feat: csp secu (#101)

* feat: csp dynamic header in nginx.conf

* bump: 2.2.0-rc.0

* ci: change branches

* ci: update deps

* ci: change to pogues-ci

* fix: nginx conf (not multi-line allowed)

* bump: 2.2.0-rc.1

* fix: csp for font (load as data) & bump to 2.2.0-rc.2

Author: laurentC35

.github/workflows/release-develop.yml

@@ -1,112 +1,102 @@
-name: Build release candidate
+name: Main CI
 
 on:
   push:
-    branches:
-      - main
+    branches: ['main']
+  pull_request:
+    types: [opened, synchronize, reopened]
 
 jobs:
-  check-version:
+  build:
     runs-on: ubuntu-latest
-    outputs:
-      release-version: ${{ steps.version.outputs.pe-version }}
-      tag-already-exists: ${{ steps.checkTag.outputs.exists }}
+    if: github.event.head_commit.author.name != 'github-actions[bot]'
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Get version
-        id: version
-        run: echo "pe-version=$(cat package.json | jq -r '.version')" >> $GITHUB_OUTPUT
-
-      - name: Print version
-        run: echo ${{ steps.version.outputs.pe-version }}
-
-      - uses: mukunku/tag-exists-action@v1.2.0
-        id: checkTag
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          tag: ${{ steps.version.outputs.pe-version }}
-
-      - if: ${{ steps.checkTag.outputs.exists == 'true' }}
-        name: "Skip release"
-        run: echo "Nothing to tag/release, the release ${{ steps.version.outputs.pe-version }} already exists"
+          node-version: '20'
+      - run: yarn && yarn build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: public-enemy
+          path: dist
 
-  create-release:
-    needs: check-version
+  check_if_version_upgraded:
+    needs: build
     runs-on: ubuntu-latest
-    if: ${{ needs.check-version.outputs.tag-already-exists == 'false' }}
+    if: |
+      github.event_name == 'push' || 
+      github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    outputs:
+      version: ${{ steps.version.outputs.prop }}
+      is_version_changed: ${{ steps.check.outputs.exists == 'false' }}
+      is_pre_release: ${{ contains(steps.version.outputs.prop, '-rc' ) }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - id: version
+        uses: notiz-dev/github-action-json-property@release
         with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Get previous tag
-        id: previousTag
-        run: echo "previousTag=$(git --no-pager tag --sort=creatordate --merged ${{ github.ref_name }} | grep '^[0-9]\+\.[0-9]\+\.[0-9]\+$' | tail -1)" >> $GITHUB_OUTPUT
-
-      - name: Create release note
-        id: changelog
-        uses: requarks/changelog-action@v1
-        with:
-          fromTag: ${{ github.sha }}
-          toTag: ${{ steps.previousTag.outputs.previousTag}}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          writeToFile: false
-
-      - uses: softprops/action-gh-release@v1
+          path: 'package.json'
+          prop_path: 'version'
+      ## we check if repo contains already this tag, if not version, has changed
+      - uses: mukunku/tag-exists-action@v1.6.0
+        id: check
         with:
-          tag_name: ${{ needs.check-version.outputs.release-version }}
-          target_commitish: ${{ github.head_ref || github.ref }}
-          name: ${{ needs.check-version.outputs.release-version }}
-          body: ${{steps.changelog.outputs.changes}}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.version.outputs.prop }}
 
