misc: add setting to set secure flag on opened session cookie (#45938)

2020-08-17 22:54:02 +02:00 · 2020-08-17 22:54:02 +02:00 · 5d32b8db52
parent a0eeaede8d
commit 5d32b8db52
6 changed files with 24 additions and 2 deletions
--- a/debian/debian_config.py
+++ b/debian/debian_config.py
@ -118,6 +118,8 @@ LOGGING = {
    },
 }

+A2_OPENED_SESSION_COOKIE_SECURE = True
+
 # Old settings method
 def extract_settings_from_environ():
    import json
--- a/debian/multitenant/debian_config.py
+++ b/debian/multitenant/debian_config.py
@ -39,6 +39,8 @@ if 'syslog' in LOGGING['handlers']:
 # Default login's form username label
 A2_USERNAME_LABEL = _('Email')

+A2_OPENED_SESSION_COOKIE_SECURE = True
+
 # Rest Authentication Class for services access
 REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] += (
    'authentic2.authentication.Authentic2Authentication',
--- a/src/authentic2/app_settings.py
+++ b/src/authentic2/app_settings.py
@ -208,6 +208,8 @@ default_settings = dict(
        definition='Authentic session open'),
    A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(
        default=None),
+    A2_OPENED_SESSION_COOKIE_SECURE=Setting(
+        default=False),
    A2_ATTRIBUTE_KINDS=Setting(
        default=(),
        definition='List of other attribute kinds'),
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@ -62,7 +62,8 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
        else:
            domain = app_settings.A2_OPENED_SESSION_COOKIE_DOMAIN
        if hasattr(request, 'user') and request.user.is_authenticated:
-            response.set_cookie(name, value='1', max_age=None, domain=domain)
+            response.set_cookie(name, value='1', max_age=None, domain=domain,
+                    secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE)
        elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
            response.delete_cookie(name, domain=domain)
        return response
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -1295,7 +1295,7 @@ def test_api_get_role_list(app, admin_ou1, role_ou1, role_random):


 def test_no_opened_session_cookie_on_api(app, user, settings):
-    settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'testserver'
+    settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'testserver.local'
    app.authorization = ('Basic', (user.username, user.username))
    resp = app.get('/api/users/')
    assert 'A2_OPENED_SESSION' not in app.cookies
--- a/tests/test_login.py
+++ b/tests/test_login.py
@ -277,3 +277,18 @@ def test_login_error_messages(app, settings, simple_user):
    assert 'Incorrect Username or password.' in resp
    assert 'use the forgotten password link below' not in resp
    assert 'or create an account.' in resp
+
+
+def test_login_opened_session_cookie(db, app, settings, simple_user):
+    settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'testserver.local'
+    app.cookiejar.clear()
+    login(app, simple_user)
+    assert 'A2_OPENED_SESSION' in app.cookies
+
+    settings.A2_OPENED_SESSION_COOKIE_SECURE = True
+    app.cookiejar.clear()
+    login(app, simple_user)
+    assert 'A2_OPENED_SESSION' in app.cookies
+    for cookie in app.cookiejar:
+        if cookie.name == 'A2_OPENED_SESSION':
+            assert cookie.secure is True