From eb92ea9069f40c9b874024451f8cdc5aa82ea7dc Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani <harshach@users.noreply.github.com>
Date: Wed, 5 Apr 2023 07:50:12 -0700
Subject: [PATCH] =?UTF-8?q?Fix=20#10808:=20Add=20configuration=20to=20enab?=
 =?UTF-8?q?le=20HSTS,=20X-Frame-Options,=20X-Cont=E2=80=A6=20(#10809)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fix #10808: Add configuration to enable HSTS, X-Frame-Options, X-Content-Type-Options etc..

* Fix #10808: Add configuration to enable HSTS, X-Frame-Options, X-Content-Type-Options etc..
---
 conf/openmetadata.yaml                           | 16 ++++++++++++++--
 openmetadata-service/pom.xml                     |  5 +++++
 .../service/OpenMetadataApplication.java         |  9 +++++++++
 .../service/OpenMetadataApplicationConfig.java   |  6 ++++++
 pom.xml                                          |  6 ++++++
 5 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/conf/openmetadata.yaml b/conf/openmetadata.yaml
index 877ed16ca24..7b6bb9804cb 100644
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@@ -306,6 +306,18 @@ applicationConfig:
     accessBlockTime: ${OM_LOGIN_ACCESS_BLOCK_TIME:-600}
     jwtTokenExpiryTime: ${OM_JWT_EXPIRY_TIME:-3600}
 
-changeEventConfig:
-  omUri: ${OM_URI:- "http://localhost:8585"} #openmetadata in om uri for eg http://loclhost:8585
+
+web:
+  uriPath: /api
+  hsts:
+    enabled: true
+  frame-options:
+    enabled: true
+  content-type-options:
+    enabled: true
+  xss-protection:
+    enabled: true
+
+changeEventConfig:
+  omUri: ${OM_URI:- "http://localhost:8585"} #openmetadata in om uri for eg http://localhost:8585
 
diff --git a/openmetadata-service/pom.xml b/openmetadata-service/pom.xml
index 2513001b8c0..62e26e2b889 100644
--- a/openmetadata-service/pom.xml
+++ b/openmetadata-service/pom.xml
@@ -231,6 +231,11 @@
       <version>${awssdk.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>io.dropwizard.modules</groupId>
+      <artifactId>dropwizard-web</artifactId>
+    </dependency>
+
     <!-- Dependencies for cloudwatch monitoring -->
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java b/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java
index 14a65c78a32..a8ceb344dec 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java
@@ -29,6 +29,8 @@ import io.dropwizard.lifecycle.Managed;
 import io.dropwizard.server.DefaultServerFactory;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
+import io.dropwizard.web.WebBundle;
+import io.dropwizard.web.conf.WebConfiguration;
 import io.federecio.dropwizard.swagger.SwaggerBundle;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
 import io.socket.engineio.server.EngineIoServerOptions;
@@ -274,6 +276,13 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
           }
         });
     bootstrap.addBundle(MicrometerBundleSingleton.getInstance());
+    bootstrap.addBundle(
+        new WebBundle<>() {
+          @Override
+          public WebConfiguration getWebConfiguration(final OpenMetadataApplicationConfig configuration) {
+            return configuration.getWebConfiguration();
+          }
+        });
     super.initialize(bootstrap);
   }
 
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplicationConfig.java b/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplicationConfig.java
index 493023194b2..42f58700843 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplicationConfig.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplicationConfig.java
@@ -17,6 +17,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.Configuration;
 import io.dropwizard.db.DataSourceFactory;
 import io.dropwizard.health.conf.HealthConfiguration;
+import io.dropwizard.web.conf.WebConfiguration;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
@@ -96,6 +97,11 @@ public class OpenMetadataApplicationConfig extends Configuration {
   @JsonProperty("email")
   private SmtpSettings smtpSettings;
 
+  @Valid
+  @NotNull
+  @JsonProperty("web")
+  private WebConfiguration webConfiguration = new WebConfiguration();
+
   @JsonProperty("changeEventConfig")
   private ChangeEventConfiguration changeEventConfiguration;
 
diff --git a/pom.xml b/pom.xml
index cc43fad9c18..4931d6b054d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -148,6 +148,7 @@
     <dropwizardkafka.version>1.8.0</dropwizardkafka.version>
     <maven-release-plugin.version>2.5.3</maven-release-plugin.version>
     <unboundsdk.version>6.0.7</unboundsdk.version>
+    <dropwizard-web.version>1.5.1</dropwizard-web.version>
   </properties>
   <dependencyManagement>
     <dependencies>
@@ -232,6 +233,11 @@
         <artifactId>jdbi3-core</artifactId>
         <version>${jdbi3.version}</version>
       </dependency>
+      <dependency>
+        <groupId>io.dropwizard.modules</groupId>
+        <artifactId>dropwizard-web</artifactId>
+        <version>${dropwizard-web.version}</version>
+      </dependency>
       <dependency>
         <groupId>commons-cli</groupId>
         <artifactId>commons-cli</artifactId>