Load addons-server static files and user-uploaded images from the main domain on stage and prod (#18110)

* Load addons-server static files and user-uploaded images from the main domain on stage and prod

* Adjust tests

* black
This commit is contained in:
Mathieu Pillard 2021-10-15 11:53:13 +02:00 коммит произвёл GitHub
Родитель 26386590e8
Коммит 32ba705b4b
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 53 добавлений и 36 удалений

Просмотреть файл

@ -78,6 +78,8 @@ DOMAIN = SERVICES_DOMAIN = urlparse(SITE_URL).netloc
SERVICES_URL = SITE_URL SERVICES_URL = SITE_URL
INTERNAL_SITE_URL = 'http://nginx' INTERNAL_SITE_URL = 'http://nginx'
EXTERNAL_SITE_URL = SITE_URL EXTERNAL_SITE_URL = SITE_URL
STATIC_URL = '%s/static/' % EXTERNAL_SITE_URL
MEDIA_URL = '%s/user-media/' % EXTERNAL_SITE_URL
CODE_MANAGER_URL = ( CODE_MANAGER_URL = (
os.environ.get('CODE_MANAGER_URL') or 'http://olympia.test:5000') os.environ.get('CODE_MANAGER_URL') or 'http://olympia.test:5000')
@ -136,10 +138,15 @@ USE_FAKE_FXA_AUTH = True
CSP_REPORT_URI = '/csp-report' CSP_REPORT_URI = '/csp-report'
RESTRICTED_DOWNLOAD_CSP['REPORT_URI'] = CSP_REPORT_URI RESTRICTED_DOWNLOAD_CSP['REPORT_URI'] = CSP_REPORT_URI
# Allow GA over http + www subdomain in local development. # Set CSP like we do for dev/stage/prod, but also allow GA over http + www subdomain
# for local development.
HTTP_GA_SRC = 'http://www.google-analytics.com' HTTP_GA_SRC = 'http://www.google-analytics.com'
CSP_IMG_SRC += (HTTP_GA_SRC,)
CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'") CSP_CONNECT_SRC += (SITE_URL,)
CSP_FONT_SRC += (STATIC_URL,)
CSP_IMG_SRC += (MEDIA_URL, STATIC_URL, HTTP_GA_SRC)
CSP_SCRIPT_SRC += (STATIC_URL, HTTP_GA_SRC)
CSP_STYLE_SRC += (STATIC_URL,)
# Auth token required to authorize inbound email. # Auth token required to authorize inbound email.
INBOUND_EMAIL_SECRET_KEY = 'totally-unsecure-secret-string' INBOUND_EMAIL_SECRET_KEY = 'totally-unsecure-secret-string'

Просмотреть файл

@ -78,13 +78,19 @@ class TestCSPHeaders(TestCase):
"""Check frame-src directive has same settings as child-src""" """Check frame-src directive has same settings as child-src"""
assert base_settings.CSP_FRAME_SRC == base_settings.CSP_CHILD_SRC assert base_settings.CSP_FRAME_SRC == base_settings.CSP_CHILD_SRC
def test_prod_cdn_in_common_settings(self): def test_prod_static_url_in_common_settings(self):
"""Make sure prod cdn is specified by default for statics.""" """Make sure prod cdn is specified by default for statics."""
prod_cdn_host = base_settings.PROD_CDN_HOST prod_static_url = base_settings.PROD_STATIC_URL
assert prod_cdn_host in base_settings.CSP_FONT_SRC assert prod_static_url in base_settings.CSP_FONT_SRC
assert prod_cdn_host in base_settings.CSP_IMG_SRC assert prod_static_url in base_settings.CSP_IMG_SRC
assert prod_cdn_host in base_settings.CSP_SCRIPT_SRC assert prod_static_url in base_settings.CSP_SCRIPT_SRC
assert prod_cdn_host in base_settings.CSP_STYLE_SRC assert prod_static_url in base_settings.CSP_STYLE_SRC
prod_media_url = base_settings.PROD_MEDIA_URL
assert prod_media_url not in base_settings.CSP_FONT_SRC
assert prod_media_url in base_settings.CSP_IMG_SRC
assert prod_media_url not in base_settings.CSP_SCRIPT_SRC
assert prod_media_url not in base_settings.CSP_STYLE_SRC
def test_self_in_common_settings(self): def test_self_in_common_settings(self):
"""Check 'self' is defined for common settings.""" """Check 'self' is defined for common settings."""

