Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CONSOLE-4430: Content Security Policy E2E testing with Puppeteer & Chrome #14675

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

CONSOLE-4430: Content Security Policy E2E testing with Puppeteer & Chrome #14675

wants to merge 1 commit into from
+601 −30

Conversation

vojtechszocs
Copy link
Contributor

This PR adds a script to allow automated testing of Console application for CSP violations.

Console currently implements CSP via Content-Security-Policy-Report-Only HTTP response header, reporting any CSP violations detected in production env. via SecurityPolicyViolationEvent handler to telemetry service.

Summary of changes

  • Use Puppeteer to install and manage a local Chrome for Testing browser instance. All files related to Puppeteer are placed under frontend/.puppeteer directory. Chrome browser is installed only when necessary, i.e. when running yarn test-puppeteer-csp script, so the typical yarn install dependency update flow is not affected.
  • Run yarn test-puppeteer-csp in frontend directory to launch the CSP test script. This script assumes that Console Bridge server is already running locally and will test http://localhost:9000/dashboards page for CSP violations using Chrome DevTools Protocol (CDP).

General test flow

  1. Use CDP to spy on page request (resourceType = Document). Modify the request by adding custom Test-CSP-Reporting-Endpoint header, instructing the server to use the given CSP reporting endpoint for testing purposes and then resume the modified request.
  2. Use CDP to spy on potential CSP violation report requests (resourceType = CSPViolationReport). Upon receiving such request, report the error and then fulfill the request with 200 status code (i.e. avoid the need to run a server that actually handles the requests for CSP violation reports).
  3. Load page and wait until there is no network activity for at least 2s. Treat non-OK HTTP status code as error.

As a follow-up, we should add a CI job that invokes test-csp.sh as the entry point.

@vojtechszocs vojtechszocs changed the title Content Security Policy E2E testing with Puppeteer & Chrome CONSOLE-4430: Content Security Policy E2E testing with Puppeteer & Chrome Jan 9, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 9, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 9, 2025
edited by openshift-ci bot
Loading

@vojtechszocs: This pull request references CONSOLE-4430 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

This PR adds a script to allow automated testing of Console application for CSP violations.

Console currently implements CSP via Content-Security-Policy-Report-Only HTTP response header, reporting any CSP violations detected in production env. via SecurityPolicyViolationEvent handler to telemetry service.

Summary of changes

  • Use Puppeteer to install and manage a local Chrome for Testing browser instance. All files related to Puppeteer are placed under frontend/.puppeteer directory. Chrome browser is installed only when necessary, i.e. when running yarn test-puppeteer-csp script, so the typical yarn install dependency update flow is not affected.
  • Run yarn test-puppeteer-csp in frontend directory to launch the CSP test script. This script assumes that Console Bridge server is already running locally and will test http://localhost:9000/dashboards page for CSP violations using Chrome DevTools Protocol (CDP).

General test flow

  1. Use CDP to spy on page request (resourceType = Document). Modify the request by adding custom Test-CSP-Reporting-Endpoint header, instructing the server to use the given CSP reporting endpoint for testing purposes and then resume the modified request.
  2. Use CDP to spy on potential CSP violation report requests (resourceType = CSPViolationReport). Upon receiving such request, report the error and then fulfill the request with 200 status code (i.e. avoid the need to run a server that actually handles the requests for CSP violation reports).
  3. Load page and wait until there is no network activity for at least 2s. Treat non-OK HTTP status code as error.

As a follow-up, we should add a CI job that invokes test-csp.sh as the entry point.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from kyoto and rhamilto January 9, 2025 17:13
@openshift-ci openshift-ci bot added the component/backend Related to backend label Jan 9, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 9, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vojtechszocs
Once this PR has been reviewed and has the lgtm label, please assign spadgett for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vojtechszocs vojtechszocs force-pushed the csp-e2e-testing-with-puppeteer branch from 42563ab to 4f210a5 Compare January 9, 2025 18:26
@vojtechszocs vojtechszocs force-pushed the csp-e2e-testing-with-puppeteer branch from 4f210a5 to aa52aeb Compare January 9, 2025 18:31
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 9, 2025

@vojtechszocs: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-console aa52aeb link true /test e2e-gcp-console

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@vojtechszocs
Copy link
Contributor Author

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kyoto kyoto Awaiting requested review from kyoto

@rhamilto rhamilto Awaiting requested review from rhamilto

Assignees
No one assigned
Labels
component/backend Related to backend jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vojtechszocs @openshift-ci-robot