fix: detected issues

HardMax71 · HardMax71 · commit 9c774fc39e10 · 2026-03-02T23:14:48.000+01:00
- index.html: aria labels for loading wheel
- worker: well-typed objs for k8s-client internal stuff
- seed user: moved pwd hasher creation to main, taking num of rounds from settings obj
- docs: update on diff between style-src-elem vs. style-src-attr
- docs: fix of identation in nginx-config doc
diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
@@ -1,7 +1,6 @@
 import asyncio
 import time
 from pathlib import Path
-from typing import Any
 
 import structlog
 from kubernetes_asyncio import client as k8s_client
@@ -267,7 +266,7 @@ async def ensure_namespace_security(self) -> None:
         await self._apply_psa_labels(namespace)
 
     async def _ensure_executor_network_policy(self, namespace: str) -> None:
-        """Create default-deny NetworkPolicy for executor pods."""
+        """Create or update default-deny NetworkPolicy for executor pods."""
         policy_name = "executor-deny-all"
 
         policy = k8s_client.V1NetworkPolicy(
@@ -279,31 +278,24 @@ async def _ensure_executor_network_policy(self, namespace: str) -> None:
                 labels={"app": "integr8s", "component": "security"},
             ),
             spec=k8s_client.V1NetworkPolicySpec(
-                pod_selector=k8s_client.V1LabelSelector(
-                    match_labels={"component": "executor"},
-                ),
+                pod_selector=k8s_client.V1LabelSelector(match_labels={"component": "executor"}),
                 policy_types=["Ingress", "Egress"],
                 ingress=[],
                 egress=[],
             ),
         )
 
-        try:
-            await self.networking_v1.read_namespaced_network_policy(name=policy_name, namespace=namespace)
-            await self.networking_v1.replace_namespaced_network_policy(
-                name=policy_name, namespace=namespace, body=policy,
-            )
-            self.logger.info(f"NetworkPolicy '{policy_name}' updated in namespace {namespace}")
-        except ApiException as e:
-            if e.status == 404:
-                await self.networking_v1.create_namespaced_network_policy(namespace=namespace, body=policy)
-                self.logger.info(f"NetworkPolicy '{policy_name}' created in namespace {namespace}")
-            else:
-                self.logger.error(f"Failed to apply NetworkPolicy '{policy_name}': {e.reason}")
+        await self.networking_v1.patch_namespaced_network_policy(  # type: ignore[call-arg]
+            name=policy_name, namespace=namespace, body=policy,
+            field_manager="integr8s", force=True,
+            _content_type="application/apply-patch+yaml",
+        )
+        self.logger.info(f"NetworkPolicy '{policy_name}' applied in namespace {namespace}")
 
     async def _ensure_executor_resource_quota(self, namespace: str) -> None:
-        """Create ResourceQuota to cap aggregate executor pod consumption."""
+        """Create or update ResourceQuota to cap aggregate executor pod consumption."""
         quota_name = "executor-quota"
+        n = self._settings.K8S_MAX_CONCURRENT_PODS
 
         quota = k8s_client.V1ResourceQuota(
             api_version="v1",
@@ -315,25 +307,21 @@ async def _ensure_executor_resource_quota(self, namespace: str) -> None:
             ),
             spec=k8s_client.V1ResourceQuotaSpec(
                 hard={
-                    "pods": str(self._settings.K8S_MAX_CONCURRENT_PODS),
-                    "requests.cpu": f"{self._settings.K8S_MAX_CONCURRENT_PODS}",
-                    "requests.memory": f"{self._settings.K8S_MAX_CONCURRENT_PODS * 128}Mi",
-                    "limits.cpu": f"{self._settings.K8S_MAX_CONCURRENT_PODS}",
-                    "limits.memory": f"{self._settings.K8S_MAX_CONCURRENT_PODS * 128}Mi",
+                    "pods": str(n),
+                    "requests.cpu": f"{int(self._settings.K8S_POD_CPU_REQUEST.removesuffix('m')) * n}m",
+                    "requests.memory": f"{int(self._settings.K8S_POD_MEMORY_REQUEST.removesuffix('Mi')) * n}Mi",
+                    "limits.cpu": f"{int(self._settings.K8S_POD_CPU_LIMIT.removesuffix('m')) * n}m",
+                    "limits.memory": f"{int(self._settings.K8S_POD_MEMORY_LIMIT.removesuffix('Mi')) * n}Mi",
                 },
             ),
         )
 
