Merge branch 'snowplow-micro-csp' into 'master'

Setup CSP to allow Snowplow Micro in development env

See merge request gitlab-org/gitlab!74887

lib/gitlab/content_security_policy/config_loader.rb

@@ -36,6 +36,7 @@ module Gitlab
         if Rails.env.development?
           allow_webpack_dev_server(directives)
           allow_letter_opener(directives)
+          allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled?
           allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present?
         end
 
@@ -138,6 +139,11 @@ module Gitlab
         append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/'))
       end
 
+      def self.allow_snowplow_micro(directives)
+        url = URI.join(Gitlab::Tracking::Destinations::SnowplowMicro.new.uri, '/').to_s
+        append_to_directive(directives, 'connect_src', url)
+      end
+
       # Using 'self' in the CSP introduces several CSP bypass opportunities
       # for this reason we list the URLs where GitLab frames itself instead
       def self.allow_framed_gitlab_paths(directives)

lib/gitlab/tracking.rb

@@ -25,6 +25,10 @@ module Gitlab
         snowplow.hostname
       end
 
+      def snowplow_micro_enabled?
+        Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'])
+      end
+
       private
 
       def snowplow
@@ -34,10 +38,6 @@ module Gitlab
                         Gitlab::Tracking::Destinations::Snowplow.new
                       end
       end
-
-      def snowplow_micro_enabled?
-        Rails.env.development? && Gitlab::Utils.to_boolean(ENV['SNOWPLOW_MICRO_ENABLE'])
-      end
     end
   end
 end

lib/gitlab/tracking/destinations/snowplow_micro.rb

@@ -23,8 +23,6 @@ module Gitlab
           "#{uri.host}:#{uri.port}"
         end
 
-        private
-
         def uri
           strong_memoize(:snowplow_uri) do
             uri = URI(ENV['SNOWPLOW_MICRO_URI'] || DEFAULT_URI)
@@ -33,6 +31,8 @@ module Gitlab
           end
         end
 
+        private
+
         override :cookie_domain
         def cookie_domain
           '.gitlab.com'

spec/lib/gitlab/content_security_policy/config_loader_spec.rb

@@ -128,7 +128,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
       end
     end
 
-    context 'letter_opener applicaiton URL' do
+    context 'letter_opener application URL' do
       let(:gitlab_url) { 'http://gitlab.example.com' }
       let(:letter_opener_url) { "#{gitlab_url}/rails/letter_opener/" }
 
@@ -156,6 +156,46 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
         end
       end
     end
+
+    context 'Snowplow Micro event collector' do
+      let(:snowplow_micro_hostname) { 'localhost:9090' }
+      let(:snowplow_micro_url) { "http://#{snowplow_micro_hostname}/" }
+
+      before do
+        stub_env('SNOWPLOW_MICRO_ENABLE', 1)
+        allow(Gitlab::Tracking).to receive(:collector_hostname).and_return(snowplow_micro_hostname)
+      end
+
+      context 'when in production' do
+        before do
+          stub_rails_env('production')
+        end
+
+        it 'does not add Snowplow Micro URL to connect-src' do
+          expect(directives['connect_src']).not_to include(snowplow_micro_url)
+        end
+      end
+
+      context 'when in development' do
+        before do
+          stub_rails_env('development')
+        end
+
+        it 'adds Snowplow Micro URL with trailing slash to connect-src' do
+          expect(directives['connect_src']).to match(Regexp.new(snowplow_micro_url))
+        end
+
+        context 'when not enabled using ENV[SNOWPLOW_MICRO_ENABLE]' do
+          before do
+            stub_env('SNOWPLOW_MICRO_ENABLE', nil)
+          end
+
+          it 'does not add Snowplow Micro URL to connect-src' do
+            expect(directives['connect_src']).not_to include(snowplow_micro_url)
+          end
+        end
+      end
+    end
   end
 
   describe '#load' do