Feature/security hardening

CHANGELOG.md

@@ -10,6 +10,15 @@ For releases `< 1.0.0` minor version step indicate breaking changes.
 
 ## [Unreleased]
 
+### Added
+
+- Added configuration variables for session management:
+  - `ckan.session.userLastActiveInterval`
+  - `ckan.session.beakerSessionSaveAccessedTime`
+  - `ckan.session.beakerSessionCookieDomain`
+  - `ckan.session.beakerSessionCookieExpires`
+  - `ckan.session.beakerSessionAuto`
+
 ### Fixed
 
 - Multiple session variables had no effect due to false ENV var names. Affected options:
@@ -26,6 +35,7 @@ For releases `< 1.0.0` minor version step indicate breaking changes.
 - Changed default setting of `ckan.auth.public_user_details` to `False` to prevent
   unauthorized leakage of user details. The `/user` page will now return `403 Forbidden`
   by default.
+- Changed various defaults of `ckan.session.*` settings for security hardening.
 
 ## [sddi-ckan-1.2.2] - 2023-08-24
 

charts/sddi-ckan/charts/ckan/README.md

@@ -138,14 +138,23 @@ A Helm chart for SDDI enabled CKAN.
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| session.beakerSamesite | string | `nil` | defaults to "Lax" if left empty. |
-| session.beakerSessionHttpOnly | string | `nil` | defaults to `True` if left empty. |
-| session.beakerSessionKey | string | `"ckan-session"` | [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), defaults to *ckan* if left empty. |
-| session.beakerSessionSecret | string | `nil` | [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
-| session.beakerSessionSecure | string | `nil` | defaults to `False` if left empty. |
-| session.beakerSessionTimeout | string | `nil` | defaults to 600 if left empty. |
-| session.beakerSessionType | string | `nil` | defaults to "cookie"  if left empty. |
-| session.beakerSessionValidateKey | string | `nil` | [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
+| session.beakerSamesite | string | `"Strict"` | defaults to "Lax" if left empty. |
+| session.beakerSessionAuto | bool | `false` | [CKAN beaker session auto](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-auto), defaults to `False`. |
+| session.beakerSessionCookieDomain | string | `nil` | [CKAN beaker session domain](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-domain), defaults to the current domain in its entirety. |
+| session.beakerSessionCookieExpires | bool | `true` | [CKAN beaker session cookie expires](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-expires), defaults to `True` seconds. |
+| session.beakerSessionHttpOnly | bool | `true` | defaults to `True`. |
+| session.beakerSessionKey | string | `"ckan_session"` | [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), defaults to `ckan_session`. |
+| session.beakerSessionSaveAccessedTime | bool | `true` | [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time), defaults to `True`. |
+| session.beakerSessionSecret | string | `nil` | [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
+| session.beakerSessionSecure | bool | `true` | [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure), defaults to `True`. |
+| session.beakerSessionTimeout | int | `3600` | [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout), defaults to 3600 seconds. Requires `beakerSessionSaveAccessedTime` be `True`! |
+| session.beakerSessionType | string | `"cookie"` | [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type), defaults to "cookie"  if left empty. |
+| session.beakerSessionValidateKey | string | `nil` | [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
+| session.userLastActiveInterval | int | `600` | [CKAN user last active interval](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-user-last-active-interval), defaults to 600. |
+| session.whoHttpOnly | bool | `true` | [CKAN who http only](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-httponly), defaults to `True`. |
+| session.whoSamesite | string | `"Strict"` | [CKAN who same site](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-samesite), defaults to `Strict`. |
+| session.whoSecure | bool | `true` | [CKAN who secure](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-secure), defaults to `True`. |
+| session.whoTimeout | int | `3600` | [CKAN who timeout](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-timeout), defaults to 3600. |
 | siteAbout | string | `"My CKAN about info. You can use Markdown here."` | [CKAN config about](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-about) |
 | siteDescription | string | `"This is my SDDI CKAN instance description."` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-description) |
 | siteId | string | `"default"` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-id) |

charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml

@@ -10,12 +10,25 @@ metadata:
     app.kubernetes.io/component: {{ .Values.component }}
 type: Opaque
 stringData:
-  CKAN___BEAKER_SESSION__TYPE: {{ .Values.session.beakerSessionType | default "cookie" | quote }}
-  CKAN___BEAKER__SESSION__TIMEOUT: {{ .Values.session.beakerSessionTimeout | default "600" | quote }}
-  CKAN___BEAKER__SESSION__SECURE: {{ .Values.session.beakerSessionSecure | default "False" | quote }}
-  CKAN___BEAKER__SESSION__SAMESITE: {{ .Values.session.beakerSamesite | default "Lax" | quote }}
-  CKAN___BEAKER__SESSION__HTTPONLY: {{ .Values.session.beakerSessionHttpOnly | default "True" | quote }}
-  CKAN___BEAKER__SESSION__KEY: {{ .Values.session.beakerSessionKey | default "ckan" | quote }}
-  CKAN___BEAKER__SESSION__SECRET: {{ .Values.session.beakerSessionSecret | default (randAlphaNum 64) | quote }}
-  CKAN___BEAKER__SESSION__VALIDATE_KEY: {{ .Values.session.beakerSessionValidateKey | default (randAlphaNum 64) | quote }}
+  # Beaker settings
+  CKAN__USER__LAST_ACTIVE_INTERVAL: {{ .Values.session.userLastActiveInterval | quote }}
+  CKAN___BEAKER__SESSION__KEY: {{ .Values.session.beakerSessionKey | quote }}
+  CKAN___BEAKER__SESSION__SECRET: {{ .Values.session.beakerSessionSecret | default (randAlphaNum 128) | quote }}
+  CKAN___BEAKER__SESSION__AUTO: {{ .Values.session.beakerSessionAuto | quote }}
+  CKAN___BEAKER__SESSION__COOKIE_EXPIRES: {{ .Values.session.beakerSessionCookieExpires | quote }}
+  {{- if .Values.session.beakerSessionCookieDomain }}
+  CKAN___BEAKER__SESSION__COOKIE_DOMAIN: {{ .Values.session.beakerSessionCookieDomain | quote }}
+  {{- end }}
+  CKAN___BEAKER__SESSION__SAVE_ACCESSED_TIME: {{ .Values.session.beakerSessionSaveAccessedTime | quote }}
+  CKAN___BEAKER__SESSION__SECURE: {{ .Values.session.beakerSessionSecure | quote }}
+  CKAN___BEAKER__SESSION__TIMEOUT: {{ .Values.session.beakerSessionTimeout | quote }}
+  CKAN___BEAKER__SESSION__TYPE: {{ .Values.session.beakerSessionType | quote }}
+  CKAN___BEAKER__SESSION__VALIDATE_KEY: {{ .Values.session.beakerSessionValidateKey | default (randAlphaNum 128) | quote }}
+  CKAN___BEAKER__SESSION__HTTPONLY: {{ .Values.session.beakerSessionHttpOnly | quote }}
+  CKAN___BEAKER__SESSION__SAMESITE: {{ .Values.session.beakerSamesite | quote }}
+  # Repoze - who.ini settings
+  CKAN___WHO__TIMEOUT: {{ .Values.session.whoTimeout | quote }}
+  CKAN___WHO__SECURE: {{ .Values.session.whoSecure | quote }}
+  CKAN___WHO__HTTPONLY: {{ .Values.session.whoHttpOnly | quote }}
+  CKAN___WHO__SAMESITE: {{ .Values.session.whoSamesite | quote }}
 {{- end -}}

charts/sddi-ckan/charts/ckan/values.yaml

@@ -228,32 +228,59 @@ sysadmin:
   email: [email protected]
 
 session:
+  # -- [CKAN user last active interval](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-user-last-active-interval),
+  # defaults to 600.
+  userLastActiveInterval: 600
+  # -- [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key),
+  # defaults to `ckan_session`.
+  beakerSessionKey: ckan_session
   # -- [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret):
-  # If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated.
+  # If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated.
   # **Note:** In a cluster environment this values need to be the same on each instance.
   beakerSessionSecret:
+  # -- [CKAN beaker session auto](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-auto),
+  # defaults to `False`.
+  beakerSessionAuto: False
+  # -- [CKAN beaker session cookie expires](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-expires),
+  # defaults to `True` seconds.
+  beakerSessionCookieExpires: True
+  # -- [CKAN beaker session domain](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-domain),
+  # defaults to the current domain in its entirety.
+  beakerSessionCookieDomain:
+  # -- [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time),
+  # defaults to `True`.
+  beakerSessionSaveAccessedTime: True
+  # -- [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure),
+  # defaults to `True`.
+  beakerSessionSecure: True
+  # -- [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout),
+  # defaults to 3600 seconds. Requires `beakerSessionSaveAccessedTime` be `True`!
+  beakerSessionTimeout: 3600
+  # -- [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type),
+  # defaults to "cookie"  if left empty.
+  beakerSessionType: cookie
   # -- [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key):
-  # If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated.
+  # If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated.
   # **Note:** In a cluster environment this values need to be the same on each instance.
   beakerSessionValidateKey:
-  # -- [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key),
-  # defaults to *ckan* if left empty.
-  beakerSessionKey: ckan-session
-  # -- [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type),
-  # -- defaults to "cookie"  if left empty.
-  beakerSessionType:
-  # -- [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout),
-  # -- defaults to 600 if left empty.
-  beakerSessionTimeout:
-  # -- [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure),
-  # -- defaults to `False` if left empty.
-  beakerSessionSecure:
+  # -- [CKAN beaker session http only](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-httponly),
+  # -- defaults to `True`.
+  beakerSessionHttpOnly: True
   # -- [CKAN beaker session samesite](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-samesite),
   # -- defaults to "Lax" if left empty.
-  beakerSamesite:
-  # -- [CKAN beaker session http only](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-httponly),
-  # -- defaults to `True` if left empty.
-  beakerSessionHttpOnly:
+  beakerSamesite: "Strict"
+  # -- [CKAN who timeout](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-timeout),
+  # defaults to 3600.
+  whoTimeout: 3600
+  # -- [CKAN who secure](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-secure),
+  # defaults to `True`.
+  whoSecure: True
+  # -- [CKAN who http only](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-httponly),
+  # defaults to `True`.
+  whoHttpOnly: True
+  # -- [CKAN who same site](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-samesite),
+  # defaults to `Strict`.
+  whoSamesite: "Strict"
 
 apiToken:
   # -- [CKAN API token settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#api-token-nbytes)