From 8913292c1193c416e5a54997e3635bef87affc01 Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Sun, 2 Jan 2022 15:55:20 +0200 Subject: [PATCH] feat: add preset CSP nonce (#2096) Closes https://github.com/ory/kratos-selfservice-ui-node/issues/162 --- internal/httpclient/api/openapi.yaml | 9 ++++++ internal/httpclient/docs/UiNodeAttributes.md | 23 ++++++++++++- .../httpclient/docs/UiNodeScriptAttributes.md | 23 ++++++++++++- .../model_ui_node_script_attributes.go | 32 ++++++++++++++++++- selfservice/strategy/webauthn/login_test.go | 1 + .../strategy/webauthn/settings_test.go | 2 ++ spec/api.json | 5 +++ spec/swagger.json | 5 +++ ui/node/attributes.go | 9 ++++++ ui/node/attributes_input.go | 1 + 10 files changed, 107 insertions(+), 3 deletions(-) diff --git a/internal/httpclient/api/openapi.yaml b/internal/httpclient/api/openapi.yaml index 46d1ddf0d473..7e7e8751a0b7 100644 --- a/internal/httpclient/api/openapi.yaml +++ b/internal/httpclient/api/openapi.yaml @@ -4606,6 +4606,14 @@ components: type: string node_type: type: string + nonce: + description: |- + Nonce for CSP + + A nonce you may want to use to improve your Content Security Policy. + You do not have to use this value but if you want to improve your CSP + policies you may use it. You can also choose to use your own nonce value! + type: string referrerpolicy: description: The script referrer policy type: string @@ -4621,6 +4629,7 @@ components: - id - integrity - node_type + - nonce - referrerpolicy - src - type diff --git a/internal/httpclient/docs/UiNodeAttributes.md b/internal/httpclient/docs/UiNodeAttributes.md index 4ebd64616ea4..b1643366b35f 100644 --- a/internal/httpclient/docs/UiNodeAttributes.md +++ b/internal/httpclient/docs/UiNodeAttributes.md 
@@ -23,13 +23,14 @@ Name | Type | Description | Notes **Async** | **bool** | The script async type | **Crossorigin** | **string** | The script cross origin policy | **Integrity** | **string** | The script's integrity hash | +**Nonce** | **string** | Nonce for CSP A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value! | **Referrerpolicy** | **string** | The script referrer policy | ## Methods ### NewUiNodeAttributes -`func NewUiNodeAttributes(disabled bool, name string, nodeType string, type_ string, id string, text UiText, src string, href string, title UiText, async bool, crossorigin string, integrity string, referrerpolicy string, ) *UiNodeAttributes` +`func NewUiNodeAttributes(disabled bool, name string, nodeType string, type_ string, id string, text UiText, src string, href string, title UiText, async bool, crossorigin string, integrity string, nonce string, referrerpolicy string, ) *UiNodeAttributes` NewUiNodeAttributes instantiates a new UiNodeAttributes object This constructor will assign default values to properties that have it defined, @@ -469,6 +470,26 @@ and a boolean to check if the value has been set. SetIntegrity sets Integrity field to given value. +### GetNonce + +`func (o *UiNodeAttributes) GetNonce() string` + +GetNonce returns the Nonce field if non-nil, zero value otherwise. + +### GetNonceOk + +`func (o *UiNodeAttributes) GetNonceOk() (*string, bool)` + +GetNonceOk returns a tuple with the Nonce field if it's non-nil, zero value otherwise +and a boolean to check if the value has been set. + +### SetNonce + +`func (o *UiNodeAttributes) SetNonce(v string)` + +SetNonce sets Nonce field to given value. + + ### GetReferrerpolicy `func (o *UiNodeAttributes) GetReferrerpolicy() string` 
diff --git a/internal/httpclient/docs/UiNodeScriptAttributes.md b/internal/httpclient/docs/UiNodeScriptAttributes.md index 8d31ec697be7..d6dfa8576e78 100644 --- a/internal/httpclient/docs/UiNodeScriptAttributes.md +++ b/internal/httpclient/docs/UiNodeScriptAttributes.md @@ -9,6 +9,7 @@ Name | Type | Description | Notes **Id** | **string** | A unique identifier | **Integrity** | **string** | The script's integrity hash | **NodeType** | **string** | | +**Nonce** | **string** | Nonce for CSP A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value! | **Referrerpolicy** | **string** | The script referrer policy | **Src** | **string** | The script source | **Type** | **string** | The script MIME type | @@ -17,7 +18,7 @@ Name | Type | Description | Notes ### NewUiNodeScriptAttributes -`func NewUiNodeScriptAttributes(async bool, crossorigin string, id string, integrity string, nodeType string, referrerpolicy string, src string, type_ string, ) *UiNodeScriptAttributes` +`func NewUiNodeScriptAttributes(async bool, crossorigin string, id string, integrity string, nodeType string, nonce string, referrerpolicy string, src string, type_ string, ) *UiNodeScriptAttributes` NewUiNodeScriptAttributes instantiates a new UiNodeScriptAttributes object This constructor will assign default values to properties that have it defined, 
@@ -132,6 +133,26 @@ and a boolean to check if the value has been set. SetNodeType sets NodeType field to given value. +### GetNonce + +`func (o *UiNodeScriptAttributes) GetNonce() string` + +GetNonce returns the Nonce field if non-nil, zero value otherwise. + +### GetNonceOk + +`func (o *UiNodeScriptAttributes) GetNonceOk() (*string, bool)` + +GetNonceOk returns a tuple with the Nonce field if it's non-nil, zero value otherwise +and a boolean to check if the value has been set. + +### SetNonce + +`func (o *UiNodeScriptAttributes) SetNonce(v string)` + +SetNonce sets Nonce field to given value. + + ### GetReferrerpolicy `func (o *UiNodeScriptAttributes) GetReferrerpolicy() string` diff --git a/internal/httpclient/model_ui_node_script_attributes.go b/internal/httpclient/model_ui_node_script_attributes.go index 9449867c871c..a077823a78b7 100644 --- a/internal/httpclient/model_ui_node_script_attributes.go +++ b/internal/httpclient/model_ui_node_script_attributes.go @@ -26,6 +26,8 @@ type UiNodeScriptAttributes struct { // The script's integrity hash Integrity string `json:"integrity"` NodeType string `json:"node_type"` + // Nonce for CSP A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value! + Nonce string `json:"nonce"` // The script referrer policy Referrerpolicy string `json:"referrerpolicy"` // The script source 
@@ -38,13 +40,14 @@ type UiNodeScriptAttributes struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUiNodeScriptAttributes(async bool, crossorigin string, id string, integrity string, nodeType string, referrerpolicy string, src string, type_ string) *UiNodeScriptAttributes { +func NewUiNodeScriptAttributes(async bool, crossorigin string, id string, integrity string, nodeType string, nonce string, referrerpolicy string, src string, type_ string) *UiNodeScriptAttributes { this := UiNodeScriptAttributes{} this.Async = async this.Crossorigin = crossorigin this.Id = id this.Integrity = integrity this.NodeType = nodeType + this.Nonce = nonce this.Referrerpolicy = referrerpolicy this.Src = src this.Type = type_ @@ -179,6 +182,30 @@ func (o *UiNodeScriptAttributes) SetNodeType(v string) { o.NodeType = v } +// GetNonce returns the Nonce field value +func (o *UiNodeScriptAttributes) GetNonce() string { + if o == nil { + var ret string + return ret + } + + return o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value +// and a boolean to check if the value has been set. +func (o *UiNodeScriptAttributes) GetNonceOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Nonce, true +} + +// SetNonce sets field value +func (o *UiNodeScriptAttributes) SetNonce(v string) { + o.Nonce = v +} + // GetReferrerpolicy returns the Referrerpolicy field value func (o *UiNodeScriptAttributes) GetReferrerpolicy() string { if o == nil { @@ -268,6 +295,9 @@ func (o UiNodeScriptAttributes) MarshalJSON() ([]byte, error) { if true { toSerialize["node_type"] = o.NodeType } + if true { + toSerialize["nonce"] = o.Nonce + } if true { toSerialize["referrerpolicy"] = o.Referrerpolicy } 
diff --git a/selfservice/strategy/webauthn/login_test.go b/selfservice/strategy/webauthn/login_test.go
index 3d249f5b27ce..fc60e89bd520 100644
--- a/selfservice/strategy/webauthn/login_test.go
+++ b/selfservice/strategy/webauthn/login_test.go
@@ -67,6 +67,7 @@ func TestCompleteLogin(t *testing.T) {
 "1.attributes.onclick",
 "1.attributes.onload",
 "3.attributes.src",
+ "3.attributes.nonce",
 })
 ensureReplacement(t, "1", f.Ui, "allowCredentials")
 })
diff --git a/selfservice/strategy/webauthn/settings_test.go b/selfservice/strategy/webauthn/settings_test.go
index 715f73333320..4708ae649ed2 100644
--- a/selfservice/strategy/webauthn/settings_test.go
+++ b/selfservice/strategy/webauthn/settings_test.go
@@ -133,6 +133,7 @@ func TestCompleteSettings(t *testing.T) {
 "0.attributes.value",
 "4.attributes.onclick",
 "6.attributes.src",
+ "6.attributes.nonce",
 })
 ensureReplacement(t, "4", f.Ui, "Ory Corp")
 })
@@ -149,6 +150,7 @@ func TestCompleteSettings(t *testing.T) {
 "2.attributes.onload",
 "2.attributes.onclick",
 "4.attributes.src",
+ "4.attributes.nonce",
 })
 ensureReplacement(t, "2", f.Ui, "Ory Corp")
 })
diff --git a/spec/api.json b/spec/api.json
index 4a0a17f61125..afee92988f97 100755
--- a/spec/api.json
+++ b/spec/api.json
@@ -1763,6 +1763,10 @@
 "node_type": {
 "$ref": "#/components/schemas/uiNodeType"
 },
+ "nonce": {
+ "description": "Nonce for CSP\n\nA nonce you may want to use to improve your Content Security Policy.\nYou do not have to use this value but if you want to improve your CSP\npolicies you may use it. You can also choose to use your own nonce value!",
+ "type": "string"
+ },
 "referrerpolicy": {
 "description": "The script referrer policy",
 "type": "string"
@@ -1784,6 +1788,7 @@
 "integrity",
 "type",
 "id",
+ "nonce",
 "node_type"
 ],
 "title": "ScriptAttributes represent script nodes which load javascript.",
diff --git a/spec/swagger.json b/spec/swagger.json
index 3e3d79fad90c..d317c09cfb43 100755
--- a/spec/swagger.json
+++ b/spec/swagger.json
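Review bot: The added exclusions in the login_test.go hunk and in both settings_test.go hunks only drop `attributes.nonce` from the snapshot comparison; no assertion checks that the script node actually carries a nonce, so a regression that leaves the field empty would still pass. Since the value is generated at runtime it is right to keep it out of the snapshot, but add a positive check beside the existing `ensureReplacement` calls that reads the script node's `attributes.nonce` from `f.Ui` and requires it to be non-empty. TestCompleteLogin and TestCompleteSettings both begin and end outside these hunks.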
@@ -3600,6 +3600,7 @@
 "integrity",
 "type",
 "id",
+ "nonce",
 "node_type"
 ],
 "properties": {
@@ -3622,6 +3623,10 @@
 "node_type": {
 "$ref": "#/definitions/uiNodeType"
 },
+ "nonce": {
+ "description": "Nonce for CSP\n\nA nonce you may want to use to improve your Content Security Policy.\nYou do not have to use this value but if you want to improve your CSP\npolicies you may use it. You can also choose to use your own nonce value!",
+ "type": "string"
+ },
 "referrerpolicy": {
 "description": "The script referrer policy",
 "type": "string"
diff --git a/ui/node/attributes.go b/ui/node/attributes.go
index eb91804b84f8..386a7a4c3e5e 100644
--- a/ui/node/attributes.go
+++ b/ui/node/attributes.go
@@ -197,6 +197,15 @@ type ScriptAttributes struct {
 // required: true
 Identifier string `json:"id"`
 
+ // Nonce for CSP
+ //
+ // A nonce you may want to use to improve your Content Security Policy.
+ // You do not have to use this value but if you want to improve your CSP
+ // policies you may use it. You can also choose to use your own nonce value!
+ //
+ // required: true
+ Nonce string `json:"nonce"`
+
 // NodeType represents this node's types. It is a mirror of `node.type` and
 // is primarily used to allow compatibility with OpenAPI 3.0.
 //
diff --git a/ui/node/attributes_input.go b/ui/node/attributes_input.go
index bf489691f1fe..b57c2c6c1175 100644
--- a/ui/node/attributes_input.go
+++ b/ui/node/attributes_input.go
@@ -137,6 +137,7 @@ func NewScriptField(name string, src string, group Group, integrity string, opts
 ReferrerPolicy: "no-referrer",
 CrossOrigin: "anonymous",
 Integrity: integrity,
+ Nonce: x.NewUUID().String(),
 }),
 Meta: &Meta{},
 }
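Review bot: The doc comment on the new `Nonce` field in the ui/node/attributes.go hunk tells integrators they may use the value in their Content Security Policy but not what they can rely on: how it is generated, how much entropy it carries, and whether it is fresh per response or fixed for the node's lifetime. Without that, a consumer cannot decide between this value and one of their own. Extend the comment with a sentence such as `// The value is generated server-side when the script node is created and is not regenerated for that node; if your policy requires a fresh nonce per response, generate your own.`, verifying the lifetime claim against how nodes are persisted before adopting it. ScriptAttributes begins before this hunk and its remaining fields continue past it.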
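Review bot: `Nonce: x.NewUUID().String()` in the ui/node/attributes_input.go hunk builds the CSP nonce from a UUID rather than from a dedicated random token. If `x.NewUUID` produces a version-4 UUID the value holds 122 random bits, slightly below the 128 bits CSP Level 3 recommends for nonces, and its hyphenated textual form is only valid inside `'nonce-…'` because `-` happens to be in the permitted base64url alphabet. Reading 16 bytes from `crypto/rand` and encoding them with `base64.RawURLEncoding` yields a value that matches the spec's `base64-value` grammar directly and makes the entropy explicit. Separately, the nonce is fixed when the node is constructed, so any response that serves this node again carries the same value; if nodes are persisted with the flow, that erodes the per-response uniqueness a nonce-based policy relies on. NewScriptField begins before this hunk and the returned struct continues past it.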