Просмотреть файл

@ -16,7 +16,6 @@ ENV = env('ENV')
API_THROTTLING = True API_THROTTLING = True
CDN_HOST = 'https://addons.cdn.mozilla.net'
DOMAIN = env('DOMAIN', default='addons.mozilla.org') DOMAIN = env('DOMAIN', default='addons.mozilla.org')
SERVER_EMAIL = 'zprod@addons.mozilla.org' SERVER_EMAIL = 'zprod@addons.mozilla.org'
SITE_URL = 'https://' + DOMAIN SITE_URL = 'https://' + DOMAIN
@ -24,8 +23,12 @@ INTERNAL_SITE_URL = env('INTERNAL_SITE_URL', default='https://addons.mozilla.org
EXTERNAL_SITE_URL = env('EXTERNAL_SITE_URL', default='https://addons.mozilla.org') EXTERNAL_SITE_URL = env('EXTERNAL_SITE_URL', default='https://addons.mozilla.org')
SERVICES_URL = env('SERVICES_URL', default='https://services.addons.mozilla.org') SERVICES_URL = env('SERVICES_URL', default='https://services.addons.mozilla.org')
CODE_MANAGER_URL = env('CODE_MANAGER_URL', default='https://code.addons.mozilla.org') CODE_MANAGER_URL = env('CODE_MANAGER_URL', default='https://code.addons.mozilla.org')
STATIC_URL = '%s/static/' % CDN_HOST CDN_HOST = 'https://addons.cdn.mozilla.net'
MEDIA_URL = '%s/user-media/' % CDN_HOST STATIC_URL = PROD_STATIC_URL
MEDIA_URL = PROD_MEDIA_URL
# user_media_url('addons') will use ADDONS_URL setting if present to build URLs
# to xpi files. We want those on the dedicated CDN domain.
ADDONS_URL = '%s/user-media/addons/' % CDN_HOST
SESSION_COOKIE_DOMAIN = '.%s' % DOMAIN SESSION_COOKIE_DOMAIN = '.%s' % DOMAIN

Просмотреть файл

@ -1,17 +1,6 @@
from olympia.lib.settings_base import * # noqa from olympia.lib.settings_base import * # noqa
CSP_BASE_URI += (
# Required for the legacy discovery pane.
'https://addons.allizom.org',
)
CDN_HOST = 'https://addons-stage-cdn.allizom.org'
CSP_CONNECT_SRC += (CDN_HOST,)
CSP_FONT_SRC += (CDN_HOST,)
CSP_IMG_SRC += (CDN_HOST,)
CSP_SCRIPT_SRC += (CDN_HOST,)
CSP_STYLE_SRC += (CDN_HOST,)
ENGAGE_ROBOTS = False ENGAGE_ROBOTS = False
EMAIL_URL = env.email_url('EMAIL_URL') EMAIL_URL = env.email_url('EMAIL_URL')
@ -32,8 +21,20 @@ INTERNAL_SITE_URL = env('INTERNAL_SITE_URL', default='https://addons.allizom.org
EXTERNAL_SITE_URL = env('EXTERNAL_SITE_URL', default='https://addons.allizom.org') EXTERNAL_SITE_URL = env('EXTERNAL_SITE_URL', default='https://addons.allizom.org')
SERVICES_URL = env('SERVICES_URL', default='https://services.addons.allizom.org') SERVICES_URL = env('SERVICES_URL', default='https://services.addons.allizom.org')
CODE_MANAGER_URL = env('CODE_MANAGER_URL', default='https://code.addons.allizom.org') CODE_MANAGER_URL = env('CODE_MANAGER_URL', default='https://code.addons.allizom.org')
STATIC_URL = '%s/static/' % CDN_HOST CDN_HOST = 'https://addons-stage-cdn.allizom.org'
MEDIA_URL = '%s/user-media/' % CDN_HOST STATIC_URL = '%s/static-server/' % EXTERNAL_SITE_URL
MEDIA_URL = '%s/user-media/' % EXTERNAL_SITE_URL
# user_media_url('addons') will use ADDONS_URL setting if present to build URLs
# to xpi files. We want those on the dedicated CDN domain.
ADDONS_URL = '%s/user-media/addons/' % CDN_HOST
CSP_CONNECT_SRC += (SITE_URL,)
CSP_FONT_SRC += (STATIC_URL,)
# CSP_IMG_SRC already contains 'self', but we could be on reviewers or admin
# domain and want to load things from the regular domain.
CSP_IMG_SRC += (MEDIA_URL, STATIC_URL)
CSP_SCRIPT_SRC += (STATIC_URL,)
CSP_STYLE_SRC += (STATIC_URL,)
SESSION_COOKIE_DOMAIN = '.%s' % DOMAIN SESSION_COOKIE_DOMAIN = '.%s' % DOMAIN

