part, same thing wrapped in a wiki works fine with strict csp
+     */
+    @Test
+    public void testEmbeddedReportNonce()
+    {
+        CspConfigHelper.debugCspWarnings();
+        new CspConfigHelper(this).setEnforceCsp(false);
+
+        String name = "rhtml nonce check";
+        Locator[] reportContains = {nonceCheckSuccessLoc};
+
+        createAndVerifyKnitrReport(rhtmlNonceCheck, RReportHelper.ReportOption.knitrHtml, reportContains,
+            null, true, name);
+        assertNonceSuccess();
+
+        log("Create wiki with embedded report");
+        new WikiHelper(this).createNewWikiPage()
+            .setName(name)
+            .setBody("""
+                ${labkey.webPart(partName='Report',
+                    reportName='%s',
+                    showFrame='false'
+                )}
+            """.formatted(name))
+            .saveAndClose();
+        clickAndWait(Locator.linkWithText(name));
+        assertNonceSuccess();
+
+        log("Add report webpart");
+        new PortalHelper(this).doInAdminMode(ph -> {
+            ph.addTab(name + " tab"); // Use a separate tab to ensure report isn't run accidentally
+            ph.addReportWebPart(name);
+            assertNonceSuccess();
+        });
+
+        log("Re-verify with report run as pipeline job");
+        goToManageViews();
+        waitAndClickAndWait(Locator.linkWithText(name));
+        ScriptReportPage reportPage = _rReportHelper.getReportPage();
+        reportPage.selectOption(StandardReportOption.runInPipeline);
+        String reportId = reportPage.saveReport(null, false, WAIT_FOR_PAGE);
+        goBack();
+        reportPage.startPipelineJobAndWait();
+
+        ScriptReportPage.beginAtReport(this, getCurrentContainerPath(), reportId);
+        assertNonceSuccess();
+
+        clickTab(name + " tab");
+        assertNonceSuccess();
+
+        goToModule("Wiki");
+        clickAndWait(Locator.linkWithText(name));
+        assertNonceSuccess();
+    }
+
+    private void assertNonceSuccess()
+    {
+        assertEquals("Nonce check result", "SUCCESS", getText(nonceCheckLoc));
+        CspLogUtil.checkNewCspWarnings(getArtifactCollector());
+    }
 }