csp-report: ensure Sentry requests are made with SNI

files/nginx/odk.conf.template

@@ -189,5 +189,6 @@ server {
 
   location /csp-report {
     proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY};
+    proxy_ssl_server_name on;
   }
 }

test/nginx/mock-http-server/index.js

@@ -1,6 +1,10 @@
+const { execSync } = require('node:child_process');
+
 const express = require('express');
 
 const port = process.env.PORT || 80;
+const mode = process.env.MODE || 'http';
+const httpsHost = process.env.HTTPS_HOST;
 const log = (...args) => console.log('[mock-http-server]', ...args);
 
 const requests = [];
@@ -9,6 +13,16 @@ const app = express();
 
 app.use((req, res, next) => {
   console.log(new Date(), req.method, req.originalUrl);
+  if(req.socket.encrypted) {
+    const certificate = req.socket.getCertificate();
+    if(certificate) {
+      if(certificate.subject.CN !== httpsHost) {
+        // try to simulate an SNI / connection error
+        console.log('Bad HTTPS cert used; destroying connection...');
+        return req.socket.destroy();
+      }
+    }
+  }
   next();
 });
 
@@ -47,6 +61,63 @@ app.get('/v1/projects', (_, res) => {
   res.send('OK');
 }));
 
-app.listen(port, () => {
-  log(`Listening on port: ${port}`);
+const server = (() => {
+  switch(mode) {
+    case 'http':  return app;
+    case 'https': return initHttpsServer();
+    default:
+      console.error(`Unrecognised mode: '${mode}'; should be one of http, https.  Cannot start server.`);
+      process.exit(1);
+  }
+})();
+
+server.listen(port, () => {
+  log(`Listening with ${mode} on port: ${port}`, server === app);
 });
+
+
+function initHttpsServer() {
+  if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https');
+
+  const { readFileSync } = require('node:fs');
+  const { createServer } = require('node:https');
+  const { createSecureContext } = require('node:tls');
+
+  const encoding = 'utf8';
+
+  const creds = commonName => {
+    const keyPath  = `${commonName}-key.pem`;
+    const certPath = `${commonName}-cert.pem`;
+
+    execSync(
+      [
+        'openssl',
+        'req -x509',
+        '-nodes',
+        '-days 365',
+        '-newkey rsa:2048',
+        `-keyout ${keyPath}`,
+        `-out    ${certPath}`,
+        `-subj /CN=${commonName}`,
+      ].join(' '),
+      { encoding },
+    );
+
+    return {
+      key:  readFileSync(keyPath,  { encoding }),
+      cert: readFileSync(certPath, { encoding }),
+    };
+  };
+
+  const goodCreds = creds(httpsHost);
+
+  const opts = {
+    ...creds('localhost'),
+    SNICallback: (servername, cb) => {
+      if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`));
+      cb(null, createSecureContext(goodCreds));
+    },
+  };
+
+  return createServer(opts, app);
+}

test/nginx/mock-http-service.dockerfile

@@ -1,5 +1,10 @@
 FROM node:22.21.0-slim
 
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        openssl \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /workspace
 
 COPY ./mock-http-server .

test/nginx/nginx.test.docker-compose.yml

@@ -13,6 +13,15 @@ services:
       - "8383:8383"
     environment:
       - PORT=8383
+  sentry-mock:
+    build:
+      dockerfile: mock-http-service.dockerfile
+    ports:
+      - "443:443"
+    environment:
+      - MODE=https
+      - HTTPS_HOST=o-fake-dsn.ingest.sentry.io
+      - PORT=443
   nginx:
     build:
       context: ../..
@@ -22,10 +31,13 @@ services:
     depends_on:
       - service
       - enketo
+      - sentry-mock
+    extra_hosts:
+      - o-fake-dsn.ingest.sentry.io:host-gateway
     environment:
       - DOMAIN=odk-nginx.example.test
       - SENTRY_KEY=example-sentry-key
-      - SENTRY_ORG_SUBDOMAIN=example-sentry-org-subdomain
+      - SENTRY_ORG_SUBDOMAIN=o-fake-dsn
       - SENTRY_PROJECT=example-sentry-project
       - SSL_TYPE=selfsign
       - OIDC_ENABLED=false

test/nginx/test-nginx.js

@@ -1,3 +1,4 @@
+const https = require('node:https');
 const tls = require('node:tls');
 const { Readable } = require('stream');
 const { assert } = require('chai');
@@ -590,6 +591,64 @@ describe('nginx config', () => {
       });
     });
   });
+
+  describe('CSP reports', () => {
+    describe('Sentry behaviour', () => {
+      // These tests are a control to demonstrate that the local fake Sentry is
+      // behaving similarly to sentry.io.
+
+      const requestWithSniHost = servername => new Promise((resolve, reject) => {
+        const opts = { hostname:'127.0.0.1', servername };
+
+        const req = https.request(opts, res => {
+          res.on('data', () => {}); // ensure response stream is consumed
+          res.on('end', resolve);
+          res.on('error', reject);
+        });
+
+        req.on('error', reject);
+
+        req.end();
+      });
+
+      it('should accept requests with correct SNI host', async () => {
+        // when
+        await requestWithSniHost('o-fake-dsn.ingest.sentry.io');
+
+        // then
+        // No error was thrown :¬)
+      });
+
+      it('should reject requests without SNI host', async () => {
+        // given
+        let caught;
+
+        // when
+        try {
+          await requestWithSniHost(undefined);
+        } catch(err) {
+          caught = err;
+        }
+
+        // then
+        assert.isOk(caught);
+        assert.equal(caught.code, 'ECONNRESET');
+      });
+    });
+
+    it('/csp-report should successfully forward requests to Sentry', async () => {
+      // when
+      const res = await fetchHttps('/csp-report', {
+        method: 'POST',
+        headers: { 'Content-Type':'application/json' },
+        body: JSON.stringify({}),
+      });
+
+      // then
+      assert.equal(res.status, 200);
+      assert.equal(await res.text(), 'OK');
+    });
+  });
 });
 
 function fetchHttp(path, options) {