Content Security Policy (CSP) Not Implemented (DataBiosphere/azul-private#6)

[dsotirho-ucsc]

Connected issues: DataBiosphere/azul-private#6

Checklist

Author

• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• On ZenHub, PR is connected to all issues it (partially) resolves
• PR description links to connected issues
• PR title matches¹ that of a connected issue _{or comment in PR explains why they're different}
• PR title references all connected issues
• For each connected issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all connected issues}
• This PR partially resolves each of the connected issues _{or does not have the partial label}

Author (chains)

• This PR is blocked by previous PR in the chain _{or is not chained to another PR}
• The blocking PR is labeled base _{or this PR is not chained to another PR}
• This PR is labeled chained _{or is not chained to another PR}

Author (reindex, API changes)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}
• This PR and its connected issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make image_manifests.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify image_manifests.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any connected issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues connected to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed old fixups
• Ran make requirements_update _{or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}

Peer reviewer (after approval)

• PR is not a draft
• Ticket is in Review requested column
• PR is awaiting requested review from system administrator
• PR is assigned to only the system administrator

System administrator (after approval)

• Actually approved the PR
• Labeled connected issues as demo or no demo
• Commented on connected issues about demo expectations _{or all connected issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Moved ticket to Approved column
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Checked reindex:… labels and r commit title tag
• Checked that demo expectations are clear _{or all connected issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub
• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator _{or this PR is not labeled deploy:gitlab}

System administrator

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in dev}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Moved connected issues to Merged lower column in ZenHub
• Moved blocked issues to Triage _{or no issues are blocked on the connected issues}
• Pushed merge commit to GitHub

Operator (chain shortening)

• Changed the target branch of the blocked PR to develop _{or this PR is not labeled base}
• Removed the chained label from the blocked PR _{or this PR is not labeled base}
• Removed the blocking relationship from the blocked PR _{or this PR is not labeled base}
• Removed the base label from this PR _{or this PR is not labeled base}

Operator (after pushing the merge commit)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}

Operator

• Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[coveralls]

coverage: 85.39% (-0.009%) from 85.399%
when pulling a45d3ad on issues/dsotirho-ucsc/6-azul-csp-header-2
into bbff541 on develop.

[codecov]

Codecov Report

Attention: Patch coverage is 72.91667% with 13 lines in your changes missing coverage. Please review.

Project coverage is 85.37%. Comparing base (bbff541) to head (a45d3ad).

Files with missing lines	Patch %	Lines
src/azul/chalice.py	60.86%	9 Missing ⚠️
test/integration_test.py	0.00%	3 Missing ⚠️
test/service/test_app_logging.py	95.45%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #6483      +/-   ##
===========================================
- Coverage    85.38%   85.37%   -0.02%     
===========================================
  Files          155      155              
  Lines        20788    20807      +19     
===========================================
+ Hits         17749    17763      +14     
- Misses        3039     3044       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dsotirho-ucsc]

6483_IT_2024-08-13.txt

Swagger UI & successful authorization with nonce value in CSP header:

[nadove-ucsc]

For consistency

Suggested change

	def content_security_policy(self, nonce: Optional[str] = None) -> str:
	def content_security_policy(self, nonce: str | None = None) -> str:

[nadove-ucsc]

Contributing guide says to prefer concatenation over f-strings when the expressions are of equal length, as they are here:

Suggested change

	nonce = q(f'nonce-{nonce}')
	nonce = q('nonce-' + nonce)

[nadove-ucsc]

Is it possible for the string to contain quote characters that need to be escaped?

Consider creating a dedicated, non-local function for this in src/azul/strings.py. I'm pretty sure there are other places in the codebase where we use this logic.

[nadove-ucsc]

To avoid overriding the reference to the self parameter.

Suggested change

	self = q('self')
	self_ = q('self')

[dsotirho-ucsc]

6483_IT_2024-08-14.txt

[nadove-ucsc]

There is at least one other place this function could be used

[nadove-ucsc]

Also here?

[nadove-ucsc]

There are other places. Search for f'" and f"' (that's a single quote and double quote in either order)

[nadove-ucsc]

azul.bigquery.backtick could make use of this function

[dsotirho-ucsc]

I believe the issue we saw on Friday regarding a circular import error when importing from azul.strings into azul.bigquery was due to a problem with my PyCharm configuration. After a reboot & reset of my Python interpreter path I am no longer able to reproduce the error.

[nadove-ucsc]

Alright, as long as the build's green on GitHub I think we're okay.

[nadove-ucsc]

I don't think this is a good idea. Filtering and joining the strings in the same function was okay when it was a local function that could only be used in one place, but a public function like this shouldn't be so fine-tuned to a single call site. There may be other call sites someday where the filtering isn't necessary or appropriate (it could hide bugs, for example).

[nadove-ucsc]

If I understand correctly, the only word that actually needs to be filtered is the nonce variable. How about this approach instead to eliminate the call to filter altogether?

Subject: [PATCH] review
---
Index: src/azul/chalice.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/src/azul/chalice.py b/src/azul/chalice.py
--- a/src/azul/chalice.py	(revision a36f7c5062b20fb1b79c21140c5bdb2c8db92fdf)
+++ b/src/azul/chalice.py	(date 1723684328983)
@@ -478,14 +478,13 @@
     def content_security_policy(self, nonce: str | None = None) -> str:
         self_ = sq('self')
         none = sq('none')
-        if nonce is not None:
-            nonce = sq('nonce-' + nonce)
+        nonce = [] if nonce is None else [sq('nonce-' + nonce)]
 
         return ';'.join([
             jw('default-src', self_),
             jw('img-src', self_, 'data:'),
-            jw('script-src', self_, nonce),
-            jw('style-src', self_, nonce),
+            jw('script-src', self_, *nonce),
+            jw('style-src', self_, *nonce),
             jw('frame-ancestors', none),
         ])

[dsotirho-ucsc]

6483_IT_2024-08-19.txt

[nadove-ucsc]

Suggested change

	require(end not in string, string)
	reject(end in string, string)

[nadove-ucsc]

Alright, as long as the build's green on GitHub I think we're okay.

[nadove-ucsc]

Nitpick, but I think the English can be streamlined a bit

Suggested change

	Prefix and postfix a string with another. The pre/postfix cannot be a
	substring of the source string.
	Prepend and append an affix to a string. The affix cannot be a
	substring of the base string.

[nadove-ucsc]

(feel free to disregard if you feel "affix" is too obscure a word to be helpful here)

[dsotirho-ucsc]

6483_IT_2024-10-04.txt

[achave11-ucsc]

LGTM ✅

🔎👁️ Consider moving the commit 'Move import statement above docstring' closer to the beginning, perhaps after the quotes change, preceding the refactor. Keeps the semantically neutral changes closer together.

[nadove-ucsc]

With the inner quotes extracted, the double quotes in these paragraphs should be converted to single quotes in this commit.

[nadove-ucsc]

Nitpick: I would refactor this from a variable to a method in a separate commit. This makes it easier to read the changes by isolating the noisy insertion of () away from the semantic changes.

[nadove-ucsc]

Quotes again

[dsotirho-ucsc]

6483_IT_2024-10-04.txt

[nadove-ucsc]

Comments were thumbs-upped but requested changes were not implemented:

a45d3ad#r1788392095
a45d3ad#r1788396246