From fbb4776faf4c5d110ad91d5074d4791be10a0bf9 Mon Sep 17 00:00:00 2001
From: haburger
Date: Fri, 29 Nov 2024 06:56:43 +0000
Subject: [PATCH] new configuration version
---
 ...instance-idm-3bc06037962ad13be0a3a95d.yaml | 2 +-
 .../WEB-INF/csp_security_response_headers.lua | 18 ++++++++
 .../WEB-INF/web.xml | 46 ++++++++++++++++---
 ...oxy-instance-bd83dfbd467e8211ffe71d28.yaml | 2 +-
 .../WEB-INF/csp_security_response_headers.lua | 18 ++++++++
 .../WEB-INF/web.xml | 46 ++++++++++++++++---
 6 files changed, 118 insertions(+), 14 deletions(-)
 create mode 100644 DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua
 create mode 100644 DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml
index 17aed9b..1c0737e 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml
@@ -46,7 +46,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-cd771331fc5533d563e060e912962ba97444b86b"
+ tag: "r-6cf60cd5531f9aed26896314800fd102f3af114f"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua
new file mode 100644
index 0000000..ba9b8be
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua
@@ -0,0 +1,18 @@
+function outputHeader(request, response)
+ trace = request:getTracer()
+
+ cspHeader = response:getHeader("content-security-policy")
+ if (cspHeader ~= nil) then
+ trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+ else
+ trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+ response:setHeader("content-security-policy", param_csp)
+ end
+
+ if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+ trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+ response:setHeader("content-security-policy-report-only", param_report_only_csp)
+ else
+ trace:debug("AGOV CSP: No report only CSP-header set")
+ end
+end
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/web.xml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/web.xml
index 587a64f..993f1ff 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/web.xml
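Review bot: `trace` and `cspHeader` (second and fourth added lines) are assigned without `local`, so they land in the global environment of the filter's Lua state and, if nevisProxy reuses that state across requests (not visible here, but usual for a long-lived filter), a value from one response can outlive it; change them to `local trace = request:getTracer()` and `local cspHeader = response:getHeader("content-security-policy")`. In the else branch `.. param_csp ..` raises "attempt to concatenate a nil value" when the `param_csp` init-param is missing, which hides a missing security control behind a generic Lua error; an explicit precondition such as `assert(param_csp, "AGOV CSP: param_csp not configured")` at the top of the function names the misconfiguration. The first branch keeps whatever Content-Security-Policy the backend emits, including one weaker than the AGOV default, so if that precedence is intended a header comment should say so, e.g. `-- A backend-supplied CSP always wins over param_csp; only the report-only header is applied unconditionally.` The debug message has a typo, "Additionl". The same script is added as the identical blob ba9b8be under proxy-sp later in this commit, so all of this applies there as well.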
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/web.xml @@ -100,6 +100,36 @@ + + + Lua_CSP_Security_Response_Headers + ch::nevis::isiweb4::filter::lua::LuaFilter + + + Script.Namespace + param_ + + + + Script.OutputHeaderFunctionName + outputHeader + + + + Script.Path + /var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua + + + + param_csp + default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self'; + + + + param_report_only_csp + default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self'; + + ModSecurity_nevisIDM_Administration_GUI 
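Review bot: The enforced policy in `param_csp` allows `style-src 'self' 'unsafe-inline'`, whereas the Content-Security-Policy-Report-Only header this commit removes from the HeaderDelegationFilter (next hunk) pinned inline styles to sha256 hashes; enforcing 'unsafe-inline' for styles gives up the protection against injected CSS that the hashes provided, so if the hashes were dropped deliberately a short XML comment next to the param-value should record why. `default-src 'none'` does not govern `frame-ancestors` or `base-uri`, so unless the base header filter already sends X-Frame-Options (its unchanged lines are outside this hunk) consider appending `frame-ancestors 'none'; base-uri 'self';` for an admin GUI that is not meant to be framed. `form-action` now admits the whole `https://trustbroker.agov-d.azure.adnovum.net/` origin, where the removed header allowed only `/adfs/ls`, plus `https://me.agov-d.azure.adnovum.net/`; worth confirming the wider allow-list is intended. The same init-params are added to the proxy-sp web.xml later in this commit, so these points apply there too.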
@@ -175,15 +205,14 @@ false - + - ResponseHeader_Security_Response_Headers + ResponseHeader_Base_Security_Response_Headers ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter - + DelegateToFrontend - Content-Security-Policy-Report-Only:default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; img-src 'self'; style-src 'self' 'sha256-/yxYnm5QjS5hz1/KbfNQ/Deyfb9rK1xZefYJGNT9UmU=' 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-DHdp+1g/LIFDKreGcezYZywjzyvqUEbmjv4fv+nEQeE=' 'sha256-DtJ0G5eArSV7tvvFUUeV7iyiWfBGflIkRW64/tmMWUk=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=' 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-dnsMWK7eeuHUJm/wLL2CXCibJJV0lnUxjpqlu5fcUsg=' 'sha256-iKyiqXXi2KXxNcOUCr+VCUo09ipHFWuIkztLNvUXhd0=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls; font-src 'self'; connect-src 'self'; Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Opener-Policy:same-origin Cross-Origin-Resource-Policy:same-site @@ -377,9 +406,14 @@ URLHandler_Virtual_Host_idmOperations-Loggedout /* - + - ResponseHeader_Security_Response_Headers + Lua_CSP_Security_Response_Headers + /* + + + + ResponseHeader_Base_Security_Response_Headers /* diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml index eb60fb5..9a731ff 100644 --- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml 
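Review bot: The new filter-mappings in the second hunk here map `Lua_CSP_Security_Response_Headers` before `ResponseHeader_Base_Security_Response_Headers`, whereas the corresponding hunk in the proxy-sp web.xml (last hunk of this commit) maps them the other way round. If nevisProxy builds the response chain from mapping order — inferred, not visible in the diff — the Lua filter's `getHeader("content-security-policy")` check runs at a different point on the two hosts relative to the base header filter. Neither base filter sets a CSP after this change, so there is probably no functional difference today, but the two files should use one order so that a header added to the base filter later behaves the same on both hosts.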
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml
@@ -46,7 +46,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-868174843070c36c5da54e3a43d558da046b6ce7"
+ tag: "r-6cf60cd5531f9aed26896314800fd102f3af114f"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua
new file mode 100644
index 0000000..ba9b8be
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua
@@ -0,0 +1,18 @@
+function outputHeader(request, response)
+ trace = request:getTracer()
+
+ cspHeader = response:getHeader("content-security-policy")
+ if (cspHeader ~= nil) then
+ trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+ else
+ trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+ response:setHeader("content-security-policy", param_csp)
+ end
+
+ if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+ trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+ response:setHeader("content-security-policy-report-only", param_report_only_csp)
+ else
+ trace:debug("AGOV CSP: No report only CSP-header set")
+ end
+end
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/web.xml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/web.xml index 33861f9..0596f47 100644 --- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/web.xml +++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/web.xml @@ -175,6 +175,36 @@ + + + Lua_CSP_Security_Response_Headers + ch::nevis::isiweb4::filter::lua::LuaFilter + + + Script.Namespace + param_ + + + + Script.OutputHeaderFunctionName + outputHeader + + + + Script.Path + /var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua + + + + param_csp + default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self'; + + + + param_report_only_csp + default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self'; + + ModSecurity_GreenMail 
@@ -270,15 +300,14 @@ false - + - ResponseHeader_Security_Response_Headers + ResponseHeader_Base_Security_Response_Headers ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter - + DelegateToFrontend - Content-Security-Policy-Report-Only:default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; img-src 'self'; style-src 'self' 'sha256-/yxYnm5QjS5hz1/KbfNQ/Deyfb9rK1xZefYJGNT9UmU=' 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-DHdp+1g/LIFDKreGcezYZywjzyvqUEbmjv4fv+nEQeE=' 'sha256-DtJ0G5eArSV7tvvFUUeV7iyiWfBGflIkRW64/tmMWUk=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=' 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-dnsMWK7eeuHUJm/wLL2CXCibJJV0lnUxjpqlu5fcUsg=' 'sha256-iKyiqXXi2KXxNcOUCr+VCUo09ipHFWuIkztLNvUXhd0=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls; font-src 'self'; connect-src 'self'; Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Opener-Policy:same-origin Cross-Origin-Resource-Policy:same-site @@ -517,9 +546,14 @@ URLHandler_Virtual_Host_idmOperations-Loggedout /* - + - ResponseHeader_Security_Response_Headers + ResponseHeader_Base_Security_Response_Headers + /* + + + + Lua_CSP_Security_Response_Headers /*