Просмотреть файл

@ -220,6 +220,11 @@ SERVICES_URL = 'http://%s' % SERVICES_DOMAIN
# https://github.com/mozilla/addons-code-manager # https://github.com/mozilla/addons-code-manager
CODE_MANAGER_URL = f'https://code.{DOMAIN}' CODE_MANAGER_URL = f'https://code.{DOMAIN}'
# Static and media URL for prod are hardcoded here to allow them to be set in
# the base CSP shared by all envs.
PROD_STATIC_URL = 'https://addons.mozilla.org/static/'
PROD_MEDIA_URL = 'https://addons.mozilla.org/user-media/'
# Filter IP addresses of allowed clients that can post email through the API. # Filter IP addresses of allowed clients that can post email through the API.
ALLOWED_CLIENTS_EMAIL_API = env.list('ALLOWED_CLIENTS_EMAIL_API', default=[]) ALLOWED_CLIENTS_EMAIL_API = env.list('ALLOWED_CLIENTS_EMAIL_API', default=[])
# Auth token required to authorize inbound email. # Auth token required to authorize inbound email.
@ -1263,7 +1268,6 @@ LOGGING = {
# CSP Settings # CSP Settings
PROD_CDN_HOST = 'https://addons.cdn.mozilla.net'
ANALYTICS_HOST = 'https://www.google-analytics.com' ANALYTICS_HOST = 'https://www.google-analytics.com'
CSP_REPORT_URI = '/__cspreport__' CSP_REPORT_URI = '/__cspreport__'
@ -1273,21 +1277,16 @@ CSP_EXCLUDE_URL_PREFIXES = ()
# NOTE: CSP_DEFAULT_SRC MUST be set otherwise things not set # NOTE: CSP_DEFAULT_SRC MUST be set otherwise things not set
# will default to being open to anything. # will default to being open to anything.
CSP_DEFAULT_SRC = ("'self'",) CSP_DEFAULT_SRC = ("'self'",)
CSP_BASE_URI = ( CSP_BASE_URI = ("'self'",)
"'self'",
# Required for the legacy discovery pane.
'https://addons.mozilla.org',
)
CSP_CONNECT_SRC = ( CSP_CONNECT_SRC = (
"'self'", "'self'",
'https://sentry.prod.mozaws.net', 'https://sentry.prod.mozaws.net',
ANALYTICS_HOST, ANALYTICS_HOST,
PROD_CDN_HOST,
) )
CSP_FORM_ACTION = ("'self'",) CSP_FORM_ACTION = ("'self'",)
CSP_FONT_SRC = ( CSP_FONT_SRC = (
"'self'", "'self'",
PROD_CDN_HOST, PROD_STATIC_URL,
) )
CSP_CHILD_SRC = ( CSP_CHILD_SRC = (
"'self'", "'self'",
@ -1299,7 +1298,8 @@ CSP_IMG_SRC = (
"'self'", "'self'",
'data:', # Used in inlined mobile css. 'data:', # Used in inlined mobile css.
'blob:', # Needed for image uploads. 'blob:', # Needed for image uploads.
PROD_CDN_HOST, PROD_STATIC_URL,
PROD_MEDIA_URL,
'https://static.addons.mozilla.net', # CDN origin server. 'https://static.addons.mozilla.net', # CDN origin server.
'https://sentry.prod.mozaws.net', 'https://sentry.prod.mozaws.net',
) )
@ -1312,12 +1312,12 @@ CSP_SCRIPT_SRC = (
'https://www.recaptcha.net/recaptcha/', 'https://www.recaptcha.net/recaptcha/',
'https://www.gstatic.com/recaptcha/', 'https://www.gstatic.com/recaptcha/',
'https://www.gstatic.cn/recaptcha/', 'https://www.gstatic.cn/recaptcha/',
PROD_CDN_HOST, PROD_STATIC_URL,
) )
CSP_STYLE_SRC = ( CSP_STYLE_SRC = (
"'self'", "'self'",
"'unsafe-inline'", "'unsafe-inline'",
PROD_CDN_HOST, PROD_STATIC_URL,
) )
RESTRICTED_DOWNLOAD_CSP = { RESTRICTED_DOWNLOAD_CSP = {