Optimized OpenProject and CSP rules

2025-10-10 10:48:10 +02:00 · 2025-09-25 14:47:28 +02:00
parent 73bcdcaf45
commit 5186eb5714
4 changed files with 54 additions and 53 deletions
--- a/roles/web-app-flowise/config/main.yml
+++ b/roles/web-app-flowise/config/main.yml
@@ -21,7 +21,8 @@ server:
      #style-src:
      #  unsafe-inline:  true
    whitelist:
-      font-src: [] 
+      font-src:
        - https://fonts.googleapis.com
      connect-src: [] 
 docker:
  services:
--- a/roles/web-app-openproject/tasks/01_ldap.yml
+++ b/roles/web-app-openproject/tasks/01_ldap.yml
@@ -9,7 +9,7 @@
    login_password: "{{ database_password }}"
    login_host: "127.0.0.1"
    login_port: "{{ database_port }}"
-    query: "SELECT id FROM ldap_auth_sources WHERE name = '{{ openproject_ldap.name }}' LIMIT 1;"
+    query: "SELECT id FROM ldap_auth_sources WHERE name = '{{ OPENPROJECT_LDAP.name }}' LIMIT 1;"
  register: ldap_check
 - name: Update existing LDAP auth source
@@ -21,23 +21,23 @@
    login_port: "{{ database_port }}"
    query: >
      UPDATE ldap_auth_sources SET
-        host = '{{ openproject_ldap.host }}',
+        host = '{{ OPENPROJECT_LDAP.host }}',
-        port = {{ openproject_ldap.port }},
+        port = {{ OPENPROJECT_LDAP.port }},
-        account = '{{ openproject_ldap.account }}',
+        account = '{{ OPENPROJECT_LDAP.account }}',
-        account_password = '{{ openproject_ldap.account_password }}',
+        account_password = '{{ OPENPROJECT_LDAP.account_password }}',
-        base_dn = '{{ openproject_ldap.base_dn }}',
+        base_dn = '{{ OPENPROJECT_LDAP.base_dn }}',
-        attr_login = '{{ openproject_ldap.attr_login }}',
+        attr_login = '{{ OPENPROJECT_LDAP.attr_login }}',
-        attr_firstname = '{{ openproject_ldap.attr_firstname }}',
+        attr_firstname = '{{ OPENPROJECT_LDAP.attr_firstname }}',
-        attr_lastname = '{{ openproject_ldap.attr_lastname }}',
+        attr_lastname = '{{ OPENPROJECT_LDAP.attr_lastname }}',
-        attr_mail = '{{ openproject_ldap.attr_mail }}',
+        attr_mail = '{{ OPENPROJECT_LDAP.attr_mail }}',
-        onthefly_register = {{ openproject_ldap.onthefly_register }},
+        onthefly_register = {{ OPENPROJECT_LDAP.onthefly_register }},
-        attr_admin = '{{ openproject_ldap.attr_admin }}',
+        attr_admin = '{{ OPENPROJECT_LDAP.attr_admin }}',
        updated_at = NOW(),
-        tls_mode = {{ openproject_ldap.tls_mode }},
+        tls_mode = {{ OPENPROJECT_LDAP.tls_mode }},
-        filter_string = '{{ openproject_ldap.filter_string }}',
+        filter_string = '{{ OPENPROJECT_LDAP.filter_string }}',
-        verify_peer = {{ openproject_ldap.verify_peer }},
+        verify_peer = {{ OPENPROJECT_LDAP.verify_peer }},
-        tls_certificate_string = '{{ openproject_ldap.tls_certificate_string }}'
+        tls_certificate_string = '{{ OPENPROJECT_LDAP.tls_certificate_string }}'
-      WHERE name = '{{ openproject_ldap.name }}';
+      WHERE name = '{{ OPENPROJECT_LDAP.name }}';
  when: ldap_check.query_result | length > 0
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
@@ -55,24 +55,24 @@
       attr_firstname, attr_lastname, attr_mail, onthefly_register, attr_admin,
       created_at, updated_at, tls_mode, filter_string, verify_peer, tls_certificate_string)
      VALUES (
-        '{{ openproject_ldap.name }}',
+        '{{ OPENPROJECT_LDAP.name }}',
-        '{{ openproject_ldap.host }}',
+        '{{ OPENPROJECT_LDAP.host }}',
-        {{ openproject_ldap.port }},
+        {{ OPENPROJECT_LDAP.port }},
-        '{{ openproject_ldap.account }}',
+        '{{ OPENPROJECT_LDAP.account }}',
-        '{{ openproject_ldap.account_password }}',
+        '{{ OPENPROJECT_LDAP.account_password }}',
-        '{{ openproject_ldap.base_dn }}',
+        '{{ OPENPROJECT_LDAP.base_dn }}',
-        '{{ openproject_ldap.attr_login }}',
+        '{{ OPENPROJECT_LDAP.attr_login }}',
-        '{{ openproject_ldap.attr_firstname }}',
+        '{{ OPENPROJECT_LDAP.attr_firstname }}',
-        '{{ openproject_ldap.attr_lastname }}',
+        '{{ OPENPROJECT_LDAP.attr_lastname }}',
-        '{{ openproject_ldap.attr_mail }}',
+        '{{ OPENPROJECT_LDAP.attr_mail }}',
-        {{ openproject_ldap.onthefly_register }},
+        {{ OPENPROJECT_LDAP.onthefly_register }},
-        '{{ openproject_ldap.attr_admin }}',
+        '{{ OPENPROJECT_LDAP.attr_admin }}',
        NOW(),
        NOW(),
-        {{ openproject_ldap.tls_mode }},
+        {{ OPENPROJECT_LDAP.tls_mode }},
-        '{{ openproject_ldap.filter_string }}',
+        '{{ OPENPROJECT_LDAP.filter_string }}',
-        {{ openproject_ldap.verify_peer }},
+        {{ OPENPROJECT_LDAP.verify_peer }},
-        '{{ openproject_ldap.tls_certificate_string }}'
