Append CSP frame-ancestors option & Improve unit test (#2068)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -53,6 +53,7 @@ sub defaultValues {
         'cspDefault'                     => '\'self\'',
         'cspFont'                        => '\'self\'',
         'cspFormAction'                  => '*',
+        'cspFrameAncestors'              => '',
         'cspImg'                         => '\'self\' data:',
         'cspScript'                      => '\'self\'',
         'cspStyle'                       => '\'self\'',

lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm

@@ -108,7 +108,7 @@ sub portalConsts {
 }
 
 # EXPORTER PARAMETERS
-our @EXPORT_OK   = ('portalConsts');
+our @EXPORT_OK = ('portalConsts');
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
 
 1;

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -142,7 +142,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
                 eval {
                     do {
                         qr/$_[0]/;
-                    }
+                      }
                 };
                 return $@ ? ( 0, "__badRegexp__: $@" ) : 1;
             }
@@ -223,7 +223,8 @@ m[^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\
         },
         'select' => {
             'test' => sub {
-                my $test = grep( { $_ eq $_[0]; }
+                my $test =
+                  grep( { $_ eq $_[0]; }
                     map( { $_->{'k'}; } @{ $_[2]{'select'}; } ) );
                 return $test
                   ? 1
@@ -1048,6 +1049,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
             'default' => '*',
             'type'    => 'text'
         },
+        'cspFrameAncestors' => {
+            'default' => '',
+            'type'    => 'text'
+        },
         'cspImg' => {
             'default' => '\'self\' data:',
             'type'    => 'text'
@@ -1686,7 +1691,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
                     eval {
                         do {
                             qr/$_[0]/;
-                        }
+                          }
                     };
                     return $@ ? 0 : 1;
                 },

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -865,6 +865,11 @@ sub attributes {
             default       => "'self'",
             documentation => 'Font source for Content-Security-Policy',
         },
+        cspFrameAncestors => {
+            type          => 'text',
+            default       => '',
+            documentation => 'Frame-Ancestors for Content-Security-Policy',
+        },
         portalAntiFrame => {
             default       => 1,
             type          => 'bool',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -937,7 +937,7 @@ sub tree {
                                         'cspDefault', 'cspImg',
                                         'cspScript',  'cspStyle',
                                         'cspFont',    'cspFormAction',
-                                        'cspConnect',
+                                        'cspConnect', 'cspFrameAncestors'
                                     ]
                                 },
                                 {

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"استخدام القاعدة",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"cspConnect":"وجهات أجاكس",
 "cspDefault":"القيمة الاعتيادية ",
+"cspFont":" مصدر نوع الخط",
 "cspFormAction":"Form destinations",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"مصدر الصورة",
 "cspScript":"مصدر السكربت",
 "cspStyle":"مصدر الأسلوب ",
-"cspConnect":"وجهات أجاكس",
-"cspFont":" مصدر نوع الخط",
 "crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
 "corsEnabled":"Activation",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Use rule",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"cspConnect":"Ajax destinations",
 "cspDefault":"Default value",
+"cspFont":"Font source",
 "cspFormAction":"Form destinations",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"Image source",
 "cspScript":"Script source",
 "cspStyle":"Style source",
-"cspConnect":"Ajax destinations",
-"cspFont":"Font source",
 "crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
 "corsEnabled":"Activation",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Use rule",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"cspConnect":"Ajax destinations",
 "cspDefault":"Default value",
+"cspFont":"Font source",
 "cspFormAction":"Form destinations",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"Image source",
 "cspScript":"Script source",
 "cspStyle":"Style source",
-"cspConnect":"Ajax destinations",
-"cspFont":"Font source",
 "crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
 "corsEnabled":"Activation",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Règle d'utilisation des identités",
 "contextSwitchingRule":"Règle d'utilisation",
 "contextSwitchingStopWithLogout":"Arrêt par déconnexion",
+"cspConnect":"Destinations des requêtes AJAX",
 "cspDefault":"Valeur par défaut",
+"cspFont":"Sources des polices",
 "cspFormAction":"Destinations des formulaires",
+"cspFrameAncestors":"URL parentes des iFrames",
 "cspImg":"Sources des images",
 "cspScript":"Sources des scripts",
 "cspStyle":"Sources des styles",
-"cspConnect":"Destinations des requêtes AJAX",
-"cspFont":"Sources des polices",
 "crossOrigineResourceSharing":"Partage des ressources entre origines multiples",
 "corsEnabled":"Activation",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Le identità usano la regola",
 "contextSwitchingRule":"Utilizza la regola",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"cspConnect":"Destinazioni Ajax",
 "cspDefault":"Valore di default",
+"cspFont":"Origine carattere",
 "cspFormAction":"Formare le destinazioni",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"Origine immagine",
 "cspScript":"Origine script",
 "cspStyle":"Origine di stile",
-"cspConnect":"Destinazioni Ajax",
-"cspFont":"Origine carattere",
 "crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
 "corsEnabled":"Attivazione",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/tr.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Kimlik kullanım kuralı",
 "contextSwitchingRule":"Kuralı kullan",
 "contextSwitchingStopWithLogout":"Çıkış yapmayı durdur",
+"cspConnect":"Ajax hedefleri",
 "cspDefault":"Varsayılan değer",
+"cspFont":"Font kaynağı",
 "cspFormAction":"Hedefleri biçimlendir",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"Görüntü kaynağı",
 "cspScript":"Betik kaynağı",
 "cspStyle":"Stil kaynağı",
-"cspConnect":"Ajax hedefleri",
-"cspFont":"Font kaynağı",
 "crossOrigineResourceSharing":"Kökler Arası Kaynak Paylaşımı (CORS)",
 "corsEnabled":"Aktivasyon",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Quy tắc sử dụng",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"cspConnect":"Đích cúa Ajax",
 "cspDefault":"Giá trị mặc định",
+"cspFont":"Nguồn phông chữ",
 "cspFormAction":"Form destinations",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"Nguồn ảnh",
 "cspScript":"Nguồn kịch bản",
 "cspStyle":"Nguồn phong cách",
-"cspConnect":"Đích cúa Ajax",
-"cspFont":"Nguồn phông chữ",
 "crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
 "corsEnabled":"Kích hoạt",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -159,13 +159,14 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Use rule",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"cspConnect":"Ajax destinations",
 "cspDefault":"Default value",
+"cspFont":"字体源",
 "cspFormAction":"Form destinations",
+"cspFrameAncestors":"Frame ancestors URL",
 "cspImg":"Image source",
 "cspScript":"Script source",
 "cspStyle":"Style source",
-"cspConnect":"Ajax destinations",
-"cspFont":"字体源",
 "crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
 "corsEnabled":"Activation",
 "corsAllow_Credentials":"Access-Control-Allow-Credentials",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm

