Commit 9a19db46 authored by Eugie Limpin's avatar Eugie Limpin Committed by Alper Akgun

Setup CSP to allow Snowplow Micro in development env

parent d6e94fa6
......@@ -36,6 +36,7 @@ module Gitlab
if Rails.env.development?
allow_webpack_dev_server(directives)
allow_letter_opener(directives)
allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled?
allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present?
end
......@@ -138,6 +139,11 @@ module Gitlab
append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/'))
end
def self.allow_snowplow_micro(directives)
url = URI.join(Gitlab::Tracking::Destinations::SnowplowMicro.new.uri, '/').to_s
append_to_directive(directives, 'connect_src', url)
end
# Using 'self' in the CSP introduces several CSP bypass opportunities
# for this reason we list the URLs where GitLab frames itself instead
def self.allow_framed_gitlab_paths(directives)
......
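Review bot: `allow_snowplow_micro` builds the connect-src entry from an environment-supplied URI (`SnowplowMicro.new.uri`, which the other file in this commit parses from `ENV['SNOWPLOW_MICRO_URI']`), and the `URI.join(..., '/')` step is what strips any path or query from that value before it lands in the policy, yet nothing says so; a comment would keep a later "simplification" from dropping it: `# Reduce the configured collector URI to scheme://host:port/ so only its origin is allowlisted in connect-src`. Note that `URI.join` keeps userinfo from the base URI, so credentials in the env value would be copied into the CSP header verbatim — presumably acceptable for a development-only path, but worth stating in the same comment. Both the call site and `Gitlab::Tracking.snowplow_micro_enabled?` check `Rails.env.development?`; the double guard is fine, but a short note that the predicate already enforces the environment would stop a refactor from removing the wrong one. The method enclosing the first hunk starts before the hunk.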
......@@ -25,6 +25,10 @@ module Gitlab
snowplow.hostname
end
def snowplow_micro_enabled?
Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'])
end
private
def snowplow
......@@ -34,10 +38,6 @@ module Gitlab
Gitlab::Tracking::Destinations::Snowplow.new
end
end
def snowplow_micro_enabled?
Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'])
end
end
end
end
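Review bot: `snowplow_micro_enabled?` becomes part of the module's public interface here, with the `Rails.env.development?` check inside it now being the thing callers rely on, so it deserves a doc comment: `# Snowplow Micro is a development-only collector; it is switched on with SNOWPLOW_MICRO_ENABLE and this predicate is always false outside development`. Presumably `Gitlab::Utils.to_boolean(nil)` yields `nil` when the variable is unset, in which case the predicate returns `nil` rather than `false`; that is fine for `if` guards but a caller comparing against `false` would be surprised, so either document it or coerce the result explicitly.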
......@@ -23,8 +23,6 @@ module Gitlab
"#{uri.host}:#{uri.port}"
end
private
def uri
strong_memoize(:snowplow_uri) do
uri = URI(ENV['SNOWPLOW_MICRO_URI'] || DEFAULT_URI)
......@@ -33,6 +31,8 @@ module Gitlab
end
end
private
override :cookie_domain
def cookie_domain
'.gitlab.com'
......
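Review bot: `uri` moves out of the private section so that `ConfigLoader` can read it, but the memoized value is the raw `URI(ENV['SNOWPLOW_MICRO_URI'] || DEFAULT_URI)` parse, so any path, query or userinfo from the environment now forms part of the class's public contract; a YARD comment would tell callers they must normalize it themselves: `# @return [URI] the collector URI exactly as configured by SNOWPLOW_MICRO_URI (or DEFAULT_URI), not normalized`. `URI()` raises `URI::InvalidURIError` on a malformed value, and with this change that error surfaces while the CSP is being built in development rather than only when an event is sent — worth either a note or a rescue that names the variable. The body of `uri` continues past the end of the first hunk.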
......@@ -128,7 +128,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
end
context 'letter_opener applicaiton URL' do
context 'letter_opener application URL' do
let(:gitlab_url) { 'http://gitlab.example.com' }
let(:letter_opener_url) { "#{gitlab_url}/rails/letter_opener/" }
......@@ -156,6 +156,46 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
end
end
context 'Snowplow Micro event collector' do
let(:snowplow_micro_hostname) { 'localhost:9090' }
let(:snowplow_micro_url) { "http://#{snowplow_micro_hostname}/" }
before do
stub_env('SNOWPLOW_MICRO_ENABLE', 1)
allow(Gitlab::Tracking).to receive(:collector_hostname).and_return(snowplow_micro_hostname)
end
context 'when in production' do
before do
stub_rails_env('production')
end
it 'does not add Snowplow Micro URL to connect-src' do
expect(directives['connect_src']).not_to include(snowplow_micro_url)
end
end
context 'when in development' do
before do
stub_rails_env('development')
end
it 'adds Snowplow Micro URL with trailing slash to connect-src' do
expect(directives['connect_src']).to match(Regexp.new(snowplow_micro_url))
end
context 'when not enabled using ENV[SNOWPLOW_MICRO_ENABLE]' do
before do
stub_env('SNOWPLOW_MICRO_ENABLE', nil)
end
it 'does not add Snowplow Micro URL to connect-src' do
expect(directives['connect_src']).not_to include(snowplow_micro_url)
end
end
end
end
end
describe '#load' do
......
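Review bot: The positive assertion in the development context uses `match(Regexp.new(snowplow_micro_url))`, which interpolates an unescaped URL — each `.` matches any character and the pattern is unanchored — while the two negative cases use `include`; `expect(directives['connect_src']).to include(snowplow_micro_url)` checks the literal string and keeps the three examples consistent. The `before` block stubs `Gitlab::Tracking.collector_hostname`, but `allow_snowplow_micro` reads `SnowplowMicro.new.uri`, which is derived from `ENV['SNOWPLOW_MICRO_URI']`, so the stub appears not to reach the code under test and the expectation seems to pass only because the default URI happens to be `http://localhost:9090/`; `stub_env('SNOWPLOW_MICRO_URI', snowplow_micro_url)` would exercise the real path. `stub_env('SNOWPLOW_MICRO_ENABLE', 1)` passes an Integer where real environment values are always Strings; `stub_env('SNOWPLOW_MICRO_ENABLE', '1')` matches what `Gitlab::Utils.to_boolean` sees in practice.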