# frozen_string_literal: true

module Observability
  module ContentSecurityPolicy
    extend ActiveSupport::Concern

    included do
      content_security_policy_with_context do |p|
        current_group = if defined?(group)
                          group
                        else
                          defined?(project) ? project&.group : nil
                        end

        next if p.directives.blank? || !Gitlab::Observability.observability_enabled?(current_user, current_group)

        default_frame_src = p.directives['frame-src'] || p.directives['default-src']

        # When ObservabilityUI is not authenticated, it needs to be able
        # to redirect to the GL sign-in page, hence '/users/sign_in' and '/oauth/authorize'
        frame_src_values = Array.wrap(default_frame_src) | [Gitlab::Observability.observability_url,
                                                            Gitlab::Utils.append_path(Gitlab.config.gitlab.url,
'/users/sign_in'),
                                                            Gitlab::Utils.append_path(Gitlab.config.gitlab.url,
'/oauth/authorize')]

        p.frame_src(*frame_src_values)
      end
    end
  end
end