Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor: read custom Content Security Policy config from env #292

Merged
merged 2 commits into from
Jan 25, 2022
Merged

Refactor: read custom Content Security Policy config from env #292

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1d956c5
refactor(settings): read custom CSP config from env
thekaveman Jan 22, 2022
76d2fe8
fix(tests): minimal CSP settings for test env
thekaveman Jan 24, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .devcontainer/.env.sample
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ CONFIG_FILE=??_*.json
DJANGO_ADMIN=false
DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1,[::1]
DJANGO_TRUSTED_ORIGINS=http://localhost,http://127.0.0.1
DJANGO_CSP_CONNECT_SRC=https://example1.com,https://example2.com
DJANGO_CSP_FONT_SRC=https://example1.com,https://example2.com
DJANGO_CSP_SCRIPT_SRC=https://example1.com,https://example2.com
DJANGO_CSP_STYLE_SRC=https://example1.com,https://example2.com
DJANGO_DB=django
DJANGO_DEBUG=true
DJANGO_INIT_PATH=fixtures/??_*.json
Expand Down
23 changes: 2 additions & 21 deletions .devcontainer/compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,16 +4,7 @@ services:
client:
build: ..
image: benefits_client:latest
environment:
- ANALYTICS_KEY
- DJANGO_ADMIN
- DJANGO_ALLOWED_HOSTS
- DJANGO_TRUSTED_ORIGINS
- DJANGO_DB
- DJANGO_DEBUG
- DJANGO_INIT_PATH
- DJANGO_LOG_LEVEL
- DJANGO_SECRET_KEY
env_file: .env
ports:
- "8000"
volumes:
Expand All @@ -25,17 +16,7 @@ services:
context: ..
dockerfile: .devcontainer/Dockerfile
image: benefits_client:dev
environment:
- ANALYTICS_KEY
- CYPRESS_baseUrl
- DJANGO_ADMIN
- DJANGO_ALLOWED_HOSTS
- DJANGO_TRUSTED_ORIGINS
- DJANGO_DB
- DJANGO_DEBUG
- DJANGO_INIT_PATH
- DJANGO_LOG_LEVEL
- DJANGO_SECRET_KEY
env_file: .env
entrypoint: []
command: sleep infinity
depends_on:
Expand Down
35 changes: 19 additions & 16 deletions benefits/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,11 @@
"""
import os


def _filter_empty(ls):
return [s for s in ls if s]


# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

Expand All @@ -14,7 +19,7 @@

ADMIN = os.environ.get("DJANGO_ADMIN", "False").lower() == "true"

ALLOWED_HOSTS = os.environ["DJANGO_ALLOWED_HOSTS"].split(",")
ALLOWED_HOSTS = _filter_empty(os.environ["DJANGO_ALLOWED_HOSTS"].split(","))

# Application definition

Expand Down Expand Up @@ -62,7 +67,7 @@
CSRF_COOKIE_AGE = None
CSRF_COOKIE_SAMESITE = "Strict"
CSRF_COOKIE_HTTPONLY = True
CSRF_TRUSTED_ORIGINS = os.environ["DJANGO_TRUSTED_ORIGINS"].split(",")
CSRF_TRUSTED_ORIGINS = _filter_empty(os.environ["DJANGO_TRUSTED_ORIGINS"].split(","))

SESSION_COOKIE_SAMESITE = "Strict"
SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
Expand Down Expand Up @@ -198,25 +203,23 @@
# In particular, note that the inner single-quotes are required!
# https://django-csp.readthedocs.io/en/latest/configuration.html#policy-settings


CSP_DEFAULT_SRC = ["'self'"]

CSP_CONNECT_SRC = ["'self'", "https://api.amplitude.com/"]
env_connect_src = _filter_empty(os.environ.get("DJANGO_CSP_CONNECT_SRC", "").split(","))
CSP_CONNECT_SRC = ["'self'"]
CSP_CONNECT_SRC.extend(env_connect_src)

CSP_FONT_SRC = ["https://california.azureedge.net/cdt/statetemplate/", "https://fonts.gstatic.com/"]
env_font_src = _filter_empty(os.environ.get("DJANGO_CSP_FONT_SRC", "").split(","))
CSP_FONT_SRC = list(env_font_src)

CSP_FRAME_ANCESTORS = ["'none'"]
CSP_FRAME_SRC = ["'none'"]

CSP_SCRIPT_SRC = [
"'unsafe-inline'",
"https://cdn.amplitude.com/libs/",
"https://code.jquery.com/",
"*.littlepay.com",
]
env_script_src = _filter_empty(os.environ.get("DJANGO_CSP_SCRIPT_SRC", "").split(","))
CSP_SCRIPT_SRC = ["'unsafe-inline'"]
CSP_SCRIPT_SRC.extend(env_script_src)

CSP_STYLE_SRC = [
"'self'",
"'unsafe-inline'",
"https://california.azureedge.net/cdt/statetemplate/",
"https://fonts.googleapis.com/css",
]
env_style_src = _filter_empty(os.environ.get("DJANGO_CSP_STYLE_SRC", "").split(","))
CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]
CSP_STYLE_SRC.extend(env_style_src)
3 changes: 3 additions & 0 deletions tests/cypress/.env.tests
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@
DJANGO_ADMIN=false
DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1,[::1]
DJANGO_TRUSTED_ORIGINS=http://localhost,http://127.0.0.1
DJANGO_CSP_FONT_SRC=https://california.azureedge.net/cdt/statetemplate/,https://fonts.gstatic.com/
DJANGO_CSP_SCRIPT_SRC=https://code.jquery.com/
DJANGO_CSP_STYLE_SRC=https://california.azureedge.net/cdt/statetemplate/,https://fonts.googleapis.com/css
DJANGO_DB=django
DJANGO_DEBUG=false
DJANGO_INIT_PATH=fixtures/??_*.json
Expand Down