From 8b4a31d9a69cd9a4133fec795b3ebc3e99c2b5ef Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 10 May 2022 11:33:04 +0900
Subject: [PATCH] Horizon: Support Strict-Transport-Security header

This allows operators to enable HTTP Strict-Transport-Security (HSTS) for Horizon endpoint, to enforce usage of SSL.

Change-Id: I20c2aee6af03af96a4a2022681eabba75a6acf00
(cherry picked from commit 837abea1f385851aa9d67848867f63ae820f3b5c)
---
 manifests/haproxy/horizon_endpoint.pp | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/manifests/haproxy/horizon_endpoint.pp b/manifests/haproxy/horizon_endpoint.pp
index 0cb511476..5b9d684a2 100644
--- a/manifests/haproxy/horizon_endpoint.pp
+++ b/manifests/haproxy/horizon_endpoint.pp
@@ -71,6 +71,10 @@
 # (false means disabled, and true means enabled)
 # Defaults to hiera('tripleo::firewall::manage_firewall', true)
 #
+# [*hsts_header_value*]
+# (optional) Adds the HTTP Strict Transport Securiy (HSTS) header to
+# response. This takes effect only when public_certificate is set.
+# Defaults to undef
 class tripleo::haproxy::horizon_endpoint (
 $internal_ip,
 $ip_addresses,
@@ -83,6 +87,7 @@ class tripleo::haproxy::horizon_endpoint (
 $internal_certificates_specs = {},
 $service_network = undef,
 $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
+ $hsts_header_value = undef,
 ) {
 # Let users override the options on a per-service basis
 $custom_options = hiera('tripleo::haproxy::horizon::options', undef)
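Review bot: The new parameter comment in the first hunk misspells the header name; the line should read `#   (optional) Adds the HTTP Strict Transport Security (HSTS) header to`. It would also help operators to state what shape the value takes: the implementation in the later hunk passes it through `any2array` and joins the elements with `'; '`, so either a single directive string or an array of directives is accepted, and a line such as `#   Accepts a single directive string or an array of directives.` belongs here. The claim that the header "takes effect only when public_certificate is set" should be checked against the code that consumes the new frontend options, because the condition added in the later hunk tests only `$hsts_header_value` itself and the consuming code is outside this diff.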
@@ -120,9 +125,24 @@ class tripleo::haproxy::horizon_endpoint (
 "${public_virtual_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_public),
 "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public),
 }
+<<<<<<< HEAD (e60b46 Fix regression of Nova dhcp_domain handling)
 $horizon_options = merge({
 'cookie' => 'SERVERID insert indirect nocache',
 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+=======
+
+ if $hsts_header_value != undef {
+ $hsts_header_value_real = join(any2array($hsts_header_value), '; ')
+ $hsts_response = "set-header Strict-Transport-Security \"${hsts_header_value_real};\""
+ } else {
+ $hsts_response = undef
+ }
+
+ $horizon_frontend_options = {
+ 'http-response' => delete_undef_values([
+ 'replace-header Location http://(.*) https://\\1',
+ $hsts_response]),
+>>>>>>> CHANGE (c8890f Horizon: Support Strict-Transport-Security header)
 # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
 'redirect' => 'scheme https code 301 if !{ ssl_fc }',
 'option' => [ 'forwardfor', 'httpchk' ],
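Review bot: This hunk adds the cherry-pick conflict markers as literal new-side lines (`+<<<<<<< HEAD ...`, `+=======`, `+>>>>>>> CHANGE ...`), so both the HEAD prefix `$horizon_options = merge({ ... 'rsprep' => ...` and the new `$horizon_frontend_options = { 'http-response' => delete_undef_values([ ...` block would land in the manifest and it would not parse; the conflict must be resolved before this is mergeable, and since the new `replace-header Location http://(.*) https://\\1` rule appears to be the `http-response` form of the old `rsprep` rewrite, only one of the two should survive. Separately, `$hsts_header_value_real` is interpolated into the `set-header` directive inside the escaped double quotes with no quoting, so a value containing `"` or a backslash would corrupt the generated HAProxy frontend; the value is operator-supplied hiera rather than request data, so this is a robustness concern, but a comment such as `# emitted verbatim inside the quoted set-header argument; must not contain '"'` would make the constraint explicit. The `!= undef` guard also admits an empty string or empty array and then emits `Strict-Transport-Security ";"`, which the header grammar tolerates but is almost certainly unintended; `if $hsts_header_value != undef and !empty($hsts_header_value) {` would skip it. The enclosing class body starts before and continues after this hunk, and the place where `$horizon_frontend_options` is attached to the listen block is not visible here.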