From 854f5a1c401e9555ba73c965921f935e1920e5a9 Mon Sep 17 00:00:00 2001
From: Alex Chapellon
Date: Mon, 10 Jul 2023 17:57:59 +0200
Subject: [PATCH] OPSEXP-2188: add nginx specific annotation to use from repo a share (#70)

---
 charts/alfresco-common/Chart.yaml | 2 +-
 charts/alfresco-common/README.md | 2 +-
 .../templates/_helpers-nginx.tpl | 23 ++++++++++
 .../templates/_helpers-url.tpl | 45 +++++++++++++++++++
 4 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 charts/alfresco-common/templates/_helpers-nginx.tpl
 create mode 100644 charts/alfresco-common/templates/_helpers-url.tpl

diff --git a/charts/alfresco-common/Chart.yaml b/charts/alfresco-common/Chart.yaml
index 07c0b175..1105053d 100644
--- a/charts/alfresco-common/Chart.yaml
+++ b/charts/alfresco-common/Chart.yaml
@@ -5,7 +5,7 @@ description: | A helper subchart to avoid duplication in alfresco charts and set common external dependencies
 type: library
-version: 2.0.0
+version: 2.1.0-alpha.0
 dependencies:
 - name: common
 repository: >-
diff --git a/charts/alfresco-common/README.md b/charts/alfresco-common/README.md
index 1df52815..17dc9252 100644
--- a/charts/alfresco-common/README.md
+++ b/charts/alfresco-common/README.md
@@ -1,6 +1,6 @@
 # alfresco-common
-![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
+![Version: 2.1.0-alpha.0](https://img.shields.io/badge/Version-2.1.0--alpha.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
 A helper subchart to avoid duplication in alfresco charts and set common external dependencies
diff --git a/charts/alfresco-common/templates/_helpers-nginx.tpl b/charts/alfresco-common/templates/_helpers-nginx.tpl
new file mode 100644
index 00000000..89ccd865
--- /dev/null
+++ b/charts/alfresco-common/templates/_helpers-nginx.tpl
@@ -0,0 +1,23 @@
+{{/*
+Define annotations as provided in values
+Skip ANY server-snippet annotation (CVE-2021-25742)
+*/}}
+{{- define "alfresco-common.nginx.annotations" }}
+{{- range $annotation, $value := .ingress.annotations }}
+ {{- if ne $annotation "nginx.ingress.kubernetes.io/server-snippet" }}
+ {{- $annotation | nindent 4 }}: |-
+ {{- $value | nindent 6 }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define required annotations for secure ACS/SHARE API access
+*/}}
+{{- define "alfresco-common.nginx.secure.annotations" }}
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;}
+ location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;}
+ location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;}
+ location ~ ^/.*/s/prometheus$ {return 403;}
+{{- end }}
diff --git a/charts/alfresco-common/templates/_helpers-url.tpl b/charts/alfresco-common/templates/_helpers-url.tpl
new file mode 100644
index 00000000..b9b47521
--- /dev/null
+++ b/charts/alfresco-common/templates/_helpers-url.tpl
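Review bot: The last `location` in `alfresco-common.nginx.secure.annotations` denies the prometheus webscript only under the `/s/` prefix, while the solr rule three lines above treats `/s/`, `/wcs/`, `/service/` and `/wcservice/` as equivalent entry points, so `/alfresco/service/prometheus` and the other two aliases would still be served; for consistency it should read `location ~ ^/.*/(wc)?s(ervice)?/prometheus$ {return 403;}`. The filter in `alfresco-common.nginx.annotations` drops only `server-snippet`, not `configuration-snippet` or the other snippet annotations that CVE-2021-25742 covers, so the header comment overstates the protection; a more accurate comment would be `Drop any user-supplied server-snippet: the secure helper below emits its own, and a second key would override the lockdown`. It is also worth documenting in the same comment that these `return 403` rules are a URI-level deny-list in front of Tomcat and a defence in depth rather than a substitute for disabling the solr and prometheus endpoints at the application level, since path tricks Tomcat normalises but nginx matches literally (for example `;` path parameters) can, if I read nginx's regex matching right, slip past the pattern. Finally, on a controller running with `allow-snippet-annotations: false` (the documented mitigation for that CVE) the helper's own snippet is rejected or ignored depending on whether the admission webhook is enabled, and the 403 lockdown silently disappears; that caveat belongs next to the define.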
@@ -0,0 +1,45 @@
+{{/*
+Build up CSRF referer
+*/}}
+{{- define "alfresco-common.csrf.referer" -}}
+{{- $known_urls := . }}
+{{- $csrf_referers := list }}
+{{- if kindIs "string" . }}
+ {{- $known_urls = splitList "," . }}
+{{- end }}
+{{- range $known_urls }}
+ {{- $parsed_url := urlParse . }}
+ {{- $known_url := urlJoin (dict "host" $parsed_url.host "path" $parsed_url.path "scheme" $parsed_url.scheme) }}
+ {{- $csrf_referers = append $csrf_referers $known_url }}
+{{- end }}
+{{- $csrf_referers | join "/.*\\|" }}/.*
+{{- end -}}
+
+{{/*
+Build up CSRF Origin
+*/}}
+{{- define "alfresco-common.csrf.origin" -}}
+{{- $known_urls := . }}
+{{- $csrf_origins := list }}
+{{- if kindIs "string" . }}
+ {{- $known_urls = splitList "," . }}
+{{- end }}
+{{- range $known_urls }}
+ {{- $parsed_url := urlParse . }}
+ {{- $known_url := urlJoin (dict "host" $parsed_url.host "scheme" $parsed_url.scheme) }}
+ {{- $csrf_origins = append $csrf_origins $known_url }}
+{{- end }}
+{{- $csrf_origins | join "," }}
+{{- end -}}
+
+{{/*
+Pick the main external host
+*/}}
+{{- define "alfresco-common.external.url" -}}
+{{- $known_urls := .}}
+{{- if kindIs "string" . }}
+ {{- $known_urls = splitList "," . }}
+{{- end }}
+{{- $parsed_url := urlParse (first $known_urls) }}
+{{- urlJoin (dict "host" $parsed_url.host "scheme" $parsed_url.scheme) }}
+{{- end -}}
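Review bot: In `alfresco-common.csrf.referer` a known URL written with a trailing slash (`https://acs.example.com/`, the common form) parses to path `/`, so `urlJoin` yields `https://acs.example.com/` and the appended `/.*` turns the entry into `https://acs.example.com//.*`, which no real Referer header matches; normalising the joined value fixes it, e.g. `{{- $known_url := trimSuffix "/" (urlJoin (dict "host" $parsed_url.host "path" $parsed_url.path "scheme" $parsed_url.scheme)) }}`. The host and path are also spliced into the regular expression unescaped, so every `.` in the hostname matches any character and a look-alike host such as `acsXexample.com` satisfies the check; passing each entry through `regexQuoteMeta` before appending `/.*` keeps the referer list literal. `splitList ","` does not trim whitespace, so a value like `https://a, https://b` hands ` https://b` to `urlParse`, which I believe fails the render rather than silently accepting it — a `trim` on each element would make the input forgiving. Whether the resulting expression needs anchoring depends on how the consumer applies it, which is outside this hunk and should be stated in the define's comment.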