Merge 4bfeb01 into af05d68

uc-cdis · Aug 6, 2021 · 2d05446 · 2d05446
2 parents af05d68 + 4bfeb01
commit 2d05446
Show file tree

Hide file tree

Showing 12 changed files with 239 additions and 126 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,6 +1,6 @@
 #!groovy
 
-@Library('cdis-jenkins-lib@master') _
+@Library('cdis-jenkins-lib@test/samesite') _
 
 testPipeline {
 }
diff --git a/fence/blueprints/privacy.py b/fence/blueprints/privacy.py
@@ -18,7 +18,7 @@
 
 import flask
 from markdown import Markdown
-from werkzeug.contrib.cache import SimpleCache
+from cachelib import SimpleCache
 
 from fence import config
 from fence.errors import NotFound

diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
@@ -193,6 +193,7 @@ def save_session(self, app, session, response):
                 expires=self.get_expiration_time(app, session),
                 httponly=True,
                 domain=domain,
+                samesite="Lax",
             )
             # try to get user, exception means they're not logged in
             try:
@@ -210,6 +211,7 @@ def save_session(self, app, session, response):
                     expires=0,
                     httponly=True,
                     domain=domain,
+                    samesite="Lax",
                 )
             # check that the current user is the one from the session,
             # clear access token if not
@@ -219,6 +221,7 @@ def save_session(self, app, session, response):
                     expires=0,
                     httponly=True,
                     domain=domain,
+                    samesite="Lax",
                 )
 
             # generate an access token and set in cookie if
@@ -249,6 +252,7 @@ def save_session(self, app, session, response):
                 expires=0,
                 httponly=True,
                 domain=domain,
+                samesite="Lax",
             )
 
 
@@ -327,6 +331,7 @@ def _create_access_token_cookie(app, session, response, user):
         expires=expiration,
         httponly=True,
         domain=domain,
+        samesite="Lax",
     )
 
     return response

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -46,7 +46,8 @@ retry = "^0.9.2"
 sqlalchemy = "^1.3.3"
 storageclient = {git = "https://github.com/uc-cdis/storage-client", rev = "1.0.2"}
 userdatamodel = "^2.3.3"
-werkzeug = "^0.16.0"
+werkzeug = "^1.0.0"
+cachelib = "^0.2.0"
 
 [tool.poetry.dev-dependencies]
 addict = "^2.2.1"
@@ -57,7 +58,7 @@ mock = "^2.0.0"
 moto = "^1.1.24"
 pytest = "^3.2.3"
 pytest-cov = "^2.5.1"
-pytest-flask = "^0.11.0"
+pytest-flask = "^0.15.0"
 
 [tool.poetry.scripts]
 fence-create = 'bin.fence_create:main'

diff --git a/tests/jwt/test_tokens.py b/tests/jwt/test_tokens.py
@@ -26,7 +26,7 @@ def test_passport_access_token(app, kid, rsa_private_key, test_user_a):
         ["openid", "user", "ga4gh_passport_v1"],
         client_id="client_a",
     )
-    payload = jwt.decode(jwt_token.token, verify=False)
+    payload = jwt.decode(jwt_token.token, algorithms="RS256", verify=False)
     # assert required fields exist
     assert payload["iss"] is not None or ""
     assert payload["sub"] is not None or ""

diff --git a/tests/link/test_link.py b/tests/link/test_link.py
@@ -177,7 +177,11 @@ def test_google_link_auth_return(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     # simulate successfully authed reponse with user email
@@ -254,7 +258,11 @@ def test_patch_google_link(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     r = client.patch(
@@ -354,7 +362,11 @@ def test_patch_google_link_account_not_in_token(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     r = client.patch(
@@ -406,7 +418,11 @@ def test_patch_google_link_account_doesnt_exist(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     r = client.patch(
@@ -471,7 +487,11 @@ def test_google_link_g_account_exists(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     # simulate successfully authed reponse with user email
@@ -546,7 +566,11 @@ def test_google_link_g_account_access_extension(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     # simulate successfully authed reponse with user email
@@ -629,7 +653,11 @@ def test_google_link_g_account_exists_linked_to_different_user(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     # simulate successfully authed reponse with user email
@@ -693,7 +721,11 @@ def test_google_link_no_proxy_group(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     # simulate successfully authed reponse with user email
@@ -775,7 +807,11 @@ def test_google_link_when_google_mocked(
 
