#921: read CSP (connect.src) from Properties

puzzle · Jul 11, 2024 · ee7ae43 · ee7ae43
1 parent 19ef323
commit ee7ae43
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java b/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
@@ -7,6 +7,7 @@
 import com.nimbusds.jwt.proc.JWTProcessor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -36,9 +37,14 @@
 public class SecurityConfig {
     private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
 
+    private String connectSrc;
+
     @Bean
     @Order(1) // Must be First order! Otherwise unauthorized Requests are sent to Controllers
-    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http, @Value("${connect.src}") String connectSrc)
+            throws Exception {
+        this.connectSrc = connectSrc;
+
         setHeaders(http);
         http.addFilterAfter(new ForwardFilter(), BasicAuthenticationFilter.class);
         logger.debug("*** apiSecurityFilterChain reached");
@@ -93,7 +99,7 @@ private String okrContentSecurityPolicy() {
                 + "        style-src 'self' 'unsafe-inline';" //
                 + "        object-src 'none';" //
                 + "        base-uri 'self';" //
-                + "        connect-src 'self' https://sso.puzzle.ch http://localhost:8544;" //
+                + "        connect-src 'self' " + connectSrc + ";" //
                 + "        font-src 'self';" //
                 + "        frame-src 'self';" //
                 + "        img-src 'self' data: ;" //

diff --git a/backend/src/main/resources/application-dev.properties b/backend/src/main/resources/application-dev.properties
@@ -13,6 +13,9 @@ spring.flyway.locations=classpath:db/migration,classpath:db/data-migration,class
 okr.tenant-ids=pitc,acme
 okr.datasource.driver-class-name=org.postgresql.Driver
 
+# security
+connect.src=http://localhost:8544 http://localhost:8545
+
 # hibernate
 hibernate.connection.url=jdbc:postgresql://localhost:5432/okr
 hibernate.connection.username=user

diff --git a/backend/src/main/resources/application-integration-test.properties b/backend/src/main/resources/application-integration-test.properties
@@ -16,6 +16,9 @@ spring.flyway.locations=classpath:db/h2-db/database-h2-schema,classpath:db/h2-db
 okr.tenant-ids=pitc,acme
 okr.datasource.driver-class-name=org.h2.Driver
 
+# security
+connect.src=http://localhost:8544 http://localhost:8545
+
 # hibernate
 hibernate.connection.url=jdbc:h2:mem:db;DB_CLOSE_DELAY=-1;
 hibernate.connection.username=user

diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -54,3 +54,6 @@ okr.clientcustomization.title=Puzzle OKR
 
 okr.quarter.business.year.start=7
 okr.quarter.label.format=GJ xx/yy-Qzz
+
+# security
+connect.src=https://sso.puzzle.ch