From 5a8200f17a4d1168686ceaa8c77d72daf07b5fe9 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 13 Oct 2016 14:49:29 -0400
Subject: [PATCH] Add option to properly handle external TLS

Fixes #1984
---
 .../directives/config/config-setup-tool.html  | 38 +++++++++++--------
 static/js/core-config-setup.js                | 31 +++++++++++++++
 util/config/validator.py                      |  6 +++
 3 files changed, 59 insertions(+), 16 deletions(-)
diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html
index 8cbc13b02..c86187488 100644
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@@ -110,24 +110,30 @@
             </td>
           </tr>
           <tr>
-            <td>SSL:</td>
+            <td>TLS:</td>
             <td>
-              <label class="config-bool-field-element">
-                <input type="checkbox" ng-model="config.PREFERRED_URL_SCHEME"
-                       ng-true-value="'https'" ng-false-value="'http'">
-                Enable SSL
-              </label>
+              <select class="form-control" ng-model="mapped.TLS_SETTING">
+                <option value="internal-tls">Quay Enterprise handles TLS</option>
+                <option value="external-tls">My own load balancer handles TLS (Not Recommended)</option>
+                <option value="none">None (Not For Production)</option>
+              </select>
 
-              <div class="help-text" style="margin-bottom: 10px">
-                 A valid SSL certificate and private key files are required to use this option.
+              <div class="co-alert co-alert-danger" ng-if="mapped.TLS_SETTING == 'none'" style="margin-bottom: 20px">
+                Running without TLS should not be used for production workloads!
               </div>
 
-              <div class="co-alert co-alert-info" ng-if="config.PREFERRED_URL_SCHEME == 'https'" style="margin-bottom: 20px">
-                Enabling SSL also enables <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">HTTP Strict Transport Security</a>.<br/>
+              <div class="co-alert co-alert-warning" ng-if="mapped.TLS_SETTING == 'external-tls'" style="margin-bottom: 20px">
+                Terminating TLS outside of Quay Enterprise can result in unusual behavior if the external load balancer is not
+                configured properly. <strong>This option is not recommended for simple setups</strong>. Please contact support
+                if you encounter problems while using this option.
+              </div>
+
+              <div class="co-alert co-alert-info" ng-if="mapped.TLS_SETTING == 'internal-tls'" style="margin-bottom: 20px">
+                Enabling TLS also enables <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">HTTP Strict Transport Security</a>.<br/>
                 This prevents downgrade attacks and cookie theft, but browsers will reject all future insecure connections on this hostname.
               </div>
 
