CONSOLE-4292: Console-operator should configure console with the CSP allowed directives

Author: jhadvig

pkg/console/subresource/configmap/configmap.go

@@ -84,6 +84,7 @@ func DefaultConfigMap(
 		Monitoring(monitoringSharedConfig).
 		Plugins(getPluginsEndpointMap(availablePlugins)).
 		I18nNamespaces(pluginsWithI18nNamespace(availablePlugins)).
+		ContentSecurityPolicies(aggregateCSPDirectives(availablePlugins)).
 		Proxy(getPluginsProxyServices(availablePlugins)).
 		CustomLogoFile(operatorConfig.Spec.Customization.CustomLogoFile.Key).
 		CustomProductName(operatorConfig.Spec.Customization.CustomProductName).
@@ -131,6 +132,32 @@ func DefaultConfigMap(
 	return configMap, willMergeConfigOverrides, nil
 }
 
+func aggregateCSPDirectives(plugins []*v1.ConsolePlugin) map[v1.DirectiveType][]string {
+	aggregated := make(map[v1.DirectiveType]map[string]struct{}) // Use a map to ensure uniqueness
+
+	for _, plugin := range plugins {
+		for _, csp := range plugin.Spec.ContentSecurityPolicy {
+			if aggregated[csp.Directive] == nil {
+				aggregated[csp.Directive] = make(map[string]struct{}) // Initialize if not already done
+			}
+			for _, v := range csp.Values {
+				stringValue := string(v)
+				aggregated[csp.Directive][stringValue] = struct{}{} // Use empty struct for uniqueness
+			}
+		}
+	}
+
+	// Convert back to the desired format
+	result := make(map[v1.DirectiveType][]string)
+	for directive, valuesMap := range aggregated {
+		for value := range valuesMap {
+			result[directive] = append(result[directive], value)
+		}
+	}
+
+	return result
+}
+
 func pluginsWithI18nNamespace(availablePlugins []*v1.ConsolePlugin) []string {
 	i18nNamespaces := []string{}
 	for _, plugin := range availablePlugins {

pkg/console/subresource/configmap/configmap_test.go

@@ -8,12 +8,14 @@ import (
 	yaml "gopkg.in/yaml.v2"
 
 	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 
 	configv1 "github.com/openshift/api/config/v1"
+	consolev1 "github.com/openshift/api/console/v1"
 	v1 "github.com/openshift/api/console/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	routev1 "github.com/openshift/api/route/v1"
@@ -1295,3 +1297,85 @@ customization:
 		})
 	}
 }
+
+func TestAggregateCSPDirectives(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  []*consolev1.ConsolePlugin
+		output map[consolev1.DirectiveType][]string
+	}{
+		{
+			name: "Test aggregate CSP directives",
+			input: []*consolev1.ConsolePlugin{
+				{
+					Spec: consolev1.ConsolePluginSpec{
+						ContentSecurityPolicy: []consolev1.ConsolePluginCSP{
+							{
+								Directive: consolev1.DefaultSrc,
+								Values:    []consolev1.CSPDirectiveValue{"source1", "source2"},
+							},
+							{
+								Directive: consolev1.ScriptSrc,
+								Values:    []consolev1.CSPDirectiveValue{"script1"},
+							},
+						},
+					},
+				},
+				{
+					Spec: consolev1.ConsolePluginSpec{
+						ContentSecurityPolicy: []consolev1.ConsolePluginCSP{
+							{
+								Directive: consolev1.DefaultSrc,
+								Values:    []consolev1.CSPDirectiveValue{"source2", "source3"},
+							},
+							{
+								Directive: consolev1.StyleSrc,
+								Values:    []consolev1.CSPDirectiveValue{"style1", "style2"},
+							},
+						},
+					},
+				},
+			},
+			output: map[consolev1.DirectiveType][]string{
+				consolev1.DefaultSrc: {"source1", "source2", "source3"},
+				consolev1.ScriptSrc:  {"script1"},
+				consolev1.StyleSrc:   {"style1", "style2"},
+			},
+		},
+		{
+			name: "Test aggregate CSP directives",
+			input: []*consolev1.ConsolePlugin{
+				{
+					Spec: consolev1.ConsolePluginSpec{},
+				},
+				{
+					Spec: consolev1.ConsolePluginSpec{
+						ContentSecurityPolicy: []consolev1.ConsolePluginCSP{
+							{
+								Directive: consolev1.DefaultSrc,
+								Values:    []consolev1.CSPDirectiveValue{"source1", "source2"},
+							},
+							{
+								Directive: consolev1.StyleSrc,
+								Values:    []consolev1.CSPDirectiveValue{"style1", "style2"},
+							},
+						},
+					},
+				},
+			},
+			output: map[consolev1.DirectiveType][]string{
+				consolev1.DefaultSrc: {"source1", "source2"},
+				consolev1.StyleSrc:   {"style1", "style2"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := aggregateCSPDirectives(tt.input)
+			if diff := cmp.Diff(tt.output, result); len(diff) > 0 {
+				t.Error(diff)
+			}
+		})
+	}
+}

