backend-common: add support for passing false as a CSP field value, to drop it from the defaults (#3437)

.changeset/few-kings-agree.md

@@ -0,0 +1,5 @@
+---
+'@backstage/backend-common': patch
+---
+
+Added support for passing false as a CSP field value, to drop it from the defaults in the backend

packages/backend-common/config.d.ts

@@ -79,8 +79,15 @@ export interface Config {
       optionsSuccessStatus?: number;
     };
 
-    /**  */
-    csp?: object;
+    /**
+     * Content Security Policy options.
+     *
+     * The keys are the plain policy ID, e.g. "upgrade-insecure-requests". The
+     * values are on the format that the helmet library expects them, as an
+     * array of strings. There is also the special value false, which means to
+     * remove the default value that Backstage puts in place for that policy.
+     */
+    csp?: { [policyId: string]: string[] | false };
   };
 
   /** Configuration for integrations towards various external repository provider systems */

packages/backend-common/src/service/lib/ServiceBuilderImpl.test.ts

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2020 Spotify AB
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { applyCspDirectives } from './ServiceBuilderImpl';
+
+describe('ServiceBuilderImpl', () => {
+  describe('applyCspDirectives', () => {
+    it('copies actual values', () => {
+      const result = applyCspDirectives({ key: ['value'] });
+      expect(result).toEqual(
+        expect.objectContaining({
+          'default-src': ["'self'"],
+          key: ['value'],
+        }),
+      );
+    });
+
+    it('removes false value keys', () => {
+      const result = applyCspDirectives({ 'upgrade-insecure-requests': false });
+      expect(result!['upgrade-insecure-requests']).toBeUndefined();
+    });
+  });
+});

packages/backend-common/src/service/lib/ServiceBuilderImpl.ts

@@ -18,7 +18,7 @@ import { Config } from '@backstage/config';
 import compression from 'compression';
 import cors from 'cors';
 import express, { Router } from 'express';
-import helmet from 'helmet';
+import helmet, { HelmetOptions } from 'helmet';
 import * as http from 'http';
 import stoppable from 'stoppable';
 import { Logger } from 'winston';
@@ -56,7 +56,7 @@ const DEFAULT_CSP = {
   'script-src': ["'self'"],
   'script-src-attr': ["'none'"],
   'style-src': ["'self'", 'https:', "'unsafe-inline'"],
-  'upgrade-insecure-requests': [],
+  'upgrade-insecure-requests': [] as string[],
 };
 
 export class ServiceBuilderImpl implements ServiceBuilder {
@@ -64,7 +64,7 @@ export class ServiceBuilderImpl implements ServiceBuilder {
   private host: string | undefined;
   private logger: Logger | undefined;
   private corsOptions: cors.CorsOptions | undefined;
-  private cspOptions: CspOptions | undefined;
+  private cspOptions: Record<string, string[] | false> | undefined;
   private httpsSettings: HttpsSettings | undefined;
   private enableMetrics: boolean = true;
   private routers: [string, Router][];
@@ -154,20 +154,11 @@ export class ServiceBuilderImpl implements ServiceBuilder {
       host,
       logger,
       corsOptions,
-      cspOptions,
       httpsSettings,
+      helmetOptions,
     } = this.getOptions();
 
-    app.use(
-      helmet({
-        contentSecurityPolicy: {
-          directives: {
-            ...DEFAULT_CSP,
-            ...cspOptions,
-          },
-        },
-      }),
-    );
+    app.use(helmet(helmetOptions));
     if (corsOptions) {
       app.use(cors(corsOptions));
     }
@@ -214,16 +205,38 @@ export class ServiceBuilderImpl implements ServiceBuilder {
     host: string;
     logger: Logger;
     corsOptions?: cors.CorsOptions;
-    cspOptions?: CspOptions;
     httpsSettings?: HttpsSettings;
+    helmetOptions: HelmetOptions;
   } {
     return {
       port: this.port ?? DEFAULT_PORT,
       host: this.host ?? DEFAULT_HOST,
       logger: this.logger ?? getRootLogger(),
       corsOptions: this.corsOptions,
-      cspOptions: this.cspOptions,
       httpsSettings: this.httpsSettings,
+      helmetOptions: {
+        contentSecurityPolicy: {
+          directives: applyCspDirectives(this.cspOptions),
+        },
+      },
     };
   }
 }
+
+export function applyCspDirectives(
+  directives: Record<string, string[] | false> | undefined,
+): CspOptions | undefined {
+  const result: CspOptions = { ...DEFAULT_CSP };
+
+  if (directives) {
+    for (const [key, value] of Object.entries(directives)) {
+      if (value === false) {
+        delete result[key];
+      } else {
+        result[key] = value;
+      }
+    }
+  }
+
+  return result;
+}

packages/backend-common/src/service/lib/config.test.ts

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2020 Spotify AB
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { ConfigReader } from '@backstage/config';
+import { readCspOptions } from './config';
+
+describe('config', () => {
+  describe('readCspOptions', () => {
+    it('reads valid values', () => {
+      const config = ConfigReader.fromConfigs([
+        { context: '', data: { csp: { key: ['value'] } } },
+      ]);
+      expect(readCspOptions(config)).toEqual(
+        expect.objectContaining({
+          key: ['value'],
+        }),
+      );
+    });
+
+    it('accepts false', () => {
+      const config = ConfigReader.fromConfigs([
+        { context: '', data: { csp: { key: false } } },
+      ]);
+      expect(readCspOptions(config)).toEqual(
+        expect.objectContaining({
+          key: false,
+        }),
+      );
+    });
+
+    it('rejects invalid value types', () => {
+      const config = ConfigReader.fromConfigs([
+        { context: '', data: { csp: { key: [4] } } },
+      ]);
+      expect(() => readCspOptions(config)).toThrow(/wanted string-array/);
+    });
+  });
+});

packages/backend-common/src/service/lib/config.ts

@@ -134,24 +134,33 @@ export function readCorsOptions(config: Config): CorsOptions | undefined {
  * Attempts to read a CSP options object from the root of a config object.
  *
  * @param config The root of a backend config object
- * @returns A CSP options object, or undefined if not specified
+ * @returns A CSP options object, or undefined if not specified. Values can be
+ *          false as well, which means to remove the default behavior for that
+ *          key.
  *
  * @example
  * ```yaml
  * backend:
  *   csp:
  *     connect-src: ["'self'", 'http:', 'https:']
+ *     upgrade-insecure-requests: false
  * ```
  */
-export function readCspOptions(config: Config): CspOptions | undefined {
+export function readCspOptions(
+  config: Config,
+): Record<string, string[] | false> | undefined {
   const cc = config.getOptionalConfig('csp');
   if (!cc) {
     return undefined;
   }
 
-  const result: CspOptions = {};
+  const result: Record<string, string[] | false> = {};
   for (const key of cc.keys()) {
-    result[key] = cc.getStringArray(key);
+    if (cc.get(key) === false) {
+      result[key] = false;
+    } else {
+      result[key] = cc.getStringArray(key);
+    }
   }
 
   return result;