ISTI-ansible-roles
/
ansible-role-redmine
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

support for CORS and security-content.

This commit is contained in:
Andrea Dell'Amico 2021-07-28 12:48:24 +02:00
parent 7b28ddc8b9
commit 791cef5f21
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
4 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
defaults/main.yml
View File

@ -41,6 +41,7 @@ redmine_nginx_cors_enabled: False
redmine_nginx_cors_global: '{{ redmine_nginx_cors_enabled }}' redmine_nginx_cors_global: '{{ redmine_nginx_cors_enabled }}'
redmine_nginx_serveraliases: [] redmine_nginx_serveraliases: []
redmine_inside_iframe: False
redmine_log_level: warn redmine_log_level: warn
# Minutes, from 1 to 60 # Minutes, from 1 to 60
redmine_ldap_sync_freq: 10 redmine_ldap_sync_freq: 10

17
tasks/redmine.yml
View File

@ -112,10 +112,25 @@
- Reload unicorn when needed - Reload unicorn when needed
- name: Install the additional environment file - name: Install the additional environment file
template: src=redmine_additional_environment.rb.j2 dest=/{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/config/additional_environment.rb owner=root group={{ redmine_group }} mode=0440 template:
src: redmine_additional_environment.rb.j2
dest: '/{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/config/additional_environment.rb'
owner: root
group: '{{ redmine_group }}'
mode: 0440
notify: Bundle install notify: Bundle install
tags: [ 'redmine', 'redmine_additional_env' ] tags: [ 'redmine', 'redmine_additional_env' ]
- name: Install the config content security policy file
template:
src: redmine_csp.rb.j2
dest: '/{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/config/initializers/csp.rb'
owner: root
group: '{{ redmine_group }}'
mode: 0440
notify: Reload unicorn
tags: [ 'redmine', 'redmine_additional_env' ]
- name: Install the gems required by redmine - name: Install the gems required by redmine
shell: cd {{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}; bundle install --without development test sqlite mysql && touch {{ redmine_glob_root_dir }}/.{{ redmine_inst_dir }}_gems_installed shell: cd {{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}; bundle install --without development test sqlite mysql && touch {{ redmine_glob_root_dir }}/.{{ redmine_inst_dir }}_gems_installed
args: args:

6
templates/redmine_additional_environment.rb.j2
View File

@ -1,5 +1,9 @@
{% if redmine_inside_iframe %}
config.action_controller.allow_forgery_protection = false config.action_controller.allow_forgery_protection = false
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'ALLOWALL'
}
{% endif %}
config.log_level = :{{ redmine_log_level }} config.log_level = :{{ redmine_log_level }}
{% if redmine_memcached %} {% if redmine_memcached %}

15
templates/redmine_csp.rb.j2 Normal file
View File

@ -0,0 +1,15 @@
{% if redmine_inside_iframe %}
Rails.application.config.content_security_policy do |policy|
policy.default_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
policy.font_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
policy.img_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
policy.object_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
policy.script_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
policy.style_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end
#Rails.application.config.content_security_policy_report_only = true
{% endif %}