EN-3877 Changed DEV_USE_INSECURE_COOKIE to DEV_DISABLE_SSL to provide…

… a more generic name for the flag. Added DEV_DISABLE_SSL env variable to the various Env files. It is now used to set the secureCookie in main.go and to set the Strict-Transport-Security header. Corrected compile error (unused "fmt" import). Removed commented-out code.
18F · Sep 4, 2019 · 01df585 · 01df585
1 parent 82021df
commit 01df585
Show file tree

Hide file tree

Showing 9 changed files with 11 additions and 9 deletions.
diff --git a/.env.dev b/.env.dev
@@ -6,3 +6,4 @@ API_REDIRECT=https://eqip-prototype-dev.fr.cloud.gov
 API_BASE_URL=https://eqip-prototype-api-dev.fr.cloud.gov
 ATTACHMENTS_ENABLED=
 WS_ENABLED=0
+DEV_DISABLE_SSL=1
diff --git a/.env.example b/.env.example
@@ -39,4 +39,4 @@ WS_CALLERINFO_AGENCY_USER_SSN=
 WS_AGENCY_ID=
 WS_AGENCY_GROUP_ID=
 ATTACHMENTS_ENABLED=1
-DEV_USE_INSECURE_COOKIE=1
+DEV_DISABLE_SSL=1
diff --git a/.env.production b/.env.production
@@ -5,4 +5,5 @@ BASIC_ENABLED=1
 API_REDIRECT=https://eqip-prototype.fr.cloud.gov
 API_BASE_URL=https://eqip-prototype-api.fr.cloud.gov
 ATTACHMENTS_ENABLED=
-WS_ENABLED=
+WS_ENABLED=
+DEV_DISABLE_SSL=0
diff --git a/.env.staging b/.env.staging
@@ -17,3 +17,4 @@ SAML_SIGN_REQUEST=1
 SAML_CONSUMER_SERVICE_URL=https://eqip-prototype-api-staging.fr.cloud.gov/auth/saml/callback
 WS_ENABLED=1
 ATTACHMENTS_ENABLED=1
+DEV_DISABLE_SSL=0
diff --git a/.env.test b/.env.test
@@ -13,3 +13,4 @@ SAML_SIGN_REQUEST=1
 SAML_CONSUMER_SERVICE_URL=
 WS_ENABLED=1
 ATTACHMENTS_ENABLED=1
+DEV_DISABLE_SSL=0
diff --git a/api/cmd/server/main.go b/api/cmd/server/main.go
@@ -59,7 +59,7 @@ func main() {
 	sessionService := session.NewSessionService(sessionTimeout, store, logger)
 	samlsvc := &saml.Service{Log: logger, Env: settings}
 
-	secureCookie := !settings.True(api.DevUseInsecureCookie)
+	secureCookie := !settings.True(api.DevDisableSSL)
 	cookieService := http.NewSessionCookieService(secureCookie)
 
 	api.Geocode = usps.Geocoder{Log: logger, Env: settings}
@@ -125,7 +125,6 @@ func main() {
 	security := http.SecurityHandler{Log: logger, Env: settings}
 	cors := http.CORSHandler{Log: logger, Env: settings}
 	logging := http.LoggingHandler{Log: logger}
-	//router := caching.Middleware(cors.Middleware(logging.Middleware(r)))
 	router := caching.Middleware(security.Middleware(cors.Middleware(logging.Middleware(r))))
 
 	// Get the public address

diff --git a/api/env/env.go b/api/env/env.go
@@ -62,7 +62,7 @@ func (env Native) Configure() {
 	env.ensure(api.FileMaximumSize, "5000000")
 	env.ensure(api.FileTypes, ".tiff;.png;.pdf")
 	env.ensure(api.WsEnabled, "1")
-	env.ensure(api.DevUseInsecureCookie, "")
+	env.ensure(api.DevDisableSSL, "0")
 }
 
 // Has returns true if the environment has a value for the given environment variable.

diff --git a/api/http/security_headers.go b/api/http/security_headers.go
@@ -1,7 +1,6 @@
 package http
 
 import (
-	"fmt"
 	"net/http"
 
 	"github.com/18F/e-QIP-prototype/api"
@@ -18,7 +17,7 @@ func (service SecurityHandler) Middleware(next http.Handler) http.Handler {
 
 	handler := func(w http.ResponseWriter, r *http.Request) {
 
-		if !service.Env.True(api.DevUseInsecureCookie) {
+		if !service.Env.True(api.DevDisableSSL) {
 			w.Header().Set("Strict-Transport-Security", "max-age = 31536000; includeSubDomains")
 		}
 

diff --git a/api/settings.go b/api/settings.go
@@ -352,10 +352,10 @@ const (
 	// Default: ""
 	IndentJSON = "INDENT_JSON"
 
-	// DevUseInsecureCookie controls whether to use a cookie with Secure set to false in development.
+	// DevDisableSSL controls whether to use a cookie with Secure set to false in development.
 	// Also controls the Strict-Transport-Security header that's set in security_headers.go
 	//
 	// Target: Back-end (api)
 	// Default: ""
-	DevUseInsecureCookie = "DEV_USE_INSECURE_COOKIE"
+	DevDisableSSL = "DEV_DISABLE_SSL"
 )