Univention Bugzilla – Bug 51211
Make Content-Security-Policy configurable for SAML, UMC and Self-Service
Last modified: 2020-08-03 13:15:06 CEST
For the functionality of embedding iframes in the Portal we must make the Content-Security-Policy of SAML, UMC-login and Self-Service configurable via UCR.
Example UCR variables:

saml/apache2/content-security-policy/frame-ancestors: 'self' https://ucs-sso.school.dev https://master90.school.dev
umc/http/content-security-policy/frame-ancestors: 'self' https://ucs-sso.school.dev https://master90.school.dev
umc/login/content-security-policy/frame-ancestors: 'self' https://ucs-sso.school.dev https://master90.school.dev
umc/self-service/content-security-policy/frame-ancestors: 'self'

univention-management-console (11.0.4-65)
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
52c904966fa4 | Bug #51211: make Content-Security-Policy configurable

univention-saml.yaml
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
089bb4aab080 | YAML Bug #51211

univention-self-service (4.0.3-26)
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
7878cab84c66 | Bug #51211: make Content-Security-Policy configurable

univention-saml (6.0.2-38)
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
fa43886efa44 | Bug #51211: make Content-Security-Policy configurable

univention-management-console.yaml
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
089bb4aab080 | YAML Bug #51211

univention-self-service.yaml
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
089bb4aab080 | YAML Bug #51211
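The following is an added example, not code from the Univention packages referenced in this bug. It models two things the report describes: rendering a Content-Security-Policy header value from UCR variables of the form <component>/content-security-policy/<directive>, and the X-Frame-Options to frame-ancestors conversion the QA checklist mentions. It also adds a simplified frame-ancestors evaluator so an administrator can check offline which embedding origins a given variable value would admit. The sample UCR values are constructed after the keys shown above; the default-src variable and the function names are assumptions.

```python
"""Added example (not Univention code): build a CSP header value from UCR-style
variables and evaluate a frame-ancestors source list against an embedding origin."""
import re

# Constructed sample, modelled on the UCR keys in the bug report.
# The default-src entry is an assumed extra directive, not from the report.
SAMPLE_UCR = {
    "umc/login/content-security-policy/frame-ancestors":
        "'self' https://ucs-sso.school.dev https://master90.school.dev",
    "umc/self-service/content-security-policy/frame-ancestors": "'self'",
    "umc/login/content-security-policy/default-src": "'self'",
}


def build_csp_header(ucr, prefix):
    """Join every '<prefix>/content-security-policy/<directive>' variable into
    one header value, e.g. "default-src 'self'; frame-ancestors 'self' https://...".
    Directives are emitted in sorted key order so the rendered output is stable."""
    base = prefix.rstrip("/") + "/content-security-policy/"
    directives = []
    for key in sorted(ucr):
        if key.startswith(base):
            directive = key[len(base):]
            value = ucr[key].strip()
            if directive and value:
                directives.append(f"{directive} {value}")
    return "; ".join(directives)


def x_frame_options_to_frame_ancestors(xfo):
    """Map the legacy X-Frame-Options values to the equivalent source list."""
    value = xfo.strip().upper()
    if value == "DENY":
        return "'none'"
    if value == "SAMEORIGIN":
        return "'self'"
    raise ValueError(f"no frame-ancestors equivalent for X-Frame-Options: {xfo!r}")


def _parse_origin(url):
    """Return (scheme, host, port) for 'scheme://host[:port]', filling in default ports."""
    m = re.match(r"^(https?)://([^/:]+)(?::(\d+))?/?$", url.strip().lower())
    if not m:
        raise ValueError(f"not an origin: {url!r}")
    scheme, host, port = m.groups()
    return scheme, host, int(port) if port else (443 if scheme == "https" else 80)


def frame_ancestors_allows(sources, embedder, self_origin):
    """Simplified CSP frame-ancestors check: may a page served from self_origin be
    framed by a document at embedder? Supports 'none', 'self', scheme-only sources
    ("https:") and host sources with an optional leading '*.' wildcard. A bare host
    without a scheme is matched against the embedder's scheme and default port."""
    tokens = sources.split()
    if tokens == ["'none'"]:
        return False
    e_scheme, e_host, e_port = _parse_origin(embedder)
    for tok in tokens:
        if tok == "'self'":
            if _parse_origin(self_origin) == (e_scheme, e_host, e_port):
                return True
        elif tok.startswith("'"):
            continue  # other keyword sources are not meaningful for frame-ancestors
        elif re.fullmatch(r"https?:", tok):
            if tok[:-1] == e_scheme:
                return True
        else:
            wildcard = tok.startswith("*.") or "://*." in tok
            plain = tok.replace("*.", "", 1)
            if "://" not in plain:
                plain = f"{e_scheme}://{plain}"
            s_scheme, s_host, s_port = _parse_origin(plain)
            host_ok = e_host == s_host or (wildcard and e_host.endswith("." + s_host))
            if host_ok and s_scheme == e_scheme and s_port == e_port:
                return True
    return False


if __name__ == "__main__":
    header = build_csp_header(SAMPLE_UCR, "umc/login")
    print("Content-Security-Policy:", header)
    fa = SAMPLE_UCR["umc/login/content-security-policy/frame-ancestors"]
    for origin in ("https://ucs-sso.school.dev", "https://evil.example"):
        print(origin, "->", frame_ancestors_allows(fa, origin, "https://master90.school.dev"))
```

Note that the evaluator deliberately ignores path components and the deprecated X-Frame-Options ALLOW-FROM, and it does not model the browser's full source-expression grammar; it is meant for sanity-checking a UCR value before an Apache reload, not as a replacement for testing in the browser.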
OK: X-Frame-Options converted to Content-Security-Policy frame-ancestors
OK: saml iframe for login (check) still works the same
OK: self service still works the same
OK: UMC still works the same
OK: umc/login/content-security-policy/.*
OK: umc/self-service/content-security-policy/.*
OK: saml/apache2/content-security-policy/.*
OK: yaml (4959380d6e Bug #51211: yaml)
-> verified
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/03_ucr/63checkucrwarning/master091/

03_ucr.63checkucrwarning.master091 fails for /etc/apache2/sites-available/univention-self-service.conf
(In reply to Julia Bremer from comment #3)
> http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/03_ucr/63checkucrwarning/master091/
>
> 03_ucr.63checkucrwarning.master091 fails for
> /etc/apache2/sites-available/univention-self-service.conf

hmm, the first line contains the warning:
1 @%@UCRWARNING=# @%@
fixed in:
univention-self-service (4.0.3-28)
61b917b7616f | Bug #51211: fix missing UCRWARNING header
ucs-test (9.0.3-198)
843cc97b3914 | Bug #51211: adjust test case
50d7d004e7 Bug #51211: adjust test case
Successful build
Package: ucs-test
Version: 9.0.3-199A~4.4.0.202005051551

Tests were successful on test vm
-> verified
(In reply to Johannes Keiser from comment #7)
> Tests were successful on test vm
> -> verified

https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=backup/testReport/60_umc/102_test_umc_security/backup093/

Please, do always check if the tests were successful in jenkins, too.
Reopening due to failing test 60_umc/102_test_umc_security.py on all roles.
It seems the test runs before any apache2 reload is done, that's why there are other UCR variables set in the template? Should we add a "service apache2 reload" into the joinscript?
60_umc.102_test_umc_security still fails, please fix this test (or we will deactivate the test)
The problem was that changing the UCR variable ucs/server/sso/fqdn did not trigger a UCR commit of some apache templates - so the rules never got enabled.

univention-management-console (11.0.4-75)
0dbc66393a52 | Bug #51211: fix ucr commit trigger for univention.conf

univention-portal.yaml
97bd6ba301c4 | YAML Bug #51211

univention-portal (3.0.2-5)
a7b47b3befe9 | Bug #51211: fix ucr commit trigger
OK: missing ucr trigger
OK: test is green
-> verified
<http://errata.software-univention.de/ucs/4.4/607.html>
<http://errata.software-univention.de/ucs/4.4/610.html>
<http://errata.software-univention.de/ucs/4.4/611.html>
<http://errata.software-univention.de/ucs/4.4/612.html>