openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

Add security.txt file hosting to keystone

Browse Source 
If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations
/security.txt and /.well-known/security.txt as defined in
https://securitytxt.org/

Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
This commit is contained in:
James Gibson 2020-12-09 15:53:16 +00:00 committed by Andrew Bonney
parent ae94a86230
commit 5af8175643
4 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
defaults/main.yml
View File

@ -193,6 +193,18 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}" keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}" keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
## security.txt
# When security risks in web services are discovered by independent security
# researchers who understand the severity of the risk, they often lack the
# channels to disclose them properly. As a result, security issues may be
# left unreported. security.txt defines a standard to help organizations
# define the process for security researchers to disclose security
# vulnerabilities securely. For more information see https://securitytxt.org/
# This content will be hosted at /security.txt and /.well-known/security.txt
keystone_security_txt_dir: "/var/www/html"
# keystone_security_txt_content: |
# # Please see https://securitytxt.org/ for details of the specification of this file
## Apache setup ## Apache setup
keystone_apache_log_level: info keystone_apache_log_level: info
keystone_apache_custom_log_format: combined keystone_apache_custom_log_format: combined

7
tasks/keystone_pre_install.yml
View File

@ -125,8 +125,15 @@
owner: root owner: root
group: root group: root
- path: "/var/www/cgi-bin/keystone" - path: "/var/www/cgi-bin/keystone"
- path: "{{ keystone_security_txt_dir }}"
- path: "/etc/ansible/facts.d" - path: "/etc/ansible/facts.d"
owner: root owner: root
group: root group: root
delegate_to: "{{ item[0] }}" delegate_to: "{{ item[0] }}"
when: _keystone_is_first_play_host when: _keystone_is_first_play_host
- name: Create security.txt file
copy:
content: "{{ keystone_security_txt_content }}"
dest: "{{ keystone_security_txt_dir }}/security.txt"
when: keystone_security_txt_content is defined

14
templates/keystone-httpd.conf.j2
View File

@ -115,6 +115,20 @@ Listen {{ keystone_service_port }}
ProxyPass /Shibboleth.sso ! ProxyPass /Shibboleth.sso !
{% endif -%} {% endif -%}
{% if keystone_security_txt_content is defined %}
AliasMatch "^/(.*)/security.txt$" "{{ keystone_security_txt_dir }}/security.txt"
<Directory "{{ keystone_security_txt_dir }}">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ProxyPass /security.txt !
ProxyPass /.well-known/security.txt !
{%- endif %}
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
</VirtualHost> </VirtualHost>

10
templates/keystone_nginx.conf.j2
View File

@ -32,6 +32,16 @@ server {
set_real_ip_from {{ ip }}; set_real_ip_from {{ ip }};
{%- endfor %} {%- endfor %}
{% if keystone_security_txt_content is defined %}
location /security.txt {
alias {{ keystone_security_txt_dir }}/security.txt;
}
location /.well-known/security.txt {
alias {{ keystone_security_txt_dir }}/security.txt;
}
{%- endif %}
location / { location / {
try_files $uri @yourapplication; try_files $uri @yourapplication;
} }