Skip to content

Commit d313c9a

Browse files
committed
feat: migrate to django-csp 4.0
Use constants from django-csp-library directly. Refs: PT-1961
1 parent 0ed736a commit d313c9a

4 files changed

Lines changed: 31 additions & 47 deletions

File tree

notification_importers/admin.py

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
import importlib
22
import logging
33

4+
from csp.constants import UNSAFE_INLINE as CSP_UNSAFE_INLINE
45
from csp.decorators import csp_update
56
from django.conf import settings
67
from django.contrib import admin, messages
@@ -11,8 +12,6 @@
1112
from django_ilmoitin.admin import NotificationTemplateAdmin
1213
from django_ilmoitin.models import NotificationTemplate
1314

14-
from palvelutarjotin.consts import CSP
15-
1615
from .notification_importer import (
1716
AbstractNotificationImporter,
1817
NotificationImporterException,
@@ -113,7 +112,10 @@ def _send_error_message(self, request, message):
113112
# Acecpt CSP_UNSAFE_INLINE for the changeform view to allow
114113
# the preview template to work correctly.
115114
@csp_update(
116-
SCRIPT_SRC=settings.CSP_SCRIPT_SRC + [CSP.UNSAFE_INLINE],
115+
{
116+
"script-src": settings.CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"]
117+
+ [CSP_UNSAFE_INLINE],
118+
}
117119
)
118120
def changeform_view(self, request, object_id=None, form_url="", extra_context=None):
119121
return super().changeform_view(

palvelutarjotin/consts.py

Lines changed: 0 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -25,16 +25,3 @@
2525
INVALID_TOKEN_ERROR = "INVALID_TOKEN_ERROR"
2626
INVALID_STUDY_GROUP_UNIT_INFO_ERROR = "INVALID_STUDY_GROUP_UNIT_INFO_ERROR"
2727
QUEUEING_NOT_ALLOWED_ERROR = "QUEUEING_NOT_ALLOWED_ERROR"
28-
29-
30-
class CSP:
31-
"""The “special” source values of 'self', 'unsafe-inline', 'unsafe-eval', 'none'
32-
and hash-source ('sha256-...') must be quoted! e.g.: CSP_DEFAULT_SRC = ("'self'",).
33-
Without quotes they will not work as intended.
34-
Ref. https://django-csp.readthedocs.io/en/stable/configuration.html.
35-
"""
36-
37-
SELF = "'self'"
38-
NONE = "'none'"
39-
UNSAFE_INLINE = "'unsafe-inline'"
40-
UNSAFE_EVAL = "'unsafe-eval'"

palvelutarjotin/settings.py

Lines changed: 21 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,13 @@
55

66
import environ
77
import sentry_sdk
8+
from csp.constants import SELF as CSP_SELF
9+
from csp.constants import UNSAFE_INLINE as CSP_UNSAFE_INLINE
810
from django.core.exceptions import ImproperlyConfigured
911
from django.utils.translation import gettext_lazy as _
1012
from sentry_sdk.integrations.django import DjangoIntegration
1113

1214
from palvelutarjotin import __version__
13-
from palvelutarjotin.consts import CSP
1415

1516
checkout_dir = environ.Path(__file__) - 2
1617
assert os.path.exists(checkout_dir("manage.py"))
@@ -268,33 +269,25 @@
268269
CORS_ALLOWED_ORIGIN_REGEXES = env.list("CORS_ALLOWED_ORIGIN_REGEXES")
269270
CORS_ALLOW_ALL_ORIGINS = env.bool("CORS_ALLOW_ALL_ORIGINS")
270271

271-
# Configure the default CSP rule for different source types
272-
CSP_DEFAULT_SRC = [CSP.SELF]
273-
274-
# CSP_STYLE_SRC includes 'unsafe-inline' for inline styles added by `django-helusers`.
275-
CSP_STYLE_SRC = [
276-
CSP.SELF,
277-
CSP.UNSAFE_INLINE,
278-
"cdn.jsdelivr.net",
279-
"blob:",
280-
]
281-
282-
CSP_SCRIPT_SRC = [
283-
CSP.SELF,
284-
"cdn.jsdelivr.net", # /graphql/ endpoint
285-
"blob:",
286-
]
287-
288-
CSP_FONT_SRC = [
289-
CSP.SELF,
290-
"data:", # /graphql/ endpoint uses "data:font/woff2"
291-
]
292-
293-
CSP_IMG_SRC = [
294-
CSP.SELF,
295-
"blob:",
296-
"data:",
297-
]
272+
# Configure default CSP rules for different source types
273+
CSP_BLOB = "blob:"
274+
CSP_DATA = "data:"
275+
CSP_CDN = "cdn.jsdelivr.net"
276+
277+
CONTENT_SECURITY_POLICY = {
278+
"DIRECTIVES": {
279+
"default-src": [CSP_SELF],
280+
"font-src": [CSP_SELF, CSP_DATA], # /graphql/ endpoint uses "data:font/woff2"
281+
"img-src": [CSP_SELF, CSP_BLOB, CSP_DATA],
282+
"script-src": [CSP_SELF, CSP_CDN, CSP_BLOB], # /graphql/ endpoint
283+
"style-src": [
284+
CSP_SELF,
285+
CSP_UNSAFE_INLINE,
286+
CSP_CDN,
287+
CSP_BLOB,
288+
], # 'unsafe-inline' needed for `django-helusers`.
289+
}
290+
}
298291

299292
AUTHENTICATION_BACKENDS = [
300293
"axes.backends.AxesBackend",

palvelutarjotin/urls.py

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
from csp.constants import UNSAFE_INLINE as CSP_UNSAFE_INLINE
12
from csp.decorators import csp_update
23
from django.conf import settings
34
from django.conf.urls.static import static
@@ -15,7 +16,6 @@
1516
from common.utils import get_api_version
1617
from custom_health_checks.views import HealthCheckJSONView
1718
from palvelutarjotin import __version__
18-
from palvelutarjotin.consts import CSP
1919
from palvelutarjotin.views import SentryGraphQLView
2020

2121
admin.site.index_title = " ".join([gettext("Kultus API"), get_api_version()])
@@ -25,8 +25,10 @@
2525

2626
# Add unsafe-inline to enable GraphiQL interface at /graphql/
2727
@csp_update(
28-
SCRIPT_SRC=settings.CSP_SCRIPT_SRC
29-
+ ([CSP.UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else [])
28+
{
29+
"script-src": settings.CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"]
30+
+ ([CSP_UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else []),
31+
}
3032
)
3133
@csrf_exempt
3234
def graphql_view(request, *args, **kwargs):

0 commit comments

Comments
 (0)