From cc1da0773bc9088aea0c65a2ef89472db2862b2f Mon Sep 17 00:00:00 2001
From: Philippe Caseiro
Date: Fri, 13 Sep 2019 16:02:48 +0200
Subject: [PATCH 1/4] Work around CSP form-action issue with CAS. Replace header with nicer values
---
 tmpl/portal-nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf
index 32464a1..c753c04 100644
--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
@@ -4,6 +4,7 @@
 # default "";
 # ~/CN=(?[^/]+) $CN;
 #}
+%set %%webDomain = %%authWebName.split('.',1)[1]
 server {
     listen 80;
@@ -40,6 +41,8 @@ server {
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "default-src 'self'; form-action 'self' http://*.%%webDomain https://*.%%webDomain; object-src 'none'";
 }

From 9003ecbcb337ced482326d28236e284d48aed33c Mon Sep 17 00:00:00 2001
From: Benjamin Bohard
Date: Thu, 12 Dec 2019 11:14:54 +0100
Subject: [PATCH 2/4] nginx error pages are located in html subfolder, not www
---
 tmpl/handler-nginx.conf | 2 +-
 tmpl/manager-nginx.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf
index a4c4071..726bc86 100644
--- a/tmpl/handler-nginx.conf
+++ b/tmpl/handler-nginx.conf
@@ -39,7 +39,7 @@ server {
     error_page 403 404 502 503 504 /nginx.html;
     location = /nginx.html{
-        root /usr/share/nginx/www;
+        root /usr/share/nginx/html;
     }
     location = /reload {
diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf
index ec288e5..b1db898 100644
--- a/tmpl/manager-nginx.conf
+++ b/tmpl/manager-nginx.conf
@@ -20,7 +20,7 @@ server {
     error_page 403 404 502 503 504 /nginx.html;
     location = /nginx.html{
-        root /usr/share/nginx/www;
+        root /usr/share/nginx/html;
     }
     root /usr/share/lemonldap-ng/manager/htdocs/;
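Review bot: `%%authWebName.split('.',1)[1]` raises IndexError at template generation time when the portal name contains no dot (a bare host name), which aborts the whole nginx config build instead of producing a usable default; `%set %%webDomain = %%authWebName.split('.',1)[1] if '.' in %%authWebName else %%authWebName` keeps generation working in that case. The derived wildcard also turns every host under the portal's parent domain into a permitted form target, so it silently assumes that whole domain is under the operator's control; a comment stating that assumption next to the `%set` would help whoever later widens it.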
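Review bot: `fastcgi_hide_header Content-Security-Policy` strips the portal's own policy from every response, but `add_header` without the `always` flag only attaches a header to 2xx/3xx responses, so 4xx/5xx pages returned by the portal go out with no CSP at all; `add_header Content-Security-Policy "default-src 'self'; form-action 'self' http://*.%%webDomain https://*.%%webDomain; object-src 'none'" always;` keeps coverage on error responses. The replacement policy carries no `frame-ancestors`, `base-uri`, `script-src` or `style-src`, so if the upstream LemonLDAP::NG header included any of those this is a net loss of protection; if the installed portal version exposes a `cspFormAction` setting, setting it there would avoid overriding the header in nginx entirely. Allowing `http://*.%%webDomain` as a form target lets the login form post credentials over plain HTTP to any subdomain, so unless an HTTP-only CAS service really exists the http:// entry should be dropped. Note also that an `add_header` at location level replaces any `add_header` inherited from the enclosing server block, which is outside this hunk.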
From 20c513e4fde41b7aa79e6d913ffbdec80f0bbcef Mon Sep 17 00:00:00 2001 From: Benjamin Bohard Date: Thu, 12 Dec 2019 11:16:38 +0100 Subject: [PATCH 3/4] declare lmremote_custom variable in test-nginx.conf --- tmpl/test-nginx.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf index 87e170f..64e08bd 100644 --- a/tmpl/test-nginx.conf +++ b/tmpl/test-nginx.conf @@ -50,6 +50,7 @@ server { ################################## auth_request /lmauth; auth_request_set $lmremote_user $upstream_http_lm_remote_user; + auth_request_set $lmremote_custom $upstream_http_lm_remote_custom; auth_request_set $lmlocation $upstream_http_location; # If CDA is used, uncomment this #auth_request_set $cookie_value $upstream_http_set_cookie; From 207dadd5cc84455cb9c7d05d3c07af8088f2a69c Mon Sep 17 00:00:00 2001 From: Benjamin Bohard Date: Thu, 12 Dec 2019 12:01:00 +0100 Subject: [PATCH 4/4] Add variables to defined allowed CSP targets --- dicos/70_lemonldap_ng.xml | 2 ++ tmpl/portal-nginx.conf | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index bfede2a..797333b 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -67,6 +67,7 @@ + Configuration DNS @@ -132,5 +133,6 @@ DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé + Liste des domaines à ajouter à la directive form-action. diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf index c753c04..701f484 100644 --- a/tmpl/portal-nginx.conf +++ b/tmpl/portal-nginx.conf 
@@ -5,6 +5,8 @@
 # ~/CN=(?[^/]+) $CN;
 #}
 %set %%webDomain = %%authWebName.split('.',1)[1]
+%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')
+
 server {
     listen 80;
@@ -42,7 +44,7 @@ server {
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO $fastcgi_path_info;
     fastcgi_hide_header Content-Security-Policy;
-    add_header Content-Security-Policy "default-src 'self'; form-action 'self' http://*.%%webDomain https://*.%%webDomain; object-src 'none'";
+    add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";
 }
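Review bot: The `%set %%CSPTargets` line interpolates each `llCSPTargets` entry into the header value verbatim, so an entry containing whitespace, `;` or `"` would add extra CSP sources or directives, or break the nginx string literal; rejecting any entry that is not a plain host name (letters, digits, `-` and `.`) before formatting closes that. `set()` also yields an order that can differ between template runs, so the generated header churns across regenerations for no reason; `sorted(set([%%webDomain] + %%getVar('llCSPTargets')))` is stable and dedups just the same. If `%%getVar('llCSPTargets')` can return None when the list is left empty, the list concatenation raises at generation time, which `(%%getVar('llCSPTargets') or [])` avoids. As with the earlier patch, every extra domain is also admitted over plain `http://`, which is rarely what a form-action allowlist for a login form should permit.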