Bug 1429028

Summary: [3.5] haproxy router should not set cookies as secure if InsecureEdgeTerminationPolicy is 'Allow' for reencrypt route
Product: OpenShift Container Platform
Reporter: Eric Paris <eparis>
Component: Networking
Assignee: Jacob Tanenbaum <jtanenba>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: aos-bugs, bbennett, bperkins, jtanenba, tdawson, zzhao
Version: 3.5.0
Keywords: Reopened
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1428720
Last Closed: 2017-04-12 19:14:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1428720

Description Eric Paris 2017-03-03 21:48:23 UTC
+++ This bug was initially created as a clone of Bug #1428720 +++

Description of problem:
When 'InsecureEdgeTerminationPolicy' is set to 'Allow' for a reencrypt route, the cookie should not be marked 'secure'.

Version-Release number of selected component (if applicable):
openshift v3.5.0.37
kubernetes v1.5.2+43a9be4
etcd 3.1.0


How reproducible:
always

Steps to Reproduce:
1. Create pod/service
2. Create a reencrypt route with 'InsecureEdgeTerminationPolicy' set to 'Allow'
3. Access the route and store the cookie
  # curl --resolve reen.example.com:80:10.66.140.17 http://reen.example.com -c cookie
4. Check the cookie
  # cat cookie


Actual results:

step 4: the part with * is 'TRUE'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***TRUE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Expected results:

it should be 'False'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***FALSE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Additional info:

There is a missing check in the reencrypt part:
  {{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
  {{ end }}

--- Additional comment from openshift-github-bot on 2017-03-03 14:57:53 EST ---

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/06cd1d1aae5b64a4b847aa7cbfbacf28200f563c
Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow"

Currently secure cookies are always generated for reencrypt routes; this changes
that to correctly create unsecured cookies when the InsecureEdgeTerminationPolicy is
"Allow".

Bug 1428720
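
Steps 3 and 4 of the reproduction can be turned into a repeatable check on the cookie jar that `curl -c` writes. This is an added example, not part of the original report or the OpenShift code; the function names and the sample jar (cookie name and value included) are constructed for illustration.

```shell
#!/bin/sh
# Netscape cookie jar fields (tab-separated):
#   domain, subdomains, path, secure, expiry, name, value

# Print "domain<TAB>name<TAB>secure<TAB>httponly" for each cookie in jar $1.
# curl writes HttpOnly cookies with a "#HttpOnly_" prefix, so those lines
# are cookies and must not be skipped as comments.
list_cookie_flags() {
    awk -F '\t' '
        { httponly = "FALSE" }
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, ""); httponly = "TRUE" }
        /^#/ || NF != 7 { next }
        { printf "%s\t%s\t%s\t%s\n", $1, $6, $4, httponly }
    ' "$1"
}

# Succeed only if jar $1 holds at least one cookie for host $2 and every
# such cookie has Secure flag $3 (TRUE or FALSE).
assert_secure_flag() {
    list_cookie_flags "$1" | awk -F '\t' -v host="$2" -v want="$3" '
        $1 == host { seen = 1; if ($3 != want) bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }
    '
}

# Constructed sample jar (cookie name and value are made up); $2 is the
# Secure flag to write.
write_sample_jar() {
    printf '# Netscape HTTP Cookie File\n\n' > "$1"
    printf '#HttpOnly_reen.example.com\tFALSE\t/\t%s\t0\tsamplekey\tsamplevalue\n' "$2" >> "$1"
}

jar=$(mktemp)
write_sample_jar "$jar" FALSE   # the expected result from this report
if assert_secure_flag "$jar" reen.example.com FALSE; then
    echo "OK: cookie is not marked Secure"
else
    echo "FAIL: cookie is marked Secure"
fi
rm -f "$jar"
```

Against a real router, point the check at the file written in step 3: `assert_secure_flag cookie reen.example.com FALSE`.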

Comment 1 Jacob Tanenbaum 2017-03-07 14:16:01 UTC
The fix was merged over from origin

Comment 3 Jacob Tanenbaum 2017-03-08 16:32:34 UTC
https://github.com/openshift/origin/pull/12802

Comment 5 Troy Dawson 2017-03-14 14:32:55 UTC
This has been merged into ocp and is in OCP v3.5.0.52 or newer.

Comment 7 zhaozhanqi 2017-03-15 03:33:56 UTC
Verified this bug on v3.5.0.52

The cookie will be set 'secure' for reencrypt if the request is not an HTTP request.

Comment 9 errata-xmlrpc 2017-04-12 19:14:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884