From 19e0780e81bffabecd621b52bbf8bbb6aee4e67b Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Tue, 16 Mar 2021 10:44:10 +0100
Subject: [PATCH 1/5] horizon: Add SSL protocol option.

---
 chef/cookbooks/horizon/attributes/default.rb | 1 +
 chef/cookbooks/horizon/recipes/server.rb | 1 +
 .../horizon/templates/suse/openstack-dashboard.conf.erb | 2 +-
 chef/data_bags/crowbar/template-horizon.json | 3 ++-
 chef/data_bags/crowbar/template-horizon.schema | 1 +
 .../app/views/barclamp/horizon/_edit_attributes.html.haml | 1 +
 crowbar_framework/config/locales/horizon/en.yml | 1 +
 7 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/chef/cookbooks/horizon/attributes/default.rb b/chef/cookbooks/horizon/attributes/default.rb
index 38808b0654..bf0eaae561 100644
--- a/chef/cookbooks/horizon/attributes/default.rb
+++ b/chef/cookbooks/horizon/attributes/default.rb
@@ -33,6 +33,7 @@ default[:horizon][:policy_file][:neutron_fwaas] = "neutron-fwaas-policy.json"
 default[:horizon][:apache][:ssl] = false
+default[:horizon][:apache][:ssl_protocol] = "all -SSLv2 -SSLv3"
 default[:horizon][:apache][:ssl_crt_file] = "/etc/apache2/ssl.crt/openstack-dashboard-server.crt"
 default[:horizon][:apache][:ssl_key_file] = "/etc/apache2/ssl.key/openstack-dashboard-server.key"
 default[:horizon][:apache][:generate_certs] = false
diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
index e1e87c7157..e5914f5104 100644
--- a/chef/cookbooks/horizon/recipes/server.rb
+++ b/chef/cookbooks/horizon/recipes/server.rb
@@ -564,6 +564,7 @@
     user: node[:apache][:user],
     group: node[:apache][:group],
     use_ssl: node[:horizon][:apache][:ssl],
+    ssl_protocol: node[:horizon][:apache][:ssl_protocol],
     ssl_crt_file: node[:horizon][:apache][:ssl_crt_file],
     ssl_key_file: node[:horizon][:apache][:ssl_key_file],
     ssl_crt_chain_file: node[:horizon][:apache][:ssl_crt_chain_file],
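Review bot: The new default `all -SSLv2 -SSLv3` in attributes/default.rb (narrowed to `all -SSLv3` by the later attributes/default.rb and template-horizon.json hunks of this series) still leaves TLSv1 and TLSv1.1 enabled on the dashboard vhost, both of which are deprecated by RFC 8996. Now that the protocol list is operator-tunable, the shipped default is where the secure baseline belongs; unless legacy clients of this dashboard are known to need the old versions, `default[:horizon][:apache][:ssl_protocol] = "all -SSLv3 -TLSv1 -TLSv1.1"` is the better starting point. The same value is duplicated in the data-bag template (template-horizon.json), so the two hunks have to be kept in sync whenever the baseline changes.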
diff --git a/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb b/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb
index dec550afef..86a40b68af 100644
--- a/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb
+++ b/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb
@@ -55,7 +55,7 @@ Listen <%= @bind_host %>:<%= @bind_port_ssl %>
 :<%= @bind_port_ssl %>>
     SSLEngine On
     SSLCipherSuite DEFAULT_SUSE
-    SSLProtocol all -SSLv2 -SSLv3
+    SSLProtocol <%= @ssl_protocol %>
     # Prevent plaintext downgrade for 180 days
     Header always set Strict-Transport-Security "max-age=15552000"
     SSLCertificateFile <%= @ssl_crt_file %>
diff --git a/chef/data_bags/crowbar/template-horizon.json b/chef/data_bags/crowbar/template-horizon.json
index e364f423c4..33a811a2e7 100644
--- a/chef/data_bags/crowbar/template-horizon.json
+++ b/chef/data_bags/crowbar/template-horizon.json
@@ -36,6 +36,7 @@
       "apache": {
         "ssl": false,
         "generate_certs": false,
+        "ssl_protocol": "all -SSLv2 -SSLv3",
         "ssl_crt_file": "/etc/apache2/ssl.crt/openstack-dashboard-server.crt",
         "ssl_key_file": "/etc/apache2/ssl.key/openstack-dashboard-server.key",
         "ssl_crt_chain_file": ""
@@ -52,7 +53,7 @@
     "horizon": {
       "crowbar-revision": 0,
       "crowbar-applied": false,
-      "schema-revision": 302,
+      "schema-revision": 303,
       "element_states": {
         "horizon-server": [ "readying", "ready", "applying" ]
       },
diff --git a/chef/data_bags/crowbar/template-horizon.schema b/chef/data_bags/crowbar/template-horizon.schema
index 027102a7d6..f4266f55bb 100644
--- a/chef/data_bags/crowbar/template-horizon.schema
+++ b/chef/data_bags/crowbar/template-horizon.schema
@@ -60,6 +60,7 @@
           "mapping": {
             "ssl": { "type": "bool", "required": true },
             "generate_certs": { "type": "bool", "required": true },
+            "ssl_protocol": { "type": "str" },
             "ssl_crt_file": { "type": "str" },
             "ssl_key_file": { "type": "str" },
             "ssl_crt_chain_file": { "type": "str" }
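Review bot: The template now emits `@ssl_protocol` verbatim with no fallback, so a proposal whose `apache.ssl_protocol` is blank (the data-bag migration only arrives later in this series, and the schema accepts any string) renders a bare `SSLProtocol` line; as far as I can tell that leaves mod_ssl with no protocol enabled and the dashboard vhost fails at startup. A guarded form keeps the previous behaviour for that case: `SSLProtocol <%= @ssl_protocol.to_s.strip.empty? ? "all -SSLv3" : @ssl_protocol %>`. The VirtualHost block this directive sits in starts and ends outside the hunk.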
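Review bot: `ssl_protocol` is declared as an unconstrained `str` in template-horizon.schema, yet the cookbook writes it straight into an Apache `SSLProtocol` directive, so a typo or an empty string in the proposal is only caught when Apache fails to start on the node. If the schema dialect supports a pattern rule, restricting the value to the directive's token grammar (`all` and `+`/`-`-prefixed `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`, separated by spaces) would fail the proposal at validation time instead of at apply time. At minimum the key deserves a note next to it saying the value is passed through to the Apache config verbatim.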
diff --git a/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml b/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml
index ea0c0ce33c..0b26802670 100644
--- a/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml
+++ b/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml
@@ -27,6 +27,7 @@
     #apache_container
       = boolean_field %w(apache generate_certs)
+      = string_field %w(apache ssl_protocol)
       = string_field %w(apache ssl_crt_file)
       = string_field %w(apache ssl_key_file)
       = string_field %w(apache ssl_crt_chain_file)
diff --git a/crowbar_framework/config/locales/horizon/en.yml b/crowbar_framework/config/locales/horizon/en.yml
index 04ee351c3c..3fdbd6a23d 100644
--- a/crowbar_framework/config/locales/horizon/en.yml
+++ b/crowbar_framework/config/locales/horizon/en.yml
@@ -31,6 +31,7 @@ en:
       apache:
         ssl: 'Protocol'
         generate_certs: 'Generate (self-signed) certificates'
+        ssl_protocol: 'SSL Protocol Version'
         ssl_crt_file: 'SSL Certificate File'
         ssl_key_file: 'SSL (Private) Key File'
         ssl_crt_chain_file: 'SSL Certificate Chain File'
From 04aea12ce53b87d8c1b8099a3930263b664a0569 Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Thu, 18 Mar 2021 13:47:05 +0100
Subject: [PATCH 2/5] Add migration file and remove redundant SSLv2.

---
 chef/cookbooks/horizon/attributes/default.rb | 2 +-
 .../crowbar/migrate/neutron/309_add_ssl_protocol.rb | 9 +++++++++
 chef/data_bags/crowbar/template-horizon.json | 2 +-
 .../views/barclamp/horizon/_edit_attributes.html.haml | 1 -
 4 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb

diff --git a/chef/cookbooks/horizon/attributes/default.rb b/chef/cookbooks/horizon/attributes/default.rb
index bf0eaae561..5d76d7e8e9 100644
--- a/chef/cookbooks/horizon/attributes/default.rb
+++ b/chef/cookbooks/horizon/attributes/default.rb
@@ -33,7 +33,7 @@ default[:horizon][:policy_file][:neutron_fwaas] = "neutron-fwaas-policy.json"
 default[:horizon][:apache][:ssl] = false
-default[:horizon][:apache][:ssl_protocol] = "all -SSLv2 -SSLv3"
+default[:horizon][:apache][:ssl_protocol] = "all -SSLv3"
 default[:horizon][:apache][:ssl_crt_file] = "/etc/apache2/ssl.crt/openstack-dashboard-server.crt"
 default[:horizon][:apache][:ssl_key_file] = "/etc/apache2/ssl.key/openstack-dashboard-server.key"
 default[:horizon][:apache][:generate_certs] = false
diff --git a/chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb b/chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb
new file mode 100644
index 0000000000..4f6604ea29
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb
@@ -0,0 +1,9 @@
+def upgrade(ta, td, a, d)
+  a["apache"]["ssl_protocol"] = "all -SSLv3"
+  return a, d
+end
+
+def downgrade(ta, td, a, d)
+  a["apache"].delete("ssl_protocol")
+  return a, d
+end
diff --git a/chef/data_bags/crowbar/template-horizon.json b/chef/data_bags/crowbar/template-horizon.json
index 33a811a2e7..bf8cf43638 100644
--- a/chef/data_bags/crowbar/template-horizon.json
+++ b/chef/data_bags/crowbar/template-horizon.json
@@ -36,7 +36,7 @@
       "apache": {
         "ssl": false,
         "generate_certs": false,
-        "ssl_protocol": "all -SSLv2 -SSLv3",
+        "ssl_protocol": "all -SSLv3",
         "ssl_crt_file": "/etc/apache2/ssl.crt/openstack-dashboard-server.crt",
         "ssl_key_file": "/etc/apache2/ssl.key/openstack-dashboard-server.key",
         "ssl_crt_chain_file": ""
diff --git a/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml b/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml
index 0b26802670..ea0c0ce33c 100644
--- a/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml
+++ b/crowbar_framework/app/views/barclamp/horizon/_edit_attributes.html.haml
@@ -27,7 +27,6 @@
     #apache_container
       = boolean_field %w(apache generate_certs)
-      = string_field %w(apache ssl_protocol)
       = string_field %w(apache ssl_crt_file)
       = string_field %w(apache ssl_key_file)
       = string_field %w(apache ssl_crt_chain_file)
From 29a9474b6132bfb26bce9c80e38721f5ea087f74 Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Thu, 18 Mar 2021 13:57:36 +0100
Subject: [PATCH 3/5] Fix migration file.

---
 .../crowbar/migrate/horizon/303_add_ssl_protocol.rb | 9 +++++++++
 .../crowbar/migrate/neutron/309_add_ssl_protocol.rb | 9 ---------
 2 files changed, 9 insertions(+), 9 deletions(-)
 create mode 100644 chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
 delete mode 100644 chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb

diff --git a/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb b/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
new file mode 100644
index 0000000000..f5c61db5fb
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
@@ -0,0 +1,9 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  attrs["apache"]["ssl_protocol"] = template_attrs["apache"]["ssl_protocol"]
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  attrs["apache"].delete("ssl_protocol")
+  return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb b/chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb
deleted file mode 100644
index 4f6604ea29..0000000000
--- a/chef/data_bags/crowbar/migrate/neutron/309_add_ssl_protocol.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-def upgrade(ta, td, a, d)
-  a["apache"]["ssl_protocol"] = "all -SSLv3"
-  return a, d
-end
-
-def downgrade(ta, td, a, d)
-  a["apache"].delete("ssl_protocol")
-  return a, d
-end
From 81fb76299ef4a981fadbdee67cd77cc8262039dc Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Mon, 29 Mar 2021 15:57:35 +0200
Subject: [PATCH 4/5] Improve migration file.

---
 .../crowbar/migrate/horizon/303_add_ssl_protocol.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb b/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
index f5c61db5fb..3497a6dae0 100644
--- a/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
+++ b/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
@@ -1,9 +1,11 @@
 def upgrade(template_attrs, template_deployment, attrs, deployment)
-  attrs["apache"]["ssl_protocol"] = template_attrs["apache"]["ssl_protocol"]
+  unless attrs["apache"].key? "ssl_protocol"
+    attrs["apache"]["ssl_protocol"] = template_attrs["apache"]["ssl_protocol"]
   return attrs, deployment
 end
 def downgrade(template_attrs, template_deployment, attrs, deployment)
-  attrs["apache"].delete("ssl_protocol")
+  unless template_attrs["apache"].key? "ssl_protocol"
+    attrs["apache"].delete("ssl_protocol")
   return attrs, deployment
 end
From 92e9f0f0ed4171fc34e9f295e9e02de68ed5e9e5 Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Mon, 29 Mar 2021 16:13:06 +0200
Subject: [PATCH 5/5] Remove localization.

---
 crowbar_framework/config/locales/horizon/en.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/crowbar_framework/config/locales/horizon/en.yml b/crowbar_framework/config/locales/horizon/en.yml
index 3fdbd6a23d..04ee351c3c 100644
--- a/crowbar_framework/config/locales/horizon/en.yml
+++ b/crowbar_framework/config/locales/horizon/en.yml
@@ -31,7 +31,6 @@ en:
       apache:
         ssl: 'Protocol'
         generate_certs: 'Generate (self-signed) certificates'
-        ssl_protocol: 'SSL Protocol Version'
         ssl_crt_file: 'SSL Certificate File'
         ssl_key_file: 'SSL (Private) Key File'
         ssl_crt_chain_file: 'SSL Certificate Chain File'
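Review bot: The `unless` blocks added to both `upgrade` and `downgrade` in 303_add_ssl_protocol.rb are never closed: the hunk header (9 to 11 lines) and the diffstat (4 insertions, 2 deletions) admit only the two added lines per method, so the existing `end` now closes the `unless` and both `def`s are left open, which is a SyntaxError when the migration is loaded. If the hunk is rendered faithfully, the smallest fix is an `  end` after each guarded statement; the modifier form avoids the extra lines altogether: `attrs["apache"]["ssl_protocol"] = template_attrs["apache"]["ssl_protocol"] unless attrs["apache"].key?("ssl_protocol")` and `attrs["apache"].delete("ssl_protocol") unless template_attrs["apache"].key?("ssl_protocol")`. A one-line header comment saying that `upgrade` keeps an operator-set value and `downgrade` only removes the key when the older template lacks it would also help the next reader, since the two guards test different hashes.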