Bug 1429028 - [3.5] haproxy router should not set cookies as secure if InsecureEdgeTerminationPolicy is 'Allow' for reencrypt route
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing (Show other bugs)
Version: 3.5.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Assigned To: jtanenba
zhaozhanqi
: Reopened
Depends On: 1428720
Blocks:
Reported: 2017-03-03 16:48 EST by Eric Paris
Modified: 2017-07-24 10 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1428720
Environment:
Last Closed: 2017-04-12 15:14:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 12802 None None None 2017-03-08 11:32 EST
Red Hat Product Errata RHBA-2017:0884 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 18:50:07 EDT

Description Eric Paris 2017-03-03 16:48:23 EST
+++ This bug was initially created as a clone of Bug #1428720 +++

Description of problem:
When 'InsecureEdgeTerminationPolicy' is set to 'Allow' for a reencrypt route, the cookie should not be marked 'secure'.

Version-Release number of selected component (if applicable):
openshift v3.5.0.37
kubernetes v1.5.2+43a9be4
etcd 3.1.0


How reproducible:
always

Steps to Reproduce:
1. Create pod/service
2. Create reencrypt route with 'InsecureEdgeTerminationPolicy' is 'Allow'
3. Access the route and store the cookie
  # curl --resolve reen.example.com:80:10.66.140.17 http://reen.example.com -c cookie
4. Check the cookie
  # cat cookie


Actual results:

step 4: the part with * is 'TRUE'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***TRUE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Expected results:

it should be 'False'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***FALSE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Additional info:

there is a missing check in the reencrypt part:
  {{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
  {{ end }}

--- Additional comment from openshift-github-bot on 2017-03-03 14:57:53 EST ---

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/06cd1d1aae5b64a4b847aa7cbfbacf28200f563c
Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow"

Currently, secure cookies are always generated for reencrypt routes. This changes
that to correctly create unsecured cookies when InsecureEdgeTerminationPolicy is
"Allow".

Bug 1428720
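As an added illustration (not the project's own template or test code, and not part of the original report): the reencrypt template fragment quoted above rendered with Go's text/template, beside an assumed corrected form that only emits `secure` when InsecureEdgeTerminationPolicy is not "Allow". The RouteConfig type, its field names and the matchPattern helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// RouteConfig carries the fields the fragment reads ($cfg in the template); constructed for this example.
type RouteConfig struct {
	RoutingKeyName                string
	InsecureEdgeTerminationPolicy string
	Annotations                   map[string]string
}

// matchPattern stands in for the router's template helper: true when s fully matches pattern (assumed semantics).
func matchPattern(pattern, s string) bool {
	matched, err := regexp.MatchString("^(?:"+pattern+")$", s)
	return err == nil && matched
}

// beforeTmpl is the fragment from the report: "secure" is appended unconditionally.
const beforeTmpl = `{{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
{{ end }}`

// afterTmpl gates "secure" on the policy, so plain-HTTP clients can still send the cookie back (assumed shape of the fix).
const afterTmpl = `{{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly{{ if ne $cfg.InsecureEdgeTerminationPolicy "Allow" }} secure{{ end }}
{{ end }}`

// Render executes a fragment with $cfg bound to cfg and returns the trimmed haproxy config line (empty if cookies are disabled).
func Render(tmpl string, cfg RouteConfig) string {
	t := template.Must(template.New("frag").Funcs(template.FuncMap{"matchPattern": matchPattern}).Parse(`{{ $cfg := . }}` + tmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, cfg); err != nil {
		panic(err)
	}
	return strings.TrimSpace(sb.String())
}

// CookieIsSecure reports whether the rendered cookie directive carries the "secure" flag.
func CookieIsSecure(tmpl string, cfg RouteConfig) bool {
	return strings.Contains(Render(tmpl, cfg), " secure")
}

func main() {
	allow := RouteConfig{RoutingKeyName: "abc123", InsecureEdgeTerminationPolicy: "Allow", Annotations: map[string]string{}}
	fmt.Println("before, Allow:", CookieIsSecure(beforeTmpl, allow)) // true: the bug
	fmt.Println("after, Allow: ", CookieIsSecure(afterTmpl, allow))  // false
}
```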
Comment 1 jtanenba 2017-03-07 09:16:01 EST
The fix was merged over from origin
Comment 5 Troy Dawson 2017-03-14 10:32:55 EDT
This has been merged into ocp and is in OCP v3.5.0.52 or newer.
Comment 7 zhaozhanqi 2017-03-14 23:33:56 EDT
Verified this bug on v3.5.0.52

the cookie will be set 'secure' if it is not an http request for reencrypt
Comment 9 errata-xmlrpc 2017-04-12 15:14:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
