From b02ec05d76188c836143609eded037d5060d3aa3 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Fri, 1 Feb 2019 15:06:58 -0600
Subject: [PATCH] Horizon: Expose security config params
This PS exposes security related config params
Change-Id: Ia6d2e089301cfc8fd809380ad3f31c6e37dc5607
Signed-off-by: Pete Birley
---
horizon/values.yaml | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 846982d204..9a1363af0e 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -171,6 +171,11 @@ conf:
 debug: "False"
 keystone_multidomain_support: "True"
 keystone_default_domain: Default
+ disable_password_reveal: "False"
+ csrf_cookie_secure: "False"
+ session_cookie_secure: "False"
+ session_cookie_httponly: "False"
+ secure_proxy_ssl_header: false
 openstack_cinder_features:
 enable_backup: "True"
 openstack_neutron_network:
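Review bot: `session_cookie_httponly: "False"` sets a chart default below Django's own baseline, whose shipped value for SESSION_COOKIE_HTTPONLY is True, so exposing the knob should not quietly weaken it; default to `session_cookie_httponly: "True"`. `secure_proxy_ssl_header: false` is also the only bare YAML boolean among the five new keys, whose siblings are quoted strings; because the template consumes this one in a Go-template `{{- if }}`, an operator who follows the neighbouring convention and writes `"False"` hands it a non-empty string, which is truthy, and turns the header on unintentionally. Use one representation for the whole group and say so in a comment above the block, e.g. `# secure_proxy_ssl_header must stay a real YAML boolean: it drives a template conditional`, or make all five real booleans.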
@@ -234,12 +239,16 @@ conf:
 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
 # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
- #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+ {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
+ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+ {{- end }}
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
- #CSRF_COOKIE_SECURE = True
- #SESSION_COOKIE_SECURE = True
+ CSRF_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}'
+ SESSION_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}'
+
+ SESSION_COOKIE_HTTPONLY = '{{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}'
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
@@ -305,7 +314,7 @@ conf:
 # Setting this to True will disable the reveal button for password fields,
 # including on the login form.
- #HORIZON_CONFIG["disable_password_reveal"] = False
+ HORIZON_CONFIG["disable_password_reveal"] = '{{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}'
 LOCAL_PATH = '/tmp'
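Review bot: `CSRF_COOKIE_SECURE = '{{ ... }}'` wraps the rendered value in single quotes, so the values.yaml default `"False"` arrives in local_settings.py as the Python string `'False'`, which is non-empty and therefore truthy; Django then marks the CSRF and session cookies Secure regardless of the setting, and a browser talking to Horizon over plain HTTP never returns them, so login cannot complete. The same quoting is on `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_HTTPONLY` here and on `HORIZON_CONFIG["disable_password_reveal"]` in the third hunk, where it disables the reveal button unconditionally. Drop the quotes so the template emits a bare Python literal, e.g. `CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}`; the `"True"`/`"False"` strings in values.yaml render as exactly the words Python expects. The new `SECURE_PROXY_SSL_HEADER` guard is sound, but a comment above it should state that it is only safe when the fronting proxy always overwrites X-Forwarded-Proto, which is the caveat the Django link in the preceding context line documents. The enclosing local_settings template starts and ends outside these hunks.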