Merge ~suligap/canonical-identity-provider:drop-djangosecure into canonical-identity-provider:master

Proposed by Przemysław Suliga
Status: Merged
Approved by: Przemysław Suliga
Approved revision: 57f14a97918ca92f7fb2f5e06aa17217402183c7
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~suligap/canonical-identity-provider:drop-djangosecure
Merge into: canonical-identity-provider:master
Diff against target: 48 lines (+1/-4)
2 files modified
django_project/settings_base.py (+1/-3)
requirements.txt (+0/-1)
Reviewer: Daniel Manrique (community), Status: Approve
Review via email: mp+384528@code.launchpad.net

Commit message

Drop deprecated django-secure dependency

Description of the change

djangosecure was mostly swallowed by Django in 1.8:
https://docs.djangoproject.com/en/1.8/releases/1.8/#security-enhancements

And switch to django.middleware.security.SecurityMiddleware.

This has the additional benefit of no longer depending on a middleware class
that is not compatible with Django's "new style" MIDDLEWARE:
https://docs.djangoproject.com/en/1.11/topics/http/middleware/#upgrading-middleware

Functionally nothing changes with the djangosecure settings we use:

- `SECURE_BROWSER_XSS_FILTER = True` adds the
  `x-xss-protection: 1; mode=block` response header

- `SECURE_CONTENT_TYPE_NOSNIFF = True` adds the
  `x-content-type-options: nosniff` response header

- SECURE_HSTS_SECONDS and SECURE_HSTS_INCLUDE_SUBDOMAINS are also supported. As
  a side note: it looks like for SSO, HSTS might be configured in its reverse
  proxies, since the max-age values differ between what's being served by
  login.ubuntu.com and the value that exists in SSO's django settings. Also,
  SECURE_HSTS_PRELOAD is not configured in SSO's django settings but `preload`
  exists in responses from login.ubuntu.com.

- SECURE_SSL_REDIRECT (set to None currently) is also supported

- SECURE_FRAME_DENY is being dropped in this change as the behavior is already
  being overridden by Django's XFrameOptionsMiddleware configured in SSO.
  Functionally nothing changes and the `X-Frame-Options: SAMEORIGIN` header is being
  added to responses. This setting was set to None and it does not exist
  outside of djangosecure's middleware.

This change also puts the SecurityMiddleware first in the middleware list.
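The description above compares what the SECURE_* settings predict with what the edge actually serves (different HSTS max-age, an extra `preload`). The following is an added example, not code from canonical-identity-provider: a small offline audit that derives the headers Django's SecurityMiddleware would emit from a settings dict and diffs them, directive by directive for HSTS, against a set of served headers. The settings values are the ones visible in the diff; the served headers and the `X_FRAME_OPTIONS` key are constructed for illustration, not captured from login.ubuntu.com.

```python
"""Audit served security headers against what Django's SecurityMiddleware
would emit for a given settings dict (added example, not project code)."""


def expected_headers(settings):
    """Headers SecurityMiddleware adds for these SECURE_* settings.

    HSTS is only emitted by Django when request.is_secure() is true, which
    behind a TLS-terminating proxy also requires SECURE_PROXY_SSL_HEADER.
    """
    expected = {}
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        expected["x-content-type-options"] = "nosniff"
    if settings.get("SECURE_BROWSER_XSS_FILTER"):
        expected["x-xss-protection"] = "1; mode=block"
    seconds = settings.get("SECURE_HSTS_SECONDS") or 0
    if seconds:
        value = "max-age=%d" % seconds
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        expected["strict-transport-security"] = value
    # Supplied by XFrameOptionsMiddleware, not SecurityMiddleware; modelled
    # here as an explicit key so the audit covers it too.
    if settings.get("X_FRAME_OPTIONS"):
        expected["x-frame-options"] = settings["X_FRAME_OPTIONS"].upper()
    return expected


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797); max-age is mandatory
    and is returned as an int, flag directives as True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or True
    if "max-age" not in directives:
        raise ValueError("HSTS header without max-age: %r" % value)
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit(served, settings):
    """Return (header, finding) pairs where served headers diverge from the
    settings. Header names compare case-insensitively; HSTS is compared per
    directive so a differing max-age or an extra preload is reported."""
    served = {k.lower(): v for k, v in served.items()}
    findings = []
    for name, want in expected_headers(settings).items():
        got = served.get(name)
        if got is None:
            findings.append((name, "missing; settings predict %r" % want))
        elif name == "strict-transport-security":
            w, g = parse_hsts(want), parse_hsts(got)
            for d in sorted(set(w) | set(g)):
                if w.get(d) != g.get(d):
                    findings.append(
                        (name, "%s: settings %r, served %r" % (d, w.get(d), g.get(d))))
        elif got.lower() != want.lower():
            findings.append((name, "settings %r, served %r" % (want, got)))
    return findings


# Values as they appear in settings_base.py after this change. X_FRAME_OPTIONS
# is an assumption taken from the description (SAMEORIGIN via middleware).
SSO_SETTINGS = {
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_SECONDS": 15552000,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
}

# Constructed response headers standing in for what an HSTS-aware reverse
# proxy might serve; not a capture from login.ubuntu.com.
SERVED_EDGE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for header, finding in audit(SERVED_EDGE_HEADERS, SSO_SETTINGS):
        print("%s: %s" % (header, finding))
```

Against the constructed edge headers the audit reports two HSTS findings (max-age and preload) and nothing else, which is exactly the kind of drift the description notes; fed real headers from `curl -sI`, the same function tells you which layer owns each header.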

Daniel Manrique (roadmr) wrote :

Brilliant :)

review: Approve
Otto Co-Pilot (otto-copilot) wrote :
57f14a9... by Przemysław Suliga

Remove djangosecure from INSTALLED_APPS

Preview Diff

diff --git a/django_project/settings_base.py b/django_project/settings_base.py
index 561acbf..512b4d6 100644
--- a/django_project/settings_base.py
+++ b/django_project/settings_base.py
@@ -207,7 +207,6 @@ INSTALLED_APPS = [
207 'adminaudit',207 'adminaudit',
208 'django_openid_auth',208 'django_openid_auth',
209 'django_statsd',209 'django_statsd',
210 'djangosecure',
211 'gargoyle',210 'gargoyle',
212 'honeypot',211 'honeypot',
213 'oauth_backend',212 'oauth_backend',
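Review bot: removing 'djangosecure' from INSTALLED_APPS also removes its `checksecure` management command, and this diff only touches settings_base.py and requirements.txt, so please confirm with a repository-wide grep for `djangosecure` and `django_secure` that no test, deployment script or documentation still imports the package or invokes that command; Django's replacement is `manage.py check --deploy`, and it would be worth mentioning that in the commit message.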
@@ -386,6 +385,7 @@ MEDIA_ROOT = ''
386MEDIA_URL = ''385MEDIA_URL = ''
387MESSAGE_STORAGE = 'django.contrib.messages.storage.fallback.FallbackStorage'386MESSAGE_STORAGE = 'django.contrib.messages.storage.fallback.FallbackStorage'
388MIDDLEWARE_CLASSES = [387MIDDLEWARE_CLASSES = [
388 'django.middleware.security.SecurityMiddleware',
389 ('raven.contrib.django.raven_compat.middleware'389 ('raven.contrib.django.raven_compat.middleware'
390 '.SentryResponseErrorIdMiddleware'),390 '.SentryResponseErrorIdMiddleware'),
391 'api.v20.utils.EnsureJSONResponseOnAPIErrorMiddleware',391 'api.v20.utils.EnsureJSONResponseOnAPIErrorMiddleware',
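Review bot: SecurityMiddleware only emits Strict-Transport-Security when `request.is_secure()` is true, and the last hunk of this file shows `SECURE_PROXY_SSL_HEADER = None`, so behind a TLS-terminating reverse proxy Django will never treat the request as secure and SECURE_HSTS_SECONDS / SECURE_HSTS_INCLUDE_SUBDOMAINS produce no header from the application. That matches the description's observation that the HSTS seen on login.ubuntu.com comes from the proxies, but it means those two settings are effectively inert; either set SECURE_PROXY_SSL_HEADER (only if the proxy strips the client-supplied header) or document that HSTS is owned by the proxy layer.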
@@ -394,7 +394,6 @@ MIDDLEWARE_CLASSES = [
394 'django_statsd.middleware.GraphiteMiddleware',394 'django_statsd.middleware.GraphiteMiddleware',
395 'identityprovider.middleware.readonly.ReadOnlyMiddleware',395 'identityprovider.middleware.readonly.ReadOnlyMiddleware',
396 'identityprovider.middleware.oopsplease.OopsPleaseMiddleware',396 'identityprovider.middleware.oopsplease.OopsPleaseMiddleware',
397 'djangosecure.middleware.SecurityMiddleware',
398 'django.contrib.sessions.middleware.SessionMiddleware',397 'django.contrib.sessions.middleware.SessionMiddleware',
399 'django.middleware.common.CommonMiddleware',398 'django.middleware.common.CommonMiddleware',
400 'identityprovider.middleware.honeypot.HoneypotMiddleware',399 'identityprovider.middleware.honeypot.HoneypotMiddleware',
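Review bot: the middleware moves from between OopsPleaseMiddleware and SessionMiddleware to the head of the list, and the list is still old-style MIDDLEWARE_CLASSES where process_response runs in reverse order, so SecurityMiddleware now sees every response last rather than before the seven entries above it. That is benign, since the middleware only sets x-content-type-options, x-xss-protection and HSTS when the response does not already carry them, but the description's "functionally nothing changes" should say so explicitly given the position change is deliberate.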
@@ -490,7 +489,6 @@ SAML_NOT_AFTER_MINUTES = 15
490SECRET_KEY = ''489SECRET_KEY = ''
491SECURE_BROWSER_XSS_FILTER = True490SECURE_BROWSER_XSS_FILTER = True
492SECURE_CONTENT_TYPE_NOSNIFF = True491SECURE_CONTENT_TYPE_NOSNIFF = True
493SECURE_FRAME_DENY = False
494SECURE_HSTS_INCLUDE_SUBDOMAINS = True492SECURE_HSTS_INCLUDE_SUBDOMAINS = True
495SECURE_HSTS_SECONDS = 15552000493SECURE_HSTS_SECONDS = 15552000
496SECURE_PROXY_SSL_HEADER = None494SECURE_PROXY_SSL_HEADER = None
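Review bot: the description says SECURE_FRAME_DENY "was set to None", but the removed line is `SECURE_FRAME_DENY = False`; the conclusion is unchanged (djangosecure's frame-deny was off and XFrameOptionsMiddleware supplies SAMEORIGIN), but the description should match the diff. With djangosecure gone, `manage.py check --deploy` is the equivalent check; on these settings it will warn about SECURE_SSL_REDIRECT not being True (security.W008), which is expected if redirection is handled by the proxies and may be worth silencing via SILENCED_SYSTEM_CHECKS with a comment.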
diff --git a/requirements.txt b/requirements.txt
index 0577502..8c192ec 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,7 +12,6 @@ django-openid-auth==0.14
12django-pgtools==0.4.212django-pgtools==0.4.2
13django-piston==0.2.413django-piston==0.2.4
14django-preflight==0.2.014django-preflight==0.2.0
15django-secure==1.0.1
16django-statsd-mozilla==0.4.015django-statsd-mozilla==0.4.0
17enum34==1.1.616enum34==1.1.6
18gargoyle-yplan==1.2.517gargoyle-yplan==1.2.5
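Review bot: dropping the `django-secure==1.0.1` pin is the right companion to removing the app, but requirements.txt is the only packaging file in the diff; check that no constraints file, setup.py, packaging metadata or deployment charm still lists django-secure, otherwise the unmaintained package keeps being installed without being used.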
