darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2025-12-13 16:43:54 -05:00
Code Issues Packages Projects Releases Wiki Activity

update csp using variables and testing

Browse Source
This commit is contained in:
Beverly Nguyen
2025-05-22 12:03:18 -07:00
parent 444800fbda
commit 790fe2d6f9
12 changed files with 50 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.ds.baseline
View File

@@ -171,7 +171,7 @@
"filename": "app/config.py",
"hashed_secret": "577a4c667e4af8682ca431857214b3a920883efc",
"is_verified": false,
"line_number": 122,
"line_number": 123,
"is_secret": false
}
],
@@ -644,5 +644,5 @@
}
]
},
"generated_at": "2025-05-19T21:41:23Z"
"generated_at": "2025-05-22T19:03:11Z"
}

2
.github/workflows/deploy-demo.yml vendored
View File

@@ -64,6 +64,7 @@ jobs:
LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-demo.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
API_PUBLIC_WS_URL: ${{ secrets.API_PUBLIC_WS_URL }}
with:
cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -89,6 +90,7 @@ jobs:
--var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
--var LOGIN_PEM="$LOGIN_PEM"
--var API_PUBLIC_URL="$API_PUBLIC_URL"
--var API_PUBLIC_WS_URL="$API_PUBLIC_WS_URL"
--strategy rolling
- name: Deploy egress proxy

2
.github/workflows/deploy-prod.yml vendored
View File

@@ -64,6 +64,7 @@ jobs:
LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://beta.notify.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
API_PUBLIC_WS_URL: ${{ secrets.API_PUBLIC_WS_URL }}
with:
cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -89,6 +90,7 @@ jobs:
--var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
--var LOGIN_PEM="$LOGIN_PEM"
--var API_PUBLIC_URL="$API_PUBLIC_URL"
--var API_PUBLIC_WS_URL="$API_PUBLIC_WS_URL"
--strategy rolling
- name: Deploy egress proxy

2
.github/workflows/deploy.yml vendored
View File

@@ -70,6 +70,7 @@ jobs:
LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
API_PUBLIC_URL: ${{ secrets.API_PUBLIC_URL }}
API_PUBLIC_WS_URL: ${{ secrets.API_PUBLIC_WS_URL }}
with:
cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -95,6 +96,7 @@ jobs:
--var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"
--var LOGIN_PEM="$LOGIN_PEM"
--var API_PUBLIC_URL="$API_PUBLIC_URL"
--var API_PUBLIC_WS_URL="$API_PUBLIC_WS_URL"
--strategy rolling

12
app/__init__.py
View File

@@ -141,6 +141,8 @@ navigation = {
def _csp(config):
asset_domain = config["ASSET_DOMAIN"]
logo_domain = config["LOGO_CDN_DOMAIN"]
api_public_url = config["API_PUBLIC_URL"]
api_public_ws_url = config["API_PUBLIC_WS_URL"]
return {
"default-src": ["'self'", asset_domain],
@@ -166,14 +168,8 @@ def _csp(config):
"'self'",
"https://gov-bam.nr-data.net",
"https://www.google-analytics.com",
"http://localhost:6011",
"ws://localhost:6011",
"https://notify-api-staging.app.cloud.gov",
"wss://notify-api-staging.app.cloud.gov",
"https://notify-api-demo.app.cloud.gov",
"wss://notify-api-demo.app.cloud.gov",
"https://notify-api-production.app.cloud.gov",
"wss://notify-api-production.app.cloud.gov",
f"{api_public_url}",
f"{api_public_ws_url}",
],
"style-src": ["'self'", asset_domain],
"img-src": ["'self'", asset_domain, logo_domain],

8
app/assets/javascripts/socketio.js
View File

@@ -20,6 +20,14 @@ document.addEventListener('DOMContentLoaded', function () {
if (featureEnabled) {
const socket = io(apiHost);
socket.on('connect_error', (err) => {
console.error('Socket connect_error:', err);
});
socket.on('error', (err) => {
console.error('Socket error:', err);
});
socket.on('connect', () => {
socket.emit('join', { room: `job-${jobId}` });
});