-  build-release:
-    needs: create-release
+  docker_public_enemy:
+    needs: check_if_version_upgraded
+    if: |
+      (github.event_name == 'push' || needs.check_if_version_upgraded.outputs.is_pre_release == 'true') && 
+      needs.check_if_version_upgraded.outputs.is_version_changed == 'true'
     runs-on: ubuntu-latest
     steps:
-      - name: Extract branch name
-        shell: bash
-        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >>$GITHUB_OUTPUT
-        id: extract_branch
-
-      - uses: actions/checkout@v3
-        with:
-          ref: ${{ steps.extract_branch.outputs.branch }}
-
-      - name: Use Node.js 18
-        uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
         with:
-          node-version: 18
-      - run: yarn
-      - run: yarn build
-
-      - name: Upload build
-        uses: actions/upload-artifact@v3
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: actions/download-artifact@v4
         with:
-          name: build
+          name: public-enemy
           path: dist
-  docker:
-    needs:
-      - check-version
-      - build-release
+      - uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          context: '.'
+          push: true
+          tags: |
+            inseefr/public-enemy:latest,
+            inseefr/public-enemy:${{ needs.check_if_version_upgraded.outputs.version }}
+
+  release:
     runs-on: ubuntu-latest
+    needs: check_if_version_upgraded
+    # We create release only if the version in the package.json have been upgraded and this CI is running against the main branch.
+    # We allow branches with a PR open on main to publish pre-release (x.y.z-rc.u) but not actual releases.
+    if: |
+      (github.event_name == 'push' || needs.check_if_version_upgraded.outputs.is_pre_release == 'true') && 
+      needs.check_if_version_upgraded.outputs.is_version_changed == 'true'
     steps:
-      - uses: actions/checkout@v3
-
-      - name: Download build
-        id: download
-        uses: actions/download-artifact@v3
+      - uses: actions/checkout@v4
         with:
-          name: build
+          ref: ${{ github.ref }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: public-enemy
           path: dist
-
-      - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+      - name: Zip bundle
+        run: cd dist && zip -r ../public-enemy.zip ./*
+      - uses: softprops/action-gh-release@v2
         with:
-          name: inseefr/public-enemy
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-          tags: "${{ needs.check-version.outputs.release-version }}"
+          name: Release ${{ needs.check_if_version_upgraded.outputs.version }}
+          tag_name: ${{ needs.check_if_version_upgraded.outputs.version }}
+          target_commitish: ${{ github.head_ref || github.ref }}
+          generate_release_notes: true
+          draft: false
+          prerelease: ${{ needs.check_if_version_upgraded.outputs.is_pre_release == 'true' }}
+          files: ./public-enemy.zip
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-main.yml

@@ -14,12 +14,12 @@ COPY --chown=$NGINX_USER:$NGINX_USER dist /usr/share/nginx/html
 
 # Copy nginx configuration
 RUN rm etc/nginx/conf.d/default.conf
-COPY --chown=$NGINX_USER:$NGINX_USER container/nginx.conf etc/nginx/conf.d/
+COPY --chown=$NGINX_USER:$NGINX_USER container/nginx.conf etc/nginx/conf.d/nginx.conf.template
 
 
 # Add entrypoint
 COPY --chown=$NGINX_USER:$NGINX_USER container/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+COPY --chown=$NGINX_USER:$NGINX_USER container/nginx-envs.sh /nginx-envs.sh
+RUN chmod 755 /entrypoint.sh && chmod 755 /nginx-envs.sh
 
-ENTRYPOINT [ "/entrypoint.sh" ]
-CMD ["nginx", "-g", "daemon off;"]
+ENTRYPOINT sh -c "/entrypoint.sh && /nginx-envs.sh && nginx -g 'daemon off;'"

Dockerfile

@@ -0,0 +1,27 @@
+#!/bin/sh
+function originOf(){
+    if [[ ! -z $1 ]]; then echo "$(echo "$1" | awk -F[/] '{print $1 "//" $3 }')"; fi
+}
+function originsOf(){
+    origins=""; for url in $1; do origins="$origins $(originOf $url)";done; echo $origins
+}
+
+# If you are in Micro-front-end environnement i.e, you need to load script from other origin to run your app, you must provide MFE_URL var
+export DEFAULT_SRC="'self'"
+# Please, avoid inline script, prefer use <script src="my-script.js"/> (be careful with vite-envs library <= 4.6.0)
+export SCRIPT_SRC="$DEFAULT_SRC 'unsafe-inline'"
+# Some css library inject style as inline, so we allow that.
+export STYLE_SRC="$DEFAULT_SRC 'unsafe-inline'"
+export FONT_SRC="$DEFAULT_SRC data:"
+# Keep 'data:' if you load img as blob inside src attribute of img, remove if not
+export IMG_SRC="$DEFAULT_SRC data:"
+# Keep 'blob:' if you load dynamically a worker as blob, remove if not
+export WORKER_SRC="$DEFAULT_SRC blob:"
+# Connect src CSP header is all origin of:
+# fetch, XHR, WebSocket, origin appears in ping attribute of <a/>, So all origin of http/ws requests you made (oidc server, api, etc..)
+export CONNECT_SRC="$DEFAULT_SRC $(originsOf "$VITE_API_URL $VITE_AUTH_URL")"
+# Frame src: the workflow of oidc auth in frontend needs having server auth origin as frame-src (iframe is temporarily created)
+export FRAME_SRC="$DEFAULT_SRC $(originOf $VITE_AUTH_URL)"
+
+envsubst '${DEFAULT_SRC} ${SCRIPT_SRC} ${STYLE_SRC} ${FONT_SRC} ${IMG_SRC} ${WORKER_SRC} ${CONNECT_SRC} ${FRAME_SRC}' < /etc/nginx/conf.d/nginx.conf.template > /etc/nginx/conf.d/default.conf
+