+        '{{ OPENPROJECT_LDAP.tls_certificate_string }}'
      );
  when: ldap_check.query_result | length == 0
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
--- a/roles/web-app-openproject/vars/ldap.yml
+++ b/roles/web-app-openproject/vars/ldap.yml
@@ -1,17 +1,17 @@
-openproject_ldap:
+OPENPROJECT_LDAP:
-  name:                   "{{ PRIMARY_DOMAIN }}"                      # Display name for the LDAP connection in OpenProject
+  name:                   "{{ PRIMARY_DOMAIN }}"                          # Display name for the LDAP connection in OpenProject
-  host:                   "{{ LDAP.SERVER.DOMAIN }}"                  # LDAP server address
+  host:                   "{{ LDAP.SERVER.DOMAIN }}"                      # LDAP server address
-  port:                   "{{ LDAP.SERVER.PORT }}"                    # LDAP server port (typically 389 or 636)
+  port:                   "{{ LDAP.SERVER.PORT }}"                        # LDAP server port (typically 389 or 636)
-  account:                "{{ LDAP.DN.ADMINISTRATOR.DATA }}"          # Bind DN (used for authentication)
+  account:                "{{ LDAP.DN.ADMINISTRATOR.DATA }}"              # Bind DN (used for authentication)
-  account_password:       "{{ LDAP.BIND_CREDENTIAL }}"                # Bind password
+  account_password:       "{{ LDAP.BIND_CREDENTIAL }}"                    # Bind password
-  base_dn:                "{{ LDAP.DN.OU.USERS }}"                       # Base DN for user search
+  base_dn:                "{{ LDAP.DN.OU.USERS }}"                        # Base DN for user search
-  attr_login:             "{{ LDAP.USER.ATTRIBUTES.ID }}"             # LDAP attribute used for login
+  attr_login:             "{{ LDAP.USER.ATTRIBUTES.ID }}"                 # LDAP attribute used for login
-  attr_firstname:         "givenName"                                 # LDAP attribute for first name
+  attr_firstname:         "givenName"                                     # LDAP attribute for first name
-  attr_lastname:          "{{ LDAP.USER.ATTRIBUTES.SURNAME }}"             # LDAP attribute for last name
+  attr_lastname:          "{{ LDAP.USER.ATTRIBUTES.SURNAME }}"            # LDAP attribute for last name
-  attr_mail:              "{{ LDAP.USER.ATTRIBUTES.MAIL }}"                # LDAP attribute for email
+  attr_mail:              "{{ LDAP.USER.ATTRIBUTES.MAIL }}"               # LDAP attribute for email
-  attr_admin:             "{{ OPENPROJECT_LDAP_FILTERS.ADMINISTRATORS }}"  # Optional: LDAP attribute for admin group (leave empty if unused)
+  attr_admin:             "{{ OPENPROJECT_LDAP_FILTERS.ADMINISTRATORS }}" # Optional: LDAP attribute for admin group (leave empty if unused)
-  onthefly_register:      true                                        # Automatically create users on first login
+  onthefly_register:      true                                            # Automatically create users on first login
-  tls_mode:               0                                           # 0 = No TLS, 1 = TLS, 2 = STARTTLS
+  tls_mode:               0                                               # 0 = No TLS, 1 = TLS, 2 = STARTTLS
-  verify_peer:            false                                       # Whether to verify the SSL certificate
+  verify_peer:            false                                           # Whether to verify the SSL certificate
-  filter_string:          "{{ OPENPROJECT_LDAP_FILTERS.USERS }}"           # Optional: Custom filter for users (e.g., "(objectClass=person)")
+  filter_string:          "{{ OPENPROJECT_LDAP_FILTERS.USERS }}"          # Optional: Custom filter for users (e.g., "(objectClass=person)")
-  tls_certificate_string: ""                                          # Optional: Client certificate string for TLS (usually left empty)
+  tls_certificate_string: ""                                              # Optional: Client certificate string for TLS (usually left empty)
--- a/roles/web-app-openproject/vars/main.yml
+++ b/roles/web-app-openproject/vars/main.yml
@@ -61,5 +61,5 @@ OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED: "{{ applications | get_app_conf(
 OPENPROJECT_LDAP_FILTER_USERS_ENABLED:          "{{ applications | get_app_conf(application_id, 'ldap.filters.users') }}"
 OPENPROJECT_LDAP_FILTERS:
  # The administrator filter just works in the Enterprise edition
-  ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED else '' }}"
+  ADMINISTRATORS: "{{ '(memberOf=cn=openproject-admins,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_ADMINISTRATORS_ENABLED | bool else '' }}"
-  USERS: "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED else '' }}"
+  USERS:          "{{ '(memberOf=cn=openproject-users,' ~ LDAP.DN.OU.ROLES ~ ')' if OPENPROJECT_LDAP_FILTER_USERS_ENABLED | bool else '' }}"