Feat : allow to update CSP

Was needed to download mabox GL dependencies

internal/mocks/mocks.go

@@ -7,7 +7,7 @@ import (
 	"os"
 	"strconv"
 
-	"forge.grandlyon.com/systemes-dinformation/project-template/sdk-go/pkg/middlewares"
+	"forge.grandlyon.com/gestion-des-assemblees/elections/pkg/middlewares"
 )
 
 const literralContentType = "Content-Type"

internal/rootmux/rootmux.go

@@ -6,7 +6,7 @@ import (
 
 	"forge.grandlyon.com/gestion-des-assemblees/elections/internal/auth"
 	"forge.grandlyon.com/gestion-des-assemblees/elections/internal/models"
-	"forge.grandlyon.com/systemes-dinformation/project-template/sdk-go/pkg/middlewares"
+	"forge.grandlyon.com/gestion-des-assemblees/elections/pkg/middlewares"
 
 	"forge.grandlyon.com/systemes-dinformation/project-template/sdk-go/pkg/common"
 )
@@ -47,6 +47,6 @@ func CreateRootMux(port int, staticDir string) RootMux {
 	mainMux.Handle("/", middlewares.NoCache(http.FileServer(&common.FallBackWrapper{Assets: http.Dir(staticDir)})))
 	// Put it together into the main handler
 	mux := http.NewServeMux()
-	mux.Handle(hostname+"/", middlewares.WebSecurity(mainMux, "*."+hostname+":*", false))
+	mux.Handle(hostname+"/", middlewares.WebSecurity(mainMux, "*."+hostname+":* *.mapbox.com *.grandlyon.com ", false))
 	return RootMux{mux, &m}
 }

main.go

@@ -11,7 +11,7 @@ import (
 	"syscall"
 	"time"
 
-	"forge.grandlyon.com/systemes-dinformation/project-template/sdk-go/pkg/middlewares"
+	"forge.grandlyon.com/gestion-des-assemblees/elections/pkg/middlewares"
 	"forge.grandlyon.com/systemes-dinformation/project-template/sdk-go/pkg/tokens"
 
 	"forge.grandlyon.com/gestion-des-assemblees/elections/internal/mocks"

pkg/middlewares/middlewares.go

+package middlewares
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+)
+
+// Cors enables CORS Request on server (for development purposes)
+func Cors(next http.Handler, allowedOrigin string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
+		w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, PROPFIND, MKCOL, MOVE, COPY")
+		w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, XSRF-TOKEN, Authorization, Depth, Destination")
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		next.ServeHTTP(w, req)
+	})
+}
+
+// WebSecurity adds good practices security headers on http responses
+func WebSecurity(next http.Handler, source string, allowEvalInlineScript bool) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Strict-Transport-Security", "max-age=63072000")
+		var inline string
+		if allowEvalInlineScript {
+			inline = "'unsafe-inline' 'unsafe-eval'"
+		}
+		w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src %[1]v 'self'; img-src %[1]v 'self' data: blob:; script-src %[1]v 'self' %[2]v; style-src %[1]v 'self' 'unsafe-inline'; frame-src %[1]v; frame-ancestors %[1]v; worker-src blob: ;child-src blob: ;", source, inline))
+		//w.Header().Set("X-Frame-Options", "SAMEORIGIN") // Works fine with chrome but is not obsoleted by frame-src in firefox 72.0.2
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+		w.Header().Set("Referrer-Policy", "strict-origin")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		next.ServeHTTP(w, req)
+	})
+}
+
+// NoCache disable caching
+func NoCache(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Cache-Control", "no-store, must-revalidate")
+		next.ServeHTTP(w, req)
+	})
+}
+
+// GetFullHostname returns the full hostname of the server
+func GetFullHostname(hostname string, port int) string {
+	if port == 80 || port == 443 {
+		return "https://" + hostname
+	}
+	return "https://" + hostname + ":" + strconv.Itoa(port)
+}