Merge branch 'dcouture-eks-csp' into 'master'

Dynamically add AWS URLs to CSP on EKS auth page See merge request gitlab-org/gitlab!80576

Merge branch 'dcouture-eks-csp' into 'master'
Dynamically add AWS URLs to CSP on EKS auth page See merge request gitlab-org/gitlab!80576
c29c5e4a · Alex Pooley · 3320965b · 6f448c03 · c29c5e4a · c29c5e4a
Commit c29c5e4a authored Feb 18, 2022 by Alex Pooley
4 changed files
--- a/app/controllers/clusters/clusters_controller.rb
+++ b/app/controllers/clusters/clusters_controller.rb
@@ -18,6 +18,15 @@ class Clusters::ClustersController < Clusters::BaseController
  helper_method :token_in_session

  STATUS_POLLING_INTERVAL = 10_000
+  AWS_CSP_DOMAINS = %w[https://ec2.ap-east-1.amazonaws.com https://ec2.ap-northeast-1.amazonaws.com https://ec2.ap-northeast-2.amazonaws.com https://ec2.ap-northeast-3.amazonaws.com https://ec2.ap-south-1.amazonaws.com https://ec2.ap-southeast-1.amazonaws.com https://ec2.ap-southeast-2.amazonaws.com https://ec2.ca-central-1.amazonaws.com https://ec2.eu-central-1.amazonaws.com https://ec2.eu-north-1.amazonaws.com https://ec2.eu-west-1.amazonaws.com https://ec2.eu-west-2.amazonaws.com https://ec2.eu-west-3.amazonaws.com https://ec2.me-south-1.amazonaws.com https://ec2.sa-east-1.amazonaws.com https://ec2.us-east-1.amazonaws.com https://ec2.us-east-2.amazonaws.com https://ec2.us-west-1.amazonaws.com https://ec2.us-west-2.amazonaws.com https://ec2.af-south-1.amazonaws.com https://iam.amazonaws.com].freeze
+
+  content_security_policy do |p|
+    next if p.directives.blank?
+
+    default_connect_src = p.directives['connect-src'] || p.directives['default-src']
+    connect_src_values = Array.wrap(default_connect_src) | AWS_CSP_DOMAINS
+    p.connect_src(*connect_src_values)
+  end

  def index
    @clusters = cluster_list

--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -15,7 +15,7 @@ module Gitlab
        directives = {
          'default_src' => "'self'",
          'base_uri' => "'self'",
-          'connect_src' => "'self'",
+          'connect_src' => ContentSecurityPolicy::Directives.connect_src,
          'font_src' => "'self'",
          'form_action' => "'self' https: http:",
          'frame_ancestors' => "'self'",

--- a/lib/gitlab/content_security_policy/directives.rb
+++ b/lib/gitlab/content_security_policy/directives.rb
@@ -7,6 +7,10 @@
 module Gitlab
  module ContentSecurityPolicy
    module Directives
+      def self.connect_src
+        "'self'"
+      end
+
      def self.frame_src
        "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html"
      end

--- a/spec/features/clusters/cluster_detail_page_spec.rb
+++ b/spec/features/clusters/cluster_detail_page_spec.rb
@@ -36,6 +36,20 @@ RSpec.describe 'Clusterable > Show page' do

      expect(page).not_to have_selector('[data-testid="cluster-environments-tab"]')
    end
+
+    context 'content-security policy' do
+      it 'has AWS domains in the CSP' do
+        visit cluster_path
+
+        expect(response_headers['Content-Security-Policy']).to include(::Clusters::ClustersController::AWS_CSP_DOMAINS.join(' '))
+      end
+
+      it 'keeps existing connect-src in the CSP' do
+        visit cluster_path
+
+        expect(response_headers['Content-Security-Policy']).to include("connect-src #{Gitlab::ContentSecurityPolicy::Directives.connect_src}")
+      end
+    end
  end

  shared_examples 'editing a GCP cluster' do