feat: add CSP and other security related headers in the oCIS proxy service

[DeepDiver1975]

Description

CSP headers and other security related headers are now added to http responses in the proxy service.

The default settings are loaded from https://github.com/owncloud/ocis/pull/8777/files#diff-106b7ab6229528e8a62323d217f101db7000e6918aefb124cea4c845d6b9d1c8

This default yaml config file can be overwritten by specifying an alternative yaml file path in the env var PROXY_CSP_CONFIG_FILE_LOCATION
The ocis_wopi example deployment shows how to do this - refs https://github.com/owncloud/ocis/pull/8777/files#diff-bfedf12f7818c318b754f308bff1d6139afd701f2fc7bb43f07fd865a0d85039

Related Issue

• Fixes csp and other sec relevant headers .... #8761

Motivation and Context

How Has This Been Tested?

• test environment:
• test case 1:
• test case 2:
• ...

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests only (no source changes)

Checklist:

• Code changes
• Unit tests added
• Acceptance tests added
• Documentation ticket raised:

[micbar]

We need to be very thorough with regresssions here.

@wkloucek Tested that via the reverse proxy and this broke all web client, app provider and web office features.

[micbar]

I like this elegant approach. 😍

[DeepDiver1975]

This is just a starting point.... Needs a lot of testing and finally adjustments in web and integrated systems....

[DeepDiver1975]

We might want to consider to add CSP only on the front end service...
Because CSP is only relevant on the web Frontend delivering endpoint

[micbar]

web assets (js and config) are coming from the web service in ocis.

What about the apis?
We have graph, webdav, ocs, settings, apps

[DeepDiver1975]

CSP is only relevant for web hosting endpoints.
This defines the scope for the web page on browser.

[DeepDiver1975]

@micbar where can I get following information

• Is draw.io enabled?
• Is OO enabled? And where is the url available?
• Is Collabora enabled? And where to get the url from?

[kobergj]

like it 👍 some questions and please comment exported funcs

[phil-davis]

Just a tiny error message text suggestion.

[DeepDiver1975]

Oh come on ...... replacement are not allowed: github.com/unrolled/secure
https://sonarcloud.io/project/issues?open=AY8QWu1wICG_leOl4WV_&id=owncloud_ocis

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
3.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[kobergj]

LGTM 👍

[micbar]

Sorry to intervene, but now we have different env var parsers, the ocis yaml files parse with gookit, the csp yaml with the new lib. We should align.

[DeepDiver1975]

Sorry to intervene, but now we have different env var parsers, the ocis yaml files parse with gookit, the csp yaml with the new lib. We should align.

Use gookit for csp.yaml:

Have two different syntax in the docker compose setup?

Use os.ExpandEnv

https://pkg.go.dev/os#ExpandEnv
... can be used for simple substitutions

Question on gookit usage

Which syntax for car substitution is used in ocis?

[micbar]

I think we should use your new lib (envsubst) in ocis for the ocis yaml config.

There is one ParseConfig method which is used in all services. Should be a one liner.

[micbar]

Here https://github.com/owncloud/ocis/blob/master/ocis-pkg/config/helpers.go#L21

We should be able to pass the config as []bytes to our gookit/config via LoadSources()

[DeepDiver1975]

Any example config files at hand which hold env vars?
Are these hand crafted by users or do we generate them as well.
I did not find any reference/example. Thx

[micbar]

All ocis config vars can also be set by yaml files. A rendered version is located in the dev docs in every service.

[kjeldahl]

@DeepDiver1975
Shouldn't ONLYOFFICE_DOMAIN and COLLABORA_DOMAIN be set here as well in order for the substitution in etc/ocis/csp.yaml to take effect?

ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}

[DeepDiver1975]

see https://github.com/owncloud/ocis/pull/8777/files#diff-bfedf12f7818c318b754f308bff1d6139afd701f2fc7bb43f07fd865a0d85039R15

[kjeldahl]

@DeepDiver1975 Yes, I mean the csp.yaml is being loaded inside the containers environment, so if the ONLYOFFICE_DOMAIN and COLLABORA_DOMAIN are not set in the docker-compose.yml file they will be empty during runtime and the default values are used. (This is at least what happened when I tried it.)

[DeepDiver1975]

Ah. I see your point now.let me have a look .....

[micbar]

These two variables need to be set in the .env file.

https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_wopi/.env#L46

[DeepDiver1975]

yes - but the env vars are not forwarded into the ocis container and will always be set to the default.
pr coming ...

[micbar]

Yes, right

[DeepDiver1975]

#9007 @micbar @kjeldahl

[DeepDiver1975]

THX a lot @kjeldahl for bringing this to our attention! 🙏

[kjeldahl]

@DeepDiver1975 You are most welcome. And thanks a lot for solving the CSP issue 4 hours before I ran into it 👍