Merge pull request #5 from qld-gov-au/develop

Develop to main

.flake8

@@ -0,0 +1,17 @@
+[flake8]
+# @see https://flake8.pycqa.org/en/latest/user/configuration.html?highlight=.flake8
+
+exclude =
+
+# Extended output format.
+format = pylint
+
+# Show the source of errors.
+show_source = True
+
+max-complexity = 10
+max-line-length = 127
+
+# List ignore rules one per line.
+ignore =
+    W503

.github/workflows/test.yml

@@ -0,0 +1,44 @@
+---
+#based on https://raw.githubusercontent.com/ckan/ckanext-scheming/master/.github/workflows/test.yml
+# alternative https://github.com/ckan/ckan/blob/master/contrib/cookiecutter/ckan_extension/%7B%7Bcookiecutter.project%7D%7D/.github/workflows/test.yml
+name: Tests
+on: [push]
+
+jobs:
+  lint:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - name: Install requirements
+        run: pip install flake8 pycodestyle
+      - name: Check syntax
+        run: flake8 . --count --show-source --statistics
+
+  test:
+    needs: lint
+    strategy:
+      matrix:
+        ckan-version: [2.9, 2.9-py2, 2.8]
+      fail-fast: true
+
+    name: CKAN ${{ matrix.ckan-version }}
+    runs-on: ubuntu-18.04
+    container:
+      image: openknowledge/ckan-dev:${{ matrix.ckan-version }}
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Install requirements
+      run: |
+        pip install -r requirements.txt
+        pip install -e .
+
+    - name: Run all tests
+      run: |
+        PYTHON=`which python3 || which python`
+        $PYTHON ckanext/csrf_filter/test_anti_csrf.py
+

.gitignore

@@ -0,0 +1,58 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.cache
+nosetests.xml
+coverage.xml
+test/screenshots
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+#Intellij
+.idea

README.md

@@ -1,2 +1,111 @@
-# ckanext-csrf-filter
-A CKAN extension to add protection against Cross-Site Request Forgery attacks
+ckanext-csrf-filter
+===================
+
+Overview
+========
+A CKAN extension to add protection against [Cross-Site Request Forgery](https://owasp.org/www-community/attacks/csrf)
+attacks, with minimal overhead (no server-side state, no modifications to existing forms).
+
+This is achieved using a mix of the Double Submit Cookie and HMAC Based Token
+patterns [documented by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html),
+with tokens being generated from a HMAC of the username, current time, nonce, and a server secret.
+Tokens are set in cookies and injected into HTML responses as needed, then verified
+on applicable POST requests.
+
+By default, tokens expire after 30 minutes, and will be proactively rotated after 10 minutes.
+
+An attacker restricted by the Same Origin Policy is unable to read or write
+the token cookie, and is therefore unable to forge a request that will match it.
+
+An attacker who finds an XSS exploit on a subdomain allowing them to write cookies
+will still be unable to write a properly formed token cookie, since it requires
+knowledge of the server secret.
+
+Installation
+============
+
+To install ``ckanext-csrf-filter``:
+
+1. Install CKAN >=2.8. CKAN 2.7 may be compatible, but is not tested.
+
+1. Activate your CKAN virtual environment, eg:
+
+    ```
+    . /usr/lib/ckan/default/bin/activate
+    ```
+
+1. Install the extension into your virtual environment:
+
+    ```
+    pip install -e git+https://github.com/qld-gov-au/ckanext-csrf-filter.git#egg=ckanext-csrf-filter
+    ```
+
+1. Install the extension dependencies:
+
+    ```
+    pip install -r ckanext-csrf-filter/requirements.txt
+    ```
+
+1. Add ``csrf_filter`` to the ``ckan.plugins`` setting in
+your CKAN config file (by default the config file is located at
+``/etc/ckan/default/production.ini``).
+
+1. Restart CKAN. Eg if you've deployed CKAN with Apache on Ubuntu:
+
+    ```
+    sudo service apache2 reload
+    ```
+
+Configuration
+=============
+
+A cryptographically unguessable server secret must be present to generate secure hashes.
+This will be taken from one of the following, in order:
+
+- `ckanext.csrf_filter.secret_key` (if you wish to provide your own key)
+- `beaker.session.secret` (normally present within CKAN apps out of the box)
+- The Flask app `secret_key` value (for future-proofing and easier conversion to non-CKAN applications)
+
+The value of `ckan.site_url` will be used to determine whether token cookies
+should have the 'Secure' flag. NB Insecure cookies should only be used in testing,
+never in a production environment.
+
+Optional
+--------
+
+    # Maximum age of a token cookie, in minutes.
+    # Tokens older than this will be rejected.
+    # Default 30 minutes.
+    ckanext.csrf_filter.token_expiry_minutes = 30
+
+    # Tokens older than this will be replaced with new ones on the next response.
+    # Default 10 minutes.
+    ckanext.csrf_filter.token_rotation_minutes = 10
+
+
+Testing
+=======
+
+To run the tests:
+
+1. Activate your CKAN virtual environment, eg:
+
+    ```
+    . /usr/lib/ckan/default/bin/activate
+    ```
+
+1. Switch to the extension directory, eg:
+
+    ```
+    cd /usr/lib/ckan/default/src/ckanext-csrf-filter
+    ```
+
+1. Run the tests. This can be done in multiple ways.
+
+    1. Execute the test class directly:
+
+        ```
+        python ckanext/csrf_filter/test_anti_csrf.py
+        ```
+
+    1. Run ``nosetests`` or ``pytest``.

ckanext/__init__.py

@@ -0,0 +1,7 @@
+"""Empty namespace, just exists to keep things tidy"""
+try:
+    import pkg_resources
+    pkg_resources.declare_namespace(__name__)
+except ImportError:
+    import pkgutil
+    __path__ = pkgutil.extend_path(__path__, __name__)