[#1942] secure flag for auth cookies

ckan/lib/auth_tkt.py

@@ -77,6 +77,9 @@ def make_plugin(secret=None,
     # Set httponly based on config value. Default is True
     httponly = config.get('who.httponly', True)
 
+    # Set secure based on config value. Default is False
+    secure = config.get('who.secure', False)
+
     # back to repoze boilerplate
     if (secret is None and secretfile is None):
         raise ValueError("One of 'secret' or 'secretfile' must not be None.")

ckan/new_tests/lib/test_auth_tkt.py

@@ -182,3 +182,48 @@ def test_httponly_expected_cookies_without_config_httponly(self):
             ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; HttpOnly')
         ]
         assert cookies == expected_cookies
+
+    @helpers.change_config('who.secure', True)
+    def test_secure_expected_cookies_with_config_secure_true(self):
+        '''
+        The returned cookies are in the format we expect, with secure flag.
+        '''
+        plugin = make_plugin(secret='sosecret')
+        cookies = plugin._get_cookies(environ={'SERVER_NAME': '0.0.0.0'},
+                                      value='HELLO')
+        expected_cookies = [
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; secure; HttpOnly'),
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=0.0.0.0; secure; HttpOnly'),
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; secure; HttpOnly')
+        ]
+        assert cookies == expected_cookies
+
+    @helpers.change_config('who.secure', False)
+    def test_secure_expected_cookies_with_config_secure_false(self):
+        '''
+        The returned cookies are in the format we expect, without secure
+        flag.
+        '''
+        plugin = make_plugin(secret='sosecret')
+        cookies = plugin._get_cookies(environ={'SERVER_NAME': '0.0.0.0'},
+                                      value='HELLO')
+        expected_cookies = [
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; HttpOnly'),
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=0.0.0.0; HttpOnly'),
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; HttpOnly')
+        ]
+        assert cookies == expected_cookies
+
+    def test_secure_expected_cookies_without_config_secure(self):
+        '''
+        The returned cookies are in the format we expect, with secure flag.
+        '''
+        plugin = make_plugin(secret='sosecret')
+        cookies = plugin._get_cookies(environ={'SERVER_NAME': '0.0.0.0'},
+                                      value='HELLO')
+        expected_cookies = [
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; HttpOnly'),
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=0.0.0.0; HttpOnly'),
+            ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; HttpOnly')
+        ]
+        assert cookies == expected_cookies

doc/maintaining/configuration.rst

@@ -77,6 +77,20 @@ Default value: True
 This determines whether the HttpOnly flag will be set on the repoze.who
 authorization cookie. The default in the absence of the setting is ``True``.
 
+.. _who.secure:
+
+who.secure
+^^^^^^^^^^
+
+Example::
+ who.secure = True
+
+Default value: False
+
+This determines whether the secure flag will be set for the repoze.who
+authorization cookie. If ``True``, the cookie will be sent over HTTPS. The
+default in the absence of the setting is ``False``.
+
 
 Database Settings
 -----------------