updating csp headers (#852)

* removing confetti loader (we still package it, for now)
* 📎-happiness
* updating WASM build scripts and rebuilding
* updated CSP headers to change self to 'self' and remove some insecure https: options

kanidm_tools/src/cli/group.rs

@@ -78,7 +78,11 @@ impl GroupOpt {
                     .await
                 {
                     Err(e) => error!("Error -> {:?}", e),
-                    Ok(_) => println!("Successfully added {:?} to group \"{}\"", &new_members, gcopt.name.as_str()),
+                    Ok(_) => println!(
+                        "Successfully added {:?} to group \"{}\"",
+                        &new_members,
+                        gcopt.name.as_str()
+                    ),
                 }
             }
 

kanidmd/score/src/https/mod.rs

@@ -167,7 +167,6 @@ async fn index_view(_req: tide::Request<AppState>) -> tide::Result {
             <link rel="stylesheet" href="/pkg/external/bootstrap.min.css" integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC"/>
             <link rel="stylesheet" href="/pkg/style.css"/>
             <script src="/pkg/external/bootstrap.bundle.min.js" integrity="sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM"></script>
-            <script src="/pkg/external/confetti.js"></script>
             <script type="module" type="text/javascript" src="/pkg/wasmloader.js" integrity="sha384-==WASMHASH==">
             </script>
 
@@ -282,28 +281,34 @@ impl<State: Clone + Send + Sync + 'static> tide::Middleware<State>
         // update it with the hash
         response.set_body(body_str.replace("==WASMHASH==", self.integrity_wasmloader.as_str()));
         response.insert_header(
-                /* content-security-policy headers tell the browser what to trust
-                    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+            /* content-security-policy headers tell the browser what to trust
+                https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-                    In this case we're only trusting the same server that the page is being loaded from, and adding
-                    a hash of wasmloader.js, which is the main script we should be loading, and should be really secure
-                    about that!
+                In this case we're only trusting the same server that the page is
+                loaded from, and adding a hash of wasmloader.js, which is the main script
+                we should be loading, and should be really secure about that!
 
-                */
-
-                // TODO: consider scraping the other js files that wasm-pack builds and including them too
-                "content-security-policy",
-                vec![
-                    "default-src 'self'",
-                    // we need unsafe-eval because of WASM things
-                    format!("script-src 'self' 'sha384-{}' 'unsafe-eval'", self.integrity_wasmloader.as_str() ).as_str(),
-                    "img-src 'self'",
-
-                    "object-src 'self'",
-                    // not currently using workers so it can be blocked
-                    "worker-src 'none'",
-                ].join(";"),
-            );
+            */
+            // TODO: consider scraping the other js files that wasm-pack builds and including them too
+            "content-security-policy",
+            vec![
+                "default-src 'self'",
+                // we need unsafe-eval because of WASM things
+                format!(
+                    "script-src 'self' 'sha384-{}' 'unsafe-eval'",
+                    self.integrity_wasmloader.as_str()
+                )
+                .as_str(),
+                "form-action https: 'self'", // to allow for OAuth posts
+                // we are not currently using workers so it can be blocked
+                "worker-src 'none'",
+                // TODO: Content-Security-Policy-Report-Only https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+                // "report-to 'none'", // unsupported by a lot of things still, but mozilla's saying report-uri is deprecated?
+                "report-uri 'none'",
+                "base-uri 'self'",
+            ]
+            .join(";"),
+        );
 
