Allow calling AddSecurityHeadersPolicies multiple times (#250)

* Add test for expected behaviour

* Add support for multiple configuration

* Alternative approach

* Revised approach

* Remove incorrect comment

Author: andrewlock

src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddlewareExtensions.cs

@@ -1,4 +1,6 @@
 using System;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using NetEscapades.AspNetCore.SecurityHeaders;
 using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
@@ -28,7 +30,7 @@ public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder ap
             throw new ArgumentNullException(nameof(policies));
         }
 
-        var opts = app.ApplicationServices.GetService(typeof(CustomHeaderOptions)) as CustomHeaderOptions;
+        var opts = GetOptions(app.ApplicationServices);
         return app.UseMiddleware(policies, opts);
     }
 
@@ -65,7 +67,7 @@ public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder ap
             throw new ArgumentNullException(nameof(app));
         }
 
-        var options = app.ApplicationServices.GetService(typeof(CustomHeaderOptions)) as CustomHeaderOptions;
+        var options = GetOptions(app.ApplicationServices);
         var policy = options?.DefaultPolicy ?? new HeaderPolicyCollection().AddDefaultSecurityHeaders();
 
         return app.UseMiddleware(policy, options);
@@ -89,7 +91,7 @@ public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder ap
             throw new ArgumentNullException(nameof(policyName));
         }
 
-        var options = app.ApplicationServices.GetService(typeof(CustomHeaderOptions)) as CustomHeaderOptions;
+        var options = GetOptions(app.ApplicationServices);
         var policy = options?.GetPolicy(policyName);
         if (policy is null)
         {
@@ -109,4 +111,44 @@ private static IApplicationBuilder UseMiddleware(
     {
         return app.UseMiddleware<SecurityHeadersMiddleware>(options ?? new(), policies);
     }
+
+    /// <summary>
+    /// Get the <see cref="CustomHeaderOptions"/> to use. Internal for testing.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceProvider"/> to use</param>
+    /// <returns>The options to use in the middleware</returns>
+    internal static CustomHeaderOptions? GetOptions(IServiceProvider services)
+    {
+        // Only choose the _last_ directly registered CustomHeaderOptions
+        var allOptions = services.GetServices<CustomHeaderOptions>();
+        if (allOptions is null)
+        {
+            return null;
+        }
+
+        CustomHeaderOptions? current = null;
+        foreach (var next in allOptions)
+        {
+            if (next is null)
+            {
+                continue;
+            }
+
+            if (current is null)
+            {
+                current = next;
+                continue;
+            }
+
+            // overwrite/merge everything
+            current.DefaultPolicy = next.DefaultPolicy ?? current.DefaultPolicy;
+            current.PolicySelector = next.PolicySelector ?? current.PolicySelector;
+            foreach (var kvp in next.NamedPolicyCollections)
+            {
+                current.NamedPolicyCollections[kvp.Key] = kvp.Value;
+            }
+        }
+
+        return current;
+    }
 }

src/NetEscapades.AspNetCore.SecurityHeaders/ServiceCollectionExtensions.cs

@@ -26,6 +26,36 @@ public static SecurityHeaderPolicyBuilder AddSecurityHeaderPolicies(this IServic
         return new SecurityHeaderPolicyBuilder(options);
     }
 
+    /// <summary>
+    /// Creates a builder for configuring security header policies.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceCollection" /> to add services to.</param>
+    /// <param name="configure">A configuration method to configure your header policies</param>
+    /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
+    public static IServiceCollection AddSecurityHeaderPolicies(
+        this IServiceCollection services,
+        Action<SecurityHeaderPolicyBuilder> configure)
+    {
+        if (services == null)
+        {
+            throw new ArgumentNullException(nameof(services));
+        }
+
+        if (configure == null)
+        {
+            throw new ArgumentNullException(nameof(configure));
+        }
+
+        services.AddSingleton(_ =>
+        {
+            var options = new CustomHeaderOptions();
+            configure(new SecurityHeaderPolicyBuilder(options));
+            return options;
+        });
+
+        return services;
+    }
+
     /// <summary>
     /// Creates a builder for configuring security header policies.
     /// </summary>
@@ -47,9 +77,9 @@ public static IServiceCollection AddSecurityHeaderPolicies(
             throw new ArgumentNullException(nameof(configure));
         }
 