@@ -863,10 +863,18 @@ sub sendHtml {
     $csp .= ';';
 
     # Deny using portal in frame except if it is required
-    unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
+    unless ( $req->frame
+        or $self->conf->{portalAntiFrame} == 0
+        or $self->conf->{cspFrameAncestors} )
+    {
         push @{ $res->[1] }, 'X-Frame-Options' => 'DENY';
         $csp .= "frame-ancestors 'none';";
     }
+    if ( $self->conf->{cspFrameAncestors} ) {
+        push @{ $res->[1] }, 'X-Frame-Options' => 'ALLOW-FROM '
+          . "$self->{conf}->{cspFrameAncestors};";
+        $csp .= "frame-ancestors $self->{conf}->{cspFrameAncestors};";
+    }
 
     # Check if frames need to be embedded
     my @url;

lemonldap-ng-portal/site/htdocs/static/common/js/autoRenew.min.js

@@ -1 +1,2 @@
-(function(){$(document).ready(function(){return $("#upgrd").submit()})}).call(this);
+(function(){$(document).ready(function(){return $("#upgrd").submit()})}).call(this);
+//# sourceMappingURL=lemonldap-ng-portal/site/htdocs/static/common/js/autoRenew.min.js.map

lemonldap-ng-portal/site/htdocs/static/common/js/autoRenew.min.js.map

@@ -1 +1 @@
-{"version":3,"sources":["lemonldap-ng-portal/site/htdocs/static/common/js/autoRenew.js"],"names":["$","document","ready","submit","call","this"],"mappings":"CACA,WACEA,EAAEC,UAAUC,MAAM,WAChB,OAAOF,EAAE,UAAUG,aAGpBC,KAAKC"}
+{"version":3,"sources":["lemonldap-ng-portal/site/htdocs/static/common/js/autoRenew.js"],"names":["$","document","ready","submit","call","this"],"mappings":"CACA,WACEA,EAAEC,UAAUC,MAAM,WAChB,MAAOF,GAAE,UAAUG,aAGpBC,KAAKC","file":"lemonldap-ng-portal/site/htdocs/static/common/js/autoRenew.min.js"}

lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t

@@ -13,7 +13,8 @@ my $client = LLNG::Manager::Test->new( {
             corsAllow_Origin  => '',
             corsAllow_Methods => 'POST',
             cspFormAction     => '*',
-            customToTrace     => 'mail'
+            cspFrameAncestors => 'test.example.com',
+            customToTrace     => 'mail',
         }
     }
 );
@@ -54,10 +55,13 @@ my %headers = @{ $res->[1] };
 #CSP
 ok(
     $headers{'Content-Security-Policy'} =~
-/default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action \*;frame-ancestors 'none'/,
-    'CSP header value found'
+m%default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action \*;frame-ancestors test\.example\.com;%,
+    'CSP header values found'
 ) or print STDERR Dumper( $res->[1] );
-count(1);
+ok( $headers{'X-Frame-Options'} eq 'ALLOW-FROM test.example.com;',
+    'X-Frame-Options "ALLOW-FROM" found' )
+  or print STDERR Dumper( $res->[1] );
+count(2);
 
 # Try to authenticate with good password
 # --------------------------------------
@@ -106,7 +110,10 @@ ok( $headers{'Lm-Remote-User'} eq 'dwho', "Lm-Remote-User found" )
 ok( $headers{'Lm-Remote-Custom'} eq 'dwho@badwolf.org',
     "Lm-Remote-Custom found" )
   or print STDERR Dumper( $res->[1] );
-count(2);
+ok( $headers{'X-Frame-Options'} eq 'ALLOW-FROM test.example.com;',
+    'X-Frame-Options "ALLOW-FROM" found' )
+  or print STDERR Dumper( $res->[1] );
+count(3);
 
 checkCorsPolicy($res);