Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rails CSP nonce auto inject #2544

Merged
merged 9 commits into from
Apr 18, 2024
Merged

Rails CSP nonce auto inject #2544

merged 9 commits into from
Apr 18, 2024

Conversation

baldarn
Copy link
Contributor

@baldarn baldarn commented Apr 9, 2024

Overview

The idea is to allow apps with auto_instrument: true and CSP with nonce enforced to still have newrelic working

Submitter Checklist:

Testing

The agent includes a suite of unit and functional tests which should be used to
verify your changes don't break existing functionality. These tests will run with
GitHub Actions when a pull request is made. More details on running the tests locally can be found
here for our unit tests,
and here for our functional tests.
For most contributions it is strongly recommended to add additional tests which
exercise your changes.

Reviewer Checklist

@CLAassistant
Copy link

CLAassistant commented Apr 9, 2024

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the community To tag external issues and PRs submitted by the community label Apr 9, 2024
@baldarn
Copy link
Contributor Author

baldarn commented Apr 9, 2024

I'v submitted this to have your opinion for this feature. the code is not ready, that's just something like a monkey patch I did in my code to have this working without disabling the auto_instrument: true.

I think, with some more work and tests we could have this working for rails and other frameworks as well!

@baldarn baldarn marked this pull request as ready for review April 9, 2024 15:06
@kaylareopelle kaylareopelle self-assigned this Apr 11, 2024
@kaylareopelle
Copy link
Contributor

Hi @baldarn! Thanks for sharing your idea with us! ✨

I'll bring this up with the other maintainers and get back to you soon!

@kaylareopelle
Copy link
Contributor

Hi @baldarn, the maintainers agree and we'd like to move forward with your idea! Thank you for your contribution! 🚀

As you mentioned earlier, we'll need tests, etc. before including this in a release, but that's something we could handle if you want to stop here. What next steps would you like to take?

@baldarn
Copy link
Contributor Author

baldarn commented Apr 12, 2024

Hi @baldarn, the maintainers agree and we'd like to move forward with your idea! Thank you for your contribution! 🚀

As you mentioned earlier, we'll need tests, etc. before including this in a release, but that's something we could handle if you want to stop here. What next steps would you like to take?

Great news! I'll try to do something. I have 2 options in my mind, but I first have to try to do some code ;)

baldarn and others added 2 commits April 12, 2024 09:10
adding csp configuration for rails after 5.2
default_value to enable csp nonce set to false
@baldarn
Copy link
Contributor Author

baldarn commented Apr 12, 2024

@kaylareopelle I did something but I'm struggling to add the tests. maybe you can point me the right direction or just commit something that tests the code?

It's also not super clear how the configuration works, I added something in
lib/new_relic/agent/configuration/default_source.rb
but I really don't know what I'm doing XD

@kaylareopelle
Copy link
Contributor

Thanks, @baldarn! This looks great! Your instincts were spot on with adding a configuration to default_source. That will provide users with a config option and also generate documentation for it!

We can take care of the tests, thanks for updating the environments!

Copy link
Contributor

@kaylareopelle kaylareopelle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a few suggestions before approval. Thanks again for you contribution!

lib/new_relic/agent/configuration/default_source.rb Outdated Show resolved Hide resolved
lib/new_relic/agent/configuration/default_source.rb Outdated Show resolved Hide resolved
lib/new_relic/rack/browser_monitoring.rb Outdated Show resolved Hide resolved
newrelic.yml Outdated Show resolved Hide resolved
@kaylareopelle kaylareopelle linked an issue Apr 15, 2024 that may be closed by this pull request
Co-authored-by: Kayla Reopelle (she/her) <[email protected]>
@baldarn baldarn requested a review from kaylareopelle April 16, 2024 06:42
@baldarn
Copy link
Contributor Author

baldarn commented Apr 16, 2024

After the PR is merged, this doc should also be updated ;)

https://docs.newrelic.com/docs/apm/agents/ruby-agent/features/new-relic-browser-ruby-agent/

(to avoid forgetting, I added a check list in the PR description ;) )

- Defined a dedicated `nonce` method for the nonce logic
- Added unit tests to confirm a nonce is or isn't added to the output
@fallwith
Copy link
Contributor

Hi @baldarn! With dd5cc7b I have gone ahead and added some simple unit tests to verify the nonce/no-nonce logic you established.