-              <table class="config-table"  ng-if="config.PREFERRED_URL_SCHEME == 'https'">
+              <table class="config-table"  ng-if="mapped.TLS_SETTING == 'internal-tls'">
                 <tr>
                   <td class="non-input">Certificate:</td>
                   <td>
@@ -272,7 +278,7 @@
                         {{ field.placeholder }}
                   </span>
                   <div ng-if="field.kind == 'option'">
-                    <select ng-model="sc.data[1][field.name]">
+                    <select class="form-control" ng-model="sc.data[1][field.name]">
                       <option ng-repeat="value in field.values" value="{{ value }}"
                               ng-selected="sc.data[1][field.name] == value">{{ value }}</option>
                     </select>
@@ -495,7 +501,7 @@
           <tr>
             <td class="non-input">Authentication:</td>
             <td>
-              <select ng-model="config.AUTHENTICATION_TYPE">
+              <select class="form-control" ng-model="config.AUTHENTICATION_TYPE">
                 <option value="Database">Local Database</option>
                 <option value="LDAP">LDAP</option>
                 <option value="Keystone">Keystone (OpenStack Identity)</option>
@@ -739,7 +745,7 @@
           <tr>
             <td>GitHub:</td>
             <td>
-              <select ng-model="mapped.GITHUB_LOGIN_KIND">
+              <select class="form-control" ng-model="mapped.GITHUB_LOGIN_KIND">
                 <option value="hosted">GitHub.com</option>
                 <option value="enterprise">GitHub Enterprise</option>
               </select>
@@ -887,7 +893,7 @@
           <tr>
             <td>GitHub:</td>
             <td>
-              <select ng-model="mapped.GITHUB_TRIGGER_KIND">
+              <select class="form-control" ng-model="mapped.GITHUB_TRIGGER_KIND">
                 <option value="hosted">GitHub.com</option>
                 <option value="enterprise">GitHub Enterprise</option>
               </select>
@@ -997,7 +1003,7 @@
           <tr>
             <td>GitLab:</td>
             <td>
-              <select ng-model="mapped.GITLAB_TRIGGER_KIND">
+              <select class="form-control" ng-model="mapped.GITLAB_TRIGGER_KIND">
                 <option value="hosted">GitLab.com</option>
                 <option value="enterprise">GitLab CE/EE</option>
               </select>
diff --git a/static/js/core-config-setup.js b/static/js/core-config-setup.js
index 4d9f5b138..c47ba2f77 100644
--- a/static/js/core-config-setup.js
+++ b/static/js/core-config-setup.js
@@ -479,6 +479,36 @@ angular.module("core-config-setup", ['angularFileUpload'])
           $scope.mapped['redis']['host'] = getKey(config, 'BUILDLOGS_REDIS.host') || getKey(config, 'USER_EVENTS_REDIS.host');
           $scope.mapped['redis']['port'] = getKey(config, 'BUILDLOGS_REDIS.port') || getKey(config, 'USER_EVENTS_REDIS.port');
           $scope.mapped['redis']['password'] = getKey(config, 'BUILDLOGS_REDIS.password') || getKey(config, 'USER_EVENTS_REDIS.password');
+
+          $scope.mapped['TLS_SETTING'] = 'none';
+          if (config['PREFERRED_URL_SCHEME'] == 'https') {
+            if (config['EXTERNAL_TLS_TERMINATION'] === true) {
+              $scope.mapped['TLS_SETTING'] = 'external-tls';
+            } else {
+              $scope.mapped['TLS_SETTING'] = 'internal-tls';
+            }
+          }
+        };
+
+        var tlsSetter = function(value) {
+            if (value == null || !$scope.config) { return; }
+
+            switch (value) {
+              case 'none':
+                $scope.config['PREFERRED_URL_SCHEME'] = 'http';
+                delete $scope.config['EXTERNAL_TLS_TERMINATION'];
+                return;
+
+              case 'external-tls':
+                $scope.config['PREFERRED_URL_SCHEME'] = 'https';
+                $scope.config['EXTERNAL_TLS_TERMINATION'] = true;
+                return;
+
+              case 'internal-tls':
+                $scope.config['PREFERRED_URL_SCHEME'] = 'https';
+                delete $scope.config['EXTERNAL_TLS_TERMINATION'];
+                return;
+            }
         };
 
         var redisSetter = function(keyname) {
@@ -508,6 +538,7 @@ angular.module("core-config-setup", ['angularFileUpload'])
         $scope.$watch('mapped.GITHUB_LOGIN_KIND', githubSelector('GITHUB_LOGIN_CONFIG'));
         $scope.$watch('mapped.GITHUB_TRIGGER_KIND', githubSelector('GITHUB_TRIGGER_CONFIG'));
         $scope.$watch('mapped.GITLAB_TRIGGER_KIND', gitlabSelector('GITLAB_TRIGGER_KIND'));
+        $scope.$watch('mapped.TLS_SETTING', tlsSetter);
 
         $scope.$watch('mapped.redis.host', redisSetter('host'));
         $scope.$watch('mapped.redis.port', redisSetter('port'));
diff --git a/util/config/validator.py b/util/config/validator.py
index 73696aa26..e824b210c 100644
--- a/util/config/validator.py
+++ b/util/config/validator.py
@@ -242,9 +242,15 @@ def _validate_google_login(config, _):
 
 def _validate_ssl(config, _):
   """ Validates the SSL configuration (if enabled). """
+
+  # Skip if non-SSL.
   if config.get('PREFERRED_URL_SCHEME', 'http') != 'https':
     return
 
