Bug 1429028 - [3.5] haproxy router should not set cookies as secure if InsecureEdgeTerminationPolicy is 'Allow' for reencrypt route
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: All
OS: All
medium
medium
Target Milestone: ---
: ---
Assignee: Jacob Tanenbaum
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On: 1428720
Blocks:
Reported: 2017-03-03 21:48 UTC by Eric Paris
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1428720
Environment:
Last Closed: 2017-04-12 19:14:35 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Origin (Github) 12802 0 None None None 2017-03-08 16:32:33 UTC
Red Hat Product Errata RHBA-2017:0884 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 22:50:07 UTC

Description Eric Paris 2017-03-03 21:48:23 UTC
+++ This bug was initially created as a clone of Bug #1428720 +++

Description of problem:
When 'InsecureEdgeTerminationPolicy' is set to 'Allow' for a reencrypt route, the cookie should not be marked 'secure'.

Version-Release number of selected component (if applicable):
openshift v3.5.0.37
kubernetes v1.5.2+43a9be4
etcd 3.1.0


How reproducible:
always

Steps to Reproduce:
1. Create pod/service
2. Create a reencrypt route with 'InsecureEdgeTerminationPolicy' set to 'Allow'
3. Access the route and store the cookie
  # curl --resolve reen.example.com:80:10.66.140.17 http://reen.example.com -c cookie
4. Check the cookie
  # cat cookie


Actual results:

step 4: the part with * is 'TRUE'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***TRUE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Expected results:

it should be 'False'

# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com	FALSE	/	***FALSE***	0	aa8cbbcaffb926b10626caa7909176ee	4650cd02b0c49d73fbff41d387fbe618

Additional info:

A check is lacking in the reencrypt part:
  {{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
  {{ end }}

--- Additional comment from openshift-github-bot on 2017-03-03 14:57:53 EST ---

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/06cd1d1aae5b64a4b847aa7cbfbacf28200f563c
Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow"

Currently, secure cookies are always generated for reencrypt routes. This changes
that to correctly create unsecured cookies when InsecureEdgeTermination policy is
"Allow".

Bug 1428720
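
Added example, not part of the original report or of the OpenShift code: a shell check for step 4 that parses the curl cookie jar, treating "#HttpOnly_" lines as cookies rather than comments, and reports any cookie whose secure field is TRUE. The function names, the cookie name ROUTECOOKIE and the jar contents are constructed for illustration.

```shell
#!/bin/sh
# list_cookie_flags JAR
# Emit "domain<TAB>name<TAB>secure<TAB>httponly" for each cookie in a
# Netscape/curl cookie jar.
list_cookie_flags() {
    awk -F '\t' '
    {
        httponly = "FALSE"
        # curl writes HttpOnly cookies as "#HttpOnly_<domain>". Those lines
        # are cookies, not comments, so strip the prefix instead of skipping.
        if (sub(/^#HttpOnly_/, "")) httponly = "TRUE"
        else if ($0 ~ /^#/) next
        if (NF != 7) next    # blank or malformed line
        # Fields: domain, subdomains, path, secure, expiry, name, value
        print $1 "\t" $6 "\t" $4 "\t" httponly
    }' "$1"
}

# secure_cookies_over_http JAR
# Print every cookie flagged secure; exit status is 0 when there are none.
# Intended for a jar saved from an http:// request to a route whose
# InsecureEdgeTerminationPolicy is Allow, where any output is this bug.
secure_cookies_over_http() {
    list_cookie_flags "$1" | awk -F '\t' '
        $3 == "TRUE" { print; found = 1 }
        END { exit found + 0 }'
}

# Constructed sample jars in the layout shown in the report
# (cookie name and value are placeholders).
jar_dir=$(mktemp -d)
printf '# Netscape HTTP Cookie File\n\n#HttpOnly_reen.example.com\tFALSE\t/\tTRUE\t0\tROUTECOOKIE\tvalue1\n' > "$jar_dir/before"
printf '# Netscape HTTP Cookie File\n\n#HttpOnly_reen.example.com\tFALSE\t/\tFALSE\t0\tROUTECOOKIE\tvalue1\n' > "$jar_dir/after"

for jar in before after; do
    if secure_cookies_over_http "$jar_dir/$jar" >/dev/null; then
        echo "$jar: ok, no secure cookie in the jar"
    else
        echo "$jar: secure cookie set on a plain-HTTP response"
    fi
done
```

A secure cookie handed out over plain HTTP is not sent back by the client on later http:// requests, so on a route that allows insecure traffic the routing cookie has no effect.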

Comment 1 Jacob Tanenbaum 2017-03-07 14:16:01 UTC
The fix was merged over from origin

Comment 3 Jacob Tanenbaum 2017-03-08 16:32:34 UTC
https://github.com/openshift/origin/pull/12802

Comment 5 Troy Dawson 2017-03-14 14:32:55 UTC
This has been merged into ocp and is in OCP v3.5.0.52 or newer.

Comment 7 zhaozhanqi 2017-03-15 03:33:56 UTC
Verified this bug on v3.5.0.52

The cookie will be set 'secure' for reencrypt routes if the request is not an HTTP request.

Comment 9 errata-xmlrpc 2017-04-12 19:14:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884

