From 218c35ea7bc08dd88d936ab79b14e5ce2b94ea44 Mon Sep 17 00:00:00 2001
From: Luke Hinds
Date: Fri, 9 Dec 2016 08:28:57 +0000
Subject: [PATCH] Manage disallow_iframe_embed with puppet manifest

DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in deployment

Change-Id: I5c540e552efe738bdec8598f9257fa22ae651a76
Related-Bug: #1641882
---
 manifests/init.pp | 7 +++++++
 .../disallow_iframe_embed-f0ffa1cabeca5b1e.yaml | 5 +++++
 spec/classes/horizon_init_spec.rb | 14 ++++++++++++++
 templates/local_settings.py.erb | 4 ++++
 4 files changed, 30 insertions(+)
 create mode 100644 releasenotes/notes/disallow_iframe_embed-f0ffa1cabeca5b1e.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index 09229fd5..73810a7c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -299,6 +299,12 @@
 # recommended if you're running horizon behind a proxy.
 # Defaults to false
 #
+# [*disallow_iframe_embed*]
+# (optional)DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+# Scripting (XFS) vulnerability, so this option allows extra security hardening
+# where iframes are not used in deployment. Default setting is True.
+#
 # === DEPRECATED group/name
 #
 # [*fqdn*]
@@ -398,6 +404,7 @@ class horizon(
 $disable_password_reveal = false,
 $enforce_password_check = false,
 $enable_secure_proxy_ssl_header = false,
+ $disallow_iframe_embed = true,
 # DEPRECATED PARAMETERS
 $custom_theme_path = undef,
 $fqdn = undef,
diff --git a/releasenotes/notes/disallow_iframe_embed-f0ffa1cabeca5b1e.yaml b/releasenotes/notes/disallow_iframe_embed-f0ffa1cabeca5b1e.yaml
new file mode 100644
index 00000000..467194a7
--- /dev/null
+++ b/releasenotes/notes/disallow_iframe_embed-f0ffa1cabeca5b1e.yaml
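Review bot: The new parameter doc has a missing space in `(optional)DISALLOW_IFRAME_EMBED`, and "Default setting is True" uses the Python spelling while the Puppet default added to the parameter list below is `true`. The neighbouring entries visible in the hunk use the form "Defaults to false", so `#   (optional) DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded` followed by `#   Defaults to true` on its own line would keep the header consistent with the rest of the file.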
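Review bot: `$disallow_iframe_embed = true` is added to the parameter list with no visible type check, and the template that consumes it compares the value with `== true`, so a string such as `'true'` coming from Hiera would silently leave the clickjacking hardening off instead of failing the catalog. The `horizon` class body is outside the hunk; if the module validates its other boolean parameters with `validate_bool`, a matching `validate_bool($disallow_iframe_embed)` next to them would make a mistyped value fail fast. The class's parameter list starts and ends outside this hunk.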
@@ -0,0 +1,5 @@
+---
+features:
+ - Making DISALLOW_IFRAME_EMBED in local_settings.py a configurable value
+ DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+ within an iframe
diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb
index e4b6bdf3..352bc5dd 100644
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@@ -442,6 +442,20 @@ describe 'horizon' do
 ])
 end
 end
+
+ context 'with disallow iframe embed enabled' do
+ before do
+ params.merge!({
+ :disallow_iframe_embed => true
+ })
+ end
+
+ it 'disallow_iframe_embed is configured' do
+ verify_concat_fragment_contents(catalogue, 'local_settings.py', [
+ 'HORIZON_CONFIG["disallow_iframe_embed"] = True',
+ ])
+ end
+ end
 end
 
 shared_examples_for 'horizon on RedHat' do
diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb
index 0385184a..78c4801c 100644
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@@ -968,3 +968,7 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # For more information see:
 # http://tinyurl.com/anticlickjack
 #DISALLOW_IFRAME_EMBED = True
+<% if @disallow_iframe_embed == true %>
+HORIZON_CONFIG["disallow_iframe_embed"] = True
+<% end %>
+
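Review bot: The new context only sets `:disallow_iframe_embed => true`, which is the same value as the class default, so the example would still pass if the parameter were never wired through to the template. A second context setting `:disallow_iframe_embed => false` and asserting that `HORIZON_CONFIG["disallow_iframe_embed"]` is not rendered into local_settings.py (or is rendered as `False`, depending on how the template is fixed) is the case that actually exercises the parameter; it also documents that turning the hardening off is a deliberate choice. The enclosing `describe 'horizon'` block begins before the hunk.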
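Review bot: `<% if @disallow_iframe_embed == true %>` emits nothing when the parameter is false, so the new option can only switch the setting on and never off, and any non-boolean value (a string `'true'` from Hiera) also renders nothing, silently dropping the clickjacking protection without any error. Rendering the value explicitly, `HORIZON_CONFIG["disallow_iframe_embed"] = <%= @disallow_iframe_embed ? 'True' : 'False' %>`, makes both states of the parameter visible in the generated local_settings.py and gives the spec a line to assert in the false case; a non-boolean string then fails closed (renders `True`) rather than open. The final `+` line adds an empty line at the end of the template that the change does not need.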