From 7d0751d13c291c241f048dcdf56470d874dfea41 Mon Sep 17 00:00:00 2001 From: Micke Nordin <kano@sunet.se> Date: Mon, 19 Aug 2024 15:21:01 +0200 Subject: [PATCH] Add csp in a better way Signed-off-by: Micke Nordin <kano@sunet.se> --- Makefile | 4 +- integration_jupyterhub/appinfo/info.xml | 2 +- .../lib/AppInfo/Application.php | 24 +++++++--- .../lib/Controller/PageController.php | 11 ----- .../lib/Listener/CSPListener.php | 45 +++++++++++++++++++ integration_jupyterhub/package.json | 2 +- 6 files changed, 68 insertions(+), 20 deletions(-) create mode 100644 integration_jupyterhub/lib/Listener/CSPListener.php diff --git a/Makefile b/Makefile index 273e96f..9615d14 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ project_dir=$(CURDIR)/$(app_name) build_dir=$(CURDIR)/build/artifacts sign_dir=$(build_dir)/sign package_name=$(app_name) -version+=0.1.1 +version+=0.1.2 all: appstore release: appstore @@ -31,7 +31,7 @@ sign: package docker cp nextcloud:/var/www/html/custom_apps/$(app_name)-$(version).tar.gz $(build_dir)/$(app_name)-$(version).tar.gz sleep 3 docker kill nextcloud - openssl dgst -sha512 -sign $(cert_dir)/$(app_name).key $(build_dir)/$(app_name)-0.1.1.tar.gz | openssl base64 + openssl dgst -sha512 -sign $(cert_dir)/$(app_name).key $(build_dir)/$(app_name)-$(version).tar.gz | openssl base64 appstore: sign diff --git a/integration_jupyterhub/appinfo/info.xml b/integration_jupyterhub/appinfo/info.xml index c1d3f4d..3aa11a1 100644 --- a/integration_jupyterhub/appinfo/info.xml +++ b/integration_jupyterhub/appinfo/info.xml @@ -11,7 +11,7 @@ <description> <![CDATA[Integrate Jupyther Hub into Nextcloud]]> </description> - <version>0.1.1</version> + <version>0.1.2</version> <licence>agpl</licence> <author mail="kano@sunet.se" homepage="https://github.com/SUNET/nextcloud-jupyter">Mikael Nordin</author> <namespace>Jupyter</namespace> 
diff --git a/integration_jupyterhub/lib/AppInfo/Application.php b/integration_jupyterhub/lib/AppInfo/Application.php index 090e3aa..00de2ed 100644 --- a/integration_jupyterhub/lib/AppInfo/Application.php +++ b/integration_jupyterhub/lib/AppInfo/Application.php @@ -1,16 +1,30 @@ <?php + declare(strict_types=1); // SPDX-FileCopyrightText: Mikael Nordin <kano@sunet.se> // SPDX-License-Identifier: AGPL-3.0-or-later namespace OCA\Jupyter\AppInfo; +use OCA\Jupyter\Listener\CSPListener; + use OCP\AppFramework\App; +use OCP\AppFramework\Bootstrap\IBootContext; +use OCP\AppFramework\Bootstrap\IBootstrap; +use OCP\AppFramework\Bootstrap\IRegistrationContext; +use OCP\Security\CSP\AddContentSecurityPolicyEvent; -class Application extends App { - public const APP_ID = 'integration_jupyterhub'; +class Application extends App implements IBootstrap +{ + public const APP_ID = 'integration_jupyterhub'; - public function __construct() { - parent::__construct(self::APP_ID); - } + public function __construct() + { + parent::__construct(self::APP_ID); + } + public function register(IRegistrationContext $context): void + { + $context->registerEventListener(AddContentSecurityPolicyEvent::class, CSPListener::class); + } + public function boot(IBootContext $context): void {} } diff --git a/integration_jupyterhub/lib/Controller/PageController.php b/integration_jupyterhub/lib/Controller/PageController.php index 444b220..0cb3234 100644 --- a/integration_jupyterhub/lib/Controller/PageController.php +++ b/integration_jupyterhub/lib/Controller/PageController.php 
@@ -42,17 +42,6 @@ public function __construct( */ public function index(): TemplateResponse { - //Util::addScript(Application::APP_ID, 'jupyter-main'); - $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy(); - - $parsed_url = parse_url($this->jupyter_url); - - $http = $parsed_url["scheme"] . "://" . $parsed_url["host"]; - $policy->addAllowedConnectDomain($http); - $policy->addAllowedScriptDomain($http); - $policy->addAllowedFrameDomain($http); - \OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy); - $params = [ 'user_id' => $this->userId, diff --git a/integration_jupyterhub/lib/Listener/CSPListener.php b/integration_jupyterhub/lib/Listener/CSPListener.php new file mode 100644 index 0000000..b05d375 --- /dev/null +++ b/integration_jupyterhub/lib/Listener/CSPListener.php 
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Jupyter\Listener;
+
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+use Psr\Log\LoggerInterface;
+use OCP\IConfig;
+
+class CSPListener implements IEventListener
+{
+ protected string $appName;
+ private string $jupyter_url;
+ public function __construct(
+ private IConfig $config,
+ private LoggerInterface $logger
+ ) {
+ $this->jupyter_url = $config->getAppValue($this->appName, 'jupyter_url') . '/hub/home';
+ $this->appName = "integration_jupyterhub";
+ }
+
+ public function handle(Event $event): void
+ {
+ $this->logger->debug('Adding CSP for Jupyter', ['app' => 'integration_jupyterhub']);
+ if (!($event instanceof AddContentSecurityPolicyEvent)) {
+ return;
+ }
+ $csp = new ContentSecurityPolicy();
+ $url = parse_url($this->jupyter_url);
+ $http = $url["scheme"] . "://" . $url["host"];
+ $csp->addAllowedConnectDomain($http);
+ $csp->addAllowedScriptDomain($http);
+ $csp->addAllowedFrameDomain($http);
+
+ $event->addPolicy($csp);
+ }
+}
diff --git a/integration_jupyterhub/package.json b/integration_jupyterhub/package.json
index 305b648..9ea7f38 100644
--- a/integration_jupyterhub/package.json
+++ b/integration_jupyterhub/package.json
@@ -1,7 +1,7 @@
 {
 "name": "integration_jupyterhub",
 "description": "Integrate Jupyther Hub into Nextcloud",
- "version": "0.1.1",
+ "version": "0.1.2",
 "author": "Micke Nordin <kano@sunet.se>",
 "contributors": [],
 "bugs": {
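Review bot: The constructor in CSPListener.php reads `$this->appName` inside the `getAppValue()` call one line before assigning it, and because `appName` is a typed property with no default, PHP raises an Error on that read, so the listener cannot be constructed as written. Move `$this->appName = "integration_jupyterhub";` above the `getAppValue()` line. In `handle()`, the `parse_url()` result is indexed by `scheme` and `host` with no check; when `jupyter_url` is unset the value is only `/hub/home`, both keys are missing, and the bare string `://` ends up in the policy. The listener is registered on `AddContentSecurityPolicyEvent`, which as far as I can tell fires for pages well beyond this app's own, so the allowlist should be built only from a validated http(s) origin. It is also worth confirming that `addAllowedScriptDomain` is needed at all if the hub is only framed.

```php
    public function handle(Event $event): void
    {
        // … unchanged: debug log and instanceof check …
        $url = parse_url($this->jupyter_url);
        $scheme = is_array($url) ? strtolower($url['scheme'] ?? '') : '';
        if (!in_array($scheme, ['http', 'https'], true) || empty($url['host'])) {
            // No usable hub origin is configured: leave the policy untouched
            // rather than widening it with a malformed source expression.
            return;
        }
        $http = $scheme . '://' . $url['host'];
        // … unchanged: create the ContentSecurityPolicy, add the domains, addPolicy …
```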