Commit b25d1190 authored by Alper Akgun's avatar Alper Akgun

Merge branch 'snowplow-micro-csp' into 'master'

Setup CSP to allow Snowplow Micro in development env

See merge request gitlab-org/gitlab!74887
parents 2fcaaf65 9a19db46
...@@ -36,6 +36,7 @@ module Gitlab ...@@ -36,6 +36,7 @@ module Gitlab
if Rails.env.development? if Rails.env.development?
allow_webpack_dev_server(directives) allow_webpack_dev_server(directives)
allow_letter_opener(directives) allow_letter_opener(directives)
allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled?
allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present? allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present?
end end
...@@ -138,6 +139,11 @@ module Gitlab ...@@ -138,6 +139,11 @@ module Gitlab
append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/')) append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/'))
end end
def self.allow_snowplow_micro(directives)
url = URI.join(Gitlab::Tracking::Destinations::SnowplowMicro.new.uri, '/').to_s
append_to_directive(directives, 'connect_src', url)
end
# Using 'self' in the CSP introduces several CSP bypass opportunities # Using 'self' in the CSP introduces several CSP bypass opportunities
# for this reason we list the URLs where GitLab frames itself instead # for this reason we list the URLs where GitLab frames itself instead
def self.allow_framed_gitlab_paths(directives) def self.allow_framed_gitlab_paths(directives)
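Review bot: `allow_snowplow_micro` derives a CSP source expression from a developer-supplied value (`SnowplowMicro#uri` is built from `ENV['SNOWPLOW_MICRO_URI']`, visible in the destination hunk below), and `URI.join(uri, '/')` strips the path but keeps any userinfo the variable carries, which is not part of the CSP host-source grammar and would leave the added entry ignored by the browser. Since this only runs under `Rails.env.development?` the exposure is nil, but the intent is clearer and the output always well-formed if the entry is assembled from parsed components: `uri = Gitlab::Tracking::Destinations::SnowplowMicro.new.uri` followed by `append_to_directive(directives, 'connect_src', "#{uri.scheme}://#{uri.host}:#{uri.port}/")`. A one-line why-comment would also help the next reader: `# connect-src gets the collector origin only (trailing '/'), so every collector endpoint path is covered`. The surrounding `ConfigLoader` module starts and ends outside this hunk.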
...@@ -25,6 +25,10 @@ module Gitlab ...@@ -25,6 +25,10 @@ module Gitlab
snowplow.hostname snowplow.hostname
end end
def snowplow_micro_enabled?
Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'])
end
private private
def snowplow def snowplow
...@@ -34,10 +38,6 @@ module Gitlab ...@@ -34,10 +38,6 @@ module Gitlab
Gitlab::Tracking::Destinations::Snowplow.new Gitlab::Tracking::Destinations::Snowplow.new
end end
end end
def snowplow_micro_enabled?
Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'])
end
end end
end end
end end
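Review bot: the now-public `snowplow_micro_enabled?` returns whatever `Gitlab::Utils.to_boolean` yields for an unset or unrecognised `SNOWPLOW_MICRO_ENABLE`; if that helper falls back to a `nil` default, as its `default:` keyword in the rest of the codebase suggests, a `?` predicate that is now called from the CSP loader answers `nil` rather than `false`. Callers using it in a boolean context are unaffected, but passing an explicit default keeps the contract honest: `Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'], default: false)`. The body is identical to the private copy being removed, so existing in-module callers see no behaviour change. The enclosing module and its `private` section run beyond both hunks.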
...@@ -23,8 +23,6 @@ module Gitlab ...@@ -23,8 +23,6 @@ module Gitlab
"#{uri.host}:#{uri.port}" "#{uri.host}:#{uri.port}"
end end
private
def uri def uri
strong_memoize(:snowplow_uri) do strong_memoize(:snowplow_uri) do
uri = URI(ENV['SNOWPLOW_MICRO_URI'] || DEFAULT_URI) uri = URI(ENV['SNOWPLOW_MICRO_URI'] || DEFAULT_URI)
...@@ -33,6 +31,8 @@ module Gitlab ...@@ -33,6 +31,8 @@ module Gitlab
end end
end end
private
override :cookie_domain override :cookie_domain
def cookie_domain def cookie_domain
'.gitlab.com' '.gitlab.com'
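Review bot: moving `private` below `uri` makes the memoized `URI` object part of `SnowplowMicro`'s public interface with nothing saying why, and `URI` instances are mutable, so an external caller that adjusts the returned object (e.g. assigning `path`) would silently change what `hostname` and every later caller see. A short comment states the intent and the expectation: `# Public: the CSP loader derives the development connect-src entry from this URI; treat the returned object as read-only`. If that guarantee matters, returning `strong_memoize(...).dup` is a one-line alternative. The body of `uri` continues in the collapsed context between the two hunks, so only its first lines are visible here.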
...@@ -128,7 +128,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -128,7 +128,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
end end
context 'letter_opener applicaiton URL' do context 'letter_opener application URL' do
let(:gitlab_url) { 'http://gitlab.example.com' } let(:gitlab_url) { 'http://gitlab.example.com' }
let(:letter_opener_url) { "#{gitlab_url}/rails/letter_opener/" } let(:letter_opener_url) { "#{gitlab_url}/rails/letter_opener/" }
...@@ -156,6 +156,46 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -156,6 +156,46 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
end end
end end
context 'Snowplow Micro event collector' do
let(:snowplow_micro_hostname) { 'localhost:9090' }
let(:snowplow_micro_url) { "http://#{snowplow_micro_hostname}/" }
before do
stub_env('SNOWPLOW_MICRO_ENABLE', 1)
allow(Gitlab::Tracking).to receive(:collector_hostname).and_return(snowplow_micro_hostname)
end
context 'when in production' do
before do
stub_rails_env('production')
end
it 'does not add Snowplow Micro URL to connect-src' do
expect(directives['connect_src']).not_to include(snowplow_micro_url)
end
end
context 'when in development' do
before do
stub_rails_env('development')
end
it 'adds Snowplow Micro URL with trailing slash to connect-src' do
expect(directives['connect_src']).to match(Regexp.new(snowplow_micro_url))
end
context 'when not enabled using ENV[SNOWPLOW_MICRO_ENABLE]' do
before do
stub_env('SNOWPLOW_MICRO_ENABLE', nil)
end
it 'does not add Snowplow Micro URL to connect-src' do
expect(directives['connect_src']).not_to include(snowplow_micro_url)
end
end
end
end
end end
describe '#load' do describe '#load' do
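Review bot: the `before` block for the new Snowplow Micro context stubs `Gitlab::Tracking.collector_hostname`, but `allow_snowplow_micro` reads `SnowplowMicro.new.uri`, which is built from `ENV['SNOWPLOW_MICRO_URI']` and a default rather than from `collector_hostname`, so the stub does not drive the URL under test and the positive example passes only while the default happens to be `http://localhost:9090`. Stubbing the input the code actually reads makes the test self-contained: `stub_env('SNOWPLOW_MICRO_URI', "http://#{snowplow_micro_hostname}")`. Separately, `match(Regexp.new(snowplow_micro_url))` compiles an unescaped URL as a pattern; `expect(directives['connect_src']).to include(snowplow_micro_url)` matches the two negative assertions in the same context and needs no escaping.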