-        var options = new CustomHeaderOptions();
-        services.AddSingleton<CustomHeaderOptions>(provider =>
+        services.AddSingleton(provider =>
         {
+            var options = new CustomHeaderOptions();
             configure(new SecurityHeaderPolicyBuilder(options), provider);
             return options;
         });

test/NetEscapades.AspNetCore.SecurityHeaders.Test/PublicApiTest.PublicApiHasNotChanged.verified.txt

@@ -289,6 +289,7 @@ namespace Microsoft.Extensions.DependencyInjection
     public static class ServiceCollectionExtensions
     {
         public static NetEscapades.AspNetCore.SecurityHeaders.Infrastructure.SecurityHeaderPolicyBuilder AddSecurityHeaderPolicies(this Microsoft.Extensions.DependencyInjection.IServiceCollection services) { }
+        public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddSecurityHeaderPolicies(this Microsoft.Extensions.DependencyInjection.IServiceCollection services, System.Action<NetEscapades.AspNetCore.SecurityHeaders.Infrastructure.SecurityHeaderPolicyBuilder> configure) { }
         public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddSecurityHeaderPolicies(this Microsoft.Extensions.DependencyInjection.IServiceCollection services, System.Action<NetEscapades.AspNetCore.SecurityHeaders.Infrastructure.SecurityHeaderPolicyBuilder, System.IServiceProvider> configure) { }
     }
 }

test/NetEscapades.AspNetCore.SecurityHeaders.Test/SecurityHeadersMiddlewareExtensionsTests.cs

