Merge pull request #4779 from gchq/csp_update

Csp update

Author: stroomdev66

Diff for: stroom-app/src/main/java/stroom/app/App.java

@@ -72,19 +72,15 @@
 import io.dropwizard.jersey.sessions.SessionFactoryProvider;
 import io.dropwizard.servlets.tasks.LogConfigurationTask;
 import jakarta.inject.Inject;
-import jakarta.servlet.DispatcherType;
-import jakarta.servlet.FilterRegistration;
 import jakarta.validation.ValidatorFactory;
 import org.eclipse.jetty.http.HttpCookie;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.session.SessionHandler;
-import org.eclipse.jetty.servlets.CrossOriginFilter;
 
 import java.io.IOException;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.time.Duration;
-import java.util.EnumSet;
 import java.util.Objects;
 
 public class App extends Application<Config> {
@@ -230,14 +226,15 @@ public void run(final Config configuration, final Environment environment) {
         // and configuration only holds the YAML view of the config, not the DB view.
         final ConfigMapper configMapper = bootStrapInjector.getInstance(ConfigMapper.class);
         final SessionCookieConfig sessionCookieConfig = configMapper.getConfigObject(SessionCookieConfig.class);
+//        final CorsConfig corsConfig = configMapper.getConfigObject(CorsConfig.class);
         final SessionConfig sessionConfig = configMapper.getConfigObject(SessionConfig.class);
 
         // Set up a session handler for Jetty
         configureSessionHandling(environment, sessionConfig);
         configureSessionCookie(environment, sessionCookieConfig);
 
-        // Configure Cross-Origin Resource Sharing.
-        configureCors(environment);
+//        // Configure Cross-Origin Resource Sharing.
+//        configureCors(environment, corsConfig);
 
         LOGGER.info("Starting Stroom Application");
 
@@ -400,14 +397,30 @@ private void configureSessionCookie(final Environment environment,
                 sessionCookieConfig.getSameSite().getAttributeValue());
     }
 
-    private static void configureCors(io.dropwizard.core.setup.Environment environment) {
-        final FilterRegistration.Dynamic cors = environment.servlets()
-                .addFilter("CORS", CrossOriginFilter.class);
-        cors.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
-        cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM, "GET,PUT,POST,DELETE,OPTIONS,PATCH");
-        cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*");
-        cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM, "*");
-    }
+//    private static void configureCors(final Environment environment,
+//                                      final CorsConfig corsConfig) {
+//        // Enable CORS headers
+//        final FilterRegistration.Dynamic cors =
+//                environment.servlets().addFilter("CORS", CrossOriginFilter.class);
+//
+//        // Configure CORS parameters
+//        cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM,
+//                "*"); // Same as default.
+//        cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM,
+//                "X-Requested-With,Content-Type,Accept,Origin"); // Same as default.
+//        cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM,
+//                "GET,POST,HEAD"); // Same as default.
+//
+//        // Add other overrides from config.
+//        if (corsConfig != null && corsConfig.getParameters() != null && !corsConfig.getParameters().isEmpty()) {
+//            corsConfig.getParameters().forEach(param -> {
+//                cors.setInitParameter(param.getName(), param.getValue());
+//            });
+//        }
+//
+//        // Add URL mapping
+//        cors.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
+//    }
 
     private void registerLogConfiguration(final Environment environment) {
         // Task to allow configuration of log levels at runtime

Diff for: stroom-config/stroom-config-app/build.gradle

@@ -47,6 +47,7 @@ dependencies {
     implementation project(':stroom-search:stroom-search-impl')
     implementation project(':stroom-search:stroom-search-solr')
     implementation project(':stroom-search:stroom-searchable-impl')
+    implementation project(':stroom-security:stroom-security-common-impl')
     implementation project(':stroom-security:stroom-security-identity')
     implementation project(':stroom-security:stroom-security-impl')
     implementation project(':stroom-security:stroom-security-impl-db')

Diff for: stroom-config/stroom-config-app/src/main/java/stroom/config/app/AppConfig.java

