feat(sentry): support CSP report-uri directive

thekaveman · thekaveman · commit 2faabec10a69 · 2023-04-13T21:48:06.000Z
sentry has out of the box support for receiving CSP reports https://docs.sentry.io/product/security-policy-reporting/
diff --git a/benefits/sentry.py b/benefits/sentry.py
@@ -10,6 +10,7 @@
 
 
 SENTRY_ENVIRONMENT = os.environ.get("SENTRY_ENVIRONMENT", "local")
+SENTRY_CSP_REPORT_URI = None
 
 
 def git_available():
@@ -82,5 +83,9 @@ def configure():
             send_default_pii=False,
             event_scrubber=EventScrubber(denylist=get_denylist()),
         )
+
+        # override the module-level variable when configuration happens, if set
+        global SENTRY_CSP_REPORT_URI
+        SENTRY_CSP_REPORT_URI = os.environ.get("SENTRY_REPORT_URI", "")
     else:
         print("SENTRY_DSN not set, so won't send events")
diff --git a/benefits/settings.py b/benefits/settings.py
@@ -300,6 +300,9 @@ def _filter_empty(ls):
 
 CSP_OBJECT_SRC = ["'none'"]
 
+if sentry.SENTRY_CSP_REPORT_URI:
+    CSP_REPORT_URI = [sentry.SENTRY_CSP_REPORT_URI]
+
 CSP_SCRIPT_SRC = [
     "https://cdn.amplitude.com/libs/",
     "https://cdn.jsdelivr.net/",
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
@@ -78,6 +78,7 @@ resource "azurerm_linux_web_app" "main" {
     # Sentry
     "SENTRY_DSN"         = "${local.secret_prefix}sentry-dsn)",
     "SENTRY_ENVIRONMENT" = local.env_name,
+    "SENTRY_REPORT_URI"  = "${local.secret_prefix}sentry-report-uri)",
 
     # Environment variables for data migration
     "MST_SENIOR_GROUP_ID"                            = "${local.secret_prefix}mst-senior-group-id)",
