chore(security): use our own server for CSP reports instead of report-uri.com

php-coder · php-coder · commit eaacb4dc9448 · 2019-07-21T17:35:21.000+01:00
Addressed to #226
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java b/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java
@@ -21,6 +21,7 @@
 import org.springframework.security.web.header.HeaderWriter;
 import ru.mystamps.web.feature.collection.CollectionUrl;
 import ru.mystamps.web.feature.series.SeriesUrl;
+import ru.mystamps.web.feature.site.SiteUrl;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -62,8 +63,7 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	// - 'https://maxcdn.bootstrapcdn.com' is required by glyphicons-halflings-regular.woff2
 	private static final String FONT_SRC_CDN = "font-src https://maxcdn.bootstrapcdn.com";
 	
-	// CheckStyle: ignore LineLength for next 1 line
-	private static final String REPORT_URI = "report-uri https://mystamps.report-uri.com/r/d/csp/reportOnly";
+	private static final String REPORT_URI = "report-uri ";
 	
 	// - 'https://cdn.jsdelivr.net' is required by languages.min.css (FIXME: GH #246)
 	private static final String STYLE_SRC = "style-src https://cdn.jsdelivr.net";
@@ -165,6 +165,7 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	
 	private final boolean useSingleHost;
 	private final boolean hasH2Console;
+	private final String host;
 	
 	@Override
 	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
@@ -183,7 +184,7 @@ protected String constructDirectives(String uri) {
 		sb.append(DEFAULT_SRC).append(SEPARATOR)
 		  .append(IMG_SRC).append(useSingleHost ? IMG_SRC_SELF : IMG_SRC_CDN).append(SEPARATOR)
 		  .append(useSingleHost ? FONT_SRC_SELF : FONT_SRC_CDN).append(SEPARATOR)
-		  .append(REPORT_URI).append(SEPARATOR)
+		  .append(REPORT_URI).append(host).append(SiteUrl.CSP_REPORTS_HANDLER).append(SEPARATOR)
 		  .append(STYLE_SRC)
 		  .append(useSingleHost ? STYLES_SELF : STYLES_CDN);
 		
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java b/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java
@@ -82,9 +82,13 @@ public void configure(WebSecurity web) throws Exception {
 	protected void configure(HttpSecurity http) throws Exception {
 		boolean useSingleHost = !environment.acceptsProfiles("prod");
 		boolean hasH2Console = environment.acceptsProfiles("test");
+		
+		// @todo #226 Introduce app.use-public-hostname property
+		boolean usePublicHostname = environment.acceptsProfiles("prod");
+		String hostname = usePublicHostname ? SiteUrl.PUBLIC_URL : SiteUrl.SITE;
 
 		ContentSecurityPolicyHeaderWriter cspWriter =
-			new ContentSecurityPolicyHeaderWriter(useSingleHost, hasH2Console);
+			new ContentSecurityPolicyHeaderWriter(useSingleHost, hasH2Console, hostname);
 		
 		http
 			.authorizeRequests()
diff --git a/src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java b/src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java
@@ -20,6 +20,8 @@
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import ru.mystamps.web.feature.site.SiteUrl;
+import ru.mystamps.web.tests.Random;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -46,7 +48,7 @@ public class ContentSecurityPolicyHeaderWriterTest {
 	@Test
 	public void writeContentSecurityPolicyHeader() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(bool(), bool());
+			new ContentSecurityPolicyHeaderWriter(bool(), bool(), Random.host());
 		
 		HttpServletRequest request = new MockHttpServletRequest();
 		HttpServletResponse response = new MockHttpServletResponse();
@@ -64,7 +66,7 @@ public void writeContentSecurityPolicyHeader() {
 	@Test
 	public void onIndexPageWithLocalResources() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(true, bool());
+			new ContentSecurityPolicyHeaderWriter(true, bool(), SiteUrl.SITE);
 		String[] directives = writer.constructDirectives("/").split(";");
 		
 		assertThat(directives, hasItemInArray("default-src 'none'"));
@@ -78,7 +80,7 @@ public void onIndexPageWithLocalResources() {
 		
 		assertThat(
 			directives,
-			hasItemInArray("report-uri https://mystamps.report-uri.com/r/d/csp/reportOnly")
+			hasItemInArray("report-uri http://127.0.0.1:8080/site/csp/reports")
 		);
 		
 		assertThat(directives, hasItemInArray("style-src https://cdn.jsdelivr.net 'self'"));
@@ -90,7 +92,7 @@ public void onIndexPageWithLocalResources() {
 	@Test
 	public void onIndexPageWithResourcesFromCdn() {
 		ContentSecurityPolicyHeaderWriter writer
-			= new ContentSecurityPolicyHeaderWriter(false, bool());
+			= new ContentSecurityPolicyHeaderWriter(false, bool(), SiteUrl.PUBLIC_URL);
 		String[] directives = writer.constructDirectives("/").split(";");
 		
