aboutsummaryrefslogtreecommitdiffstats
path: root/catalog-fe
diff options
context:
space:
mode:
authorvasraz <vasyl.razinkov@est.tech>2022-10-04 18:16:26 +0100
committerVasyl Razinkov <vasyl.razinkov@est.tech>2022-10-04 18:54:54 +0000
commit0899720f168c09d037e577109d7cab665fe1fb91 (patch)
treec6c210914a6fb029841d28de92cb760cdad6088d /catalog-fe
parentca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff)
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter) Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87 Issue-ID: SDC-4192
Diffstat (limited to 'catalog-fe')
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb1
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb3
-rw-r--r--catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java40
-rw-r--r--catalog-fe/src/main/webapp/WEB-INF/web.xml27
4 files changed, 53 insertions, 18 deletions
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
index 819638ac08..73176ed1c3 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
@@ -13,6 +13,7 @@ template "catalog-fe-config" do
:basic_auth_flag => node['basic_auth']['enabled'],
:user_name => node['basic_auth'][:user_name],
:user_pass => node['basic_auth'][:user_pass],
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
:dcae_fe_vip => node['DCAE_FE_VIP']
})
end
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
index 8dc3c51df3..1b10845aaa 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
@@ -124,3 +124,6 @@ healthStatusExclude:
- PORTAL
- CATALOG_FACADE_MS
- External API
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..a49f625e54
--- /dev/null
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,40 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.fe.filters;
+
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+import org.openecomp.sdc.fe.config.Configuration;
+import org.openecomp.sdc.fe.config.ConfigurationManager;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager();
+ if (configurationManager != null) {
+ final Configuration configuration = configurationManager.getConfiguration();
+ if (configuration != null) {
+ return configuration.getPermittedAncestors();
+ }
+ }
+ return "";
+ }
+}
diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml
index de133ac8ec..895dfd8690 100644
--- a/catalog-fe/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml
@@ -47,8 +47,6 @@
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
-
-
</servlet>
<servlet-mapping>
@@ -72,6 +70,15 @@
<param-value>false</param-value>
</context-param>
+ <filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.fe.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter>
<filter-name>AuditLogServletFilter</filter-name>
@@ -79,17 +86,6 @@
<async-supported>true</async-supported>
</filter>
- <!-- <filter>-->
- <!-- <filter-name>SecurityFilter</filter-name>-->
- <!-- <filter-class>org.openecomp.sdc.fe.filters.SecurityFilter</filter-class>-->
- <!-- <async-supported>true</async-supported>-->
- <!-- <init-param>-->
- <!-- <param-name>excludedUrls</param-name>-->
- <!-- &lt;!&ndash; Comma separated list of excluded servlet URLs &ndash;&gt;-->
- <!-- <param-value>/config,/configmgr,/rest</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
-
<filter>
<filter-name>gzipFilter</filter-name>
<filter-class>org.openecomp.sdc.fe.filters.GzipFilter</filter-class>
@@ -101,11 +97,6 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
- <!-- <filter-mapping>-->
- <!-- <filter-name>SecurityFilter</filter-name>-->
- <!-- <url-pattern>/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
<filter-mapping>
<filter-name>gzipFilter</filter-name>
<url-pattern>*.jsgz</url-pattern>