From 5af817564345773c56aac7ac3fd9408651a0388c Mon Sep 17 00:00:00 2001
From: James Gibson
Date: Wed, 9 Dec 2020 15:53:16 +0000
Subject: [PATCH] Add security.txt file hosting to keystone
If keystone_security_txt_content is defined in user variables, the keystone service will host this file at the following locations /security.txt and /.well-known/security.txt as defined in https://securitytxt.org/
Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
---
defaults/main.yml | 12 ++++++++++++
tasks/keystone_pre_install.yml | 7 +++++++
templates/keystone-httpd.conf.j2 | 14 ++++++++++++++
templates/keystone_nginx.conf.j2 | 10 ++++++++++
4 files changed, 43 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 12f6be85..460acea1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -193,6 +193,18 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
 keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
 keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
 
+## security.txt
+# When security risks in web services are discovered by independent security
+# researchers who understand the severity of the risk, they often lack the
+# channels to disclose them properly. As a result, security issues may be
+# left unreported. security.txt defines a standard to help organizations
+# define the process for security researchers to disclose security
+# vulnerabilities securely. For more information see https://securitytxt.org/
+# This content will be hosted at /security.txt and /.well-known/security.txt
+keystone_security_txt_dir: "/var/www/html"
+# keystone_security_txt_content: |
+# # Please see https://securitytxt.org/ for details of the specification of this file
+
 ## Apache setup
 keystone_apache_log_level: info
 keystone_apache_custom_log_format: combined
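Review bot: The commented-out example for `keystone_security_txt_content` contains only a comment line, so an operator who copies it gets a security.txt with none of the fields the specification requires; at minimum a `Contact:` field is mandatory. Extend the example with one content line such as `#   Contact: mailto:security@example.invalid` (constructed placeholder) so the default is a valid minimal file. Whitespace is not preserved in this rendering, but if the example content line is not indented under the `|` it will not be part of the block scalar once uncommented, leaving the variable empty. The `keystone_security_txt_dir` comment could also state that the web server process must be able to read this directory, since the new templates serve the file directly from it.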
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml index 86114baa..f4b8d73a 100644 --- a/tasks/keystone_pre_install.yml +++ b/tasks/keystone_pre_install.yml @@ -125,8 +125,15 @@ owner: root group: root - path: "/var/www/cgi-bin/keystone" + - path: "{{ keystone_security_txt_dir }}" - path: "/etc/ansible/facts.d" owner: root group: root delegate_to: "{{ item[0] }}" when: _keystone_is_first_play_host + +- name: Create security.txt file + copy: + content: "{{ keystone_security_txt_content }}" + dest: "{{ keystone_security_txt_dir }}/security.txt" + when: keystone_security_txt_content is defined diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2 index 8546fd3f..76a927c0 100644 --- a/templates/keystone-httpd.conf.j2 +++ b/templates/keystone-httpd.conf.j2 @@ -115,6 +115,20 @@ Listen {{ keystone_service_port }} ProxyPass /Shibboleth.sso ! {% endif -%} + {% if keystone_security_txt_content is defined %} + AliasMatch "^/(.*)/security.txt$" "{{ keystone_security_txt_dir }}/security.txt" + + + Options None + AllowOverride None + Order allow,deny + Allow from all + + + ProxyPass /security.txt ! + ProxyPass /.well-known/security.txt ! + {%- endif %} + ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ diff --git a/templates/keystone_nginx.conf.j2 b/templates/keystone_nginx.conf.j2 index 950c0f61..a8953999 100644 --- a/templates/keystone_nginx.conf.j2 +++ b/templates/keystone_nginx.conf.j2 @@ -32,6 +32,16 @@ server { set_real_ip_from {{ ip }}; {%- endfor %} + {% if keystone_security_txt_content is defined %} + location /security.txt { + alias {{ keystone_security_txt_dir }}/security.txt; + } + + location /.well-known/security.txt { + alias {{ keystone_security_txt_dir }}/security.txt; + } + {%- endif %} + location / { try_files $uri @yourapplication; }
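Review bot: The `Create security.txt file` task sets no `owner`, `group` or `mode`, so the file's permissions follow the remote umask of the connecting user; for a public document that the web server process must read there is no reason to leave that unspecified. Match the directory task above it and pin them: `owner: root`, `group: root`, `mode: "0644"`. The new `- path: "{{ keystone_security_txt_dir }}"` entry also carries no `owner`/`group` unlike its sibling entries; if the loop does not apply a default, the directory takes the task's default ownership, which is worth confirming against the loop definition that starts above the hunk.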
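Review bot: The `AliasMatch "^/(.*)/security.txt$"` pattern does not match the bare `/security.txt` path, because the regex requires a second slash between the leading `/` and `security.txt`; that URL is excluded from proxying by `ProxyPass /security.txt !` but then resolves against DocumentRoot rather than `keystone_security_txt_dir`, so it presumably only works where the two coincide. The pattern is also wider than the two documented locations (any path ending in `/security.txt`) and the unescaped `.` is a wildcard. Two explicit aliases are tighter: `Alias "/security.txt" "{{ keystone_security_txt_dir }}/security.txt"` and `Alias "/.well-known/security.txt" "{{ keystone_security_txt_dir }}/security.txt"`. The `<Directory>` open and close lines of this hunk appear to have been lost in this rendering, so that block could not be reviewed; note that `Order allow,deny`/`Allow from all` are Apache 2.2 directives that need mod_access_compat on 2.4, where `Require all granted` is the native form.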
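Review bot: Both new `location` blocks are prefix matches, so `location /security.txt` also catches `/security.txt/anything` and `/security.txtfoo` and maps them under the aliased file, and any regex `location` elsewhere in the server block takes precedence over them. For a single static file an exact match is the intended form: `location = /security.txt {` and `location = /.well-known/security.txt {`. The enclosing `server` block starts above the hunk.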