Enable SESSION_COOKIE_SECURE & CSRF_COOKIE_SECURE

Bug #1640491 reported by Luke Hinds
This bug affects 1 person

Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Luke Hinds

Bug Description

Currently SESSION_COOKIE_SECURE & CSRF_COOKIE_SECURE are set to False. The reason for this is horizon currently listens on HTTP, with TLS connections terminated on a HAProxy front end.

If SESSION_COOKIE_SECURE & CSRF_COOKIE_SECURE are enabled on an HTTP-only connection, CSRF verification will fail, resulting in a 403 return code.

This Launchpad bug is meant to track that, when 'TLS everywhere' is implemented and TLS also runs on the internal connection to horizon / apache, we also enable SESSION_COOKIE_SECURE & CSRF_COOKIE_SECURE within the horizon tripleo-heat-templates.

HTTPS redirects can also be implemented under the TLS everywhere work using SECURE_SSL_REDIRECT and *possibly* for HTTP Strict Transport Security using SECURE_HSTS_SECONDS and SECURE_HSTS_INCLUDE_SUBDOMAINS (possibly as it might require horizon core to ack this as a non breaking set of values to use).

Details of each setting type may be found in the following:

https://docs.djangoproject.com/en/1.10/topics/security/#ssl-https
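As an added example, not code from this bug, TripleO, puppet-horizon or Horizon itself, the Python below does two things a deployer would want before flipping these settings: it models why a Secure csrftoken cookie produces the 403 described above when the browser reaches Horizon over plain HTTP (the browser simply does not return a Secure cookie on an http:// request, so the CSRF check has no cookie to compare against), and it audits a response's headers for the Secure attribute on the session and CSRF cookies and for the Strict-Transport-Security header that SECURE_HSTS_SECONDS would add. Assumptions: Django's default cookie names `sessionid` and `csrftoken`; a simplified model of Django's CsrfViewMiddleware that only compares cookie and form token (the real middleware also checks Referer/Origin and masks the token); the scheme passed in is the one the browser sees; and the sample headers are constructed, not captured from a deployment.

```python
"""Added example: why CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE break a
Horizon reached over plain HTTP, plus a header audit for the TLS-everywhere
settings this bug tracks.  Not code from the bug, TripleO or Horizon."""

from typing import Dict, List, Tuple

# Django's default cookie names (assumption: Horizon does not override them).
SESSION_COOKIE = "sessionid"
CSRF_COOKIE = "csrftoken"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure or
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def browser_would_send(attrs: Dict[str, str], scheme: str) -> bool:
    """Cookie rule behind the 403 in the bug: a cookie carrying the Secure
    attribute is only returned by the browser on https:// requests."""
    return scheme == "https" or "secure" not in attrs


def csrf_check(request_cookies: Dict[str, str], form_token: str) -> int:
    """Simplified model (assumption) of Django's CsrfViewMiddleware decision:
    the csrftoken cookie must be present and match the token submitted with
    the form, otherwise the POST is rejected with 403.  Referer/Origin checks
    and token masking of the real middleware are omitted."""
    cookie = request_cookies.get(CSRF_COOKIE)
    if cookie is None or cookie != form_token:
        return 403
    return 200


def simulate_post(set_cookie_headers: List[str], scheme: str) -> int:
    """Browser loads the login page over `scheme`, stores the Set-Cookie
    headers, then POSTs the form (carrying the csrftoken value) over the same
    scheme.  Returns the status the CSRF check would produce."""
    jar = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        jar[name] = (value, attrs)
    sent = {n: v for n, (v, a) in jar.items() if browser_would_send(a, scheme)}
    form_token = jar.get(CSRF_COOKIE, ("", {}))[0]
    return csrf_check(sent, form_token)


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Check a response (header names lower-cased, values as lists) for the
    hardening this bug tracks.  Returns a list of findings; empty means OK."""
    findings: List[str] = []
    cookies = {}
    for header in headers.get("set-cookie", []):
        name, _, attrs = parse_set_cookie(header)
        cookies[name] = attrs
    for name, setting in ((SESSION_COOKIE, "SESSION_COOKIE_SECURE"),
                          (CSRF_COOKIE, "CSRF_COOKIE_SECURE")):
        attrs = cookies.get(name)
        if attrs is None:
            findings.append(f"{name}: cookie not set in this response")
        elif "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute (expect {setting} = True)")
    if not headers.get("strict-transport-security"):
        findings.append("no Strict-Transport-Security header (SECURE_HSTS_SECONDS unset)")
    return findings


# Constructed sample headers, not captured from a real deployment.
# Current TripleO layout: TLS ends at HAProxy, Horizon emits cookies without Secure.
HTTP_BEHIND_HAPROXY = {
    "set-cookie": [
        f"{SESSION_COOKIE}=7f3c9a; Path=/; HttpOnly",
        f"{CSRF_COOKIE}=e1d2c3; Path=/",
    ],
}
# TLS-everywhere layout: secure_cookies enabled and HSTS sent.
TLS_EVERYWHERE = {
    "set-cookie": [
        f"{SESSION_COOKIE}=7f3c9a; Path=/; Secure; HttpOnly",
        f"{CSRF_COOKIE}=e1d2c3; Path=/; Secure",
    ],
    "strict-transport-security": ["max-age=31536000; includeSubDomains"],
}

if __name__ == "__main__":
    # Secure cookies on a plain-HTTP Horizon: the bug's 403.
    print("secure cookies over http:", simulate_post(TLS_EVERYWHERE["set-cookie"], "http"))
    print("secure cookies over https:", simulate_post(TLS_EVERYWHERE["set-cookie"], "https"))
    for label, resp in (("haproxy-terminated", HTTP_BEHIND_HAPROXY),
                        ("tls-everywhere", TLS_EVERYWHERE)):
        print(label, audit(resp) or ["OK"])
```

Feeding real headers to `audit()` (for example from `curl -sI https://<horizon>/dashboard/auth/login/`) is the quick check that the `secure_cookies` parameter and the HSTS settings actually took effect after the templates change lands; the simulation is the reason not to enable them until the connection the browser uses is HTTPS end to end.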

Luke Hinds (lhinds)
Changed in tripleo:
status: New → Triaged
Changed in tripleo:
milestone: none → ocata-3
Luke Hinds (lhinds)
description: updated
description: updated
Changed in tripleo:
milestone: ocata-3 → pike-1
Luke Hinds (lhinds)
Changed in tripleo:
status: Triaged → Fix Committed
Julie Pichon (jpichon)
Changed in tripleo:
milestone: pike-1 → ocata-3
status: Fix Committed → Fix Released
Luke Hinds (lhinds) wrote :

I incorrectly closed this, as it still needs a THT patch to land (so far only puppet-horizon is set up), setting this to Pike.

Changed in tripleo:
status: Fix Released → Triaged
milestone: ocata-3 → pike-1
Luke Hinds (lhinds)
Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/442467

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/442467
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=2c4aee2a5ce08bcbf7ebe3f13c0818a8ca7a5319
Submitter: Jenkins
Branch: master

commit 2c4aee2a5ce08bcbf7ebe3f13c0818a8ca7a5319
Author: lhinds <email address hidden>
Date: Tue Mar 7 13:13:52 2017 +0000

    Adds Horizon secure cookie map.

    Puppet-horizon already contains a `secure_cookies` parameter, that
    sets `CSRF_COOKIE_SECURE` and `SESSION_COOKIE_SECURE` within
    `/templates/local_settings.py.erb`.

    This change introduces the services map for TripleO Heat Templates

    Change-Id: Ie6f6158929c33da8c5f245e2379aebe1afd524ef
    Closes-bug: #1640491

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0b1 development milestone.