-        try:
-            await self.v1.read_namespaced_resource_quota(name=quota_name, namespace=namespace)
-            await self.v1.replace_namespaced_resource_quota(name=quota_name, namespace=namespace, body=quota)
-            self.logger.info(f"ResourceQuota '{quota_name}' updated in namespace {namespace}")
-        except ApiException as e:
-            if e.status == 404:
-                await self.v1.create_namespaced_resource_quota(namespace=namespace, body=quota)
-                self.logger.info(f"ResourceQuota '{quota_name}' created in namespace {namespace}")
-            else:
-                self.logger.error(f"Failed to apply ResourceQuota '{quota_name}': {e.reason}")
+        await self.v1.patch_namespaced_resource_quota(  # type: ignore[call-arg]
+            name=quota_name, namespace=namespace, body=quota,
+            field_manager="integr8s", force=True,
+            _content_type="application/apply-patch+yaml",
+        )
+        self.logger.info(f"ResourceQuota '{quota_name}' applied in namespace {namespace}")
 
     async def _apply_psa_labels(self, namespace: str) -> None:
         """Apply Pod Security Admission labels to the executor namespace."""
@@ -344,69 +332,54 @@ async def _apply_psa_labels(self, namespace: str) -> None:
             "pod-security.kubernetes.io/audit": "restricted",
         }
 
-        patch_body = {"metadata": {"labels": psa_labels}}
-        try:
-            await self.v1.patch_namespace(name=namespace, body=patch_body)
-            self.logger.info(f"Pod Security Admission labels applied to namespace {namespace}")
-        except ApiException as e:
-            self.logger.error(f"Failed to apply PSA labels to namespace {namespace}: {e.reason}")
+        await self.v1.patch_namespace(name=namespace, body={"metadata": {"labels": psa_labels}})
+        self.logger.info(f"Pod Security Admission labels applied to namespace {namespace}")
 
     async def ensure_image_pre_puller_daemonset(self) -> None:
         """Ensure the runtime image pre-puller DaemonSet exists."""
         daemonset_name = "runtime-image-pre-puller"
         namespace = self._settings.K8S_NAMESPACE
 
         try:
-            init_containers = []
+            init_containers: list[k8s_client.V1Container] = []
             all_images = {config.image for lang in RUNTIME_REGISTRY.values() for config in lang.values()}
 
             for i, image_ref in enumerate(sorted(all_images)):
                 sanitized_image_ref = image_ref.split("/")[-1].replace(":", "-").replace(".", "-").replace("_", "-")
                 self.logger.info(f"DAEMONSET: before: {image_ref} -> {sanitized_image_ref}")
-                container_name = f"pull-{i}-{sanitized_image_ref}"
-                init_containers.append(
-                    {
-                        "name": container_name,
-                        "image": image_ref,
-                        "command": ["/bin/sh", "-c", f'echo "Image {image_ref} pulled."'],
-                        "imagePullPolicy": "Always",
-                    }
-                )
-
-            manifest: dict[str, Any] = {
-                "apiVersion": "apps/v1",
-                "kind": "DaemonSet",
-                "metadata": {"name": daemonset_name, "namespace": namespace},
-                "spec": {
-                    "selector": {"matchLabels": {"name": daemonset_name}},
-                    "template": {
-                        "metadata": {"labels": {"name": daemonset_name}},
-                        "spec": {
-                            "initContainers": init_containers,
-                            "containers": [{"name": "pause", "image": "registry.k8s.io/pause:3.9"}],
-                            "tolerations": [{"operator": "Exists"}],
-                        },
-                    },
-                    "updateStrategy": {"type": "RollingUpdate"},
-                },
-            }
+                init_containers.append(k8s_client.V1Container(
+                    name=f"pull-{i}-{sanitized_image_ref}",
+                    image=image_ref,
+                    command=["/bin/sh", "-c", f'echo "Image {image_ref} pulled."'],
+                    image_pull_policy="Always",
+                ))
+
+            daemonset = k8s_client.V1DaemonSet(
+                api_version="apps/v1",
+                kind="DaemonSet",
+                metadata=k8s_client.V1ObjectMeta(name=daemonset_name, namespace=namespace),
+                spec=k8s_client.V1DaemonSetSpec(
+                    selector=k8s_client.V1LabelSelector(match_labels={"name": daemonset_name}),
+                    template=k8s_client.V1PodTemplateSpec(
+                        metadata=k8s_client.V1ObjectMeta(labels={"name": daemonset_name}),
+                        spec=k8s_client.V1PodSpec(
+                            init_containers=init_containers,
+                            containers=[k8s_client.V1Container(
+                                name="pause", image="registry.k8s.io/pause:3.9",
+                            )],
+                            tolerations=[k8s_client.V1Toleration(operator="Exists")],
+                        ),
+                    ),
+                    update_strategy=k8s_client.V1DaemonSetUpdateStrategy(type="RollingUpdate"),
+                ),
+            )
 
