diff --git a/.changeset/few-kings-agree.md b/.changeset/few-kings-agree.md new file mode 100644 index 0000000000..0019611503 --- /dev/null +++ b/.changeset/few-kings-agree.md @@ -0,0 +1,5 @@ +--- +'@backstage/backend-common': patch +--- + +Added support for passing false as a CSP field value, to drop it from the defaults in the backend diff --git a/packages/backend-common/config.d.ts b/packages/backend-common/config.d.ts index 7a134ac506..c4ec84ab62 100644 --- a/packages/backend-common/config.d.ts +++ b/packages/backend-common/config.d.ts @@ -79,8 +79,15 @@ export interface Config { optionsSuccessStatus?: number; }; - /** */ - csp?: object; + /** + * Content Security Policy options. + * + * The keys are the plain policy ID, e.g. "upgrade-insecure-requests". The + * values are on the format that the helmet library expects them, as an + * array of strings. There is also the special value false, which means to + * remove the default value that Backstage puts in place for that policy. + */ + csp?: { [policyId: string]: string[] | false }; }; /** Configuration for integrations towards various external repository provider systems */ diff --git a/packages/backend-common/src/service/lib/ServiceBuilderImpl.test.ts b/packages/backend-common/src/service/lib/ServiceBuilderImpl.test.ts new file mode 100644 index 0000000000..cffb0a88de --- /dev/null +++ b/packages/backend-common/src/service/lib/ServiceBuilderImpl.test.ts @@ -0,0 +1,36 @@ +/* + * Copyright 2020 Spotify AB + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { applyCspDirectives } from './ServiceBuilderImpl'; + +describe('ServiceBuilderImpl', () => { + describe('applyCspDirectives', () => { + it('copies actual values', () => { + const result = applyCspDirectives({ key: ['value'] }); + expect(result).toEqual( + expect.objectContaining({ + 'default-src': ["'self'"], + key: ['value'], + }), + ); + }); + + it('removes false value keys', () => { + const result = applyCspDirectives({ 'upgrade-insecure-requests': false }); + expect(result!['upgrade-insecure-requests']).toBeUndefined(); + }); + }); +}); diff --git a/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts b/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts index 710de6f1d7..d8b9ffa2d9 100644 --- a/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts +++ b/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts @@ -18,7 +18,7 @@ import { Config } from '@backstage/config'; import compression from 'compression'; import cors from 'cors'; import express, { Router } from 'express'; -import helmet from 'helmet'; +import helmet, { HelmetOptions } from 'helmet'; import * as http from 'http'; import stoppable from 'stoppable'; import { Logger } from 'winston'; @@ -56,7 +56,7 @@ const DEFAULT_CSP = { 'script-src': ["'self'"], 'script-src-attr': ["'none'"], 'style-src': ["'self'", 'https:', "'unsafe-inline'"], - 'upgrade-insecure-requests': [], + 'upgrade-insecure-requests': [] as string[], }; export class ServiceBuilderImpl implements ServiceBuilder { @@ -64,7 +64,7 @@ export class ServiceBuilderImpl implements ServiceBuilder { private host: string | undefined; private logger: Logger | undefined; private corsOptions: cors.CorsOptions | undefined; - private cspOptions: CspOptions | undefined; + private cspOptions: Record | undefined; private httpsSettings: HttpsSettings | undefined; private enableMetrics: boolean = true; private routers: [string, Router][]; @@ -154,20 +154,11 @@ export class ServiceBuilderImpl implements ServiceBuilder { host, logger, corsOptions, - cspOptions, httpsSettings, + helmetOptions, } = this.getOptions(); - app.use( - helmet({ - contentSecurityPolicy: { - directives: { - ...DEFAULT_CSP, - ...cspOptions, - }, - }, - }), - ); + app.use(helmet(helmetOptions)); if (corsOptions) { app.use(cors(corsOptions)); } @@ -214,16 +205,38 @@ export class ServiceBuilderImpl implements ServiceBuilder { host: string; logger: Logger; corsOptions?: cors.CorsOptions; - cspOptions?: CspOptions; httpsSettings?: HttpsSettings; + helmetOptions: HelmetOptions; } { return { port: this.port ?? DEFAULT_PORT, host: this.host ?? DEFAULT_HOST, logger: this.logger ?? getRootLogger(), corsOptions: this.corsOptions, - cspOptions: this.cspOptions, httpsSettings: this.httpsSettings, + helmetOptions: { + contentSecurityPolicy: { + directives: applyCspDirectives(this.cspOptions), + }, + }, }; } } + +export function applyCspDirectives( + directives: Record | undefined, +): CspOptions | undefined { + const result: CspOptions = { ...DEFAULT_CSP }; + + if (directives) { + for (const [key, value] of Object.entries(directives)) { + if (value === false) { + delete result[key]; + } else { + result[key] = value; + } + } + } + + return result; +} diff --git a/packages/backend-common/src/service/lib/config.test.ts b/packages/backend-common/src/service/lib/config.test.ts new file mode 100644 index 0000000000..8a35f147ca --- /dev/null +++ b/packages/backend-common/src/service/lib/config.test.ts @@ -0,0 +1,51 @@ +/* + * Copyright 2020 Spotify AB + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { ConfigReader } from '@backstage/config'; +import { readCspOptions } from './config'; + +describe('config', () => { + describe('readCspOptions', () => { + it('reads valid values', () => { + const config = ConfigReader.fromConfigs([ + { context: '', data: { csp: { key: ['value'] } } }, + ]); + expect(readCspOptions(config)).toEqual( + expect.objectContaining({ + key: ['value'], + }), + ); + }); + + it('accepts false', () => { + const config = ConfigReader.fromConfigs([ + { context: '', data: { csp: { key: false } } }, + ]); + expect(readCspOptions(config)).toEqual( + expect.objectContaining({ + key: false, + }), + ); + }); + + it('rejects invalid value types', () => { + const config = ConfigReader.fromConfigs([ + { context: '', data: { csp: { key: [4] } } }, + ]); + expect(() => readCspOptions(config)).toThrow(/wanted string-array/); + }); + }); +}); diff --git a/packages/backend-common/src/service/lib/config.ts b/packages/backend-common/src/service/lib/config.ts index bfd966b499..541170b704 100644 --- a/packages/backend-common/src/service/lib/config.ts +++ b/packages/backend-common/src/service/lib/config.ts @@ -134,24 +134,33 @@ export function readCorsOptions(config: Config): CorsOptions | undefined { * Attempts to read a CSP options object from the root of a config object. * * @param config The root of a backend config object - * @returns A CSP options object, or undefined if not specified + * @returns A CSP options object, or undefined if not specified. Values can be + * false as well, which means to remove the default behavior for that + * key. * * @example * ```yaml * backend: * csp: * connect-src: ["'self'", 'http:', 'https:'] + * upgrade-insecure-requests: false * ``` */ -export function readCspOptions(config: Config): CspOptions | undefined { +export function readCspOptions( + config: Config, +): Record | undefined { const cc = config.getOptionalConfig('csp'); if (!cc) { return undefined; } - const result: CspOptions = {}; + const result: Record = {}; for (const key of cc.keys()) { - result[key] = cc.getStringArray(key); + if (cc.get(key) === false) { + result[key] = false; + } else { + result[key] = cc.getStringArray(key); + } } return result;