From 10126daa9ceaa98ef8cf84331880d1fcc4d4b7b9 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 7 Sep 2022 21:08:31 -0500
Subject: [PATCH] Add the ability to define CSRF_TRUSTED_ORIGINS

This change adds the ability within horizon to define a list of domains which are trusted through the CSRF functions of django.

Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter
---
 defaults/main.yml | 6 ++++++
 ...orizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml | 9 +++++++++
 templates/horizon_local_settings.py.j2 | 3 +++
 3 files changed, 18 insertions(+)
 create mode 100644 releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 68095b5d..a6c47f81 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -278,6 +278,12 @@ horizon_show_keystone_v2_rc: True
 ## alternatively, you can set horizon to turn off ssl verification for Keystone
 horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
 
+## Horizon Cross-Site Request Forgery Trusted Hosts
+# add a list of domains that are trusted when evaluated requests for Cross-Site Request Forgery
+# This is useful when terminating SSL outside of the cloud on a domain that isn't directly tied
+# to the hosts that are operating the cloud.
+horizon_ssl_csrf_trusted_origins: []
+
 ## The role which Horizon should use as a default for users
 horizon_default_role_name: _member_
 
diff --git a/releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml b/releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml
new file mode 100644
index 00000000..138a953b
--- /dev/null
+++ b/releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml
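Review bot: The comment above `horizon_ssl_csrf_trusted_origins` describes the value as "a list of domains", but since Django 4.0 each entry of CSRF_TRUSTED_ORIGINS must be a full origin including the scheme (for example `https://dashboard.example.com`, or `https://*.example.com` for a subdomain wildcard), and a bare hostname is rejected by Django's startup system check rather than being applied. An operator reading only this default will most likely set a hostname and get a broken deployment. I would reword the comment to `# list of origins (scheme included, e.g. "https://dashboard.example.com") that Django accepts as the source of state-changing requests; needed when TLS is terminated on a front end whose public name differs from the hosts serving Horizon`, which also fixes the phrase "when evaluated requests". Each entry widens the set of origins Horizon trusts for CSRF purposes, so the comment could add that the list should contain only the public front-end origins actually in use.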
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The ability to define trusted Cross-Site Request Forgery domains hsa been
+ added with the `horizon_ssl_csrf_trusted_origins` variable. The new variable
+ is a array of strings and when defined will render the django built-in
+ variable **CSRF_TRUSTED_ORIGINS**.
+
+ https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins
diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2
index 862a090c..ed8a486e 100644
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@@ -57,6 +57,9 @@ SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
 CSRF_COOKIE_SECURE = True
+{% if (horizon_ssl_csrf_trusted_origins | length) > 0 %}
+CSRF_TRUSTED_ORIGINS = {{ horizon_ssl_csrf_trusted_origins | to_json }}
+{% endif %}
 SESSION_COOKIE_SECURE = True
 {% else %}
 # If Horizon is being served through SSL, then uncomment the following two
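Review bot: The new `CSRF_TRUSTED_ORIGINS` line renders the list entries unchanged, so nothing in the role catches an entry that lacks its scheme, which Django 4.0 and later refuse at startup; a short comment in the template next to the rendered line, `# entries must be full origins with scheme, e.g. "https://dashboard.example.com"`, would point operators at the cause when that check fires. The guard `{% if (horizon_ssl_csrf_trusted_origins | length) > 0 %}` can be written as the simpler and equivalent `{% if horizon_ssl_csrf_trusted_origins %}`, since an empty list is falsy in Jinja. Rendering via `to_json` is fine here because a JSON list of strings is also a valid Python list literal, but that assumption is worth a one-line comment as well. The enclosing `{% if %}` block whose `{% else %}` is visible here starts before the hunk, so I cannot confirm which condition gates this SSL branch.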