 		assertThat(directives, hasItemInArray("default-src 'none'"));
@@ -104,7 +106,7 @@ public void onIndexPageWithResourcesFromCdn() {
 		
 		assertThat(
 			directives,
-			hasItemInArray("report-uri https://mystamps.report-uri.com/r/d/csp/reportOnly")
+			hasItemInArray("report-uri https://my-stamps.ru/site/csp/reports")
 		);
 		
 		assertThat(
@@ -134,7 +136,7 @@ public void onIndexPageWithResourcesFromCdn() {
 	@Test
 	public void onCollectionInfoPageWithLocalResources() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(true, bool());
+			new ContentSecurityPolicyHeaderWriter(true, bool(), Random.host());
 		String[] directives = writer.constructDirectives("/collection/user").split(";");
 		
 		// test only the directives that differ from the index page
@@ -167,7 +169,7 @@ public void onCollectionInfoPageWithLocalResources() {
 	@Test
 	public void onCollectionInfoPageWithResourcesFromCdn() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(false, bool());
+			new ContentSecurityPolicyHeaderWriter(false, bool(), Random.host());
 		String[] directives = writer.constructDirectives("/collection/user").split(";");
 		
 		// test only the directives that differ from the index page
@@ -203,7 +205,7 @@ public void onCollectionInfoPageWithResourcesFromCdn() {
 	@Test
 	public void onSeriesAddImagePageWithLocalResources() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(true, bool());
+			new ContentSecurityPolicyHeaderWriter(true, bool(), Random.host());
 		
 		for (String page : new String[]{"/series/11", "/series/12/ask", "/series/13/image"}) {
 			String[] directives = writer.constructDirectives(page).split(";");
@@ -229,7 +231,7 @@ public void onSeriesAddImagePageWithLocalResources() {
 	@Test
 	public void onSeriesAddImagePageWithResourcesFromCdn() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(false, bool());
+			new ContentSecurityPolicyHeaderWriter(false, bool(), Random.host());
 		
 		for (String page : new String[]{"/series/11", "/series/12/ask", "/series/13/image"}) {
 			String[] directives = writer.constructDirectives(page).split(";");
@@ -268,7 +270,7 @@ public void onSeriesAddImagePageWithResourcesFromCdn() {
 	@Test
 	public void onSeriesAddPageWithLocalResources() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(true, bool());
+			new ContentSecurityPolicyHeaderWriter(true, bool(), Random.host());
 		String[] directives = writer.constructDirectives("/series/add").split(";");
 		
 		// test only the directives that differ from the index page
@@ -302,7 +304,7 @@ public void onSeriesAddPageWithLocalResources() {
 	@Test
 	public void onSeriesAddPageWithResourcesFromCdn() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(false, bool());
+			new ContentSecurityPolicyHeaderWriter(false, bool(), Random.host());
 		String[] directives = writer.constructDirectives("/series/add").split(";");
 		
 		// test only the directives that differ from the index page
@@ -339,7 +341,7 @@ public void onSeriesAddPageWithResourcesFromCdn() {
 	@Test
 	public void onH2ConsoleWithLocalResources() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(true, true);
+			new ContentSecurityPolicyHeaderWriter(true, true, Random.host());
 		String[] directives = writer.constructDirectives("/console/").split(";");
 		
 		// test only the directives that are differ from the index page
@@ -374,7 +376,7 @@ public void onH2ConsoleWithLocalResources() {
 	@Test
 	public void onH2ConsoleWithResourcesFromCdn() {
 		ContentSecurityPolicyHeaderWriter writer =
-			new ContentSecurityPolicyHeaderWriter(false, false);
+			new ContentSecurityPolicyHeaderWriter(false, false, Random.host());
 		String[] directives = writer.constructDirectives("/console/").split(";");
 		
 		// "style-src" directive should be the same as for the index page
diff --git a/src/test/java/ru/mystamps/web/tests/Random.java b/src/test/java/ru/mystamps/web/tests/Random.java
@@ -32,6 +32,7 @@
 import ru.mystamps.web.feature.series.SeriesValidation;
 import ru.mystamps.web.feature.series.importing.ImportRequestFullInfo;
 import ru.mystamps.web.feature.series.importing.SeriesImportDb.SeriesImportRequestStatus;
+import ru.mystamps.web.feature.site.SiteUrl;
 import ru.mystamps.web.service.TestObjects;
 
 import java.math.BigDecimal;
@@ -299,6 +300,10 @@ public static String jsoupLocator() {
 		return sample("#id", "a[href]", "img[src$=.png]", "div#logo");
 	}
 	
+	public static String host() {
+		return sample(SiteUrl.SITE, SiteUrl.PUBLIC_URL);
+	}
+	
 	private static Set<String> catalogNumbers() {
 		final int minSize = 1;
 		final int maxSize = 7;
