Add anti-XSS horizon vhost options
New header values: Header X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff Header always append X-Frame-Options SAMEORIGIN Disabled directory index listing. Added spec for openstack::horizon Fixed fixtures+git refs to run openstack::horizon in rspec correctly. Change-Id: I50eb6104134f98fa61283f8ddda7449f92e99783 Closes-Bug: #1496407
parent
1514ab0fc2
commit
77ac09e275
|
@ -1,6 +1,10 @@
|
|||
fixtures:
|
||||
repositories:
|
||||
'apache':
|
||||
repo: 'https://review.fuel-infra.org/puppet-modules/puppetlabs-apache.git'
|
||||
branch: '1.6.0'
|
||||
'apt': 'https://github.com/puppetlabs/puppetlabs-apt.git'
|
||||
'concat': 'https://github.com/ripienaar/puppet-concat.git'
|
||||
'stdlib': 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
|
||||
'sysctl': 'https://github.com/duritong/puppet-sysctl.git'
|
||||
'inifile': 'https://github.com/puppetlabs/puppetlabs-inifile.git'
|
||||
|
@ -8,6 +12,9 @@ fixtures:
|
|||
'openstacklib':
|
||||
repo: 'https://review.fuel-infra.org/puppet-modules/puppet-openstacklib.git'
|
||||
branch: '7.0.0-mos-rc2'
|
||||
'horizon':
|
||||
repo: 'https://review.fuel-infra.org/puppet-modules/puppet-horizon.git'
|
||||
branch: 'mos-8.0'
|
||||
'keystone':
|
||||
repo: 'https://review.fuel-infra.org/puppet-modules/puppet-keystone.git'
|
||||
branch: '7.0.0-mos-rc2'
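Review bot: The `horizon` fixture follows `branch: 'mos-8.0'`, a moving ref, so the code a spec run pulls in can change without any change in this repository. The bare-URL entries (`apt`, `concat`, `stdlib`, `sysctl`, `inifile`) carry no ref at all and have the same problem. Which of these lines the commit adds is inferred from the hunk counts, because the page has lost its +/- markers. For reproducible and reviewable test inputs, pin each fixture to a tag or commit, for example `ref: '<tag-or-commit-sha>'` next to the `repo:` key.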
|
||||
|
|
|
@ -44,6 +44,10 @@ class openstack::horizon (
|
|||
$cache_options = undef,
|
||||
$log_handler = 'file',
|
||||
$custom_theme_path = undef,
|
||||
$apache_options = '-Indexes',
|
||||
$headers = ['set X-XSS-Protection "1; mode=block"',
|
||||
'set X-Content-Type-Options nosniff',
|
||||
'always append X-Frame-Options SAMEORIGIN'],
|
||||
) {
|
||||
|
||||
if $debug { #syslog and nondebug case
|
||||
|
@ -108,10 +112,12 @@ class openstack::horizon (
|
|||
wsgi_threads => $wsgi_threads,
|
||||
listen_ssl => $use_ssl,
|
||||
extra_params => {
|
||||
default_vhost => true,
|
||||
add_listen => false,
|
||||
setenvif => 'X-Forwarded-Proto https HTTPS=1',
|
||||
custom_fragment => template('openstack/horizon/wsgi_vhost_custom.erb'),
|
||||
default_vhost => true,
|
||||
headers => $headers,
|
||||
options => $apache_options,
|
||||
setenvif => 'X-Forwarded-Proto https HTTPS=1',
|
||||
},
|
||||
} ~>
|
||||
Service[$::apache::params::service_name]
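Review bot: The first two default `$headers` entries use `set` without the `always` condition, while the X-Frame-Options entry has it. In mod_headers the default condition does not add the header to error responses, so X-XSS-Protection and X-Content-Type-Options would be missing there. Making the three consistent closes that gap: `'always set X-XSS-Protection "1; mode=block"'`, `'always set X-Content-Type-Options nosniff'`, `'always set X-Frame-Options SAMEORIGIN'`. `set` is also the safer action for X-Frame-Options, since `append` merges with any existing value of the same name and this header is meant to carry a single value. The class header starts outside the hunk; no documentation for `$headers` and `$apache_options` is visible, and a `# [*headers*]` / `# [*apache_options*]` entry would tell operators that overriding either replaces these defaults.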
|
||||
|
|
|
@ -15,12 +15,13 @@ repos:
|
|||
git://github.com/saz/puppet-memcached: memcached
|
||||
git://github.com/puppetlabs/puppetlabs-rsync: rsync
|
||||
# other deps
|
||||
git://github.com/puppetlabs/puppetlabs-xinetd: xinetd
|
||||
git://github.com/saz/puppet-ssh: ssh
|
||||
git://github.com/puppetlabs/puppetlabs-stdlib: stdlib
|
||||
git://github.com/puppetlabs/puppetlabs-apache: apache
|
||||
git://github.com/puppetlabs/puppetlabs-apt: apt
|
||||
git://github.com/ripienaar/puppet-concat: concat
|
||||
git://github.com/duritong/puppet-sysctl.git: sysctl
|
||||
git://github.com/saz/puppet-ssh: ssh
|
||||
git://github.com/puppetlabs/puppetlabs-stdlib: stdlib
|
||||
git://github.com/duritong/puppet-sysctl: sysctl
|
||||
git://github.com/puppetlabs/puppetlabs-xinetd: xinetd
|
||||
checkout_branches:
|
||||
# keystone: dev
|
||||
# glance: dev
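Review bot: Every module source in this list, including the `apache`, `apt` and `concat` entries this change appears to add, is fetched over `git://`, which gives neither server authentication nor integrity protection in transit. The fixtures file in the same commit already uses `https://` URLs, and the same form can be used here, e.g. `https://github.com/puppetlabs/puppetlabs-apache: apache`. Which lines are new is inferred from the hunk counts, since the +/- markers are lost on this page.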
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'openstack::horizon' do
|
||||
|
||||
let(:default_params) { {
|
||||
:debug => false,
|
||||
:fqdn => 'some.host.tld'
|
||||
} }
|
||||
|
||||
let(:params) { {
|
||||
:secret_key => 'very_secret_key'
|
||||
} }
|
||||
|
||||
let :facts do
|
||||
{ :concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld'
|
||||
}
|
||||
end
|
||||
|
||||
shared_examples_for 'horizon configuration' do
|
||||
let :p do
|
||||
default_params.merge(params)
|
||||
end
|
||||
|
||||
|
||||
context 'with a default config' do
|
||||
it 'contains openstack::horizon' do
|
||||
should contain_class('openstack::horizon')
|
||||
end
|
||||
|
||||
it 'contains horizon::wsgi::apache' do
|
||||
if facts[:osfamily] == 'Debian'
|
||||
custom_fragment = "\n<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>\n Order allow,deny\n Allow from all\n</Directory>\n\n"
|
||||
elsif facts[:osfamily] == 'RedHat'
|
||||
custom_fragment = "\n<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>\n <IfModule mod_deflate.c>\n SetOutputFilter DEFLATE\n <IfModule mod_headers.c>\n # Make sure proxies don’t deliver the wrong content\n Header append Vary User-Agent env=!dont-vary\n </IfModule>\n </IfModule>\n\n Order allow,deny\n Allow from all\n</Directory>\n\n<Directory /usr/share/openstack-dashboard/static>\n <IfModule mod_expires.c>\n ExpiresActive On\n ExpiresDefault \"access 6 month\"\n </IfModule>\n <IfModule mod_deflate.c>\n SetOutputFilter DEFLATE\n </IfModule>\n\n Order allow,deny\n Allow from all\n</Directory>\n\n"
|
||||
end
|
||||
|
||||
should contain_class('horizon::wsgi::apache').with(
|
||||
:extra_params => {
|
||||
'add_listen' => false,
|
||||
'custom_fragment' => custom_fragment,
|
||||
'default_vhost' => true,
|
||||
'headers' => ["set X-XSS-Protection \"1; mode=block\"", "set X-Content-Type-Options nosniff", "always append X-Frame-Options SAMEORIGIN"],
|
||||
'options' => '-Indexes',
|
||||
'setenvif' => 'X-Forwarded-Proto https HTTPS=1' }
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'on Debian platforms' do
|
||||
before do
|
||||
facts.merge!(
|
||||
{ :osfamily => 'Debian',
|
||||
:operatingsystem => 'Debian',
|
||||
:operatingsystemrelease => '8',
|
||||
:hostname => 'hostname.example.com',
|
||||
:physicalprocessorcount => 2,
|
||||
:memorysize_mb => 1024,
|
||||
:openstack_version => {'nova' => 'present' },
|
||||
})
|
||||
end
|
||||
|
||||
it_configures 'horizon configuration'
|
||||
end
|
||||
|
||||
context 'on RedHat platforms' do
|
||||
before do
|
||||
facts.merge!(
|
||||
{ :osfamily => 'RedHat',
|
||||
:operatingsystem => 'RedHat',
|
||||
:operatingsystemrelease => '6.6',
|
||||
:hostname => 'hostname.example.com',
|
||||
:physicalprocessorcount => 2,
|
||||
:memorysize_mb => 1024,
|
||||
:openstack_version => {'nova' => 'present' },
|
||||
})
|
||||
end
|
||||
|
||||
it_configures 'horizon configuration'
|
||||
end
|
||||
|
||||
end
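Review bot: The shared example pins only the default header list, so nothing checks that a caller-supplied `headers` or `apache_options` value reaches `horizon::wsgi::apache`. A second context that sets e.g. `:headers => ['always set X-Frame-Options DENY']` and asserts it in `extra_params` would guard the override path. `let :p` merges `default_params` into `params` but is never referenced, so `:debug` and `:fqdn` never reach the class; either drop `default_params` and `p` or fold the intended values into `let(:params)`. `custom_fragment` stays nil when `facts[:osfamily]` is neither 'Debian' nor 'RedHat', so an `else` branch that fails the example would make an unexpected platform visible.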
|
||||
|