# HG changeset patch
# User Christophe de Vienne
# Date 1438941128 -7200
# Node ID 197e10cb74f7c954a82b03f46f70d01336ec9d1f
# Parent 0bad6416e32a2ba06bc97ae94b35ccaab54b4a5f
[auth] Make the configuration cookies completely configurable Also transfert the secret setting from all-in-one.conf to pyramid.ini, with backward compatibility. Closes #5999625
diff -r 0bad6416e32a -r 197e10cb74f7 pyramid_cubicweb/auth.py
--- a/pyramid_cubicweb/auth.py Mon Aug 03 18:11:10 2015 +0200
+++ b/pyramid_cubicweb/auth.py Fri Aug 07 11:52:08 2015 +0200
@@ -58,8 +58,26 @@
 This allow to combine two policies with different settings and select them by just setting this argument. """
- def __init__(self, secret, persistent, **kw):
+ def __init__(self, secret, persistent, defaults={}, prefix='', **settings):
 self.persistent = persistent
+ unset = object()
+ kw = {}
+ # load string settings
+ for name in ('cookie_name', 'path', 'domain', 'hashalg'):
+ value = settings.get(prefix + name, defaults.get(name, unset))
+ if value is not unset:
+ kw[name] = value
+ # load boolean settings
+ for name in ('secure', 'include_ip', 'http_only', 'wild_domain',
+ 'parent_domain', 'debug'):
+ value = settings.get(prefix + name, defaults.get(name, unset))
+ if value is not unset:
+ kw[name] = asbool(value)
+ # load int settings
+ for name in ('timeout', 'reissue_time', 'max_age'):
+ value = settings.get(prefix + name, defaults.get(name, unset))
+ if value is not unset:
+ kw[name] = int(value)
 super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw)
 def remember(self, request, principals, **kw):
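Review bot: The new `__init__` signature carries a mutable default, `defaults={}`; the body only reads it through `.get`, so nothing is corrupted today, but the idiomatic and safer form is `defaults=None` with `defaults = defaults or {}` as the first statement of the body. The docstring above, only partly visible in the hunk, does not appear to describe the three new parameters; a sentence such as "`defaults` gives fallback values for the AuthTkt cookie options, `prefix` is prepended to each option name when it is looked up in `settings`, and an option found in neither is left to the base class" would tell operators what has become configurable. The three lookup loops silently ignore any unknown key under `prefix`, so a misspelt option in pyramid.ini falls back to the default with no diagnostic; logging the names that were actually applied (or warning on prefixed keys that match none of the lists) would make a hardening setting that did not take effect visible.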
@@ -85,17 +103,34 @@
 policies.append(UpdateLoginTimeAuthenticationPolicy())
 if asbool(settings.get('cubicweb.auth.authtkt', True)):
- secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+ session_prefix = 'cubicweb.auth.authtkt.session.'
+ persistent_prefix = 'cubicweb.auth.authtkt.persistent.'
- if not secret:
+ try:
+ secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+ warnings.warn(
+ "pyramid-auth-secret from all-in-one is now "
+ "cubicweb.auth.authtkt.[session|persistent].secret",
+ DeprecationWarning)
+ except:
 secret = 'notsosecret'
+ session_secret = settings.get(
+ session_prefix + 'secret', secret)
+ persistent_secret = settings.get(
+ persistent_prefix + 'secret', secret)
+ if 'notsosecret' in (session_secret, persistent_secret):
 warnings.warn('''
- !! WARNING !! !! WARNING !!
+ !! SECURITY WARNING !!
 The authentication cookies are signed with a static secret key.
- To put your own secret key, edit your all-in-one.conf file
- and set the 'pyramid-auth-secret' key.
+
+ Configure the following options in your pyramid.ini file:
+ - cubicweb.auth.authtkt.session.secret - cubicweb.auth.authtkt.persistent.secret YOU SHOULD STOP THIS INSTANCE unless your really know what you are doing !!
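Review bot: The old `if not secret:` guard is gone, so when `pyramid-auth-secret` is present in the all-in-one config but empty, the lookup succeeds with `''`, both `session_secret` and `persistent_secret` default to `''`, the `'notsosecret'` check does not fire, and the tickets are signed with an empty key without any warning. Keep the fallback after the `try` block, `if not secret: secret = 'notsosecret'`, or widen the check to `if not session_secret or not persistent_secret or 'notsosecret' in (session_secret, persistent_secret):` so an empty value from either source triggers the banner. The bare `except:` catches everything, including `KeyboardInterrupt`, and hides any error other than the missing key; `except KeyError:` is what this lookup can actually raise. The `DeprecationWarning` is also emitted whenever the legacy option is readable, before the new `cubicweb.auth.authtkt.*.secret` keys are consulted, so operators who already migrated still see it; guarding it with `if secret:` or checking the new keys first would limit the noise. The enclosing function starts before this hunk and continues after it.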
@@ -104,33 +139,29 @@
 policies.append(
 CWAuthTktAuthenticationPolicy(
- secret, False, hashalg='sha512',
- cookie_name=settings.get(
- 'cubicweb.auth.authtkt.session.cookie_name',
- 'auth_tkt'),
- timeout=int(settings.get(
- 'cubicweb.auth.authtkt.session.timeout',
- 1200)),
- reissue_time=int(settings.get(
- 'cubicweb.auth.authtkt.session.reissue_time',
- 120))
+ session_secret, False,
+ defaults={
+ 'hashalg': 'sha512',
+ 'cookie_name': 'auth_tkt',
+ 'timeout': 1200,
+ 'reissue_time': 120
+ },
+ prefix=session_prefix,
+ **settings
 )
 )
 policies.append(
 CWAuthTktAuthenticationPolicy(
- secret, True, hashalg='sha512',
- cookie_name=settings.get(
- 'cubicweb.auth.authtkt.persistent.cookie_name',
- 'pauth_tkt'),
- max_age=int(settings.get(
- 'cubicweb.auth.authtkt.persistent.max_age',
- 3600*24*30 # defaults to 1 month
- )),
- reissue_time=int(settings.get(
- 'cubicweb.auth.authtkt.persistent.reissue_time',
- 3600*24
- ))
+ persistent_secret, True,
+ defaults={
+ 'hashalg': 'sha512',
+ 'cookie_name': 'pauth_tkt',
+ 'max_age': 3600*24*30,
+ 'reissue_time': 3600*24
+ },
+ prefix=persistent_prefix,
+ **settings
 )
 )
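Review bot: Neither `defaults` dict sets `http_only` or `secure`, so unless an operator adds `cubicweb.auth.authtkt.session.http_only` (and the persistent counterpart) to pyramid.ini the ticket cookies keep the base policy's defaults, which, if the base class is pyramid's `AuthTktAuthenticationPolicy`, are `False` for both — the session ticket then stays readable from script. Now that the option is plumbed through, the defaults are the right place to harden it: add `'http_only': True,` to both dicts; `secure` has to remain opt-in since it would break plain-http development instances, but a comment saying so next to the dicts would stop the next reader from assuming it was forgotten. The `# defaults to 1 month` explanation was dropped with the old `max_age` line; restore it as `'max_age': 3600*24*30,  # 30 days`. Both `policies.append(...)` calls sit inside a function that starts before this hunk.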