OCPBUGS-49291: Improving the DevExp for passing the CSP directives to console per flag + Make use of connect-src and object-src directives #14701
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@jhadvig: This pull request references Jira Issue OCPBUGS-49291, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-bug
openshift-ci
bot
added
component/backend
pkg/utils/utils.go
Outdated
| // If the objectSrc directive is not set, add 'none' to it. | ||
| if len(objectSrcDirective) == 1 && objectSrcDirective[0] == "object-src" { | ||
| objectSrcDirective = append(objectSrcDirective, none) | ||
| } | ||
|
|
||
| // If the connectSrc directive is not set, add 'none' to it. | ||
| if len(connectSrcDirective) == 1 && connectSrcDirective[0] == "connect-src" { | ||
| connectSrcDirective = append(connectSrcDirective, none) | ||
| } |
There was a problem hiding this comment.
I think specifying none overrides default-src so things like self would no longer work.
There was a problem hiding this comment.
ok, I see, in that case we should only set self, for both object-src and connect-src
pkg/utils/utils.go
Outdated
|
|
||
| // If the connectSrc directive is not set, add 'none' to it. | ||
| if len(connectSrcDirective) == 1 && connectSrcDirective[0] == "connect-src" { | ||
| connectSrcDirective = append(connectSrcDirective, none) |
There was a problem hiding this comment.
For connect-src, we want self and also a directive for console.redhat.com
cmd/bridge/main.go
Outdated
| fContentSecurityPolicy := fs.String("content-security-policy", "", "Content security policy for the console. (JSON as string)") | ||
|
|
||
| consoleCSPFlags := serverconfig.MultiKeyValue{} | ||
| fs.Var(&consoleCSPFlags, "content-security-policy", "List of CSP directives that are enabled for the console. Each entry consist of csp-directive-name as a key and csp-directive-value as a value.") |
There was a problem hiding this comment.
nit: An example here would be nice (like we provide for i18n-namespaces above)
README.md
Outdated
| Example: | ||
|
|
||
| ``` | ||
| ./bin/bridge --content-security-policy ScriptSrc="localhost:1234 localhost:2345" --content-security-policy FontSrc="localhost:3456 localhost:4567" |
There was a problem hiding this comment.
Here I would probably the directive name font-src instead of FontSrc
| ./bin/bridge --content-security-policy ScriptSrc="localhost:1234 localhost:2345" --content-security-policy FontSrc="localhost:3456 localhost:4567" | |
| ./bin/bridge --content-security-policy ScriptSrc="localhost:1234 localhost:2345" --content-security-policy font-src="localhost:3456 localhost:4567" |
There was a problem hiding this comment.
I was thinking about it, but then we would need to change the console-config.yaml representation, or accept both formats FontSrc & font-src. Here I would rather go with the first option.
There was a problem hiding this comment.
I don't know if we need to change console-config.yaml. Can we just translate between the names in config.go instead?
I wouldn't accept both formats. Let's pick one and go with it. If it's difficult, we can stick with PascalCase.
There was a problem hiding this comment.
We will need the change to the console-config.yaml representation. Currently the in console-config/yaml CSPs are set in FontSrc="localhost:3456 localhost:4567" format. Thats how they are passed to the --content-security-policy flag by bridge. OR we need to update the addContentSecurityPolicy() in pkg/serverconfig/config.go so the cspDirectiveName is transformed into the font-src format.
There was a problem hiding this comment.
OR we need to update the
addContentSecurityPolicy()inpkg/serverconfig/config.goso thecspDirectiveNameis transformed into thefont-srcformat.
This is what I was thinking. We have only a handful of well-defined directives we support, so it doesn't seem too bad?
There was a problem hiding this comment.
I think its reasonable 👍
pkg/utils/utils.go
Outdated
| default: | ||
| klog.Warningf("ignored invalid CSP directive: %v", directive) | ||
| klog.Infof("ignored invalid CSP directive: %v", directive) |
There was a problem hiding this comment.
nit: This isn't necessarily an invalid directive since there are many we don't allow to be set
| klog.Infof("ignored invalid CSP directive: %v", directive) | |
| klog.Infof("ignored unsupported CSP directive: %v", directive) |
|
@spadgett I've vendor the |
openshift-merge-robot
added
the
needs-rebase
jhadvig
force-pushed
the
OCPBUGS-49291
branch
from
30a8269 to
9f0d2e6
Compare
openshift-merge-robot
removed
the
needs-rebase
|
@spadgett thanks for review. Addressed your comments. PTAL |
|
/retest |
pkg/utils/utils.go
Outdated
| styleSrcDirective = append(styleSrcDirective, httpLocalHost) | ||
| directives := map[string][]string{ | ||
| baseURI: {self}, | ||
| defaultSrc: {self, consoleDot}, |
There was a problem hiding this comment.
Can we get away with only adding consoleDot to scriptSrc and connectSrc? It would be better if we can avoid putting it in defaultSrc.
|
Hmm, looks like there's a build failure anyway |
|
@spadgett squashed last two commits. |
jhadvig
force-pushed
the
OCPBUGS-49291
branch
from
a9ee068 to
63fcc2c
Compare
|
/retest |
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
|
/retest |
|
/retest |
|
@jhadvig: once the present PR merges, I will cherry-pick it on top of In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
jhadvig
force-pushed
the
OCPBUGS-49291
branch
2 times, most recently
from
81d9465 to
ac59501
Compare
pkg/utils/utils.go
Outdated
| case connectSrc: | ||
| connectSrcDirective = append(connectSrcDirective, sources) | ||
| default: | ||
| klog.Infof("ignored invalid CSP directive: %v", directive) |
… console per flag + Make use of connect-src directive
|
Thank you @spadgett I've addressed your comment and removed unnecessary API bumps. Also added additional commit which is using |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhadvig, spadgett The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
6 similar comments
3 similar comments
|
@jhadvig: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@jhadvig: Jira Issue OCPBUGS-49291: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-49291 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@jhadvig: new pull request created: #15030 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Improving the DevExp for passing the CSP directives to console per flag instead of JSON.
New usage will be:
Also adding connect-src and object-src directives. These will be set to
'none'if no plugin will specifysource-expression-listfor them. This API was added by https://issues.redhat.com/browse/OCPBUGS-48740/assign @TheRealJon @spadgett