pkg/console/subresource/consoleserver/config_builder.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	configv1 "github.com/openshift/api/config/v1"
+	v1 "github.com/openshift/api/console/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/console-operator/pkg/api"
 	authconfigsub "github.com/openshift/console-operator/pkg/console/subresource/authentication"
@@ -75,6 +76,7 @@ type ConsoleServerCLIConfigBuilder struct {
 	sessionEncryptionFile      string
 	sessionAuthenticationFile  string
 	capabilities               []operatorv1.Capability
+	contentSecurityPolicyList  map[v1.DirectiveType][]string
 }
 
 func (b *ConsoleServerCLIConfigBuilder) Host(host string) *ConsoleServerCLIConfigBuilder {
@@ -207,6 +209,11 @@ func (b *ConsoleServerCLIConfigBuilder) Plugins(plugins map[string]string) *Cons
 	return b
 }
 
+func (b *ConsoleServerCLIConfigBuilder) ContentSecurityPolicies(cspList map[v1.DirectiveType][]string) *ConsoleServerCLIConfigBuilder {
+	b.contentSecurityPolicyList = cspList
+	return b
+}
+
 func (b *ConsoleServerCLIConfigBuilder) I18nNamespaces(i18nNamespaces []string) *ConsoleServerCLIConfigBuilder {
 	b.i18nNamespaceList = i18nNamespaces
 	return b
@@ -244,19 +251,20 @@ func (b *ConsoleServerCLIConfigBuilder) CopiedCSVsDisabled(copiedCSVsDisabled bo
 
 func (b *ConsoleServerCLIConfigBuilder) Config() Config {
 	return Config{
-		Kind:           "ConsoleConfig",
-		APIVersion:     "console.openshift.io/v1",
-		Auth:           b.auth(),
-		Session:        b.session(),
-		ClusterInfo:    b.clusterInfo(),
-		Customization:  b.customization(),
-		ServingInfo:    b.servingInfo(),
-		Providers:      b.providers(),
-		MonitoringInfo: b.monitoringInfo(),
-		Plugins:        b.plugins(),
-		I18nNamespaces: b.i18nNamespaces(),
-		Proxy:          b.proxy(),
-		Telemetry:      b.telemetry,
+		Kind:                  "ConsoleConfig",
+		APIVersion:            "console.openshift.io/v1",
+		Auth:                  b.auth(),
+		Session:               b.session(),
+		ClusterInfo:           b.clusterInfo(),
+		Customization:         b.customization(),
+		ServingInfo:           b.servingInfo(),
+		Providers:             b.providers(),
+		MonitoringInfo:        b.monitoringInfo(),
+		Plugins:               b.plugins(),
+		I18nNamespaces:        b.i18nNamespaces(),
+		Proxy:                 b.proxy(),
+		ContentSecurityPolicy: b.contentSecurityPolicy(),
+		Telemetry:             b.telemetry,
 	}
 }
 
