0001-settings-set-secure-flag-on-cookies-71880.patch

Benjamin Dauvergne, 30 novembre 2022 20:37

Voir les différences: en ligne côte à côte

Subject: [PATCH 1/2] settings: set secure flag on cookies (#71880)

Tests fixes :
* force https scheme in webtest HTTP client
* add secure=True to call with the django HTTP client
* replace http scheme by https in URLs assertions,
* properly use response.form in tests directly using app.post, as CSRF checks on secure connection also test the Referrer
* manually add Referer header in other cases,

 src/authentic2/settings.py        |  5 ++++
 tests/api/test_all.py             | 16 ++++++-------
 tests/auth_fc/conftest.py         |  4 ++--
 tests/auth_fc/test_auth_fc.py     |  2 +-
 tests/auth_fc/test_auth_fc_api.py |  4 ++--
 tests/conftest.py                 |  6 +++--
 tests/idp_oidc/test_misc.py       |  4 ++--
 tests/settings.py                 |  2 +-
 tests/test_attribute_kinds.py     |  2 +-
 tests/test_auth_oidc.py           |  2 +-
 tests/test_commands.py            |  2 +-
 tests/test_csv_import.py          |  2 +-
 tests/test_idp_saml2.py           | 16 +++++++------
 tests/test_manager.py             | 40 ++++++++++++++++++++++---------
 tests/test_password_reset.py      | 15 ++++--------
 tests/test_registration.py        | 11 +++------
 tests/test_role_manager.py        |  8 +++++--
 tests/test_user_manager.py        |  4 +++-
 18 files changed, 84 insertions(+), 61 deletions(-)

src/authentic2/settings.py
55	55	}
56	56	}
57	57
	58	# Cookies
	59	SESSION_COOKIE_SECURE = True
	60	CSRF_COOKIE_SECURE = True
	61	LANGUAGE_COOKIE_SECURE = True
	62
58	63	# Hey Entr'ouvert is in France !!
59	64	TIME_ZONE = 'Europe/Paris'
60	65	LANGUAGE_CODE = 'fr'

         Role.objects.create(name='Role4', service=service)
         # test failure when unlogged
         response = client.get('/api/user/', HTTP_ORIGIN='http://testserver')
         response = client.get('/api/user/', HTTP_ORIGIN='https://testserver', secure=True)
         assert response.content == b'{}'
         # login
         client.login(request=None, username='john.doe', password='password')
         response = client.get('/api/user/', HTTP_ORIGIN='http://testserver')
         response = client.get('/api/user/', HTTP_ORIGIN='https://testserver', secure=True)
         data = json.loads(force_str(response.content))
         assert isinstance(data, dict)
         assert set(data.keys()) == {
-...
         assert response.json['user']['last_name'] == last_name
         assert check_password(password, response.json['user']['password'])
         assert response.json['token']
         assert response.json['validation_url'].startswith('http://testserver/accounts/activate/')
         assert response.json['validation_url'].startswith('https://testserver/accounts/activate/')
         assert User.objects.count() == 2
         user = User.objects.latest('id')
         assert user.ou == get_default_ou()
-...
         assert response.json['user']['last_name'] == last_name
         assert check_password(password, response.json['user']['password'])
         assert response.json['token']
         assert response.json['validation_url'].startswith('http://testserver/accounts/activate/')
         assert response.json['validation_url'].startswith('https://testserver/accounts/activate/')
         assert User.objects.count() == 2
         user = User.objects.latest('id')
         assert user.username == username
-...
         assert len(mailoutbox) == 1
         mail = mailoutbox[0]
         assert mail.to[0] == email
         assert 'http://testserver/password/reset/confirm/' in mail.body
         assert 'https://testserver/password/reset/confirm/' in mail.body
         assert_event('manager.user.password.reset.request', user=admin, api=True)
-...
         mail = mailoutbox[0]
         assert mail.to[0] == new_email
         assert 'http://testserver/accounts/change-email/verify/' in mail.body
         assert 'https://testserver/accounts/change-email/verify/' in mail.body
     def test_api_delete_role(app, admin_ou1, role_ou1):
-...
         assert len(resp.json['data']) == 6
         login_stats = {
             'name': 'Login count by authentication type',
             'url': 'http://testserver/api/statistics/login/',
             'url': 'https://testserver/api/statistics/login/',
             'id': 'login',
             'filters': [
+                {
-...
         assert login_stats in resp.json['data']
         assert {
             'name': 'Login count by service',
             'url': 'http://testserver/api/statistics/service_login/',
             'url': 'https://testserver/api/statistics/service_login/',
             'id': 'service-login',
             'filters': [
+                {

