Merge pull request #39 from PDOK/pdok-17865-csp-header-middleware-v3

Content-Security-Policy header middleware toevoegen aan nieuwe atom-o…

Author: jelledijkstra97

cmd/main.go

@@ -22,8 +22,11 @@ import (
 	"flag"
 	"os"
 
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
 	"github.com/go-logr/zapr"
 	"github.com/pdok/smooth-operator/pkg/integrations/logging"
+	"github.com/peterbourgon/ff"
 	"go.uber.org/zap/zapcore"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -84,6 +87,7 @@ func main() {
 	var tlsOpts []func(*tls.Config)
 	var slackWebhookURL string
 	var logLevel int
+	var csp string
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metrics endpoint binds to. "+
 		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
@@ -102,8 +106,18 @@ func main() {
 	flag.StringVar(&lighttpdImage, "lighttpd-image", defaultLighttpdImage, "The image to use in the Atom pod.")
 	flag.StringVar(&slackWebhookURL, "slack-webhook-url", "", "The webhook url for sending slack messages. Disabled if left empty")
 	flag.IntVar(&logLevel, "log-level", 0, "The zapcore loglevel. 0 = info, 1 = warn, 2 = error")
+	flag.StringVar(&csp, "csp", "", "Content-Security-Policy to serve as a HTTP header")
+	opts := zap.Options{
+		Development: true,
+	}
+	opts.BindFlags(flag.CommandLine)
+
+	if err := ff.Parse(flag.CommandLine, os.Args[1:], ff.WithEnvVarNoPrefix()); err != nil {
+		setupLog.Error(err, "unable to parse flags")
+		os.Exit(1)
+	}
 
-	flag.Parse()
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	//nolint:gosec
 	levelEnabler := zapcore.Level(logLevel)
@@ -177,6 +191,7 @@ func main() {
 		Scheme:             mgr.GetScheme(),
 		AtomGeneratorImage: atomGeneratorImage,
 		LighttpdImage:      lighttpdImage,
+		CSP:                csp,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Atom")
 		os.Exit(1)

config/crd/content-security-policy.txt

@@ -0,0 +1,7 @@
+default-src 'self';
+script-src 'self' 'unsafe-inline';
+frame-ancestors 'none';
+style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net;
+connect-src 'self' https://*.pdok.nl;
+img-src 'self' data: https://*.pdok.nl;
+font-src 'self' https://cdn.jsdelivr.net;

config/crd/kustomization.yaml

@@ -5,6 +5,11 @@ resources:
 - bases/pdok.nl_atoms.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
+configMapGenerator:
+  - name: atom-operator-config
+    files:
+      - CSP=content-security-policy.txt
+
 patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD

config/manager/manager.yaml

@@ -86,6 +86,12 @@ spec:
             cpu: 10m
             memory: 64Mi
         volumeMounts: []
+        env:
+          - name: CSP
+            valueFrom:
+              configMapKeyRef:
+                name: atom-operator-config
+                key: CSP
       volumes: []
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

go.mod

@@ -81,6 +81,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/peterbourgon/ff v1.7.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.21.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect

go.sum

@@ -1,5 +1,6 @@
 cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4=
 cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
@@ -135,6 +136,7 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
 github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -152,6 +154,9 @@ github.com/pdok/atom-generator v0.6.3 h1:wg491zQAokf6ePr1HcfVpF3mhMG2WroFPFpu14c
 github.com/pdok/atom-generator v0.6.3/go.mod h1:IlPwti5ocXDTjB4xmz0ZpHCOW/suuW5gQMfjfwPX6uM=
 github.com/pdok/smooth-operator v0.0.19 h1:ky7rmKkqm4R1H1TjOJZJ+TkdU/nSp2AbdtiLAkqt1QU=
 github.com/pdok/smooth-operator v0.0.19/go.mod h1:ohDqrUnmS7wK8TrNHJnFS/mDgf26Yhb8mtRBX3ixdr4=
+github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
+github.com/peterbourgon/ff v1.7.1 h1:xt1lxTG+Nr2+tFtysY7abFgPoH3Lug8CwYJMOmJRXhk=
+github.com/peterbourgon/ff v1.7.1/go.mod h1:fYI5YA+3RDqQRExmFbHnBjEeWzh9TrS8rnRpEq7XIg0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -331,6 +336,7 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/controller/atom_controller.go

@@ -75,6 +75,7 @@ type AtomReconciler struct {
 	Scheme             *runtime.Scheme
 	AtomGeneratorImage string
 	LighttpdImage      string
+	CSP                string
 }
 
 // +kubebuilder:rbac:groups=pdok.nl,resources=atoms,verbs=get;list;watch;create;update;patch;delete
@@ -195,7 +196,7 @@ func (r *AtomReconciler) createOrUpdateAllForAtom(ctx context.Context, atom *pdo
 
 	corsHeadersMiddleware := getBareHeadersMiddleware(atom)
 	operationResults[smoothutil.GetObjectFullName(r.Client, corsHeadersMiddleware)], err = controllerutil.CreateOrUpdate(ctx, r.Client, corsHeadersMiddleware, func() error {
-		return r.mutateHeadersMiddleware(atom, corsHeadersMiddleware)
+		return r.mutateHeadersMiddleware(atom, corsHeadersMiddleware, r.CSP)
 	})
 	if err != nil {
 		return operationResults, fmt.Errorf("could not create or update resource %s: %w", smoothutil.GetObjectFullName(c, corsHeadersMiddleware), err)

internal/controller/atom_controller_test.go

@@ -335,7 +335,7 @@ func testAtomMutates(name string) {
 
 	It("Should generate a correct Headers Middleware", func() {
 		testMutate("Headers Middleware", getBareHeadersMiddleware(&atom), outputPath+"middleware-headers.yaml", func(m *traefikiov1alpha1.Middleware) error {
-			return reconciler.mutateHeadersMiddleware(&atom, m)
+			return reconciler.mutateHeadersMiddleware(&atom, m, "default-src 'self';")
 		})
 	})
 

internal/controller/middleware.go

@@ -51,13 +51,17 @@ func getBareHeadersMiddleware(obj metav1.Object) *traefikiov1alpha1.Middleware {
 	}
 }
 
-func (r *AtomReconciler) mutateHeadersMiddleware(atom *pdoknlv3.Atom, middleware *traefikiov1alpha1.Middleware) error {
+func (r *AtomReconciler) mutateHeadersMiddleware(atom *pdoknlv3.Atom, middleware *traefikiov1alpha1.Middleware, csp string) error {
 	labels := getLabels(atom)
 	if err := smoothutil.SetImmutableLabels(r.Client, middleware, labels); err != nil {
 		return err
 	}
 	middleware.Spec = traefikiov1alpha1.MiddlewareSpec{
 		Headers: &dynamic.Headers{
+			// CSP
+			ContentSecurityPolicy: csp,
+			// Frame-Options
+			FrameDeny: true,
 			CustomResponseHeaders: map[string]string{
 				"Access-Control-Allow-Headers": "Content-Type",
 				"Access-Control-Allow-Method":  "GET, OPTIONS, HEAD",

internal/controller/test_data/maximum-atom/expected-output/middleware-headers.yaml

@@ -19,5 +19,5 @@ spec:
       Access-Control-Allow-Headers: Content-Type
       Access-Control-Allow-Method: GET, OPTIONS, HEAD
       Access-Control-Allow-Origin: "*"
-#    contentSecurityPolicy: # TODO
+    contentSecurityPolicy: "default-src 'self';"
     frameDeny: true