action #66610: Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts - openQA Infrastructure - openSUSE Project Management Tool

Custom queries

openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (ready issues)
QE tools team - backlog (w/o infra)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (w/o infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #66610

open

Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

Added by mkittler almost 4 years ago. Updated over 3 years ago.

Status:

New

Priority:

Low

Assignee:

Category:

Target version:

QA - future

Start date:

2020-05-05

Due date:

% Done:

Estimated time:

Description

~~The OpenID login does not work with plain HTTP anymore~~ openID login can fail on https enabled openQA instances so at least the /login route should redirect to HTTPS . Besides, without HTTPS the session is likely not secure at all (e.g. a man in the middle could inject JavaScript and for instance do arbitrary AJAX calls to openQA's API).

notes¶

Take care that the workers can still connect. I'm not sure whether they will use HTTPS automatically so it might be required to use HOST = http://... in workers.ini (at least if enforcing SSL for everything and not just the /login route).

History
Notes
Property changes

Actions

Copy link

Updated by okurz almost 4 years ago

Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) to Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts
Description updated (diff)

Not sure if you maybe missed my comment in rocket chat where I wrote "I just checked again, from an openQA instance on http://localhost using openID I can login flawlessly and I am redirected to http://localhost when I enabled "httpsonly = 0" in /etc/openqa/openqa.ini as is described in the documentation. If you want to try out openid+http go to http://okurz-vm.qa.suse.de

I updated the description to reflect that this concerns https-enabled instances, not the generic case. Ok like this?

I would trust that any recent browser that supports javascript is automatically redirecting to the available https routes as available. So the problem might concern only /login redirection while we can still keep read-only access without enforcing https.

Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?

Actions

Copy link

Updated by okurz almost 4 years ago

Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts to Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

Actions

Copy link

Updated by mkittler almost 4 years ago

Not sure if you maybe missed my comment in rocket chat […]

Yes, I've missed that and it works on your instance indeed.

Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?

That is generally possible as well. I'm not sure how much knowledge the "Perl code" needs/has about the reverse proxy setup to make it work, though.

Actions

Copy link

Updated by okurz almost 4 years ago

Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts to Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

Actions

Copy link