updating csp headers (#852)

* removing confetti loader (we still package it, for now) * 📎-happiness * updating WASM build scripts and rebuilding * updated CSP headers to change self to 'self' and remove some insecure https: options
2025-02-23 12:37:00 +01:00 · 2022-06-22 22:30:08 +10:00 · 2022-06-22 22:30:08 +10:00 · 4b1989ee22
parent 3d9133284f
commit 4b1989ee22
15 changed files with 526 additions and 538 deletions
--- a/kanidm_tools/src/cli/group.rs
+++ b/kanidm_tools/src/cli/group.rs
@ -78,7 +78,11 @@ impl GroupOpt {
                    .await
                {
                    Err(e) => error!("Error -> {:?}", e),
-                    Ok(_) => println!("Successfully added {:?} to group \"{}\"", &new_members, gcopt.name.as_str()),
+                    Ok(_) => println!(
                        "Successfully added {:?} to group \"{}\"",
                        &new_members,
                        gcopt.name.as_str()
                    ),
                }
            }
--- a/kanidmd/score/src/https/mod.rs
+++ b/kanidmd/score/src/https/mod.rs
@ -167,7 +167,6 @@ async fn index_view(_req: tide::Request<AppState>) -> tide::Result {
            <link rel="stylesheet" href="/pkg/external/bootstrap.min.css" integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC"/>
            <link rel="stylesheet" href="/pkg/style.css"/>
            <script src="/pkg/external/bootstrap.bundle.min.js" integrity="sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM"></script>
            <script src="/pkg/external/confetti.js"></script>
            <script type="module" type="text/javascript" src="/pkg/wasmloader.js" integrity="sha384-==WASMHASH==">
            </script>
@ -282,28 +281,34 @@ impl<State: Clone + Send + Sync + 'static> tide::Middleware<State>
        // update it with the hash
        response.set_body(body_str.replace("==WASMHASH==", self.integrity_wasmloader.as_str()));
        response.insert_header(
-                /* content-security-policy headers tell the browser what to trust
+            /* content-security-policy headers tell the browser what to trust
-                    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+                https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-                    In this case we're only trusting the same server that the page is being loaded from, and adding
+                In this case we're only trusting the same server that the page is
-                    a hash of wasmloader.js, which is the main script we should be loading, and should be really secure
+                loaded from, and adding a hash of wasmloader.js, which is the main script
-                    about that!
+                we should be loading, and should be really secure about that!
-                */
+            */
-
+            // TODO: consider scraping the other js files that wasm-pack builds and including them too
-                // TODO: consider scraping the other js files that wasm-pack builds and including them too
+            "content-security-policy",
-                "content-security-policy",
+            vec![
-                vec![
+                "default-src 'self'",
-                    "default-src 'self'",
+                // we need unsafe-eval because of WASM things
-                    // we need unsafe-eval because of WASM things
+                format!(
-                    format!("script-src 'self' 'sha384-{}' 'unsafe-eval'", self.integrity_wasmloader.as_str() ).as_str(),
+                    "script-src 'self' 'sha384-{}' 'unsafe-eval'",
-                    "img-src 'self'",
+                    self.integrity_wasmloader.as_str()
-
+                )
-                    "object-src 'self'",
+                .as_str(),
-                    // not currently using workers so it can be blocked
+                "form-action https: 'self'", // to allow for OAuth posts
-                    "worker-src 'none'",
+                // we are not currently using workers so it can be blocked
-                ].join(";"),
+                "worker-src 'none'",
-            );
+                // TODO: Content-Security-Policy-Report-Only https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
                // "report-to 'none'", // unsupported by a lot of things still, but mozilla's saying report-uri is deprecated?
