add default enforced Content Security Policy (#135)

* add default csp.enforce block and ability to load an optional.application.properties

* remove CSP_REPORT and CSP_ENFORCE; update README

* add wiring for optional app properties file from s3

* update to match what's currently deployed

* Update README.md

Co-authored-by: labkey-stuartm <[email protected]>

---------

Co-authored-by: labkey-stuartm <[email protected]>

Author: labkey-willm

Dockerfile

@@ -89,9 +89,6 @@ ENV CERT_C="US" \
     CERT_OU="IT" \
     CERT_CN="localhost" \
     \
-    CSP_REPORT= \
-    CSP_ENFORCE= \
-    \
     SMTP_HOST="localhost" \
     SMTP_USER="root" \
     SMTP_PORT="25" \

README.md

@@ -6,6 +6,13 @@ This repo contains a Dockerfile, `docker-compose.yml`, and various other files f
 
 This repo is a work in progress. Containers created from these sources are untested. Until further work is done, integrations with LabKey products that traditionally have relied on OS configuration such as R reports or Python scripts will **NOT** work.
 
+## Content Security Policy
+February 2025 brings an enforced Content Security Policy enabled by default, the same one that LabKey uses in most if not all deployments, and is highly recommended to be left in place. It can, however, be disabled by enabling the `ExperimentalFeature.disableEnforceCsp` startup property.
+
+The policy itself can be overriden with an `optional.application.properties` file.
+
+CSP_REPORT and CSP_ENFORCE environment variables have been removed.
+
 ## Upgrading from 23.11 to 24.3
 March 2024 saw [many changes](https://github.com/LabKey/Dockerfile/commits/24.3.0) in an effort to bring this repo in line with LabKey server versioning/releases, starting with v24.3, in which the embedded tomcat version has been upgraded from 9 to 10. 
 

application.properties

@@ -162,3 +162,21 @@ info.labkey.distribution=${LABKEY_DISTRIBUTION}
 server.tomcat.max-threads=50
 server.servlet.session.timeout=60m
 context.workDirLocation=/work/Tomcat/localhost
+
+## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
+csp.enforce=\
+    default-src 'self' https: ;\
+    connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
+    object-src 'none' ;\
+    style-src 'self' https: 'unsafe-inline' ;\
+    img-src 'self' https: data: ;\
+    font-src 'self' data: ;\
+    script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+    base-uri 'self' ;\
+    upgrade-insecure-requests ;\
+    frame-ancestors 'self' ;\
+    report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
+
+## Load optional application.properties if file exists - used for one-off labkey cloud use cases etc.
+spring.config.import=optional:file:${LABKEY_HOME}/config/optional.application.properties

docker-compose.yml

@@ -80,6 +80,7 @@ services:
       - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 
       - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+      - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
       - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
       - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
       - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -192,6 +193,7 @@ services:
       - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 
       - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+      - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
       - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
       - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
       - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -302,6 +304,7 @@ services:
       - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 
       - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+      - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
       - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
       - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
       - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -377,9 +380,6 @@ services:
       - MAX_JVM_RAM_PERCENT=${MAX_JVM_RAM_PERCENT:-75.0}
       - JAVA_PRE_JAR_EXTRA=-XX:+UseSerialGC -Xss512k
 
-      - CSP_REPORT=${CSP_REPORT:-}
-      - CSP_ENFORCE=${CSP_ENFORCE:-}
-
       # - SMTP_HOST=mailhog
       # - SMTP_PORT=1025
 
@@ -416,6 +416,7 @@ services:
       - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 
       - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+      - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
       - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
       - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
       - JSON_OUTPUT=${JSON_OUTPUT-false}

entrypoint.sh

@@ -12,6 +12,7 @@ keystore_alias="${TOMCAT_KEYSTORE_ALIAS:-}"
 keystore_format="${TOMCAT_KEYSTORE_FORMAT:-}"
 
 LABKEY_CUSTOM_PROPERTIES_S3_URI="${LABKEY_CUSTOM_PROPERTIES_S3_URI:=none}"
+LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI="${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI:=none}"
 LABKEY_DEFAULT_PROPERTIES_S3_URI="${LABKEY_DEFAULT_PROPERTIES_S3_URI:=none}"
 
 # set below to 'labkeywebapp/WEB-INF/classes/log4j2.xml' to use embedded tomcat version from the built .jar
@@ -20,10 +21,6 @@ LOG4J_CONFIG_FILE="${LOG4J_CONFIG_FILE:=log4j2.xml}"
 # below assumes using local log4j2.xml file, as the embedded version is not available for edits until after server is running
 JSON_OUTPUT="${JSON_OUTPUT:-false}"
 
-# Content Security Policy settings
-CSP_REPORT="${CSP_REPORT:-}"
-CSP_ENFORCE="${CSP_ENFORCE:-}"
-
 # for ecs/datadog, optionally enable APM and JMX metrics
 DD_COLLECT_APM="${DD_COLLECT_APM:-false}"
 JAVA_RMI_SERVER_HOSTNAME="${JAVA_RMI_SERVER_HOSTNAME:-}"
@@ -145,6 +142,11 @@ main() {
     awsclibin/aws s3 cp $LABKEY_CUSTOM_PROPERTIES_S3_URI startup/
   fi
 
+  if [ $LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI != 'none' ]; then
+    echo "trying to s3 cp '$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI'"
+    awsclibin/aws s3 cp $LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI config/
+  fi
+
   echo "sleeping for $SLEEP seconds..."
   sleep $SLEEP
 
@@ -212,15 +214,6 @@ main() {
   sed -i "s/@@jdbcUser@@/${POSTGRES_USER:-postgres}/" config/application.properties
   sed -i "s/@@jdbcPassword@@/${POSTGRES_PASSWORD:-}/" config/application.properties
 
-  # note: leave newlines out of CSP_REPORT/ENFORCE env vars
-  #       ex: "default-src 'self' https: ; connect-src 'self' https: ; ...""
-  if [ -n "$CSP_REPORT" ]; then
-    echo "csp.report=$CSP_REPORT\n" >> config/application.properties
-  fi
-  if [ -n "$CSP_ENFORCE" ]; then
-    echo "csp.enforce=$CSP_ENFORCE\n" >> config/application.properties
-  fi
-
   sed -i "s/@@smtpHost@@/${SMTP_HOST}/" config/application.properties
   sed -i "s/@@smtpUser@@/${SMTP_USER}/" config/application.properties
   sed -i "s/@@smtpPort@@/${SMTP_PORT}/" config/application.properties
@@ -261,7 +254,7 @@ main() {
   fi
 
   echo "Purging secrets and other bits from environment variables..."
-  unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS CSP_REPORT CSP_ENFORCE
+  unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS
   unset SMTP_HOST SMTP_USER SMTP_PORT SMTP_PASSWORD SMTP_AUTH SMTP_FROM SMTP_STARTTLS
   unset LABKEY_CREATE_INITIAL_USER LABKEY_CREATE_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_EMAIL LABKEY_INITIAL_USER_GROUP LABKEY_INITIAL_USER_ROLE
   unset LABKEY_EK SLEEP CONTAINER_PRIVATE_IP

quickstart_envs.sh

@@ -18,3 +18,4 @@ export LABKEY_CREATE_INITIAL_USER_APIKEY=""
 
 export LABKEY_DEFAULT_PROPERTIES_S3_URI="none"
 export LABKEY_CUSTOM_PROPERTIES_S3_URI="none"
+export LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI="none"