@@ -87,6 +87,7 @@ public class AppConfig extends AbstractConfig implements IsStroomConfig {
     public static final String PROP_NAME_COMMON_DB_DETAILS = "commonDbDetails";
     public static final String PROP_NAME_CONTENT_PACK_IMPORT = "contentPackImport";
     public static final String PROP_NAME_CORE = "core";
+    public static final String PROP_NAME_CORS = "cors";
     public static final String PROP_NAME_DASHBOARD = "dashboard";
     public static final String PROP_NAME_DATA = "data";
     public static final String PROP_NAME_DOCSTORE = "docstore";
@@ -135,6 +136,7 @@ public class AppConfig extends AbstractConfig implements IsStroomConfig {
     private final ClusterLockConfig clusterLockConfig;
     private final CommonDbConfig commonDbConfig;
     private final ContentPackImportConfig contentPackImportConfig;
+    //    private final CorsConfig corsConfig;
     private final LegacyConfig legacyConfig;
     private final DashboardConfig dashboardConfig;
     private final DataConfig dataConfig;
@@ -186,6 +188,7 @@ public AppConfig() {
                 new ClusterLockConfig(),
                 new CommonDbConfig(),
                 new ContentPackImportConfig(),
+//                new CorsConfig(),
                 new LegacyConfig(),
                 new DashboardConfig(),
                 new DataConfig(),
@@ -236,6 +239,7 @@ public AppConfig(@JsonProperty(PROP_NAME_HALT_BOOT_ON_CONFIG_VALIDATION_FAILURE)
                      @JsonProperty(PROP_NAME_CLUSTER_LOCK) final ClusterLockConfig clusterLockConfig,
                      @JsonProperty(PROP_NAME_COMMON_DB_DETAILS) final CommonDbConfig commonDbConfig,
                      @JsonProperty(PROP_NAME_CONTENT_PACK_IMPORT) final ContentPackImportConfig contentPackImportConfig,
+//                     @JsonProperty(PROP_NAME_CORS) final CorsConfig corsConfig,
                      @JsonProperty(PROP_NAME_CORE) final LegacyConfig legacyConfig,
                      @JsonProperty(PROP_NAME_DASHBOARD) final DashboardConfig dashboardConfig,
                      @JsonProperty(PROP_NAME_DATA) final DataConfig dataConfig,
@@ -282,6 +286,7 @@ public AppConfig(@JsonProperty(PROP_NAME_HALT_BOOT_ON_CONFIG_VALIDATION_FAILURE)
         this.clusterLockConfig = clusterLockConfig;
         this.commonDbConfig = commonDbConfig;
         this.contentPackImportConfig = contentPackImportConfig;
+//        this.corsConfig = corsConfig;
         this.legacyConfig = legacyConfig;
         this.dashboardConfig = dashboardConfig;
         this.dataConfig = dataConfig;
@@ -381,6 +386,11 @@ public ContentPackImportConfig getContentPackImportConfig() {
         return contentPackImportConfig;
     }
 
+//    @JsonProperty(PROP_NAME_CORS)
+//    public CorsConfig getCorsConfig() {
+//        return corsConfig;
+//    }
+
     @JsonProperty(PROP_NAME_CORE)
     @JsonPropertyDescription("Configuration for the core stroom DB")
     public LegacyConfig getLegacyConfig() {

Diff for: stroom-config/stroom-config-app/src/main/java/stroom/config/app/SecurityConfig.java

@@ -1,10 +1,10 @@
 package stroom.config.app;
 
 import stroom.search.elastic.CryptoConfig;
+import stroom.security.common.impl.ContentSecurityConfig;
 import stroom.security.identity.config.IdentityConfig;
 import stroom.security.impl.AuthenticationConfig;
 import stroom.security.impl.AuthorisationConfig;
-import stroom.security.impl.ContentSecurityConfig;
 import stroom.util.shared.AbstractConfig;
 import stroom.util.shared.IsStroomConfig;
 

Diff for: stroom-config/stroom-config-app/src/main/java/stroom/config/app/SuperDevUtil.java

@@ -1,6 +1,6 @@
 package stroom.config.app;
 
