bcgov · DerekRoberts · Mar 4, 2024 · Mar 4, 2024 · Mar 4, 2024 · Mar 4, 2024
@@ -24,23 +24,7 @@ jobs:
         id: calculate
         run: |
           echo "url_zone=$((${{ github.event.number }} % 50))" >> $GITHUB_OUTPUT
-
-      - uses: actions/checkout@v4
-
-      - name: Pull request size and stability labels
-        uses: actions/labeler@v5
-        continue-on-error: true
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-
-      - name: Conventional Label
-        uses: bcoe/conventional-release-labels@v1
-        continue-on-error: true
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          ignored_types: '["chore","pr"]'
-          type_labels: '{"feat": "feature", "fix": "fix", "bug": "fix", "doc": "documentation", "ci": "ci", "chore": "chore", "breaking": "breaking", "BREAKING CHANGE": "breaking"}'
-
+
       - name: Checkout branch
         uses: actions/checkout@v4
         with:
@@ -347,3 +331,26 @@ jobs:
           name: cypress-videos
           path: cypress/cypress/videos
           retention-days: 7
+
+  post-validation:
+    name: Post Validation
+    runs-on: ubuntu-22.04
+    needs:
+      - deploy
+      - cypress-run
+      - pr-validation
+    env:
+      DOMAIN: apps.silver.devops.gov.bc.ca
+      PREFIX: ${{ github.event.repository.name }}-${{ needs.pr-validation.outputs.url_zone }}
+    strategy:
+      matrix:
+        name: [backend, frontend]
+    steps:
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          allow_issue_writing: true
+          artifact_name: "zap_${{ github.event.number }}_${{ matrix.name }}"
+          cmd_options: "-a"
+          issue_title: "ZAP PR #${{ github.event.number }}: ${{ matrix.name }}"
+          target: "https://${{ env.PREFIX }}-${{ matrix.name }}.${{ env.DOMAIN }}"
@@ -109,6 +109,8 @@ objects:
                   value: https://${NAME}-${URL_ZONE}-frontend.${DOMAIN}
                 - name: LEGACY_URL
                   value: http://${NAME}-${ZONE}-legacy/api
+                - name: SELF_URI
+                  value: https://${NAME}-${URL_ZONE}-${COMPONENT}.${DOMAIN}
                 - name: CHES_CLIENT_ID
                   valueFrom:
                     secretKeyRef:
@@ -229,20 +231,3 @@ objects:
           targetPort: 8080
       selector:
         deploymentconfig: ${NAME}-${ZONE}-${COMPONENT}
-  - kind: Route
-    apiVersion: route.openshift.io/v1
-    metadata:
-      labels:
-        app: ${NAME}-${ZONE}
-      name: ${NAME}-${ZONE}-${COMPONENT}
-    spec:
-      host: ${NAME}-${URL_ZONE}-${COMPONENT}.${DOMAIN}
-      port:
-        targetPort: 8080-tcp
-      to:
-        kind: Service
-        name: ${NAME}-${ZONE}-${COMPONENT}
-        weight: 100
-      tls:
-        termination: edge
-        insecureEdgeTerminationPolicy: Redirect
@@ -3,6 +3,7 @@
 import ca.bc.gov.app.ApplicationConstant;
 import ca.bc.gov.app.security.ForestCorsCustomizer;
 import ca.bc.gov.app.security.ForestExchangeCustomizer;
+import ca.bc.gov.app.security.ForestHeadersCustomizer;
 import ca.bc.gov.app.security.ForestOauth2Customizer;
 import java.util.List;
 import org.springframework.context.annotation.Bean;
@@ -37,18 +38,20 @@ public class SecurityConfiguration {
    * @param http                 The ServerHttpSecurity object to be customized.
    * @param corsSpecCustomizer   The customizer for the CORS settings.
    * @param exchangeCustomizer   The customizer for the authorization rules.
-   * @param csrfSpecCustomizer   The customizer for the CSRF settings.
    * @param oauth2SpecCustomizer The customizer for the OAuth2 resource server settings.
+   * @param headersCustomizer    The customizer for the headers settings.
    * @return The configured SecurityWebFilterChain.
    */
   @Bean
   SecurityWebFilterChain springSecurityFilterChain(
       ServerHttpSecurity http,
       ForestCorsCustomizer corsSpecCustomizer,
       ForestExchangeCustomizer exchangeCustomizer,
-      ForestOauth2Customizer oauth2SpecCustomizer
+      ForestOauth2Customizer oauth2SpecCustomizer,
+      ForestHeadersCustomizer headersCustomizer
   ) {
     http
+        .headers(headersCustomizer)
         .authorizeExchange(exchangeCustomizer)
         .oauth2ResourceServer(oauth2SpecCustomizer)
         .cors(corsSpecCustomizer)

