CSP Adjustments

Author: brunobritodev

src/Backend/Jp.Application/AutoMapper/ViewModelToDomainMappingProfile.cs

@@ -70,7 +70,7 @@ public ViewModelToDomainMappingProfile()
              * Identity Resource commands
              */
             CreateMap<IdentityResource, RegisterIdentityResourceCommand>().ConstructUsing(c => new RegisterIdentityResourceCommand(c));
-            CreateMap<IdentityResource, UpdateIdentityResourceCommand>().ConstructUsing(c => new UpdateIdentityResourceCommand(c));
+            CreateMap<IdentityResourceViewModel, UpdateIdentityResourceCommand>().ConstructUsing(c => new UpdateIdentityResourceCommand(c,c.OldName));
             CreateMap<RemoveIdentityResourceViewModel, RemoveIdentityResourceCommand>().ConstructUsing(c => new RemoveIdentityResourceCommand(c.Name));
 
             /*

src/Backend/Jp.Application/ViewModels/IdentityResourceViewModels/IdentityResourceViewModel.cs

@@ -0,0 +1,9 @@
+using IdentityServer4.Models;
+
+namespace Jp.Application.ViewModels.IdentityResourceViewModels
+{
+    public class IdentityResourceViewModel : IdentityResource
+    {
+        public string OldName { get; set; }
+    }
+}

src/Backend/Jp.Domain/CommandHandlers/IdentityResourceCommandHandler.cs

@@ -62,8 +62,8 @@ public async Task<bool> Handle(UpdateIdentityResourceCommand request, Cancellati
                 NotifyValidationErrors(request);
                 return false;
             }
-
-            var savedClient = await _identityResourceRepository.GetByName(request.Resource.Name);
+            
+            var savedClient = await _identityResourceRepository.GetByName(request.OldIdentityResourceName != request.Resource.Name ? request.OldIdentityResourceName : request.Resource.Name);
             if (savedClient == null)
             {
                 await Bus.RaiseEvent(new DomainNotification("1", "Resource not found"));

src/Backend/Jp.Domain/Commands/IdentityResource/IdentityResourceCommand.cs

@@ -6,6 +6,8 @@ namespace Jp.Domain.Commands.IdentityResource
     public abstract class IdentityResourceCommand : Command
     {
         public IdentityServer4.Models.IdentityResource Resource { get; protected set; }
+        
+        public string OldIdentityResourceName { get; protected set; }
 
     }
 }

src/Backend/Jp.Domain/Commands/IdentityResource/UpdateIdentityResourceCommand.cs

@@ -4,9 +4,10 @@ namespace Jp.Domain.Commands.IdentityResource
 {
     public class UpdateIdentityResourceCommand : IdentityResourceCommand
     {
-        public UpdateIdentityResourceCommand(IdentityServer4.Models.IdentityResource resource)
+        public UpdateIdentityResourceCommand(IdentityServer4.Models.IdentityResource resource,string oldIdentityResourceName)
         {
             Resource = resource;
+            this.OldIdentityResourceName = oldIdentityResourceName;
         }
 
         public override bool IsValid()

src/Backend/Jp.UserManagement/Controllers/IdentityResourceController.cs

@@ -54,8 +54,8 @@ public async Task<ActionResult<DefaultResponse<bool>>> Save([FromBody] IdentityR
             return Response(true);
         }
 
-        [HttpPost, Route("update"), Authorize(Policy = "Admin")]
-        public async Task<ActionResult<DefaultResponse<bool>>> Update([FromBody] IdentityResource model)
+        [HttpPut, Route("update"), Authorize(Policy = "Admin")]
+        public async Task<ActionResult<DefaultResponse<bool>>> Update([FromBody] IdentityResourceViewModel model)
         {
             if (!ModelState.IsValid)
             {

src/Frontend/Jp.AdminUI/src/app/panel/identity-resources/edit/identity-resource-edit.component.ts

