enh: set up beaker session cookies with validate_key

DCOR-dev · Jan 17, 2024 · 743c3af · 743c3af
1 parent 599588b
commit 743c3af
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,5 @@
+0.9.1
+ - enh: set up beaker session cookies with validate_key
 0.9.0
  - feat: perform compatible version check during update
  - feat: introduce CLI `dcor develop`, editable install of all extensions

diff --git a/dcor_control/cli/inspect.py b/dcor_control/cli/inspect.py
@@ -13,6 +13,10 @@ def inspect(assume_yes=False):
     click.secho("Checking CKAN options...", bold=True)
     inspect_mod.check_ckan_ini(autocorrect=assume_yes)
 
+    click.secho("Checking beaker session secret...", bold=True)
+    inspect_mod.check_ckan_beaker_session_cookie_validate_key(
+        autocorrect=assume_yes)
+
     click.secho("Checking www-data permissions...", bold=True)
     for path in [
         "/tmp/DCOR_generate_condensed",  # resource condense locks

diff --git a/dcor_control/inspect/__init__.py b/dcor_control/inspect/__init__.py
@@ -2,6 +2,7 @@
 from .common import check_permission
 from .config_ckan import (
     check_ckan_ini,
+    check_ckan_beaker_session_cookie_validate_key,
     check_dcor_theme_i18n_hack,
     check_dcor_theme_main_css,
     check_ckan_uploader_patch_to_support_symlinks,

diff --git a/dcor_control/inspect/config_ckan.py b/dcor_control/inspect/config_ckan.py
@@ -4,6 +4,7 @@
 from pkg_resources import resource_filename
 import socket
 import subprocess as sp
+import uuid
 
 from dcor_shared.paths import get_ckan_config_option, get_ckan_config_path
 from dcor_shared.parse import ConfigOptionNotFoundError, parse_ini_config
@@ -13,6 +14,21 @@
 from . import common
 
 
+def check_ckan_beaker_session_cookie_validate_key(autocorrect=False):
+    """Generate a beaker cookie hash secret
+
+    This is the secret token that the beaker library uses to hash the
+    cookie sent to the client. ckan generate config generates a unique
+    value for this each time it generates a config file. When used in a
+    cluster environment, the value must be the same on every machine.
+    """
+    opt = get_actual_ckan_option("beaker.session.validate_key")
+    if opt == "NOT SET!":
+        check_ckan_ini_option("beaker.session.validate_key",
+                              str(uuid.uuid4()),
+                              autocorrect=autocorrect)
+
+
 def check_ckan_ini(autocorrect=False):
     """Check custom ckan.ini server options
 

diff --git a/dcor_control/resources/dcor_options.ini b/dcor_control/resources/dcor_options.ini
@@ -71,3 +71,12 @@ ckanext.dcor_schemas.json_resource_schema_dir = package
 
 # enforce CSRF protection for all extensions
 ckan.csrf_protection.ignore_extensions = false
+
+
+# cookies
+beaker.session.type = cookie
+beaker.session.data_serializer = json
+beaker.session.httponly = true
+beaker.session.secure = true
+beaker.session.samesite = Strict
+beaker.session.httponly = true
diff --git a/setup.py b/setup.py
@@ -51,6 +51,7 @@
         # the "ckan" dependency is implied
         "appdirs",
         "click>=7",
+        "cryptography>=41",  # client beaker session cookies
         "ckanext-dc_log_view>0.2.9",
         "ckanext-dc_serve>0.11.1",
         "ckanext-dc_view>0.6.10",