From 01edcb2e7f989e9979d9e08a8c92dab3eeb6ca60 Mon Sep 17 00:00:00 2001
From: Will Mooreston
Date: Wed, 5 Feb 2025 15:38:54 -0800
Subject: [PATCH 1/5] add default csp.enforce block and ability to load an optional.application.properties
---
 application.properties | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/application.properties b/application.properties
index b589543..89330da 100644
--- a/application.properties
+++ b/application.properties
@@ -162,3 +162,22 @@ info.labkey.distribution=${LABKEY_DISTRIBUTION}
 server.tomcat.max-threads=50
 server.servlet.session.timeout=60m
 context.workDirLocation=/work/Tomcat/localhost
+
+## START OF CSP COPY BLOCK (DO NOT CHANGE THIS TEXT)
+csp.enforce=\
+ default-src 'self';\
+ connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
+ object-src 'none' ;\
+ style-src 'self' 'unsafe-inline' ;\
+ img-src 'self' data: ;\
+ font-src 'self' data: ;\
+ script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
+ base-uri 'self' ;\
+ upgrade-insecure-requests ;\
+ frame-ancestors 'self' ;\
+ report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+
+## END OF CSP COPY BLOCK (DO NOT CHANGE THIS TEXT)
+
+## Load optional application.properties if file exists - used for one-off labkey cloud use cases etc.
+spring.config.import=optional:file:${LABKEY_HOME}/config/optional.application.properties
From 6b11e3fcde4a6a77f80c7063609d57ae05f4d910 Mon Sep 17 00:00:00 2001
From: Will Mooreston
Date: Wed, 5 Feb 2025 15:39:45 -0800
Subject: [PATCH 2/5] remove CSP_REPORT and CSP_ENFORCE; update README
---
 Dockerfile | 3 ---
 README.md | 5 +++++
 docker-compose.yml | 3 ---
 entrypoint.sh | 15 +--------------
 4 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d7f0a5e..4592efc 100644
--- a/Dockerfile
+++ b/Dockerfile
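Review bot: The `report-uri` directive in the new `csp.enforce` value posts every violation report from any deployment built from this image to `https://www.labkey.org/admin-contentsecuritypolicyreport.api`, so a self-hosted operator appears to send page and blocked-resource URIs to a third-party endpoint, and neither this hunk nor the README change in the later patches documents that; the same line is carried into the patch 4 rewrite of this block. A comment above the block, such as `## report-uri sends CSP violation reports (page and blocked URIs) to labkey.org; override it in optional.application.properties if that is not acceptable`, would make the data flow visible, or the host could be parameterised the way `${LABKEY.ALLOWED.CONNECTIONS}` already is. `script-src` also carries `'unsafe-eval'` with no note on what needs it; a one-line comment naming the dependency would stop a later maintainer from either dropping it blindly or assuming it is harmless. The `spring.config.import` line makes every key in this file, including the CSP block, overridable by the optional file, which the `(DO NOT CHANGE THIS TEXT)` markers do not convey and which the `## Load optional ...` comment could state.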
@@ -89,9 +89,6 @@ ENV CERT_C="US" \
 CERT_OU="IT" \
 CERT_CN="localhost" \
 \
- CSP_REPORT= \
- CSP_ENFORCE= \
- \
 SMTP_HOST="localhost" \
 SMTP_USER="root" \
 SMTP_PORT="25" \
diff --git a/README.md b/README.md
index b43fc3a..01a8eb9 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,11 @@ This repo contains a Dockerfile, `docker-compose.yml`, and various other files f
 This repo is a work in progress. Containers created from these sources are untested. Until further work is done, integrations with LabKey products that traditionally have relied on OS configuration such as R reports or Python scripts will **NOT** work.
+## Content Security Policy
+February 2025 brings an enforced Content Security Policy enabled by default. It is the one LabKey uses in most if not all deployments, and is highly recommended to be left in place. In can, however, be disabled by enabling the ExperimentalFeature.disableEnforceCsp startup property.
+
+CSP_REPORT and CSP_ENFORCE environment variables have been removed.
+
 ## Upgrading from 23.11 to 24.3
 March 2024 saw [many changes](https://github.com/LabKey/Dockerfile/commits/24.3.0) in an effort to bring this repo in line with LabKey server versioning/releases, starting with v24.3, in which the embedded tomcat version has been upgraded from 9 to 10.
diff --git a/docker-compose.yml b/docker-compose.yml
index eece112..ad9054c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -377,9 +377,6 @@ services:
 - MAX_JVM_RAM_PERCENT=${MAX_JVM_RAM_PERCENT:-75.0}
 - JAVA_PRE_JAR_EXTRA=-XX:+UseSerialGC -Xss512k
- - CSP_REPORT=${CSP_REPORT:-}
- - CSP_ENFORCE=${CSP_ENFORCE:-}
-
 # - SMTP_HOST=mailhog
 # - SMTP_PORT=1025
diff --git a/entrypoint.sh b/entrypoint.sh
index 4cd9b57..10a382c 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -20,10 +20,6 @@ LOG4J_CONFIG_FILE="${LOG4J_CONFIG_FILE:=log4j2.xml}"
 # below assumes using local log4j2.xml file, as the embedded version is not available for edits until after server is running
 JSON_OUTPUT="${JSON_OUTPUT:-false}"
-# Content Security Policy settings
-CSP_REPORT="${CSP_REPORT:-}"
-CSP_ENFORCE="${CSP_ENFORCE:-}"
-
 # for ecs/datadog, optionally enable APM and JMX metrics
 DD_COLLECT_APM="${DD_COLLECT_APM:-false}"
 JAVA_RMI_SERVER_HOSTNAME="${JAVA_RMI_SERVER_HOSTNAME:-}"
@@ -212,15 +208,6 @@ main() {
 sed -i "s/@@jdbcUser@@/${POSTGRES_USER:-postgres}/" config/application.properties
 sed -i "s/@@jdbcPassword@@/${POSTGRES_PASSWORD:-}/" config/application.properties
- # note: leave newlines out of CSP_REPORT/ENFORCE env vars
- # ex: "default-src 'self' https: ; connect-src 'self' https: ; ...""
- if [ -n "$CSP_REPORT" ]; then
- echo "csp.report=$CSP_REPORT\n" >> config/application.properties
- fi
- if [ -n "$CSP_ENFORCE" ]; then
- echo "csp.enforce=$CSP_ENFORCE\n" >> config/application.properties
- fi
-
 sed -i "s/@@smtpHost@@/${SMTP_HOST}/" config/application.properties
 sed -i "s/@@smtpUser@@/${SMTP_USER}/" config/application.properties
 sed -i "s/@@smtpPort@@/${SMTP_PORT}/" config/application.properties
@@ -261,7 +248,7 @@ main() {
 fi
 echo "Purging secrets and other bits from environment variables..."
- unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS CSP_REPORT CSP_ENFORCE
+ unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS
 unset SMTP_HOST SMTP_USER SMTP_PORT SMTP_PASSWORD SMTP_AUTH SMTP_FROM SMTP_STARTTLS
 unset LABKEY_CREATE_INITIAL_USER LABKEY_CREATE_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_EMAIL LABKEY_INITIAL_USER_GROUP LABKEY_INITIAL_USER_ROLE
 unset LABKEY_EK SLEEP CONTAINER_PRIVATE_IP
From b13ebc01e56f47ee32b3dcc16c1b5c56eb071605 Mon Sep 17 00:00:00 2001
From: Will Mooreston
Date: Wed, 5 Feb 2025 15:47:45 -0800
Subject: [PATCH 3/5] add wiring for optional app properties file from s3
---
 README.md | 4 +++-
 docker-compose.yml | 4 ++++
 entrypoint.sh | 6 ++++++
 quickstart_envs.sh | 1 +
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 01a8eb9..e54a75f 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,9 @@ This repo contains a Dockerfile, `docker-compose.yml`, and various other files f
 This repo is a work in progress. Containers created from these sources are untested. Until further work is done, integrations with LabKey products that traditionally have relied on OS configuration such as R reports or Python scripts will **NOT** work.
 ## Content Security Policy
-February 2025 brings an enforced Content Security Policy enabled by default. It is the one LabKey uses in most if not all deployments, and is highly recommended to be left in place. In can, however, be disabled by enabling the ExperimentalFeature.disableEnforceCsp startup property.
+February 2025 brings an enforced Content Security Policy enabled by default, the same one that LabKey uses in most if not all deployments, and is highly recommended to be left in place. In can, however, be disabled by enabling the `ExperimentalFeature.disableEnforceCsp` startup property.
+
+The policy itself can be overriden with an `optional.application.properties` file.
 CSP_REPORT and CSP_ENFORCE environment variables have been removed.
diff --git a/docker-compose.yml b/docker-compose.yml
index ad9054c..10b6d0f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -80,6 +80,7 @@ services:
 - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+ - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
 - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
 - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
 - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -192,6 +193,7 @@ services:
 - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+ - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
 - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
 - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
 - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -302,6 +304,7 @@ services:
 - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+ - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
 - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
 - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
 - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -413,6 +416,7 @@ services:
 - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+ - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
 - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
 - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
 - JSON_OUTPUT=${JSON_OUTPUT-false}
diff --git a/entrypoint.sh b/entrypoint.sh
index 10a382c..5665132 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -12,6 +12,7 @@ keystore_alias="${TOMCAT_KEYSTORE_ALIAS:-}"
 keystore_format="${TOMCAT_KEYSTORE_FORMAT:-}"
 LABKEY_CUSTOM_PROPERTIES_S3_URI="${LABKEY_CUSTOM_PROPERTIES_S3_URI:=none}"
+LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI="${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI:=none}"
 LABKEY_DEFAULT_PROPERTIES_S3_URI="${LABKEY_DEFAULT_PROPERTIES_S3_URI:=none}"
 # set below to 'labkeywebapp/WEB-INF/classes/log4j2.xml' to use embedded tomcat version from the built .jar
@@ -141,6 +142,11 @@ main() {
 awsclibin/aws s3 cp $LABKEY_CUSTOM_PROPERTIES_S3_URI startup/
 fi
+ if [ $LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI != 'none' ]; then
+ echo "trying to s3 cp '$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI'"
+ awsclibin/aws s3 cp $LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI config/
+ fi
+
 echo "sleeping for $SLEEP seconds..."
 sleep $SLEEP
diff --git a/quickstart_envs.sh b/quickstart_envs.sh
index 053b026..e7cde42 100644
--- a/quickstart_envs.sh
+++ b/quickstart_envs.sh
@@ -18,3 +18,4 @@ export LABKEY_CREATE_INITIAL_USER_APIKEY=""
 export LABKEY_DEFAULT_PROPERTIES_S3_URI="none"
 export LABKEY_CUSTOM_PROPERTIES_S3_URI="none"
+export LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI="none"
From bb8d5a448b70a09f9dc2be0cdf2feb9591bb842e Mon Sep 17 00:00:00 2001
From: Will Mooreston
Date: Fri, 7 Feb 2025 15:38:01 -0800
Subject: [PATCH 4/5] update to match what's currently deployed
---
 application.properties | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/application.properties b/application.properties
index 89330da..01033e4 100644
--- a/application.properties
+++ b/application.properties
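Review bot: The new `aws s3 cp` in `main()` drops the object into `config/` under whatever basename the S3 key has, but the `spring.config.import` added to `application.properties` in patch 1 looks only for `config/optional.application.properties`, so a key with any other name is downloaded and then silently ignored because the import is `optional:`. Naming the destination explicitly, `awsclibin/aws s3 cp "$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI" config/optional.application.properties`, removes the dependency on the key name and also quotes the expansion, which the test on the line above, `if [ "$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI" != 'none' ]; then`, should do as well; the neighbouring `LABKEY_CUSTOM_PROPERTIES_S3_URI` block shows the same unquoted pattern. Because a file at that path can override any key in `application.properties`, including `csp.enforce`, the bucket this URI points at needs the same level of trust as the image itself, and a comment saying so at the top of the block would be worth having. `main()` starts and ends outside the hunk.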
@@ -163,21 +163,20 @@ server.tomcat.max-threads=50
 server.servlet.session.timeout=60m
 context.workDirLocation=/work/Tomcat/localhost
-## START OF CSP COPY BLOCK (DO NOT CHANGE THIS TEXT)
+## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 csp.enforce=\
- default-src 'self';\
- connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
- object-src 'none' ;\
- style-src 'self' 'unsafe-inline' ;\
- img-src 'self' data: ;\
- font-src 'self' data: ;\
- script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
- base-uri 'self' ;\
- upgrade-insecure-requests ;\
- frame-ancestors 'self' ;\
- report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
-
-## END OF CSP COPY BLOCK (DO NOT CHANGE THIS TEXT)
+ default-src 'self' https: ;\
+ connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
+ object-src 'none' ;\
+ style-src 'self' https: 'unsafe-inline' ;\
+ img-src 'self' https: data: ;\
+ font-src 'self' data: ;\
+ script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+ base-uri 'self' ;\
+ upgrade-insecure-requests ;\
+ frame-ancestors 'self' ;\
+ report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 ## Load optional application.properties if file exists - used for one-off labkey cloud use cases etc.
 spring.config.import=optional:file:${LABKEY_HOME}/config/optional.application.properties
From c5600f92ff211806359738636e192348b5e2bf45 Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Fri, 14 Feb 2025 13:02:01 -0800
Subject: [PATCH 5/5] Update README.md
Co-authored-by: labkey-stuartm <32204841+labkey-stuartm@users.noreply.github.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e54a75f..fcb2f7e 100644
--- a/README.md
+++ b/README.md
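Review bot: Both marker lines are rewritten from `CSP COPY BLOCK` to `CSP ENFORCE BLOCK` even though each carries `(DO NOT CHANGE THIS TEXT)`; if some tooling matches on those strings to splice the policy (the wording suggests so, but nothing on the page shows it), it needs the same rename in this change, and if nothing does, the parenthetical should be dropped or replaced by a comment saying what it protects. The added `https:` in `default-src`, `style-src` and `img-src` lets any HTTPS origin serve stylesheets, images and every resource type that falls back to `default-src` (frames and media among them), a deliberate loosening the subject line justifies only as matching what is deployed; a comment such as `## https: is allowed for non-script resources to match the hosted LabKey policy; script-src, connect-src and object-src stay restricted` would record the intent next to the value. In browsers implementing CSP level 3, `'strict-dynamic'` causes `'self'` in `script-src` to be ignored, so the `'self'` added there acts only as a fallback for older engines, and a short comment to that effect would stop a reader from assuming it widens script loading.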
@@ -7,7 +7,7 @@ This repo contains a Dockerfile, `docker-compose.yml`, and various other files f
 This repo is a work in progress. Containers created from these sources are untested. Until further work is done, integrations with LabKey products that traditionally have relied on OS configuration such as R reports or Python scripts will **NOT** work.
 ## Content Security Policy
-February 2025 brings an enforced Content Security Policy enabled by default, the same one that LabKey uses in most if not all deployments, and is highly recommended to be left in place. In can, however, be disabled by enabling the `ExperimentalFeature.disableEnforceCsp` startup property.
+February 2025 brings an enforced Content Security Policy enabled by default, the same one that LabKey uses in most if not all deployments, and is highly recommended to be left in place. It can, however, be disabled by enabling the `ExperimentalFeature.disableEnforceCsp` startup property.
 The policy itself can be overriden with an `optional.application.properties` file.