-import stroom.security.impl.ContentSecurityConfig;
+import stroom.security.common.impl.ContentSecurityConfig;
 import stroom.util.ColouredStringBuilder;
 import stroom.util.ConsoleColour;
 import stroom.util.shared.AbstractConfig;

Diff for: stroom-config/stroom-config-app/src/test/resources/stroom/config/app/expected.yaml

@@ -933,7 +933,7 @@ appConfig:
     webContent:
       contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'\
         \ 'unsafe-inline'; img-src 'self' data:; style-src 'self' 'unsafe-inline';\
-        \ connect-src 'self' wss:; frame-ancestors 'self';"
+        \ frame-ancestors 'self';"
       contentTypeOptions: "nosniff"
       frameOptions: "sameorigin"
       strictTransportSecurity: "max-age=31536000; includeSubDomains; preload"

Diff for: stroom-config/stroom-config-global-impl/build.gradle

@@ -43,6 +43,7 @@ dependencies {
     implementation project(':stroom-search:stroom-search-solr')
     implementation project(':stroom-search:stroom-searchable-impl')
     implementation project(':stroom-security:stroom-security-api')
+    implementation project(':stroom-security:stroom-security-common-impl')
     implementation project(':stroom-security:stroom-security-identity')
     implementation project(':stroom-security:stroom-security-impl')
     implementation project(':stroom-security:stroom-security-openid-api')

Diff for: stroom-config/stroom-config-global-impl/src/main/java/stroom/config/global/impl/ConfigProvidersModule.java

@@ -636,6 +636,15 @@ stroom.search.solr.search.SolrSearchConfig getSolrSearchConfig(
                 stroom.search.solr.search.SolrSearchConfig.class);
     }
 
+    @Generated("stroom.config.global.impl.GenerateConfigProvidersModule")
+    @Provides
+    @SuppressWarnings("unused")
+    stroom.security.common.impl.ContentSecurityConfig getContentSecurityConfig(
+            final ConfigMapper configMapper) {
+        return configMapper.getConfigObject(
+                stroom.security.common.impl.ContentSecurityConfig.class);
+    }
+
     @Generated("stroom.config.global.impl.GenerateConfigProvidersModule")
     @Provides
     @SuppressWarnings("unused")
@@ -699,15 +708,6 @@ stroom.security.impl.AuthorisationConfig getAuthorisationConfig(
                 stroom.security.impl.AuthorisationConfig.class);
     }
 
-    @Generated("stroom.config.global.impl.GenerateConfigProvidersModule")
-    @Provides
-    @SuppressWarnings("unused")
-    stroom.security.impl.ContentSecurityConfig getContentSecurityConfig(
-            final ConfigMapper configMapper) {
-        return configMapper.getConfigObject(
-                stroom.security.impl.ContentSecurityConfig.class);
-    }
-
     @Generated("stroom.config.global.impl.GenerateConfigProvidersModule")
     @Provides
     @SuppressWarnings("unused")

Diff for: stroom-config/stroom-config-global-impl/src/test/java/stroom/config/global/impl/TestConfigMapper.java

@@ -76,12 +76,7 @@
 import stroom.util.time.StroomDuration;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonInclude.Include;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.SerializationFeature;
-import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.google.common.reflect.TypeToken;
 import io.dropwizard.configuration.ConfigurationException;
 import io.dropwizard.core.Configuration;
@@ -930,6 +925,7 @@ public TestConfig(
                 @JsonProperty(PROP_NAME_CLUSTER_LOCK) final ClusterLockConfig clusterLockConfig,
                 @JsonProperty(PROP_NAME_COMMON_DB_DETAILS) final CommonDbConfig commonDbConfig,
                 @JsonProperty(PROP_NAME_CONTENT_PACK_IMPORT) final ContentPackImportConfig contentPackImportConfig,
+//                @JsonProperty(PROP_NAME_CORS) final CorsConfig corsConfig,
                 @JsonProperty(PROP_NAME_CORE) final LegacyConfig legacyConfig,
                 @JsonProperty(PROP_NAME_DASHBOARD) final DashboardConfig dashboardConfig,
                 @JsonProperty(PROP_NAME_DATA) final DataConfig dataConfig,
@@ -991,6 +987,7 @@ public TestConfig(
                     clusterLockConfig,
                     commonDbConfig,
                     contentPackImportConfig,
+//                    corsConfig,
                     legacyConfig,
                     dashboardConfig,
                     dataConfig,

