Add security.txt file hosting to keystone

If keystone_security_txt_content is defined in user variables, the keystone service will host this file at the following locations /security.txt and /.well-known/security.txt as defined in https://securitytxt.org/ Depends-On: https://review.opendev.org/766030 Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
2020-12-09 15:53:16 +00:00 · 2020-12-09 15:53:16 +00:00 · 5af8175643
commit 5af8175643
parent ae94a86230
4 changed files with 43 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -193,6 +193,18 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
 keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
 keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"

+## security.txt
+# When security risks in web services are discovered by independent security
+# researchers who understand the severity of the risk, they often lack the
+# channels to disclose them properly. As a result, security issues may be
+# left unreported. security.txt defines a standard to help organizations
+# define the process for security researchers to disclose security
+# vulnerabilities securely. For more information see https://securitytxt.org/
+# This content will be hosted at /security.txt and /.well-known/security.txt
+keystone_security_txt_dir: "/var/www/html"
+# keystone_security_txt_content: |
+#   # Please see https://securitytxt.org/ for details of the specification of this file
+
 ## Apache setup
 keystone_apache_log_level: info
 keystone_apache_custom_log_format: combined
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@ -125,8 +125,15 @@
        owner: root
        group: root
      - path: "/var/www/cgi-bin/keystone"
+      - path: "{{ keystone_security_txt_dir }}"
      - path: "/etc/ansible/facts.d"
        owner: root
        group: root
  delegate_to: "{{ item[0] }}"
  when: _keystone_is_first_play_host
+
+- name: Create security.txt file
+  copy:
+    content: "{{ keystone_security_txt_content }}"
+    dest: "{{ keystone_security_txt_dir }}/security.txt"
+  when: keystone_security_txt_content is defined
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -115,6 +115,20 @@ Listen {{ keystone_service_port }}
    ProxyPass /Shibboleth.sso !
    {% endif -%}

+    {% if keystone_security_txt_content is defined %}
+    AliasMatch "^/(.*)/security.txt$" "{{ keystone_security_txt_dir }}/security.txt"
+
+    <Directory "{{ keystone_security_txt_dir }}">
+        Options None
+        AllowOverride None
+        Order allow,deny
+        Allow from all
+    </Directory>
+
+    ProxyPass /security.txt !
+    ProxyPass /.well-known/security.txt !
+    {%- endif %}
+
    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/

 </VirtualHost>
--- a/templates/keystone_nginx.conf.j2
+++ b/templates/keystone_nginx.conf.j2
@ -32,6 +32,16 @@ server {
    set_real_ip_from {{ ip }};
    {%- endfor %}

+    {% if keystone_security_txt_content is defined %}
+    location /security.txt {
+        alias {{ keystone_security_txt_dir }}/security.txt;
+    }
+
+    location /.well-known/security.txt {
+        alias {{ keystone_security_txt_dir }}/security.txt;
+    }
+    {%- endif %}
+
    location / {
        try_files   $uri @yourapplication;
    }