yaml_csp_config 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7c1a15cf473158e7caa531c124ef6d3b916aea37e2935836e091d45e1a577005
+  data.tar.gz: d58ca4a23c4f0c9a00c083b3fc53bb05436de96e53f2eb0c49ebbaaecf89553b
+SHA512:
+  metadata.gz: b3086d40d76804167f12b22bed3efa8e50267f8e6060a7715769e7fc0a949e5c5bf3a6c0f2e2173c7b5401d76c83a6385e320916d43b7f4cc043848542311c57
+  data.tar.gz: 0d83c01baa01b4026b0da4c804bdfe3adf1ae3ed2a196d85dc6b10b36cb662306f645a6620382b7b182d8dcf732324e9debc65fc88195247ad1492c725dfdece

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 Stephen Ierodiaconou
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,276 @@
+# `yaml_csp_config`: Rails content security policy configuration in YAML
+
+### What?
+
+This Rails plugin gem is designed to allow you to be able to specify your content security policy 
+for Rails 5.2+ in a YAML file, instead of using the Rails DSL. 
+
+This makes the configuration  of your content security policy more akin to configuring other things 
+through YAML files. 
+  
+The gem also contains a extra few features. These allow you to add content security policy configuration
+via environment variables, either by configuring a specific addition for a specific directive or by 
+configuring the name of a group of configurations to be applied from the configuration file in the 
+application. This is useful for deployed environments where the content security policy may be slightly 
+different per deployment.
+
+### Why?
+
+* Configure your CSP in YAML
+* Provide additional CSP configuration which is applied according to environment variables
+
+## Example
+
+Below is an artificial example of a security policy before and after converting DSL to YAML, 
+making use of YAML aliases to allow sharing of policy  configurations:
+
+### Before (Without this gem):
+
+`config/initializers/content_security_policy.rb`
+
+```ruby
+GOOGLE_STATIC = ["https://*.googleapis.com", "https://*.gstatic.com"].freeze
+
+CSP_SCRIPT_HOSTS = %w[
+  https://cdnjs.cloudflare.com
+  https://www.google-analytics.com
+  https://maps.googleapis.com
+].freeze
+
+CSP_FONT_HOSTS = (["https://fonts.gstatic.com"] + GOOGLE_STATIC).freeze
+
+CSP_IMAGE_HOSTS =  (["https://s3.amazonaws.com"] + GOOGLE_STATIC).freeze
+  
+CSP_WEBPACKER_HOST = "http://localhost:3035"
+
+CSP_DEV_CONNECT_SRC = %w[
+  http://localhost:3035
+  ws://localhost:3000
+  ws://localhost:3035
+  ws://127.0.0.1:35729
+].freeze
+
+CSP_REVIEW_CONNECT_SRC = %w[
+  wss://*.herokuapp.com
+].freeze
+
+Rails.application.config.content_security_policy do |policy|
+  policy.report_uri("/csp-violation-report-endpoint")
+
+  policy.default_src(:self)
+
+  policy.object_src(:none)
+    
+  policy.font_src(:self, *CSP_FONT_HOSTS)
+  
+  policy.style_src(:self, :data, :unsafe_inline)
+
+  if Rails.env.development?
+    policy.img_src(:self, :data, CSP_WEBPACKER_HOST, *CSP_IMAGE_HOSTS)
+
+    policy.script_src(:self, :unsafe_eval, CSP_WEBPACKER_HOST, *CSP_SCRIPT_HOSTS)
+     
+    policy.connect_src(:self, *CSP_DEV_CONNECT_SRC)
+  else
+    policy.img_src(:self, :data, *CSP_IMAGE_HOSTS)
+
+    policy.script_src(:self, *CSP_SCRIPT_HOSTS)
+  
+    if ENV["IN_REVIEW_APP"].present?
+      policy.connect_src(:self, *CSP_REVIEW_CONNECT_SRC)
+    else
+      policy.connect_src(:self)
+    end
+  end
+end
+
+# ...
+```
+
+### After (With this gem):
+
+`config/content_security_policy.yml`
+
+```yaml
+self_and_data_uri_policy: &SELF_AND_DATA
+  - :self
+  - :data
+
+google_static_hosts: &GOOGLE_STATIC
+  - https://*.googleapis.com
+  - https://*.gstatic.com
+
+content_security_policy:
+  # Base config
+  report_uri: "/csp-violation-report-endpoint"
+
+  default_src: :self
+
+  object_src: :none
+
+  font_src: 
+    - :self
+    - *GOOGLE_STATIC
+    - https://fonts.gstatic.com
+  
+  style_src: 
+    - *SELF_AND_DATA
+    - :unsafe_inline
+  
+  img_src:
+    - *SELF_AND_DATA
+    - *GOOGLE_STATIC
+    - https://s3.amazonaws.com
+
+  script_src:
+    - :self
+    - https://cdnjs.cloudflare.com
+    - https://www.google-analytics.com
+    - https://maps.googleapis.com
+
+  connect_src:
+    - :self
+
+development:
+  img_src:
+    - http://localhost:3035
+
+  script_src:
+    - http://localhost:3035
+
+  connect_src:
+    - http://localhost:3035
+    - ws://localhost:3000
+    - ws://localhost:3035
+    - ws://127.0.0.1:35729
+
+review_apps:
+  connect_src: 
