New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #10275 -Use secure cookies when SSL #2328
Conversation
|
There were the following issues with the commit message:
Guidelines are available on the Foreman wiki. This message was auto-generated by Foreman's prprocessor |
|
Does this affect non-HTTPS usage? What if require_ssl's disabled? Also the other cookies mentioned in my comment to the ticket should be fixed. |
| @@ -131,7 +131,7 @@ | |||
| config.assets.precompile += javascript.map{|js| js + ".js"} + stylesheets + %w(background-size.htc) | |||
|
|
|||
| # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. | |||
| # config.force_ssl = true | |||
| config.force_ssl = true | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
won't this break provisioning? (which needs http)
|
Setting back to WoC for answers to all of the above questions. |
|
Added secure params to $.cookie on timezone and selected hosts cookies. When without ssl: One thing I am not sure about is provisioning. Any thoughts @domcleal ? |
I don't follow, what aren't you sure about? |
|
@shlomizadok i guess you can use force_ssl: but, imho you would need to look at:
anything else @domcleal ? |
| @@ -131,7 +131,7 @@ | |||
| config.assets.precompile += javascript.map{|js| js + ".js"} + stylesheets + %w(background-size.htc) | |||
|
|
|||
| # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. | |||
| # config.force_ssl = true | |||
| config.force_ssl = true if SETTINGS[:require_ssl] | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config.force_ssl = !!SETTINGS[:require_ssl]There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That seems a bit dangerous if the file is misconfigured, 'false' gets evaluated to true.
6668c02
to
6594736
Compare
| @@ -578,6 +578,10 @@ def test_unset_manage | |||
| Setting[:restrict_registered_smart_proxies] = true | |||
| Setting[:require_ssl_smart_proxies] = true | |||
| SETTINGS[:require_ssl] = true | |||
| # Adding https and certificates or else the request will be redirected | |||
| @request.env['HTTPS'] = 'on' | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since SETTINGS[:require_ssl] = true, I have to simulate an https call, or else I'll be redirected to https (and the response will be 301, and not 403 as expected)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That means you're no longer testing the scenario described on line 576? Instead it seems to test the SSL verification step over HTTPS.
That probably points to this PR needing to add something to disable the redirect in the Foreman::Controller::SmartProxyAuth concern, which currently disables the existing SSL redirect and checking require_ssl itself.
|
Does this obsolete our own require_ssl filter? |
|
@domcleal - removed |
|
@shlomizadok okay, but now we're back to the issue you're originally aiming to fix - the session cookie has no secure flag. See the link I mentioned in my last reply, about setting the session options - is that an alternative way? (Currently this PR only fixes two non-session cookies, and simply refactors our redirects.) |
|
@domcleal - another try at application.rb to set cookie to secure. |
| @@ -146,6 +146,12 @@ class Application < Rails::Application | |||
| child.helper helpers | |||
| end | |||
| end | |||
|
|
|||
| # Secure cookies if the connection is via SSL | |||
| if SETTINGS[:require_ssl] == true | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if !!SETTINGS[:require_ssl] for consistency
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Chose the true option :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My only nitpick is that it's different to https://github.com/theforeman/foreman/pull/2328/files#diff-b4f92b4e361ffab4fbb91c68eb3f77bbR69 in behaviour.
58b043f
to
4bf9e98
Compare
|
Alright, looks good and tests well, thanks @shlomizadok. Since this has evolved into two different things, would you mind moving the force_ssl changes into a separate PR against ticket http://projects.theforeman.org/issues/10471? We'll merge both, but that will probably go to 1.9.0 and this to our stable release(s) as we don't need it to fix the CVE. Thanks! |
|
Done. #2373 is the second part |
|
Merged as 0b03b9b, thanks @shlomizadok! |


In production, we must enforce ssl, so cookies will be secured :)

Tried on a local foreman (Satellite machine):
This should be backported to 1.7 and 1.8