CSP: extract logic for adding headers to a separate class.

php-coder · php-coder · commit f270eb3fb6c0 · 2017-09-22T00:22:09.000+02:00
Addressed to #226 No functional changes.
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java b/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2009-2017 Slava Semushin <slava.semushin@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package ru.mystamps.web.support.spring.security;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.web.header.HeaderWriter;
+
+import ru.mystamps.web.Url;
+
+/**
+ * Implementation of {@link HeaderWriter} that is adding CSP header depending on the current URL.
+ */
+class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
+
+	private static final String COLLECTION_INFO_PAGE_PATTERN =
+		Url.INFO_COLLECTION_PAGE.replace("{slug}", "");
+	
+	// default policy prevents loading resources from any source
+	private static final String DEFAULT_SRC = "default-src 'none'";
+	
+	// - 'self' is required for uploaded images and its previews
+	// - 'https://cdn.rawgit.com' is required by languages.png (TODO: GH #246)
+	// - 'https://raw.githubusercontent.com' is required by languages.png
+	// CheckStyle: ignore LineLength for next 1 line
+	private static final String IMG_SRC = "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com";
+	
+	// - 'self' is required by glyphicons-halflings-regular.woff2 from bootstrap
+	private static final String FONT_SRC = "font-src 'self'";
+	
+	// CheckStyle: ignore LineLength for next 1 line
+	private static final String REPORT_URI = "report-uri https://mystamps.report-uri.io/r/default/csp/reportOnly";
+	
+	// - 'self' is required for our own CSS files
+	// - 'https://cdn.rawgit.com' is required by languages.min.css (TODO: GH #246)
+	// - 'sha256-Dpm...' is required for 'box-shadow: none; border: 0px;' inline CSS
+	// that are using on /series/add and /series/{id} pages.
+	private static final String STYLE_SRC =
+		"style-src 'self' https://cdn.rawgit.com"
+		+ " 'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='";
+	
+	// - 'https://www.gstatic.com' is required by Google Charts
+	// - 'sha256-/kX...' is required for 'overflow: hidden;' inline CSS that is using
+	// by Google Charts.
+	private static final String STYLE_COLLECTION_INFO =
+		" https://www.gstatic.com 'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='";
+	
+	// - 'self' is required for our own JS files
+	// - 'unsafe-inline' is required by jquery.min.js (that is using code inside of
+	// event handlers. We can't use hashing algorithms because they aren't supported
+	// for handlers. In future, we should get rid of jQuery or use
+	// 'unsafe-hashed-attributes' from CSP3. Details:
+	// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
+	// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
+	private static final String SCRIPT_SRC = "script-src 'self' 'unsafe-inline'";
+	
+	// - 'unsafe-eval' is required by loader.js from Google Charts
+	// - 'https://www.gstatic.com' is required by Google Charts
+	private static final String SCRIPT_COLLECTION_INFO = " 'unsafe-eval' https://www.gstatic.com";
+	
+	// - 'self' is required for AJAX requests from our scripts (country suggestions)
+	private static final String CONNECT_SRC = "connect-src 'self'";
+	
+	private static final char SEPARATOR = ';';
+	
+	private static final int MIN_HEADER_LENGTH =
+		DEFAULT_SRC.length()
+		+ IMG_SRC.length()
+		+ FONT_SRC.length()
+		+ REPORT_URI.length()
+		+ STYLE_SRC.length()
+		+ SCRIPT_SRC.length()
+		+ CONNECT_SRC.length()
+		// number of separators between directives
+		+ 6;
+	
+	@Override
+	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
+		response.setHeader("Content-Security-Policy-Report-Only", constructDirectives(request));
+	}
+
+	private static String constructDirectives(HttpServletRequest request) {
+		boolean onCollectionInfoPage =
+			request.getRequestURI().startsWith(COLLECTION_INFO_PAGE_PATTERN);
+		
+		StringBuilder sb = new StringBuilder(MIN_HEADER_LENGTH);
+		
+		sb.append(DEFAULT_SRC).append(SEPARATOR)
+		  .append(IMG_SRC).append(SEPARATOR)
+		  .append(FONT_SRC).append(SEPARATOR)
+		  .append(REPORT_URI).append(SEPARATOR)
+		  .append(STYLE_SRC);
+		
+		if (onCollectionInfoPage) {
+			sb.append(STYLE_COLLECTION_INFO);
+		}
+		sb.append(SEPARATOR)
+		  .append(SCRIPT_SRC);
+		
+		if (onCollectionInfoPage) {
+			sb.append(SCRIPT_COLLECTION_INFO);
+		}
+		
+		sb.append(SEPARATOR)
+		  .append(CONNECT_SRC);
+		
+		return sb.toString();
+	}
+	
+}
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java b/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java
@@ -46,11 +46,6 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
-import org.springframework.security.web.header.HeaderWriter;
-import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
-import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 
 import ru.mystamps.web.Url;
 import ru.mystamps.web.config.ServicesConfig;
@@ -122,22 +117,7 @@ protected void configure(HttpSecurity http) throws Exception {
 				.disable()
 			.headers()
 				.defaultsDisabled() // TODO
-				.addHeaderWriter(
-					new DelegatingRequestMatcherHeaderWriter(
-						new NegatedRequestMatcher(
-							new AntPathRequestMatcher(
-								Url.INFO_COLLECTION_PAGE.replace("{slug}", "**")
-							)
-						),
-						getCspForCommonPages()
-					)
-				)
-				.addHeaderWriter(
-					new DelegatingRequestMatcherHeaderWriter(
-						new AntPathRequestMatcher(Url.INFO_COLLECTION_PAGE.replace("{slug}", "**")),
-						getCspForCollectionInfoPage()
-					)
-				);
+				.addHeaderWriter(new ContentSecurityPolicyHeaderWriter());
 	}
 	