Diff for: stroom-proxy/stroom-proxy-app/src/main/java/stroom/proxy/app/App.java

@@ -56,15 +56,11 @@
 import io.dropwizard.core.setup.Environment;
 import io.dropwizard.servlets.tasks.LogConfigurationTask;
 import jakarta.inject.Inject;
-import jakarta.servlet.DispatcherType;
-import jakarta.servlet.FilterRegistration;
 import jakarta.validation.ValidatorFactory;
 import org.eclipse.jetty.server.session.SessionHandler;
-import org.eclipse.jetty.servlets.CrossOriginFilter;
 
 import java.io.IOException;
 import java.nio.file.Path;
-import java.util.EnumSet;
 import java.util.Objects;
 
 public class App extends Application<Config> {
@@ -164,9 +160,6 @@ public void run(final Config configuration, final Environment environment) {
         // Set up a session handler for Jetty
         environment.servlets().setSessionHandler(new SessionHandler());
 
-        // Configure Cross-Origin Resource Sharing.
-        configureCors(environment);
-
         LOGGER.info("Starting Stroom Proxy");
 
         final ProxyModule proxyModule = new ProxyModule(configuration, environment, configFile);
@@ -236,14 +229,6 @@ private void warnAboutDefaultOpenIdCreds(final Config configuration, final Injec
         }
     }
 
-    private static void configureCors(io.dropwizard.core.setup.Environment environment) {
-        FilterRegistration.Dynamic cors = environment.servlets().addFilter("CORS", CrossOriginFilter.class);
-        cors.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
-        cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM, "GET,PUT,POST,DELETE,OPTIONS,PATCH");
-        cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*");
-        cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM, "*");
-    }
-
     private void registerLogConfiguration(final Environment environment) {
         // Task to allow configuration of log levels at runtime
         String path = environment.getAdminContext().getContextPath();

Diff for: stroom-proxy/stroom-proxy-app/src/main/java/stroom/proxy/app/ProxyConfig.java

@@ -73,25 +73,23 @@ public class ProxyConfig extends AbstractConfig implements IsProxyConfig {
     private final List<SqsConnectorConfig> sqsConnectors;
 
     public ProxyConfig() {
-        haltBootOnConfigValidationFailure = DEFAULT_HALT_BOOT_ON_CONFIG_VALIDATION_FAILURE;
-        proxyId = null;
-        contentDir = DEFAULT_CONTENT_DIR;
-
-        pathConfig = new ProxyPathConfig();
-        receiveDataConfig = new ReceiveDataConfig();
-        eventStoreConfig = new EventStoreConfig();
-        aggregatorConfig = new AggregatorConfig();
-        forwardFileDestinations = new ArrayList<>();
-        forwardHttpDestinations = new ArrayList<>();
-        logStreamConfig = new LogStreamConfig();
-        contentSyncConfig = new ContentSyncConfig();
-        feedStatusConfig = new FeedStatusConfig();
-        threadConfig = new ThreadConfig();
-        proxySecurityConfig = new ProxySecurityConfig();
-        sqsConnectors = new ArrayList<>();
+        this(DEFAULT_HALT_BOOT_ON_CONFIG_VALIDATION_FAILURE,
+                null,
+                DEFAULT_CONTENT_DIR,
+                new ProxyPathConfig(),
+                new ReceiveDataConfig(),
+                new EventStoreConfig(),
+                new AggregatorConfig(),
+                new ArrayList<>(),
+                new ArrayList<>(),
+                new LogStreamConfig(),
+                new ContentSyncConfig(),
+                new FeedStatusConfig(),
+                new ThreadConfig(),
+                new ProxySecurityConfig(),
+                new ArrayList<>());
     }
 
