feat: [CO-756] Update defaults for proxy CSP header (#259)
* feat: [CO-756] add carbonioReverseProxyResponseCSPHeader to store CSP only header

* feat: [CO-756] update DomainAttrItem class to support separate CSP header

* feat: [CO-756] update ProxyConfGen to provide complete set of proxy response headers

- + fix executeCertbotDelete modifying ImmutableCollections RTE.

* feat: update default CSP policy and generate code
keshavbhatt authored Jul 3, 2023
1 parent 387ea3d commit 4b654c8
Showing 7 changed files with 364 additions and 91 deletions.
Expand Up @@ -2944,6 +2944,19 @@ public static TwoFactorAuthSecretEncoding fromString(String s) throws ServiceExc
@ZAttr(id=3115)
public static final String A_carbonioPrefWebUiDarkMode = "carbonioPrefWebUiDarkMode";

/**
* Content Security Policy headers to be added by the proxy. This is used
* along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
* to produce a complete set of Response Headers returned by the by the
* proxy. Usage: can be used to add a Content-Security-Policy header that
* will enforce CSP rule on the client side. Note: the value MUST be the
* entire header line (e.g. X-Foo: Bar, X-Zoo: "Bar1; Bar2").
*
* @since ZCS 23.7.0
*/
@ZAttr(id=3133)
public static final String A_carbonioReverseProxyResponseCSPHeader = "carbonioReverseProxyResponseCSPHeader";

/**
* Whether Carbonio can send analytics reports
*
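Review bot: the Javadoc for A_carbonioReverseProxyResponseCSPHeader reads "returned by the by the proxy" (duplicated "by the") and calls the value "headers" although the attribute is declared with cardinality="single" and the text itself says the value must be one entire header line. ZAttrProvisioning.java is generated, so correct the wording in the attrs.xml desc and regenerate; something like "The Content-Security-Policy header line to be added by the proxy. ProxyConfGen combines it with zimbraReverseProxyResponseHeaders to produce the complete set of response headers." Also, the example `X-Foo: Bar, X-Zoo: "Bar1; Bar2"` was copied from the generic header attribute; for a CSP-only attribute an example of the form `Content-Security-Policy: "default-src 'self'"` would guide operators better.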
Expand Down Expand Up @@ -15604,10 +15617,12 @@ public static TwoFactorAuthSecretEncoding fromString(String s) throws ServiceExc
public static final String A_zimbraReverseProxyPortSearchBase = "zimbraReverseProxyPortSearchBase";

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: "Bar1; Bar2").
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* "Bar1; Bar2").
*
* @since ZCS 8.7.0,9.0.0
*/
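Review bot: "to produce complete Proxy Response header" is missing an article, and the sentence does not tell the reader the thing that matters after this change: the Content-Security-Policy line is no longer part of this attribute's default and is now configured through carbonioReverseProxyResponseCSPHeader, so a CSP should not be listed in both places. Suggest: "Custom response headers to be added by the proxy. The Content-Security-Policy header is configured separately in carbonioReverseProxyResponseCSPHeader; ProxyConfGen merges both to produce the complete set of proxy response headers." Since this file is generated, change the text in attrs.xml and regenerate.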
15 changes: 13 additions & 2 deletions store/conf/attrs/attrs.xml
Expand Up @@ -8919,9 +8919,9 @@ TODO: delete them permanently from here
<globalConfigValue>X-XSS-Protection: "1; mode=block"</globalConfigValue>
<globalConfigValue>X-Frame-Options: "sameorigin"</globalConfigValue>
<globalConfigValue>Expect-CT: max-age=86400</globalConfigValue>
<globalConfigValue>Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.zextras.tools; connect-src 'self' *.zextras.tools; img-src * blob: data:; font-src 'self' fonts.gstatic.com; object-src 'self'; media-src * blob: data:; child-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; form-action 'self'; frame-ancestors 'self';"</globalConfigValue>
<desc>
Custom response headers to be added by the proxy. For example, can be used to add a HSTS header
Custom response headers to be added by the proxy. The carbonioReverseProxyResponseCSPHeader should be used along with this to
produce complete Proxy Response header. Usage: can be used to add a HSTS header
that will enforce SSL usage on the client side. Note: the value
MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo: "Bar1; Bar2").
</desc>
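Review bot: removing the Content-Security-Policy line from the zimbraReverseProxyResponseHeaders default only affects installations that have never stored an explicit value for the attribute. A deployment that copied the old default into LDAP (for example to add a host to connect-src) keeps its CSP entry, while the new carbonioReverseProxyResponseCSPHeader default adds a second one; unless the ProxyConfGen change (not in this view) deduplicates, the proxy will emit two Content-Security-Policy headers, and browsers enforce every policy delivered, so the old, stricter policy keeps applying and the new default has no effect there. Consider an upgrade step that drops a Content-Security-Policy entry from zimbraReverseProxyResponseHeaders, or at least a release note describing the manual removal, and say in the desc that a CSP must not be listed in this attribute. Also fix "produce complete Proxy Response header" (missing article).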
Expand Down Expand Up @@ -10048,4 +10048,15 @@ TODO: delete them permanently from here
<defaultExternalCOSValue>FALSE</defaultExternalCOSValue>
<desc>Whether the Team feature enabled for account or COS</desc>
</attr>

<attr id="3133" name="carbonioReverseProxyResponseCSPHeader" type="string" cardinality="single" optionalIn="globalConfig,domain" flags="domainInfo,domainInherited" requiresRestart="nginxproxy" since="23.7.0">
<globalConfigValue>Content-Security-Policy: "default-src 'self' data: blob: cid:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.zextras.tools; style-src * 'unsafe-inline'; img-src * data: blob: cid:; font-src * data:; connect-src 'self' *.zextras.tools; media-src * blob: data: cid:; object-src 'self'; child-src 'self' blob: data: cid:; frame-src 'self' blob: data: cid:; frame-ancestors 'self'; form-action 'self';"</globalConfigValue>
<desc>
Content Security Policy headers to be added by the proxy. This is used along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
to produce a complete set of Response Headers returned by the by the proxy.
Usage: can be used to add a Content-Security-Policy header
that will enforce CSP rule on the client side. Note: the value
MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo: "Bar1; Bar2").
</desc>
</attr>
</attrs>
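Review bot: the new default policy is noticeably more permissive than the one removed from zimbraReverseProxyResponseHeaders, and neither the commit message nor the desc says why: style-src goes from `'self' 'unsafe-inline' fonts.googleapis.com` to `* 'unsafe-inline'`, font-src from `'self' fonts.gstatic.com` to `* data:`, default-src and child-src gain `data: blob: cid:`, and `frame-src 'self' blob: data: cid:` is added. `style-src *` allows stylesheets from any origin, which removes most of the value of that directive; if the wider sources are needed for the client's blob: and cid: handling, list the origins actually required instead of `*`. script-src still carries `'unsafe-inline' 'unsafe-eval'`, so the policy gives little protection against injected script; if that cannot be removed now it deserves a follow-up ticket. Wording: "Content Security Policy headers" should be singular (cardinality="single"), and "returned by the by the proxy" duplicates "by the".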
189 changes: 152 additions & 37 deletions store/src/main/java/com/zimbra/cs/account/ZAttrConfig.java
Expand Up @@ -1512,6 +1512,103 @@ public Map<String,Object> unsetCarbonioNotificationRecipients(Map<String,Object>
return attrs;
}

/**
* Content Security Policy headers to be added by the proxy. This is used
* along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
* to produce a complete set of Response Headers returned by the by the
* proxy. Usage: can be used to add a Content-Security-Policy header that
* will enforce CSP rule on the client side. Note: the value MUST be the
* entire header line (e.g. X-Foo: Bar, X-Zoo: &quot;Bar1; Bar2&quot;).
*
* @return carbonioReverseProxyResponseCSPHeader, or "Content-Security-Policy: \"default-src 'self' data: blob: cid:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.zextras.tools; style-src * 'unsafe-inline'; img-src * data: blob: cid:; font-src * data:; connect-src 'self' *.zextras.tools; media-src * blob: data: cid:; object-src 'self'; child-src 'self' blob: data: cid:; frame-src 'self' blob: data: cid:; frame-ancestors 'self'; form-action 'self';\"" if unset
*
* @since ZCS 23.7.0
*/
@ZAttr(id=3133)
public String getCarbonioReverseProxyResponseCSPHeader() {
return getAttr(ZAttrProvisioning.A_carbonioReverseProxyResponseCSPHeader, "Content-Security-Policy: \"default-src 'self' data: blob: cid:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.zextras.tools; style-src * 'unsafe-inline'; img-src * data: blob: cid:; font-src * data:; connect-src 'self' *.zextras.tools; media-src * blob: data: cid:; object-src 'self'; child-src 'self' blob: data: cid:; frame-src 'self' blob: data: cid:; frame-ancestors 'self'; form-action 'self';\"", true);
}

/**
* Content Security Policy headers to be added by the proxy. This is used
* along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
* to produce a complete set of Response Headers returned by the by the
* proxy. Usage: can be used to add a Content-Security-Policy header that
* will enforce CSP rule on the client side. Note: the value MUST be the
* entire header line (e.g. X-Foo: Bar, X-Zoo: &quot;Bar1; Bar2&quot;).
*
* @param carbonioReverseProxyResponseCSPHeader new value
* @throws com.zimbra.common.service.ServiceException if error during update
*
* @since ZCS 23.7.0
*/
@ZAttr(id=3133)
public void setCarbonioReverseProxyResponseCSPHeader(String carbonioReverseProxyResponseCSPHeader) throws com.zimbra.common.service.ServiceException {
HashMap<String,Object> attrs = new HashMap<>();
attrs.put(ZAttrProvisioning.A_carbonioReverseProxyResponseCSPHeader, carbonioReverseProxyResponseCSPHeader);
getProvisioning().modifyAttrs(this, attrs);
}

/**
* Content Security Policy headers to be added by the proxy. This is used
* along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
* to produce a complete set of Response Headers returned by the by the
* proxy. Usage: can be used to add a Content-Security-Policy header that
* will enforce CSP rule on the client side. Note: the value MUST be the
* entire header line (e.g. X-Foo: Bar, X-Zoo: &quot;Bar1; Bar2&quot;).
*
* @param carbonioReverseProxyResponseCSPHeader new value
* @param attrs existing map to populate, or null to create a new map
* @return populated map to pass into Provisioning.modifyAttrs
*
* @since ZCS 23.7.0
*/
@ZAttr(id=3133)
public Map<String,Object> setCarbonioReverseProxyResponseCSPHeader(String carbonioReverseProxyResponseCSPHeader, Map<String,Object> attrs) {
if (attrs == null) attrs = new HashMap<>();
attrs.put(ZAttrProvisioning.A_carbonioReverseProxyResponseCSPHeader, carbonioReverseProxyResponseCSPHeader);
return attrs;
}

/**
* Content Security Policy headers to be added by the proxy. This is used
* along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
* to produce a complete set of Response Headers returned by the by the
* proxy. Usage: can be used to add a Content-Security-Policy header that
* will enforce CSP rule on the client side. Note: the value MUST be the
* entire header line (e.g. X-Foo: Bar, X-Zoo: &quot;Bar1; Bar2&quot;).
*
* @throws com.zimbra.common.service.ServiceException if error during update
*
* @since ZCS 23.7.0
*/
@ZAttr(id=3133)
public void unsetCarbonioReverseProxyResponseCSPHeader() throws com.zimbra.common.service.ServiceException {
HashMap<String,Object> attrs = new HashMap<>();
attrs.put(ZAttrProvisioning.A_carbonioReverseProxyResponseCSPHeader, "");
getProvisioning().modifyAttrs(this, attrs);
}

/**
* Content Security Policy headers to be added by the proxy. This is used
* along with the zimbraReverseProxyResponseHeaders by the ProxyConfGen
* to produce a complete set of Response Headers returned by the by the
* proxy. Usage: can be used to add a Content-Security-Policy header that
* will enforce CSP rule on the client side. Note: the value MUST be the
* entire header line (e.g. X-Foo: Bar, X-Zoo: &quot;Bar1; Bar2&quot;).
*
* @param attrs existing map to populate, or null to create a new map
* @return populated map to pass into Provisioning.modifyAttrs
*
* @since ZCS 23.7.0
*/
@ZAttr(id=3133)
public Map<String,Object> unsetCarbonioReverseProxyResponseCSPHeader(Map<String,Object> attrs) {
if (attrs == null) attrs = new HashMap<>();
attrs.put(ZAttrProvisioning.A_carbonioReverseProxyResponseCSPHeader, "");
return attrs;
}

/**
* Whether Carbonio can send analytics reports
*
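Review bot: ZAttrConfig.java is generated from attrs.xml, so the "by the by the" typo and the "headers" plural repeated in these five Javadoc blocks should be corrected in the attrs.xml desc and regenerated, not edited here. The accessors themselves follow the pattern used for the other single-valued string attributes in this class (getAttr with the default and the same third argument, unset writing an empty string), with the default value necessarily duplicated between the @return tag and the getter body.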
Expand Down Expand Up @@ -61526,25 +61623,29 @@ public Map<String,Object> unsetReverseProxyPortSearchBase(Map<String,Object> att
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @return zimbraReverseProxyResponseHeaders, or empty array if unset
*
* @since ZCS 8.7.0,9.0.0
*/
@ZAttr(id=1973)
public String[] getReverseProxyResponseHeaders() {
String[] value = getMultiAttr(ZAttrProvisioning.A_zimbraReverseProxyResponseHeaders, true, true); return value.length > 0 ? value : new String[] {"Strict-Transport-Security: \"max-age=31536000; includeSubDomains; preload\"","Permissions-Policy: \"geolocation=(self), microphone=(self)\"","Referrer-Policy: \"same-origin\"","X-Content-Type-Options: \"nosniff\"","X-Robots-Tag: \"noindex, nofollow\"","X-XSS-Protection: \"1; mode=block\"","X-Frame-Options: \"sameorigin\"","Expect-CT: max-age=86400","Content-Security-Policy: \"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.zextras.tools; connect-src 'self' *.zextras.tools; img-src * blob: data:; font-src 'self' fonts.gstatic.com; object-src 'self'; media-src * blob: data:; child-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; form-action 'self'; frame-ancestors 'self';\""};
String[] value = getMultiAttr(ZAttrProvisioning.A_zimbraReverseProxyResponseHeaders, true, true); return value.length > 0 ? value : new String[] {"Strict-Transport-Security: \"max-age=31536000; includeSubDomains; preload\"","Permissions-Policy: \"geolocation=(self), microphone=(self)\"","Referrer-Policy: \"same-origin\"","X-Content-Type-Options: \"nosniff\"","X-Robots-Tag: \"noindex, nofollow\"","X-XSS-Protection: \"1; mode=block\"","X-Frame-Options: \"sameorigin\"","Expect-CT: max-age=86400"};
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param zimbraReverseProxyResponseHeaders new value
* @throws com.zimbra.common.service.ServiceException if error during update
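Review bot: dropping the Content-Security-Policy entry from the fallback array in getReverseProxyResponseHeaders is consistent with moving CSP to the new single-valued attribute, but the fallback is only returned when getMultiAttr finds no stored values, so it changes nothing for installations with an explicit LDAP value (see the comment on the attrs.xml hunk). While this line is being touched: `Expect-CT: max-age=86400` is deprecated and no longer enforced by current browsers, so this would be a good moment to drop it from the default set as well.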
Expand All @@ -61559,10 +61660,12 @@ public void setReverseProxyResponseHeaders(String[] zimbraReverseProxyResponseHe
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param zimbraReverseProxyResponseHeaders new value
* @param attrs existing map to populate, or null to create a new map
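Review bot: this and the following Javadoc-only hunks (the set, add, remove and unset variants) repeat the same generated description, including "to produce complete Proxy Response header"; correcting the attrs.xml desc once and regenerating fixes all of them, so no hand edits are needed in this file.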
Expand All @@ -61578,10 +61681,12 @@ public Map<String,Object> setReverseProxyResponseHeaders(String[] zimbraReverseP
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param zimbraReverseProxyResponseHeaders new to add to existing values
* @throws com.zimbra.common.service.ServiceException if error during update
Expand All @@ -61596,10 +61701,12 @@ public void addReverseProxyResponseHeaders(String zimbraReverseProxyResponseHead
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param zimbraReverseProxyResponseHeaders new to add to existing values
* @param attrs existing map to populate, or null to create a new map
Expand All @@ -61615,10 +61722,12 @@ public Map<String,Object> addReverseProxyResponseHeaders(String zimbraReversePro
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param zimbraReverseProxyResponseHeaders existing value to remove
* @throws com.zimbra.common.service.ServiceException if error during update
Expand All @@ -61633,10 +61742,12 @@ public void removeReverseProxyResponseHeaders(String zimbraReverseProxyResponseH
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param zimbraReverseProxyResponseHeaders existing value to remove
* @param attrs existing map to populate, or null to create a new map
Expand All @@ -61652,10 +61763,12 @@ public Map<String,Object> removeReverseProxyResponseHeaders(String zimbraReverse
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @throws com.zimbra.common.service.ServiceException if error during update
*
Expand All @@ -61669,10 +61782,12 @@ public void unsetReverseProxyResponseHeaders() throws com.zimbra.common.service.
}

/**
* Custom response headers to be added by the proxy. For example, can be
* used to add a HSTS header that will enforce SSL usage on the client
* side. Note: the value MUST be the entire header line (e.g. X-Foo: Bar,
* X-Zoo: &quot;Bar1; Bar2&quot;).
* Custom response headers to be added by the proxy. The
* carbonioReverseProxyResponseCSPHeader should be used along with this
* to produce complete Proxy Response header. Usage: can be used to add a
* HSTS header that will enforce SSL usage on the client side. Note: the
* value MUST be the entire header line (e.g. X-Foo: Bar, X-Zoo:
* &quot;Bar1; Bar2&quot;).
*
* @param attrs existing map to populate, or null to create a new map
* @return populated map to pass into Provisioning.modifyAttrs

0 comments on commit 4b654c8