Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create new config section for web security settings #2815

Merged
merged 4 commits into from
Mar 1, 2024

Conversation

hmpf
Copy link
Contributor

@hmpf hmpf commented Feb 21, 2024

Closes #2194

Use it (for now) for setting secure cookies and the most basic form of XSS-protection.

@hmpf hmpf self-assigned this Feb 21, 2024
@hmpf
Copy link
Contributor Author

hmpf commented Feb 21, 2024

Open question: where in the documentation should this be documented? I am tempted to make a new "security"-page.

Copy link

github-actions bot commented Feb 21, 2024

Test results

     12 files       12 suites   12m 20s ⏱️
3 308 tests 3 308 ✔️ 0 💤 0
9 399 runs  9 399 ✔️ 0 💤 0

Results for commit 6db0a3f.

♻️ This comment has been updated with latest results.

Copy link

codecov bot commented Feb 21, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.15%. Comparing base (0fe59ef) to head (6db0a3f).
Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2815   +/-   ##
=======================================
  Coverage   57.14%   57.15%           
=======================================
  Files         567      568    +1     
  Lines       41268    41277    +9     
=======================================
+ Hits        23584    23593    +9     
  Misses      17684    17684           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Member

@lunkwill42 lunkwill42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Open question: where in the documentation should this be documented? I am tempted to make a new "security"-page.

Not sure we have a suitable pre-existing page or section in the Sphinx docs, so I can understand your temptation.

Our most basic form of documenting config options is, however, a comment immediately preceding the option in the example config file, as evidenced by other options already present in webfront.conf. You should add that as a minimum.

Also, changes or additions to config files usually warrant a note in NOTES.rst, to make users aware that they may need to change something.

Naming the option tls does not seem intuitive to me. Going from just the name, without documentation, it looks to me like an option to switch TLS on or off, something NAV cannot do, since this is up to the web server you set up to serve NAV.

@hmpf
Copy link
Contributor Author

hmpf commented Feb 26, 2024

I'm thinking we'll need a security-section in the proper docs eventually as we cannot expect the c-suite to read code :)

Copy link
Member

@lunkwill42 lunkwill42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slightly better.

Still need the release notes tip and the doc change. If we put off making a "security" docs section, we should at least mention this new option wherever the docs mention SSL (there are one or two notes in the various installation guides about adding SSL as being an exercise left up to the reader)

@hmpf hmpf force-pushed the secure-cookie branch 2 times, most recently from c56c7d3 to 57dd64d Compare February 27, 2024 06:49
@hmpf hmpf requested a review from lunkwill42 February 27, 2024 07:37
Copy link
Member

@lunkwill42 lunkwill42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs are good!

Really sorry, but I still can't get comfortable with the option name. If all the new option really affects in NAV is turning on secure cookies, then I think it should be named "use_secure_cookies" or something like that. (after all, naming things is still one of the hardest CS problems :P )

python/nav/django/settings.py Outdated Show resolved Hide resolved
@lunkwill42
Copy link
Member

"use_secure_cookies" or something like that.

Or even just reuse the setting name from Django :D

@hmpf
Copy link
Contributor Author

hmpf commented Feb 28, 2024

Really sorry, but I still can't get comfortable with the option name. If all the new option really affects in NAV is turning on secure cookies, then I think it should be named "use_secure_cookies" or something like that. (after all, naming things is still one of the hardest CS problems :P )

Right now all the flag does is turn on secure cookies, yes. There are other cookie-flags that also depend on SSL/TLS being enabled (CSRF-protection for one, which we ought to start using), and IIRC other features that depend on SSL/TLS being enabled. I want to avoid having multiple flags, just an easy way to tell Django that it can assume it is running under SSL/TLS. I've looked into automatically detecting whether we're running under SSL/TLS but that can't be used to change settings. (Changing settings for an already running Django is a no-no.)

@lunkwill42
Copy link
Member

Right now all the flag does is turn on secure cookies, yes. There are other cookie-flags that also depend on SSL/TLS being enabled (CSRF-protection for one, which we ought to start using), and IIRC other features that depend on SSL/TLS being enabled.

Alright, but then a needs_tls boolean flag still doesn't communicate that to me (are you telling NAV that it needs TLS?). Maybe tls_security_features would be better - or is that too long?

@hmpf hmpf force-pushed the secure-cookie branch 2 times, most recently from ef341bb to a43c302 Compare February 28, 2024 12:31
@hmpf
Copy link
Contributor Author

hmpf commented Feb 28, 2024

Right now all the flag does is turn on secure cookies, yes. There are other cookie-flags that also depend on SSL/TLS being enabled (CSRF-protection for one, which we ought to start using), and IIRC other features that depend on SSL/TLS being enabled.

Alright, but then a needs_tls boolean flag still doesn't communicate that to me (are you telling NAV that it needs TLS?).

Well it's for subsets of NAV that needs tls, so...

Maybe tls_security_features would be better - or is that too long?

It's a better name than a django setting specific one yes. I started with "ssl" because I wanted to avoid a multi-part name since there seems to be no consensus on how to spell multi word config flags: with spaces, '-', '_', camel case, no gaps at all...

@lunkwill42
Copy link
Member

It's a better name than a django setting specific one yes. I started with "ssl" because I wanted to avoid a multi-part name since there seems to be no consensus on how to spell multi word config flags: with spaces, '-', '_', camel case, no gaps at all...

Well, if you really want it short and sweet, then I'm fine with just tls, as long as there's comment that explains what it actually means to turn it on (i.e. it doesn't "turn on TLS", it turns on "security features that are only relevant when NAV is served over TLS").

@hmpf
Copy link
Contributor Author

hmpf commented Feb 29, 2024

Well, if you really want it short and sweet, then I'm fine with just tls, as long as there's comment that explains what it actually means to turn it on (i.e. it doesn't "turn on TLS", it turns on "security features that are only relevant when NAV is served over TLS").

Eh, I quite like "needs_tls".

We could have a clean-up round where we standardize on one system per config-file though.

Oh, actually, it is possible to make such a flag turn on tls, for django code (though leaving it to django is not recommended). That's not compatible with how we deploy though and people can have their own localsettings anyway if they need that.

Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Copy link
Member

@lunkwill42 lunkwill42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a feeling we will be bikeshedding this some more further down the road, but WTH :)

@hmpf hmpf merged commit 459cb29 into Uninett:master Mar 1, 2024
12 checks passed
@hmpf hmpf deleted the secure-cookie branch March 1, 2024 08:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[BUG] Use secure session cookies
2 participants