From 5e9d514e5eb7ee4a1bd8f378aec32ade2846c763 Mon Sep 17 00:00:00 2001
From: John Westcott IV <32551173+john-westcott-iv@users.noreply.github.com>
Date: Wed, 5 Jul 2023 15:18:23 -0400
Subject: [PATCH] Added CSRF Origin in settings (#14062)
---
awx/conf/apps.py | 2 +-
awx/main/conf.py | 14 +++++++++++
awx/settings/defaults.py | 5 ++++
.../MiscSystemDetail/MiscSystemDetail.js | 1 +
.../MiscSystemDetail/MiscSystemDetail.test.js | 1 +
.../MiscSystemEdit/MiscSystemEdit.js | 7 ++++++
.../MiscSystemEdit/MiscSystemEdit.test.js | 1 +
.../shared/data.allSettingOptions.json | 25 +++++++++++++++++++
.../Setting/shared/data.allSettings.json | 1 +
9 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/awx/conf/apps.py b/awx/conf/apps.py
index 49993d6203..55e0d3753a 100644
--- a/awx/conf/apps.py
+++ b/awx/conf/apps.py
@@ -14,7 +14,7 @@ class ConfConfig(AppConfig):
def ready(self):
self.module.autodiscover()
- if not set(sys.argv) & {'migrate', 'check_migrations'}:
+ if not set(sys.argv) & {'migrate', 'check_migrations', 'showmigrations'}:
from .settings import SettingsWrapper
SettingsWrapper.initialize()
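Review bot: The guard matches the command name anywhere in `sys.argv`, so any invocation whose arguments merely contain `migrate`, `check_migrations` or the newly added `showmigrations` as a value also skips `SettingsWrapper.initialize()`; adding a fourth word widens that surface. If the management entry points always place the subcommand at `sys.argv[1]`, a positional test is tighter: `if len(sys.argv) < 2 or sys.argv[1] not in {'migrate', 'check_migrations', 'showmigrations'}:`. The reason for the skip is also undocumented; a one-line comment such as `# DB-backed settings cannot be loaded before migrations exist — skip for migration commands` (hedged: presumably that is why) would help the next person who adds a command here.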
diff --git a/awx/main/conf.py b/awx/main/conf.py
index b21be34add..cb47c22e06 100644
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -94,6 +94,20 @@ register(
category_slug='system',
)
+register(
+ 'CSRF_TRUSTED_ORIGINS',
+ default=[],
+ field_class=fields.StringListField,
+ label=_('CSRF Trusted Origins List'),
+ help_text=_(
+ "If the service is behind a reverse proxy/load balancer, use this setting "
+ "to configure the schema://addresses from which the service should trust "
+ "Origin header values. "
+ ),
+ category=_('System'),
+ category_slug='system',
+)
+
register(
'LICENSE',
field_class=fields.DictField,
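Review bot: Making `CSRF_TRUSTED_ORIGINS` an API-editable setting with a bare `StringListField` accepts entries in any shape, but Django's CSRF middleware only honours values of the exact form `scheme://host[:port]` (optionally `scheme://*.domain`); an entry saved without the scheme is never matched and silently gives no protection relaxation, while the startup system check that would normally reject it does not run on API updates. A validator on the field that rejects entries not starting with `http://` or `https://` (and requires a non-empty host) would surface the mistake at save time. The help text should also say what trusting an origin means: any page served from a listed origin may issue state-changing requests with the user's session cookie, so list only the exact origins the proxy presents, e.g. `"Each entry must be scheme://host[:port] (a leading '*.' wildcards subdomains). Requests whose Origin header matches an entry pass CSRF verification, so list only the exact public origins of this service."`. Note that in Django 4.x the middleware caches the parsed origin list on the middleware instance (`cached_property`); if that is the version in use, changes made through this setting will not take effect until the web processes restart, which is worth stating in `help_text`.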
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 795cb44fe3..ff22d194de 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -158,6 +158,11 @@ REMOTE_HOST_HEADERS = ['REMOTE_ADDR', 'REMOTE_HOST']
# REMOTE_HOST_HEADERS will be trusted unconditionally')
PROXY_IP_ALLOWED_LIST = []
+# If we are behind a reverse proxy/load balancer, use this setting to
+# allow the scheme://addresses from which Tower should trust csrf requests from
+# If this setting is an empty list (the default), we will only trust ourself
+CSRF_TRUSTED_ORIGINS = []
+
CUSTOM_VENV_PATHS = []
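Review bot: The new comment says entries are `scheme://addresses` and that an empty list means "we will only trust ourself", but it does not state the exact format Django requires nor what "ourself" is compared against, which is the whole reason this knob exists behind a proxy: with an empty list the `Origin` header must equal the scheme and host the application itself sees in the request, which a TLS-terminating or host-rewriting proxy breaks. Suggested wording: `# Origins (scheme://host[:port], '*.' prefix allowed for subdomains) whose Origin header is accepted on state-changing requests. Empty (default): only the request's own scheme+host is trusted, which breaks behind a proxy that rewrites Host or terminates TLS.` The phrase "trust csrf requests from ... from" and the product name "Tower" in a file that otherwise says "the service" are also worth tidying.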
# Warning: this is a placeholder for a database setting
diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js
index b7ed41969a..bc7dc6efc8 100644
--- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js
+++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js
@@ -59,6 +59,7 @@ function MiscSystemDetail() {
'TOWER_URL_BASE',
'DEFAULT_EXECUTION_ENVIRONMENT',
'PROXY_IP_ALLOWED_LIST',
+ 'CSRF_TRUSTED_ORIGINS',
'AUTOMATION_ANALYTICS_LAST_GATHER',
'AUTOMATION_ANALYTICS_LAST_ENTRIES',
'UI_NEXT'
diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js
index f30dd11693..c9c5c7f9cc 100644
--- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js
+++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js
@@ -29,6 +29,7 @@ describe('', () => {
TOWER_URL_BASE: 'https://towerhost',
REMOTE_HOST_HEADERS: [],
PROXY_IP_ALLOWED_LIST: [],
+ CSRF_TRUSTED_ORIGINS: [],
LICENSE: null,
REDHAT_USERNAME: 'name1',
REDHAT_PASSWORD: '$encrypted$',
diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js
index 9f2bf48d09..35c38f4873 100644
--- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js
+++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js
@@ -53,6 +53,7 @@ function MiscSystemEdit() {
'TOWER_URL_BASE',
'DEFAULT_EXECUTION_ENVIRONMENT',
'PROXY_IP_ALLOWED_LIST',
+ 'CSRF_TRUSTED_ORIGINS',
'UI_NEXT'
);
@@ -95,6 +96,7 @@ function MiscSystemEdit() {
await submitForm({
...form,
PROXY_IP_ALLOWED_LIST: formatJson(form.PROXY_IP_ALLOWED_LIST),
+ CSRF_TRUSTED_ORIGINS: formatJson(form.CSRF_TRUSTED_ORIGINS),
REMOTE_HOST_HEADERS: formatJson(form.REMOTE_HOST_HEADERS),
DEFAULT_EXECUTION_ENVIRONMENT:
form.DEFAULT_EXECUTION_ENVIRONMENT?.id || null,
@@ -239,6 +241,11 @@ function MiscSystemEdit() {
config={system.PROXY_IP_ALLOWED_LIST}
isRequired
/>
+
{submitError && }
{revertError && }
diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js
index b8adaeef86..144ba7276d 100644
--- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js
+++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js
@@ -39,6 +39,7 @@ const systemData = {
REMOTE_HOST_HEADERS: ['REMOTE_ADDR', 'REMOTE_HOST'],
TOWER_URL_BASE: 'https://localhost:3000',
PROXY_IP_ALLOWED_LIST: [],
+ CSRF_TRUSTED_ORIGINS: [],
UI_NEXT: false,
};
diff --git a/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json b/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
index 504158d042..10c398d94b 100644
--- a/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
+++ b/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
@@ -78,6 +78,20 @@
"read_only": false
}
},
+ "CSRF_TRUSTED_ORIGINS": {
+ "type": "list",
+ "required": true,
+ "label": "CSRF Origins List",
+ "help_text": "If the service is behind a reverse proxy/load balancer, use this setting to configure the schema://addresses from which the service should trust Origin header values. ",
+ "category": "System",
+ "category_slug": "system",
+ "default": [],
+ "child": {
+ "type": "string",
+ "required": true,
+ "read_only": false
+ }
+ },
"REDHAT_USERNAME": {
"type": "string",
"required": false,
@@ -4487,6 +4501,17 @@
"type": "string"
}
},
+ "CSRF_TRUSTED_ORIGINS": {
+ "type": "list",
+ "label": "CSRF Origins List",
+ "help_text": "If the service is behind a reverse proxy/load balancer, use this setting to configure the schema://addresses from which the service should trust Origin header values. ",
+ "category": "System",
+ "category_slug": "system",
+ "defined_in_file": false,
+ "child": {
+ "type": "string"
+ }
+ },
"LICENSE": {
"type": "nested object",
"label": "License",
diff --git a/awx/ui/src/screens/Setting/shared/data.allSettings.json b/awx/ui/src/screens/Setting/shared/data.allSettings.json
index 4fc9cabfdb..7a67b71c6d 100644
--- a/awx/ui/src/screens/Setting/shared/data.allSettings.json
+++ b/awx/ui/src/screens/Setting/shared/data.allSettings.json
@@ -9,6 +9,7 @@
"REMOTE_HOST"
],
"PROXY_IP_ALLOWED_LIST": [],
+ "CSRF_TRUSTED_ORIGINS": [],
"LICENSE": {},
"REDHAT_USERNAME": "",
"REDHAT_PASSWORD": "",