Manage disallow_iframe_embed with puppet manifest

DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in deployment Change-Id: I5c540e552efe738bdec8598f9257fa22ae651a76 Related-Bug: #1641882
2016-12-09 08:28:57 +00:00 · 2016-12-09 08:28:57 +00:00 · 218c35ea7b
parent d454208d7e
commit 218c35ea7b
4 changed files with 30 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -299,6 +299,12 @@
 #    recommended if you're running horizon behind a proxy.
 #    Defaults to false
 #
+#  [*disallow_iframe_embed*]
+#    (optional)DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+#    within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+#    Scripting (XFS) vulnerability, so this option allows extra security hardening
+#    where iframes are not used in deployment. Default setting is True.
+#
 # === DEPRECATED group/name
 #
 #  [*fqdn*]
@ -398,6 +404,7 @@ class horizon(
  $disable_password_reveal             = false,
  $enforce_password_check              = false,
  $enable_secure_proxy_ssl_header      = false,
+  $disallow_iframe_embed               = true,
  # DEPRECATED PARAMETERS
  $custom_theme_path                   = undef,
  $fqdn                                = undef,
--- a/releasenotes/notes/disallow_iframe_embed-f0ffa1cabeca5b1e.yaml
+++ b/releasenotes/notes/disallow_iframe_embed-f0ffa1cabeca5b1e.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - Making DISALLOW_IFRAME_EMBED in local_settings.py a configurable value
+    DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+    within an iframe
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@ -442,6 +442,20 @@ describe 'horizon' do
        ])
      end
    end
+
+    context 'with disallow iframe embed enabled' do
+      before do
+        params.merge!({
+                        :disallow_iframe_embed => true
+                      })
+      end
+
+      it 'disallow_iframe_embed is configured' do
+        verify_concat_fragment_contents(catalogue, 'local_settings.py', [
+                                          'HORIZON_CONFIG["disallow_iframe_embed"] = True',
+                                        ])
+      end
+    end
  end

  shared_examples_for 'horizon on RedHat' do
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@ -968,3 +968,7 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # For more information see:
 # http://tinyurl.com/anticlickjack
 #DISALLOW_IFRAME_EMBED = True
+<% if @disallow_iframe_embed == true %>
+HORIZON_CONFIG["disallow_iframe_embed"] = True
+<% end %>
+