~suligap/canonical-identity-provider:drop-djangosecure

Last commit made on 2020-05-26
Get this branch:
git clone -b drop-djangosecure https://git.launchpad.net/~suligap/canonical-identity-provider

Branch information

Name: drop-djangosecure
Repository: lp:~suligap/canonical-identity-provider

Recent commits

57f14a9... by Przemysław Suliga

Remove djangosecure from INSTALLED_APPS

5d1d22e... by Przemysław Suliga

Drop deprecated django-secure dependency

djangosecure was mostly swallowed by Django in 1.8:
https://docs.djangoproject.com/en/1.8/releases/1.8/#security-enhancements

And switch to django.middleware.security.SecurityMiddleware.

This has the additional benefit of no longer depending on a middleware class
that is not compatible with Django's "new style" MIDDLEWARE:
https://docs.djangoproject.com/en/1.11/topics/http/middleware/#upgrading-middleware

Functionally nothing changes with the djangosecure settings we use:

- `SECURE_BROWSER_XSS_FILTER = True` adds the
  `x-xss-protection: 1; mode=block` response header

- `SECURE_CONTENT_TYPE_NOSNIFF = True` adds the
  `x-content-type-options: nosniff` response header

- SECURE_HSTS_SECONDS and SECURE_HSTS_INCLUDE_SUBDOMAINS are also supported. As
  a side note: it looks like for SSO, HSTS might be configured in its reverse
  proxies, since the max-age values differ between what's being served by
  login.ubuntu.com and the value that exists in SSO's django settings. Also,
  SECURE_HSTS_PRELOAD is not configured in SSO's django settings but `preload`
  exists in responses from login.ubuntu.com.

- SECURE_SSL_REDIRECT (set to None currently) is also supported

- SECURE_FRAME_DENY is being dropped in this change as the behavior is already
  being overridden by Django's XFrameOptionsMiddleware configured in SSO.
  Functionally nothing changes and the `X-Frame-Options: SAMEORIGIN` header is
  being added to responses. This setting was set to None and it does not exist
  outside of djangosecure's middleware.

This change also puts the SecurityMiddleware first in the middleware list.
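As an added example (not code from this branch or from Django), a small audit helper that computes the headers `django.middleware.security.SecurityMiddleware` would emit for a given settings dict and compares them with the headers observed from a deployment; this is the kind of check that surfaces the HSTS discrepancy the commit message notes. The setting names are Django's; the sample settings and observed response are constructed, and the helper assumes an HTTPS request since the middleware only sends HSTS on secure requests.

```python
# Header semantics mirror django.middleware.security.SecurityMiddleware
# (HSTS since Django 1.8, SECURE_HSTS_PRELOAD since 1.11). Assumes an
# HTTPS request, since the middleware only sends HSTS on secure requests.
SECURITY_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "x-xss-protection")

def expected_security_headers(settings):
    """Headers SecurityMiddleware would add for a settings dict."""
    headers = {}
    hsts_seconds = settings.get("SECURE_HSTS_SECONDS") or 0
    if hsts_seconds > 0:
        value = "max-age=%d" % hsts_seconds
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        headers["strict-transport-security"] = value
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["x-content-type-options"] = "nosniff"
    if settings.get("SECURE_BROWSER_XSS_FILTER"):
        headers["x-xss-protection"] = "1; mode=block"
    return headers

def diff_security_headers(settings, observed):
    """Map header name -> (from settings, observed) for each mismatch; a value
    the settings cannot produce points at another layer (e.g. a reverse proxy)."""
    expected = expected_security_headers(settings)
    observed = {name.lower(): value for name, value in observed.items()}
    return {name: (expected.get(name), observed.get(name))
            for name in SECURITY_HEADERS
            if expected.get(name) != observed.get(name)}

# Constructed sample data (not taken from SSO): settings like the ones the
# commit lists, and a response whose HSTS value differs from them.
SAMPLE_SETTINGS = {
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_SECONDS": 3600,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
}
SAMPLE_OBSERVED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for name, (exp, obs) in diff_security_headers(SAMPLE_SETTINGS, SAMPLE_OBSERVED).items():
        print("%s: settings give %r, observed %r" % (name, exp, obs))
```

Run against a real deployment, the observed dict would come from the response headers of an HTTPS request; any header reported here was not produced by the Django settings being audited.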

1c9af4d... by Przemysław Suliga

Switch to talisker and simplify/standardise the Sentry config

Merged from https://code.launchpad.net/~suligap/canonical-identity-provider/+git/canonical-identity-provider/+merge/384254

b7aa595... by Daniel Manrique

Emit metrics when 2fa devices are added.

The metric includes the device type (automatically-added backup devices
have the fake "paper_auto" type) and subtype (for OATH devices which
can be TOTP or HOTP)

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/+git/canonical-identity-provider/+merge/384389

f08753b... by Daniel Manrique

Update lost device message with current contact info.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/+git/canonical-identity-provider/+merge/384426

eddb647... by Daniel Manrique

Update lost device message with current contact info

c6d5667... by Daniel Manrique

Emit metrics when 2fa devices are added.

The metric includes the device type (automatically-added backup devices
have the fake "paper_auto" type) and subtype (for OATH devices which
can be TOTP or HOTP)

014045c... by Daniel Manrique

Tests for 2fa device addition metrics

390c2e0... by Daniel Manrique

Add flows.2fa metric.

It can have success, error, or requested.

Note a failed 2fa check also emits a flows.login.error metric.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/+git/canonical-identity-provider/+merge/384351

d9a6d1f... by Daniel Manrique

Add flows.2fa metric.

It can have success, error, or requested.

Note a failed 2fa check also emits a flows.login.error metric.