         @property
         def callback_url(self):
             return 'http://testserver' + reverse('fc-login-or-link')
             return 'https://testserver' + reverse('fc-login-or-link')
         def login_with_fc_fixed_params(self, app):
             if app.session:
-...
             assert url.startswith('https://fcp.integ01.dev-franceconnect.fr/api/v1/logout')
             parsed_url = urllib.parse.urlparse(url)
             query = QueryDict(parsed_url.query)
             assert_equals_url(query['post_logout_redirect_uri'], 'http://testserver' + reverse('fc-logout'))
             assert_equals_url(query['post_logout_redirect_uri'], 'https://testserver' + reverse('fc-logout'))
             assert query['state']
             self.state = query['state']
             return app.get(reverse('fc-logout') + '?state=' + self.state)

         for body in (mailoutbox[0].body, mailoutbox[0].alternatives[0][0]):
             assert 'Hi AnonymousUser,' in body
             assert 'You have just created an account using FranceConnect.' in body
             assert 'http://testserver/login/' in body
             assert 'https://testserver/login/' in body
         assert user.verified_attributes.first_name == 'Ÿuñe'
         assert user.verified_attributes.last_name == 'Frédérique'

         content = response.json['franceconnect']
         assert isinstance(content, dict), 'franceconnect field is not a dict'
         assert content.get('linked') is True
         assert content.get('link_url').startswith('http://')
         assert content.get('link_url').startswith('https://')
         assert content.get('link_url').endswith('/callback/')
         assert content.get('unlink_url').startswith('http://')
         assert content.get('unlink_url').startswith('https://')
         assert content.get('unlink_url').endswith('/unlink/')
         unlink_url = '/api/users/%s/fc-unlink/' % simple_user.uuid

         try:
             def factory(hostname='testserver'):
                 return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': hostname})
                 return django_webtest.DjangoTestApp(
                     extra_environ={'HTTP_HOST': hostname, 'wsgi.url_scheme': 'https'}
+                )
             yield factory
         finally:
-...
         else:
             def check_location(response, default_return):
                 assert urllib.parse.urljoin('http://testserver/', default_return).endswith(response['Location'])
                 assert urllib.parse.urljoin('https://testserver/', default_return).endswith(response['Location'])
         return check_location

         with open('tests/200x200.jpg', 'rb') as fd:
             simple_user.attributes.cityscape_image = File(fd)
         response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
         assert response.json['cityscape_image'].startswith('http://testserver/media/profile-image/')
         assert response.json['cityscape_image'].startswith('https://testserver/media/profile-image/')
         # check against a user without username
         simple_user.username = None
-...
                 src = iframes.attr('src')
                 assert '?' in src
                 src_qd = QueryDict(src.split('?', 1)[1])
                 assert 'iss' in src_qd and src_qd['iss'] == 'http://testserver/'
                 assert 'iss' in src_qd and src_qd['iss'] == 'https://testserver/'
                 assert 'sid' in src_qd and src_qd['sid'] == get_session_id(
                     mock.Mock(session=app.session), oidc_client
+                )