-
     @SuppressWarnings("checkstyle:LineLength")
     @JsonCreator
     public ProxyConfig(

Diff for: stroom-proxy/stroom-proxy-app/src/main/java/stroom/proxy/app/guice/ProxyModule.java

@@ -60,6 +60,8 @@
 
 public class ProxyModule extends AbstractModule {
 
+    private static final String MATCH_ALL_PATHS = "/*";
+
     private final Config configuration;
     private final Environment environment;
     private final ProxyConfigHolder proxyConfigHolder;
@@ -95,7 +97,7 @@ protected void configure() {
                 .bind(RemoteFeedStatusService.class);
 
         FilterBinder.create(binder())
-                .bind(new FilterInfo(ProxySecurityFilter.class.getSimpleName(), "/*"),
+                .bind(new FilterInfo(ProxySecurityFilter.class.getSimpleName(), MATCH_ALL_PATHS),
                         ProxySecurityFilter.class);
 
         ServletBinder.create(binder())

Diff for: stroom-security/stroom-security-common-impl/build.gradle

@@ -11,6 +11,7 @@ dependencies {
     implementation libs.caffeine
     implementation libs.dropwizard.metrics.healthchecks
     implementation libs.dropwizard.lifecycle
+    implementation libs.guava
     implementation libs.http.client
     implementation libs.jackson.core
     implementation libs.jackson.databind

Diff for: stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/ContentSecurityConfig.java renamed to stroom-security/stroom-security-common-impl/src/main/java/stroom/security/common/impl/ContentSecurityConfig.java

@@ -15,9 +15,10 @@
  * you may not use this file except in compliance with the License.
  */
 
-package stroom.security.impl;
+package stroom.security.common.impl;
 
 import stroom.util.shared.AbstractConfig;
+import stroom.util.shared.IsProxyConfig;
 import stroom.util.shared.IsStroomConfig;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
@@ -27,7 +28,7 @@
 
 
 @JsonPropertyOrder(alphabetic = true)
-public class ContentSecurityConfig extends AbstractConfig implements IsStroomConfig {
+public class ContentSecurityConfig extends AbstractConfig implements IsStroomConfig, IsProxyConfig {
 
     public static final String PROP_NAME_CONTENT_SECURITY_POLICY = "contentSecurityPolicy";
     public static final String PROP_NAME_STRICT_TRANSPORT_SECURITY = "strictTransportSecurity";
@@ -44,7 +45,6 @@ public ContentSecurityConfig() {
                 "script-src 'self' 'unsafe-eval' 'unsafe-inline'; " +
                 "img-src 'self' data:; " +
                 "style-src 'self' 'unsafe-inline'; " +
-                "connect-src 'self' wss:; " +
                 "frame-ancestors 'self';";
         contentTypeOptions = "nosniff";
         frameOptions = "sameorigin";

Diff for: stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/ContentSecurityFilter.java renamed to stroom-security/stroom-security-common-impl/src/main/java/stroom/security/common/impl/ContentSecurityFilter.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package stroom.security.impl;
+package stroom.security.common.impl;
 
 import stroom.util.NullSafe;
 import stroom.util.logging.LambdaLogger;

Diff for: stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/SecurityModule.java

@@ -21,6 +21,7 @@
 import stroom.security.api.DocumentPermissionService;
 import stroom.security.api.ServiceUserFactory;
 import stroom.security.api.UserIdentityFactory;
+import stroom.security.common.impl.ContentSecurityFilter;
 import stroom.security.common.impl.DelegatingServiceUserFactory;
 import stroom.security.common.impl.ExternalIdpConfigurationProvider;
 import stroom.security.common.impl.ExternalServiceUserFactory;
@@ -46,7 +47,6 @@
 import stroom.util.guice.GuiceUtil;
 import stroom.util.guice.HasHealthCheckBinder;
 import stroom.util.guice.RestResourcesBinder;
-import stroom.util.http.HttpClientFactory;
 import stroom.util.shared.Clearable;
 
 import com.google.inject.AbstractModule;