YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Prevent unecessary import resulting in catastrophies + lazy-load the session secrets

Browse source
This commit is contained in:
Alexandre Aubin 2023-12-22 00:25:08 +01:00
parent 38b3cfddd8
commit 6022be5ff1
3 changed files with 32 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/app.py
View file

@ -96,6 +96,8 @@ APP_FILES_TO_COPY = [
"doc", "doc",
] ]
PORTAL_SETTINGS_DIR = "/etc/yunohost/portal"
def app_list(full=False, upgradable=False): def app_list(full=False, upgradable=False):
""" """
@ -1619,7 +1621,6 @@ def app_ssowatconf():
_get_domain_portal_dict, _get_domain_portal_dict,
) )
from yunohost.permission import user_permission_list from yunohost.permission import user_permission_list
from yunohost.portal import PORTAL_SETTINGS_DIR
domains = domain_list()["domains"] domains = domain_list()["domains"]
portal_domains = domain_list(exclude_subdomains=True)["domains"] portal_domains = domain_list(exclude_subdomains=True)["domains"]

17
src/authenticators/ldap_admin.py
View file

@ -34,7 +34,18 @@ from yunohost.utils.ldap import _get_ldap_interface
logger = logging.getLogger("yunohost.authenticators.ldap_admin") logger = logging.getLogger("yunohost.authenticators.ldap_admin")
SESSION_SECRET = open("/etc/yunohost/.admin_cookie_secret").read().strip()
def SESSION_SECRET():
# Only load this once actually requested to avoid boring issues like
# "secret doesnt exists yet" (before postinstall) and therefore service
# miserably fail to start
if not SESSION_SECRET.value:
SESSION_SECRET.value = open("/etc/yunohost/.admin_cookie_secret").read().strip()
assert SESSION_SECRET.value
return SESSION_SECRET.value
SESSION_SECRET.value = None
SESSION_FOLDER = "/var/cache/yunohost/sessions" SESSION_FOLDER = "/var/cache/yunohost/sessions"
SESSION_VALIDITY = 3 * 24 * 3600 # 3 days SESSION_VALIDITY = 3 * 24 * 3600 # 3 days
@ -148,7 +159,7 @@ class Authenticator(BaseAuthenticator):
response.set_cookie( response.set_cookie(
"yunohost.admin", "yunohost.admin",
jwt.encode(infos, SESSION_SECRET, algorithm="HS256"), jwt.encode(infos, SESSION_SECRET(), algorithm="HS256"),
secure=True, secure=True,
httponly=True, httponly=True,
path="/", path="/",
@ -166,7 +177,7 @@ class Authenticator(BaseAuthenticator):
token = request.get_cookie("yunohost.admin", default="").encode() token = request.get_cookie("yunohost.admin", default="").encode()
infos = jwt.decode( infos = jwt.decode(
token, token,
SESSION_SECRET, SESSION_SECRET(),
algorithms="HS256", algorithms="HS256",
options={"require": ["id", "user"]}, options={"require": ["id", "user"]},
) )

21
src/authenticators/ldap_ynhuser.py
View file

@ -23,7 +23,18 @@ from yunohost.utils.ldap import _get_ldap_interface
logger = logging.getLogger("yunohostportal.authenticators.ldap_ynhuser") logger = logging.getLogger("yunohostportal.authenticators.ldap_ynhuser")
SESSION_SECRET = open("/etc/yunohost/.ssowat_cookie_secret").read().strip()
def SESSION_SECRET():
# Only load this once actually requested to avoid boring issues like
# "secret doesnt exists yet" (before postinstall) and therefore service
# miserably fail to start
if not SESSION_SECRET.value:
SESSION_SECRET.value = open("/etc/yunohost/.ssowat_cookie_secret").read().strip()
assert SESSION_SECRET.value
return SESSION_SECRET.value
SESSION_SECRET.value = None
SESSION_FOLDER = "/var/cache/yunohost-portal/sessions" SESSION_FOLDER = "/var/cache/yunohost-portal/sessions"
SESSION_VALIDITY = 3 * 24 * 3600 # 3 days SESSION_VALIDITY = 3 * 24 * 3600 # 3 days
@ -87,7 +98,7 @@ def user_is_allowed_on_domain(user: str, domain: str) -> bool:
# The result is a string formatted as <password_enc_b64>|<iv_b64> # The result is a string formatted as <password_enc_b64>|<iv_b64>
# For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA== # For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA==
def encrypt(data): def encrypt(data):
alg = algorithms.AES(SESSION_SECRET.encode()) alg = algorithms.AES(SESSION_SECRET().encode())
iv = os.urandom(int(alg.block_size / 8)) iv = os.urandom(int(alg.block_size / 8))
E = Cipher(alg, modes.CBC(iv), default_backend()).encryptor() E = Cipher(alg, modes.CBC(iv), default_backend()).encryptor()
@ -104,7 +115,7 @@ def decrypt(data_enc_and_iv_b64):
data_enc = base64.b64decode(data_enc_b64) data_enc = base64.b64decode(data_enc_b64)
iv = base64.b64decode(iv_b64) iv = base64.b64decode(iv_b64)
alg = algorithms.AES(SESSION_SECRET.encode()) alg = algorithms.AES(SESSION_SECRET().encode())
D = Cipher(alg, modes.CBC(iv), default_backend()).decryptor() D = Cipher(alg, modes.CBC(iv), default_backend()).decryptor()
p = padding.PKCS7(alg.block_size).unpadder() p = padding.PKCS7(alg.block_size).unpadder()
data_padded = D.update(data_enc) data_padded = D.update(data_enc)
@ -181,7 +192,7 @@ class Authenticator(BaseAuthenticator):
response.set_cookie( response.set_cookie(
"yunohost.portal", "yunohost.portal",
jwt.encode(infos, SESSION_SECRET, algorithm="HS256"), jwt.encode(infos, SESSION_SECRET(), algorithm="HS256"),
secure=True, secure=True,
httponly=True, httponly=True,
path="/", path="/",
@ -200,7 +211,7 @@ class Authenticator(BaseAuthenticator):
token = request.get_cookie("yunohost.portal", default="").encode() token = request.get_cookie("yunohost.portal", default="").encode()
infos = jwt.decode( infos = jwt.decode(
token, token,
SESSION_SECRET, SESSION_SECRET(),
algorithms="HS256", algorithms="HS256",
options={"require": ["id", "host", "user", "pwd"]}, options={"require": ["id", "host", "user", "pwd"]},
) )