From ab549ed94e1977ccb3d4253279de77c90e5fdc13 Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Thu, 14 Sep 2023 12:13:09 +0200 Subject: [PATCH 1/5] Add `SaveAccessedTime`, harden sess. conf defaults --- CHANGELOG.md | 5 +++++ charts/sddi-ckan/charts/ckan/README.md | 9 +++++---- .../charts/ckan/templates/ckan-sct-session.yml | 1 + charts/sddi-ckan/charts/ckan/values.yaml | 17 ++++++++++------- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36b578d..d11e1ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,11 @@ For releases `< 1.0.0` minor version step indicate breaking changes. ## [Unreleased] +### Added + +- Multiple configuration variables for session management: + - `ckan.session.beakersSessionSaveAccessedTime` + ### Fixed - Multiple session variables had no effect due to false ENV var names. Affected options: diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index 3eafc07..12871b2 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
@@ -138,14 +138,15 @@ A Helm chart for SDDI enabled CKAN.
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| session.beakerSamesite | string | `nil` | defaults to "Lax" if left empty. |
-| session.beakerSessionHttpOnly | string | `nil` | defaults to `True` if left empty. |
+| session.beakerSamesite | string | `"Strict"` | defaults to "Lax" if left empty. |
+| session.beakerSessionHttpOnly | string | `"True"` | defaults to `True`. |
 | session.beakerSessionKey | string | `"ckan-session"` | [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), defaults to *ckan* if left empty. |
 | session.beakerSessionSecret | string | `nil` | [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
-| session.beakerSessionSecure | string | `nil` | defaults to `False` if left empty. |
-| session.beakerSessionTimeout | string | `nil` | defaults to 600 if left empty. |
+| session.beakerSessionSecure | bool | `true` | defaults to `True`. |
+| session.beakerSessionTimeout | int | `600` | defaults to 600. Requires `beakersSessionSaveAccessedTime` be `True`! |
 | session.beakerSessionType | string | `nil` | defaults to "cookie" if left empty.
|
 | session.beakerSessionValidateKey | string | `nil` | [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
+| session.beakersSessionSaveAccessedTime | bool | `true` | defaults to `True`. |
 | siteAbout | string | `"My CKAN about info. You can use Markdown here."` | [CKAN config about](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-about) |
 | siteDescription | string | `"This is my SDDI CKAN instance description."` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-description) |
 | siteId | string | `"default"` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-id) |
diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
index 47fa9b5..6c6dee5 100644
--- a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
+++ b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
@@ -12,6 +12,7 @@ type: Opaque
 stringData:
 CKAN___BEAKER_SESSION__TYPE: {{ .Values.session.beakerSessionType | default "cookie" | quote }}
 CKAN___BEAKER__SESSION__TIMEOUT: {{ .Values.session.beakerSessionTimeout | default "600" | quote }}
+ CKAN___BEAKER__SESSION__SAVE_ACCESSED_TIME: {{ .Values.session.beakersSessionSaveAccessedTime | quote }}
 CKAN___BEAKER__SESSION__SECURE: {{ .Values.session.beakerSessionSecure | default "False" | quote }}
 CKAN___BEAKER__SESSION__SAMESITE: {{ .Values.session.beakerSamesite | default "Lax" | quote }}
 CKAN___BEAKER__SESSION__HTTPONLY: {{ .Values.session.beakerSessionHttpOnly | default "True" | quote }}
diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index 89d271e..93c6486 100644 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml @@ -243,17 +243,20 @@ session: # -- defaults to "cookie" if left empty. beakerSessionType: # -- [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout), - # -- defaults to 600 if left empty. - beakerSessionTimeout: + # -- defaults to 600. Requires `beakersSessionSaveAccessedTime` be `True`! + beakerSessionTimeout: 600 + # -- [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time), + # -- defaults to `True`. + beakersSessionSaveAccessedTime: True # -- [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure), - # -- defaults to `False` if left empty. - beakerSessionSecure: + # -- defaults to `True`. + beakerSessionSecure: True # -- [CKAN beaker session samesite](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-samesite), # -- defaults to "Lax" if left empty. - beakerSamesite: + beakerSamesite: "Strict" # -- [CKAN beaker session http only](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-httponly), - # -- defaults to `True` if left empty. - beakerSessionHttpOnly: + # -- defaults to `True`. + beakerSessionHttpOnly: "True" apiToken: # -- [CKAN API token settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#api-token-nbytes) From db152022590960e25a07da515f6d326e5edeb5f4 Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Thu, 14 Sep 2023 13:34:08 +0200 Subject: [PATCH 2/5] fix session type variable --- charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
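Review bot: `beakerSamesite: "Strict"` together with `beakerSessionSecure: True` is a reasonable hardening default, but neither comment states the operational consequence: with SameSite=Strict the session cookie is not sent on any cross-site top-level navigation (links into the portal from other sites, identity-provider callbacks), so users arrive logged out, and with the Secure flag set a browser discards the cookie entirely when CKAN is reached over plain HTTP. Suggest extending the two comments, e.g. `# "Strict" breaks cross-site navigations such as SSO callbacks; use "Lax" if those are needed.` and `# Requires TLS termination in front of CKAN; browsers drop Secure cookies on plain HTTP.` The hunk also mixes the YAML boolean `True` (beakerSessionSecure, beakersSessionSaveAccessedTime) with the string `"True"` (beakerSessionHttpOnly), which the README then reports as different types; lowercase `true` everywhere (yamllint `truthy`) would be consistent, and the same applies to the values.yaml hunks in patches 3 and 5. The enclosing `session:` mapping starts outside the hunk.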
diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml index 6c6dee5..a6d9f22 100644 --- a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml +++ b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml @@ -10,7 +10,7 @@ metadata: app.kubernetes.io/component: {{ .Values.component }} type: Opaque stringData: - CKAN___BEAKER_SESSION__TYPE: {{ .Values.session.beakerSessionType | default "cookie" | quote }} + CKAN___BEAKER__SESSION__TYPE: {{ .Values.session.beakerSessionType | default "cookie" | quote }} CKAN___BEAKER__SESSION__TIMEOUT: {{ .Values.session.beakerSessionTimeout | default "600" | quote }} CKAN___BEAKER__SESSION__SAVE_ACCESSED_TIME: {{ .Values.session.beakersSessionSaveAccessedTime | quote }} CKAN___BEAKER__SESSION__SECURE: {{ .Values.session.beakerSessionSecure | default "False" | quote }} From 689569cf8e9ac1e2039cb242695f853b089c203b Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Thu, 14 Sep 2023 14:51:26 +0200 Subject: [PATCH 3/5] rework session settings for sec. hardening --- CHANGELOG.md | 9 ++- charts/sddi-ckan/charts/ckan/README.md | 18 +++--- .../ckan/templates/ckan-sct-session.yml | 24 +++++--- charts/sddi-ckan/charts/ckan/values.yaml | 56 ++++++++++++------- 4 files changed, 70 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d11e1ca..68fb1e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,12 @@ For releases `< 1.0.0` minor version step indicate breaking changes. ### Added -- Multiple configuration variables for session management: - - `ckan.session.beakersSessionSaveAccessedTime` +- Added configuration variables for session management: + - `ckan.session.userLastActiveInterval` + - `ckan.session.beakerSessionSaveAccessedTime` + - `ckan.session.beakerSessionCookieDomain` + - `ckan.session.beakerSessionCookieExpires` + - `ckan.session.beakerSessionAuto` ### Fixed 
@@ -31,6 +35,7 @@ For releases `< 1.0.0` minor version step indicate breaking changes. - Changed default setting of `ckan.auth.public_user_details` to `False` to prevent unauthorized leakage of user details. The `/user` page will now return `403 Forbidden` by default. +- Changed various defaults of `ckan.session.*` settings for security hardening. ## [sddi-ckan-1.2.2] - 2023-08-24 diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index 12871b2..a198fcd 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
@@ -139,14 +139,18 @@ A Helm chart for SDDI enabled CKAN.
 | serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | session.beakerSamesite | string | `"Strict"` | defaults to "Lax" if left empty. |
+| session.beakerSessionAuto | bool | `false` | [CKAN beaker session auto](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-auto), defaults to `False`. |
+| session.beakerSessionCookieDomain | string | `nil` | [CKAN beaker session domain](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-domain), defaults to the current domain in its entirety. |
+| session.beakerSessionCookieExpires | bool | `true` | [CKAN beaker session cookie expires](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-expires), defaults to `True` seconds. |
 | session.beakerSessionHttpOnly | string | `"True"` | defaults to `True`. |
-| session.beakerSessionKey | string | `"ckan-session"` | [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), defaults to *ckan* if left empty. |
-| session.beakerSessionSecret | string | `nil` | [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
-| session.beakerSessionSecure | bool | `true` | defaults to `True`. |
-| session.beakerSessionTimeout | int | `600` | defaults to 600. Requires `beakersSessionSaveAccessedTime` be `True`! |
-| session.beakerSessionType | string | `nil` | defaults to "cookie" if left empty.
|
-| session.beakerSessionValidateKey | string | `nil` | [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
-| session.beakersSessionSaveAccessedTime | bool | `true` | defaults to `True`. |
+| session.beakerSessionKey | string | `"ckan_session"` | [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), defaults to `ckan_session`. |
+| session.beakerSessionSaveAccessedTime | bool | `true` | [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time), defaults to `True`. |
+| session.beakerSessionSecret | string | `nil` | [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
+| session.beakerSessionSecure | bool | `true` | [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure), defaults to `True`. |
+| session.beakerSessionTimeout | int | `3600` | [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout), defaults to 3600 seconds. Requires `beakerSessionSaveAccessedTime` be `True`! |
+| session.beakerSessionType | string | `"cookie"` | [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type), defaults to "cookie" if left empty.
|
+| session.beakerSessionValidateKey | string | `nil` | [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
+| session.userLastActiveInterval | int | `600` | [CKAN user last active interval](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-user-last-active-interval), defaults to 600. |
 | siteAbout | string | `"My CKAN about info. You can use Markdown here."` | [CKAN config about](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-about) |
 | siteDescription | string | `"This is my SDDI CKAN instance description."` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-description) |
 | siteId | string | `"default"` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-id) |
diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
index a6d9f22..f547c53 100644
--- a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
+++ b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
@@ -10,13 +10,19 @@ metadata:
 app.kubernetes.io/component: {{ .Values.component }}
 type: Opaque
 stringData:
- CKAN___BEAKER__SESSION__TYPE: {{ .Values.session.beakerSessionType | default "cookie" | quote }}
- CKAN___BEAKER__SESSION__TIMEOUT: {{ .Values.session.beakerSessionTimeout | default "600" | quote }}
- CKAN___BEAKER__SESSION__SAVE_ACCESSED_TIME: {{ .Values.session.beakersSessionSaveAccessedTime | quote }}
- CKAN___BEAKER__SESSION__SECURE: {{ .Values.session.beakerSessionSecure | default "False" | quote }}
- CKAN___BEAKER__SESSION__SAMESITE: {{ .Values.session.beakerSamesite | default "Lax" | quote }}
- CKAN___BEAKER__SESSION__HTTPONLY: {{ .Values.session.beakerSessionHttpOnly | default "True" | quote }}
- CKAN___BEAKER__SESSION__KEY: {{ .Values.session.beakerSessionKey | default "ckan" | quote }}
- CKAN___BEAKER__SESSION__SECRET: {{ .Values.session.beakerSessionSecret | default (randAlphaNum 64) | quote }}
- CKAN___BEAKER__SESSION__VALIDATE_KEY: {{ .Values.session.beakerSessionValidateKey | default (randAlphaNum 64) | quote }}
+ CKAN__USER__LAST_ACTIVE_INTERVAL: {{ .Values.session.userLastActiveInterval | quote }}
+ CKAN___BEAKER__SESSION__KEY: {{ .Values.session.beakerSessionKey | quote }}
+ CKAN___BEAKER__SESSION__SECRET: {{ .Values.session.beakerSessionSecret | default (randAlphaNum 128) | quote }}
+ CKAN___BEAKER__SESSION__AUTO: {{ .Values.session.beakerSessionAuto | quote }}
+ CKAN___BEAKER__SESSION__COOKIE_EXPIRES: {{ .Values.session.beakerSessionCookieExpires | quote }}
+ {{- if .Values.session.beakerSessionCookieDomain }}
+ CKAN___BEAKER__SESSION__COOKIE_DOMAIN: {{ .Values.session.beakerSessionCookieDomain | quote }}
+ {{- end }}
+ CKAN___BEAKER__SESSION__SAVE_ACCESSED_TIME: {{ .Values.session.beakerSessionSaveAccessedTime | quote }}
+ CKAN___BEAKER__SESSION__SECURE: {{ .Values.session.beakerSessionSecure | quote }}
+ CKAN___BEAKER__SESSION__TIMEOUT: {{ .Values.session.beakerSessionTimeout | quote }}
+ CKAN___BEAKER__SESSION__TYPE: {{
.Values.session.beakerSessionType | quote }}
+ CKAN___BEAKER__SESSION__VALIDATE_KEY: {{ .Values.session.beakerSessionValidateKey | default (randAlphaNum 128) | quote }}
+ CKAN___BEAKER__SESSION__HTTPONLY: {{ .Values.session.beakerSessionHttpOnly | quote }}
+ CKAN___BEAKER__SESSION__SAMESITE: {{ .Values.session.beakerSamesite | quote }}
 {{- end -}}
diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml
index 93c6486..ac2cd10 100644
--- a/charts/sddi-ckan/charts/ckan/values.yaml
+++ b/charts/sddi-ckan/charts/ckan/values.yaml
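Review bot: `CKAN___BEAKER__SESSION__SECRET` and `CKAN___BEAKER__SESSION__VALIDATE_KEY` still fall back to `randAlphaNum 128`, which is re-evaluated on every render, so each `helm upgrade` (and every `helm diff`) that leaves the two values empty rotates both keys and invalidates every live session; the values.yaml comment only warns about keeping them equal across instances. Either carry the previously generated value forward by reading the Secret already in the cluster, or state in the template and README that both values must be set explicitly for sessions to survive upgrades. Separately, the boolean lines now push the YAML booleans through `quote`, so CKAN receives `"true"`/`"false"` rather than the `True`/`False` the values comments promise; CKAN's config loader presumably accepts either, but worth confirming against the deployed version. `{{- end -}}` closes a block that begins outside the hunk.

```yaml
  {{- /* Reuse the keys from the Secret already in the cluster so an upgrade does not rotate them.
         lookup returns an empty map under helm template / --dry-run, where the random fallback still applies. */}}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace "<SECRET_NAME: reuse the expression from metadata.name above>" }}
  {{- $keptSecret := dig "data" "CKAN___BEAKER__SESSION__SECRET" "" $existing | b64dec }}
  {{- $keptValidateKey := dig "data" "CKAN___BEAKER__SESSION__VALIDATE_KEY" "" $existing | b64dec }}
  CKAN___BEAKER__SESSION__SECRET: {{ .Values.session.beakerSessionSecret | default $keptSecret | default (randAlphaNum 128) | quote }}
  # … unchanged: AUTO, COOKIE_EXPIRES, COOKIE_DOMAIN, SAVE_ACCESSED_TIME, SECURE, TIMEOUT, TYPE …
  CKAN___BEAKER__SESSION__VALIDATE_KEY: {{ .Values.session.beakerSessionValidateKey | default $keptValidateKey | default (randAlphaNum 128) | quote }}
```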
@@ -228,35 +228,53 @@ sysadmin: email: user@example.de session: + # -- [CKAN user last active interval](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-user-last-active-interval), + # defaults to 600. + userLastActiveInterval: 600 + # -- [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), + # defaults to `ckan_session`. + beakerSessionKey: ckan_session # -- [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): - # If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. + # If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. # **Note:** In a cluster environment this values need to be the same on each instance. beakerSessionSecret: + # -- [CKAN beaker session auto](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-auto), + # defaults to `False`. + beakerSessionAuto: False + # -- [CKAN beaker session cookie expires](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-expires), + # defaults to `True` seconds. + beakerSessionCookieExpires: True + # -- [CKAN beaker session domain](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-domain), + # defaults to the current domain in its entirety. + beakerSessionCookieDomain: + # -- [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time), + # defaults to `True`. + beakerSessionSaveAccessedTime: True + # -- [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure), + # defaults to `True`. 
+ beakerSessionSecure: True + # -- [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout), + # defaults to 3600 seconds. Requires `beakerSessionSaveAccessedTime` be `True`! + beakerSessionTimeout: 3600 + # -- [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type), + # defaults to "cookie" if left empty. + beakerSessionType: cookie # -- [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): - # If left empty, a [64 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. + # If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. # **Note:** In a cluster environment this values need to be the same on each instance. beakerSessionValidateKey: - # -- [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), - # defaults to *ckan* if left empty. - beakerSessionKey: ckan-session - # -- [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type), - # -- defaults to "cookie" if left empty. - beakerSessionType: - # -- [CKAN beaker session timeout](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-timeout), - # -- defaults to 600. Requires `beakersSessionSaveAccessedTime` be `True`! - beakerSessionTimeout: 600 - # -- [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time), - # -- defaults to `True`. 
- beakersSessionSaveAccessedTime: True - # -- [CKAN beaker session secure](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secure), + # -- [CKAN beaker session http only](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-httponly), # -- defaults to `True`. - beakerSessionSecure: True + beakerSessionHttpOnly: "True" # -- [CKAN beaker session samesite](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-samesite), # -- defaults to "Lax" if left empty. beakerSamesite: "Strict" - # -- [CKAN beaker session http only](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-httponly), - # -- defaults to `True`. - beakerSessionHttpOnly: "True" + + + + + + apiToken: # -- [CKAN API token settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#api-token-nbytes) From d4db033378f50a2044be8c3eeeab47016b49c89a Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Thu, 14 Sep 2023 15:03:41 +0200 Subject: [PATCH 4/5] minor change --- charts/sddi-ckan/charts/ckan/README.md | 2 +- charts/sddi-ckan/charts/ckan/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index a198fcd..8e86737 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
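Review bot: The comments kept for beakerSessionType, beakerSamesite and beakerSessionHttpOnly are now stale: the template in this same commit drops the `default` filters, so `defaults to "cookie" if left empty` and `defaults to "Lax" if left empty` describe behaviour that no longer exists (an empty value renders as `""`), while the actual chart defaults are `cookie` and `"Strict"`. In addition, the second comment line of beakerSamesite and beakerSessionHttpOnly still carries the `# --` prefix, which helm-docs treats as a fresh description — the README rows for exactly those two keys show only `defaults to ...` with the link dropped, whereas keys using plain `# ` continuation keep their full text. Suggest plain continuation and a rewording, e.g. `#   chart default "Strict"; CKAN itself falls back to "Lax" only when the setting is absent.` The six empty `+` lines before `apiToken:` are whitespace noise. The enclosing `session:` mapping is only visible in the hunk header context.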
@@ -142,7 +142,7 @@ A Helm chart for SDDI enabled CKAN.
 | session.beakerSessionAuto | bool | `false` | [CKAN beaker session auto](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-auto), defaults to `False`. |
 | session.beakerSessionCookieDomain | string | `nil` | [CKAN beaker session domain](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-domain), defaults to the current domain in its entirety. |
 | session.beakerSessionCookieExpires | bool | `true` | [CKAN beaker session cookie expires](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-cookie-expires), defaults to `True` seconds. |
-| session.beakerSessionHttpOnly | string | `"True"` | defaults to `True`. |
+| session.beakerSessionHttpOnly | bool | `true` | defaults to `True`. |
 | session.beakerSessionKey | string | `"ckan_session"` | [CKAN beaker session key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-key), defaults to `ckan_session`. |
 | session.beakerSessionSaveAccessedTime | bool | `true` | [CKAN beaker session save access time](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-save-accessed-time), defaults to `True`. |
 | session.beakerSessionSecret | string | `nil` | [CKAN beaker session secret](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-secret): If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml
index ac2cd10..4ac25a6 100644
--- a/charts/sddi-ckan/charts/ckan/values.yaml
+++ b/charts/sddi-ckan/charts/ckan/values.yaml
@@ -265,7 +265,7 @@ session:
 beakerSessionValidateKey:
 # -- [CKAN beaker session http only](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-httponly),
 # -- defaults to `True`.
- beakerSessionHttpOnly: "True"
+ beakerSessionHttpOnly: True
 # -- [CKAN beaker session samesite](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-samesite),
 # -- defaults to "Lax" if left empty.
 beakerSamesite: "Strict"
From 855f335bbd4fe7f6dde4a5f1346d18909b978306 Mon Sep 17 00:00:00 2001
From: Bruno Willenborg
Date: Thu, 14 Sep 2023 16:26:35 +0200
Subject: [PATCH 5/5] Added who settings
---
charts/sddi-ckan/charts/ckan/README.md | 4 ++++
.../charts/ckan/templates/ckan-sct-session.yml | 6 ++++++
charts/sddi-ckan/charts/ckan/values.yaml | 18 ++++++++++++------
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md
index 8e86737..61d77b7 100644
--- a/charts/sddi-ckan/charts/ckan/README.md
+++ b/charts/sddi-ckan/charts/ckan/README.md
@@ -151,6 +151,10 @@ A Helm chart for SDDI enabled CKAN.
 | session.beakerSessionType | string | `"cookie"` | [CKAN beaker session type](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-type), defaults to "cookie" if left empty. |
 | session.beakerSessionValidateKey | string | `nil` | [CKAN beaker session validate key](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-validate-key): If left empty, a [128 char random AlphaNum](https://docs.gomplate.ca/functions/random/#random-alphanum) is generated. **Note:** In a cluster environment this values need to be the same on each instance. |
 | session.userLastActiveInterval | int | `600` | [CKAN user last active interval](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-user-last-active-interval), defaults to 600. |
+| session.whoHttpOnly | bool | `true` | [CKAN who http only](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-httponly), defaults to `True`. |
+| session.whoSamesite | string | `"Strict"` | [CKAN who same site](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-samesite), defaults to `Strict`. |
+| session.whoSecure | bool | `true` | [CKAN who secure](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-secure), defaults to `True`. |
+| session.whoTimeout | int | `3600` | [CKAN who timeout](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-timeout), defaults to 3600. |
 | siteAbout | string | `"My CKAN about info. You can use Markdown here."` | [CKAN config about](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-about) |
 | siteDescription | string | `"This is my SDDI CKAN instance description."` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-description) |
 | siteId | string | `"default"` | [CKAN config site_id](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-site-id) |
diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
index f547c53..9f6becd 100644
--- a/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
+++ b/charts/sddi-ckan/charts/ckan/templates/ckan-sct-session.yml
@@ -10,6 +10,7 @@ metadata:
 app.kubernetes.io/component: {{ .Values.component }}
 type: Opaque
 stringData:
+ # Beaker settings
 CKAN__USER__LAST_ACTIVE_INTERVAL: {{ .Values.session.userLastActiveInterval | quote }}
 CKAN___BEAKER__SESSION__KEY: {{ .Values.session.beakerSessionKey | quote }}
 CKAN___BEAKER__SESSION__SECRET: {{ .Values.session.beakerSessionSecret | default (randAlphaNum 128) | quote }}
@@ -25,4 +26,9 @@ stringData:
 CKAN___BEAKER__SESSION__VALIDATE_KEY: {{ .Values.session.beakerSessionValidateKey | default (randAlphaNum 128) | quote }}
 CKAN___BEAKER__SESSION__HTTPONLY: {{ .Values.session.beakerSessionHttpOnly | quote }}
 CKAN___BEAKER__SESSION__SAMESITE: {{ .Values.session.beakerSamesite | quote }}
+ # Repoze - who.ini settings
+ CKAN___WHO__TIMEOUT: {{ .Values.session.whoTimeout | quote }}
+ CKAN___WHO__SECURE: {{ .Values.session.whoSecure | quote }}
+ CKAN___WHO__HTTPONLY: {{ .Values.session.whoHttpOnly | quote }}
+ CKAN___WHO__SAMESITE: {{ .Values.session.whoSamesite | quote }}
 {{- end -}}
diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml
index 4ac25a6..e68ddf0 100644
--- a/charts/sddi-ckan/charts/ckan/values.yaml
+++ b/charts/sddi-ckan/charts/ckan/values.yaml
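Review bot: The four `CKAN___WHO__*` entries in the second hunk are documented against the CKAN 2.9 configuration page, unlike every other key in this Secret, which links to `latest`; if the image this chart deploys is a release where the repoze.who settings no longer exist, these env vars are silently ignored while the README advertises them as hardening, so the comment should state the version range, e.g. `# Repoze - who.ini settings (effective only on CKAN releases that still use repoze.who; see the 2.9 docs)`. `CKAN___WHO__TIMEOUT` and `CKAN___BEAKER__SESSION__TIMEOUT` both default to 3600 but are independent values, and a one-line comment on which of the two bounds the effective login lifetime would spare operators a surprise — I cannot confirm their interaction from the chart alone, so that sentence needs checking against the CKAN docs. The `{{- end -}}` closes a block that starts outside the hunk.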
@@ -269,12 +269,18 @@ session: # -- [CKAN beaker session samesite](https://docs.ckan.org/en/latest/maintaining/configuration.html#beaker-session-samesite), # -- defaults to "Lax" if left empty. beakerSamesite: "Strict" - - - - - - + # -- [CKAN who timeout](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-timeout), + # defaults to 3600. + whoTimeout: 3600 + # -- [CKAN who secure](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-secure), + # defaults to `True`. + whoSecure: True + # -- [CKAN who http only](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-httponly), + # defaults to `True`. + whoHttpOnly: True + # -- [CKAN who same site](https://docs.ckan.org/en/2.9/maintaining/configuration.html#who-samesite), + # defaults to `Strict`. + whoSamesite: "Strict" apiToken: # -- [CKAN API token settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#api-token-nbytes)