From 44d43814826467b64f48275363749f87f4dc2b3e Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 00:12:33 +0200 Subject: [PATCH 01/16] Add support for setting custom value for SameSite attribute for "auth-token" cookie we set when authentication against st2api from st2web. For backward compatibility reasons it defaults to none. --- CHANGELOG.rst | 9 +++++++++ st2api/st2api/cmd/api.py | 5 +++++ st2common/st2common/config.py | 9 +++++++++ st2common/st2common/router.py | 1 + 4 files changed, 24 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4232e28ffc..0b6c823eae 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -78,6 +78,15 @@ Added Contributed by @Kami. +* Add new ``api.same_site_cookie`` config option with which user can control the value for + ``SameSite`` attribute for the ``auth-token`` cookie we set when authenticating via st2web. + + For backward compatibility reasons it defaults to ``none``. Users who don't need to support old + browsers or have some other specific reason to disable it and encouraged to set this option to + ``strict``. + + Contributed by @Kami. + Changed ~~~~~~~ diff --git a/st2api/st2api/cmd/api.py b/st2api/st2api/cmd/api.py index e8cc71e875..d7abe6b91d 100644 --- a/st2api/st2api/cmd/api.py +++ b/st2api/st2api/cmd/api.py @@ -68,6 +68,11 @@ def _setup(): # Additional pre-run time checks validate_rbac_is_correctly_configured() + if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none"]: + raise ValueError( + "Valid values for api.same_site_cookie config options are: strict, lax, none" + ) + def _run_server(): host = cfg.CONF.api.host diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index cf2ada4ee3..150d094502 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py 
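Review bot: The new `same_site_cookie` check in `_setup()` runs only for the `st2api` console entry point, so a deployment that loads `st2api.app.setup_app` directly under a WSGI server would start with an invalid value and only notice when the router builds the cookie. Placing the check next to the existing `validate_rbac_is_correctly_configured()` call in `setup_app`, as a function in st2api/validation.py, covers both entry points with one implementation. The comparison is also case-sensitive, so `Strict` is rejected while `strict` passes; either say so in the option's help text or compare `cfg.CONF.api.same_site_cookie.lower()`. `_setup()` continues outside the hunk.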
@@ -373,6 +373,15 @@ def register_opts(ignore_errors=False): default=True, help="True to mask secrets in the API responses", ), + cfg.StrOpt( + "same_site_cookie", + default="none", + help="SameSite attribute value for the " + "auth-token cookie we set on successful authentication from st2web. Valid values are " + "strict, lax, none. If you " + "don't have a specific reason (e.g. supporting old browsers) you are " + "recommended to set this value to strict.", + ), ] do_register_opts(api_opts, "api", ignore_errors) diff --git a/st2common/st2common/router.py b/st2common/st2common/router.py index fa9c002354..16d1ac18a2 100644 --- a/st2common/st2common/router.py +++ b/st2common/st2common/router.py @@ -383,6 +383,7 @@ def __call__(self, req): token, max_age=max_age, httponly=True, + samesite=cfg.CONF.api.same_site_cookie, ) break From e94f968a4193c74d7f0553ae717e26be354a89c6 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 14:25:54 +0200 Subject: [PATCH 02/16] Call validation on app init, add tests for it. --- st2api/st2api/app.py | 2 ++ st2api/st2api/cmd/api.py | 7 ++----- st2api/st2api/validation.py | 22 ++++++++++++++++++++-- st2api/tests/unit/test_validation_utils.py | 12 ++++++++++++ 4 files changed, 36 insertions(+), 7 deletions(-) diff --git a/st2api/st2api/app.py b/st2api/st2api/app.py index 0495338000..c967c54ace 100644 --- a/st2api/st2api/app.py +++ b/st2api/st2api/app.py @@ -28,6 +28,7 @@ from st2common.constants.system import VERSION_STRING from st2common.service_setup import setup as common_setup from st2common.util import spec_loader +from st2api.validation import validate_same_cookie_is_correctly_configured from st2api.validation import validate_rbac_is_correctly_configured LOG = logging.getLogger(__name__) @@ -66,6 +67,7 @@ def setup_app(config=None): ) # Additional pre-run time checks + validate_same_cookie_is_correctly_configured() validate_rbac_is_correctly_configured() router = Router( 
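Review bot: `default="none"` for `same_site_cookie` is not a backward-compatible default: an absent `SameSite` attribute (the previous behaviour) is treated as Lax by current browsers, whereas an explicit `SameSite=None` opts the auth cookie into cross-site requests and is only honoured together with the `Secure` flag. The router.py hunk in this commit passes `samesite=cfg.CONF.api.same_site_cookie` with `httponly=True` but no `secure` argument, so with this default the cookie is likely to be rejected by browsers, and the error text expected by a test later in this series (`Incompatible cookie attributes: when the samesite equals 'none', then the secure must be True`) suggests webob refuses to build it at all. Prefer `default=None` (attribute omitted) or `default="lax"`, and set `secure` alongside `samesite` in the router. `register_opts` and `Router.__call__` both continue outside their hunks.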
diff --git a/st2api/st2api/cmd/api.py b/st2api/st2api/cmd/api.py index d7abe6b91d..ae58fe9662 100644 --- a/st2api/st2api/cmd/api.py +++ b/st2api/st2api/cmd/api.py @@ -36,6 +36,7 @@ config.register_opts(ignore_errors=True) from st2api import app +from st2api.validation import validate_same_cookie_is_correctly_configured from st2api.validation import validate_rbac_is_correctly_configured __all__ = ["main"] @@ -66,13 +67,9 @@ def _setup(): ) # Additional pre-run time checks + validate_same_cookie_is_correctly_configured() validate_rbac_is_correctly_configured() - if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none"]: - raise ValueError( - "Valid values for api.same_site_cookie config options are: strict, lax, none" - ) - def _run_server(): host = cfg.CONF.api.host diff --git a/st2api/st2api/validation.py b/st2api/st2api/validation.py index 42120c57bf..bc9a52dc8f 100644 --- a/st2api/st2api/validation.py +++ b/st2api/st2api/validation.py @@ -15,10 +15,28 @@ from oslo_config import cfg -__all__ = ["validate_rbac_is_correctly_configured"] +__all__ = [ + "validate_same_cookie_is_correctly_configured", + "validate_rbac_is_correctly_configured", +] -def validate_rbac_is_correctly_configured(): +def validate_same_cookie_is_correctly_configured() -> bool: + """ + Function which verifies that SameCookie config option value is correctly configured. + + This method should be called in the api init phase so we catch any misconfiguration issues + before startup. + """ + if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none"]: + raise ValueError( + "Valid values for api.same_site_cookie config option are: strict, lax, none." + ) + + return True + + +def validate_rbac_is_correctly_configured() -> bool: """ Function which verifies that RBAC is correctly set up and configured. """ diff --git a/st2api/tests/unit/test_validation_utils.py b/st2api/tests/unit/test_validation_utils.py index bad17b22a5..a16b48da16 100644 --- a/st2api/tests/unit/test_validation_utils.py 
+++ b/st2api/tests/unit/test_validation_utils.py @@ -16,6 +16,7 @@ import unittest2 from oslo_config import cfg +from st2api.validation import validate_same_cookie_is_correctly_configured from st2api.validation import validate_rbac_is_correctly_configured from st2tests import config as tests_config @@ -27,6 +28,17 @@ def setUp(self): super(ValidationUtilsTestCase, self).setUp() tests_config.parse_args() + def test_validate_same_cookie_is_correctly_configured_success(self): + valid_values = [ + "strict", + "lax", + "none", + ] + + for value in valid_values: + cfg.CONF.set_override(group="api", name="same_site_cookie", override=value) + self.assertTrue(validate_same_cookie_is_correctly_configured()) + def test_validate_rbac_is_correctly_configured_succcess(self): result = validate_rbac_is_correctly_configured() self.assertTrue(result) From c914a40b62d35d15edec6690e115c6915084e534 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 14:34:44 +0200 Subject: [PATCH 03/16] Also add API level tests for it. --- st2api/st2api/validation.py | 2 +- st2api/tests/unit/controllers/v1/test_auth.py | 36 +++++++++++++++++++ st2common/st2common/config.py | 4 +-- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/st2api/st2api/validation.py b/st2api/st2api/validation.py index bc9a52dc8f..c0d732f7d1 100644 --- a/st2api/st2api/validation.py +++ b/st2api/st2api/validation.py @@ -28,7 +28,7 @@ def validate_same_cookie_is_correctly_configured() -> bool: This method should be called in the api init phase so we catch any misconfiguration issues before startup. """ - if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none"]: + if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none", None]: raise ValueError( "Valid values for api.same_site_cookie config option are: strict, lax, none." ) diff --git a/st2api/tests/unit/controllers/v1/test_auth.py b/st2api/tests/unit/controllers/v1/test_auth.py index d6f3602c3c..92cd8169a7 100644 
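Review bot: `test_validate_same_cookie_is_correctly_configured_success` calls `cfg.CONF.set_override` in a loop but never clears it, so whichever value runs last (`none`) stays in the process-wide config for every test executed afterwards; the loop added to test_auth.py in the next commit has the same problem. Register the cleanup before the loop, `self.addCleanup(cfg.CONF.clear_override, group="api", name="same_site_cookie")`, or clear the override in `tearDown`, so the override cannot change the behaviour of unrelated tests. `ValidationUtilsTestCase` continues outside the hunk.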
--- a/st2api/tests/unit/controllers/v1/test_auth.py +++ b/st2api/tests/unit/controllers/v1/test_auth.py @@ -18,6 +18,7 @@ import bson import mock +from oslo_config import cfg from st2tests.api import FunctionalTest from st2common.util import date as date_utils @@ -69,6 +70,41 @@ def test_token_validation_token_in_query_params(self): self.assertIn("application/json", response.headers["content-type"]) self.assertEqual(response.status_int, 200) + @mock.patch.object( + Token, + "get", + mock.Mock( + return_value=TokenDB(id=OBJ_ID, user=USER, token=TOKEN, expiry=FUTURE) + ), + ) + @mock.patch.object(User, "get_by_name", mock.Mock(return_value=USER_DB)) + def test_token_validation_token_in_query_params_cookie_is_set(self): + response = self.app.get( + "/v1/actions?x-auth-token=%s" % (TOKEN), expect_errors=False + ) + self.assertIn("application/json", response.headers["content-type"]) + self.assertEqual(response.status_int, 200) + self.assertTrue("Set-Cookie" in response.headers) + self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) + + # Also test same cookie values + valid_values = [ + "strict", + "lax", + ] + + for value in valid_values: + cfg.CONF.set_override(group="api", name="same_site_cookie", override=value) + + response = self.app.get( + "/v1/actions?x-auth-token=%s" % (TOKEN), expect_errors=False + ) + self.assertIn("application/json", response.headers["content-type"]) + self.assertEqual(response.status_int, 200) + self.assertTrue("Set-Cookie" in response.headers) + self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) + self.assertTrue("SameSite=%s" % (value) in response.headers["Set-Cookie"]) + @mock.patch.object( Token, "get", diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index 150d094502..c1ebcb7b6f 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py 
@@ -375,10 +375,10 @@ def register_opts(ignore_errors=False): ), cfg.StrOpt( "same_site_cookie", - default="none", + default=None, help="SameSite attribute value for the " "auth-token cookie we set on successful authentication from st2web. Valid values are " - "strict, lax, none. If you " + "strict, lax, none, None. If you " "don't have a specific reason (e.g. supporting old browsers) you are " "recommended to set this value to strict.", ), From dde0617c1884c8d13c6aba5fed10b1a9bc1899a4 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 14:41:42 +0200 Subject: [PATCH 04/16] Fix lint. --- st2client/st2client/utils/interactive.py | 1 + 1 file changed, 1 insertion(+) diff --git a/st2client/st2client/utils/interactive.py b/st2client/st2client/utils/interactive.py index 7e6f81b29b..fd4943661d 100644 --- a/st2client/st2client/utils/interactive.py +++ b/st2client/st2client/utils/interactive.py @@ -93,6 +93,7 @@ def _construct_description(self): if "description" in self.spec: def get_bottom_toolbar_tokens(cli): + # pylint: disable=no-member return [(token.Token.Toolbar, self.spec["description"])] self.options["get_bottom_toolbar_tokens"] = get_bottom_toolbar_tokens From 70d32b5291d2a20670e6c8d5fba1660d94ee0761 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 15:35:00 +0200 Subject: [PATCH 05/16] Use better options name, also allow user to set "secure" value for auth cookie we set and default it to True for security reasons. Also default SameSite attribute to Lax. --- CHANGELOG.rst | 16 +++++--- st2api/st2api/app.py | 4 +- st2api/st2api/cmd/api.py | 4 +- st2api/st2api/validation.py | 25 +++++++++-- st2api/tests/unit/controllers/v1/test_auth.py | 24 +++++++++-- st2api/tests/unit/test_validation_utils.py | 41 +++++++++++++++++-- st2common/st2common/config.py | 11 ++++- st2common/st2common/router.py | 3 +- st2tests/st2tests/config.py | 5 +++ 9 files changed, 110 insertions(+), 23 deletions(-) 
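Review bot: The help text now lists `None` as a valid value, but a `same_site_cookie = None` line in st2.conf reaches `validate_same_cookie_is_correctly_configured` as the string `"None"` (a StrOpt does not convert it), which the list `["strict", "lax", "none", None]` rejects; only the in-code Python `None` default passes. Either accept the string form, `if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none", None, "None"]:`, and map `"None"` to omitting the attribute before the cookie is built, or drop `None` from the documented values. `none` and `None` differing only in case is also easy for an operator to misread; the help string should spell out that `none` emits `SameSite=None` (cross-site sending allowed) while `None` leaves the attribute off. `register_opts` continues outside the hunk.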
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0b6c823eae..1f76c4a8a6 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -78,12 +78,18 @@ Added Contributed by @Kami. -* Add new ``api.same_site_cookie`` config option with which user can control the value for - ``SameSite`` attribute for the ``auth-token`` cookie we set when authenticating via st2web. +* Add new ``api.auth_cookie_secure`` and ``api.auth_cookie_same_site`` config options which + specify values which are set for ``secure`` and ``SameSite`` attribute for the auth cookie + we set when authenticating via token / api key in query parameter value (e.g. via st2web). - For backward compatibility reasons it defaults to ``none``. Users who don't need to support old - browsers or have some other specific reason to disable it and encouraged to set this option to - ``strict``. + For security reasons, ``api.auth_cookie_secure`` defaults to ``True``. This should only be + changed to ``False`` if you have a valid reason to not run StackStorm behind HTTPs proxy. + + Default value for ``api.auth_cookie_same_site`` is ``Strict``. If you want to disable this + functionality so it behaves the same as in the previous releases, you can set that option + to ``None``. + + #5248 Contributed by @Kami. diff --git a/st2api/st2api/app.py b/st2api/st2api/app.py index c967c54ace..ffb65ff313 100644 --- a/st2api/st2api/app.py +++ b/st2api/st2api/app.py @@ -28,7 +28,7 @@ from st2common.constants.system import VERSION_STRING from st2common.service_setup import setup as common_setup from st2common.util import spec_loader -from st2api.validation import validate_same_cookie_is_correctly_configured +from st2api.validation import validate_auth_cookie_is_correctly_configured from st2api.validation import validate_rbac_is_correctly_configured LOG = logging.getLogger(__name__) 
@@ -67,7 +67,7 @@ def setup_app(config=None): ) # Additional pre-run time checks - validate_same_cookie_is_correctly_configured() + validate_auth_cookie_is_correctly_configured() validate_rbac_is_correctly_configured() router = Router( diff --git a/st2api/st2api/cmd/api.py b/st2api/st2api/cmd/api.py index ae58fe9662..8965c323bc 100644 --- a/st2api/st2api/cmd/api.py +++ b/st2api/st2api/cmd/api.py @@ -36,7 +36,7 @@ config.register_opts(ignore_errors=True) from st2api import app -from st2api.validation import validate_same_cookie_is_correctly_configured +from st2api.validation import validate_auth_cookie_is_correctly_configured from st2api.validation import validate_rbac_is_correctly_configured __all__ = ["main"] @@ -67,7 +67,7 @@ def _setup(): ) # Additional pre-run time checks - validate_same_cookie_is_correctly_configured() + validate_auth_cookie_is_correctly_configured() validate_rbac_is_correctly_configured() diff --git a/st2api/st2api/validation.py b/st2api/st2api/validation.py index c0d732f7d1..e6ba954933 100644 --- a/st2api/st2api/validation.py +++ b/st2api/st2api/validation.py 
@@ -15,22 +15,39 @@ from oslo_config import cfg +from webob import cookies + __all__ = [ - "validate_same_cookie_is_correctly_configured", + "validate_auth_cookie_is_correctly_configured", "validate_rbac_is_correctly_configured", ] -def validate_same_cookie_is_correctly_configured() -> bool: +def validate_auth_cookie_is_correctly_configured() -> bool: """ Function which verifies that SameCookie config option value is correctly configured. This method should be called in the api init phase so we catch any misconfiguration issues before startup. """ - if cfg.CONF.api.same_site_cookie not in ["strict", "lax", "none", None]: + if cfg.CONF.api.auth_cookie_same_site not in ["strict", "lax", "none", None]: + raise ValueError( + "Valid values for api.auth_cookie_same_site config option are: strict, lax, none." + ) + + # Now we try to make a dummy cookie to verify all the options are configured correctly. Some + # Options are mutually exclusive - e.g. SameSite none and Secure false. + try: + cookies.make_cookie( + "test_cookie", + "dummyvalue", + httponly=True, + secure=cfg.CONF.api.auth_cookie_secure, + samesite=cfg.CONF.api.auth_cookie_same_site, + ) + except Exception as e: raise ValueError( - "Valid values for api.same_site_cookie config option are: strict, lax, none." + "Failed to validate api.auth_cookie config options: %s" % (str(e)) ) return True diff --git a/st2api/tests/unit/controllers/v1/test_auth.py b/st2api/tests/unit/controllers/v1/test_auth.py index 92cd8169a7..88c809fd5c 100644 --- a/st2api/tests/unit/controllers/v1/test_auth.py +++ b/st2api/tests/unit/controllers/v1/test_auth.py 
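Review bot: The docstring of `validate_auth_cookie_is_correctly_configured` still describes a "SameCookie config option", although the function now also validates `auth_cookie_secure` by building a dummy cookie; a more accurate summary is `Verify that api.auth_cookie_secure and api.auth_cookie_same_site form a combination that webob accepts as cookie attributes.` The `except Exception as e` re-raise drops the original traceback; write `raise ValueError("Failed to validate api.auth_cookie config options: %s" % (str(e))) from e` so the webob error stays attached. Catching `Exception` is also wider than needed here, since the failure the check is designed for appears to surface as a `ValueError` from `make_cookie`, judging by the message the tests expect.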
@@ -78,7 +78,7 @@ def test_token_validation_token_in_query_params(self): ), ) @mock.patch.object(User, "get_by_name", mock.Mock(return_value=USER_DB)) - def test_token_validation_token_in_query_params_cookie_is_set(self): + def test_token_validation_token_in_query_params_auth_cookie_is_set(self): response = self.app.get( "/v1/actions?x-auth-token=%s" % (TOKEN), expect_errors=False ) @@ -87,14 +87,17 @@ def test_token_validation_token_in_query_params_cookie_is_set(self): self.assertTrue("Set-Cookie" in response.headers) self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) - # Also test same cookie values + # Also test same cookie values + secure valid_values = [ "strict", "lax", ] for value in valid_values: - cfg.CONF.set_override(group="api", name="same_site_cookie", override=value) + cfg.CONF.set_override( + group="api", name="auth_cookie_same_site", override=value + ) + cfg.CONF.set_override(group="api", name="auth_cookie_secure", override=True) response = self.app.get( "/v1/actions?x-auth-token=%s" % (TOKEN), expect_errors=False 
@@ -104,6 +107,21 @@ def test_token_validation_token_in_query_params_cookie_is_set(self): self.assertTrue("Set-Cookie" in response.headers) self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) self.assertTrue("SameSite=%s" % (value) in response.headers["Set-Cookie"]) + self.assertTrue("secure" in response.headers["Set-Cookie"]) + + # SameSite=Lax, Secure=False + cfg.CONF.set_override(group="api", name="auth_cookie_same_site", override="lax") + cfg.CONF.set_override(group="api", name="auth_cookie_secure", override=False) + + response = self.app.get( + "/v1/actions?x-auth-token=%s" % (TOKEN), expect_errors=False + ) + self.assertIn("application/json", response.headers["content-type"]) + self.assertEqual(response.status_int, 200) + self.assertTrue("Set-Cookie" in response.headers) + self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) + self.assertTrue("SameSite=lax" in response.headers["Set-Cookie"]) + self.assertTrue("secure" not in response.headers["Set-Cookie"]) @mock.patch.object( Token, diff --git a/st2api/tests/unit/test_validation_utils.py b/st2api/tests/unit/test_validation_utils.py index a16b48da16..a2a77d0900 100644 --- a/st2api/tests/unit/test_validation_utils.py +++ b/st2api/tests/unit/test_validation_utils.py @@ -16,7 +16,7 @@ import unittest2 from oslo_config import cfg -from st2api.validation import validate_same_cookie_is_correctly_configured +from st2api.validation import validate_auth_cookie_is_correctly_configured from st2api.validation import validate_rbac_is_correctly_configured from st2tests import config as tests_config 
@@ -28,16 +28,49 @@ def setUp(self): super(ValidationUtilsTestCase, self).setUp() tests_config.parse_args() - def test_validate_same_cookie_is_correctly_configured_success(self): + def test_validate_auth_cookie_is_correctly_configured_success(self): valid_values = [ "strict", "lax", "none", ] + cfg.CONF.set_override(group="api", name="auth_cookie_secure", override=True) + for value in valid_values: - cfg.CONF.set_override(group="api", name="same_site_cookie", override=value) - self.assertTrue(validate_same_cookie_is_correctly_configured()) + cfg.CONF.set_override( + group="api", name="auth_cookie_same_site", override=value + ) + self.assertTrue(validate_auth_cookie_is_correctly_configured()) + + def test_validate_auth_cookie_is_correctly_configured_error(self): + invalid_values = ["strictx", "laxx", "nonex", "invalid"] + + for value in invalid_values: + cfg.CONF.set_override( + group="api", name="auth_cookie_same_site", override=value + ) + + expected_msg = ( + "Valid values for api.auth_cookie_same_site config option are:" + ) + self.assertRaisesRegexp( + ValueError, expected_msg, validate_auth_cookie_is_correctly_configured + ) + + # SameSite=none + Secure=false is not compatible + cfg.CONF.set_override( + group="api", name="auth_cookie_same_site", override="none" + ) + cfg.CONF.set_override(group="api", name="auth_cookie_secure", override=False) + + expected_msg = ( + r"Failed to validate api.auth_cookie config options: Incompatible cookie attributes: " + "when the samesite equals 'none', then the secure must be True" + ) + self.assertRaisesRegexp( + ValueError, expected_msg, validate_auth_cookie_is_correctly_configured + ) def test_validate_rbac_is_correctly_configured_succcess(self): result = validate_rbac_is_correctly_configured() diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index c1ebcb7b6f..19673031f9 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py 
@@ -374,8 +374,15 @@ def register_opts(ignore_errors=False): help="True to mask secrets in the API responses", ), cfg.StrOpt( - "same_site_cookie", - default=None, + "auth_cookie_secure", + default=True, + help='True if secure flag should be set for "auth-token" cookie which is set on successful ' + "authentication via st2web. You should only set this to False if you have a good " + "reason to not run and access StackStorm behind https proxy.", + ), + cfg.StrOpt( + "auth_cookie_same_site", + default="lax", help="SameSite attribute value for the " "auth-token cookie we set on successful authentication from st2web. Valid values are " "strict, lax, none, None. If you " diff --git a/st2common/st2common/router.py b/st2common/st2common/router.py index 16d1ac18a2..4d041f2141 100644 --- a/st2common/st2common/router.py +++ b/st2common/st2common/router.py @@ -383,7 +383,8 @@ def __call__(self, req): token, max_age=max_age, httponly=True, - samesite=cfg.CONF.api.same_site_cookie, + secure=cfg.CONF.api.auth_cookie_secure, + samesite=cfg.CONF.api.auth_cookie_same_site, ) break diff --git a/st2tests/st2tests/config.py b/st2tests/st2tests/config.py index 0f44fa02a6..c4ae0cfcd1 100644 --- a/st2tests/st2tests/config.py +++ b/st2tests/st2tests/config.py @@ -111,6 +111,11 @@ def _override_api_opts(): override=["http://127.0.0.1:3000", "http://dev"], group="api", ) + CONF.set_override( + name="auth_cookie_secure", + override=False, + group="api", + ) def _override_keyvalue_opts(): From f8369bbc06efd4bbdcc39218f540d2bcec41b293 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 15:52:23 +0200 Subject: [PATCH 06/16] Revert "Fix lint." This reverts commit dde0617c1884c8d13c6aba5fed10b1a9bc1899a4. --- st2client/st2client/utils/interactive.py | 1 - 1 file changed, 1 deletion(-) diff --git a/st2client/st2client/utils/interactive.py b/st2client/st2client/utils/interactive.py index fd4943661d..7e6f81b29b 100644 --- a/st2client/st2client/utils/interactive.py 
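Review bot: `auth_cookie_secure` is declared as `cfg.StrOpt` with `default=True`, so a value set in st2.conf is delivered as the string `"False"`, which is truthy and is passed straight to `secure=` in the router.py hunk of this commit; an operator cannot actually turn the flag off from the config file, and the `none` + non-secure validation error would never be reachable from a file value either. Whether the tests' `set_override(..., override=False)` survives as a real `False` may depend on the oslo.config version's type enforcement. Declare it as `cfg.BoolOpt("auth_cookie_secure", default=True, ...)` so the parsed type matches the documented `True`/`False` values. `register_opts` continues outside the hunk.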
+++ b/st2client/st2client/utils/interactive.py @@ -93,7 +93,6 @@ def _construct_description(self): if "description" in self.spec: def get_bottom_toolbar_tokens(cli): - # pylint: disable=no-member return [(token.Token.Toolbar, self.spec["description"])] self.options["get_bottom_toolbar_tokens"] = get_bottom_toolbar_tokens From 7dd85a9d6718979f02c7d6ea8796c9e6a4ad34d1 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Fri, 23 Apr 2021 16:03:36 +0200 Subject: [PATCH 07/16] Update changelog. --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1f76c4a8a6..e18b3597ea 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -85,7 +85,7 @@ Added For security reasons, ``api.auth_cookie_secure`` defaults to ``True``. This should only be changed to ``False`` if you have a valid reason to not run StackStorm behind HTTPs proxy. - Default value for ``api.auth_cookie_same_site`` is ``Strict``. If you want to disable this + Default value for ``api.auth_cookie_same_site`` is ``lax``. If you want to disable this functionality so it behaves the same as in the previous releases, you can set that option to ``None``. From e29fd2a3fe838ca810b484ba605e7be6daf3aca1 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Sat, 24 Apr 2021 11:32:49 +0200 Subject: [PATCH 08/16] Update error message. --- st2api/st2api/validation.py | 9 +++++++-- st2api/tests/unit/test_validation_utils.py | 4 +--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/st2api/st2api/validation.py b/st2api/st2api/validation.py index e6ba954933..19802c0912 100644 --- a/st2api/st2api/validation.py +++ b/st2api/st2api/validation.py 
@@ -30,9 +30,14 @@ def validate_auth_cookie_is_correctly_configured() -> bool: This method should be called in the api init phase so we catch any misconfiguration issues before startup. """ - if cfg.CONF.api.auth_cookie_same_site not in ["strict", "lax", "none", None]: + if cfg.CONF.api.auth_cookie_same_site not in ["strict", "lax", "none", "None"]: raise ValueError( - "Valid values for api.auth_cookie_same_site config option are: strict, lax, none." + 'Got invalid value "%s" (type %s) for cfg.CONF.api.auth_cookie_same_site config ' + "option. Valid values are: strict, lax, none, None." + % ( + cfg.CONF.api.auth_cookie_same_site, + type(cfg.CONF.api.auth_cookie_same_site), + ) ) # Now we try to make a dummy cookie to verify all the options are configured correctly. Some diff --git a/st2api/tests/unit/test_validation_utils.py b/st2api/tests/unit/test_validation_utils.py index a2a77d0900..cf478f0076 100644 --- a/st2api/tests/unit/test_validation_utils.py +++ b/st2api/tests/unit/test_validation_utils.py @@ -51,9 +51,7 @@ def test_validate_auth_cookie_is_correctly_configured_error(self): group="api", name="auth_cookie_same_site", override=value ) - expected_msg = ( - "Valid values for api.auth_cookie_same_site config option are:" - ) + expected_msg = "Valid values are: strict, lax, none" self.assertRaisesRegexp( ValueError, expected_msg, validate_auth_cookie_is_correctly_configured ) From fb2cc68a315eccf335729bad5404a60662a996a9 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Sat, 24 Apr 2021 11:32:57 +0200 Subject: [PATCH 09/16] Re-generate config. --- conf/st2.conf.sample | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/conf/st2.conf.sample b/conf/st2.conf.sample index 62e1e00f6d..ba13733d77 100644 --- a/conf/st2.conf.sample +++ b/conf/st2.conf.sample 
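Review bot: The validation now accepts the string `"None"`, but the router (not touched by this commit) still forwards the option unchanged as `samesite=cfg.CONF.api.auth_cookie_same_site`, so a configured `None` is either rejected by webob or, if webob normalises case, emitted as `SameSite=None` — the opposite of the "do not set the attribute" meaning the help text gives it. The dummy `make_cookie` call further down in this function has the same gap, so the start-up check would not catch it. Translate `"None"` into not passing `samesite` at all, in one place shared by the validator and the router. `validate_auth_cookie_is_correctly_configured` continues outside the hunk.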
@@ -32,6 +32,10 @@ workflows_pool_size = 40 [api] # List of origins allowed for api, auth and stream allow_origin = http://127.0.0.1:3000 # comma separated list allowed here. +# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. Valid values are strict, lax, none, None. If you don't have a specific reason (e.g. supporting old browsers) you are recommended to set this value to strict. +auth_cookie_same_site = lax +# True if secure flag should be set for "auth-token" cookie which is set on successful authentication via st2web. You should only set this to False if you have a good reason to not run and access StackStorm behind https proxy. +auth_cookie_secure = True # None debug = False # StackStorm API server host From 8e2838f66634c5aa8442775ab12854da666e9d51 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Sat, 24 Apr 2021 22:10:50 +0200 Subject: [PATCH 10/16] Improve handling of "None" value, add choices attribute, add additional tests. --- st2api/st2api/validation.py | 10 +++++++++- st2api/tests/unit/controllers/v1/test_auth.py | 14 +++++++++----- st2api/tests/unit/test_validation_utils.py | 1 + st2common/st2common/config.py | 3 ++- st2common/st2common/router.py | 11 ++++++++++- 5 files changed, 31 insertions(+), 8 deletions(-) diff --git a/st2api/st2api/validation.py b/st2api/st2api/validation.py index 19802c0912..9737646b63 100644 --- a/st2api/st2api/validation.py +++ b/st2api/st2api/validation.py 
@@ -43,12 +43,20 @@ def validate_auth_cookie_is_correctly_configured() -> bool: # Now we try to make a dummy cookie to verify all the options are configured correctly. Some # Options are mutually exclusive - e.g. SameSite none and Secure false. try: + # NOTE: None and none don't mean the same thing - None implies not setting this attribute + # (backward compatibility) and none implies setting this attribute value to none + same_site = cfg.CONF.api.auth_cookie_same_site + + kwargs = {} + if same_site != "None": + kwargs["samesite"] = same_site + cookies.make_cookie( "test_cookie", "dummyvalue", httponly=True, secure=cfg.CONF.api.auth_cookie_secure, - samesite=cfg.CONF.api.auth_cookie_same_site, + **kwargs, ) except Exception as e: raise ValueError( diff --git a/st2api/tests/unit/controllers/v1/test_auth.py b/st2api/tests/unit/controllers/v1/test_auth.py index 88c809fd5c..4ff1bb7707 100644 --- a/st2api/tests/unit/controllers/v1/test_auth.py +++ b/st2api/tests/unit/controllers/v1/test_auth.py @@ -88,10 +88,7 @@ def test_token_validation_token_in_query_params_auth_cookie_is_set(self): self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) # Also test same cookie values + secure - valid_values = [ - "strict", - "lax", - ] + valid_values = ["strict", "lax", "none", "None"] for value in valid_values: cfg.CONF.set_override( @@ -106,7 +103,14 @@ def test_token_validation_token_in_query_params_auth_cookie_is_set(self): self.assertEqual(response.status_int, 200) self.assertTrue("Set-Cookie" in response.headers) self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) - self.assertTrue("SameSite=%s" % (value) in response.headers["Set-Cookie"]) + + if value == "None": + self.assertFalse("SameSite" in response.headers["Set-Cookie"]) + else: + self.assertTrue( + "SameSite=%s" % (value) in response.headers["Set-Cookie"] + ) + self.assertTrue("secure" in response.headers["Set-Cookie"]) # SameSite=Lax, Secure=False 
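Review bot: The `same_site != "None"` translation and the `kwargs` build in `validate_auth_cookie_is_correctly_configured` are duplicated verbatim in the router.py hunk of this commit, so the start-up check only proves that `make_cookie` accepts the combination the validator assembled, not the one the router will send; if either copy drifts, validation passes while the live cookie differs. Factor the mapping into a single helper and have both call sites use it, so the check and the production path cannot diverge. The helper below is a sketch; the enclosing function continues outside the hunk.
```python
def get_auth_cookie_kwargs() -> dict:
    """Return the cookies.make_cookie() keyword arguments derived from the
    api.auth_cookie_* options; "None" (capital N) omits the SameSite attribute
    entirely, "none" emits SameSite=None."""
    kwargs = {"httponly": True, "secure": cfg.CONF.api.auth_cookie_secure}
    same_site = cfg.CONF.api.auth_cookie_same_site
    if same_site != "None":
        kwargs["samesite"] = same_site
    return kwargs


    # … unchanged: choices check on auth_cookie_same_site …
    try:
        cookies.make_cookie("test_cookie", "dummyvalue", **get_auth_cookie_kwargs())
    except Exception as e:
        # … unchanged: ValueError re-raise …
```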
diff --git a/st2api/tests/unit/test_validation_utils.py b/st2api/tests/unit/test_validation_utils.py index cf478f0076..d63f5da5ec 100644 --- a/st2api/tests/unit/test_validation_utils.py +++ b/st2api/tests/unit/test_validation_utils.py @@ -33,6 +33,7 @@ def test_validate_auth_cookie_is_correctly_configured_success(self): "strict", "lax", "none", + "None", ] cfg.CONF.set_override(group="api", name="auth_cookie_secure", override=True) diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index 19673031f9..287fa2094b 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py @@ -373,7 +373,7 @@ def register_opts(ignore_errors=False): default=True, help="True to mask secrets in the API responses", ), - cfg.StrOpt( + cfg.BoolOpt( "auth_cookie_secure", default=True, help='True if secure flag should be set for "auth-token" cookie which is set on successful ' @@ -383,6 +383,7 @@ def register_opts(ignore_errors=False): cfg.StrOpt( "auth_cookie_same_site", default="lax", + choices=["strict", "lax", "none", "None"], help="SameSite attribute value for the " "auth-token cookie we set on successful authentication from st2web. Valid values are " "strict, lax, none, None. If you " diff --git a/st2common/st2common/router.py b/st2common/st2common/router.py index 4d041f2141..5c4a5e2638 100644 --- a/st2common/st2common/router.py +++ b/st2common/st2common/router.py 
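Review bot: `choices=["strict", "lax", "none", "None"]` makes `auth_cookie_same_site` case-sensitive, so the canonical spellings `Strict`/`Lax`/`None` from the cookie specification are rejected at config parse time, while `none` and `None` — which differ only in case — select opposite behaviours: an explicit `SameSite=None` that permits cross-site sending versus no attribute at all. A mistyped case can therefore silently widen where the auth cookie is sent; `ignore_case=True` cannot be used here because it would merge the two. Consider a spelling for the "omit" case that cannot be confused with a SameSite value, or at least state the distinction in the help text: `"Set to None (capital N) to omit the attribute entirely; none emits SameSite=None, which browsers only accept together with the secure flag."` `register_opts` continues outside the hunk.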
@@ -378,13 +378,22 @@ def __call__(self, req): max_age = ( auth_resp.expiry - date_utils.get_datetime_utc_now() ) + # NOTE: None and none don't mean the same thing - None implies not + # setting this attribute at all (backward compatibility) and none + # implies setting this attribute value to none + same_site = cfg.CONF.api.auth_cookie_same_site + + kwargs = {} + if same_site != "None": + kwargs["samesite"] = same_site + cookie_token = cookies.make_cookie( definition["x-set-cookie"], token, max_age=max_age, httponly=True, secure=cfg.CONF.api.auth_cookie_secure, - samesite=cfg.CONF.api.auth_cookie_same_site, + **kwargs, ) break From f2f48d19cea37d486639af63cdae2ad65391cbf3 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Sat, 24 Apr 2021 22:22:24 +0200 Subject: [PATCH 11/16] Add support for choices attribute to the config gen script, update affected config options. --- st2common/st2common/config.py | 19 +++++++++---------- tools/config_gen.py | 8 ++++++++ 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index 287fa2094b..b30c1c4fd1 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py @@ -254,7 +254,7 @@ def register_opts(ignore_errors=False): cfg.IntOpt( "zlib_compression_level", default="", - help="Compression level when compressors is set to zlib. Valid calues are -1 to 9. " + help="Compression level when compressors is set to zlib. Valid values are -1 to 9. " "Defaults to 6.", ), ] @@ -321,9 +321,9 @@ def register_opts(ignore_errors=False): cfg.StrOpt( "compression", default=None, + choices=["zstd", "lzma", "bz2", "gzip", None], help="Compression algorithm to use for compressing the payloads which are sent over " - "the message bus. Valid values include: zstd, lzma, bz2, gzip. Defaults to no " - "compression.", + "the message bus. Defaults to no compression.", ), ] 
@@ -376,19 +376,18 @@ def register_opts(ignore_errors=False): cfg.BoolOpt( "auth_cookie_secure", default=True, - help='True if secure flag should be set for "auth-token" cookie which is set on successful ' - "authentication via st2web. You should only set this to False if you have a good " - "reason to not run and access StackStorm behind https proxy.", + help='True if secure flag should be set for "auth-token" cookie which is set on ' + "successful authentication via st2web. You should only set this to False if you have " + "a good reason to not run and access StackStorm behind https proxy.", ), cfg.StrOpt( "auth_cookie_same_site", default="lax", choices=["strict", "lax", "none", "None"], help="SameSite attribute value for the " - "auth-token cookie we set on successful authentication from st2web. Valid values are " - "strict, lax, none, None. If you " - "don't have a specific reason (e.g. supporting old browsers) you are " - "recommended to set this value to strict.", + "auth-token cookie we set on successful authentication from st2web. If you " + "don't have a specific reason (e.g. supporting old browsers) you are recommended to " + "set this value to strict.", ), ] diff --git a/tools/config_gen.py b/tools/config_gen.py index fc92195e9c..68a514ee74 100755 --- a/tools/config_gen.py +++ b/tools/config_gen.py @@ -175,6 +175,14 @@ def _print_options(opt_group, options): value = opt.default print(("# %s" % opt.help).strip()) + + if isinstance(opt, cfg.StrOpt) and opt.type.choices: + if isinstance(opt.type.choices, list): + valid_values = ", ".join([str(x) for x in opt.type.choices]) + else: + valid_values = opt.type.choices + print("# Valid values: %s" % (valid_values)) + print(("%s = %s" % (opt.name, value)).strip()) From b3702cf26fd7c479223224ad693be363fed6338d Mon Sep 17 00:00:00 2001 
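Review bot: The `else` branch added to `_print_options` assigns `opt.type.choices` itself to `valid_values`, so whenever `choices` is not a plain `list` (a tuple, or a mapping if the installed oslo.config stores choices together with descriptions) the generated comment would contain the container's repr instead of the values. Iterating regardless of container type removes the branch: `valid_values = ", ".join(str(x) for x in opt.type.choices)`. The `isinstance(opt, cfg.StrOpt)` guard also leaves other option types whose type exposes `choices` (e.g. `cfg.PortOpt`) undocumented in the sample; `choices = getattr(opt.type, "choices", None)` followed by `if choices:` would cover them with the same code. `_print_options` starts outside the hunk.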
From: Tomaz Muraus Date: Sat, 24 Apr 2021 22:24:17 +0200 Subject: [PATCH 12/16] Re-generate sample config. --- conf/st2.conf.sample | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/conf/st2.conf.sample b/conf/st2.conf.sample index ba13733d77..362cd8cba3 100644 --- a/conf/st2.conf.sample +++ b/conf/st2.conf.sample @@ -32,7 +32,8 @@ workflows_pool_size = 40 [api] # List of origins allowed for api, auth and stream allow_origin = http://127.0.0.1:3000 # comma separated list allowed here. -# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. Valid values are strict, lax, none, None. If you don't have a specific reason (e.g. supporting old browsers) you are recommended to set this value to strict. +# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. If you don't have a specific reason (e.g. supporting old browsers) you are recommended to set this value to strict. +# Valid values: strict, lax, none, None auth_cookie_same_site = lax # True if secure flag should be set for "auth-token" cookie which is set on successful authentication via st2web. You should only set this to False if you have a good reason to not run and access StackStorm behind https proxy. auth_cookie_secure = True @@ -140,6 +141,7 @@ ssl = False # ca_certs file contains a set of concatenated CA certificates, which are used to validate certificates passed from MongoDB. ssl_ca_certs = None # Specifies whether a certificate is required from the other side of the connection, and whether it will be validated if provided +# Valid values: none, optional, required ssl_cert_reqs = None # Certificate file used to identify the localconnection ssl_certfile = None 
@@ -149,7 +151,7 @@ ssl_keyfile = None ssl_match_hostname = True # username for db login username = None -# Compression level when compressors is set to zlib. Valid calues are -1 to 9. Defaults to 6. +# Compression level when compressors is set to zlib. Valid values are -1 to 9. Defaults to 6. zlib_compression_level = [exporter] @@ -193,7 +195,8 @@ redirect_stderr = False [messaging] # URL of all the nodes in a messaging service cluster. cluster_urls = # comma separated list allowed here. -# Compression algorithm to use for compressing the payloads which are sent over the message bus. Valid values include: zstd, lzma, bz2, gzip. Defaults to no compression. +# Compression algorithm to use for compressing the payloads which are sent over the message bus. Defaults to no compression. +# Valid values: zstd, lzma, bz2, gzip, None compression = None # How many times should we retry connection before failing. connection_retries = 10 @@ -206,6 +209,7 @@ ssl = False # ca_certs file contains a set of concatenated CA certificates, which are used to validate certificates passed from RabbitMQ. ssl_ca_certs = None # Specifies whether a certificate is required from the other side of the connection, and whether it will be validated if provided. +# Valid values: none, optional, required ssl_cert_reqs = None # Certificate file used to identify the local connection (client). ssl_certfile = None From 8b90041d46f84430b6892188087e04fdc31ac702 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Sat, 2 Oct 2021 01:48:30 -0500 Subject: [PATCH 13/16] Doc wording change --- conf/st2.conf.sample | 2 +- st2common/st2common/config.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/st2.conf.sample b/conf/st2.conf.sample index 362cd8cba3..fc5a3df82b 100644 --- a/conf/st2.conf.sample +++ b/conf/st2.conf.sample 
@@ -32,7 +32,7 @@ workflows_pool_size = 40 [api] # List of origins allowed for api, auth and stream allow_origin = http://127.0.0.1:3000 # comma separated list allowed here. -# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. If you don't have a specific reason (e.g. supporting old browsers) you are recommended to set this value to strict. +# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. If you don't have a specific reason (e.g. supporting old browsers) we recommend you set this value to strict. # Valid values: strict, lax, none, None auth_cookie_same_site = lax # True if secure flag should be set for "auth-token" cookie which is set on successful authentication via st2web. You should only set this to False if you have a good reason to not run and access StackStorm behind https proxy. diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index b30c1c4fd1..eb12d6381d 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py @@ -386,7 +386,7 @@ def register_opts(ignore_errors=False): choices=["strict", "lax", "none", "None"], help="SameSite attribute value for the " "auth-token cookie we set on successful authentication from st2web. If you " - "don't have a specific reason (e.g. supporting old browsers) you are recommended to " + "don't have a specific reason (e.g. supporting old browsers) we recommend you " "set this value to strict.", ), ] From 642be883d9d3868934b58c52616bb225339149c2 Mon Sep 17 00:00:00 2001 
From: Tomaz Muraus Date: Thu, 11 Nov 2021 12:52:56 +0100 Subject: [PATCH 14/16] Change the option value name from "None" to "unset" to avoid the confusion between none and None. --- conf/st2.conf.sample | 2 +- st2api/st2api/validation.py | 8 ++++---- st2api/tests/unit/controllers/v1/test_auth.py | 4 ++-- st2api/tests/unit/test_validation_utils.py | 4 ++-- st2common/st2common/config.py | 5 +++-- st2common/st2common/router.py | 8 ++++---- 6 files changed, 16 insertions(+), 15 deletions(-) diff --git a/conf/st2.conf.sample b/conf/st2.conf.sample index fc5a3df82b..b730e7fa3c 100644 --- a/conf/st2.conf.sample +++ b/conf/st2.conf.sample @@ -33,7 +33,7 @@ workflows_pool_size = 40 # List of origins allowed for api, auth and stream allow_origin = http://127.0.0.1:3000 # comma separated list allowed here. # SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. If you don't have a specific reason (e.g. supporting old browsers) we recommend you set this value to strict. -# Valid values: strict, lax, none, None +# Valid values: strict, lax, none, unset auth_cookie_same_site = lax # True if secure flag should be set for "auth-token" cookie which is set on successful authentication via st2web. You should only set this to False if you have a good reason to not run and access StackStorm behind https proxy. auth_cookie_secure = True diff --git a/st2api/st2api/validation.py b/st2api/st2api/validation.py index 9737646b63..f513094a98 100644 --- a/st2api/st2api/validation.py +++ b/st2api/st2api/validation.py 
@@ -30,10 +30,10 @@ def validate_auth_cookie_is_correctly_configured() -> bool: This method should be called in the api init phase so we catch any misconfiguration issues before startup. """ - if cfg.CONF.api.auth_cookie_same_site not in ["strict", "lax", "none", "None"]: + if cfg.CONF.api.auth_cookie_same_site not in ["strict", "lax", "none", "unset"]: raise ValueError( 'Got invalid value "%s" (type %s) for cfg.CONF.api.auth_cookie_same_site config ' - "option. Valid values are: strict, lax, none, None." + "option. Valid values are: strict, lax, none, unset." % ( cfg.CONF.api.auth_cookie_same_site, type(cfg.CONF.api.auth_cookie_same_site), @@ -43,12 +43,12 @@ def validate_auth_cookie_is_correctly_configured() -> bool: # Now we try to make a dummy cookie to verify all the options are configured correctly. Some # Options are mutually exclusive - e.g. SameSite none and Secure false. try: - # NOTE: None and none don't mean the same thing - None implies not setting this attribute + # NOTE: none and unset don't mean the same thing - unset implies not setting this attribute # (backward compatibility) and none implies setting this attribute value to none same_site = cfg.CONF.api.auth_cookie_same_site kwargs = {} - if same_site != "None": + if same_site != "unset": kwargs["samesite"] = same_site cookies.make_cookie( diff --git a/st2api/tests/unit/controllers/v1/test_auth.py b/st2api/tests/unit/controllers/v1/test_auth.py index b7e2c5c409..7fad0d816f 100644 --- a/st2api/tests/unit/controllers/v1/test_auth.py +++ b/st2api/tests/unit/controllers/v1/test_auth.py @@ -88,7 +88,7 @@ def test_token_validation_token_in_query_params_auth_cookie_is_set(self): self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) # Also test same cookie values + secure - valid_values = ["strict", "lax", "none", "None"] + valid_values = ["strict", "lax", "none", "unset"] for value in valid_values: cfg.CONF.set_override( 
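Review bot: The valid-value list for `auth_cookie_same_site` is spelled out by hand in this membership check, in the error string two lines below it, in the `choices=` of the StrOpt in config.py and in both unit tests, which is why renaming one value touches six files in this commit. A single constant, e.g. `VALID_AUTH_COOKIE_SAME_SITE_VALUES = ("strict", "lax", "none", "unset")` defined next to the option in st2common and referenced from `choices=`, from here and from the error message, keeps the copies from drifting. Given the `choices=` on the option, oslo.config likely already rejects file values outside the list, so a comment stating that this check exists for programmatic overrides (`set_override`) would clarify its purpose. `validate_auth_cookie_is_correctly_configured` starts before the hunk and continues past it.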
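Review bot: The `same_site`/`kwargs` construction in this hunk is a copy of the one in `Router.__call__` (the router.py hunk at the end of this same commit), and both copies plus their comments had to be edited in lockstep for the rename; the stated purpose of this block is to exercise the options the router will pass to `make_cookie`, which a duplicated snippet cannot guarantee. Extracting a small helper in st2common, e.g. `def get_auth_cookie_kwargs() -> dict` that returns `{"samesite": same_site}` or `{}` based on the config, and calling it from both places would make the startup check validate the real code path. The enclosing `try` block and the function continue outside the hunk.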
@@ -104,7 +104,7 @@ def test_token_validation_token_in_query_params_auth_cookie_is_set(self): self.assertTrue("Set-Cookie" in response.headers) self.assertTrue("HttpOnly" in response.headers["Set-Cookie"]) - if value == "None": + if value == "unset": self.assertFalse("SameSite" in response.headers["Set-Cookie"]) else: self.assertTrue( diff --git a/st2api/tests/unit/test_validation_utils.py b/st2api/tests/unit/test_validation_utils.py index d63f5da5ec..b5c939221c 100644 --- a/st2api/tests/unit/test_validation_utils.py +++ b/st2api/tests/unit/test_validation_utils.py @@ -33,7 +33,7 @@ def test_validate_auth_cookie_is_correctly_configured_success(self): "strict", "lax", "none", - "None", + "unset", ] cfg.CONF.set_override(group="api", name="auth_cookie_secure", override=True) @@ -52,7 +52,7 @@ def test_validate_auth_cookie_is_correctly_configured_error(self): group="api", name="auth_cookie_same_site", override=value ) - expected_msg = "Valid values are: strict, lax, none" + expected_msg = "Valid values are: strict, lax, none, unset" self.assertRaisesRegexp( ValueError, expected_msg, validate_auth_cookie_is_correctly_configured ) diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index d23d2d2d4e..22809e565c 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py @@ -383,11 +383,12 @@ def register_opts(ignore_errors=False): cfg.StrOpt( "auth_cookie_same_site", default="lax", - choices=["strict", "lax", "none", "None"], + choices=["strict", "lax", "none", "unset"], help="SameSite attribute value for the " "auth-token cookie we set on successful authentication from st2web. If you " "don't have a specific reason (e.g. supporting old browsers) we recommend you " - "set this value to strict.", + "set this value to strict. Setting it to \"unset\" will default to the behavior " + "in previous releases and not set this SameSite header value.", ), ] 
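Review bot: The new help text for `auth_cookie_same_site` says "unset" will "not set this SameSite header value", but SameSite is an attribute inside the Set-Cookie value rather than a header, and the text leaves the consequence implicit: most current browsers treat a cookie without a SameSite attribute as `lax`, so "unset" restores the previous wire format but not cross-site behavior, which still requires `none` together with `auth_cookie_secure = True`. I would replace the last sentence with `'Setting it to "unset" omits the SameSite attribute (the behavior of previous releases); browsers then apply their own default, typically lax.'`. The same sentence is copied into conf/st2.conf.sample in PATCH 15 and would need the matching edit. The enclosing option list continues outside the hunk.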
diff --git a/st2common/st2common/router.py b/st2common/st2common/router.py index 5c4a5e2638..58d72a8412 100644 --- a/st2common/st2common/router.py +++ b/st2common/st2common/router.py @@ -378,13 +378,13 @@ def __call__(self, req): max_age = ( auth_resp.expiry - date_utils.get_datetime_utc_now() ) - # NOTE: None and none don't mean the same thing - None implies not - # setting this attribute at all (backward compatibility) and none - # implies setting this attribute value to none + # NOTE: unset and none don't mean the same thing - unset implies + # not setting this attribute at all (backward compatibility) and + # none implies setting this attribute value to none same_site = cfg.CONF.api.auth_cookie_same_site kwargs = {} - if same_site != "None": + if same_site != "unset": kwargs["samesite"] = same_site cookie_token = cookies.make_cookie( From 7a9bd3070b3d335433000cb253c835ffb17284a6 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Thu, 11 Nov 2021 13:47:02 +0100 Subject: [PATCH 15/16] Fix lint. --- conf/st2.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/st2.conf.sample b/conf/st2.conf.sample index b730e7fa3c..86e1981f66 100644 --- a/conf/st2.conf.sample +++ b/conf/st2.conf.sample 
@@ -32,7 +32,7 @@ workflows_pool_size = 40 [api] # List of origins allowed for api, auth and stream allow_origin = http://127.0.0.1:3000 # comma separated list allowed here. -# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. If you don't have a specific reason (e.g. supporting old browsers) we recommend you set this value to strict. +# SameSite attribute value for the auth-token cookie we set on successful authentication from st2web. If you don't have a specific reason (e.g. supporting old browsers) we recommend you set this value to strict. Setting it to "unset" will default to the behavior in previous releases and not set this SameSite header value. # Valid values: strict, lax, none, unset auth_cookie_same_site = lax # True if secure flag should be set for "auth-token" cookie which is set on successful authentication via st2web. You should only set this to False if you have a good reason to not run and access StackStorm behind https proxy. From 7233c7b2ddfc837307d8092e3f1f2271473f51a4 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Thu, 11 Nov 2021 13:55:13 +0100 Subject: [PATCH 16/16] Fix lint. --- st2common/st2common/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py index 22809e565c..59840b1884 100644 --- a/st2common/st2common/config.py +++ b/st2common/st2common/config.py @@ -387,7 +387,7 @@ def register_opts(ignore_errors=False): help="SameSite attribute value for the " "auth-token cookie we set on successful authentication from st2web. If you " "don't have a specific reason (e.g. supporting old browsers) we recommend you " - "set this value to strict. Setting it to \"unset\" will default to the behavior " + 'set this value to strict. Setting it to "unset" will default to the behavior ' "in previous releases and not set this SameSite header value.", ), ]