data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0

CKAN ckanext-security Redis and CSRF errors #22

Closed ghost closed 5 years ago

ghost commented 5 years ago

I'm trying to install the ckanext-security and I'm hitting a couple of issues.

I've completed the readme.md instructions, but I hit a 404 internal server error with the recommended settings. When I check the Apache logs, the description is as follows: "Connection Error: Error 111 connecting to 127.0.0.1:6739. Connection refused." It appears to be related to this line from the .ini file: beaker.session.type = redis. I've run the command redis-cli ping and the Redis instance seems to be up and running.

The only fix (and I can't prove that it has worked properly) is if I update from beaker.session.type = redis to beaker.session.type = ext:redis. Can someone verify this?

Using the approach above, I can get past the 404 internal server error. However, when I then try to log in to an existing user account, I get "403 Forbidden Access was denied to this resource. CSRF authentication failed. Token missing or invalid." from the front end. I've checked the Apache logs for the 403 error, and there's nothing in there. I can create a new account and remain logged in, but when I log out and log back in, the 403 error reappears.

Can anyone help?

I've pasted the .ini settings I'm using below:

```ini
ckanext.security.domain = http://localhost:5000

ckanext.security.redis.host = 127.0.0.1
ckanext.security.redis.port = 6379
ckanext.security.redis.db = 1
beaker.session.key = ckan_session
beaker.session.secret = Changed-for-GitHub-post
beaker.session.data_serializer = json
beaker.session.httponly = true
beaker.session.secure = true
beaker.session.timeout = 3600
beaker.session.save_accessed_time = true
beaker.session.type = ext:redis
beaker.session.url = 127.0.0.1:6739
beaker.session.cookie_expires = true
beaker.session.cookie_domain = http://localhost:5000

# 15 minute timeout with 10 attempts
# Login throttling lock period
ckanext.security.lock_timeout = 900
# Login throttling attempt limit
ckanext.security.login_max_count = 10
```
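An added example, not part of the issue or of ckanext-security: a small consistency check over the kind of settings pasted above. Two things in that paste are worth a mechanical check rather than eyeballing: the `beaker.session.url` host:port and the `ckanext.security.redis.host`/`.port` pair should name the same server (the Apache log line quotes port 6739, the `beaker.session.url` line says 6739, and `ckanext.security.redis.port` says 6379; note also that `redis-cli ping` with no arguments talks to 127.0.0.1:6379, so it does not exercise the address in `beaker.session.url`), and a cookie `Domain` attribute has to be a host name, not a URL. The checker also warns when a `Secure` session cookie is configured for a plain-http `ckanext.security.domain`, since a browser never sends a Secure cookie over http and the session (with any CSRF token kept in it) is then lost between requests. The ini text is constructed from the paste with an `[app:main]` header added; `load_settings`, `check_session_settings` and `redis_reachable` are names chosen here.

```python
import configparser
import socket
from urllib.parse import urlsplit

# Constructed sample modelled on the settings pasted in the issue above.
# The [app:main] header is added because configparser needs a section;
# CKAN's own .ini keeps these keys under [app:main].
SAMPLE_INI = """
[app:main]
ckanext.security.domain = http://localhost:5000
ckanext.security.redis.host = 127.0.0.1
ckanext.security.redis.port = 6379
ckanext.security.redis.db = 1
beaker.session.key = ckan_session
beaker.session.secret = Changed-for-GitHub-post
beaker.session.httponly = true
beaker.session.secure = true
beaker.session.type = ext:redis
beaker.session.url = 127.0.0.1:6739
beaker.session.cookie_domain = http://localhost:5000
"""


def load_settings(ini_text, section="app:main"):
    """Parse an ini string into a plain dict of one section's keys."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    return dict(parser[section])


def check_session_settings(cfg):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    findings = []
    site = urlsplit(cfg.get("ckanext.security.domain", ""))

    # 1. The Beaker backend URL and the extension's redis.* keys should point at
    #    the same server; a transposed digit in one of them is easy to miss.
    url = cfg.get("beaker.session.url", "")
    host, _, port = url.rpartition(":")
    want = f'{cfg.get("ckanext.security.redis.host")}:{cfg.get("ckanext.security.redis.port")}'
    if f"{host}:{port}" != want:
        findings.append(("error", f"beaker.session.url is {url!r} but ckanext.security.redis.* is {want!r}"))

    # 2. A cookie Domain attribute is a host name (RFC 6265). A value carrying a
    #    scheme, path or port is not a domain and the cookie will be rejected.
    cookie_domain = cfg.get("beaker.session.cookie_domain", "")
    if "://" in cookie_domain or "/" in cookie_domain or ":" in cookie_domain:
        findings.append(("error", f"beaker.session.cookie_domain {cookie_domain!r} is a URL, not a host name"))
    elif cookie_domain and site.hostname and not (
            site.hostname == cookie_domain.lstrip(".")
            or site.hostname.endswith("." + cookie_domain.lstrip("."))):
        findings.append(("error", f"cookie_domain {cookie_domain!r} does not cover site host {site.hostname!r}"))

    # 3. A Secure cookie is only sent over https; on a plain-http site the session
    #    (and a CSRF token stored in it) never comes back with the next request.
    if cfg.get("beaker.session.secure", "").lower() == "true" and site.scheme == "http":
        findings.append(("warning", "beaker.session.secure=true but ckanext.security.domain uses http"))

    # 4. HttpOnly keeps the session id away from page scripts; keep it on.
    if cfg.get("beaker.session.httponly", "").lower() != "true":
        findings.append(("warning", "beaker.session.httponly should be true"))
    return findings


def redis_reachable(host, port, timeout=1.0):
    """Raw PING to host:port, i.e. the address the app is configured with."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout) as sock:
            sock.sendall(b"PING\r\n")
            return sock.recv(64).startswith(b"+PONG")
    except OSError:
        return False


if __name__ == "__main__":
    settings = load_settings(SAMPLE_INI)
    for severity, message in check_session_settings(settings):
        print(f"{severity}: {message}")
    host, _, port = settings["beaker.session.url"].rpartition(":")
    print("redis reachable at beaker.session.url:", redis_reachable(host, port))
```

Run against the constructed sample it reports the host:port mismatch and the URL-shaped cookie domain as errors and the Secure-over-http cookie as a warning; with the port, cookie domain and scheme corrected it reports nothing. To check a real deployment, read the `.ini` with `load_settings(open(path).read())` instead of the sample.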

camfindlay commented 5 years ago

Hi @wild276, can you tell us which version of CKAN you are running please? We've mostly used this module with 2.6.x and 2.7.x.

ghost commented 5 years ago

Hi @camfindlay I'm running on v2.8.

I did some more digging. The error I'm seeing on the front end is generated in the security/middleware.py file (relevant code below). This would suggest there is a problem with the beaker.session in the environment. I saw you've called that out in the README, but I'm almost certain I've installed the patch correctly. Again, I'm not sure if this is related to the redis connection not working properly.

```python
CSRF_ERR = 'CSRF authentication failed. Token missing or invalid.'
....
class CSRFMiddleware(object):
    COOKIE_NAME = 'csrftoken'

    def __init__(self, app, config):
        self.app = app
        self.cache = CSRFClient()
        self.domain = config['ckanext.security.domain']

    def __call__(self, environ, start_response):
        request = Request(environ)
        self.session = environ['beaker.session']
        self.session.save()

        if self.is_valid(request):
            resp = request.get_response(self.app)
        else:
            resp = HTTPForbidden(CSRF_ERR)
```

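An added example, not code from the issue or from ckanext-security, showing the shape of a session-backed CSRF check as a WSGI middleware and why a session that does not survive between the GET that rendered the form and the POST that submits it produces exactly the "Token missing or invalid." 403 quoted above. It keeps the `CSRF_ERR` text from the excerpt but replaces `environ['beaker.session']` with a plain dict under an assumed key (`example.session`), uses a stdlib `hmac.compare_digest` instead of the extension's `CSRFClient`, and drives the stack in-process with a small `call` helper rather than a real server. All names other than `CSRF_ERR` are chosen here.

```python
import hmac
import io
import secrets
from urllib.parse import parse_qs

# Error text as quoted from the extension's middleware in the issue above.
CSRF_ERR = 'CSRF authentication failed. Token missing or invalid.'
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed key; the real extension reads environ['beaker.session'] instead.
SESSION_KEY = "example.session"


def get_or_create_token(session):
    """Issue one random token per session; forms and AJAX calls echo it back."""
    token = session.get("csrftoken")
    if not token:
        token = secrets.token_hex(32)
        session["csrftoken"] = token
    return token


def submitted_token(environ):
    """Read the token from an X-CSRFToken header or a form field named csrftoken."""
    header = environ.get("HTTP_X_CSRFTOKEN")
    if header:
        return header
    if environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8")
        return parse_qs(body).get("csrftoken", [None])[0]
    return None


def is_valid(environ, session):
    """Safe methods pass; state-changing ones need a token matching the session's."""
    if environ["REQUEST_METHOD"] in SAFE_METHODS:
        return True
    expected = session.get("csrftoken")
    got = submitted_token(environ)
    if not expected or not got:
        return False  # "Token missing": nothing in the session, or nothing submitted
    return hmac.compare_digest(expected, got)  # constant-time; mismatch is "invalid"


class CSRFMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        session = environ.setdefault(SESSION_KEY, {})
        if not is_valid(environ, session):
            body = CSRF_ERR.encode("utf-8")
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        get_or_create_token(session)  # so the next rendered form has a token
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for CKAN: a trivial WSGI app wrapped by the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method, session, form=None, header=None):
    """Drive the WSGI stack in-process; returns (status, body) and mutates session."""
    body = "&".join(f"{k}={v}" for k, v in (form or {}).items()).encode("utf-8")
    environ = {
        "REQUEST_METHOD": method,
        "wsgi.input": io.BytesIO(body),
        "CONTENT_LENGTH": str(len(body)),
        "CONTENT_TYPE": "application/x-www-form-urlencoded" if form else "",
        SESSION_KEY: session,
    }
    if header:
        environ["HTTP_X_CSRFTOKEN"] = header
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


def demo():
    """GET issues a token, POST with it passes, POST after the session is lost fails."""
    app = CSRFMiddleware(hello_app)
    session = {}
    get_status, _ = call(app, "GET", session)  # token issued into the session
    token = session["csrftoken"]
    ok_status, _ = call(app, "POST", session, form={"csrftoken": token})
    # A fresh, empty session (the cookie never came back) reproduces the 403 above,
    # even though the submitted token itself is the one that was issued.
    lost_status, lost_body = call(app, "POST", {}, form={"csrftoken": token})
    return get_status, ok_status, lost_status, lost_body
```

The last case in `demo` is the one to keep in mind when debugging the thread's symptom: the token in the form is correct, but because the server-side session it is compared against is gone, the middleware cannot tell that from a forged request and rejects it. Any setting that stops the session cookie from round-tripping (a cookie the browser refuses to store or to send back, or a backend the session store cannot reach) shows up as this same error text.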
camfindlay commented 5 years ago

Hi @wild276, I've seen this problem on a fresh 2.8 install. We've primarily used this module for 2.7.x.

I started to trace the bug back through the middleware layer of CKAN. As far as I can tell, I "think" it may be to do with how the underlying Pylons Python framework is passing session information into the Flask framework (now that CKAN is somewhere in between those 2 frameworks at present). You'll see here that there is a middleware class for each; this extension provides a patch for the Pylons layer only. https://github.com/ckan/ckan/tree/ckan-2.8.2/ckan/config/middleware

As for a fix, we haven't yet upgraded our CKAN install to 2.8 so we haven't addressed this extension. I'd be grateful if someone had a crack at it and provided a PR. At this stage, we can probably say this module isn't 2.8.x compatible just yet (at least I haven't been able to get it to work).

ghost commented 5 years ago

Thanks for confirming @camfindlay. There's a lot of interest on our side in adding extra security features to CKAN. Hopefully we can get some resource provisioned in the coming months to look into a pull request and publish back. Will keep you posted.

camfindlay commented 5 years ago

Absolutely. We're actually quite keen to see some of this stuff in CKAN core if at all possible; we did start some work to this effect. See #2

camfindlay commented 5 years ago

See our new proposed way of doing CSRF, which we'll look to make a tagged release of soon: #24

ebuckley commented 5 years ago

As per Cam's comment, we have tagged release 1.1.0, which changes the method of CSRF and no longer uses Redis for storing the token: https://github.com/data-govt-nz/ckanext-security/releases/tag/1.1.0