0001-settings-set-secure-flag-on-cookies-71880.patch

Benjamin Dauvergne, 30 novembre 2022 15:28

Voir les différences: en ligne côte à côte

Subject: [PATCH 1/2] settings: set secure flag on cookies (#71880)

 src/authentic2/settings.py    |  5 +++++
 tests/api/test_all.py         | 16 ++++++++--------
 tests/auth_fc/conftest.py     |  4 ++--
 tests/auth_fc/test_auth_fc.py |  2 +-
 tests/conftest.py             |  6 ++++--
 tests/idp_oidc/test_misc.py   |  4 ++--
 tests/settings.py             |  2 +-
 tests/test_attribute_kinds.py |  2 +-
 tests/test_auth_oidc.py       |  2 +-
 tests/test_commands.py        |  2 +-
 tests/test_csv_import.py      |  2 +-
 tests/test_idp_saml2.py       | 14 ++++++++------
 tests/test_manager.py         |  6 +++---
 tests/test_password_reset.py  |  4 ++--
 14 files changed, 40 insertions(+), 31 deletions(-)

src/authentic2/settings.py
55	55	}
56	56	}
57	57
	58	# Cookies
	59	SESSION_COOKIE_SECURE = True
	60	CSRF_COOKIE_SECURE = True
	61	LANGUAGE_COOKIE_SECURE = True
	62
58	63	# Hey Entr'ouvert is in France !!
59	64	TIME_ZONE = 'Europe/Paris'
60	65	LANGUAGE_CODE = 'fr'

         Role.objects.create(name='Role4', service=service)
         # test failure when unlogged
         response = client.get('/api/user/', HTTP_ORIGIN='http://testserver')
         response = client.get('/api/user/', HTTP_ORIGIN='https://testserver')
         assert response.content == b'{}'
         # login
         client.login(request=None, username='john.doe', password='password')
         response = client.get('/api/user/', HTTP_ORIGIN='http://testserver')
         response = client.get('/api/user/', HTTP_ORIGIN='https://testserver')
         data = json.loads(force_str(response.content))
         assert isinstance(data, dict)
         assert set(data.keys()) == {
-...
         assert response.json['user']['last_name'] == last_name
         assert check_password(password, response.json['user']['password'])
         assert response.json['token']
         assert response.json['validation_url'].startswith('http://testserver/accounts/activate/')
         assert response.json['validation_url'].startswith('https://testserver/accounts/activate/')
         assert User.objects.count() == 2
         user = User.objects.latest('id')
         assert user.ou == get_default_ou()
-...
         assert response.json['user']['last_name'] == last_name
         assert check_password(password, response.json['user']['password'])
         assert response.json['token']
         assert response.json['validation_url'].startswith('http://testserver/accounts/activate/')
         assert response.json['validation_url'].startswith('https://testserver/accounts/activate/')
         assert User.objects.count() == 2
         user = User.objects.latest('id')
         assert user.username == username
-...
         assert len(mailoutbox) == 1
         mail = mailoutbox[0]
         assert mail.to[0] == email
         assert 'http://testserver/password/reset/confirm/' in mail.body
         assert 'https://testserver/password/reset/confirm/' in mail.body
         assert_event('manager.user.password.reset.request', user=admin, api=True)
-...
         mail = mailoutbox[0]
         assert mail.to[0] == new_email
         assert 'http://testserver/accounts/change-email/verify/' in mail.body
         assert 'https://testserver/accounts/change-email/verify/' in mail.body
     def test_api_delete_role(app, admin_ou1, role_ou1):
-...
         assert len(resp.json['data']) == 6
         login_stats = {
             'name': 'Login count by authentication type',
             'url': 'http://testserver/api/statistics/login/',
             'url': 'https://testserver/api/statistics/login/',
             'id': 'login',
             'filters': [
+                {
-...
         assert login_stats in resp.json['data']
         assert {
             'name': 'Login count by service',
             'url': 'http://testserver/api/statistics/service_login/',
             'url': 'https://testserver/api/statistics/service_login/',
             'id': 'service-login',
             'filters': [
+                {