                "report-uri 'none'",
                "base-uri 'self'",
            ]
            .join(";"),
        );
        Ok(response)
    }
--- a/kanidmd/score/src/https/oauth2.rs
+++ b/kanidmd/score/src/https/oauth2.rs
@ -261,7 +261,10 @@ async fn oauth2_authorise(
                .append_pair("code", &code);
            res.insert_header("Location", redirect_uri.as_str());
            // I think the client server needs this
-            res.insert_header("Access-Control-Allow-Origin", redirect_uri.origin().ascii_serialization());
+            res.insert_header(
                "Access-Control-Allow-Origin",
                redirect_uri.origin().ascii_serialization(),
            );
            tide::Body::from_json(&AuthorisationResponse::Permitted).map(|b| {
                res.set_body(b);
                res
@ -358,7 +361,10 @@ async fn oauth2_authorise_permit(
                .append_pair("code", &code);
            res.insert_header("Location", redirect_uri.as_str());
            // I think the client server needs this
-            res.insert_header("Access-Control-Allow-Origin", redirect_uri.origin().ascii_serialization());
+            res.insert_header(
                "Access-Control-Allow-Origin",
                redirect_uri.origin().ascii_serialization(),
            );
            res
        }
        Err(_e) => {
--- a/kanidmd_web_ui/build_wasm_dev.sh
+++ b/kanidmd_web_ui/build_wasm_dev.sh
@ -1,10 +1,3 @@
 #!/bin/sh
 wasm-pack build --dev --target web || exit 1
 touch ./pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC && \
    cp -R ./src/img ./pkg/ && \
    cp ./src/style.css ./pkg/style.css && \
    cp ./src/wasmloader.js ./pkg/wasmloader.js && \
    cp -a ./src/external ./pkg/external && \
    rm ./pkg/.gitignore
 BUILD_FLAGS="--dev" ./build_wasm.sh
--- a/kanidmd_web_ui/build_wasm_release.sh
+++ b/kanidmd_web_ui/build_wasm_release.sh
@ -1,10 +1,14 @@
 #!/bin/sh
-wasm-pack build --release --target web || exit 1
+
 if [ -z "${BUILD_FLAGS}" ]; then
    BUILD_FLAGS="--release"
 fi
 wasm-pack build ${BUILD_FLAGS} --target web || exit 1
 touch ./pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC && \
-    cp -R ./src/img ./pkg/ &&
+    rsync --delete-after -av ./src/img/ ./pkg/img/ && \
    rsync --delete-after -av ./src/external/ ./pkg/external/ && \
    cp ./src/style.css ./pkg/style.css && \
    cp ./src/wasmloader.js ./pkg/wasmloader.js && \
    rm ./pkg/.gitignore
--- a/kanidmd_web_ui/pkg/kanidmd_web_ui.d.ts
+++ b/kanidmd_web_ui/pkg/kanidmd_web_ui.d.ts
@ -12,14 +12,23 @@ export interface InitOutput {
  readonly __wbindgen_malloc: (a: number) => number;
  readonly __wbindgen_realloc: (a: number, b: number, c: number) => number;
  readonly __wbindgen_export_2: WebAssembly.Table;
-  readonly _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h517d7fce3d158796: (a: number, b: number, c: number) => void;
+  readonly _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hab3be56b8155b388: (a: number, b: number, c: number) => void;
-  readonly _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h6c41bce435f08bdb: (a: number, b: number, c: number) => void;
+  readonly _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h17af29331a011f5b: (a: number, b: number, c: number) => void;
-  readonly _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hea19f293916f5b3a: (a: number, b: number, c: number) => void;
+  readonly _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h67ec72bbd39c79bf: (a: number, b: number, c: number) => void;
  readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
  readonly __wbindgen_free: (a: number, b: number) => void;
  readonly __wbindgen_exn_store: (a: number) => void;
 }
 /**
 * Synchronously compiles the given `bytes` and instantiates the WebAssembly module.
 *
 * @param {BufferSource} bytes
 *
 * @returns {InitOutput}
 */
 export function initSync(bytes: BufferSource): InitOutput;
 /**
 * If `module_or_path` is {RequestInfo} or {URL}, makes a request and
 * for everything else, calls `WebAssembly.instantiate` directly.