@@ -0,0 +1,52 @@
+package ca.bc.gov.app.security;
+
+import java.time.Duration;
+import java.util.UUID;
+import lombok.RequiredArgsConstructor;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec;
+import org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.XssProtectionSpec;
+import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy;
+import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;
+import org.springframework.stereotype.Component;
+
+@Component
+@RequiredArgsConstructor
+public class ForestHeadersCustomizer implements Customizer<HeaderSpec> {
+
+  @Value("${ca.bc.gov.nrs.self-uri}")
+  String selfUri;
+  @Value("${ca.bc.gov.nrs.security.environment:PROD}")
+  String environment;
+
+  @Override
+  public void customize(HeaderSpec headerSpec) {
+
+    String policyDirectives = String.join("; ",
+        "default-src 'none'",
+        "connect-src 'self' " + selfUri,
+        "script-src 'strict-dynamic' 'nonce-" + UUID.randomUUID()
+        + "' " + ( "local".equalsIgnoreCase(environment) ? "http: " : StringUtils.EMPTY) + "https:",
+        "object-src 'none'",
+        "base-uri 'none'",
+        "frame-ancestors 'none'",
+        "require-trusted-types-for 'script'",
+        "report-uri " + selfUri
+    );
+
+    headerSpec
+        .frameOptions(frameOptionsSpec -> frameOptionsSpec.mode(Mode.DENY))
+        .contentSecurityPolicy(
+            contentSecurityPolicySpec -> contentSecurityPolicySpec.policyDirectives(
+                policyDirectives))
+        .hsts(hstsSpec -> hstsSpec.maxAge(Duration.ofDays(30)).includeSubdomains(true))
+        .xssProtection(XssProtectionSpec::disable)
+        .contentTypeOptions(Customizer.withDefaults())
+        .referrerPolicy(referrerPolicySpec -> referrerPolicySpec.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
+        .permissionsPolicy(permissionsPolicySpec -> permissionsPolicySpec.policy(
+            "geolocation=(), microphone=(), camera=(), speaker=(), usb=(), bluetooth=(), payment=(), interest-cohort=()"))
+    ;
+  }
+}
@@ -94,6 +94,7 @@ ca:
     gov:
       nrs:
         submissionLimit: ${SUBMISSION_LIMIT:7D}
+        self-uri: ${SELF_URI:http://localhost:8080}
         ches:
           uri: ${CHES_API_URL:http://127.0.0.1:10010/chess/uri}
           tokenUrl: ${CHES_TOKEN_URL:http://127.0.0.1:10010/token/uri}

@@ -6,32 +6,43 @@
   }
 }
 
-:3000
-root * /srv
-respond /config 200 {
-	body `{"APP_TITLE":{$VITE_APP_TITLE}}`
-	close
-}
+:3000 {
+	header Content-Security-Policy "default-src 'self'; script-src 'self' {$BACKEND_URL} 'sha256-78ZXazjC54Vyx/bLgKdM8JyK8U1O4A8TfYVLwFADf5o=' 'sha256-Qs6++yhvyp3S1k2F02oXxvTs1oQRWRgd1/4EUgvgWlc='; img-src 'self'; connect-src 'self' {$BACKEND_URL} https://cognito-idp.{$COGNITO_REGION}.amazonaws.com https://*.auth.ca-central-1.amazoncognito.com/; frame-ancestors 'none';"
+	header Permissions-Policy "geolocation=(), microphone=(), camera=(), speaker=(), usb=(), bluetooth=(), payment=(), interest-cohort=()"
+	header Strict-Transport-Security "max-age=2592000; includeSubDomains;"
+	header Cache-Control "public, max-age=31536000"
+	header Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
+	header X-Content-Type-Options "nosniff"
+	header X-Frame-Options "DENY"
+	header -Server
 
-file_server
+	root * /srv
 
-@www_host {
-	host www.{$HOST_ROUTE}
-}
-redir @www_host http://{$HOST_ROUTE}{path}
+	respond /config 200 {
+		body `{"APP_TITLE":{$VITE_APP_TITLE}}`
+		close
+	}
 
-@unspecified_path {
-	not path_regexp ^\/0.0.0.0
-}
-handle @unspecified_path {
-	try_files {path} {path}/ /?_url={uri}
-}
+	file_server
 
-encode {
-	gzip 7
-}
+	@www_host {
+		host www.{$HOST_ROUTE}
+	}
+	redir @www_host http://{$HOST_ROUTE}{path}
+
+	@unspecified_path {
+		not path_regexp ^\/0.0.0.0
+	}
+	handle @unspecified_path {
+		try_files {path} {path}/ /?_url={uri}
+	}
+
+	encode {
+		gzip 7
+	}
 
-log {
-	output stdout
-	level {$LOG_LEVEL}
+	log {
+		output stdout
+		level {$LOG_LEVEL}
+	}
 }
@@ -15,12 +15,13 @@ FROM caddy:2.7.6-alpine
 # Copy static files and config
 COPY --from=build /app/dist /srv
 COPY Caddyfile /etc/caddy/Caddyfile
+COPY robots.txt /srv/robots.txt
 
 # Packages and caddy format
 RUN apk add --no-cache ca-certificates && \
-    caddy fmt --overwrite /etc/caddy/Caddyfile
+    caddy fmt --overwrite /etc/caddy/Caddyfile 
 
 # Port, health check and non-root user
 EXPOSE 3000
 HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:3000/
-USER 1001
+USER 1001
@@ -4,13 +4,17 @@
     <meta charset="UTF-8" />
     <link rel="icon" href="/img/favicon.ico" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" />
+    <meta http-equiv="Cache-Control" content="public, max-age=31536000">
     <script src="/data/config.js"></script>
     <title>Forest Client</title>
   </head>
 
   <body>
     <div id="app"></div>
-    <script type="module" src="/src/main.ts"></script>
+    <script 
+      type="module" 
+      src="/src/main.ts"
+    ></script>
     <script>
       window.global = window
       var exports = {}

@@ -154,6 +154,12 @@ objects:
               env:
                 - name: LOG_LEVEL
                   value: ${LOG_LEVEL}
+                - name: BACKEND_URL
+                  value: https://${NAME}-${URL_ZONE}-backend.${DOMAIN}
+                - name: FRONTEND_URL
+                  value: https://${NAME}-${URL_ZONE}-frontend.${DOMAIN}
+                - name: COGNITO_REGION
+                  value: ${COGNITO_REGION}
               imagePullPolicy: Always
               name: ${NAME}
               volumeMounts:

@@ -0,0 +1,3 @@
+# Stop all search engines from crawling this site
+User-agent: *
+Disallow: /