     TEMPLATES[0]['DIRS'].append('tests/templates')  # pylint: disable=undefined-variable
     TEMPLATES[0]['OPTIONS']['debug'] = True  # pylint: disable=undefined-variable
     SITE_BASE_URL = 'http://testserver'
     SITE_BASE_URL = 'https://testserver'
     A2_MAX_EMAILS_PER_IP = None
     A2_MAX_EMAILS_FOR_ADDRESS = None

         response = app.get('/api/users/%s/' % john().uuid)
         assert (
             response.json['cityscape_image']
             == 'http://testserver/media/%s' % john().attributes.cityscape_image.name
             == 'https://testserver/media/%s' % john().attributes.cityscape_image.name
+        )
         app.authorization = None

         assert query['response_type'] == 'code'
         assert query['client_id'] == str(oidc_provider.client_id)
         assert query['scope'] == 'openid'
         assert query['redirect_uri'] == 'http://testserver' + reverse('oidc-login-callback')
         assert query['redirect_uri'] == 'https://testserver' + reverse('oidc-login-callback')
         nonce = query['nonce']
         if oidc_provider.claims_parameter_supported:

         simple_user.save()
         call_command('clean-unused-accounts')
         mail = mailoutbox[0]
         assert 'href="http://testserver/login/"' in mail.message().as_string()
         assert 'href="https://testserver/login/"' in mail.message().as_string()
     def test_clean_unused_account_with_no_email(simple_user, mailoutbox, caplog):

         assert importer.run()
         thomas = User.objects.get(email='tnoel@entrouvert.com')
         assert len(mail.outbox) == 1
         assert 'http://testserver/password/reset/confirm/' in mail.outbox[0].body
         assert 'https://testserver/password/reset/confirm/' in mail.outbox[0].body
         password = thomas.password
         del mail.outbox[0]

             self.base_url = 'https://sp.example.com'
             self.name = 'Test SP'
             self.slug = 'test-sp'
             self.idp_entity_idp = ('http://testserver/idp/saml2/metadata',)
             self.idp_entity_idp = ('https://testserver/idp/saml2/metadata',)
             self.default_name_id_format = 'email'
             self.accepted_name_id_format = ['email', 'persistent', 'transient', 'username']
             self.ou = OrganizationalUnit.objects.get()
-...
                 ),
+                (
                     "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/saml:AttributeValue",
                     re.compile('^http://testserver/media/profile-image/.*$'),
                     re.compile('^https://testserver/media/profile-image/.*$'),
                 ),
+                (
                     "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/@NameFormat",
-...
             with mock.patch(
                 'authentic2.idp.saml.saml2_endpoints.get_attributes', wraps=saml2_endpoints.get_attributes
             ) as get_attributes:
                 request = rf.get('/')
                 request = rf.get('/', secure=True)
                 request.user = None
                 assertion = lasso.Saml2Assertion()
                 provider = Service(ou=None)
-...
             == '_' + hashlib.sha256(b'b' + b'https://sp.com/' + b'a').hexdigest().upper()
+        )
         edpt = saml2_endpoints.make_edu_person_targeted_id('http://testserver/idp/saml2/metadata', provider, user)
         edpt = saml2_endpoints.make_edu_person_targeted_id(
             'https://testserver/idp/saml2/metadata', provider, user
+        )
         assert edpt is not None
         node = lasso.Node.newFromXmlNode(force_str(ET.tostring(edpt)))
         assert isinstance(node, lasso.Saml2NameID)
         assert force_str(node.content) == '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
         assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
         assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
         assert node.nameQualifier == 'https://testserver/idp/saml2/metadata'
         assert node.spNameQualifier == 'https://sp.com/'
-...
         assert isinstance(node, lasso.Saml2NameID)
         assert force_str(node.content) == '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
         assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
         assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
         assert node.nameQualifier == 'https://testserver/idp/saml2/metadata'
         assert node.spNameQualifier == 'https://sp.com/'
-...
         assert isinstance(node, lasso.Saml2NameID)
         assert force_str(node.content) == '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
         assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
         assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
         assert node.nameQualifier == 'https://testserver/idp/saml2/metadata'
         assert node.spNameQualifier == 'https://sp.com/'