+  # Skip if externally terminated.
+  if config.get('EXTERNAL_TLS_TERMINATION', False) == True:
+    return
+
   for filename in SSL_FILENAMES:
     if not config_provider.volume_file_exists(filename):
       raise Exception('Missing required SSL file: %s' % filename)

Certificate:	@@ -272,7 +278,7 @@ {{ field.placeholder }} - @@ -495,7 +501,7 @@
Authentication:	- @@ -739,7 +745,7 @@
GitHub:	- @@ -887,7 +893,7 @@
GitHub:	- @@ -997,7 +1003,7 @@
GitLab:	- diff --git a/static/js/core-config-setup.js b/static/js/core-config-setup.js index 4d9f5b138..c47ba2f77 100644 --- a/static/js/core-config-setup.js +++ b/static/js/core-config-setup.js @@ -479,6 +479,36 @@ angular.module("core-config-setup", ['angularFileUpload']) $scope.mapped['redis']['host'] = getKey(config, 'BUILDLOGS_REDIS.host') \|\| getKey(config, 'USER_EVENTS_REDIS.host'); $scope.mapped['redis']['port'] = getKey(config, 'BUILDLOGS_REDIS.port') \|\| getKey(config, 'USER_EVENTS_REDIS.port'); $scope.mapped['redis']['password'] = getKey(config, 'BUILDLOGS_REDIS.password') \|\| getKey(config, 'USER_EVENTS_REDIS.password'); + + $scope.mapped['TLS_SETTING'] = 'none'; + if (config['PREFERRED_URL_SCHEME'] == 'https') { + if (config['EXTERNAL_TLS_TERMINATION'] === true) { + $scope.mapped['TLS_SETTING'] = 'external-tls'; + } else { + $scope.mapped['TLS_SETTING'] = 'internal-tls'; + } + } + }; + + var tlsSetter = function(value) { + if (value == null \|\| !$scope.config) { return; } + + switch (value) { + case 'none': + $scope.config['PREFERRED_URL_SCHEME'] = 'http'; + delete $scope.config['EXTERNAL_TLS_TERMINATION']; + return; + + case 'external-tls': + $scope.config['PREFERRED_URL_SCHEME'] = 'https'; + $scope.config['EXTERNAL_TLS_TERMINATION'] = true; + return; + + case 'internal-tls': + $scope.config['PREFERRED_URL_SCHEME'] = 'https'; + delete $scope.config['EXTERNAL_TLS_TERMINATION']; + return; + } }; var redisSetter = function(keyname) { @@ -508,6 +538,7 @@ angular.module("core-config-setup", ['angularFileUpload']) $scope.$watch('mapped.GITHUB_LOGIN_KIND', githubSelector('GITHUB_LOGIN_CONFIG')); $scope.$watch('mapped.GITHUB_TRIGGER_KIND', githubSelector('GITHUB_TRIGGER_CONFIG')); $scope.$watch('mapped.GITLAB_TRIGGER_KIND', gitlabSelector('GITLAB_TRIGGER_KIND')); + $scope.$watch('mapped.TLS_SETTING', tlsSetter); $scope.$watch('mapped.redis.host', redisSetter('host')); $scope.$watch('mapped.redis.port', redisSetter('port')); diff --git a/util/config/validator.py b/util/config/validator.py index 73696aa26..e824b210c 100644 --- a/util/config/validator.py +++ b/util/config/validator.py @@ -242,9 +242,15 @@ def _validate_google_login(config, _): def _validate_ssl(config, _): """ Validates the SSL configuration (if enabled). """ + + # Skip if non-SSL. if config.get('PREFERRED_URL_SCHEME', 'http') != 'https': return + # Skip if externally terminated. + if config.get('EXTERNAL_TLS_TERMINATION', False) == True: + return + for filename in SSL_FILENAMES: if not config_provider.volume_file_exists(filename): raise Exception('Missing required SSL file: %s' % filename)