kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-05-18 10:40:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized more CSP policies and recaptcha

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-05-15 19:36:46 +02:00
parent 2302cbfeb4
commit 9c65c320f9
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
8 changed files with 48 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -20,7 +20,7 @@ install: build
@echo "⚙️ Install complete." @echo "⚙️ Install complete."
test: test:
@echo "\n🧪 Running Unit Tests..." @echo "🧪 Running Unit Tests..."
python -m unittest discover -s tests/unit python -m unittest discover -s tests/unit
@echo "\n🔬 Running Integration Tests..." @echo "🔬 Running Integration Tests..."
python -m unittest discover -s tests/integration python -m unittest discover -s tests/integration

7
filter_plugins/csp_filters.py
View File

@ -113,6 +113,13 @@ class FilterModule(object):
if matomo_domain: if matomo_domain:
tokens.append(f"{web_protocol}://{matomo_domain}") tokens.append(f"{web_protocol}://{matomo_domain}")
# ReCaptcha integration: allow loading scripts from Google if feature enabled
if (
self.is_feature_enabled(applications, 'recaptcha', application_id)
and directive == 'script-src'
):
tokens.append('https://www.google.com')
# whitelist # whitelist
tokens += self.get_csp_whitelist(applications, application_id, directive) tokens += self.get_csp_whitelist(applications, application_id, directive)

10
roles/docker-keycloak/vars/configuration.yml
View File

@ -4,12 +4,14 @@ users:
username: "{{users.administrator.username}}" # Administrator Username for Keycloak username: "{{users.administrator.username}}" # Administrator Username for Keycloak
import_realm: True # If True realm will be imported. If false skip. import_realm: True # If True realm will be imported. If false skip.
credentials: credentials:
# database_password: # Needs to be defined in inventory file
# administrator_password: # Needs to be defined in inventory file
features: features:
matomo: true matomo: true
css: true css: true
portfolio_iframe: true portfolio_iframe: true
ldap: true ldap: true
central_database: true central_database: true
recaptcha: true recaptcha: true
csp:
flags:
script-src:
unsafe-inline: true

2
roles/docker-keycloak/vars/main.yml
View File

@ -1,4 +1,4 @@
application_id: "keycloak" application_id: "keycloak"
database_type: "postgres" database_type: "postgres"
container_name: "{{application_id}}_application" container_name: "{{application_id}}_application"
realm: "{{primary_domain}}" # This is the name of the default realm which is used by the applications realm: "{{primary_domain}}" # This is the name of the default realm which is used by the applications

19
roles/docker-moodle/vars/configuration.yml
View File

@ -1,23 +1,24 @@
site_titel: "Global Learning Academy on {{primary_domain}}" site_titel: "Global Learning Academy on {{primary_domain}}"
users: users:
administrator: administrator:
username: "{{users.administrator.username}}" username: "{{users.administrator.username}}"
email: "{{users.administrator.email}}" email: "{{users.administrator.email}}"
version: "latest" version: "latest"
features: features:
matomo: true matomo: true
css: true css: false
portfolio_iframe: false portfolio_iframe: false
central_database: true central_database: true
csp: csp:
flags: flags:
script-src: script-src:
unsafe-inline: true unsafe-inline: true
unsafe-eval: true unsafe-eval: true
style-src: style-src:
unsafe-inline: true unsafe-inline: true
whitelist: whitelist:
font-src: font-src:
- "data:" - "data:"
- "blob:" - "blob:"
script-src:
- "https://cdn.jsdelivr.net" - "https://cdn.jsdelivr.net"

2
roles/docker-peertube/vars/configuration.yml
View File

@ -2,7 +2,7 @@ version: "bookworm"
features: features:
matomo: true matomo: true
css: true css: true
portfolio_iframe: false portfolio_iframe: false
central_database: true central_database: true
csp: csp:
flags: flags:

3
roles/docker-wordpress/vars/configuration.yml
View File

@ -28,10 +28,9 @@ csp:
- "blob:" - "blob:"
font-src: font-src:
- "data:" - "data:"
- "https://fonts.bunny.net"
script-src: script-src:
- "https://cdn.gtranslate.net" - "https://cdn.gtranslate.net"
- "{{ domains.wordpress[0] }}" - "{{ domains.wordpress[0] }}"
frame-src:
- "{{ domains.peertube }}"
style-src: style-src:
- "https://fonts.bunny.net" - "https://fonts.bunny.net"

20
tests/unit/test_csp_filters.py
View File

@ -137,5 +137,25 @@ class TestCspFilters(unittest.TestCase):
style_hash = self.filter.get_csp_hash("body { background: #fff; }") style_hash = self.filter.get_csp_hash("body { background: #fff; }")
self.assertNotIn(style_hash, header) self.assertNotIn(style_hash, header)
def test_build_csp_header_recaptcha_toggle(self):
"""
When the 'recaptcha' feature is enabled, 'https://www.google.com'
must be included in script-src; when disabled, it must not be.
"""
# enabled case
self.apps['app1']['features']['recaptcha'] = True
header_enabled = self.filter.build_csp_header(
self.apps, 'app1', self.domains, web_protocol='https'
)
self.assertIn("https://www.google.com", header_enabled)
# disabled case
self.apps['app1']['features']['recaptcha'] = False
header_disabled = self.filter.build_csp_header(
self.apps, 'app1', self.domains, web_protocol='https'
)
self.assertNotIn("https://www.google.com", header_disabled)
if __name__ == '__main__': if __name__ == '__main__':
unittest.main() unittest.main()