From ae3cdb78515397420c13f7fb03a8ab3a4826f901 Mon Sep 17 00:00:00 2001
From: amercader
Date: Tue, 7 Jan 2014 11:41:45 +0000
Subject: [PATCH] [#1422] More secure default for the repoze secret key
The who.ini file has a secret key used during authentication. To make sure users don't forget to update it we can use the beaker session secret which is generated randomly when creating the ckan ini file. If users define a secret in the who.ini file, this one will be used. To do this, we use a small custom plugin that checks the secret key and calls the core repoze plugin afterwards.
---
 ckan/config/middleware.py | 6 ++++++
 ckan/config/who.ini | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ckan/config/middleware.py b/ckan/config/middleware.py
index 5ba02933d46..ba3f1f15d2e 100644
--- a/ckan/config/middleware.py
+++ b/ckan/config/middleware.py
@@ -18,6 +18,7 @@ from routes.middleware import RoutesMiddleware
 from repoze.who.config import WhoConfig
 from repoze.who.middleware import PluggableAuthenticationMiddleware
+from repoze.who.plugins.auth_tkt import make_plugin as auth_tkt_make_plugin
 from fanstatic import Fanstatic
 from ckan.plugins import PluginImplementations
@@ -183,6 +184,11 @@ def make_app(conf, full_stack=True, static_files=True, **app_conf):
 return app
+def ckan_auth_tkt_make_app(**kw):
+ if not len(kw.get('secret', '')) or kw.get('secret') == 'somesecret':
+ kw['secret'] = config['beaker.session.secret']
+ return auth_tkt_make_plugin(**kw)
 class I18nMiddleware(object): """I18n Middleware selects the language based on the url
diff --git a/ckan/config/who.ini b/ckan/config/who.ini
index 54528f27c3b..5282e20d9b1 100644
--- a/ckan/config/who.ini
+++ b/ckan/config/who.ini
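Review bot: The fallback guard `if not len(kw.get('secret', '')) or kw.get('secret') == 'somesecret':` in `ckan_auth_tkt_make_app` also fires when the deployer configured the plugin with `secretfile` instead of `secret`, so the wrapper then hands both keys to `auth_tkt_make_plugin`, which as far as I recall refuses that combination at startup; the guard should leave a file-backed secret alone, e.g. `if 'secretfile' not in kw and kw.get('secret', '') in ('', 'somesecret'):`, which also reads more directly than `not len(...)`. `config` is resolved from outside the hunk (presumably the pylons config object already imported in this module); a missing `beaker.session.secret` raises KeyError before the app serves anything, which is the right failure mode, but the function deserves a short docstring saying that the session secret is substituted for an empty or still-default auth_tkt secret and that the two credentials are then tied together, so rotating one means rotating both. The name ends in `_make_app` although the function returns a repoze plugin, not a WSGI app; `ckan_auth_tkt_make_plugin` would describe it better, with the who.ini `use =` line updated to match.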
@@ -1,6 +1,7 @@
 [plugin:auth_tkt]
-use = repoze.who.plugins.auth_tkt:make_plugin
-secret = somesecret
+use = ckan.config.middleware:ckan_auth_tkt_make_app
+# If no secret key is defined here, beaker.session.secret will be used
+#secret = somesecret
 [plugin:friendlyform]
 use = repoze.who.plugins.friendlyform:FriendlyFormPlugin
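Review bot: The new comment `# If no secret key is defined here, beaker.session.secret will be used` describes only half of the fallback: the factory it now points at in `ckan.config.middleware` also replaces a secret that is still the literal `somesecret`, so an operator who uncomments the example line unchanged silently gets the session secret rather than the value they see in this file. I would make that explicit, e.g. `# If no secret is set here, or it is left as 'somesecret', beaker.session.secret is used instead`, and pick a placeholder on the commented line that is obviously not meant to be used as-is. Whether a `secretfile` setting is honoured by that fallback is not visible from this file and is worth stating in the same comment once decided.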