@@ -0,0 +1,151 @@
+using System;
+using FluentAssertions;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
+
+namespace NetEscapades.AspNetCore.SecurityHeaders.Test;
+
+public class SecurityHeadersMiddlewareExtensionsTests
+{
+    [Test]
+    public void AddSecurityHeaderPolicies_NullPolicyByDefault()
+    {
+        var serviceCollection = new ServiceCollection();
+        var provider = serviceCollection.BuildServiceProvider();
+        var opts = SecurityHeadersMiddlewareExtensions.GetOptions(provider);
+        
+        opts.Should().BeNull();
+    }
+
+    [Test]
+    [MatrixDataSource]
+    public void AddSecurityHeaderPolicies_OverwritesPreviousDefault(
+        [Matrix] RegistrationType first,
+        [Matrix] RegistrationType second)
+    {
+        var serviceCollection = new ServiceCollection();
+        HeaderPolicyCollection? policy1 = null;
+        switch (first)
+        {
+            case RegistrationType.Direct:
+                serviceCollection.AddSecurityHeaderPolicies().SetDefaultPolicy(p => { policy1 = p; });
+                break;
+            case RegistrationType.Func:
+                serviceCollection.AddSecurityHeaderPolicies(o => o.SetDefaultPolicy(p => { policy1 = p; }));
+                break;
+            case RegistrationType.FuncWithProvider:
+                serviceCollection.AddSecurityHeaderPolicies((o, _) => o.SetDefaultPolicy(p => { policy1 = p; }));
+                break;
+        }
+        
+        HeaderPolicyCollection? policy2 = null;
+        switch (first)
+        {
+            case RegistrationType.Direct:
+                serviceCollection.AddSecurityHeaderPolicies().SetDefaultPolicy(p => { policy2 = p; });
+                break;
+            case RegistrationType.Func:
+                serviceCollection.AddSecurityHeaderPolicies(o => o.SetDefaultPolicy(p => { policy2 = p; }));
+                break;
+            case RegistrationType.FuncWithProvider:
+                serviceCollection.AddSecurityHeaderPolicies((o, _) => o.SetDefaultPolicy(p => { policy2 = p; }));
+                break;
+        }
+
+        var provider = serviceCollection.BuildServiceProvider();
+        var opts = SecurityHeadersMiddlewareExtensions.GetOptions(provider);
+        
+        policy1.Should().NotBeNull();
+        policy2.Should().NotBeNull();
+        opts.Should().NotBeNull();
+        opts.DefaultPolicy.Should().BeSameAs(policy2);
+    }
+
+    [Test]
+    public void AddSecurityHeaderPolicies_OverwritesMultiplePreviousDefault()
+    {
+        var serviceCollection = new ServiceCollection();
+        HeaderPolicyCollection? policy1 = null;
+        serviceCollection.AddSecurityHeaderPolicies().SetDefaultPolicy(p => { policy1 = p; });
+        HeaderPolicyCollection? policy2 = null;
+        serviceCollection.AddSecurityHeaderPolicies(o => o.SetDefaultPolicy(p => { policy2 = p; }));
+        HeaderPolicyCollection? policy3 = null;
+        serviceCollection.AddSecurityHeaderPolicies((o, _) => o.SetDefaultPolicy(p => { policy3 = p; }));
+
+        var provider = serviceCollection.BuildServiceProvider();
+        var opts = SecurityHeadersMiddlewareExtensions.GetOptions(provider);
+        
+        policy1.Should().NotBeNull();
+        policy2.Should().NotBeNull();
+        policy3.Should().NotBeNull();
+        opts.Should().NotBeNull();
+        opts.DefaultPolicy.Should().BeSameAs(policy3);
+    }
+
+    [Test]
+    [MatrixDataSource]
+    public void AddSecurityHeaderPolicies_OverwritesPreviousPolicySelector(
+        [Matrix] RegistrationType first,
+        [Matrix] RegistrationType second)
+    {
+        var serviceCollection = new ServiceCollection();
+        Func<PolicySelectorContext, IReadOnlyHeaderPolicyCollection> selector1 = x => x.DefaultPolicy;
+        Func<PolicySelectorContext, IReadOnlyHeaderPolicyCollection> selector2 = x => x.DefaultPolicy;
+        SetSelector(serviceCollection, first, selector1);
+        SetSelector(serviceCollection, second, selector2);
+        var provider = serviceCollection.BuildServiceProvider();
+        var opts = SecurityHeadersMiddlewareExtensions.GetOptions(provider);
+        
+        opts.Should().NotBeNull();
+        opts.PolicySelector.Should().BeSameAs(selector2);
+
+        static void SetSelector(ServiceCollection services, RegistrationType type,
+            Func<PolicySelectorContext, IReadOnlyHeaderPolicyCollection> selector)
+        {
+            switch (type)
+            {
+                case RegistrationType.Direct:
+                    services.AddSecurityHeaderPolicies().SetPolicySelector(selector);
+                    break;
+                case RegistrationType.Func:
+                    services.AddSecurityHeaderPolicies(o => o.SetPolicySelector(selector));
+                    break;
+                case RegistrationType.FuncWithProvider:
+                    services.AddSecurityHeaderPolicies((o, _) => o.SetPolicySelector(selector));
+                    break;
+                default:
+                    throw new ArgumentOutOfRangeException(nameof(type), type, null);
+            }
+        }
+    }
+
+    [Test]
+    public void AddSecurityHeaderPolicies_OverwritesAndIncludesPreviousNamedPolicies()
+    {
+        var serviceCollection = new ServiceCollection();
+
+        var name1 = "name1";
+        var name2 = "name2";
+        var name3 = "name3";
+        var replacement = new HeaderPolicyCollection();
+        serviceCollection.AddSecurityHeaderPolicies().AddPolicy(name1, new HeaderPolicyCollection());
+        serviceCollection.AddSecurityHeaderPolicies(o => o.AddPolicy(name2, new HeaderPolicyCollection()));
+        serviceCollection.AddSecurityHeaderPolicies((o, _) => o.AddPolicy(name3, new HeaderPolicyCollection()));
+        serviceCollection.AddSecurityHeaderPolicies().AddPolicy(name3, replacement);
+
+        var provider = serviceCollection.BuildServiceProvider();
+        var opts = SecurityHeadersMiddlewareExtensions.GetOptions(provider);
+        
+        opts.Should().NotBeNull();
+        opts.NamedPolicyCollections.Should().ContainKeys(name1, name2, name3).And.HaveCount(3);
+        opts.NamedPolicyCollections[name3].Should().BeSameAs(replacement);
+    }
+
+    public enum RegistrationType
+    {
+        Direct,
+        Func,
+        FuncWithProvider
+    }
+}