Merge ~suligap/canonical-identity-provider:drop-djangosecure into canonical-identity-provider:master

Proposed by Przemysław Suliga
Status: Merged
Approved by: Przemysław Suliga
Approved revision: 57f14a97918ca92f7fb2f5e06aa17217402183c7
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~suligap/canonical-identity-provider:drop-djangosecure
Merge into: canonical-identity-provider:master
Diff against target: 48 lines (+1/-4)
2 files modified
django_project/settings_base.py (+1/-3)
requirements.txt (+0/-1)
Reviewer: Daniel Manrique (community), status: Approve
Review via email: mp+384528@code.launchpad.net

Commit message

Drop deprecated django-secure dependency

Description of the change

djangosecure was mostly swallowed by Django in 1.8:
https://docs.djangoproject.com/en/1.8/releases/1.8/#security-enhancements

And switch to django.middleware.security.SecurityMiddleware.

This has the additional benefit of no longer depending on a middleware class
that is not compatible with Django's "new style" MIDDLEWARE:
https://docs.djangoproject.com/en/1.11/topics/http/middleware/#upgrading-middleware

Functionally nothing changes with the djangosecure settings we use:

- `SECURE_BROWSER_XSS_FILTER = True` adds the
  `x-xss-protection: 1; mode=block` response header

- `SECURE_CONTENT_TYPE_NOSNIFF = True` adds the
  `x-content-type-options: nosniff` response header

- SECURE_HSTS_SECONDS and SECURE_HSTS_INCLUDE_SUBDOMAINS are also supported. As
  a side note: it looks like for SSO, HSTS might be configured in its reverse
  proxies, since the max-age values differ between what's being served by
  login.ubuntu.com and the value that exists in SSO's django settings. Also,
  SECURE_HSTS_PRELOAD is not configured in SSO's django settings but `preload`
  exists in responses from login.ubuntu.com.

- SECURE_SSL_REDIRECT (set to None currently) is also supported

- SECURE_FRAME_DENY is being dropped in this change as the behavior is already
  being overridden by Django's XFrameOptionsMiddleware configured in SSO.
  Functionally nothing changes and the `X-Frame-Options: SAMEORIGIN` header is
  being added to responses. This setting was set to None and it does not exist
  outside of djangosecure's middleware.

This change also puts the SecurityMiddleware first in the middleware's list.
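An added check, not code from this merge proposal or the SSO code base: it reproduces the settings-to-headers mapping described above for the values shown in the diff and compares a captured set of response headers against it, so the proxy-versus-Django HSTS difference the description notes shows up as a finding. The observed headers below are constructed sample data, not a real capture from login.ubuntu.com.

```python
# Settings copied from settings_base.py as it stands after this change.
SSO_SETTINGS = {
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_SECONDS": 15552000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": False,  # not set in SSO, so Django's default applies
}

# Constructed sample (not a real capture): the HSTS value deliberately differs
# from the Django settings, as the description observes for the reverse proxy.
SAMPLE_RESPONSE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

def expected_headers(settings, request_is_secure=True):
    """Headers SecurityMiddleware adds (simplified: it also keeps existing ones)."""
    headers = {}
    if settings.get("SECURE_BROWSER_XSS_FILTER"):
        headers["x-xss-protection"] = "1; mode=block"
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["x-content-type-options"] = "nosniff"
    # HSTS only goes out when request.is_secure(); behind a TLS-terminating
    # proxy that needs SECURE_PROXY_SSL_HEADER, which these settings leave None.
    if settings.get("SECURE_HSTS_SECONDS") and request_is_secure:
        value = "max-age=%d" % settings["SECURE_HSTS_SECONDS"]
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        headers["strict-transport-security"] = value
    return headers

def normalise(name, value):
    """Case-insensitive header value; HSTS directives are compared as a set."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    return frozenset(parts) if name == "strict-transport-security" else "; ".join(parts)

def compare(observed, settings, request_is_secure=True):
    """List missing or differing security headers; an empty list means all match."""
    observed = {k.lower(): v for k, v in observed.items()}
    findings = []
    for name, want in expected_headers(settings, request_is_secure).items():
        got = observed.get(name)
        if got is None:
            findings.append("missing %s (expected %r)" % (name, want))
        elif normalise(name, got) != normalise(name, want):
            findings.append("%s differs: got %r, expected %r" % (name, got, want))
    return findings
```

Run `compare(SAMPLE_RESPONSE_HEADERS, SSO_SETTINGS)` against headers captured from the deployed service to see which headers come from Django and which the proxy is setting.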

Daniel Manrique (roadmr) wrote :

Brilliant :)

review: Approve
Otto Co-Pilot (otto-copilot) wrote :
57f14a9... by Przemysław Suliga

Remove djangosecure from INSTALLED_APPS

Preview Diff

1diff --git a/django_project/settings_base.py b/django_project/settings_base.py
2index 561acbf..512b4d6 100644
3--- a/django_project/settings_base.py
4+++ b/django_project/settings_base.py
5@@ -207,7 +207,6 @@ INSTALLED_APPS = [
6 'adminaudit',
7 'django_openid_auth',
8 'django_statsd',
9- 'djangosecure',
10 'gargoyle',
11 'honeypot',
12 'oauth_backend',
13@@ -386,6 +385,7 @@ MEDIA_ROOT = ''
14 MEDIA_URL = ''
15 MESSAGE_STORAGE = 'django.contrib.messages.storage.fallback.FallbackStorage'
16 MIDDLEWARE_CLASSES = [
17+ 'django.middleware.security.SecurityMiddleware',
18 ('raven.contrib.django.raven_compat.middleware'
19 '.SentryResponseErrorIdMiddleware'),
20 'api.v20.utils.EnsureJSONResponseOnAPIErrorMiddleware',
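Review bot: putting SecurityMiddleware at the very top of MIDDLEWARE_CLASSES is the right place, and it will matter more after the move to the new-style MIDDLEWARE setting linked in the description: there, a middleware only sees responses produced by entries listed after it, so if it sat lower in the list the security headers would be missing from any response returned early by a later middleware such as EnsureJSONResponseOnAPIErrorMiddleware or ReadOnlyMiddleware. A one-line comment above the entry saying it must stay first would stop a later reorder from silently dropping the headers.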
21@@ -394,7 +394,6 @@ MIDDLEWARE_CLASSES = [
22 'django_statsd.middleware.GraphiteMiddleware',
23 'identityprovider.middleware.readonly.ReadOnlyMiddleware',
24 'identityprovider.middleware.oopsplease.OopsPleaseMiddleware',
25- 'djangosecure.middleware.SecurityMiddleware',
26 'django.contrib.sessions.middleware.SessionMiddleware',
27 'django.middleware.common.CommonMiddleware',
28 'identityprovider.middleware.honeypot.HoneypotMiddleware',
29@@ -490,7 +489,6 @@ SAML_NOT_AFTER_MINUTES = 15
30 SECRET_KEY = ''
31 SECURE_BROWSER_XSS_FILTER = True
32 SECURE_CONTENT_TYPE_NOSNIFF = True
33-SECURE_FRAME_DENY = False
34 SECURE_HSTS_INCLUDE_SUBDOMAINS = True
35 SECURE_HSTS_SECONDS = 15552000
36 SECURE_PROXY_SSL_HEADER = None
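Review bot: SECURE_PROXY_SSL_HEADER = None in the trailing context should be looked at together with the HSTS settings kept here: django.middleware.security.SecurityMiddleware only adds Strict-Transport-Security when request.is_secure(), and behind a TLS-terminating reverse proxy that is False unless SECURE_PROXY_SSL_HEADER is set, which would explain the description's observation that the served max-age and preload flag differ from SECURE_HSTS_SECONDS = 15552000 (the proxy, not Django, is emitting the header). Either document that HSTS is owned by the proxy configuration, or set SECURE_PROXY_SSL_HEADER (only safe when the proxy always overwrites that header) so the application's value is the authoritative one. Minor: the description says SECURE_FRAME_DENY was None, but the removed line reads False; the description should match the diff.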
37diff --git a/requirements.txt b/requirements.txt
38index 0577502..8c192ec 100644
39--- a/requirements.txt
40+++ b/requirements.txt
41@@ -12,7 +12,6 @@ django-openid-auth==0.14
42 django-pgtools==0.4.2
43 django-piston==0.2.4
44 django-preflight==0.2.0
45-django-secure==1.0.1
46 django-statsd-mozilla==0.4.0
47 enum34==1.1.6
48 gargoyle-yplan==1.2.5
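Review bot: dropping django-secure==1.0.1 is fine, but the SECURE_* settings it used to act on are now only honoured by Django itself from 1.8 onwards (the release notes linked in the description); the Django pin is outside this hunk, so please confirm requirements.txt pins a version at or above 1.8 before landing.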