-            try:
-                await self.apps_v1.read_namespaced_daemon_set(name=daemonset_name, namespace=namespace)
-                self.logger.info(f"DaemonSet '{daemonset_name}' exists. Replacing to ensure it is up-to-date.")
-                await self.apps_v1.replace_namespaced_daemon_set(
-                    name=daemonset_name, namespace=namespace, body=manifest  # type: ignore[arg-type]
-                )
-                self.logger.info(f"DaemonSet '{daemonset_name}' replaced successfully.")
-            except ApiException as e:
-                if e.status == 404:
-                    self.logger.info(f"DaemonSet '{daemonset_name}' not found. Creating...")
-                    await self.apps_v1.create_namespaced_daemon_set(
-                        namespace=namespace, body=manifest  # type: ignore[arg-type]
-                    )
-                    self.logger.info(f"DaemonSet '{daemonset_name}' created successfully.")
-                else:
-                    raise
+            await self.apps_v1.patch_namespaced_daemon_set(  # type: ignore[call-arg]
+                name=daemonset_name, namespace=namespace, body=daemonset,
+                field_manager="integr8s", force=True,
+                _content_type="application/apply-patch+yaml",
+            )
+            self.logger.info(f"DaemonSet '{daemonset_name}' applied successfully")
 
         except ApiException as e:
             self.logger.error(f"K8s API error applying DaemonSet '{daemonset_name}': {e.reason}", exc_info=True)
diff --git a/backend/scripts/seed_users.py b/backend/scripts/seed_users.py
@@ -23,11 +23,10 @@
 from pymongo.asynchronous.database import AsyncDatabase
 from pymongo.asynchronous.mongo_client import AsyncMongoClient
 
-pwd_hasher = PasswordHash((BcryptHasher(rounds=12),))
-
 
 async def upsert_user(
     db: AsyncDatabase[dict[str, Any]],
+    pwd_hasher: PasswordHash,
     username: str,
     email: str,
     password: str,
@@ -71,6 +70,7 @@ async def upsert_user(
 
 async def seed_users(settings: Settings) -> None:
     """Seed default users using provided settings for MongoDB connection."""
+    pwd_hasher = PasswordHash((BcryptHasher(rounds=settings.BCRYPT_ROUNDS),))
     default_password = os.environ.get("DEFAULT_USER_PASSWORD", "user123")
     admin_password = os.environ.get("ADMIN_USER_PASSWORD", "admin123")
 
@@ -81,6 +81,7 @@ async def seed_users(settings: Settings) -> None:
     # Default user
     await upsert_user(
         db,
+        pwd_hasher,
         username="user",
         email="user@integr8scode.com",
         password=default_password,
@@ -91,6 +92,7 @@ async def seed_users(settings: Settings) -> None:
     # Admin user
     await upsert_user(
         db,
+        pwd_hasher,
         username="admin",
         email="admin@integr8scode.com",
         password=admin_password,
diff --git a/docs/operations/nginx-configuration.md b/docs/operations/nginx-configuration.md
@@ -192,11 +192,20 @@ All security headers are defined at the `server` level so they apply to every re
 execute. With the nonce, only scripts carrying the per-request nonce are allowed. An attacker cannot predict the nonce
 value (it changes on every request), so injected scripts are blocked.
 
