Bug 1428720

Summary: [3.6] haproxy router should not set cookies as secure if InsecureEdgeTerminationPolicy is 'Allow' for reencrypt route
Product: OpenShift Container Platform Reporter: zhaozhanqi <zzhao>
Component: Networking Assignee: Jacob Tanenbaum <jtanenba>
Networking sub component: router QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, bperkins, eparis, tdawson
Version: 3.5.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The logic in the haproxy router template did not account for 'Allow' as InsecureEdgeTerminationPolicy for reencrypt routes
Consequence: The cookie object was set as secure
Fix: Add logic to correctly tag the cookie as insecure when InsecureEdgeTerminationPolicy is 'Allow' for reencrypt routes
Result: Cookies are correctly set as insecure when InsecureEdgeTerminationPolicy is 'Allow' for reencrypt routes
Story Points: ---
Clone Of:
: 1429028 (view as bug list) Environment:
Last Closed: 2017-08-10 05:18:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1429028    

Description zhaozhanqi 2017-03-03 09:06:05 UTC
Description of problem:
When 'InsecureEdgeTerminationPolicy' is set to 'Allow' for a reencrypt route, the cookie should not be marked 'secure'.

Version-Release number of selected component (if applicable):
openshift v3.5.0.37
kubernetes v1.5.2+43a9be4
etcd 3.1.0


How reproducible:
always

Steps to Reproduce:
1. Create pod/service
2. Create a reencrypt route with 'InsecureEdgeTerminationPolicy' set to 'Allow'
3. Access the route and store the cookie
  # curl --resolve reen.example.com:80:10.66.140.17 http://reen.example.com -c cookie
4. Check the cookie
  # cat cookie


Actual results:

step 4: the part with * is 'TRUE'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***TRUE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Expected results:

it should be 'False'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***FALSE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Additional info:

There is a missing check in the reencrypt part:
  {{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
  {{ end }}
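
A scripted form of the step 4 check, added here as an example and not part of the original report or the router code base. It reads a curl cookie jar and reports each cookie's Secure column; the function names and the sample jar (cookie name and value are placeholders) are constructed for illustration.

```shell
#!/bin/sh
# List each cookie in a curl (Netscape-format) cookie jar with its Secure flag.
# Tab-separated columns: domain, include-subdomains, path, secure, expiry, name, value.
cookie_flags() {
    awk '{
        line = $0
        httponly = "no"
        # curl stores HttpOnly cookies as "#HttpOnly_<domain>"; these lines are
        # cookies, not comments, so strip the prefix before the comment test.
        if (sub(/^#HttpOnly_/, "", line)) httponly = "yes"
        if (line ~ /^#/ || line ~ /^[ \t]*$/) next
        if (split(line, f, "\t") != 7) next
        print f[1], f[6], "secure=" f[4], "httponly=" httponly
    }' "$1"
}

# Succeeds only if the jar holds at least one cookie and none is marked Secure,
# the expected result for a route with policy Allow when fetched over plain HTTP.
no_secure_cookies() {
    flags=$(cookie_flags "$1")
    [ -n "$flags" ] || return 1
    ! printf '%s\n' "$flags" | grep -q 'secure=TRUE'
}

# Build a constructed sample jar. $1 = output file, $2 = TRUE or FALSE (secure column).
make_jar() {
    {
        printf '# Netscape HTTP Cookie File\n\n'
        printf '#HttpOnly_reen.example.com\tFALSE\t/\t%s\t0\tsamplename\tsamplevalue\n' "$2"
    } > "$1"
}

# Demo on a constructed jar that mirrors the "Actual results" case (secure column TRUE).
jar=$(mktemp)
make_jar "$jar" TRUE
cookie_flags "$jar"
no_secure_cookies "$jar" || echo "FAIL: router cookie is marked Secure"
rm -f "$jar"
```

Against a real router, point `cookie_flags` at the file written by `curl -c` in step 3.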

Comment 1 openshift-github-bot 2017-03-03 19:57:53 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/06cd1d1aae5b64a4b847aa7cbfbacf28200f563c
Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow"

Currently, secure cookies are always generated for reencrypt routes. This changes
that to correctly create unsecured cookies when InsecureEdgeTermination policy is
"Allow".

Bug 1428720

Comment 2 Troy Dawson 2017-04-11 20:57:26 UTC
This has been merged into ocp and is in OCP v3.6.27 or newer.

Comment 4 zhaozhanqi 2017-04-12 06:58:50 UTC
Verified this bug on openshift v3.6.27
with haproxy image:
openshift3/ose-haproxy-router    v3.6.27             d4fc46b62c76

Comment 6 errata-xmlrpc 2017-08-10 05:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716