CSP Configuration Trusted Domains from appsettings.json (#724)

* Integration of configurable AzureAd External Provider * Documentation Updated for AzureAD Provider * Implementation of Csp for Images * Configuration for CSP based on appsettings configuration * merge issue fixed in json * Added documentation for CSP * CSP Added in Admin project * gravatar.com trusted added domain * URI for default CSP fixed * Missing trusted domains default added * added unsafe script to csp + stylesource

CSP Configuration Trusted Domains from appsettings.json (#724)
* Integration of configurable AzureAd External Provider * Documentation Updated for AzureAD Provider * Implementation of Csp for Images * Configuration for CSP based on appsettings configuration * merge issue fixed in json * Added documentation for CSP * CSP Added in Admin project * gravatar.com trusted added domain * URI for default CSP fixed * Missing trusted domains default added * added unsafe script to csp + stylesource
e20619de · Valentin LECERF · GitHub · 4304e9e2 · e20619de · e20619de
Unverified Commit e20619de authored 4 years ago by Valentin LECERF Committed by GitHub 4 years ago
10 changed files
--- a/README.md
+++ b/README.md
@@ -441,6 +441,17 @@ In STS project - in `appsettings.json`:
    }
 ```

+## CSP - Content Security Policy
+
+- If you want to use favicon or logo not included/hosted on the same place, you need to declare trusted domain where ressources are hosted in appsettings.json.
+
+```
+  "CspTrustedDomains": [
+    "google.com",
+    "mydomain.com"
+  ],
+```
+
 ## Health checks

 - AdminUI, AdminUI Api and STS contain endpoint `health`, which check databases and IdentityServer.

--- a/src/Skoruba.IdentityServer4.Admin/Configuration/Constants/ConfigurationConsts.cs
+++ b/src/Skoruba.IdentityServer4.Admin/Configuration/Constants/ConfigurationConsts.cs
-namespace Skoruba.IdentityServer4.Admin.Configuration.Constants
+using System.Collections.Generic;
+
+namespace Skoruba.IdentityServer4.Admin.Configuration.Constants
 {
    public class ConfigurationConsts
    {
@@ -23,5 +25,8 @@
        public const string AdminAuditLogDbConnectionStringKey = "AdminAuditLogDbConnection";

        public const string DataProtectionDbConnectionStringKey = "DataProtectionDbConnection";
+
+        public const string CspTrustedDomainsKey = "CspTrustedDomains";
+
    }
 }
\ No newline at end of file
--- a/src/Skoruba.IdentityServer4.Admin/Helpers/StartupHelpers.cs
+++ b/src/Skoruba.IdentityServer4.Admin/Helpers/StartupHelpers.cs
@@ -165,7 +165,8 @@ namespace Skoruba.IdentityServer4.Admin.Helpers
        /// Using of Forwarded Headers, Hsts, XXssProtection and Csp
        /// </summary>
        /// <param name="app"></param>
-        public static void UseSecurityHeaders(this IApplicationBuilder app)
+        /// <param name="configuration"></param>
+        public static void UseSecurityHeaders(this IApplicationBuilder app, IConfiguration configuration)
        {
            var forwardingOptions = new ForwardedHeadersOptions()
            {
@@ -181,35 +182,49 @@ namespace Skoruba.IdentityServer4.Admin.Helpers
            app.UseXContentTypeOptions();
            app.UseXfo(options => options.SameOrigin());
            app.UseReferrerPolicy(options => options.NoReferrer());
-            var allowCspUrls = new List<string>
-            {
-                "https://fonts.googleapis.com/",
-                "https://fonts.gstatic.com/"
-            };
           
-            app.UseCsp(options =>
+            // CSP Configuration to be able to use external resources
+            var cspTrustedDomains = new List<string>();
+            configuration.GetSection(ConfigurationConsts.CspTrustedDomainsKey).Bind(cspTrustedDomains);
+            if (cspTrustedDomains.Any())
            {
-                options.FontSources(configuration =>
+                app.UseCsp(csp =>
                {
-                    configuration.SelfSrc = true;
-                    configuration.CustomSources = allowCspUrls;
+                    csp.ImageSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
                    });
-
-                //TODO: consider remove unsafe sources - currently using for toastr inline scripts in Notification.cshtml
-                options.ScriptSources(configuration =>
+                    csp.FontSources(options =>
                    {
-                    configuration.SelfSrc = true;
-                    configuration.UnsafeInlineSrc = true;
-                    configuration.UnsafeEvalSrc = true;
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
                    });
-
-                options.StyleSources(configuration =>
+                    csp.ScriptSources(options =>
                    {
-                    configuration.SelfSrc = true;
-                    configuration.CustomSources = allowCspUrls;
-                    configuration.UnsafeInlineSrc = true;
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                        options.UnsafeInlineSrc = true;
+                        options.UnsafeEvalSrc = true;
                    });
+                    csp.StyleSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                        options.UnsafeInlineSrc = true;
+                    });
+                    csp.DefaultSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
                    });
+                });
+            }
        }

        /// <summary>

