From 5186eb57143e377aad366cc6bf4c073c282fed48 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 25 Sep 2025 14:47:28 +0200
Subject: [PATCH] Optimized OpenProject and CSP rules
---
 roles/web-app-flowise/config/main.yml | 3 +-
 roles/web-app-openproject/tasks/01_ldap.yml | 66 ++++++++++-----------
 roles/web-app-openproject/vars/ldap.yml | 34 +++++------
 roles/web-app-openproject/vars/main.yml | 4 +-
 4 files changed, 54 insertions(+), 53 deletions(-)
diff --git a/roles/web-app-flowise/config/main.yml b/roles/web-app-flowise/config/main.yml
index 9f809cc0..9d5eef25 100644
--- a/roles/web-app-flowise/config/main.yml
+++ b/roles/web-app-flowise/config/main.yml
@@ -21,7 +21,8 @@ server:
 #style-src:
 # unsafe-inline: true
 whitelist:
- font-src: []
+ font-src:
+ - https://fonts.googleapis.com
 connect-src: []
 docker:
 services:
diff --git a/roles/web-app-openproject/tasks/01_ldap.yml b/roles/web-app-openproject/tasks/01_ldap.yml
index e2f4a144..31bf0b4e 100644
--- a/roles/web-app-openproject/tasks/01_ldap.yml
+++ b/roles/web-app-openproject/tasks/01_ldap.yml
@@ -9,7 +9,7 @@
 login_password: "{{ database_password }}"
 login_host: "127.0.0.1"
 login_port: "{{ database_port }}"
- query: "SELECT id FROM ldap_auth_sources WHERE name = '{{ openproject_ldap.name }}' LIMIT 1;"
+ query: "SELECT id FROM ldap_auth_sources WHERE name = '{{ OPENPROJECT_LDAP.name }}' LIMIT 1;"
 register: ldap_check
 - name: Update existing LDAP auth source
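Review bot: The `font-src` entry added here whitelists `https://fonts.googleapis.com`, which is the host that serves the Google Fonts stylesheet, whereas the font files that stylesheet references are fetched from `https://fonts.gstatic.com`; with this policy the stylesheet still needs a `style-src` allowance and the actual font downloads remain blocked by `font-src`. Unless Flowise fetches font files directly from googleapis.com (worth confirming from the browser's CSP violation report), the entry should read `- https://fonts.gstatic.com`, with `https://fonts.googleapis.com` listed under `style-src` if the role's whitelist supports that directive. Allowing a third-party font origin also discloses each visitor's IP address to Google on every page load; bundling the fonts with the app keeps the CSP free of external origins altogether.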
@@ -21,23 +21,23 @@
 login_port: "{{ database_port }}"
 query: >
 UPDATE ldap_auth_sources SET
- host = '{{ openproject_ldap.host }}',
- port = {{ openproject_ldap.port }},
- account = '{{ openproject_ldap.account }}',
- account_password = '{{ openproject_ldap.account_password }}',
- base_dn = '{{ openproject_ldap.base_dn }}',
- attr_login = '{{ openproject_ldap.attr_login }}',
- attr_firstname = '{{ openproject_ldap.attr_firstname }}',
- attr_lastname = '{{ openproject_ldap.attr_lastname }}',
- attr_mail = '{{ openproject_ldap.attr_mail }}',
- onthefly_register = {{ openproject_ldap.onthefly_register }},
- attr_admin = '{{ openproject_ldap.attr_admin }}',
+ host = '{{ OPENPROJECT_LDAP.host }}',
+ port = {{ OPENPROJECT_LDAP.port }},
+ account = '{{ OPENPROJECT_LDAP.account }}',
+ account_password = '{{ OPENPROJECT_LDAP.account_password }}',
+ base_dn = '{{ OPENPROJECT_LDAP.base_dn }}',
+ attr_login = '{{ OPENPROJECT_LDAP.attr_login }}',
+ attr_firstname = '{{ OPENPROJECT_LDAP.attr_firstname }}',
+ attr_lastname = '{{ OPENPROJECT_LDAP.attr_lastname }}',
+ attr_mail = '{{ OPENPROJECT_LDAP.attr_mail }}',
+ onthefly_register = {{ OPENPROJECT_LDAP.onthefly_register }},
+ attr_admin = '{{ OPENPROJECT_LDAP.attr_admin }}',
 updated_at = NOW(),
- tls_mode = {{ openproject_ldap.tls_mode }},
- filter_string = '{{ openproject_ldap.filter_string }}',
- verify_peer = {{ openproject_ldap.verify_peer }},
- tls_certificate_string = '{{ openproject_ldap.tls_certificate_string }}'
- WHERE name = '{{ openproject_ldap.name }}';
+ tls_mode = {{ OPENPROJECT_LDAP.tls_mode }},
+ filter_string = '{{ OPENPROJECT_LDAP.filter_string }}',
+ verify_peer = {{ OPENPROJECT_LDAP.verify_peer }},
+ tls_certificate_string = '{{ OPENPROJECT_LDAP.tls_certificate_string }}'
+ WHERE name = '{{ OPENPROJECT_LDAP.name }}';
 when: ldap_check.query_result | length > 0
 async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
 poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
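Review bot: Every value in the `query:` block, including `OPENPROJECT_LDAP.account_password` on the `account_password =` line, is still spliced into the SQL text by Jinja with no quoting, so a bind password, DN or filter containing a single quote breaks the statement or changes its meaning, and the fully rendered statement — secret included — becomes the task's module argument and return value, which Ansible prints under `-v` and hands to callback plugins and logs. The task's `- name:` line and module call sit above this hunk, so I cannot see whether it carries `no_log: true`; it should, and the same applies to the INSERT task that follows. If the module is `community.postgresql.postgresql_query`, it can bind the values itself: use `%(name)s`-style placeholders and pass the dict via `named_args`, which removes both the quoting problem and the need to trust the variable contents.
```yaml
    query: >
      UPDATE ldap_auth_sources SET
        host = %(host)s,
        port = %(port)s,
        account = %(account)s,
        account_password = %(account_password)s,
        /* … base_dn through verify_peer bound the same way, updated_at = NOW() … */
        tls_certificate_string = %(tls_certificate_string)s
      WHERE name = %(name)s;
    named_args: "{{ OPENPROJECT_LDAP }}"
  no_log: true
```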
@@ -55,24 +55,24 @@
 attr_firstname, attr_lastname, attr_mail, onthefly_register, attr_admin, created_at, updated_at, tls_mode, filter_string, verify_peer, tls_certificate_string) VALUES (
- '{{ openproject_ldap.name }}',
- '{{ openproject_ldap.host }}',
- {{ openproject_ldap.port }},
- '{{ openproject_ldap.account }}',
- '{{ openproject_ldap.account_password }}',
- '{{ openproject_ldap.base_dn }}',
- '{{ openproject_ldap.attr_login }}',
- '{{ openproject_ldap.attr_firstname }}',
- '{{ openproject_ldap.attr_lastname }}',
- '{{ openproject_ldap.attr_mail }}',
- {{ openproject_ldap.onthefly_register }},
- '{{ openproject_ldap.attr_admin }}',
+ '{{ OPENPROJECT_LDAP.name }}',
+ '{{ OPENPROJECT_LDAP.host }}',
+ {{ OPENPROJECT_LDAP.port }},
+ '{{ OPENPROJECT_LDAP.account }}',
+ '{{ OPENPROJECT_LDAP.account_password }}',
+ '{{ OPENPROJECT_LDAP.base_dn }}',
+ '{{ OPENPROJECT_LDAP.attr_login }}',
+ '{{ OPENPROJECT_LDAP.attr_firstname }}',
+ '{{ OPENPROJECT_LDAP.attr_lastname }}',
+ '{{ OPENPROJECT_LDAP.attr_mail }}',
+ {{ OPENPROJECT_LDAP.onthefly_register }},
+ '{{ OPENPROJECT_LDAP.attr_admin }}',
 NOW(), NOW(),
- {{ openproject_ldap.tls_mode }},
- '{{ openproject_ldap.filter_string }}',
- {{ openproject_ldap.verify_peer }},
- '{{ openproject_ldap.tls_certificate_string }}'
+ {{ OPENPROJECT_LDAP.tls_mode }},
+ '{{ OPENPROJECT_LDAP.filter_string }}',
+ {{ OPENPROJECT_LDAP.verify_peer }},
+ '{{ OPENPROJECT_LDAP.tls_certificate_string }}'
 );
 when: ldap_check.query_result | length == 0
 async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
diff --git a/roles/web-app-openproject/vars/ldap.yml b/roles/web-app-openproject/vars/ldap.yml
index dfba65d3..9fe77d03 100644
--- a/roles/web-app-openproject/vars/ldap.yml
+++ b/roles/web-app-openproject/vars/ldap.yml
@@ -1,17 +1,17 @@
-openproject_ldap:
- name: "{{ PRIMARY_DOMAIN }}" # Display name for the LDAP connection in OpenProject
- host: "{{ LDAP.SERVER.DOMAIN }}" # LDAP server address
- port: "{{ LDAP.SERVER.PORT }}" # LDAP server port (typically 389 or 636)
- account: "{{ LDAP.DN.ADMINISTRATOR.DATA }}" # Bind DN (used for authentication)
- account_password: "{{ LDAP.BIND_CREDENTIAL }}" # Bind password
- base_dn: "{{ LDAP.DN.OU.USERS }}" # Base DN for user search
- attr_login: "{{ LDAP.USER.ATTRIBUTES.ID }}" # LDAP attribute used for login
- attr_firstname: "givenName" # LDAP attribute for first name
- attr_lastname: "{{ LDAP.USER.ATTRIBUTES.SURNAME }}" # LDAP attribute for last name
- attr_mail: "{{ LDAP.USER.ATTRIBUTES.MAIL }}" # LDAP attribute for email
- attr_admin: "{{ OPENPROJECT_LDAP_FILTERS.ADMINISTRATORS }}" # Optional: LDAP attribute for admin group (leave empty if unused)
- onthefly_register: true # Automatically create users on first login
- tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS
- verify_peer: false # Whether to verify the SSL certificate
- filter_string: "{{ OPENPROJECT_LDAP_FILTERS.USERS }}" # Optional: Custom filter for users (e.g., "(objectClass=person)")
- tls_certificate_string: "" # Optional: Client certificate string for TLS (usually left empty)
\ No newline at end of file
+OPENPROJECT_LDAP:
+ name: "{{ PRIMARY_DOMAIN }}" # Display name for the LDAP connection in OpenProject
+ host: "{{ LDAP.SERVER.DOMAIN }}" # LDAP server address
+ port: "{{ LDAP.SERVER.PORT }}" # LDAP server port (typically 389 or 636)
+ account: "{{ LDAP.DN.ADMINISTRATOR.DATA }}" # Bind DN (used for authentication)
+ account_password: "{{ LDAP.BIND_CREDENTIAL }}" # Bind password
+ base_dn: "{{ LDAP.DN.OU.USERS }}" # Base DN for user search
+ attr_login: "{{ LDAP.USER.ATTRIBUTES.ID }}" # LDAP attribute used for login
+ attr_firstname: "givenName" # LDAP attribute for first name
+ attr_lastname: "{{ LDAP.USER.ATTRIBUTES.SURNAME }}" # LDAP attribute for last name
+ attr_mail: "{{ LDAP.USER.ATTRIBUTES.MAIL }}" # LDAP attribute for email
+ attr_admin: "{{ OPENPROJECT_LDAP_FILTERS.ADMINISTRATORS }}" # Optional: LDAP attribute for admin group (leave empty if unused)
+ onthefly_register: true # Automatically create users on first login
+ tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS
+ verify_peer: false # Whether to verify the SSL certificate
+ filter_string: "{{ OPENPROJECT_LDAP_FILTERS.USERS }}" # Optional: Custom filter for users (e.g., "(objectClass=person)")
+ tls_certificate_string: "" # Optional: Client certificate string for TLS (usually left empty)
\ No newline at end of file
diff --git a/roles/web-app-openproject/vars/main.yml b/roles/web-app-openproject/vars/main.yml
index a6c6bf14..ea0549c5 100644
--- a/roles/web-app-openproject/vars/main.yml
+++ b/roles/web-app-openproject/vars/main.yml
@@ -61,5 +61,5 @@ OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED: "{{ applications | get_app_conf(
 OPENPROJECT_LDAP_FILTER_USERS_ENABLED: "{{ applications | get_app_conf(application_id, 'ldap.filters.users') }}"
 OPENPROJECT_LDAP_FILTERS:
 # The administrator filter just works in the Enterprise edition
- ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED else '' }}"
- USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED else '' }}"
+ ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED | bool else '' }}"
+ USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED | bool else '' }}"
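Review bot: `tls_mode: 0` together with `verify_peer: false` on the new side makes OpenProject bind to the directory over plaintext LDAP, so `LDAP.BIND_CREDENTIAL` and every user's password at login cross the network unencrypted, and certificate checking stays off even if TLS is switched on later; the rename carries both settings over unchanged. Unless the directory is only reachable over a link that is itself encrypted, this should be `tls_mode: 2` (STARTTLS, per the inline comment's mapping) or `1` on the LDAPS port, with `verify_peer: true` and the directory's CA made known to OpenProject if it is a private one. If plaintext is intentional because both services share an isolated network, the comments on those two lines should say so explicitly, because as written they read like untouched generic defaults rather than a deliberate decision.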
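Review bot: The `| bool` added on both changed lines correctly stops the string `"false"` from being treated as truthy, but the `ADMINISTRATORS` value built here is an LDAP search filter (`(memberOf=cn=openproject-admins,…)`) that vars/ldap.yml feeds into `attr_admin`, a column whose name and the neighbouring comment (`# Optional: LDAP attribute for admin group`) both describe an attribute name rather than a filter expression. If OpenProject reads `attr_admin` as the name of an attribute to look up on the user entry, this filter string will never match and LDAP-driven admin promotion silently does nothing, so it is worth verifying against the OpenProject version in use before relying on it. The context-line comment above it also reads better as `# The administrator filter only works in the Enterprise edition`.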