Update CSP handler to only query and modify frame ancestors instead of all CSP directives

[tianleh]

Description

We get some feedback from security engineers that allowing customers to modify all CSP directives could accidentally expose OSD to attacks. They suggest us to only allow modifying frame-ancestors and do not modify other CSP directives unless reviewed case by case.

Issues Resolved

Screenshot

Testing the changes

call get API

curl -X GET 'http://localhost:5601/api/appconfig/csp.rules.frame_ancestors'

{"statusCode":404,"error":"Not Found","message":"index_not_found_exception: [index_not_found_exception] Reason: no such index [.opensearch_dashboards_config]"}%

Confirm that frame ancestors have a default value 'self'.

Confirm a local html file which embeds using iframe doesn't open OSD.

call update API

curl 'http://localhost:5601/api/appconfig/csp.rules.frame_ancestors' -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'osd-xsrf: osd-fetch' -H 'Sec-Fetch-Dest: empty' --data-raw '{"newValue":"file://* filesystem: https://example-site.org"}'

{"newValue":"file://* filesystem: https://example-site.org"}%

We can see that new CSP is taking effect.

Confirm the html file can now open OSD.

call get API again

curl -X GET 'http://localhost:5601/api/appconfig/csp.rules.frame_ancestors'

{"value":"file://* filesystem: https://example-site.org"}%

call the get API for all configs

curl -X GET 'http://localhost:5601/api/appconfig'
{"value":{"csp.rules.frame_ancestors":"file://* filesystem: https://example-site.org"}}%

call delete API

curl 'http://localhost:5601/api/appconfig/csp.rules.frame_ancestors' -X DELETE -H 'osd-xsrf: osd-fetch' -H 'Sec-Fetch-Dest: empty'

{"deletedEntity":"csp.rules.frame_ancestors"}%

See that CSP is back to default.

The local html file cannot open OSD.

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[yujin-emma]

overall LGTM, left one small comment but not a blocker

[seraphjiang]

might be i missed, i didn't see update logic, but PR said only allow updating frame ancestors, doesn't seem match with the code change.

another general comment, it looks we rely on manually test every time make change to these files, could we automate the test.

[tianleh]

might be i missed, i didn't see update logic, but PR said only allow updating frame ancestors, doesn't seem match with the code change.

another general comment, it looks we really on manually test every time make change to these files, could we automate the test.

The key change is at this line https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6398/files#diff-5cedee9d03c8765c4adb43d8196e75dfe8daec51ced75b9fe9b5df1ded5c8a57R55

We use the new configuration csp.rules.frame_ancestors instead of the previous csp.rules. Then the CSP handler logic is changed accordingly to consume it and set to frame_ancestors in CSP.

I will follow up on the test automation separately as it involves both API testing and UI testing.

@seraphjiang

[zhongnansu]

lgtm