+    - wss://*.herokuapp.com
+```
+
+
+## Installation
+Add to your Gemfile:
+
+```ruby
+gem 'yaml_csp_config'
+```
+
+Or install it yourself as:
+```bash
+$ gem install yaml_csp_config
+```
+Then run the **generator to add the initializer**
+
+    rails yaml_csp_config:install
+
+
+## Usage
+
+### `ActionDispatch::ContentSecurityPolicy.load_from_file`
+
+`YamlCspConfig` extends `ActionDispatch::ContentSecurityPolicy` with a method to 
+load configuration from a YAML file. By default the initializer will add the `load_from_file`
+instance method and call it on initialisation.
+ 
+If you wish instead to call it explicitly  make sure to comment it out from the initializer. 
+
+### YAML file format
+
+**Note: The YAML file can also be an ERB template.**
+
+The file must contain at at least the 'base' configuration group, containing the base or common CSP 
+configuration.
+
+This key of this group by default is `content_security_policy` but can be configured via the `yaml_config_base_key`
+config value in the initializer.
+
+Directive configurations are then specified as keys named after the directive 
+(see `YamlCspConfig::YamlLoader::DIRECTIVES` for a list)  and then either an array of  policy values, 
+or a single value (note that if you use aliases you may end up creating nested arrays of values this 
+is no problem as it will be flattened). Values can either be strings or symbols.
+
+```yaml
+# example
+content_security_policy:
+  object_src: :none
+  connect_src:
+    - :self
+  font_src: *SELF_AND_DATA
+  script_src:
+    - :self
+    - *GOOGLE
+  img_src: "host"
+```
+
+The file can contain any number of other configuration groups. If the group is named after an environment of your Rails 
+application it will be mixed in automatically if the application is running in that environment.
+
+### Adding to configuration based on current Rails environment
+
+A configuration group named after rails environment will be mixed in in that environment:
+
+```yaml
+# example
+development:
+  connect_src: "host.dev"
+test:
+  connect_src: "host.test"
+```
+
+### Adding a named configuration group using an environment variable
+
+The name of the environment variable that can be set with the name of the group to add is by default 
+`CSP_CONFIGURATION_GROUP_KEY`. It can be changed using the configuration variable `default_env_var_group_key` 
+from the initializer.
+
+ for example given the following environment variables set on the application's  environmentY
+
+    CSP_CONFIGURATION_GROUP_KEY=staging_app
+
+the following configuration group will be mixed in:
+
+```yaml
+# example
+staging_app:
+  connect_src: "host.staging"
+```
+
+### Adding to configuration based with environment variables
+
+The CSP configuration can also be extended  directly by environment variables. The environment variable names are 
+prefixed with a standard prefix. This prefix is by default `CSP_CONFIGURATION_ADDITIONS_`. It can be changed using 
+the configuration variable `default_env_var_additions_key_prefix` from the initializer.
+
+After the prefix comes the name of the directive in uppercase. The value of the environment variable will then be added
+automatically to the configuration of that directive.
+   
+For example:
+
+    CSP_CONFIGURATION_ADDITIONS_SCRIPT_SRC=host.cdn
+
+will add `host.cdn` to the `script_src`  directive.
+
+## Run type check (RBS & steep)
+
+First copy the signatures for Rails from `https://github.com/pocke/rbs_rails/tree/master/assets/sig`
+to the project `sig/rbs_rails` directory. Then run
+
+    bundle exec steep check
+    
+## Run tests
+
+     ./bin/test
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Contributing
+
+Contributors welcome! Any contribution appreciated Pull requests, issues, and feature requests.
+
+## Contributors
+
+[Stephen Ierodiaconou](https://github.com/stevegeek/)

data/Rakefile

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+begin
+  require "bundler/setup"
+rescue LoadError
+  puts "You must `gem install bundler` and `bundle install` to run rake tasks"
+end
+
+require "rdoc/task"
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "YamlCspConfig"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("README.md")
+  rdoc.rdoc_files.include("lib/**/*.rb")
+end
+
+require "bundler/gem_tasks"
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+  t.verbose = false
+end
+
+task default: :test