         Ok(response)
     }

kanidmd/score/src/https/oauth2.rs

@@ -261,7 +261,10 @@ async fn oauth2_authorise(
                 .append_pair("code", &code);
             res.insert_header("Location", redirect_uri.as_str());
             // I think the client server needs this
-            res.insert_header("Access-Control-Allow-Origin", redirect_uri.origin().ascii_serialization());
+            res.insert_header(
+                "Access-Control-Allow-Origin",
+                redirect_uri.origin().ascii_serialization(),
+            );
             tide::Body::from_json(&AuthorisationResponse::Permitted).map(|b| {
                 res.set_body(b);
                 res
@@ -358,7 +361,10 @@ async fn oauth2_authorise_permit(
                 .append_pair("code", &code);
             res.insert_header("Location", redirect_uri.as_str());
             // I think the client server needs this
-            res.insert_header("Access-Control-Allow-Origin", redirect_uri.origin().ascii_serialization());
+            res.insert_header(
+                "Access-Control-Allow-Origin",
+                redirect_uri.origin().ascii_serialization(),
+            );
             res
         }
         Err(_e) => {

kanidmd_web_ui/build_wasm_dev.sh

@@ -1,10 +1,3 @@
 #!/bin/sh
-wasm-pack build --dev --target web || exit 1
-
-touch ./pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC && \
-    cp -R ./src/img ./pkg/ && \
-    cp ./src/style.css ./pkg/style.css && \
-    cp ./src/wasmloader.js ./pkg/wasmloader.js && \
-    cp -a ./src/external ./pkg/external && \
-    rm ./pkg/.gitignore
 
+BUILD_FLAGS="--dev" ./build_wasm.sh

kanidmd_web_ui/build_wasm_release.sh

@@ -1,10 +1,14 @@
 #!/bin/sh
-wasm-pack build --release --target web || exit 1
+
+if [ -z "${BUILD_FLAGS}" ]; then
+    BUILD_FLAGS="--release"
+fi
+
+wasm-pack build ${BUILD_FLAGS} --target web || exit 1
 
 touch ./pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC && \
-    cp -R ./src/img ./pkg/ &&
+    rsync --delete-after -av ./src/img/ ./pkg/img/ && \
+    rsync --delete-after -av ./src/external/ ./pkg/external/ && \
     cp ./src/style.css ./pkg/style.css && \
     cp ./src/wasmloader.js ./pkg/wasmloader.js && \
     rm ./pkg/.gitignore
-
-

kanidmd_web_ui/pkg/kanidmd_web_ui.d.ts

@@ -12,14 +12,23 @@ export interface InitOutput {
   readonly __wbindgen_malloc: (a: number) => number;
   readonly __wbindgen_realloc: (a: number, b: number, c: number) => number;
   readonly __wbindgen_export_2: WebAssembly.Table;
-  readonly _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h517d7fce3d158796: (a: number, b: number, c: number) => void;
-  readonly _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h6c41bce435f08bdb: (a: number, b: number, c: number) => void;
-  readonly _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hea19f293916f5b3a: (a: number, b: number, c: number) => void;
+  readonly _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hab3be56b8155b388: (a: number, b: number, c: number) => void;
+  readonly _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h17af29331a011f5b: (a: number, b: number, c: number) => void;
+  readonly _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h67ec72bbd39c79bf: (a: number, b: number, c: number) => void;
   readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
   readonly __wbindgen_free: (a: number, b: number) => void;
   readonly __wbindgen_exn_store: (a: number) => void;
 }
 
+/**
+* Synchronously compiles the given `bytes` and instantiates the WebAssembly module.
+*
+* @param {BufferSource} bytes
+*
+* @returns {InitOutput}
+*/
+export function initSync(bytes: BufferSource): InitOutput;
+
 /**
 * If `module_or_path` is {RequestInfo} or {URL}, makes a request and
 * for everything else, calls `WebAssembly.instantiate` directly.

kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm.d.ts

@@ -5,9 +5,9 @@ export function run_app(a: number): void;
 export function __wbindgen_malloc(a: number): number;
 export function __wbindgen_realloc(a: number, b: number, c: number): number;
 export const __wbindgen_export_2: WebAssembly.Table;
-export function _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h517d7fce3d158796(a: number, b: number, c: number): void;
-export function _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h6c41bce435f08bdb(a: number, b: number, c: number): void;
-export function _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hea19f293916f5b3a(a: number, b: number, c: number): void;
+export function _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hab3be56b8155b388(a: number, b: number, c: number): void;
+export function _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h17af29331a011f5b(a: number, b: number, c: number): void;
+export function _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h67ec72bbd39c79bf(a: number, b: number, c: number): void;
 export function __wbindgen_add_to_stack_pointer(a: number): number;
 export function __wbindgen_free(a: number, b: number): void;
 export function __wbindgen_exn_store(a: number): void;

kanidmd_web_ui/src/credential/delete.rs

@@ -5,17 +5,14 @@ use super::eventbus::{EventBus, EventBusMsg};
 use super::reset::ModalProps;
 
 use gloo::console;
-use web_sys::Node;
 use yew::prelude::*;
-use yew_agent::{Dispatched, Dispatcher};
+use yew_agent::Dispatched;
 
 use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};
 
-use kanidm_proto::v1::{
-    CURegState, CURequest, CUSessionToken, CUStatus, OperationError, PasswordFeedback, TotpSecret,
-};
+use kanidm_proto::v1::{CURequest, CUSessionToken, CUStatus};
 
 enum State {
     Init,

kanidmd_web_ui/src/credential/pwmodal.rs

@@ -6,7 +6,7 @@ use super::reset::ModalProps;
 
 use gloo::console;
 use yew::prelude::*;
-use yew_agent::{Dispatched, Dispatcher};
+use yew_agent::Dispatched;
 
 use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;

kanidmd_web_ui/src/credential/totpmodal.rs

@@ -7,15 +7,13 @@ use super::reset::ModalProps;
 use gloo::console;
 use web_sys::Node;
 use yew::prelude::*;
-use yew_agent::{Dispatched, Dispatcher};
+use yew_agent::Dispatched;
 
 use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};
 
-use kanidm_proto::v1::{
-    CURegState, CURequest, CUSessionToken, CUStatus, OperationError, PasswordFeedback, TotpSecret,
-};
+use kanidm_proto::v1::{CURegState, CURequest, CUSessionToken, CUStatus, TotpSecret};
 use qrcode::{render::svg, QrCode};
 
 enum TotpState {
@@ -196,9 +194,14 @@ impl Component for TotpModalApp {
                 self.check = TotpCheck::Invalid;
                 self.state = TotpState::Init;
             }
+            // TODO: which status do we want to return?
             Msg::TotpClearInvalid => {
                 self.check = TotpCheck::Init;
             }
+            // this was originally lower in the code
+            // Msg::TotpClearInvalid => {
+            //     self.check = TotpCheck::Invalid;
+            // }
             Msg::TotpInvalidSha1 => {
                 self.check = TotpCheck::Sha1Accept;
                 self.state = TotpState::Init;
@@ -213,9 +216,6 @@ impl Component for TotpModalApp {
 
                 self.state = TotpState::Waiting;
             }
-            Msg::TotpClearInvalid => {
-                self.check = TotpCheck::Invalid;
-            }
             Msg::TotpSuccess => {
                 // Nothing to do but close and hide!
                 self.reset_and_hide();

kanidmd_web_ui/src/login.rs

@@ -17,11 +17,6 @@ use kanidm_proto::v1::{
 
 use webauthn_rs::proto::PublicKeyCredential;
 
-#[wasm_bindgen]
-extern "C" {
-    fn startConfetti();
-}
-
 pub struct LoginApp {
     inputvalue: String,
     session_id: String,

kanidmd_web_ui/src/views/mod.rs

@@ -9,7 +9,7 @@ use yew_router::prelude::*;
 
 use serde::{Deserialize, Serialize};
 
-use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
+use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};
 

kanidmd_web_ui/src/views/security.rs

@@ -13,7 +13,7 @@ use yew_router::prelude::*;
 
 use kanidm_proto::v1::{CUSessionToken, CUStatus, UserAuthToken};
 
-use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
+use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};