From e60c91e99d526b3e77a4c3f4675184f6b0383840 Mon Sep 17 00:00:00 2001
From: Rick Bartra
Date: Mon, 4 Feb 2019 09:46:52 -0500
Subject: [PATCH] Horizon: Expose additional security config params
Expose additional Horizon security params in accordance with the OpenStack Security Guide [0]
- Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True
- Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False
[0] https://docs.openstack.org/security-guide/dashboard/checklist.html
Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
---
 horizon/values.yaml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 9a1363af0e..45e6fb77f3 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -176,6 +176,8 @@ conf:
 session_cookie_secure: "False"
 session_cookie_httponly: "False"
 secure_proxy_ssl_header: false
+ password_autocomplete: "off"
+ disallow_iframe_embed: "False"
 openstack_cinder_features:
 enable_backup: "True"
 openstack_neutron_network:
@@ -245,10 +247,10 @@ conf:
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
- CSRF_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}'
- SESSION_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}'
+ CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+ SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
- SESSION_COOKIE_HTTPONLY = '{{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}'
+ SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
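Review bot: The new chart default `disallow_iframe_embed: "False"` opts Horizon out of its own clickjacking protection: the retained comment in the last hunk states that Horizon's default is True, and the commit message cites Check-Dashboard-03, which asks for True, so every deployment that does not override this key ends up weaker than stock Horizon. I would ship `disallow_iframe_embed: "True"` so that, together with `password_autocomplete: "off"`, both new knobs match the cited checklist, and let operators who genuinely embed the dashboard in an iframe opt out explicitly. The same contradiction is visible in the last hunk, where `# ... Default setting is True` now sits directly above a line whose rendered default is False.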
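Review bot: Dropping the quotes around the three cookie settings turns the rendered value into a Python expression rather than a string, so the chart now only works when the override is exactly the string "True" or "False"; the sibling key `secure_proxy_ssl_header: false` in the first hunk shows that bare YAML booleans are already used in this stanza, and an override such as `csrf_cookie_secure: true` would render as `CSRF_COOKIE_SECURE = true`, a NameError when Horizon loads local_settings. The removed quoted form was wrong in the other direction (a rendered `'False'` is a non-empty string and therefore truthy), so unquoting is the right direction, but the constraint should be written next to the keys in the config stanza, e.g. `# Rendered unquoted into local_settings.py: must be the quoted Python literal "True" or "False".` The same applies to `disable_password_reveal` in the next hunk and `DISALLOW_IFRAME_EMBED` in the last one. The local_settings block scalar these lines belong to starts and ends outside the hunk.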
@@ -310,11 +312,11 @@ conf:
 # Turn off browser autocompletion for forms including the login form and
 # the database creation workflow if so desired.
- #HORIZON_CONFIG["password_autocomplete"] = "off"
+ HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
 # Setting this to True will disable the reveal button for password fields,
 # including on the login form.
- HORIZON_CONFIG["disable_password_reveal"] = '{{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}'
+ HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
 LOCAL_PATH = '/tmp'
@@ -874,7 +876,7 @@ conf:
 # where iframes are not used in deployment. Default setting is True.
 # For more information see:
 # http://tinyurl.com/anticlickjack
- # DISALLOW_IFRAME_EMBED = True
+ DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
 STATIC_ROOT = '/var/www/html/horizon'
 policy:
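Review bot: `password_autocomplete` is rendered inside single quotes, so unlike the cookie settings it stays a string, and the chart default "off" matches the value in Horizon's own removed example line `#HORIZON_CONFIG["password_autocomplete"] = "off"`. The quoting in values.yaml is load-bearing, though: an override written as bare `off` is a YAML 1.1 boolean and would render here as `'false'`, which is not the "off" this setting expects, so the key added in the first hunk deserves a one-line comment such as `# Keep quoted: Horizon expects the string "on"/"off"; bare off parses as YAML false.` The local_settings block scalar containing this hunk starts and ends outside it.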