From 6d6c6774bb0f07edd067d802f7c543775853eebe Mon Sep 17 00:00:00 2001 From: Brook Elgie Date: Sun, 16 Nov 2014 16:28:56 +0000 Subject: [PATCH] [#1942] secure flag for auth cookies --- ckan/lib/auth_tkt.py | 3 ++ ckan/new_tests/lib/test_auth_tkt.py | 45 +++++++++++++++++++++++++++++ doc/maintaining/configuration.rst | 14 +++++++++ 3 files changed, 62 insertions(+) diff --git a/ckan/lib/auth_tkt.py b/ckan/lib/auth_tkt.py index ef68de09fa5..9f7feab0059 100644 --- a/ckan/lib/auth_tkt.py +++ b/ckan/lib/auth_tkt.py @@ -77,6 +77,9 @@ def make_plugin(secret=None, # Set httponly based on config value. Default is True httponly = config.get('who.httponly', True) + # Set secure based on config value. Default is False + secure = config.get('who.secure', False) + # back to repoze boilerplate if (secret is None and secretfile is None): raise ValueError("One of 'secret' or 'secretfile' must not be None.") diff --git a/ckan/new_tests/lib/test_auth_tkt.py b/ckan/new_tests/lib/test_auth_tkt.py index ce8a755a750..7a5c89b0e80 100644 --- a/ckan/new_tests/lib/test_auth_tkt.py +++ b/ckan/new_tests/lib/test_auth_tkt.py 
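Review bot: `secure = config.get('who.secure', False)` in the auth_tkt.py hunk keeps the raw config value, and a setting read from an .ini file normally arrives as a string, so `who.secure = False` would be the truthy string `'False'` unless it is converted further down. make_plugin's body continues outside this hunk, so I cannot see whether that conversion happens. If it does not, parse it at the point of assignment, for example `secure = asbool(config.get('who.secure', False))` with `paste.deploy.converters.asbool`. The assignment also appears to replace any `secure` value passed in to make_plugin (the signature is only partly visible), so a comment such as `# CKAN config takes precedence over the secure argument from who.ini` would make that precedence explicit.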
@@ -182,3 +182,48 @@ def test_httponly_expected_cookies_without_config_httponly(self):
 ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; HttpOnly')
 ]
 assert cookies == expected_cookies
+
+ @helpers.change_config('who.secure', True)
+ def test_secure_expected_cookies_with_config_secure_true(self):
+ '''
+ The returned cookies are in the format we expect, with secure flag.
+ '''
+ plugin = make_plugin(secret='sosecret')
+ cookies = plugin._get_cookies(environ={'SERVER_NAME': '0.0.0.0'},
+ value='HELLO')
+ expected_cookies = [
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; secure; HttpOnly'),
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=0.0.0.0; secure; HttpOnly'),
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; secure; HttpOnly')
+ ]
+ assert cookies == expected_cookies
+
+ @helpers.change_config('who.secure', False)
+ def test_secure_expected_cookies_with_config_secure_false(self):
+ '''
+ The returned cookies are in the format we expect, without secure
+ flag.
+ '''
+ plugin = make_plugin(secret='sosecret')
+ cookies = plugin._get_cookies(environ={'SERVER_NAME': '0.0.0.0'},
+ value='HELLO')
+ expected_cookies = [
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; HttpOnly'),
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=0.0.0.0; HttpOnly'),
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; HttpOnly')
+ ]
+ assert cookies == expected_cookies
+
+ def test_secure_expected_cookies_without_config_secure(self):
+ '''
+ The returned cookies are in the format we expect, with secure flag.
+ '''
+ plugin = make_plugin(secret='sosecret')
+ cookies = plugin._get_cookies(environ={'SERVER_NAME': '0.0.0.0'},
+ value='HELLO')
+ expected_cookies = [
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; HttpOnly'),
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=0.0.0.0; HttpOnly'),
+ ('Set-Cookie', 'auth_tkt="HELLO"; Path=/; Domain=.0.0.0.0; HttpOnly')
+ ]
+ assert cookies == expected_cookies
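Review bot: The docstring of `test_secure_expected_cookies_without_config_secure` says "with secure flag", but the cookies it asserts carry no `secure` attribute. It should read `The returned cookies are in the format we expect, without secure flag.` All three new tests also set `who.secure` to Python booleans, whereas a deployment's config file would typically supply strings. Adding a case such as `@helpers.change_config('who.secure', 'false')` that expects cookies without `secure`, and one with `'true'` that expects it, would pin down how string values are interpreted.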
diff --git a/doc/maintaining/configuration.rst b/doc/maintaining/configuration.rst index 6278c1a8731..5497bfa2390 100644 --- a/doc/maintaining/configuration.rst +++ b/doc/maintaining/configuration.rst @@ -77,6 +77,20 @@ Default value: True This determines whether the HttpOnly flag will be set on the repoze.who authorization cookie. The default in the absence of the setting is ``True``. +.. _who.secure: + +who.secure +^^^^^^^^^^ + +Example:: + who.secure = True + +Default value: False + +This determines whether the secure flag will be set for the repoze.who +authorization cookie. If ``True``, the cookie will be sent over HTTPS. The +default in the absence of the setting is ``False``. + Database Settings -----------------