         @property
         def callback_url(self):
             return 'http://testserver' + reverse('fc-login-or-link')
             return 'https://testserver' + reverse('fc-login-or-link')
         def login_with_fc_fixed_params(self, app):
             if app.session:
-...
             assert url.startswith('https://fcp.integ01.dev-franceconnect.fr/api/v1/logout')
             parsed_url = urllib.parse.urlparse(url)
             query = QueryDict(parsed_url.query)
             assert_equals_url(query['post_logout_redirect_uri'], 'http://testserver' + reverse('fc-logout'))
             assert_equals_url(query['post_logout_redirect_uri'], 'https://testserver' + reverse('fc-logout'))
             assert query['state']
             self.state = query['state']
             return app.get(reverse('fc-logout') + '?state=' + self.state)

         for body in (mailoutbox[0].body, mailoutbox[0].alternatives[0][0]):
             assert 'Hi AnonymousUser,' in body
             assert 'You have just created an account using FranceConnect.' in body
             assert 'http://testserver/login/' in body
             assert 'https://testserver/login/' in body
         assert user.verified_attributes.first_name == 'Ÿuñe'
         assert user.verified_attributes.last_name == 'Frédérique'

         try:
             def factory(hostname='testserver'):
                 return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': hostname})
                 return django_webtest.DjangoTestApp(
                     extra_environ={'HTTP_HOST': hostname, 'wsgi.url_scheme': 'https'}
+                )
             yield factory
         finally:
-...
         else:
             def check_location(response, default_return):
                 assert urllib.parse.urljoin('http://testserver/', default_return).endswith(response['Location'])
                 assert urllib.parse.urljoin('https://testserver/', default_return).endswith(response['Location'])
         return check_location

         with open('tests/200x200.jpg', 'rb') as fd:
             simple_user.attributes.cityscape_image = File(fd)
         response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
         assert response.json['cityscape_image'].startswith('http://testserver/media/profile-image/')
         assert response.json['cityscape_image'].startswith('https://testserver/media/profile-image/')
         # check against a user without username
         simple_user.username = None
-...
                 src = iframes.attr('src')
                 assert '?' in src
                 src_qd = QueryDict(src.split('?', 1)[1])
                 assert 'iss' in src_qd and src_qd['iss'] == 'http://testserver/'
                 assert 'iss' in src_qd and src_qd['iss'] == 'https://testserver/'
                 assert 'sid' in src_qd and src_qd['sid'] == get_session_id(
                     mock.Mock(session=app.session), oidc_client
+                )

     TEMPLATES[0]['DIRS'].append('tests/templates')  # pylint: disable=undefined-variable
     TEMPLATES[0]['OPTIONS']['debug'] = True  # pylint: disable=undefined-variable
     SITE_BASE_URL = 'http://testserver'
     SITE_BASE_URL = 'https://testserver'
     A2_MAX_EMAILS_PER_IP = None
     A2_MAX_EMAILS_FOR_ADDRESS = None

         response = app.get('/api/users/%s/' % john().uuid)
         assert (
             response.json['cityscape_image']
             == 'http://testserver/media/%s' % john().attributes.cityscape_image.name
             == 'https://testserver/media/%s' % john().attributes.cityscape_image.name
+        )
         app.authorization = None

         assert query['response_type'] == 'code'
         assert query['client_id'] == str(oidc_provider.client_id)
         assert query['scope'] == 'openid'
         assert query['redirect_uri'] == 'http://testserver' + reverse('oidc-login-callback')
         assert query['redirect_uri'] == 'https://testserver' + reverse('oidc-login-callback')
         nonce = query['nonce']
         if oidc_provider.claims_parameter_supported:

