Expire authentication tokens by configuration, defaulting to 1 day.

Signed-off-by: Randy Barlow <[email protected]>
fedora-infra · Apr 24, 2017 · c654607 · c654607
1 parent d367e09
commit c654607
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 1 deletion.
diff --git a/bodhi/server/__init__.py b/bodhi/server/__init__.py
@@ -219,9 +219,11 @@ def main(global_config, testing=None, session=None, **settings):
         # use a permissive security policy while running unit tests
         config.testing_securitypolicy(userid=testing, permissive=True)
     else:
+        timeout = int(settings.get('authtkt.timeout', '86400'))
         config.set_authentication_policy(AuthTktAuthenticationPolicy(
             settings['authtkt.secret'], callback=groupfinder,
-            secure=asbool(settings['authtkt.secure']), hashalg='sha512'))
+            secure=asbool(settings['authtkt.secure']), hashalg='sha512', timeout=timeout,
+            max_age=timeout))
         config.set_authorization_policy(ACLAuthorizationPolicy())
 
     # Frontpage

diff --git a/bodhi/tests/server/test___init__.py b/bodhi/tests/server/test___init__.py
@@ -16,6 +16,7 @@
 """This test suite contains tests for bodhi.server.__init__."""
 import mock
 
+from pyramid import authentication, authorization
 import unittest
 
 from bodhi import server
@@ -26,6 +27,51 @@ class TestMain(base.BaseWSGICase):
     """
     Assert correct behavior from the main() function.
     """
+    @mock.patch('bodhi.server.Configurator.set_authentication_policy')
+    @mock.patch('bodhi.server.Configurator.set_authorization_policy')
+    def test_authtkt_timeout_defined(self, set_authorization_policy, set_authentication_policy):
+        """Ensure that main() uses the setting when authtkt.timeout is defined in settings."""
+        with mock.patch.dict(
+                self.app_settings,
+                {'authtkt.timeout': '10', 'authtkt.secret': 'hunter2', 'authtkt.secure': 'true'}):
+            server.main({}, **self.app_settings)
+
+        policy = set_authentication_policy.mock_calls[0][1][0]
+        self.assertTrue(isinstance(policy, authentication.AuthTktAuthenticationPolicy))
+        self.assertEqual(policy.callback, server.groupfinder)
+        self.assertEqual(policy.cookie.hashalg, 'sha512')
+        self.assertEqual(policy.cookie.max_age, 10)
+        self.assertEqual(policy.cookie.secure, True)
+        self.assertEqual(policy.cookie.secret, 'hunter2')
+        self.assertEqual(policy.cookie.timeout, 10)
+        set_authentication_policy.assert_called_once_with(policy)
+        # Ensure that the ACLAuthorizationPolicy was used
+        policy = set_authorization_policy.mock_calls[0][1][0]
+        self.assertTrue(isinstance(policy, authorization.ACLAuthorizationPolicy))
+        set_authorization_policy.assert_called_once_with(policy)
+
+    @mock.patch('bodhi.server.Configurator.set_authentication_policy')
+    @mock.patch('bodhi.server.Configurator.set_authorization_policy')
+    def test_authtkt_timeout_undefined(self, set_authorization_policy, set_authentication_policy):
+        """Ensure that main() uses a default if authtkt.timeout is undefined in settings."""
+        with mock.patch.dict(
+                self.app_settings, {'authtkt.secret': 'hunter2', 'authtkt.secure': 'true'}):
+            server.main({}, **self.app_settings)
+
+        policy = set_authentication_policy.mock_calls[0][1][0]
+        self.assertTrue(isinstance(policy, authentication.AuthTktAuthenticationPolicy))
+        self.assertEqual(policy.callback, server.groupfinder)
+        self.assertEqual(policy.cookie.hashalg, 'sha512')
+        self.assertEqual(policy.cookie.max_age, 86400)
+        self.assertEqual(policy.cookie.secure, True)
+        self.assertEqual(policy.cookie.secret, 'hunter2')
+        self.assertEqual(policy.cookie.timeout, 86400)
+        set_authentication_policy.assert_called_once_with(policy)
+        # Ensure that the ACLAuthorizationPolicy was used
+        policy = set_authorization_policy.mock_calls[0][1][0]
+        self.assertTrue(isinstance(policy, authorization.ACLAuthorizationPolicy))
+        set_authorization_policy.assert_called_once_with(policy)
+
     @mock.patch('bodhi.server.bugs.set_bugtracker')
     def test_calls_set_bugtracker(self, set_bugtracker):
         """

diff --git a/development.ini.example b/development.ini.example
@@ -450,6 +450,8 @@ mako.directories = bodhi:server/templates
 authtkt.secret = changethisinproduction!
 session.secret = ChangeThisSecret!!1
 authtkt.secure = false
+# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
+# authtkt.timeout = 86400
 
 # pyramid_beaker
 session.type = file

diff --git a/production.ini b/production.ini
@@ -429,6 +429,8 @@ mako.directories = bodhi:server/templates
 authtkt.secret = changethisinproduction!
 session.secret = ChangeThisSecret!!1
 authtkt.secure = false
+# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
+# authtkt.timeout = 86400
 
 # pyramid_beaker
 session.type = file