--- a/src/Skoruba.IdentityServer4.Admin/Startup.cs
+++ b/src/Skoruba.IdentityServer4.Admin/Startup.cs
@@ -107,7 +107,7 @@ namespace Skoruba.IdentityServer4.Admin
            app.UsePathBase(Configuration.GetValue<string>("BasePath"));

            // Add custom security headers
-            app.UseSecurityHeaders();
+            app.UseSecurityHeaders(Configuration);

            app.UseStaticFiles();


--- a/src/Skoruba.IdentityServer4.Admin/appsettings.json
+++ b/src/Skoruba.IdentityServer4.Admin/appsettings.json
@@ -38,6 +38,10 @@
    "AdministrationRole": "SkorubaIdentityAdminAdministrator",
    "HideUIForMSSqlErrorLogging": false
  },
+  "CspTrustedDomains": [
+    "fonts.googleapis.com",
+    "fonts.gstatic.com"
+  ],
  "SmtpConfiguration": {
    "Host": "",
    "Login": "",

--- a/src/Skoruba.IdentityServer4.STS.Identity/Configuration/Constants/ConfigurationConsts.cs
+++ b/src/Skoruba.IdentityServer4.STS.Identity/Configuration/Constants/ConfigurationConsts.cs
@@ -19,5 +19,7 @@
        public const string RegisterConfigurationKey = "RegisterConfiguration";

        public const string AdvancedConfigurationKey = "AdvancedConfiguration";
+
+        public const string CspTrustedDomainsKey = "CspTrustedDomains";
    }
 }
\ No newline at end of file
--- a/src/Skoruba.IdentityServer4.STS.Identity/Helpers/StartupHelpers.cs
+++ b/src/Skoruba.IdentityServer4.STS.Identity/Helpers/StartupHelpers.cs
 using System;
+using System.Collections.Generic;
 using System.Globalization;
 using IdentityServer4.EntityFramework.Storage;
 using Microsoft.AspNetCore.Authentication;
@@ -95,7 +96,8 @@ namespace Skoruba.IdentityServer4.STS.Identity.Helpers
        /// Using of Forwarded Headers and Referrer Policy
        /// </summary>
        /// <param name="app"></param>
-        public static void UseSecurityHeaders(this IApplicationBuilder app)
+        /// <param name="configuration"></param>
+        public static void UseSecurityHeaders(this IApplicationBuilder app, IConfiguration configuration)
        {
            var forwardingOptions = new ForwardedHeadersOptions()
            {
@@ -108,6 +110,48 @@ namespace Skoruba.IdentityServer4.STS.Identity.Helpers
            app.UseForwardedHeaders(forwardingOptions);

            app.UseReferrerPolicy(options => options.NoReferrer());
+
+            // CSP Configuration to be able to use external resources
+            var cspTrustedDomains = new List<string>();
+            configuration.GetSection(ConfigurationConsts.CspTrustedDomainsKey).Bind(cspTrustedDomains);
+            if (cspTrustedDomains.Any())
+            {
+                app.UseCsp(csp =>
+                {
+                    csp.ImageSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                    });
+                    csp.FontSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                    });
+                    csp.ScriptSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                    });
+                    csp.StyleSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                        options.UnsafeInlineSrc = true;
+                    });
+                    csp.DefaultSources(options =>
+                    {
+                        options.SelfSrc = true;
+                        options.CustomSources = cspTrustedDomains;
+                        options.Enabled = true;
+                    });
+                });
+            }
+
        }

        /// <summary>

--- a/src/Skoruba.IdentityServer4.STS.Identity/Startup.cs
+++ b/src/Skoruba.IdentityServer4.STS.Identity/Startup.cs
@@ -74,7 +74,7 @@ namespace Skoruba.IdentityServer4.STS.Identity
            app.UsePathBase(Configuration.GetValue<string>("BasePath"));

            // Add custom security headers
-            app.UseSecurityHeaders();
+            app.UseSecurityHeaders(Configuration);

            app.UseStaticFiles();
            UseAuthentication(app);

--- a/src/Skoruba.IdentityServer4.STS.Identity/Views/Home/Index.cshtml
+++ b/src/Skoruba.IdentityServer4.STS.Identity/Views/Home/Index.cshtml
@@ -4,7 +4,7 @@
 @inject IViewLocalizer Localizer
 @inject IRootConfiguration RootConfiguration
 <div class="welcome-block px-3 py-3 pt-md-5 pb-md-4 mx-auto text-center">
-    <h1 class="display-4"><img class="icon" alt="Logo" src="@UrlHelper.Content(RootConfiguration.AdminConfiguration.HomePageLogoUri)"><br />@RootConfiguration.AdminConfiguration.PageTitle</h1>
+    <h1 class="display-4"><img class="img-fluid" alt="Logo" src="@UrlHelper.Content(RootConfiguration.AdminConfiguration.HomePageLogoUri)"><br />@RootConfiguration.AdminConfiguration.PageTitle</h1>
    <p class="lead">@Localizer["SubTitle", RootConfiguration.AdminConfiguration.PageTitle]</p>
 </div>


--- a/src/Skoruba.IdentityServer4.STS.Identity/appsettings.json
+++ b/src/Skoruba.IdentityServer4.STS.Identity/appsettings.json
@@ -67,6 +67,11 @@
    "IdentityAdminBaseUrl": "https://localhost:44303",
    "AdministrationRole": "SkorubaIdentityAdminAdministrator"
  },
+  "CspTrustedDomains": [
+    "www.gravatar.com",
+    "fonts.googleapis.com",
+    "fonts.gstatic.com"
+  ],
  "CultureConfiguration": {
    "Cultures": [],
    "DefaultCulture": null
@@ -86,6 +91,12 @@
      "RequireConfirmedAccount": false
    }
  },
+  "User": {
+    "RequireUniqueEmail": true
+  },
+  "SignIn": {
+    "RequireConfirmedAccount": false
+  },
  "DataProtectionConfiguration": {
    "ProtectKeysWithAzureKeyVault": false
  },