From 566bbe9c71c470bfc0827461dad9caadf0ae8124 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Placzy=C5=84ski?= Date: Mon, 26 Feb 2024 08:56:25 +0100 Subject: [PATCH 1/3] [#291] Allow Sentry error reporting in CSP settings across environments Updated CSP settings in Traefik configuration for beta, dev, staging, and test environments to include Sentry's domain without the ingest subdomain. This change permits Sentry error logging and reporting to function correctly without being blocked by the CSP. The adjustment ensures Sentry can capture and report runtime errors, facilitating better monitoring and debugging capabilities across our development, testing, and staging phases. - Modified CSP `connect-src` directive to set `o4506155985141760.ingest.sentry.io` replacing old Sentry sources. - Ensured that the updated settings adhere to our security policies by only allowing necessary and trusted sources. This update addresses the need for comprehensive error reporting through Sentry, enhancing our ability to quickly identify and resolve issues in our application's environments. --- scripts/govtool/docker-compose.beta.yml | 2 +- scripts/govtool/docker-compose.dev.yml | 2 +- scripts/govtool/docker-compose.staging.yml | 2 +- scripts/govtool/docker-compose.test.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/govtool/docker-compose.beta.yml b/scripts/govtool/docker-compose.beta.yml index 0a608601f..9e4e9e41f 100644 --- a/scripts/govtool/docker-compose.beta.yml +++ b/scripts/govtool/docker-compose.beta.yml 
@@ -209,7 +209,7 @@ services:
 - "traefik.http.routers.frontend.rule=Host(`sanchogov.tools`)"
 - "traefik.http.routers.frontend.entrypoints=websecure"
 - "traefik.http.routers.frontend.tls.certresolver=myresolver"
- - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' https://o4506155985141760.ingest.sentry.io/api/4506156032196608/envelope/ *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
+ - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' o4506155985141760.ingest.sentry.io *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
 - "traefik.http.routers.frontend.middlewares=frontend-csp@docker"
 - "traefik.http.services.frontend.loadbalancer.server.port=80"
diff --git a/scripts/govtool/docker-compose.dev.yml b/scripts/govtool/docker-compose.dev.yml
index a43d63137..ea64ba147 100644
--- a/scripts/govtool/docker-compose.dev.yml
+++ b/scripts/govtool/docker-compose.dev.yml
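Review bot: The new `connect-src` entry `o4506155985141760.ingest.sentry.io` drops both the `https://` scheme and the `/api/4506156032196608/envelope/` path that the removed line carried, so the allow-list is now broader than before and, being scheme-less, inherits the page's scheme instead of pinning HTTPS. Keeping the scheme costs nothing and keeps the policy explicit: `https://o4506155985141760.ingest.sentry.io`. The commit message says the change adds Sentry's domain "without the ingest subdomain", which does not match what the hunk actually allows, so the rationale recorded in history should be reconciled with the diff. The identical edit is made in the dev, staging and test compose files in the three hunks that follow; since the only per-environment difference in these label lists is the `Host()` rule, factoring the CSP value into one shared variable or YAML anchor would stop the four copies drifting. The added line also still carries `'unsafe-inline'` in `script-src`, which is pre-existing but largely nullifies the script allow-list and deserves a follow-up.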
@@ -209,7 +209,7 @@ services:
 - "traefik.http.routers.frontend.rule=Host(`dev-sanchonet.govtool.byron.network`)"
 - "traefik.http.routers.frontend.entrypoints=websecure"
 - "traefik.http.routers.frontend.tls.certresolver=myresolver"
- - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' https://o4506155985141760.ingest.sentry.io/api/4506156032196608/envelope/ *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
+ - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' o4506155985141760.ingest.sentry.io *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
 - "traefik.http.routers.frontend.middlewares=frontend-csp@docker"
 - "traefik.http.services.frontend.loadbalancer.server.port=80"
diff --git a/scripts/govtool/docker-compose.staging.yml b/scripts/govtool/docker-compose.staging.yml
index 24de7ae0a..6ab455d3a 100644
--- a/scripts/govtool/docker-compose.staging.yml
+++ b/scripts/govtool/docker-compose.staging.yml
@@ -209,7 +209,7 @@ services:
 - "traefik.http.routers.frontend.rule=Host(`staging.govtool.byron.network`)"
 - "traefik.http.routers.frontend.entrypoints=websecure"
 - "traefik.http.routers.frontend.tls.certresolver=myresolver"
- - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' https://o4506155985141760.ingest.sentry.io/api/4506156032196608/envelope/ *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
+ - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' o4506155985141760.ingest.sentry.io *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
 - "traefik.http.routers.frontend.middlewares=frontend-csp@docker"
 - "traefik.http.services.frontend.loadbalancer.server.port=80"
diff --git a/scripts/govtool/docker-compose.test.yml b/scripts/govtool/docker-compose.test.yml
index 08aa25dd2..d35544e82 100644
--- a/scripts/govtool/docker-compose.test.yml
+++ b/scripts/govtool/docker-compose.test.yml
@@ -209,7 +209,7 @@ services:
 - "traefik.http.routers.frontend.rule=Host(`test-sanchonet.govtool.byron.network`)"
 - "traefik.http.routers.frontend.entrypoints=websecure"
 - "traefik.http.routers.frontend.tls.certresolver=myresolver"
- - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' https://o4506155985141760.ingest.sentry.io/api/4506156032196608/envelope/ *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
+ - "traefik.http.middlewares.frontend-csp.headers.contentSecurityPolicy=default-src 'self'; img-src *.usersnap.com 'self' data:; script-src *.usersnap.com 'self' 'unsafe-inline' https://www.googletagmanager.com https://browser.sentry-cdn.com; style-src *.usersnap.com *.googleapis.com 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src *.usersnap.com https://s3.eu-central-1.amazonaws.com/upload.usersnap.com 'self' o4506155985141760.ingest.sentry.io *.google-analytics.com; font-src *.usersnap.com *.gstatic.com 'self' 'unsafe-inline' https://fonts.gstatic.com; worker-src blob:"
 - "traefik.http.routers.frontend.middlewares=frontend-csp@docker"
 - "traefik.http.services.frontend.loadbalancer.server.port=80"
From ca27ef65e3612755aeeb63ca12e433418a792ee0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Placzy=C5=84ski?= Date: Mon, 26 Feb 2024 07:48:38 +0100 Subject: [PATCH 2/3] Updated CHANGELOG.md to include recent enhancements - Integrated OAuth for secure Slack deployment notifications #194. - Streamlined build and deployment process for faster CD and reduced resource use #246. - Allow Sentry error reporting in CSP settings across environments #291. --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90954bacd..9c21eed47 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,8 @@ changes. - Fixed vote calculation problems related to NoConfidence DRep [Issue 59](https://github.com/IntersectMBO/govtool/issues/59) - Fixed ada-holder/get-current-delegation error when delegated to NoConfidence or AlwaysAbstain dreps. [Issue 82](https://github.com/IntersectMBO/govtool/issues/82) - Fixed deployment scripts to address [Issue 171](https://github.com/IntersectMBO/govtool/issues/171). -- Fixed get drep voting power incorrectly executed endpoint [Issue 280](https://github.com/IntersectMBO/govtool/issues/280) +- Fixed get drep voting power incorrectly executed endpoint [Issue 280](https://github.com/IntersectMBO/govtool/issues/280). +- Fixed CSP settings to allow error reports with Sentry [Issue 291](https://github.com/IntersectMBO/govtool/issues/291). ### Changed - Update Cardano-Serialization-Lib to 12.0.0-alpha.16 [Issue 156](https://github.com/IntersectMBO/govtool/issues/156) 
@@ -33,6 +34,8 @@ changes. - Renamed project from VVA to GovTool [Issue 97](https://github.com/IntersectMBO/govtool/issues/97). - (`docs/update-working-conventions`) Addressing [Issue 25](https://github.com/IntersectMBO/govtool/issues/25) changed working conventions documentation to improve intended flows. - Adjusted Nix configuration to meet projects needs [Issue 187](https://github.com/IntersectMBO/govtool/issues/187). +- Integrated OAuth to securely notify about deployment status in Slack [Issue 194](https://github.com/IntersectMBO/govtool/issues/194). +- Streamlined the application build and deployment process, thereby accelerating continuous delivery (CD) and reducing the resource burden [Issue 246](https://github.com/IntersectMBO/govtool/issues/246). ### Removed - From f389129fd76a5c1632c1b9c172c6a52e850df5d3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pawe=C5=82=20Placzy=C5=84ski?= Date: Mon, 26 Feb 2024 11:20:32 +0100 Subject: [PATCH 3/3] Add environment-specific warning to .env.example for clarity and safety This commit introduces a significant update to the `.env.example` file within the `scripts/govtool` directory to enhance usability and prevent configuration mistakes. Key changes include: - Addition of Vim modeline at the beginning of the file (`# vim: set ft=bash`) to ensure that when editing the file with Vim, the correct filetype (bash) is automatically set. This facilitates syntax highlighting and other filetype-specific features, improving the editing experience. - Introduction of a conditional warning mechanism that activates when the environment is not set to 'dev'. This mechanism employs bash scripting to alert to users, especially those working in non-development environments, to proceed with caution and be aware of their current configuration context. The warning message explicitly states the current environment value, reinforcing the need for attentiveness. These enhancements are designed to minimize the risk of misconfiguration by providing clear, environment-specific warnings and improving file readability and editing support. --- scripts/govtool/.env.example | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/scripts/govtool/.env.example b/scripts/govtool/.env.example index 47fb60653..adc906cb9 100644 --- a/scripts/govtool/.env.example +++ b/scripts/govtool/.env.example @@ -1,3 +1,5 @@ +# vim: set ft=bash + use nix shell.nix export AWS_PROFILE=govtool 
@@ -27,3 +29,13 @@ export GRAFANA_ADMIN_PASSWORD=
 export GRAFANA_SLACK_RECIPIENT=
 export GRAFANA_SLACK_WEBHOOK=
 export GRAFANA_SLACK_OAUTH_TOKEN=
+export DOMAIN="${ENVIRONMENT}-${CARDANO_NETWORK}.govtool.byron.network"
+#export DOMAIN="staging.govtool.byron.network"
+#export DOMAIN="sanchogov.tools"
+
+if [ "$ENVIRONMENT" != "dev" ]; then
+ tput setaf 1 # set text color to red
+ tput bold
+ echo "THIS IS NOT A DEVELOPMENT ENVIRONMENT! It is '$ENVIRONMENT'. BE CAREFUL…"
+ tput sgr0 # reset text formatting to normal
+fi
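Review bot: The warning block at the end of the hunk calls `tput` unconditionally and prints with `echo` to stdout, so when this file is evaluated without a terminal (CI, a non-interactive shell, or any caller that captures stdout) `tput` complains about `$TERM` and the colour escape sequences land in the captured output; the message is a diagnostic and belongs on stderr, colourised only when stderr is a tty and `tput` is available. `$ENVIRONMENT` is also compared unguarded: if it is unset the check still fires but prints `It is ''`, and the new `DOMAIN` default on the first added line silently becomes `-${CARDANO_NETWORK}.govtool.byron.network`, so expanding with `${ENVIRONMENT:-}` and showing an explicit `<unset>` marker makes that misconfiguration visible rather than cosmetic. The context line `use nix shell.nix` in the earlier hunk suggests this file is loaded by direnv, in which case a failing `tput` under a strict-mode loader could abort the whole environment load — I have not verified that, but guarding the calls removes the question. A guarded version of the block:
```shell
if [ "${ENVIRONMENT:-}" != "dev" ]; then
  # Diagnostic goes to stderr; colour only when stderr is a terminal and tput exists.
  if [ -t 2 ] && command -v tput >/dev/null 2>&1; then
    tput setaf 1 >&2 # set text color to red
    tput bold >&2
  fi
  printf '%s\n' "THIS IS NOT A DEVELOPMENT ENVIRONMENT! It is '${ENVIRONMENT:-<unset>}'. BE CAREFUL…" >&2
  if [ -t 2 ] && command -v tput >/dev/null 2>&1; then
    tput sgr0 >&2 # reset text formatting to normal
  fi
fi
```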