Merge branch 'override-csp-for-jira-connect' into 'master'

Override CSP for Jira Connect page in iframe See merge request gitlab-org/gitlab-ee!16069

Merge branch 'override-csp-for-jira-connect' into 'master'
Override CSP for Jira Connect page in iframe See merge request gitlab-org/gitlab-ee!16069
80b9575d · Stan Hu · bb46d14e · 5fec2992 · 80b9575d · 80b9575d
Commit 80b9575d authored Sep 05, 2019 by Stan Hu
2 changed files
--- a/ee/app/controllers/jira_connect/subscriptions_controller.rb
+++ b/ee/app/controllers/jira_connect/subscriptions_controller.rb
@@ -3,6 +3,19 @@
 class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
  layout 'jira_connect'

+  content_security_policy do |p|
+    next if p.directives.blank?
+
+    # rubocop: disable Lint/PercentStringArray
+    script_src_values = Array.wrap(p.directives['script-src']) | %w('self' https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/)
+    style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline' https://unpkg.com/@atlaskit/)
+    # rubocop: enable Lint/PercentStringArray
+
+    p.frame_ancestors :self, 'https://*.atlassian.net'
+    p.script_src(*script_src_values)
+    p.style_src(*style_src_values)
+  end
+
  before_action :allow_rendering_in_iframe, only: :index
  before_action :verify_qsh_claim!, only: :index
  before_action :authenticate_user!, only: :create

--- a/ee/spec/features/jira_connect/subscriptions_spec.rb
+++ b/ee/spec/features/jira_connect/subscriptions_spec.rb
+require 'spec_helper'
+
+describe 'Subscriptions Content Security Policy' do
+  before do
+    stub_feature_flags(jira_connect_app: true)
+  end
+
+  let(:installation) { create(:jira_connect_installation) }
+  let(:qsh) { Atlassian::Jwt.create_query_string_hash('https://gitlab.test/subscriptions', 'GET', 'https://gitlab.test') }
+  let(:jwt) { Atlassian::Jwt.encode({ iss: installation.client_key, qsh: qsh }, installation.shared_secret) }
+
+  subject { response_headers['Content-Security-Policy'] }
+
+  context 'when there is no global config' do
+    before do
+      expect_next_instance_of(JiraConnect::SubscriptionsController) do |controller|
+        expect(controller).to receive(:current_content_security_policy)
+          .and_return(ActionDispatch::ContentSecurityPolicy.new)
+      end
+    end
+
+    it 'does not add CSP directives' do
+      visit jira_connect_subscriptions_path(jwt: jwt)
+
+      is_expected.to be_blank
+    end
+  end
+
+  context 'when a global CSP config exists' do
+    before do
+      csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.script_src :self, 'https://some-cdn.test'
+        p.style_src :self, 'https://some-cdn.test'
+      end
+
+      expect_next_instance_of(JiraConnect::SubscriptionsController) do |controller|
+        expect(controller).to receive(:current_content_security_policy).and_return(csp)
+      end
+    end
+
+    it 'appends to CSP directives' do
+      visit jira_connect_subscriptions_path(jwt: jwt)
+
+      is_expected.to include("frame-ancestors 'self' https://*.atlassian.net")
+      is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/")
+      is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline' https://unpkg.com/@atlaskit/")
+    end
+  end
+end