--- a/kanidmd_web_ui/pkg/kanidmd_web_ui.js
+++ b/kanidmd_web_ui/pkg/kanidmd_web_ui.js
--- a/kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm
+++ b/kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm
--- a/kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm.d.ts
+++ b/kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm.d.ts
@ -5,9 +5,9 @@ export function run_app(a: number): void;
 export function __wbindgen_malloc(a: number): number;
 export function __wbindgen_realloc(a: number, b: number, c: number): number;
 export const __wbindgen_export_2: WebAssembly.Table;
-export function _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h517d7fce3d158796(a: number, b: number, c: number): void;
+export function _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hab3be56b8155b388(a: number, b: number, c: number): void;
-export function _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h6c41bce435f08bdb(a: number, b: number, c: number): void;
+export function _dyn_core__ops__function__Fn__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h17af29331a011f5b(a: number, b: number, c: number): void;
-export function _dyn_core__ops__function__FnMut___A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hea19f293916f5b3a(a: number, b: number, c: number): void;
+export function _dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h67ec72bbd39c79bf(a: number, b: number, c: number): void;
 export function __wbindgen_add_to_stack_pointer(a: number): number;
 export function __wbindgen_free(a: number, b: number): void;
 export function __wbindgen_exn_store(a: number): void;
--- a/kanidmd_web_ui/src/credential/delete.rs
+++ b/kanidmd_web_ui/src/credential/delete.rs
@ -5,17 +5,14 @@ use super::eventbus::{EventBus, EventBusMsg};
 use super::reset::ModalProps;
 use gloo::console;
 use web_sys::Node;
 use yew::prelude::*;
-use yew_agent::{Dispatched, Dispatcher};
+use yew_agent::Dispatched;
 use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};
-use kanidm_proto::v1::{
+use kanidm_proto::v1::{CURequest, CUSessionToken, CUStatus};
    CURegState, CURequest, CUSessionToken, CUStatus, OperationError, PasswordFeedback, TotpSecret,
 };
 enum State {
    Init,
--- a/kanidmd_web_ui/src/credential/pwmodal.rs
+++ b/kanidmd_web_ui/src/credential/pwmodal.rs
@ -6,7 +6,7 @@ use super::reset::ModalProps;
 use gloo::console;
 use yew::prelude::*;
-use yew_agent::{Dispatched, Dispatcher};
+use yew_agent::Dispatched;
 use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
--- a/kanidmd_web_ui/src/credential/totpmodal.rs
+++ b/kanidmd_web_ui/src/credential/totpmodal.rs
@ -7,15 +7,13 @@ use super::reset::ModalProps;
 use gloo::console;
 use web_sys::Node;
 use yew::prelude::*;
-use yew_agent::{Dispatched, Dispatcher};
+use yew_agent::Dispatched;
 use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};
-use kanidm_proto::v1::{
+use kanidm_proto::v1::{CURegState, CURequest, CUSessionToken, CUStatus, TotpSecret};
    CURegState, CURequest, CUSessionToken, CUStatus, OperationError, PasswordFeedback, TotpSecret,
 };
 use qrcode::{render::svg, QrCode};
 enum TotpState {
@ -196,9 +194,14 @@ impl Component for TotpModalApp {
                self.check = TotpCheck::Invalid;
                self.state = TotpState::Init;
            }
            // TODO: which status do we want to return?
            Msg::TotpClearInvalid => {
                self.check = TotpCheck::Init;
            }
            // this was originally lower in the code
            // Msg::TotpClearInvalid => {
            //     self.check = TotpCheck::Invalid;
            // }
            Msg::TotpInvalidSha1 => {
                self.check = TotpCheck::Sha1Accept;
                self.state = TotpState::Init;
@ -213,9 +216,6 @@ impl Component for TotpModalApp {
                self.state = TotpState::Waiting;
            }
            Msg::TotpClearInvalid => {
                self.check = TotpCheck::Invalid;
            }
            Msg::TotpSuccess => {
                // Nothing to do but close and hide!
                self.reset_and_hide();
--- a/kanidmd_web_ui/src/login.rs
+++ b/kanidmd_web_ui/src/login.rs
@ -17,11 +17,6 @@ use kanidm_proto::v1::{
 use webauthn_rs::proto::PublicKeyCredential;
 #[wasm_bindgen]
 extern "C" {
    fn startConfetti();
 }
 pub struct LoginApp {
    inputvalue: String,
    session_id: String,
--- a/kanidmd_web_ui/src/views/mod.rs
+++ b/kanidmd_web_ui/src/views/mod.rs
@ -9,7 +9,7 @@ use yew_router::prelude::*;
 use serde::{Deserialize, Serialize};
-use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
+use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};
--- a/kanidmd_web_ui/src/views/security.rs
+++ b/kanidmd_web_ui/src/views/security.rs
@ -13,7 +13,7 @@ use yew_router::prelude::*;
 use kanidm_proto::v1::{CUSessionToken, CUStatus, UserAuthToken};
-use wasm_bindgen::{JsCast, JsValue, UnwrapThrowExt};
+use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use wasm_bindgen_futures::JsFuture;
 use web_sys::{Request, RequestInit, RequestMode, Response};