add ability to completely override csp config

Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2026-01-07 21:00:30 -06:00 · 2025-11-14 13:31:27 +01:00
parent 63603679a5
commit 8007e8a269
3 changed files with 32 additions and 26 deletions
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -24,27 +24,28 @@ type Config struct {
 	GRPCClientTLS *shared.GRPCClientTLS `yaml:"grpc_client_tls"`
 	GrpcClient    client.Client         `yaml:"-"`

-	RoleQuotas            map[string]uint64   `yaml:"role_quotas"`
-	Policies              []Policy            `yaml:"policies"`
-	AdditionalPolicies    []Policy            `yaml:"additional_policies"`
-	OIDC                  OIDC                `yaml:"oidc"`
-	ServiceAccount        ServiceAccount      `yaml:"service_account"`
-	RoleAssignment        RoleAssignment      `yaml:"role_assignment"`
-	PolicySelector        *PolicySelector     `yaml:"policy_selector"`
-	PreSignedURL          PreSignedURL        `yaml:"pre_signed_url"`
-	AccountBackend        string              `yaml:"account_backend" env:"PROXY_ACCOUNT_BACKEND_TYPE" desc:"Account backend the PROXY service should use. Currently only 'cs3' is possible here." introductionVersion:"1.0.0"`
-	UserOIDCClaim         string              `yaml:"user_oidc_claim" env:"PROXY_USER_OIDC_CLAIM" desc:"The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim." introductionVersion:"1.0.0"`
-	UserCS3Claim          string              `yaml:"user_cs3_claim" env:"PROXY_USER_CS3_CLAIM" desc:"The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'." introductionVersion:"1.0.0"`
-	MachineAuthAPIKey     string              `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services." introductionVersion:"1.0.0" mask:"password"`
-	AutoprovisionAccounts bool                `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS" desc:"Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running." introductionVersion:"1.0.0"`
-	AutoProvisionClaims   AutoProvisionClaims `yaml:"auto_provision_claims"`
-	EnableBasicAuth       bool                `yaml:"enable_basic_auth" env:"PROXY_ENABLE_BASIC_AUTH" desc:"Set this to true to enable 'basic authentication' (username/password)." introductionVersion:"1.0.0"`
-	InsecureBackends      bool                `yaml:"insecure_backends" env:"PROXY_INSECURE_BACKENDS" desc:"Disable TLS certificate validation for all HTTP backend connections." introductionVersion:"1.0.0"`
-	BackendHTTPSCACert    string              `yaml:"backend_https_cacert" env:"PROXY_HTTPS_CACERT" desc:"Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services." introductionVersion:"1.0.0"`
-	AuthMiddleware        AuthMiddleware      `yaml:"auth_middleware"`
-	PoliciesMiddleware    PoliciesMiddleware  `yaml:"policies_middleware"`
-	CSPConfigFileLocation string              `yaml:"csp_config_file_location" env:"PROXY_CSP_CONFIG_FILE_LOCATION" desc:"The location of the CSP configuration file." introductionVersion:"1.0.0"`
-	Events                Events              `yaml:"events"`
+	RoleQuotas                    map[string]uint64   `yaml:"role_quotas"`
+	Policies                      []Policy            `yaml:"policies"`
+	AdditionalPolicies            []Policy            `yaml:"additional_policies"`
+	OIDC                          OIDC                `yaml:"oidc"`
+	ServiceAccount                ServiceAccount      `yaml:"service_account"`
+	RoleAssignment                RoleAssignment      `yaml:"role_assignment"`
+	PolicySelector                *PolicySelector     `yaml:"policy_selector"`
+	PreSignedURL                  PreSignedURL        `yaml:"pre_signed_url"`
+	AccountBackend                string              `yaml:"account_backend" env:"PROXY_ACCOUNT_BACKEND_TYPE" desc:"Account backend the PROXY service should use. Currently only 'cs3' is possible here." introductionVersion:"1.0.0"`
+	UserOIDCClaim                 string              `yaml:"user_oidc_claim" env:"PROXY_USER_OIDC_CLAIM" desc:"The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim." introductionVersion:"1.0.0"`
+	UserCS3Claim                  string              `yaml:"user_cs3_claim" env:"PROXY_USER_CS3_CLAIM" desc:"The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'." introductionVersion:"1.0.0"`
+	MachineAuthAPIKey             string              `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services." introductionVersion:"1.0.0" mask:"password"`
+	AutoprovisionAccounts         bool                `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS" desc:"Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running." introductionVersion:"1.0.0"`
+	AutoProvisionClaims           AutoProvisionClaims `yaml:"auto_provision_claims"`
+	EnableBasicAuth               bool                `yaml:"enable_basic_auth" env:"PROXY_ENABLE_BASIC_AUTH" desc:"Set this to true to enable 'basic authentication' (username/password)." introductionVersion:"1.0.0"`
+	InsecureBackends              bool                `yaml:"insecure_backends" env:"PROXY_INSECURE_BACKENDS" desc:"Disable TLS certificate validation for all HTTP backend connections." introductionVersion:"1.0.0"`
+	BackendHTTPSCACert            string              `yaml:"backend_https_cacert" env:"PROXY_HTTPS_CACERT" desc:"Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services." introductionVersion:"1.0.0"`
+	AuthMiddleware                AuthMiddleware      `yaml:"auth_middleware"`
+	PoliciesMiddleware            PoliciesMiddleware  `yaml:"policies_middleware"`
+	CSPConfigFileLocation         string              `yaml:"csp_config_file_location" env:"PROXY_CSP_CONFIG_FILE_LOCATION" desc:"The location of the CSP configuration file." introductionVersion:"1.0.0"`
+	CSPConfigFileOverrideLocation string              `yaml:"csp_config_file_override_location" env:"PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION" desc:"The location of the CSP configuration file override." introductionVersion:"%%NEXT%%"`
+	Events                        Events              `yaml:"events"`

 	Context context.Context `json:"-" yaml:"-"`
 }
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -92,9 +92,10 @@ func DefaultConfig() *config.Config {
 			DisplayName: "name",
 			Groups:      "groups",
 		},
-		EnableBasicAuth:       false,
-		InsecureBackends:      false,
-		CSPConfigFileLocation: "",
+		EnableBasicAuth:               false,
+		InsecureBackends:              false,
+		CSPConfigFileLocation:         "",
+		CSPConfigFileOverrideLocation: "",
 		Events: config.Events{
 			Endpoint:  "127.0.0.1:9233",
 			Cluster:   "opencloud-cluster",
--- a/services/proxy/pkg/middleware/security.go
+++ b/services/proxy/pkg/middleware/security.go
@@ -19,7 +19,11 @@ func LoadCSPConfig(proxyCfg *config.Config) (*config.CSP, error) {
 	if err != nil {
 		return nil, err
 	}
-	return loadCSPConfig(presetYamlContent, customYamlContent)
+	if proxyCfg.CSPConfigFileOverrideLocation == "" {
+		return loadCSPConfig(presetYamlContent, customYamlContent)
+	} else {
+		return loadCSPConfig(presetYamlContent, []byte{})
+	}
 }

 // LoadCSPConfig loads CSP header configuration from a yaml file.
@@ -27,7 +31,7 @@ func loadCSPConfig(presetYamlContent, customYamlContent []byte) (*config.CSP, er
 	// substitute env vars and load to struct
 	gofig.WithOptions(gofig.ParseEnv)
 	gofig.AddDriver(yaml.Driver)
-	
+
 	presetMap := map[string]interface{}{}
 	err := yamlv3.Unmarshal(presetYamlContent, &presetMap)
 	if err != nil {