I think these unit tests are sufficient for now. As such, would you please git rm all of the initializers/[content_security_policy.rb files?

As for the changes to newrelic.yml, yes, please delete those and the lines will be added back later via autogeneration. Feel free to ever revert the changes or simply add another commit that removes the lines. Either way is fine.

I think after you do those 2 things (delete the Rails initializer files, remove the content from newrelic.yml), we'll be ready to merge.

@baldarn
Copy link
Contributor Author

baldarn commented Apr 18, 2024

@fallwith done
I also used the ActionDispatch::ContentSecurityPolicy::Request::NONCE to get the env string to get the nonce ;)

@fallwith fallwith dismissed kaylareopelle’s stale review April 18, 2024 08:06

taking over for Kayla

guard against `ActionDispatch` and `Rails` not being defined. in the
tests, the `norails` suite reaches the nonce tests, so skip them
@fallwith
Copy link
Contributor

Thanks, @baldarn. Everything looks great. We can ignore the "unit_tests" test failures as those exist in dev right now and are not related to browser monitoring. As long as the "rails" tests pass we'll be ok to merge.

Regarding your suggested documentation update... the text for that page is in a different open source repo here. We can't apply changes there until the changes here have made their way into a new agent release. We will make a note of it for our next release, but if you don't see that page get changed after we next release a new agent version, please feel free to reach out back here or on the docs repo with a new GitHub issue to remind us.

Copy link
Contributor

@fallwith fallwith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again for these changes, @baldarn! They will go out in the next version of the Ruby agent.

@fallwith fallwith merged commit 2f0d1e2 into newrelic:dev Apr 18, 2024
25 of 27 checks passed
@kaylareopelle kaylareopelle mentioned this pull request Apr 18, 2024
4 tasks
@kaylareopelle
Copy link
Contributor

Hi @baldarn! I wanted to let you know this change is part of newrelic_rpm version 9.10.0, which was released yesterday.

I've also updated the browser docs to mention this feature. If there's anything you'd like to see changed about this doc, on the righthand pane, there's an option to edit the doc. This will take you to the New Relic docs-website repository to make changes to the file.

Thanks again for your contribution!

@baldarn
Copy link
Contributor Author

baldarn commented May 31, 2024

Hi @kaylareopelle , this was a pleasure xD

In the doc is written that this default is default true, but I'm not sure if this is correct

I don't understand well the config file XD

@kaylareopelle
Copy link
Contributor

@baldarn, thank you for this catch! 😅

You're absolutely right, the default is false. I've updated our changelog and have a PR open to the docs website to make the changes there too.

@sgessa
Copy link

sgessa commented May 31, 2024

We just updated to 9.10 and we didn't change the newrelic.yml file.
This is what we get:

irb> NewRelic::Agent.config[:'browser_monitoring.content_security_policy_nonce']
=> true
irb> NewRelic::Agent.config[:'browser_monitoring.auto_instrument']
=> true

I am confused now 😓
Seems enabled by default.

@kaylareopelle
Copy link
Contributor

We just updated to 9.10...

@sgessa, you're totally right. Thanks for chiming in here. 🙇

Our config can get a little tricky, especially when there's dynamic values at play.

What happened was I looked at the documentation_default in our default_source.rb file, which includes all our configurations. However, that wasn't the genuine default, because it's set dynamically based on the value of rum.enabled, which is a private config, set to true by default. 😅

We're reverting the changelog updates made this morning and fortunately caught the docs PR before it was merged.

This has made for an exciting Friday!

Let us know if you run into any issues with the new feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community To tag external issues and PRs submitted by the community
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Follow-ups for Rails CSP nonce, #2544
5 participants