-**Why `style-src-elem` + `style-src-attr` split instead of blanket `style-src`?** The `elem`/`attr` split is strictly
-tighter. `style-src-elem 'nonce-...'` blocks injected `<style>` tags (the more dangerous CSS vector for `@font-face` +
-attribute-selector exfiltration). `style-src-attr 'unsafe-inline'` allows `style=""` attributes, which Svelte
-transitions, CodeMirror, and inline style bindings require. CSS attribute injection can only exfiltrate data if
-`img-src`/`connect-src` allow attacker URLs — `default-src 'self'` blocks that channel entirely.
+**Why `style-src-elem` + `style-src-attr` split instead of blanket `style-src`?** CSP Level 3 splits the old
+`style-src` into two directives. `style-src-elem` governs `<style>` tags and `<link rel="stylesheet">` — the dangerous
+vector where an injected `<style>` tag can use `@font-face` + attribute selectors to exfiltrate secrets
+character-by-character. We lock this down with nonces. `style-src-attr` governs `style=""` attributes on elements —
+much lower risk because exfiltration (e.g., `background-image: url(...)`) requires `img-src`/`connect-src` to allow
+attacker domains, and our `default-src 'self'` blocks that channel entirely. We allow `'unsafe-inline'` only on
+`style-src-attr` because Svelte transitions, CodeMirror, and inline style bindings inject `style=""` attributes at
+runtime, where nonces/hashes are impossible (CSP has no mechanism for per-attribute nonces).
+
+!!! note "Scanner false positives"
+    Security scanners that only understand CSP Level 2 (`style-src`) will flag `'unsafe-inline'` without recognizing
+    the Level 3 `style-src-elem` / `style-src-attr` split. Since `style-src-elem` is nonce-locked, the
+    `'unsafe-inline'` on `style-src-attr` does not weaken the policy — the dangerous CSS vector (`<style>` tag
+    injection) is already blocked.
 
 #### Other security headers
 
@@ -256,10 +265,10 @@ the `server` level apply uniformly to all responses:
 | `location /`                  | No                | Yes                         |
 
 !!! warning "Adding `add_header` to a location"
-If you need to add a response header in a specific location, you must **repeat all five security headers** in that
-same block, or use the `always` parameter with an `include` file. Prefer solving the problem without `add_header`
-when possible (e.g., use `proxy_set_header` for upstream-facing headers, or let the backend set its own response
-headers).
+    If you need to add a response header in a specific location, you must **repeat all five security headers** in that
+    same block, or use the `always` parameter with an `include` file. Prefer solving the problem without `add_header`
+    when possible (e.g., use `proxy_set_header` for upstream-facing headers, or let the backend set its own response
+    headers).
 
 ### `proxy_set_header` vs `add_header`
 
diff --git a/frontend/public/index.html b/frontend/public/index.html
@@ -23,6 +23,7 @@
         .app-loading-inner { text-align: center; }
         .app-loading-spinner { width: 40px; height: 40px; border: 3px solid #f3f4f6; border-top-color: #3b82f6; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto; }
         .app-loading-hidden { display: none; }
+        .sr-only { position: absolute; width: 1px; height: 1px; padding: 0; margin: -1px; overflow: hidden; clip: rect(0,0,0,0); white-space: nowrap; border: 0; }
         @keyframes spin { to { transform: rotate(360deg); } }
     </style>
 
@@ -31,9 +32,10 @@
 </head>
 
 <body>
-    <div id="app-loading" class="app-loading">
+    <div id="app-loading" class="app-loading" role="status" aria-live="polite" aria-busy="true">
         <div class="app-loading-inner">
-            <div class="app-loading-spinner"></div>
+            <div class="app-loading-spinner" aria-hidden="true"></div>
+            <span class="sr-only">Loading…</span>
         </div>
     </div>
     <script nonce="**CSP_NONCE**">
