Add anti-XSS horizon vhost options

New header values:
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN

Disabled directory index listing.

Added spec for openstack::horizon

Fixed fixtures+git refs to run openstack::horizon
in rspec correctly.

Change-Id: I50eb6104134f98fa61283f8ddda7449f92e99783
Closes-Bug: #1496407
Matthew Mosesohn 2015-10-16 16:55:18 +03:00
parent 1514ab0fc2
commit 77ac09e275
5 changed files with 104 additions and 6 deletions


@ -1,6 +1,10 @@
fixtures:
repositories:
'apache':
repo: 'https://review.fuel-infra.org/puppet-modules/puppetlabs-apache.git'
branch: '1.6.0'
'apt': 'https://github.com/puppetlabs/puppetlabs-apt.git'
'concat': 'https://github.com/ripienaar/puppet-concat.git'
'stdlib': 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
'sysctl': 'https://github.com/duritong/puppet-sysctl.git'
'inifile': 'https://github.com/puppetlabs/puppetlabs-inifile.git'
@ -8,6 +12,9 @@ fixtures:
'openstacklib':
repo: 'https://review.fuel-infra.org/puppet-modules/puppet-openstacklib.git'
branch: '7.0.0-mos-rc2'
'horizon':
repo: 'https://review.fuel-infra.org/puppet-modules/puppet-horizon.git'
branch: 'mos-8.0'
'keystone':
repo: 'https://review.fuel-infra.org/puppet-modules/puppet-keystone.git'
branch: '7.0.0-mos-rc2'
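Review bot: The new `apache` fixture is pinned to `1.6.0` and `horizon` to `mos-8.0`, but the `apt`, `concat`, `stdlib`, `sysctl` and `inifile` entries next to them are bare URLs that fetch whatever the repository's default branch is at run time, so the `openstack::horizon` spec this commit adds is not reproducible and an upstream push can change what gets tested or pull in unreviewed code (those bare entries may predate this change; the rendered view does not show which lines are new). I would give them the same `repo:`/`branch:` form as `apache`, e.g. `'stdlib':` / `repo: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'` / `branch: '<tag>'`. Note also that a moving branch such as `mos-8.0` pins nothing; a tag or commit does.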


@ -44,6 +44,10 @@ class openstack::horizon (
$cache_options = undef,
$log_handler = 'file',
$custom_theme_path = undef,
$apache_options = '-Indexes',
$headers = ['set X-XSS-Protection "1; mode=block"',
'set X-Content-Type-Options nosniff',
'always append X-Frame-Options SAMEORIGIN'],
) {
if $debug { #syslog and nondebug case
@ -108,10 +112,12 @@ class openstack::horizon (
wsgi_threads => $wsgi_threads,
listen_ssl => $use_ssl,
extra_params => {
default_vhost => true,
add_listen => false,
setenvif => 'X-Forwarded-Proto https HTTPS=1',
custom_fragment => template('openstack/horizon/wsgi_vhost_custom.erb'),
default_vhost => true,
headers => $headers,
options => $apache_options,
setenvif => 'X-Forwarded-Proto https HTTPS=1',
},
} ~>
Service[$::apache::params::service_name]
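Review bot: `'always append X-Frame-Options SAMEORIGIN'` in the new `$headers` default concatenates rather than replaces, so if the Horizon/Django application already emits its own X-Frame-Options (its XFrameOptionsMiddleware does in the releases I know of — confirm for this branch) the client receives `X-Frame-Options: SAMEORIGIN, SAMEORIGIN`, which browsers treat as invalid and ignore, silently dropping the clickjacking protection. I would use `'always set X-Frame-Options SAMEORIGIN'` instead. The other two entries should also carry `always`, since the non-`always` header table is not applied to responses Apache generates itself (error pages): `'always set X-XSS-Protection "1; mode=block"'` and `'always set X-Content-Type-Options nosniff'`. When `$use_ssl` is true a `Strict-Transport-Security` entry would be the natural companion here. The `openstack::horizon` class body continues outside both hunks.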


@ -15,12 +15,13 @@ repos:
git://github.com/saz/puppet-memcached: memcached
git://github.com/puppetlabs/puppetlabs-rsync: rsync
# other deps
git://github.com/puppetlabs/puppetlabs-xinetd: xinetd
git://github.com/saz/puppet-ssh: ssh
git://github.com/puppetlabs/puppetlabs-stdlib: stdlib
git://github.com/puppetlabs/puppetlabs-apache: apache
git://github.com/puppetlabs/puppetlabs-apt: apt
git://github.com/ripienaar/puppet-concat: concat
git://github.com/duritong/puppet-sysctl.git: sysctl
git://github.com/saz/puppet-ssh: ssh
git://github.com/puppetlabs/puppetlabs-stdlib: stdlib
git://github.com/duritong/puppet-sysctl: sysctl
git://github.com/puppetlabs/puppetlabs-xinetd: xinetd
checkout_branches:
# keystone: dev
# glance: dev
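Review bot: The added `apache`, `apt` and `concat` entries (and the re-sorted ones around them) use the `git://` transport, which is cleartext and unauthenticated, so the modules this helper checks out for testing have no origin or integrity guarantee; the fixtures file in this same commit already uses `https://github.com/...`, and I would do the same here, e.g. `https://github.com/puppetlabs/puppetlabs-apache: apache`. With `checkout_branches` entries commented out below, these also track the default branch, so the revision under test is not reproducible — that may be intentional for this helper. Which of lines 81–91 are reorderings versus pure additions is not recoverable from the rendered view.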


@ -0,0 +1,84 @@
require 'spec_helper'
describe 'openstack::horizon' do
let(:default_params) { {
:debug => false,
:fqdn => 'some.host.tld'
} }
let(:params) { {
:secret_key => 'very_secret_key'
} }
let :facts do
{ :concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'some.host.tld'
}
end
shared_examples_for 'horizon configuration' do
let :p do
default_params.merge(params)
end
context 'with a default config' do
it 'contains openstack::horizon' do
should contain_class('openstack::horizon')
end
it 'contains horizon::wsgi::apache' do
if facts[:osfamily] == 'Debian'
custom_fragment = "\n<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>\n Order allow,deny\n Allow from all\n</Directory>\n\n"
elsif facts[:osfamily] == 'RedHat'
custom_fragment = "\n<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>\n <IfModule mod_deflate.c>\n SetOutputFilter DEFLATE\n <IfModule mod_headers.c>\n # Make sure proxies dont deliver the wrong content\n Header append Vary User-Agent env=!dont-vary\n </IfModule>\n </IfModule>\n\n Order allow,deny\n Allow from all\n</Directory>\n\n<Directory /usr/share/openstack-dashboard/static>\n <IfModule mod_expires.c>\n ExpiresActive On\n ExpiresDefault \"access 6 month\"\n </IfModule>\n <IfModule mod_deflate.c>\n SetOutputFilter DEFLATE\n </IfModule>\n\n Order allow,deny\n Allow from all\n</Directory>\n\n"
end
should contain_class('horizon::wsgi::apache').with(
:extra_params => {
'add_listen' => false,
'custom_fragment' => custom_fragment,
'default_vhost' => true,
'headers' => ["set X-XSS-Protection \"1; mode=block\"", "set X-Content-Type-Options nosniff", "always append X-Frame-Options SAMEORIGIN"],
'options' => '-Indexes',
'setenvif' => 'X-Forwarded-Proto https HTTPS=1' }
)
end
end
end
context 'on Debian platforms' do
before do
facts.merge!(
{ :osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '8',
:hostname => 'hostname.example.com',
:physicalprocessorcount => 2,
:memorysize_mb => 1024,
:openstack_version => {'nova' => 'present' },
})
end
it_configures 'horizon configuration'
end
context 'on RedHat platforms' do
before do
facts.merge!(
{ :osfamily => 'RedHat',
:operatingsystem => 'RedHat',
:operatingsystemrelease => '6.6',
:hostname => 'hostname.example.com',
:physicalprocessorcount => 2,
:memorysize_mb => 1024,
:openstack_version => {'nova' => 'present' },
})
end
it_configures 'horizon configuration'
end
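Review bot: The new spec only asserts the literal default `headers` and `options` values, so it would still pass if `$headers`/`$apache_options` were hard-coded in the class rather than plumbed into `extra_params`; a second context that passes e.g. `:headers => ['always set X-Frame-Options DENY']` and `:apache_options => '-Indexes -FollowSymLinks'` and expects them in `horizon::wsgi::apache` would actually prove the parameters work. The `custom_fragment` expectation duplicates the full rendered template per osfamily, which will fail with an unreadable diff on any template edit; matching the security-relevant parts with `include` (the `<Directory ...>` access blocks) or moving the strings into `let` fixtures would be more maintainable. The `if`/`elsif` inside the `it` block leaves `custom_fragment` nil for any other osfamily, which is harmless given the two contexts but worth a comment.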
end