Add the ability to define CSRF_TRUSTED_ORIGINS

This change adds the ability within horizon to define a list of domains
which are trusted through the CSRF functions of django.

Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter <kevin@cloudnull.com>

defaults/main.yml

@@ -278,6 +278,12 @@ horizon_show_keystone_v2_rc: True
 ## alternatively, you can set horizon to turn off ssl verification for Keystone
 horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
 
+## Horizon Cross-Site Request Forgery Trusted Hosts
+# add a list of domains that are trusted when evaluated requests for Cross-Site Request Forgery
+# This is useful when terminating SSL outside of the cloud on a domain that isn't directly tied
+# to the hosts that are operating the cloud.
+horizon_ssl_csrf_trusted_origins: []
+
 ## The role which Horizon should use as a default for users
 horizon_default_role_name: _member_
 

releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The ability to define trusted Cross-Site Request Forgery domains hsa been
+    added with the `horizon_ssl_csrf_trusted_origins` variable. The new variable
+    is a array of strings and when defined will render the django built-in
+    variable **CSRF_TRUSTED_ORIGINS**.
+
+    https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins

templates/horizon_local_settings.py.j2

@@ -57,6 +57,9 @@ SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
 CSRF_COOKIE_SECURE = True
+{%   if (horizon_ssl_csrf_trusted_origins | length) > 0 %}
+CSRF_TRUSTED_ORIGINS = {{ horizon_ssl_csrf_trusted_origins | to_json }}
+{%   endif %}
 SESSION_COOKIE_SECURE = True
 {% else %}
 # If Horizon is being served through SSL, then uncomment the following two