@@ -1,6 +1,6 @@
 import { Component, OnInit } from "@angular/core";
 import { TranslatorService } from "@core/translator/translator.service";
-import { flatMap } from "rxjs/operators";
+import { flatMap,tap } from "rxjs/operators";
 import { ActivatedRoute, Router } from "@angular/router";
 import { ToasterConfig, ToasterService } from "angular2-toaster";
 import { DefaultResponse } from "@shared/viewModel/default-response.model";
@@ -26,6 +26,7 @@ export class IdentityResourceEditComponent implements OnInit {
     });
     public showButtonLoading: boolean;
     standardClaims: string[];
+    public name:string;
 
     constructor(
         private route: ActivatedRoute,
@@ -35,7 +36,13 @@ export class IdentityResourceEditComponent implements OnInit {
         public toasterService: ToasterService) { }
 
     public ngOnInit() {
-        this.route.params.pipe(flatMap(p => this.identityResourceService.getIdentityResourceDetails(p["name"]))).subscribe(result => this.model = result.data);
+        
+        this.route.params
+        .pipe(tap(p => this.name = p["name"]))
+        .pipe(flatMap(p => 
+            this.identityResourceService.getIdentityResourceDetails(p["name"])
+        ))
+        .subscribe(result => this.model = result.data);
         this.errors = [];
         this.showButtonLoading = false;
         this.standardClaims = StandardClaims.claims;
@@ -46,7 +53,7 @@ export class IdentityResourceEditComponent implements OnInit {
         this.showButtonLoading = true;
         this.errors = [];
         try {
-
+            this.model.oldName = this.name;
             this.identityResourceService.update(this.model).subscribe(
                 registerResult => {
                     if (registerResult.data) {

src/Frontend/Jp.AdminUI/src/app/shared/viewModel/identity-resource.model.ts

@@ -13,4 +13,5 @@ export class IdentityResource {
     displayName: string;
     description: string;
     userClaims: string[];
+    oldName:string;
 }

src/Frontend/Jp.UI.SSO/Configuration/SecurityHeadersConfiguration.cs

@@ -1,14 +1,14 @@
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.HttpOverrides;
-using System.Collections.Generic;
 
 namespace Jp.UI.SSO.Configuration
 {
     public static class SecurityHeadersConfiguration
     {
         public static void UseSecurityHeaders(this IApplicationBuilder app, IHostingEnvironment env)
         {
+
             app.UseForwardedHeaders(new ForwardedHeadersOptions()
             {
                 ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
@@ -22,22 +22,28 @@ public static void UseSecurityHeaders(this IApplicationBuilder app, IHostingEnvi
             app.UseCsp(options =>
             {
                 options.DefaultSources(o => o.Self());
+                options.ObjectSources(o => o.None());
+                options.FrameAncestors(o => o.None());
+                options.Sandbox(directive => directive.AllowForms().AllowSameOrigin().AllowScripts());
+                options.BaseUris(configuration => configuration.Self());
                 options.FrameSources(o => o.Self()
                     // this custom source can be removed in your build
                     .CustomSources("https://ghbtns.com"));
-                options.FrameAncestors(o => o.CustomSources("http:"));
-                options.StyleSources(o => o.Self());
-                options.ObjectSources(o => o.None());
+
+                if (env.IsProduction())
+                    options.UpgradeInsecureRequests();
                 options.ImageSources(a =>
                 {
                     a.Self();
                     a.CustomSources = new[] { "data: https:" };
                 });
                 options.FontSources(configuration => configuration.Self().CustomSources("https://fonts.googleapis.com/", "https://fonts.gstatic.com/"));
-                options.ConnectSources(s => s.CustomSources("https://dc.services.visualstudio.com"));
-                options.ScriptSources(s => s.UnsafeInline().CustomSources("https://az416426.vo.msecnd.net", @"sha256-ZT3q7lL9GXNGhPTB1Vvrvds2xw/kOV0zoeok2tiV23I="));
+                options.ConnectSources(s => s.Self().CustomSources("https://dc.services.visualstudio.com"));
+                options.ScriptSources(s => s.Self().UnsafeInline().CustomSources("https://az416426.vo.msecnd.net"));
 
             });
+
+
         }
 
     }

src/Frontend/Jp.UI.SSO/Startup.cs

@@ -30,7 +30,7 @@ public Startup(IHostingEnvironment environment, ILogger<Startup> logger)
             {
                 builder.AddUserSecrets<Startup>();
             }
-            
+
 
             Configuration = builder.Build();
             _environment = environment;
@@ -86,7 +86,7 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
                 app.UseHttpsRedirection();
             }
 
-            //app.UseSecurityHeaders(env);
+            app.UseSecurityHeaders(env);
             app.UseStaticFiles();
             app.UseIdentityServer();
             app.UseLocalization();