 	// Used in ServicesConfig.getUserService()
@@ -198,74 +178,4 @@ private UserDetailsService getUserDetailsService() {
 		return new CustomUserDetailsService(servicesConfig.getUserService());
 	}
 	
-	private HeaderWriter getCspForCommonPages() {
-		ContentSecurityPolicyHeaderWriter writer = new ContentSecurityPolicyHeaderWriter(
-			// default policy prevents loading resources from any source
-			"default-src 'none'; "
-			// 'self' is required for: our own CSS files
-			// 'https://cdn.rawgit.com' is required for: languages.min.css (TODO: GH #246)
-			// 'sha256-Dpm...' is required for: 'box-shadow: none; border: 0px;' inline CSS
-			// that are using on /series/add and /series/{id} pages.
-			+ "style-src 'self' https://cdn.rawgit.com "
-				+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='; "
-			// 'self' is required for: our own JS files
-			// 'unsafe-inline' is required for: jquery.min.js (that is using code inside of
-			// event handlers. We can't use hashing algorithms because they aren't supported
-			// for handlers. In future, we should get rid of jQuery or use
-			// 'unsafe-hashed-attributes' from CSP3. Details:
-			// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
-			// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
-			+ "script-src 'self' 'unsafe-inline'; "
-			// 'self' is required for: AJAX requests from our scripts (country suggestions)
-			+ "connect-src 'self'; "
-			// 'self' is required for: uploaded images and its previews
-			// 'https://cdn.rawgit.com' is required for: languages.png (TODO: GH #246)
-			// 'https://raw.githubusercontent.com' is required for: languages.png
-			+ "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com; "
-			// 'self' is required for: glyphicons-halflings-regular.woff2 from bootstrap
-			+ "font-src 'self'; "
-			+ "report-uri https://mystamps.report-uri.io/r/default/csp/reportOnly"
-		);
-		writer.setReportOnly(true);
-		return writer;
-	}
-	
-	private HeaderWriter getCspForCollectionInfoPage() {
-		ContentSecurityPolicyHeaderWriter writer = new ContentSecurityPolicyHeaderWriter(
-			// default policy prevents loading resources from any source
-			"default-src 'none'; "
-			// 'self' is required for: our own CSS files
-			// 'https://cdn.rawgit.com' is required for: languages.min.css (TODO: GH #246)
-			// 'https://www.gstatic.com' is required for: Google Charts on collection page.
-			// 'sha256-Dpm...' is required for: 'box-shadow: none; border: 0px;' inline CSS
-			// that are using on /series/add and /series/{id} pages.
-			// 'sha256-/kX...' is required for: 'overflow: hidden;' inline CSS that is using
-			// bg Google Charts on collection page.
-			+ "style-src 'self' https://cdn.rawgit.com https://www.gstatic.com "
-				+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU=' "
-				+ "'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='; "
-			// 'self' is required for: our own JS files
-			// 'unsafe-inline' is required for: jquery.min.js (that is using code inside of
-			// event handlers. We can't use hashing algorithms because they aren't supported
-			// for handlers. In future, we should get rid of jQuery or use
-			// 'unsafe-hashed-attributes' from CSP3. Details:
-			// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
-			// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
-			// 'unsafe-eval' is required for: loader.js (for Google Charts)
-			// 'https://www.gstatic.com' is required for: Google Charts on collection page.
-			+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com; "
-			// 'self' is required for: AJAX requests from our scripts (country suggestions)
-			+ "connect-src 'self'; "
-			// 'self' is required for: uploaded images and its previews
-			// 'https://cdn.rawgit.com' is required for: languages.png (TODO: GH #246)
-			// 'https://raw.githubusercontent.com' is required for: languages.png
-			+ "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com; "
-			// 'self' is required for: glyphicons-halflings-regular.woff2 from bootstrap
-			+ "font-src 'self'; "
-			+ "report-uri https://mystamps.report-uri.io/r/default/csp/reportOnly"
-		);
-		writer.setReportOnly(true);
-		return writer;
-	}
-	
 }
