[AdminTL#83] authentication: keep secret key for secure cookie in con…

…figuration - auto generate this secret key if not exist.
mathben · Mar 18, 2018 · 7f39157 · 7f39157
1 parent 7a47f7c
commit 7f39157
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 8 deletions.
diff --git a/src/web/py_class/auth_keys.py b/src/web/py_class/auth_keys.py
@@ -3,25 +3,39 @@
 
 import json
 from sys import stderr
+import base64
+import uuid
 
 
 class AuthKeys(object):
     """Contains keys and secrets needed for third-party authentication."""
 
     def __init__(self, parser):
+        self._db_auth_keys_path = parser.db_auth_keys_path
         self.keys = {}
         try:
-            with open(parser.db_auth_keys_path, encoding='utf-8') as keys_file:
+            with open(self._db_auth_keys_path, encoding='utf-8') as keys_file:
                 self.keys = json.load(keys_file)
         except json.decoder.JSONDecodeError as exception:
             print("ERROR: %s isn't formatted properly. \nDetails: %s" % (parser.db_auth_keys_path, exception),
                   file=stderr)
         except FileNotFoundError:
             print("ERROR: file %s not exist. Please create it or read installation file." % parser.db_auth_keys_path)
 
-    def get(self, key):
+    def get(self, key, auto_gen=False):
         result = self.keys.get(key)
-        if result is None:
-            print("WARNING: Key \"%s\" is not set. Some third-party authentications may not work properly." % key,
-                  file=stderr)
+        if not result:
+            if not auto_gen:
+                print("WARNING: Key \"%s\" is not set. Some third-party authentications may not work properly." % key,
+                      file=stderr)
+            else:
+                print("WARNING: Regenerate key \"%s\"." % key)
+                bytes_result = base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes)
+                result = bytes_result.decode('utf-8')
+                self.keys[key] = result
+                self._flush()
         return result
+
+    def _flush(self):
+        with open(self._db_auth_keys_path, mode='w', encoding='utf-8') as keys_file:
+            json.dump(self.keys, keys_file)
diff --git a/src/web/web.py b/src/web/web.py
@@ -15,7 +15,6 @@
 from py_class.manual import Manual
 from py_class.lore import Lore
 from py_class.auth_keys import AuthKeys
-import uuid
 
 WEB_ROOT_DIR = os.path.dirname(os.path.realpath(__file__))
 DEFAULT_SSL_DIRECTORY = os.path.join(WEB_ROOT_DIR, "..", "..", "ssl_cert", "certs")
@@ -33,6 +32,8 @@ def main(parse_arg):
         if os.path.isfile(cert_file) and os.path.isfile(key_file):
             ssl_options.load_cert_chain(certfile=cert_file, keyfile=key_file)
 
+    auth_keys = AuthKeys(parse_arg)
+
     url = "http{2}://{0}:{1}".format(parse_arg.listen.address, parse_arg.listen.port, "s" if ssl_options else "")
     # TODO store cookie_secret if want to reuse it if restart server
     settings = {"static_path": parse_arg.static_dir,
@@ -47,13 +48,12 @@ def main(parse_arg):
                 "disable_login": parse_arg.disable_login,
                 "url": url,
                 "login_url": "/login",
-                "cookie_secret": uuid.uuid4().hex,
+                "cookie_secret": auth_keys.get("cookie_secret", auto_gen=True),
                 # TODO add xsrf_cookies
                 # "xsrf_cookies": True,
                 }
 
     if not parse_arg.disable_login:
-        auth_keys = AuthKeys(parse_arg)
         settings["google_oauth"] = auth_keys.get("google_oauth")
         settings["facebook_api_key"] = auth_keys.get("facebook_api_key")
         settings["facebook_secret"] = auth_keys.get("facebook_secret")