         simple_user.save()
         call_command('clean-unused-accounts')
         mail = mailoutbox[0]
         assert 'href="http://testserver/login/"' in mail.message().as_string()
         assert 'href="https://testserver/login/"' in mail.message().as_string()
     def test_clean_unused_account_with_no_email(simple_user, mailoutbox, caplog):

         assert importer.run()
         thomas = User.objects.get(email='tnoel@entrouvert.com')
         assert len(mail.outbox) == 1
         assert 'http://testserver/password/reset/confirm/' in mail.outbox[0].body
         assert 'https://testserver/password/reset/confirm/' in mail.outbox[0].body
         password = thomas.password
         del mail.outbox[0]

             self.base_url = 'https://sp.example.com'
             self.name = 'Test SP'
             self.slug = 'test-sp'
             self.idp_entity_idp = ('http://testserver/idp/saml2/metadata',)
             self.idp_entity_idp = ('https://testserver/idp/saml2/metadata',)
             self.default_name_id_format = 'email'
             self.accepted_name_id_format = ['email', 'persistent', 'transient', 'username']
             self.ou = OrganizationalUnit.objects.get()
-...
                 ),
+                (
                     "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/saml:AttributeValue",
                     re.compile('^http://testserver/media/profile-image/.*$'),
                     re.compile('^https://testserver/media/profile-image/.*$'),
                 ),
+                (
                     "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/@NameFormat",
-...
             == '_' + hashlib.sha256(b'b' + b'https://sp.com/' + b'a').hexdigest().upper()
+        )
         edpt = saml2_endpoints.make_edu_person_targeted_id('http://testserver/idp/saml2/metadata', provider, user)
         edpt = saml2_endpoints.make_edu_person_targeted_id(
             'https://testserver/idp/saml2/metadata', provider, user
+        )
         assert edpt is not None
         node = lasso.Node.newFromXmlNode(force_str(ET.tostring(edpt)))
         assert isinstance(node, lasso.Saml2NameID)
         assert force_str(node.content) == '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
         assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
         assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
         assert node.nameQualifier == 'https://testserver/idp/saml2/metadata'
         assert node.spNameQualifier == 'https://sp.com/'
-...
         assert isinstance(node, lasso.Saml2NameID)
         assert force_str(node.content) == '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
         assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
         assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
         assert node.nameQualifier == 'https://testserver/idp/saml2/metadata'
         assert node.spNameQualifier == 'https://sp.com/'
-...
         assert isinstance(node, lasso.Saml2NameID)
         assert force_str(node.content) == '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
         assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
         assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
         assert node.nameQualifier == 'https://testserver/idp/saml2/metadata'
         assert node.spNameQualifier == 'https://sp.com/'

+            {
                 'label': 'Identity management',
                 'slug': 'identity-management',
                 'url': 'http://testserver/manage/',
                 'url': 'https://testserver/manage/',
                 'sub': False,
             },
             {'label': 'Users', 'slug': 'users', 'url': 'http://testserver/manage/users/', 'sub': True},
             {'label': 'Roles', 'slug': 'roles', 'url': 'http://testserver/manage/roles/', 'sub': True},
             {'label': 'Users', 'slug': 'users', 'url': 'https://testserver/manage/users/', 'sub': True},
             {'label': 'Roles', 'slug': 'roles', 'url': 'https://testserver/manage/roles/', 'sub': True},
+        ]
         response = login(app, admin)

         for body in (mail.body, mail.alternatives[0][0]):
             assert 'no account was found associated with this address' in body
             if settings.REGISTRATION_OPEN:
                 assert 'http://testserver/register/' in body
                 assert 'https://testserver/register/' in body
                 # check next_url was preserved
                 assert 'next=/whatever/' in body
             else:
                 assert 'http://testserver/register/' not in body
                 assert 'https://testserver/register/' not in body
     def test_send_password_reset_email_disabled_account(app, simple_user, mailoutbox):
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-settings-set-secure-flag-on-cookies-71880.patch