Admin UI for adding external hosts to a variety of directives

api/src/org/labkey/api/ApiModule.java

@@ -254,6 +254,7 @@ protected void doStartup(ModuleContext moduleContext)
     {
         SystemMaintenance.addTask(new ApiKeyMaintenanceTask());
         AuthenticationManager.registerMetricsProvider();
+        ContentSecurityPolicyFilter.registerMetricsProvider();
         ApiKeyManager.get().handleStartupProperties();
         MailHelper.init();
         // Handle optional feature and system maintenance startup properties as late as possible; we want all optional

api/src/org/labkey/api/collections/CaseInsensitiveHashSetValuedMap.java

@@ -17,22 +17,22 @@
 
 import org.apache.commons.collections4.multimap.AbstractSetValuedMap;
 
-import java.util.HashSet;
+import java.util.HashMap;
 import java.util.Set;
 
 /**
- * A case-insensitive version of org.apache.commons.collections4.multimap.HashSetValuedHashMap
+ * An org.apache.commons.collections4.multimap.HashSetValuedHashMap with case-insensitive String values
  */
-public class CaseInsensitiveHashSetValuedMap<V> extends AbstractSetValuedMap<String, V> implements CaseInsensitiveCollection
+public class CaseInsensitiveHashSetValuedMap<K> extends AbstractSetValuedMap<K, String> implements CaseInsensitiveCollection
 {
     public CaseInsensitiveHashSetValuedMap()
     {
-        super(new CaseInsensitiveHashMap<>());
+        super(new HashMap<>());
     }
 
     @Override
-    protected Set<V> createCollection()
+    protected Set<String> createCollection()
     {
-        return new HashSet<>();
+        return new CaseInsensitiveHashSet();
     }
 }

api/src/org/labkey/api/collections/CaseInsensitiveKeyedHashSetValuedMap.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2016 LabKey Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.labkey.api.collections;
+
+import org.apache.commons.collections4.multimap.AbstractSetValuedMap;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * An org.apache.commons.collections4.multimap.HashSetValuedHashMap with case-insensitive String keys
+ */
+public class CaseInsensitiveKeyedHashSetValuedMap<V> extends AbstractSetValuedMap<String, V> implements CaseInsensitiveCollection
+{
+    public CaseInsensitiveKeyedHashSetValuedMap()
+    {
+        super(new CaseInsensitiveHashMap<>());
+    }
+
+    @Override
+    protected Set<V> createCollection()
+    {
+        return new HashSet<>();
+    }
+}

api/src/org/labkey/api/module/ModuleLoader.java

@@ -30,7 +30,7 @@
 import org.labkey.api.action.UrlProviderService;
 import org.labkey.api.collections.CaseInsensitiveHashMap;
 import org.labkey.api.collections.CaseInsensitiveHashSet;
-import org.labkey.api.collections.CaseInsensitiveHashSetValuedMap;
+import org.labkey.api.collections.CaseInsensitiveKeyedHashSetValuedMap;
 import org.labkey.api.collections.CaseInsensitiveTreeMap;
 import org.labkey.api.collections.CaseInsensitiveTreeSet;
 import org.labkey.api.collections.CopyOnWriteHashMap;
@@ -229,7 +229,7 @@ public enum ModuleState
 
     // Allow multiple StartupPropertyHandlers with the same scope as long as the StartupProperty impl class is different.
     private final Set<StartupPropertyHandler<? extends StartupProperty>> _startupPropertyHandlers = new ConcurrentSkipListSet<>(Comparator.comparing((StartupPropertyHandler<?> sph)->sph.getScope(), String.CASE_INSENSITIVE_ORDER).thenComparing(StartupPropertyHandler::getStartupPropertyClassName));
-    private final MultiValuedMap<String, StartupPropertyEntry> _startupPropertyMap = new CaseInsensitiveHashSetValuedMap<>();
+    private final MultiValuedMap<String, StartupPropertyEntry> _startupPropertyMap = new CaseInsensitiveKeyedHashSetValuedMap<>();
 
     private ModuleLoader()
     {

api/src/org/labkey/api/security/Directive.java

@@ -1,22 +1,27 @@
 package org.labkey.api.security;
 
+import org.labkey.api.settings.StartupProperty;
+import org.labkey.api.util.SafeToRenderEnum;
+
 /**
  * All CSP directives that support substitutions. These constant names are persisted to the database, so be careful with
  * any changes. If adding a Directive, make sure to add the corresponding substitutions to application.properties.
  */
-public enum Directive
+public enum Directive implements StartupProperty, SafeToRenderEnum
 {
-    Connection("connect-src"),
-    Font("font-src"),
-    Frame("frame-src"),
-    Image("image-src"),
-    Style("style-src");
+    Connection("connect-src", "Sources for fetch/XHR requests"),
+    Font("font-src", "Sources for fonts"),
+    Frame("frame-src", "Sources for iframes"),
+    Image("image-src", "Sources for images"),
+    Style("style-src", "Sources for stylesheets");
 
     private final String _cspDirective;
+    private final String _description;
 
