/ckanext-security

A CKAN extension to hold various security improvements for CKAN

Primary LanguagePythonGNU Affero General Public License v3.0AGPL-3.0

CKANEXT-SECURITY

What am I?

A CKAN extension to hold various security improvements for CKAN, including:

  • Stronger password reset tokens
  • Brute force protection
  • Double-submit CSRF protection for requests (Courtesy of the Queensland Government)
  • Removed ability to change usernames after signup
  • Server-side session storage
  • Session invalidation on logout
  • Stronger password validators (NZISM compatible)
  • When users try to reset a password for an email address, CKAN will no longer disclose whether or not that email address exists in the DB.

Reset tokens

Reset tokens are generated using os.urandom(16) instead of CKAN's default uuid.uuid4().hex[:10].

Brute force protection

Users attempting to log in more than ckanext.security.login_max_count times within ckanext.security.lock_timeout seconds from a single IP address will be temporarily locked out.

By default, this means that after 10 unsuccessful login attempts within 15 minutes the login will be disabled for another 15 minutes.

A notification email will be sent to locked out users.

Requirements

  • The CSRFMiddleware needs to be placed at the bottom of the middleware stack. This requires to patch ckan.config.middleware.pylons_app. The patch is currently available in the data.govt.nz CKAN repository on the dia branch, or commit 74f78865 for cherry-pick.
  • A running Redis instance to store brute force protection tokens configured with a maxmemory and maxmemory-policy=lru so it overwrites the least recently used item rather than running out of space. This instance should be a different instance from the one used for Harvest items to avoid data loss. Redis LRU-Cache documentation.

Changes to who.ini

You will need at least the following setting ins your who.ini

[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True

[plugin:friendlyform]
# <your other settings here>
rememberer_name = use_beaker

[identifiers]
plugins =
    friendlyform;browser
    use_beaker

[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth

Changes to CKAN config

For better security, make sure you harden your session configuration (in your ckan config file). See for example the settings below.

[app:main]
# <your other settings here>
beaker.session.key = ckan_session
# Your session secret should be a long, random and secret string!
beaker.session.secret = beaker-secret
beaker.session.data_serializer = json
beaker.session.httponly = true
beaker.session.secure = true
beaker.session.timeout = 3600
beaker.session.save_accessed_time = true
beaker.session.type = redis
beaker.session.url = 127.0.0.1:6739
beaker.session.cookie_expires = true
# Your domain should show here.
beaker.session.cookie_domain = 192.168.232.65

ckanext-security configuration options

## Security
ckanext.security.domain = 192.168.232.65      # Cookie domain

ckanext.security.redis.host = 127.0.0.1
ckanext.security.redis.port = 6379
ckanext.security.redis.db = 1                 # ckan uses db 0

# 15 minute timeout with 10 attempts
ckanext.security.lock_timeout = 900           # Login throttling lock period
ckanext.security.login_max_count = 10         # Login throttling attempt limit

How to install?

You can use pip to install this plugin into your virtual environment:

pip install --process-dependency-links -e 'https://github.com/data-govt-nz/ckanext-security.git#egg=ckanext-security==0.1.0'

NOTE: The ``--process-dependency-links` flag has officially been deprecated, but has not been removed from pip, because it is the currently the only setuptools-supported way for specifying private repo dependencies

Finally, add security to ckan.plugins in your config file.

Possible problems

  • If your service is responding with Internal Server Error, try using paster request <config> /. If you see a ValueError: No Beaker session (beaker.session) in environment then you have not installed the patch to CKAN correctly.