Merge pull request #428 from UiP9AV6Y/feature_use_strict_csp

add support for the Content Security Policy (CSP) security config

Author: Lennart Betz

REFERENCE.md

@@ -218,6 +218,7 @@ The following parameters are available in the `icingaweb2` class:
 * [`conf_group`](#-icingaweb2--conf_group)
 * [`default_domain`](#-icingaweb2--default_domain)
 * [`cookie_path`](#-icingaweb2--cookie_path)
+* [`use_strict_csp`](#-icingaweb2--use_strict_csp)
 * [`admin_role`](#-icingaweb2--admin_role)
 * [`default_admin_username`](#-icingaweb2--default_admin_username)
 * [`default_admin_password`](#-icingaweb2--default_admin_password)
@@ -476,6 +477,14 @@ Path to where cookies are stored.
 
 Default value: `undef`
 
+##### <a name="-icingaweb2--use_strict_csp"></a>`use_strict_csp`
+
+Data type: `Optional[Boolean]`
+
+Enable the inclusion of Content Security Policy (CSP) headers in application responses.
+
+Default value: `undef`
+
 ##### <a name="-icingaweb2--admin_role"></a>`admin_role`
 
 Data type: `Variant[Icingaweb2::AdminRole, Boolean[false]]`

manifests/config.pp

@@ -21,6 +21,8 @@
 
   $cookie_path          = $icingaweb2::cookie_path
 
+  $use_strict_csp       = $icingaweb2::use_strict_csp
+
   $resources            = $icingaweb2::resources
   $default_auth_backend = $icingaweb2::default_auth_backend
   $user_backends        = $icingaweb2::user_backends
@@ -103,6 +105,16 @@
     }
   }
 
+  if $use_strict_csp =~ NotUndef {
+    icingaweb2::inisection { 'config-security':
+      section_name => 'security',
+      target       => "${conf_dir}/config.ini",
+      settings     => {
+        'use_strict_csp' => $use_strict_csp,
+      },
+    }
+  }
+
   # Additional resources
   $resources.each |String $res, Hash $cfg| {
     case $cfg['type'] {

manifests/init.pp

@@ -110,6 +110,9 @@
 # @param cookie_path
 #   Path to where cookies are stored.
 #
+# @param use_strict_csp
+#   Enable the inclusion of Content Security Policy (CSP) headers in application responses.
+#
 # @param admin_role
 #   Manage a role for admin access.
 #
@@ -255,6 +258,7 @@
   Optional[Array[String[1]]]                      $extra_packages      = undef,
   Optional[String[1]]                             $default_domain      = undef,
   Optional[Stdlib::Absolutepath]                  $cookie_path         = undef,
+  Optional[Boolean]                               $use_strict_csp      = undef,
 ) {
   require icingaweb2::globals
 

spec/classes/icingaweb2_spec.rb

@@ -68,6 +68,7 @@
             )
         }
         it { is_expected.not_to contain_icingaweb2__inisection('config-authentication') }
+        it { is_expected.not_to contain_icingaweb2__inisection('config-security') }
         it { is_expected.not_to contain_icingaweb2__inisection('config-cookie') }
         it {
           is_expected.to contain_icingaweb2__resource__database('icingaweb2')
@@ -120,6 +121,38 @@
         }
       end
 
+      context "#{os} with use_strict_csp 'true'" do
+        let(:params) do
+          {
+            use_strict_csp: true,
+            db_type: 'mysql',
+          }
+        end
+
+        it {
+          is_expected.to contain_icingaweb2__inisection('config-security')
+            .with_section_name('security')
+            .with_target('/etc/icingaweb2/config.ini')
+            .with_settings({ 'use_strict_csp' => true })
+        }
+      end
+
+      context "#{os} with use_strict_csp 'false'" do
+        let(:params) do
+          {
+            use_strict_csp: false,
+            db_type: 'mysql',
+          }
+        end
+
+        it {
+          is_expected.to contain_icingaweb2__inisection('config-security')
+            .with_section_name('security')
+            .with_target('/etc/icingaweb2/config.ini')
+            .with_settings({ 'use_strict_csp' => false })
+        }
+      end
+
       context "#{os} with default_auth_backend 'false', additional resources, user and group backend" do
         let(:params) do
           {