-    Directive(String cspDirective)
+    Directive(String cspDirective, String description)
     {
         _cspDirective = cspDirective;
+        _description = description;
     }
 
     public String getCspDirective()
@@ -28,4 +33,10 @@ public String getSubstitutionKey()
     {
         return name().toUpperCase() + ".SOURCES";
     }
+
+    @Override
+    public String getDescription()
+    {
+        return _description + " (" + _cspDirective + "). Multiple hosts, separated by a space, can be provided.";
+    }
 }

api/src/org/labkey/api/settings/AppProps.java

@@ -47,6 +47,7 @@ public interface AppProps
     String EXPERIMENTAL_BLOCKER = "blockMaliciousClients";
     String EXPERIMENTAL_RESOLVE_PROPERTY_URI_COLUMNS = "resolve-property-uri-columns";
     String DEPRECATED_OBJECT_LEVEL_DISCUSSIONS = "deprecatedObjectLevelDiscussions";
+    String ALLOWED_EXTERNAL_RESOURCES = "allowedExternalResources";
 
     String UNKNOWN_VERSION = "Unknown Release Version";
 
@@ -237,16 +238,15 @@ static WriteableAppProps getWriteableInstance()
     boolean isIncludeServerHttpHeader();
 
     /**
-     *
      * @return List of configured external redirect hosts
      */
     @NotNull
     List<String> getExternalRedirectHosts();
 
     /**
-     *
      * @return List of configured external resource hosts
      */
+    @Deprecated // Left for upgrade code only
     @NotNull
     List<String> getExternalSourceHosts();
 
@@ -259,4 +259,6 @@ static WriteableAppProps getWriteableInstance()
     @NotNull Set<SupportedDatabase> getDistributionSupportedDatabases();
 
     @NotNull List<String> getAllowedExtensions();
+
+    @NotNull String getAllowedExternalResourceHosts();
 }

api/src/org/labkey/api/settings/AppPropsImpl.java

@@ -667,13 +667,6 @@ public List<String> getExternalRedirectHosts()
         return getExternalHosts(externalRedirectHostURLs);
     }
 
-    @Override
-    @NotNull
-    public List<String> getExternalSourceHosts()
-    {
-        return getExternalHosts(externalSourceHostURLs);
-    }
-
     @Override
     @NotNull
     public List<String> getAllowedExtensions()
@@ -732,4 +725,23 @@ public Map<StashedStartupProperties, StartupPropertyEntry> getStashedStartupProp
     {
         return DISTRIBUTION_SUPPORTED_DATABASES;
     }
+
+    @Deprecated
+    @Override
+    @NotNull
+    public List<String> getExternalSourceHosts()
+    {
+        String urls = lookupStringValue("externalSourceHostURLs", "");
+        if (StringUtils.isNotBlank(urls))
+        {
+            return new ArrayList<>(Arrays.asList(urls.split(EXTERNAL_HOST_DELIMITER)));
+        }
+        return new ArrayList<>();
+    }
+
+    @Override
+    public @NotNull String getAllowedExternalResourceHosts()
+    {
+        return lookupStringValue(ALLOWED_EXTERNAL_RESOURCES, "[]");
+    }
 }

api/src/org/labkey/api/settings/RandomStartupProperties.java

@@ -28,14 +28,6 @@ public void setValue(WriteableAppProps writeable, String value)
             writeable.setExternalRedirectHosts(Arrays.asList(StringUtils.split(value, AppPropsImpl.EXTERNAL_HOST_DELIMITER)));
         }
     },
-    externalSourceHostURLs("Allowed external source hosts")
-    {
-        @Override
-        public void setValue(WriteableAppProps writeable, String value)
-        {
-            writeable.setExternalSourceHosts(Arrays.asList(StringUtils.split(value, AppPropsImpl.EXTERNAL_HOST_DELIMITER)));
-        }
-    },
     allowedFileExtensions("Allowed file extensions")
     {
         @Override

api/src/org/labkey/api/settings/WriteableAppProps.java

@@ -232,11 +232,6 @@ public void setExternalRedirectHosts(@NotNull Collection<String> externalRedirec
         setExternalHosts(externalRedirectHostURLs, externalRedirectHosts);
     }
 
-    public void setExternalSourceHosts(@NotNull Collection<String> externalSourceHosts)
-    {
-        setExternalHosts(externalSourceHostURLs, externalSourceHosts);
-    }
-
     private void setExternalHosts(RandomStartupProperties propName, @NotNull Collection<String> externalSourceHosts)
     {
         storeStringValue(propName, String.join(EXTERNAL_HOST_DELIMITER, externalSourceHosts));
@@ -247,4 +242,9 @@ public void setAllowedFileExtensions(Collection<String> allowedFileExtensions)
         setExternalHosts(RandomStartupProperties.allowedFileExtensions, allowedFileExtensions);
         FileUtil.setExtensionChecker(AppProps.getInstance());
     }
+
+    public void setAllowedExternalResourceHosts(String jsonArray)
+    {
+        storeStringValue(ALLOWED_EXTERNAL_RESOURCES, jsonArray);
+    }
 }