From 674cd4a88c12db5206e8df06eae99858a7a4275e Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Thu, 24 Jun 2021 13:04:53 -0500 Subject: [PATCH] Adjust our securityheader pkg to support form_post. Our Supervisor callback handler now needs to load JS and CSS from the provider endpoint, and this JS needs to make a `fetch()` call across origins (to post the form to the CLI callback). This requires a custom Content-Security-Policy compared to other pages we render. Signed-off-by: Matt Moyer --- .../httputil/securityheader/securityheader.go | 12 ++- .../securityheader/securityheader_test.go | 93 ++++++++++++------- 2 files changed, 71 insertions(+), 34 deletions(-) diff --git a/internal/httputil/securityheader/securityheader.go b/internal/httputil/securityheader/securityheader.go index 2bb3af12..e95edd0b 100644 --- a/internal/httputil/securityheader/securityheader.go +++ b/internal/httputil/securityheader/securityheader.go @@ -1,16 +1,22 @@ -// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package securityheader implements an HTTP middleware for setting security-related response headers. package securityheader -import "net/http" +import ( + "net/http" +) // Wrap the provided http.Handler so it sets appropriate security-related response headers. func Wrap(wrapped http.Handler) http.Handler { + return WrapWithCustomCSP(wrapped, "default-src 'none'; frame-ancestors 'none'") +} + +func WrapWithCustomCSP(wrapped http.Handler, cspHeader string) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { h := w.Header() - h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'") + h.Set("Content-Security-Policy", cspHeader) h.Set("X-Frame-Options", "DENY") h.Set("X-XSS-Protection", "1; mode=block") h.Set("X-Content-Type-Options", "nosniff") diff --git a/internal/httputil/securityheader/securityheader_test.go b/internal/httputil/securityheader/securityheader_test.go index 7ee7331f..639c495c 100644 --- a/internal/httputil/securityheader/securityheader_test.go +++ b/internal/httputil/securityheader/securityheader_test.go @@ -16,40 +16,71 @@ import ( ) func TestWrap(t *testing.T) { - testServer := httptest.NewServer(Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("X-Test-Header", "test value") - _, _ = w.Write([]byte("hello world")) - }))) - t.Cleanup(testServer.Close) + for _, tt := range []struct { + name string + wrapFunc func(http.Handler) http.Handler + expectHeaders http.Header + }{ + { + name: "wrap", + wrapFunc: Wrap, + expectHeaders: http.Header{ + "X-Test-Header": []string{"test value"}, + "Content-Security-Policy": []string{"default-src 'none'; frame-ancestors 'none'"}, + "Content-Type": []string{"text/plain; charset=utf-8"}, + "Referrer-Policy": []string{"no-referrer"}, + "X-Content-Type-Options": []string{"nosniff"}, + "X-Frame-Options": []string{"DENY"}, + "X-Xss-Protection": []string{"1; mode=block"}, + "X-Dns-Prefetch-Control": []string{"off"}, + "Cache-Control": []string{"no-cache,no-store,max-age=0,must-revalidate"}, + "Pragma": []string{"no-cache"}, + "Expires": []string{"0"}, + }, + }, + { + name: "custom CSP", + wrapFunc: func(h http.Handler) http.Handler { return WrapWithCustomCSP(h, "my-custom-csp-header") }, + expectHeaders: http.Header{ + "X-Test-Header": []string{"test value"}, + "Content-Security-Policy": []string{"my-custom-csp-header"}, + "Content-Type": []string{"text/plain; charset=utf-8"}, + "Referrer-Policy": []string{"no-referrer"}, + "X-Content-Type-Options": []string{"nosniff"}, + "X-Frame-Options": []string{"DENY"}, + "X-Xss-Protection": []string{"1; mode=block"}, + "X-Dns-Prefetch-Control": []string{"off"}, + "Cache-Control": []string{"no-cache,no-store,max-age=0,must-revalidate"}, + "Pragma": []string{"no-cache"}, + "Expires": []string{"0"}, + }, + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + testServer := httptest.NewServer(tt.wrapFunc(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("X-Test-Header", "test value") + _, _ = w.Write([]byte("hello world")) + }))) + t.Cleanup(testServer.Close) - ctx, cancel := context.WithTimeout(context.Background(), time.Minute) - defer cancel() + ctx, cancel := context.WithTimeout(context.Background(), time.Minute) + defer cancel() - req, err := http.NewRequestWithContext(ctx, http.MethodGet, testServer.URL, nil) - require.NoError(t, err) - resp, err := http.DefaultClient.Do(req) - require.NoError(t, err) - defer resp.Body.Close() - require.Equal(t, http.StatusOK, resp.StatusCode) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, testServer.URL, nil) + require.NoError(t, err) + resp, err := http.DefaultClient.Do(req) + require.NoError(t, err) + defer resp.Body.Close() + require.Equal(t, http.StatusOK, resp.StatusCode) - respBody, err := ioutil.ReadAll(resp.Body) - require.NoError(t, err) - require.Equal(t, "hello world", string(respBody)) + respBody, err := ioutil.ReadAll(resp.Body) + require.NoError(t, err) + require.Equal(t, "hello world", string(respBody)) - expected := http.Header{ - "X-Test-Header": []string{"test value"}, - "Content-Security-Policy": []string{"default-src 'none'; frame-ancestors 'none'"}, - "Content-Type": []string{"text/plain; charset=utf-8"}, - "Referrer-Policy": []string{"no-referrer"}, - "X-Content-Type-Options": []string{"nosniff"}, - "X-Frame-Options": []string{"DENY"}, - "X-Xss-Protection": []string{"1; mode=block"}, - "X-Dns-Prefetch-Control": []string{"off"}, - "Cache-Control": []string{"no-cache,no-store,max-age=0,must-revalidate"}, - "Pragma": []string{"no-cache"}, - "Expires": []string{"0"}, - } - for key, values := range expected { - assert.Equalf(t, values, resp.Header.Values(key), "unexpected values for header %s", key) + for key, values := range tt.expectHeaders { + assert.Equalf(t, values, resp.Header.Values(key), "unexpected values for header %s", key) + } + }) } }