         assert q('table tbody tr td .icon-remove-sign')
         token = str(response.context['csrf_token'])
         params = {'action': 'remove', 'user_or_role': 'user-%s' % admin.pk, 'csrfmiddlewaretoken': token}
         app.post('/manage/roles/%s/' % simple_role.pk, params=params)
         app.post('/manage/roles/%s/' % simple_role.pk, params=params, headers={'Referer': 'https://testserver/'})
         assert simple_role not in admin.roles.all()
         # user can act on role inheritance
-...
         response = app.get('/manage/roles/%s/children/' % simple_role.pk)
         token = str(response.context['csrf_token'])
         params = {'action': 'add', 'role': role.pk, 'csrfmiddlewaretoken': token}
         response = app.post('/manage/roles/%s/children/' % simple_role.pk, params=params)
         response = app.post(
             '/manage/roles/%s/children/' % simple_role.pk,
             params=params,
             headers={'Referer': 'https://testserver/'},
+        )
         assert role in simple_role.children()
         params = {'action': 'remove', 'role': role.pk, 'csrfmiddlewaretoken': token}
         response = app.post('/manage/roles/%s/children/' % simple_role.pk, params=params)
         response = app.post(
             '/manage/roles/%s/children/' % simple_role.pk,
             params=params,
             headers={'Referer': 'https://testserver/'},
+        )
         assert role not in simple_role.children()
         response = app.get('/manage/roles/%s/parents/' % role.pk)
         token = str(response.context['csrf_token'])
         params = {'action': 'add', 'role': simple_role.pk, 'csrfmiddlewaretoken': token}
         response = app.post('/manage/roles/%s/parents/' % role.pk, params=params)
         response = app.post(
             '/manage/roles/%s/parents/' % role.pk, params=params, headers={'Referer': 'https://testserver/'}
+        )
         assert simple_role in role.parents()
         params = {'action': 'remove', 'role': simple_role.pk, 'csrfmiddlewaretoken': token}
         response = app.post('/manage/roles/%s/parents/' % role.pk, params=params)
         response = app.post(
             '/manage/roles/%s/parents/' % role.pk, params=params, headers={'Referer': 'https://testserver/'}
+        )
         assert simple_role not in role.parents()
         # user can add role as a member through role members form
-...
         assert q('table tbody tr td .icon-remove-sign')
         token = str(response.context['csrf_token'])
         params = {'action': 'remove', 'user_or_role': 'role-%s' % role.pk, 'csrfmiddlewaretoken': token}
         app.post('/manage/roles/%s/' % simple_role.pk, params=params)
         app.post('/manage/roles/%s/' % simple_role.pk, params=params, headers={'Referer': 'https://testserver/'})
         assert role not in simple_role.children()
         # try to add arbitrary role
-...
         response = app.get('/manage/roles/%s/parents/' % role.pk)
         token = str(response.context['csrf_token'])
         params = {'action': 'add', 'role': admin_role.pk, 'csrfmiddlewaretoken': token}
         response = app.post('/manage/roles/%s/parents/' % simple_role.pk, params=params)
         response = app.post(
             '/manage/roles/%s/parents/' % simple_role.pk,
             params=params,
             headers={'Referer': 'https://testserver/'},
+        )
         assert admin_role not in role.parents()
         # user roles view works
-...
         token = str(response.context['csrf_token'])
         params = {'action': 'add', 'role': simple_role.pk, 'csrfmiddlewaretoken': token}
         response = app.post('/manage/users/%s/roles/' % admin.pk, params=params)
         response = app.post(
             '/manage/users/%s/roles/' % admin.pk, params=params, headers={'Referer': 'https://testserver/'}
+        )
         assert simple_role in admin.roles.all()
         app.get('/manage/roles/add/', status=403)
-...
+            {
                 'label': 'Identity management',
                 'slug': 'identity-management',
                 'url': 'http://testserver/manage/',
                 'url': 'https://testserver/manage/',
                 'sub': False,
             },
             {'label': 'Users', 'slug': 'users', 'url': 'http://testserver/manage/users/', 'sub': True},
             {'label': 'Roles', 'slug': 'roles', 'url': 'http://testserver/manage/roles/', 'sub': True},
             {'label': 'Users', 'slug': 'users', 'url': 'https://testserver/manage/users/', 'sub': True},
             {'label': 'Roles', 'slug': 'roles', 'url': 'https://testserver/manage/roles/', 'sub': True},
+        ]
         response = login(app, admin)

