Bug 51211 - Make Content-Security-Policy configurable for SAML, UMC and Self-Service
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Florian Best
QA Contact: Johannes Keiser
Depends on:
Blocks:
Reported: 2020-05-04 12:04 CEST by Florian Best
Modified: 2020-08-03 13:15 CEST (History)
CC: 4 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Florian Best univentionstaff 2020-05-04 12:04:56 CEST
For the functionality of embedding iframes in the Portal we must make the Content-Security-Policy of SAML, UMC-login and Self-Service configurable via UCR.
Comment 1 Florian Best univentionstaff 2020-05-04 12:33:21 CEST
Example UCR variables:
saml/apache2/content-security-policy/frame-ancestors: 'self' https://ucs-sso.school.dev https://master90.school.dev
umc/http/content-security-policy/frame-ancestors: 'self' https://ucs-sso.school.dev https://master90.school.dev
umc/login/content-security-policy/frame-ancestors: 'self' https://ucs-sso.school.dev https://master90.school.dev
umc/self-service/content-security-policy/frame-ancestors: 'self'

univention-management-console (11.0.4-65)
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
52c904966fa4 | Bug #51211: make Content-Security-Policy configurable

univention-saml.yaml
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
089bb4aab080 | YAML Bug #51211

univention-self-service (4.0.3-26)
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
7878cab84c66 | Bug #51211: make Content-Security-Policy configurable

univention-saml (6.0.2-38)
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
fa43886efa44 | Bug #51211: make Content-Security-Policy configurable

univention-management-console.yaml
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
089bb4aab080 | YAML Bug #51211

univention-self-service.yaml
2b6653c417f8 | Bug #51211: Merge branch 'fbest/content-security-policy' into 4.4-4
089bb4aab080 | YAML Bug #51211
Comment 2 Johannes Keiser univentionstaff 2020-05-04 19:19:39 CEST
OK: X-Frame-Options converted to Content-Security-Policy frame-ancestors
OK: saml iframe for login (check) still works the same
OK: self service still works the same
OK: UMC still works the same
OK: umc/login/content-security-policy/.*
OK: umc/self-service/content-security-policy/.*
OK: saml/apache2/content-security-policy/.*
OK: yaml (4959380d6e Bug #51211: yaml)
-> verified
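Added example, not part of this bug report and not Univention's code: a small Python evaluation of the frame-ancestors lists from comment 1 the way a browser applies them, plus the closest X-Frame-Options value for each list. It illustrates the conversion QA ticks off in comment 2: X-Frame-Options knows only DENY, SAMEORIGIN and the deprecated single-origin ALLOW-FROM, so an allow list with several origins (the UMC login value) can only be expressed with CSP frame-ancestors. Assumptions: the UCR value is the bare source list that ends up after `frame-ancestors` in the header the web server sends; the embedded page lives at https://master90.school.dev; https://evil.example and the wildcard source in the test are constructed for the demo.

```python
"""Evaluate CSP frame-ancestors source lists against an embedding origin and
compare with what X-Frame-Options could express (added example, not UCS code)."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# UCR values as posted in comment 1 (value part only)
UCR_UMC_LOGIN = "'self' https://ucs-sso.school.dev https://master90.school.dev"
UCR_SELF_SERVICE = "'self'"


def csp_header(frame_ancestors: str) -> str:
    """Header value the web server is assumed to emit for a UCR value."""
    return "frame-ancestors %s" % frame_ancestors


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, effective port) of an origin URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS[scheme]


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.school.dev" -> ".school.dev"; the bare apex does not match
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def _scheme_matches(pattern_scheme: str, scheme: str) -> bool:
    # CSP lets an http: source also match https: (secure upgrade), never the reverse
    return pattern_scheme == scheme or (pattern_scheme == "http" and scheme == "https")


def source_matches(source: str, ancestor: str, page: str) -> bool:
    """Does one frame-ancestors source expression match the embedding origin?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(ancestor) == _origin(page)
    a_scheme, a_host, a_port = _origin(ancestor)
    p_scheme, _, _ = _origin(page)
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return _scheme_matches(src[:-1], a_scheme)
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
    else:
        s_scheme, rest = p_scheme, src  # no scheme given: inherit the page's scheme
    if ":" in rest:
        host, port = rest.rsplit(":", 1)
        port_ok = port == "*" or int(port) == a_port
    else:
        host, port_ok = rest, a_port == DEFAULT_PORTS.get(s_scheme)
    return _scheme_matches(s_scheme, a_scheme) and _host_matches(host, a_host) and port_ok


def framing_allowed(csp: str, page: str, ancestor: str) -> bool:
    """True if a document at `ancestor` may embed the page served with `csp`."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True  # no frame-ancestors directive: CSP imposes no framing restriction
    return any(source_matches(s, ancestor, page) for s in sources)


def x_frame_options_equivalent(frame_ancestors: str) -> Optional[str]:
    """Closest X-Frame-Options value, or None when the list cannot be expressed."""
    sources = frame_ancestors.split()
    if sources == ["'none'"]:
        return "DENY"
    if sources == ["'self'"]:
        return "SAMEORIGIN"
    if len(sources) == 1 and "://" in sources[0]:
        return "ALLOW-FROM %s" % sources[0]  # deprecated and not honoured by all browsers
    return None  # several origins, wildcards or mixes: only CSP can say this


if __name__ == "__main__":
    page = "https://master90.school.dev"
    for ancestor in ("https://ucs-sso.school.dev", "https://master90.school.dev", "https://evil.example"):
        print(ancestor, framing_allowed(csp_header(UCR_UMC_LOGIN), page, ancestor))
    print("X-Frame-Options for UMC login:", x_frame_options_equivalent(UCR_UMC_LOGIN))
    print("X-Frame-Options for Self-Service:", x_frame_options_equivalent(UCR_SELF_SERVICE))
```

Note that a plain-http ancestor is refused by an `https://` source even for the same host and that `'self'` compares scheme, host and port, so an SSO host reached over a non-default port needs its own entry in the UCR value.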
Comment 3 Julia Bremer univentionstaff 2020-05-05 11:23:37 CEST
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/03_ucr/63checkucrwarning/master091/

03_ucr.63checkucrwarning.master091 fails for /etc/apache2/sites-available/univention-self-service.conf
Comment 4 Florian Best univentionstaff 2020-05-05 11:33:21 CEST
(In reply to Julia Bremer from comment #3)
> http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/03_ucr/63checkucrwarning/master091/
> 
> 03_ucr.63checkucrwarning.master091 fails for /etc/apache2/sites-available/univention-self-service.conf

hmm, the first line contains the warning:
1 @%@UCRWARNING=# @%@
Comment 5 Florian Best univentionstaff 2020-05-05 14:41:32 CEST
fixed in:

univention-self-service (4.0.3-28)
61b917b7616f | Bug #51211: fix missing UCRWARNING header
Comment 6 Florian Best univentionstaff 2020-05-05 15:08:37 CEST
ucs-test (9.0.3-198)
843cc97b3914 | Bug #51211: adjust test case
Comment 7 Johannes Keiser univentionstaff 2020-05-05 15:58:06 CEST
50d7d004e7 Bug #51211: adjust test case

Successful build
Package: ucs-test
Version: 9.0.3-199A~4.4.0.202005051551

Tests were successful on test vm
-> verified
Comment 8 Erik Damrose univentionstaff 2020-05-06 14:56:30 CEST
(In reply to Johannes Keiser from comment #7)
> Tests were successful on test vm
> -> verified

https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=backup/testReport/60_umc/102_test_umc_security/backup093/

Please, do always check if the tests were successful in jenkins, too. Reopening due to failing test 60_umc/102_test_umc_security.py on all roles.
Comment 9 Florian Best univentionstaff 2020-05-07 09:38:15 CEST
It seems the test runs before any apache2 reload is done, that's why there are other UCR variables set in the template? Should we add a "service apache2 reload" into the joinscript?
Comment 10 Felix Botner univentionstaff 2020-05-11 09:49:14 CEST
60_umc.102_test_umc_security still fails, please fix this test (or we will deactivate the test)
Comment 11 Florian Best univentionstaff 2020-05-12 10:58:17 CEST
The problem was that changing the UCR variable ucs/server/sso/fqdn did not trigger a UCR commit of some apache templates - so the rules never got enabled.

univention-management-console (11.0.4-75)
0dbc66393a52 | Bug #51211: fix ucr commit trigger for univention.conf

univention-portal.yaml
97bd6ba301c4 | YAML Bug #51211

univention-portal (3.0.2-5)
a7b47b3befe9 | Bug #51211: fix ucr commit trigger
Comment 12 Johannes Keiser univentionstaff 2020-05-13 13:19:50 CEST
OK: missing ucr trigger
OK: test is green
-> verified