5
app/config.py
View File

@@ -13,6 +13,7 @@ class Config(object):
NOTIFY_ENVIRONMENT = getenv("NOTIFY_ENVIRONMENT", "development")
API_HOST_NAME = getenv("API_HOST_NAME", "localhost")
API_PUBLIC_URL = getenv("API_PUBLIC_URL", "localhost")
API_PUBLIC_WS_URL = getenv("API_PUBLIC_WS_URL", "localhost")
ADMIN_BASE_URL = getenv("ADMIN_BASE_URL", "http://localhost:6012")
HEADER_COLOUR = (
@@ -132,9 +133,9 @@ class Test(Development):
WTF_CSRF_ENABLED = False
ASSET_DOMAIN = "static.example.com"
ASSET_PATH = "https://static.example.com/"
API_HOST_NAME = "http://you-forgot-to-mock-an-api-call-to"
API_PUBLIC_URL = "http://you-forgot-to-mock-an-api-call-to"
API_PUBLIC_WS_URL = "ws://you-forgot-to-mock-an-api-call-to"
REDIS_URL = "redis://you-forgot-to-mock-a-redis-call-to"
LOGO_CDN_DOMAIN = "static-logos.test.com"

1
deploy-config/demo.yml
View File

@@ -9,3 +9,4 @@ nr_agent_id: '1134302465'
nr_app_id: '1083160688'
FEATURE_SOCKET_ENABLED: true
API_PUBLIC_URL: https://notify-api-demo.app.cloud.gov
API_PUBLIC_WS_URL: wss://notify-api-demo.app.cloud.gov

1
deploy-config/production.yml
View File

@@ -9,3 +9,4 @@ nr_agent_id: '1050708682'
nr_app_id: '1050708682'
FEATURE_SOCKET_ENABLED: false
API_PUBLIC_URL: https://notify-api-production.app.cloud.gov
API_PUBLIC_WS_URL: wss://notify-api-production.app.cloud.gov

1
deploy-config/staging.yml
View File

@@ -9,3 +9,4 @@ nr_agent_id: '1134291385'
nr_app_id: '1031640326'
FEATURE_SOCKET_ENABLED: false
API_PUBLIC_URL: https://notify-api-staging.app.cloud.gov
API_PUBLIC_WS_URL: wss://notify-api-staging.app.cloud.gov

2
manifest.yml
View File

@@ -62,6 +62,6 @@ applications:
LOGIN_DOT_GOV_CERTS_URL: ((LOGIN_DOT_GOV_CERTS_URL))
API_PUBLIC_URL: ((API_PUBLIC_URL))
API_PUBLIC_WS_URL: ((API_PUBLIC_WS_URL))
# feature flagging
FEATURE_SOCKET_ENABLED: ((FEATURE_SOCKET_ENABLED))

30
tests/app/main/views/test_headers.py
View File

@@ -25,12 +25,28 @@ def test_owasp_useful_headers_set(
csp,
)
assert search(r"'nonce-[^']+';", csp)
assert search(r"connect-src", csp)
assert search(r"https:\/\/gov-bam\.nr-data\.net", csp)
assert search(r"https:\/\/www\.google-analytics\.com", csp)
assert search(r"http:\/\/localhost:6011", csp)
assert search(r"ws:\/\/localhost:6011", csp)
assert search(r"https:\/\/notify-api-.*\.app\.cloud\.gov", csp)
assert search(r"wss:\/\/notify-api-.*\.app\.cloud\.gov", csp)
connect_src = next(
(
directive
for directive in csp.split(";")
if directive.strip().startswith("connect-src")
),
None,
)
assert connect_src is not None, "connect-src directive is missing"
from flask import current_app
config = current_app.config
expected_sources = {
"'self'",
"https://gov-bam.nr-data.net",
"https://www.google-analytics.com",
config["API_PUBLIC_URL"],
config["API_PUBLIC_WS_URL"],
}
actual_sources = set(connect_src.strip().split()[1:])
assert (
expected_sources <= actual_sources
), f"Missing sources in connect-src: {expected_sources - actual_sources}"
assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com", csp)