fix(FSADT1-1241): adding csrf support #864

Merged
merged 64 commits into from
Mar 14, 2024
ddad87a
ci: adding zap on the CI for verification
paulushcgcj Mar 4, 2024
a3c36ee
fix(zap:fe): fixing Content Security Policy (CSP) Header Not Set
paulushcgcj Mar 4, 2024
ce70efd
fix: updating caddy
paulushcgcj Mar 4, 2024
e190a56
fix(FSADT1-1234): adding nonce value
paulushcgcj Mar 4, 2024
098a7ad
fix(FSADT1-1234): fixing index file permission
paulushcgcj Mar 4, 2024
4d6790b
chore: fixing nonce
paulushcgcj Mar 4, 2024
d19c405
fix: fixing nonce hash
paulushcgcj Mar 4, 2024
68f6bcc
fix: fixing sha
paulushcgcj Mar 4, 2024
8bb7c4d
fix(FSADT1-1234): adding Permission Policy header
paulushcgcj Mar 4, 2024
22d645f
fix(FSADT1-1234): adding Strict-Transport-Security header
paulushcgcj Mar 4, 2024
8973fe5
fix(FSADT1-1234): adding cache control and strict transport
paulushcgcj Mar 4, 2024
2844632
fix(FSADT1-1234): adding some missing headers
paulushcgcj Mar 4, 2024
16bbc4f
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 5, 2024
06c9353
chore: removing some actions
paulushcgcj Mar 5, 2024
3d92817
chore: adding self url
paulushcgcj Mar 5, 2024
2f71be2
fix(FSADT1-1234): adding header customizer
paulushcgcj Mar 5, 2024
c0f7003
ci: adding mozilla observatory
paulushcgcj Mar 5, 2024
a3130ae
fix(FSADT1-1234): updating headers
paulushcgcj Mar 5, 2024
828aedb
ci: fixing ci
paulushcgcj Mar 5, 2024
319a796
chore: fixing a few bits
paulushcgcj Mar 5, 2024
0efedf5
fix(FSADT1-1234): fixing allowlist
paulushcgcj Mar 5, 2024
749d395
fix(FSADT1-1234): fixing BE headers
paulushcgcj Mar 5, 2024
d474936
fix(FSADT1-1234): updating headers
paulushcgcj Mar 5, 2024
7a69ac5
ci: fixing fe
paulushcgcj Mar 5, 2024
379f793
ci: replacing sha for nonce
paulushcgcj Mar 5, 2024
0bd554e
ci: fixing index
paulushcgcj Mar 5, 2024
5985449
ci: fixing caddy
paulushcgcj Mar 5, 2024
d468e51
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 5, 2024
32aece1
Add to CSP
DerekRoberts Mar 6, 2024
2d96540
Merge branch 'main' into fix/FSADT1-1234
DerekRoberts Mar 6, 2024
3404451
Remove backend route
DerekRoberts Mar 6, 2024
84443b1
ci: fixing merge main
paulushcgcj Mar 6, 2024
1a6ab2d
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 6, 2024
703b8f2
chore: adding route to backend back
paulushcgcj Mar 6, 2024
5884fc8
fix(FSADT1-1234): adding sha loading for scripts
paulushcgcj Mar 6, 2024
21c46d8
fix: fixing caddy admin port
paulushcgcj Mar 6, 2024
5be838a
fix(FSADT1-1234): removing eval
paulushcgcj Mar 8, 2024
6ff960d
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 11, 2024
6690538
fix(FSADT1-1234): adding fam domain to connect-src
paulushcgcj Mar 11, 2024
3296780
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 11, 2024
c293535
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 11, 2024
51f60a8
fix: fixing caddy
paulushcgcj Mar 11, 2024
7e7a471
test: fixing tests
paulushcgcj Mar 11, 2024
6386dec
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 11, 2024
efd3858
chore: fixing missing comma
paulushcgcj Mar 11, 2024
8cc32b6
Merge branch 'main' into fix/FSADT1-1234
mamartinezmejia Mar 11, 2024
fb19a89
fix: fixing notfound not returning 404
paulushcgcj Mar 11, 2024
c0525f1
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 12, 2024
2c4ecd9
chore: removing zap from pr
paulushcgcj Mar 12, 2024
1e07d0d
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 12, 2024
bc21d8d
Merge branch 'main' into fix/FSADT1-1234
paulushcgcj Mar 12, 2024
8456b48
fix(FSADT1-1241): adding csrf again
paulushcgcj Mar 12, 2024
5501ce4
Merge branch 'main' into fix/FSADT1-1241
paulushcgcj Mar 12, 2024
f571f62
chore: changing ches message
paulushcgcj Mar 12, 2024
1b8c68d
Merge branch 'main' into fix/FSADT1-1241
paulushcgcj Mar 13, 2024
c70b919
fix(FSADT1-1125): fixing logout issues
paulushcgcj Mar 13, 2024
a7f523e
fix: removing unwanted parameters
paulushcgcj Mar 13, 2024
ae64b8f
fix: fixing backend parameter
paulushcgcj Mar 13, 2024
c5e3685
chore: updating parameters
paulushcgcj Mar 13, 2024
332c31d
fix: adding fallback in case of missing provider
paulushcgcj Mar 13, 2024
60456cb
- Removed code due to recent security changes
mamartinezmejia Mar 13, 2024
0038f76
Merge branch 'main' into fix/FSADT1-1241
paulushcgcj Mar 13, 2024
8ede155
Merge branch 'main' into fix/FSADT1-1241
mamartinezmejia Mar 14, 2024
a80ef2c
fix(FSADT1-1241): fixing test
paulushcgcj Mar 14, 2024
22 changes: 6 additions & 16 deletions .github/workflows/merge.yml
Expand Up @@ -77,13 +77,8 @@ jobs:
-p CHES_CLIENT_SECRET=${{ secrets.CHES_CLIENT_SECRET }}
-p ADDRESS_COMPLETE_KEY=${{ secrets.ADDRESS_COMPLETE_KEY }}
-p DB_PASSWORD=${{ secrets.DB_PASSWORD }}
-p COGNITO_REGION=${{ secrets.COGNITO_REGION }}
-p COGNITO_CLIENT_ID=${{ secrets.COGNITO_CLIENT_ID }}
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=TEST
-p COGNITO_REDIRECT_URI=https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/dashboard
-p COGNITO_LOGOUT_URI='https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://test.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=${{ secrets.COGNITO_LOGOUT_URI }}'
-p CHES_MAIL_COPY=${{ secrets.CHES_MAIL_COPY }}

- name: Conventional Changelog Update
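Review bot: the rendered diff has lost its +/- markers, so it is not visible which five of the seven COGNITO_* lines between DB_PASSWORD and CHES_MAIL_COPY are removed and which two stay. Since backend/openshift.deploy.yml in this same PR still reads `key: cognito-environment` from the `${NAME}-${ZONE}` secret, `COGNITO_ENVIRONMENT=TEST` must be among the kept lines or the backend pod will not start (missing secret key in a secretKeyRef); please list the kept parameters in the PR description.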
Expand Down Expand Up @@ -168,8 +163,8 @@ jobs:
-p CHES_API_URL='https://ches.api.gov.bc.ca/api/v1/email'
-p BCREGISTRY_URI='https://bcregistry-prod.apigee.net'
-p COGNITO_REGION=ca-central-1
-p COGNITO_COOKIE_DOMAIN=gov.bc.ca
-p URL_ZONE=${{ env.ZONE }}
-p FRONTEND_URL='${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}' # change for vanity url later

- name: Dev data replacement
uses: bcgov-nr/[email protected]
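Review bot: COGNITO_COOKIE_DOMAIN is dropped from the backend deploy with no replacement in this hunk, and the CsrfCustomizer that presumably takes over cookie handling is not part of the visible diff; please state in the PR description which attributes (Domain, SameSite, Secure) the new CSRF cookie is issued with, since a cookie scoped to gov.bc.ca was previously an explicit parameter. The `# change for vanity url later` comment on FRONTEND_URL should reference a ticket so the follow-up is not lost.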
Expand Down Expand Up @@ -214,8 +209,8 @@ jobs:
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=TEST
-p COGNITO_REDIRECT_URI=https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/dashboard
-p COGNITO_LOGOUT_URI='https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://test.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=${{ secrets.COGNITO_LOGOUT_URI }}'
-p LANDING_URL='${{ secrets.COGNITO_LOGOUT_URI }}'
-p FRONTEND_URL='${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}' # change for vanity url later

- name: Deploy Processor
uses: bcgov-nr/[email protected]
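Review bot: `LANDING_URL='${{ secrets.COGNITO_LOGOUT_URI }}'` reuses a secret whose name says "logout URI" for a parameter that means "landing page"; the value is a public URL rather than a secret, so a plain workflow `env:` entry named for its purpose would be clearer and would not be masked in job logs when a redirect has to be debugged. If the secret must stay, add a comment on this line saying that it holds the post-logout landing page.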
Expand Down Expand Up @@ -282,13 +277,8 @@ jobs:
-p CHES_CLIENT_SECRET=${{ secrets.CHES_CLIENT_SECRET }}
-p ADDRESS_COMPLETE_KEY=${{ secrets.ADDRESS_COMPLETE_KEY }}
-p DB_PASSWORD=${{ secrets.DB_PASSWORD }}
-p COGNITO_REGION=${{ secrets.COGNITO_REGION }}
-p COGNITO_CLIENT_ID=${{ secrets.COGNITO_CLIENT_ID }}
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=PROD
-p COGNITO_REDIRECT_URI=https://forestclient.nrs.gov.bc.ca/dashboard
-p COGNITO_LOGOUT_URI='https://logon7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=${{ secrets.COGNITO_LOGOUT_URI }}'
-p CHES_MAIL_COPY=${{ secrets.CHES_MAIL_COPY }}

prod-deploy:
Expand Down Expand Up @@ -351,8 +341,8 @@ jobs:
-p CHES_API_URL='https://ches.api.gov.bc.ca/api/v1/email'
-p BCREGISTRY_URI='https://bcregistry-prod.apigee.net'
-p COGNITO_REGION=ca-central-1
-p COGNITO_COOKIE_DOMAIN=gov.bc.ca
-p URL_ZONE=${{ env.ZONE }}
-p FRONTEND_URL='${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}' # change for vanity url later

- name: Deploy Legacy
uses: bcgov-nr/[email protected]
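Review bot: for prod, FRONTEND_URL is set to `${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}`, while the COGNITO_REDIRECT_URI line removed in the prod init job above pointed at the vanity host `https://forestclient.nrs.gov.bc.ca`. If the backend's FRONTEND_URL env (built as `https://${FRONTEND_URL}` in backend/openshift.deploy.yml in this PR) is what the CORS and CSRF origin checks compare against, browser requests arriving via the vanity host will not match; either pass the vanity host here or confirm that both origins are allowed, and add a test for the prod origin.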
Expand Down Expand Up @@ -387,8 +377,8 @@ jobs:
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=PROD
-p COGNITO_REDIRECT_URI=https://forestclient.nrs.gov.bc.ca/dashboard
-p COGNITO_LOGOUT_URI='https://logon7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=${{ secrets.COGNITO_LOGOUT_URI }}'
-p LANDING_URL='${{ secrets.COGNITO_LOGOUT_URI }}'
-p FRONTEND_URL='${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}' # change for vanity url later

- name: Deploy Processor
uses: bcgov-nr/[email protected]
13 changes: 4 additions & 9 deletions .github/workflows/pr-open.yml
Expand Up @@ -100,13 +100,8 @@ jobs:
-p CHES_CLIENT_SECRET=${{ secrets.CHES_CLIENT_SECRET }}
-p ADDRESS_COMPLETE_KEY=${{ secrets.ADDRESS_COMPLETE_KEY }}
-p DB_PASSWORD=$(echo ${{github.ref}}${{github.event.number}}|md5sum|cut -d' ' -f1)
-p COGNITO_REGION=${{ secrets.COGNITO_REGION }}
-p COGNITO_CLIENT_ID=${{ secrets.COGNITO_CLIENT_ID }}
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=DEV
-p COGNITO_REDIRECT_URI=https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/dashboard
-p COGNITO_LOGOUT_URI='https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}'
-p COGNITO_ENVIRONMENT=DEV
-p CHES_MAIL_COPY=${{ secrets.CHES_MAIL_COPY }}

- name: Deploy Database Backup
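Review bot: `COGNITO_ENVIRONMENT=DEV` appears twice in this hunk, once inside the removed COGNITO_* block and once after COGNITO_LOGOUT_URI, which reads as a delete-and-re-add of an identical line; keeping the single original line makes the hunk smaller and the intent clearer. Unrelated to this change but visible in the context: `DB_PASSWORD=$(echo ${{github.ref}}${{github.event.number}}|md5sum|cut -d' ' -f1)` derives the PR database password from the branch ref and PR number, which are public inputs, so the password is predictable; worth a follow-up issue to generate it from a random source and store it as a secret instead.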
Expand Down Expand Up @@ -159,8 +154,8 @@ jobs:
-p CHES_API_URL='https://ches.api.gov.bc.ca/api/v1/email'
-p BCREGISTRY_URI='https://bcregistry-prod.apigee.net'
-p COGNITO_REGION=ca-central-1
-p COGNITO_COOKIE_DOMAIN=gov.bc.ca
-p URL_ZONE=${{ needs.vars.outputs.url_zone }}
-p FRONTEND_URL='${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}'

- name: Dev data replacement
uses: bcgov-nr/[email protected]
Expand Down Expand Up @@ -205,8 +200,8 @@ jobs:
-p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }}
-p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }}
-p COGNITO_ENVIRONMENT=DEV
-p COGNITO_REDIRECT_URI=https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/dashboard
-p COGNITO_LOGOUT_URI='https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}'
-p LANDING_URL='https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}'
-p FRONTEND_URL='https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}'

- name: Deploy Processor
uses: bcgov-nr/[email protected]
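Review bot: the frontend deploy step here passes `FRONTEND_URL='https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}'` and `LANDING_URL` with a scheme, while the equivalent frontend deploy steps in merge.yml pass FRONTEND_URL without one; whichever form the frontend template expects, the two workflows should agree, otherwise dev and test/prod build different URLs from the same parameter. The backend template in this PR prepends `https://` itself, so the backend step in this file correctly passes a bare host; a short comment next to each parameter stating "host only" or "full URL" would keep that distinction from drifting.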
14 changes: 5 additions & 9 deletions backend/openshift.deploy.yml
Expand Up @@ -44,13 +44,12 @@ parameters:
- name: COGNITO_REGION
description: Cognito region to be used
required: true
- name: COGNITO_COOKIE_DOMAIN
description: Cognito cookie domain to be used
required: true
default: gov.bc.ca
- name: URL_ZONE
description: Zone to use for URL
required: true
- name: FRONTEND_URL
description: Frontend URL
required: true
objects:
- kind: ImageStream
apiVersion: v1
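Review bot: the description of the new FRONTEND_URL parameter ("Frontend URL") does not say that the value must be a bare host, even though the template uses it as `https://${FRONTEND_URL}` further down; make the description explicit (for example "Frontend host name, without scheme"), or rename the parameter FRONTEND_HOST, so a caller passing a full URL does not silently produce `https://https://...` in the backend's CORS/redirect configuration.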
Expand Down Expand Up @@ -106,7 +105,7 @@ objects:
name: ${NAME}
env:
- name: FRONTEND_URL
value: https://${NAME}-${URL_ZONE}-frontend.${DOMAIN}
value: https://${FRONTEND_URL}
- name: LEGACY_URL
value: http://${NAME}-${ZONE}-legacy/api
- name: SELF_URI
Expand Down Expand Up @@ -175,10 +174,7 @@ objects:
name: ${NAME}-${ZONE}
key: cognito-environment
- name: COGNITO_REGION
valueFrom:
secretKeyRef:
name: ${NAME}-${ZONE}
key: cognito-region
value: ${COGNITO_REGION}
- name: PROCESSOR_SERVICE_ACCOUNT_NAME
valueFrom:
secretKeyRef:
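Review bot: moving COGNITO_REGION from a `secretKeyRef` to a template parameter is reasonable, since the AWS region is not sensitive, but the `cognito-region` key in the `${NAME}-${ZONE}` secret is now orphaned; remove it from the secret-creating template (the init jobs in merge.yml and pr-open.yml in this PR appear to stop passing it) so the secret does not carry stale keys. Also consider `default: ca-central-1` on the parameter, matching the literal both workflows pass, so the template stays deployable by hand.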
Changes to SecurityConfiguration.java (package ca.bc.gov.app.configuration; file path not captured on this page)
@@ -1,17 +1,17 @@
package ca.bc.gov.app.configuration;

import ca.bc.gov.app.ApplicationConstant;
import ca.bc.gov.app.security.ForestHeadersCustomizer;
import ca.bc.gov.app.security.CorsCustomizer;
import ca.bc.gov.app.security.ApiAuthorizationCustomizer;
import ca.bc.gov.app.security.CorsCustomizer;
import ca.bc.gov.app.security.CsrfCustomizer;
import ca.bc.gov.app.security.HeadersCustomizer;
import ca.bc.gov.app.security.Oauth2Customizer;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
Expand All @@ -29,36 +29,37 @@
@EnableWebFluxSecurity
public class SecurityConfiguration {

/**
* This method configures the SecurityWebFilterChain, which is the main security filter for the
* application. It customizes the ServerHttpSecurity object by setting the authorization rules,
* OAuth2 resource server settings, CORS settings, CSRF settings, and HTTP Basic settings. It then
* builds the ServerHttpSecurity object into a SecurityWebFilterChain and returns it.
*
* @param http The ServerHttpSecurity object to be customized.
* @param corsSpecCustomizer The customizer for the CORS settings.
* @param apiAuthorizationCustomizer The customizer for the authorization rules.
* @param oauth2SpecCustomizer The customizer for the OAuth2 resource server settings.
* @param headersCustomizer The customizer for the headers settings.
* @return The configured SecurityWebFilterChain.
*/
@Bean
SecurityWebFilterChain springSecurityFilterChain(
ServerHttpSecurity http,
ForestHeadersCustomizer headersCustomizer,
CorsCustomizer corsSpecCustomizer,
ApiAuthorizationCustomizer apiAuthorizationCustomizer,
Oauth2Customizer oauth2SpecCustomizer
) {
http
.headers(headersCustomizer)
.authorizeExchange(apiAuthorizationCustomizer)
.oauth2ResourceServer(oauth2SpecCustomizer)
.cors(corsSpecCustomizer)
.csrf(CsrfSpec::disable)
.httpBasic(Customizer.withDefaults());
return http.build();
}
/**
* This method is a Spring Bean that configures the Spring Security filter chain.
* The filter chain is a mechanism that Spring Security uses to apply security features to HTTP requests.
*
* @param http The ServerHttpSecurity instance that is used to build the security filter chain.
* @param headersCustomizer A customizer for the HTTP headers security settings.
* @param corsSpecCustomizer A customizer for the Cross-Origin Resource Sharing (CORS) security settings.
* @param apiAuthorizationCustomizer A customizer for the API authorization security settings.
* @param oauth2SpecCustomizer A customizer for the OAuth2 resource server security settings.
* @param csrfSpecCustomizer A customizer for the Cross-Site Request Forgery (CSRF) security settings.
*
* @return The configured SecurityWebFilterChain.
*/
@Bean
SecurityWebFilterChain springSecurityFilterChain(
ServerHttpSecurity http,
HeadersCustomizer headersCustomizer,
CorsCustomizer corsSpecCustomizer,
ApiAuthorizationCustomizer apiAuthorizationCustomizer,
Oauth2Customizer oauth2SpecCustomizer,
CsrfCustomizer csrfSpecCustomizer
) {
http
.headers(headersCustomizer)
.authorizeExchange(apiAuthorizationCustomizer)
.oauth2ResourceServer(oauth2SpecCustomizer)
.cors(corsSpecCustomizer)
.csrf(csrfSpecCustomizer)
.httpBasic(Customizer.withDefaults());
return http.build();
}

/**
* This method creates a ReactiveJwtDecoder bean. The ReactiveJwtDecoder is used to decode JWTs in
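Review bot: the switch from `.csrf(CsrfSpec::disable)` to `.csrf(csrfSpecCustomizer)` is the substance of this PR, but the CsrfCustomizer class itself is not in the visible diff, so its behaviour cannot be reviewed here. Before merge, please confirm and cover with a test: (1) the token repository is one the frontend can read, e.g. `CookieServerCsrfTokenRepository.withHttpOnlyFalse()`, with the cookie's Secure and SameSite attributes set; (2) a WebFilter subscribes to the `CsrfToken` exchange attribute, since WebFlux generates the token lazily and otherwise no cookie is ever written; (3) a state-changing request without the token is rejected with 403 and one carrying the matching header succeeds. Separately, `.httpBasic(Customizer.withDefaults())` survives the change alongside the OAuth2 resource server and the in-memory `MapReactiveUserDetailsService` imports; if basic auth exists only for local testing it should be gated behind a profile rather than enabled in every environment.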