data/lib/generators/USAGE

@@ -0,0 +1,3 @@
+Creates an initial basic YAML configuration, an initialiser and configures Rails to use the gem
+
+    rails generate yaml_csp_config:install

data/lib/generators/install_generator.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module YamlCspConfig
+  module Generators
+    # The Install generator `yaml_csp_config:install`
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path(__dir__)
+
+      desc "Creates an initial basic YAML configuration, an initializer and configures Rails to use the gem."
+
+      copy_file "yaml_csp_config.rb", "config/initializers/yaml_csp_config.rb"
+      copy_file "content_security_policy.yml", "config/content_security_policy.yml"
+    end
+  end
+end

data/lib/generators/templates/content_security_policy.yml

@@ -0,0 +1,26 @@
+# Base config example
+content_security_policy:
+  report_uri: "/csp-violation-report-endpoint"
+
+  default_src: :self
+
+  object_src: :none
+
+  connect_src:
+    - :self
+
+  font_src:
+    - :self
+    - :data
+
+  script_src:
+    - :self
+
+  img_src:
+    - :self
+    - :data
+
+# In 'development' Rails env
+development:
+  script_src:
+    - :unsafe_eval

data/lib/generators/templates/yaml_csp_config.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+YamlCspConfig.configure do |config|
+  # The path to the configuration file
+  # config.configuration_file_path = Rails.root.join("config", "content_security_policy.yml")
+
+  # The prefix to the environment variables that can be used to add to specific directives, for example
+  # `CSP_CONFIGURATION_ADDITIONS_SCRIPT_SRC = 'self https://host'`
+  # config.default_env_var_additions_key_prefix = "CSP_CONFIGURATION_ADDITIONS_"
+
+  # The environment variable that contains the name of the YAML k/v group to add to the base rules.
+  # If this is set any rules in the given named group will add to the default base ones.
+  # config.default_env_var_group_key = "CSP_CONFIGURATION_GROUP_KEY"
+
+  # The route the YAML file key which contains the base rules.
+  # config.yaml_config_base_key = "content_security_policy"
+end
+
+# Load the configuration file and configure the content security policy.
+Rails.application.config.content_security_policy(&:load_from_yml)

data/lib/tasks/yaml_csp_config_tasks.rake

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+desc "Output the final CSP configuration in this environment"
+namespace :yaml_csp_config do
+  task view: :environment do
+    YamlCspConfig.configure
+    policy = ActionDispatch::ContentSecurityPolicy.new.load_from_yml
+    puts "\nDirective\t\t: Directive Value"
+    puts "---------\t\t  ---------------"
+    policy.directives.each do |k, v|
+      puts "#{k}\t\t: #{v.join(' ')}"
+    end
+
+    puts "\n\nConfiguration\t\t: Value"
+    puts "-------------\t\t  -----"
+    YamlCspConfig.configuration.instance_variables.each do |k|
+      puts "#{k[1..]}\t\t: '#{YamlCspConfig.configuration.instance_variable_get(k)}'"
+    end
+  end
+end

data/lib/yaml_csp_config.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "yaml_csp_config/railtie"
+require "yaml_csp_config/csp_ext"
+require "yaml_csp_config/yaml_loader"
+
+# Exposes a configuration class for initializer
+module YamlCspConfig
+  class << self
+    attr_reader :configuration
+
+    def configure
+      @configuration ||= Configuration.new
+      yield(configuration) if block_given?
+      configuration
+    end
+  end
+
+  # Configuration class for initializer
+  class Configuration
+    # @dynamic configuration_file_path, yaml_config_base_key
+    attr_accessor :configuration_file_path,
+                  :yaml_config_base_key
+    # @dynamic default_env_var_additions_key_prefix, default_env_var_group_key
+    attr_accessor :default_env_var_additions_key_prefix,
+                  :default_env_var_group_key
+
+    def initialize
+      @configuration_file_path = Rails.root.join("config", "content_security_policy.yml")
+      @default_env_var_additions_key_prefix = "CSP_CONFIGURATION_ADDITIONS_"
+      @default_env_var_group_key = "CSP_CONFIGURATION_GROUP_KEY"
+      @yaml_config_base_key = "content_security_policy"
+    end
+  end
+end

data/lib/yaml_csp_config/csp_ext.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  # Reopen class and add new method
+  class ContentSecurityPolicy
+    def load_from_yml
+      YamlCspConfig::YamlLoader.call(self)
+    end
+  end
+end

data/lib/yaml_csp_config/railtie.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module YamlCspConfig
+  # Include rake tasks
+  class Railtie < ::Rails::Railtie
+    rake_tasks do
+      load "tasks/yaml_csp_config_tasks.rake"
+    end
+  end
+end