         for body in (mail.body, mail.alternatives[0][0]):
             assert 'no account was found associated with this address' in body
             if settings.REGISTRATION_OPEN:
                 assert 'http://testserver/register/' in body
                 assert 'https://testserver/register/' in body
                 # check next_url was preserved
                 assert 'next=/whatever/' in body
             else:
                 assert 'http://testserver/register/' not in body
                 assert 'https://testserver/register/' not in body
     def test_send_password_reset_email_disabled_account(app, simple_user, mailoutbox):
-...
         url = reverse('password_reset')
         response = app.get(url, status=200)
         response = app.post(
             url,
             params={
                 'email': 'testbot@entrouvert.com',
                 'csrfmiddlewaretoken': response.context['csrf_token'],
                 'robotcheck': 'a',
             },
+        )
         response.form.set('email', 'testbot@entrouvert.com')
         response.form.set('robotcheck', True)
         response = response.form.submit()
         response = response.follow()
         assert len(mailoutbox) == 0
         assert 'Your password reset request has been refused' in response

         settings.DEFAULT_FROM_EMAIL = 'show only addr <noreply@example.net>'
         response = app.get(utils_misc.make_url('registration_register'))
         response = app.post(
             utils_misc.make_url('registration_register'),
             params={
                 'email': 'testbot@entrouvert.com',
                 'csrfmiddlewaretoken': response.context['csrf_token'],
                 'robotcheck': 'a',
             },
+        )
         response.form.set('email', 'testbot@entrouvert.com')
         response.form.set('robotcheck', True)
         response = response.form.submit()
         response = response.follow()
         assert len(mailoutbox) == 0
         assert 'Your registration request has been refused' in response

         # simulate click on Jôhn Dôe delete icon
         token = str(resp.context['csrf_token'])
         params = {'action': 'remove', 'user_or_role': 'user-%s' % simple_user.pk, 'csrfmiddlewaretoken': token}
         resp = app.post('/manage/roles/%s/' % simple_role.pk, params=params).follow()
         resp = app.post(
             '/manage/roles/%s/' % simple_role.pk, params=params, headers={'Referer': 'https://testserver/'}
         ).follow()
         assert 'Jôhn Dôe' not in resp.text
         # simulate click on role_ou1 delete icon
         token = str(resp.context['csrf_token'])
         params = {'action': 'remove', 'user_or_role': 'role-%s' % role_ou1.pk, 'csrfmiddlewaretoken': token}
         resp = app.post('/manage/roles/%s/' % simple_role.pk, params=params).follow()
         resp = app.post(
             '/manage/roles/%s/' % simple_role.pk, params=params, headers={'Referer': 'https://testserver/'}
         ).follow()
         assert 'role_ou1' not in resp.text
         # invalid choices are ignored

         # cannot click it's JS :/
         token = str(resp.context['csrf_token'])
         params = {'authorization': auth.pk, 'csrfmiddlewaretoken': token}
         resp = app.post(user_authorizations_url, params=params, status=302)
         resp = app.post(
             user_authorizations_url, params=params, status=302, headers={'Referer': 'https://testserver/'}
+        )
         assert OIDCAuthorization.objects.count() == 0
         resp = resp.follow()
         assert resp.html.find('td').text == 'This user has not granted profile data access to any service yet.'
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-settings-set-secure-flag-on-cookies-71880.patch