@@ -520,6 +528,10 @@ func (b *ConsoleServerCLIConfigBuilder) i18nNamespaces() []string {
 	return b.i18nNamespaceList
 }
 
+func (b *ConsoleServerCLIConfigBuilder) contentSecurityPolicy() map[v1.DirectiveType][]string {
+	return b.contentSecurityPolicyList
+}
+
 func (b *ConsoleServerCLIConfigBuilder) proxy() Proxy {
 	return Proxy{
 		Services: b.proxyServices,

pkg/console/subresource/consoleserver/config_builder_test.go

@@ -1288,6 +1288,8 @@ customization:
           resource: namespaces
           subresource: ""
           name: ""
+          fieldselector: null
+          labelselector: null
         missing:
         - namespace: ""
           verb: list
@@ -1296,6 +1298,8 @@ customization:
           resource: clusterroles
           subresource: ""
           name: ""
+          fieldselector: null
+          labelselector: null
   - id: perspective2
     visibility:
       state: Disabled
@@ -1354,6 +1358,8 @@ customization:
           resource: namespaces
           subresource: ""
           name: ""
+          fieldselector: null
+          labelselector: null
         missing:
         - namespace: ""
           verb: list
@@ -1362,6 +1368,8 @@ customization:
           resource: clusterroles
           subresource: ""
           name: ""
+          fieldselector: null
+          labelselector: null
     pinnedResources:
     - group: apps
       version: v1
@@ -1424,6 +1432,8 @@ customization:
           resource: namespaces
           subresource: ""
           name: ""
+          fieldselector: null
+          labelselector: null
         missing:
         - namespace: ""
           verb: list
@@ -1432,6 +1442,8 @@ customization:
           resource: clusterroles
           subresource: ""
           name: ""
+          fieldselector: null
+          labelselector: null
     pinnedResources: []
   - id: perspective2
     visibility:

pkg/console/subresource/consoleserver/types.go

@@ -2,6 +2,7 @@ package consoleserver
 
 import (
 	configv1 "github.com/openshift/api/config/v1"
+	v1 "github.com/openshift/api/console/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
 )
@@ -17,19 +18,20 @@ import (
 
 // Config is the top-level console server cli configuration.
 type Config struct {
-	APIVersion     string `yaml:"apiVersion"`
-	Kind           string `yaml:"kind"`
-	ServingInfo    `yaml:"servingInfo"`
-	ClusterInfo    `yaml:"clusterInfo"`
-	Auth           `yaml:"auth"`
-	Session        `yaml:"session"`
-	Customization  `yaml:"customization"`
-	Providers      `yaml:"providers"`
-	MonitoringInfo `yaml:"monitoringInfo,omitempty"`
-	Plugins        map[string]string `yaml:"plugins,omitempty"`
-	I18nNamespaces []string          `yaml:"i18nNamespaces,omitempty"`
-	Proxy          Proxy             `yaml:"proxy,omitempty"`
-	Telemetry      map[string]string `yaml:"telemetry,omitempty"`
+	APIVersion            string `yaml:"apiVersion"`
+	Kind                  string `yaml:"kind"`
+	ServingInfo           `yaml:"servingInfo"`
+	ClusterInfo           `yaml:"clusterInfo"`
+	Auth                  `yaml:"auth"`
+	Session               `yaml:"session"`
+	Customization         `yaml:"customization"`
+	Providers             `yaml:"providers"`
+	MonitoringInfo        `yaml:"monitoringInfo,omitempty"`
+	Plugins               map[string]string             `yaml:"plugins,omitempty"`
+	I18nNamespaces        []string                      `yaml:"i18nNamespaces,omitempty"`
+	Proxy                 Proxy                         `yaml:"proxy,omitempty"`
+	ContentSecurityPolicy map[v1.DirectiveType][]string `yaml:"contentSecurityPolicy,omitempty"`
+	Telemetry             map[string]string             `yaml:"telemetry,omitempty"`
 }
 
 type Proxy struct {