data/lib/yaml_csp_config/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module YamlCspConfig
+  VERSION = "1.0.0"
+end

data/lib/yaml_csp_config/yaml_loader.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+module YamlCspConfig
+  # The entity that is responsible for loading the YAML and applying overrides
+  class YamlLoader
+    DIRECTIVES = %i[
+      base_uri
+      child_src
+      connect_src
+      default_src
+      font_src
+      form_action
+      frame_ancestors
+      frame_src
+      img_src
+      manifest_src
+      media_src
+      object_src
+      prefetch_src
+      script_src
+      style_src
+      worker_src
+    ].freeze
+
+    class << self
+      def call(policy, config_file = YamlCspConfig.configuration.configuration_file_path)
+        new(policy, config_file).configure
+      end
+    end
+
+    def initialize(
+      policy,
+      config_file_path,
+      group_key: YamlCspConfig.configuration.default_env_var_group_key,
+      var_key_prefix: YamlCspConfig.configuration.default_env_var_additions_key_prefix
+    )
+      raise ArgumentError, "Config file doesn't exist" unless File.exist?(config_file_path)
+
+      @policy = policy
+      @config_file_path = config_file_path
+      @env_var_group_key = group_key
+      @env_var_key_prefix = var_key_prefix
+    end
+
+    def configure
+      configure_with_overrides.each do |rule, values|
+        unless policy.respond_to?(rule.to_sym)
+          raise StandardError, "A CSP configuration was defined for an unsupported directive/setting: #{rule}"
+        end
+
+        policy.send(rule, *values)
+      end
+
+      policy
+    end
+
+    private
+
+    attr_reader :policy, :config_file_path, :env_var_group_key, :env_var_key_prefix
+
+    def raw_configuration
+      parsed = ERB.new(File.read(config_file_path.to_s)).result(binding)
+      YAML.safe_load(parsed, permitted_classes: [Symbol], aliases: true)
+    end
+
+    def configure_with_overrides
+      config = raw_configuration
+      policies = config[config_key_base].transform_values { |v| parse_policies_config(v) }
+      env_var_direct_override(
+        env_var_group_override(
+          config,
+          env_override(config, policies)
+        )
+      )
+    end
+
+    # Override with any Rails env specific config
+    def env_override(config, policies)
+      d = config[Rails.env.to_s]
+      return policies unless d
+      raise(StandardError, "The config is invalid for env #{Rails.env}") unless d.is_a?(Hash)
+      d.each { |k, v| add_to_csp(policies, k, v) }
+      policies
+    end
+
+    # Optional an overriding config group can be specified by name in an environment variable
+    def env_var_group_override(config, policies)
+      group_name = ENV[env_var_group_key]
+      return policies if group_name.nil? || group_name.empty? || group_name == Rails.env
+      d = config[group_name]
+      raise(StandardError, "The config is invalid for #{group_name}") unless d.is_a?(Hash)
+      d.each { |k, v| add_to_csp(policies, k, v) }
+      policies
+    end
+
+    # Allow environment variables to add to rules
+    def env_var_direct_override(policies)
+      DIRECTIVES.each do |rule|
+        d = rule.to_s
+        k = env_var_key_prefix + d.upcase
+        add_to_csp(policies, d, ENV[k].split(" ")) if ENV[k].present?
+      end
+      policies
+    end
+
+    def add_to_csp(policies, rule, value)
+      policies[rule] ||= []
+      policies[rule] += parse_policies_config(value)
+    end
+
+    def parse_policies_config(policy)
+      Array.wrap(policy).flatten
+    end
+
+    def config_key_base
+      @config_key_base ||= YamlCspConfig.configuration.yaml_config_base_key.to_s
+    end
+  end
+end

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: yaml_csp_config
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Stephen Ierodiaconou
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-09-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.2'
+- !ruby/object:Gem::Dependency
+  name: rbs_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: steep
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: The CSP configuration can also be extended by environment variables.
+email:
+- stevegeek@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/generators/USAGE
+- lib/generators/install_generator.rb
+- lib/generators/templates/content_security_policy.yml
+- lib/generators/templates/yaml_csp_config.rb
+- lib/tasks/yaml_csp_config_tasks.rake
+- lib/yaml_csp_config.rb
+- lib/yaml_csp_config/csp_ext.rb
+- lib/yaml_csp_config/railtie.rb
+- lib/yaml_csp_config/version.rb
+- lib/yaml_csp_config/yaml_loader.rb
+homepage: https://github.com/stevegeek/yaml_csp_config
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.6'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: yaml_csp_config provides you with a way to manage your Rails CSP configuration
+  via a YAML file.
+test_files: []