     # manually set cookie for initial session
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     headers = {"Authorization": "Bearer " + encoded_creds_jwt.jwt}

diff --git a/tests/link/test_link_id_token.py b/tests/link/test_link_id_token.py
@@ -14,7 +14,7 @@ def test_google_id_token_not_linked(oauth_test_client):
     data = {"confirm": "yes"}
     oauth_test_client.authorize(data=data)
     tokens = oauth_test_client.token()
-    id_token = jwt.decode(tokens.id_token, verify=False)
+    id_token = jwt.decode(tokens.id_token, algorithms="RS256", verify=False)
     assert id_token["context"]["user"].get("google") is None
 
 
@@ -48,7 +48,7 @@ def test_google_id_token_linked(db_session, encoded_creds_jwt, oauth_test_client
     data = {"confirm": "yes"}
     oauth_test_client.authorize(data=data)
     tokens = oauth_test_client.token()
-    id_token = jwt.decode(tokens.id_token, verify=False)
+    id_token = jwt.decode(tokens.id_token, algorithms="RS256", verify=False)
 
     assert "google" in id_token["context"]["user"]
     assert (

diff --git a/tests/login/test_google_login.py b/tests/login/test_google_login.py
@@ -27,7 +27,11 @@ def test_google_login_http_headers_are_less_than_4k_for_user_with_many_projects(
         },
     )
     client.set_cookie(
-        "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+        "localhost",
+        config["SESSION_COOKIE_NAME"],
+        test_session_jwt,
+        httponly=True,
+        samesite="Lax",
     )
 
     user_projects = {

diff --git a/tests/rfc6749/test_revoke.py b/tests/rfc6749/test_revoke.py
@@ -13,7 +13,7 @@ def test_blacklisted_token(client, oauth_client, encoded_jwt_refresh_token):
     print(encoded_jwt_refresh_token)
     import jwt
 
-    print(jwt.decode(encoded_jwt_refresh_token, verify=False))
+    print(jwt.decode(encoded_jwt_refresh_token, algorithms="RS256", verify=False))
     assert response.status_code == 200, response.data
     assert is_token_blacklisted(encoded_jwt_refresh_token)
 

diff --git a/tests/session/test_session.py b/tests/session/test_session.py
@@ -59,7 +59,11 @@ def test_valid_session(app):
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         with client.session_transaction() as session:
             assert session["username"] == username
@@ -78,7 +82,11 @@ def test_valid_session_modified(app):
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         with client.session_transaction() as session:
 
@@ -105,7 +113,11 @@ def test_expired_session_lifetime(app):
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         with client.session_transaction() as session:
             # make sure we don't have the username when opening
@@ -134,7 +146,11 @@ def test_expired_session_timeout(app):
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         with client.session_transaction() as session:
             # make sure we don't have the username when opening
@@ -154,7 +170,11 @@ def test_session_cleared(app):
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         with client.session_transaction() as session:
             session["username"] = username
@@ -172,7 +192,11 @@ def test_invalid_session_cookie(app):
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         with client.session_transaction() as session:
             # main test is that we haven't raised an exception by this point
@@ -212,13 +236,18 @@ def test_valid_session_valid_access_token(
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         client.set_cookie(
             "localhost",
             config["ACCESS_TOKEN_COOKIE_NAME"],
             test_access_jwt,
             httponly=True,
+            samesite="Lax",
         )
 
         response = client.get("/user")
@@ -260,13 +289,18 @@ def test_valid_session_valid_access_token_diff_user(
     with app.test_client() as client:
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
         client.set_cookie(
             "localhost",
             config["ACCESS_TOKEN_COOKIE_NAME"],
             test_access_jwt,
             httponly=True,
+            samesite="Lax",
         )
 
         response = client.get("/user")

diff --git a/tests/test_logout.py b/tests/test_logout.py
@@ -71,7 +71,11 @@ def test_logout_fence(app, client, user_with_fence_provider, monkeypatch):
     with mock.patch("fence.allowed_login_redirects", return_value={"some_site.com"}):
         # manually set cookie for initial session
         client.set_cookie(
-            "localhost", config["SESSION_COOKIE_NAME"], test_session_jwt, httponly=True
+            "localhost",
+            config["SESSION_COOKIE_NAME"],
+            test_session_jwt,
+            httponly=True,
+            samesite="Lax",
         )
 
         r = client.get("/logout?next={}".format(redirect))