CONSOLE-4264: Notify users of Console plugin related Content Security Policy violations

Open vojtechszocs opened this issue 1 year ago • 10 comments

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

[screenshot: csp]

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

cc @jhadvig

vojtechszocs avatar Oct 04 '24 17:10 vojtechszocs
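The attribution and recording logic described in the PR above, as an added example that is not part of the original thread and not the openshift/console PluginStore code. It assumes a plugin-name-to-base-URL table (PLUGIN_BASE_URLS), a small CSPViolationStore in place of the real PluginStore, and constructed sample events: the first mimics the connect-src violation the demo plugin would raise when fetching a host the policy does not allow, the second an inline-script violation from Console core that cannot be attributed to any plugin.

```javascript
// Added example: attribute a browser CSP violation report to a Console dynamic
// plugin and record it so the UI can warn the user. Illustrative only; not the
// openshift/console implementation. Plugin names and base URLs are assumptions.

// Assumed mapping from plugin name to the base URL its assets are served from.
// In the real Console this information would come from loaded plugin manifests.
const PLUGIN_BASE_URLS = {
  'console-demo-plugin': 'http://localhost:9000/api/plugins/console-demo-plugin/',
  'monitoring-plugin': 'http://localhost:9000/api/plugins/monitoring-plugin/',
};

// blockedURI values that are keywords rather than URLs and cannot be matched to a plugin.
const NON_URL_BLOCKED = new Set(['inline', 'eval', 'data', 'blob', 'wasm-eval', '']);

// Infer the plugin that caused a violation. A SecurityPolicyViolationEvent carries
// sourceFile (the script running when the violation happened) and blockedURI (what the
// policy blocked). sourceFile is the stronger signal: a plugin script fetching a
// disallowed host is a connect-src violation whose blockedURI is the foreign host,
// not the plugin. blockedURI is only consulted as a fallback, e.g. a plugin chunk
// that itself was blocked by script-src.
function inferPluginName(event, baseUrls = PLUGIN_BASE_URLS) {
  const candidates = [];
  if (event.sourceFile) candidates.push(event.sourceFile);
  if (event.blockedURI && !NON_URL_BLOCKED.has(event.blockedURI)) candidates.push(event.blockedURI);
  for (const uri of candidates) {
    for (const [name, base] of Object.entries(baseUrls)) {
      if (uri.startsWith(base)) return name;
    }
  }
  return null; // not attributable to a plugin (Console core, browser extension, ...)
}

// Minimal per-plugin store, standing in for the PluginStore changes the PR describes.
class CSPViolationStore {
  constructor() { this.violations = new Map(); }
  record(pluginName, event) {
    if (!this.violations.has(pluginName)) this.violations.set(pluginName, []);
    this.violations.get(pluginName).push({
      directive: event.violatedDirective,
      blockedURI: event.blockedURI,
      sourceFile: event.sourceFile,
      line: event.lineNumber,
    });
  }
  count(pluginName) { return (this.violations.get(pluginName) || []).length; }
  hasViolations(pluginName) { return this.count(pluginName) > 0; }
}

// Handle one violation: record it if attributable, then decide whether to notify.
// The PR shows the toast only in non-production builds, so that is a parameter here.
function handleViolation(event, store, { production }) {
  const pluginName = inferPluginName(event);
  if (pluginName === null) return { pluginName: null, notified: false };
  store.record(pluginName, event); // always recorded, so the list page column stays accurate
  const notified = !production;
  if (notified) {
    console.warn(`CSP violation (${event.violatedDirective}) attributed to plugin ${pluginName}: ${event.blockedURI}`);
  }
  return { pluginName, notified };
}

// Browser wiring: the report arrives as a 'securitypolicyviolation' event on document.
// Guarded so the module also loads under Node for the offline demo below.
const globalStore = new CSPViolationStore();
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) =>
    handleViolation(e, globalStore, { production: false }));
}

// Constructed sample events (not captured from a real Console). The first is what the
// PR's testing setup produces: console-demo-plugin calling fetch() on a host that
// connect-src does not allow. The sourceFile path is an assumption.
const DEMO_PLUGIN_FETCH_VIOLATION = {
  violatedDirective: 'connect-src',
  blockedURI: 'https://catfact.ninja/fact',
  sourceFile: 'http://localhost:9000/api/plugins/console-demo-plugin/plugin-entry.js',
  lineNumber: 4,
};
const CORE_INLINE_SCRIPT_VIOLATION = {
  violatedDirective: 'script-src-elem',
  blockedURI: 'inline',
  sourceFile: 'http://localhost:9000/static/main.js',
  lineNumber: 1,
};

// Offline walk-through: one attributable violation in dev, one unattributable
// violation, and the same attributable violation in a production build.
function demo() {
  const store = new CSPViolationStore();
  const dev = handleViolation(DEMO_PLUGIN_FETCH_VIOLATION, store, { production: false });
  const core = handleViolation(CORE_INLINE_SCRIPT_VIOLATION, store, { production: false });
  const prod = handleViolation(DEMO_PLUGIN_FETCH_VIOLATION, store, { production: true });
  return { dev, core, prod, demoCount: store.count('console-demo-plugin') };
}
```

The heuristic is deliberately a prefix match on the plugin's own base URL; a violation whose sourceFile is empty (which browsers report for some inline and cross-origin cases) and whose blockedURI is a third-party host stays unattributed rather than being pinned on whichever plugin happened to be active.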

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Depends on #14156

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 04 '24 17:10 openshift-ci-robot

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Depends on #14156

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

cc @jhadvig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 04 '24 17:10 openshift-ci-robot

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

cc @jhadvig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 09 '24 15:10 openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vojtechszocs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot] avatar Oct 09 '24 17:10 openshift-ci[bot]

/test e2e-gcp-console

vojtechszocs avatar Oct 10 '24 14:10 vojtechszocs

/retest

vojtechszocs avatar Oct 11 '24 14:10 vojtechszocs

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

[screenshot: csp]

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

cc @jhadvig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 11 '24 17:10 openshift-ci-robot

@vojtechszocs @jhadvig I have a WIP PR up that refactors this component and makes some pretty drastic changes. Just something to consider.

https://github.com/openshift/console/pull/14403

TheRealJon avatar Oct 16 '24 15:10 TheRealJon

/retest

vojtechszocs avatar Oct 17 '24 14:10 vojtechszocs

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

cc @jhadvig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Nov 05 '24 16:11 openshift-ci-robot

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Nov 05 '24 16:11 openshift-ci-robot

@vojtechszocs, looks like you've got some broken integration tests:

"before all" hook for "test Dashboard Card nav item": Demo dynamic plugin test "before all" hook for "test Dashboard Card nav item" 

"after all" hook for "test Dashboard Card nav item": Demo dynamic plugin test "after all" hook for "test Dashboard Card nav item"

rhamilto avatar Nov 05 '24 21:11 rhamilto

@rhamilto Thanks, will take a look at those broken tests.

vojtechszocs avatar Nov 05 '24 21:11 vojtechszocs

/test e2e-gcp-console

vojtechszocs avatar Nov 07 '24 19:11 vojtechszocs

@vojtechszocs: This pull request references CONSOLE-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

When a Content Security Policy (CSP) violation occurs at Console runtime, we attempt to infer the name of the Console dynamic plugin that might have caused the violation.

If the CSP violation seems to originate from a Console dynamic plugin, we store this information in the PluginStore and show a warning :warning: toast notification to make the user aware of the violation. This toast notification is shown only in non-production builds of the Console application.

The ConsolePlugin resource list page was modified to show a "CSP violations" column for each plugin instance, informing users whether any CSP violation(s) have occurred for the given plugin.

The relevant PluginStore API changes will need to be ported over to https://github.com/openshift/dynamic-plugin-sdk

Testing setup:

To force a CSP violation in console-demo-plugin, add fetch('https://catfact.ninja/fact') to line 4 of https://github.com/openshift/console/blob/master/dynamic-demo-plugin/src/utils/example-navs.tsx, rebuild and restart the plugin, and visit http://localhost:9000/dynamic-route-1.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Nov 07 '24 20:11 openshift-ci-robot

I was able to successfully run the failing integration tests locally. It looks like there is a problem getting the plugin deployed in CI. I am doubtful that had anything to do with your changes.

rhamilto avatar Nov 07 '24 20:11 rhamilto

I was able to successfully run the failing integration tests locally. It looks like there is a problem getting the plugin deployed in CI. I am doubtful that had anything to do with your changes.

It looks like these failures are not limited to this PR.

rhamilto avatar Nov 07 '24 21:11 rhamilto

Needs text changes in the jsx so the source matches the i18n json.

rhamilto avatar Nov 08 '24 13:11 rhamilto

PR updated, this should address the update of i18n JSON files.

vojtechszocs avatar Nov 08 '24 15:11 vojtechszocs

Thanks for the updates!

/label docs-approved

opayne1 avatar Nov 08 '24 19:11 opayne1

PR rebased and updated to include the change described at https://github.com/openshift/console/pull/14475#discussion_r1834933251

vojtechszocs avatar Nov 11 '24 21:11 vojtechszocs

As @rhamilto wrote above, we have CI e2e test issues related to installing the dynamic demo plugin on the cluster :disappointed:

vojtechszocs avatar Nov 11 '24 21:11 vojtechszocs

/test e2e-gcp-console

rhamilto avatar Nov 11 '24 23:11 rhamilto

@vojtechszocs: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-gcp-console
Commit: d054036a0969d6fa40a90e9e3e52eb8858aeef16
Details: link
Required: true
Rerun command: /test e2e-gcp-console

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Nov 12 '24 03:11 openshift-ci[bot]

@vojtechszocs it looks like we have a regression issue on the Console plugins tab: only Enabled plugins can be shown in the table

https://github.com/user-attachments/assets/2fec02a3-ec8f-4113-923e-70c7d884c529

yapei avatar Nov 12 '24 03:11 yapei

Based on the failing demo-dynamic-plugin recording, the issue is related to the regression which @yapei mentioned in the comment above.

jhadvig avatar Nov 12 '24 12:11 jhadvig

/label px-approved

reestr avatar Nov 15 '24 08:11 reestr