From 255839046b93ab8f7884b08367428b29976cc720 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Robles?= Date: Mon, 15 Jul 2024 09:20:23 -0500 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Separation=20of=20voting=20session?= =?UTF-8?q?=20time=20and=20bearer=20token=20lifetime=20(#359)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Parent issue: https://github.com/sequentech/meta/issues/762 --- config.yml | 10 +++++-- doc/production/config.auth.yml | 40 +++++++++++++++++++++++++-- doc/production/config.master.yml | 40 +++++++++++++++++++++++++-- iam/templates/deploy.py | 7 ++++- iam/templates/test_settings.py | 8 +++++- sequent-ui/templates/SequentConfig.js | 2 +- 6 files changed, 98 insertions(+), 9 deletions(-) diff --git a/config.yml b/config.yml index 38f2265..92bba39 100644 --- a/config.yml +++ b/config.yml @@ -1163,8 +1163,14 @@ config: # default: true allow_deregister: true - # Number of seconds after which an authentication token expires. - auth_token_expiration_seconds: 600 + # Number of seconds after which an smartlink authentication token expires. + smartlink_token_expiration_seconds: 90 + + # Minimum session duration for a voter + access_auth_token_expiration_seconds: 60 + + # Maximum session duration for a voter (after renewing the access token) + refresh_auth_token_expiration_seconds: 600 # Number of seconds after which an authentication token expires for admin # users diff --git a/doc/production/config.auth.yml b/doc/production/config.auth.yml index b9d819e..08f8d70 100644 --- a/doc/production/config.auth.yml +++ b/doc/production/config.auth.yml @@ -194,6 +194,13 @@ config: # value is low to avoid denial of service attacks. client_max_header_size: 8k + # This changes proxy_connect_timeout/proxy_send_timeout/proxy_read_timeout + # in the nginx web server. + # Any request to the server will timeout with a 504 code if the server + # doesn't answer after this time. + # Note that this value is not higher to avoid denial of service attacks. + nginx_timeout_secs: 120 + # Path of the TLS PEM public certificate. # # Requirements: @@ -428,6 +435,10 @@ config: # using their certificates as client certificates. ssl_port: 14453 + # Numbers of seconds memcached mantains a cached item (an election) + # in the cache. By default it's 5 seconds. + cache_expiration_seconds: 5 + # Password used to encrypt the authorities' public keys for usage in # ballot-box. keystore_pass: '' @@ -1147,8 +1158,14 @@ config: # default: true allow_deregister: true - # Number of seconds after which an authentication token expires. - auth_token_expiration_seconds: 600 + # Number of seconds after which an smartlink authentication token expires. + smartlink_token_expiration_seconds: 90 + + # Minimum session duration for a voter + access_auth_token_expiration_seconds: 60 + + # Maximum session duration for a voter (after renewing the access token) + refresh_auth_token_expiration_seconds: 600 # Number of seconds after which an authentication token expires for admin # users @@ -1193,6 +1210,25 @@ config: # Allowed values: (user-and-password|email|email-otp|sms|sms-otp|openid-connect) auth_method: 'user-and-password' + # Enter the AWS credentials and configuration. Used for sending SMS using + # the 'aws-sns' SMS Provider. For more information, see + # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#using-boto3 + aws: + # configures the content of the `~/.aws/credentials` file: + credentials: | + [default] + aws_access_key_id = AWS_ACCESS_KEY_ID + aws_secret_access_key = AWS_SECRET_ACCESS_KEY + # configures the content of the `~/.aws/config` file: + config: | + [default] + region=eu-west-1 + # Sets the configuration for authentication messages sent by the AWS SNS + # provider + sns_message_attributes: + AWS.SNS.SMS.SenderID: "{'DataType': 'String', 'StringValue': 'SEQUENT'}" + AWS.SNS.SMS.SMSType: "{'DataType': 'String', 'StringValue': 'Transactional'}" + # Defines the extra fields used in authentication and registration. Empty by # default extra_fields: > diff --git a/doc/production/config.master.yml b/doc/production/config.master.yml index 0e0fbd1..8a56422 100644 --- a/doc/production/config.master.yml +++ b/doc/production/config.master.yml @@ -194,6 +194,13 @@ config: # value is low to avoid denial of service attacks. client_max_header_size: 8k + # This changes proxy_connect_timeout/proxy_send_timeout/proxy_read_timeout + # in the nginx web server. + # Any request to the server will timeout with a 504 code if the server + # doesn't answer after this time. + # Note that this value is not higher to avoid denial of service attacks. + nginx_timeout_secs: 120 + # Path of the TLS PEM public certificate. # # Requirements: @@ -428,6 +435,10 @@ config: # using their certificates as client certificates. ssl_port: 14453 + # Numbers of seconds memcached mantains a cached item (an election) + # in the cache. By default it's 5 seconds. + cache_expiration_seconds: 5 + # Password used to encrypt the authorities' public keys for usage in # ballot-box. keystore_pass: '' @@ -1147,8 +1158,14 @@ config: # default: true allow_deregister: true - # Number of seconds after which an authentication token expires. - auth_token_expiration_seconds: 600 + # Number of seconds after which an smartlink authentication token expires. + smartlink_token_expiration_seconds: 90 + + # Minimum session duration for a voter + access_auth_token_expiration_seconds: 60 + + # Maximum session duration for a voter (after renewing the access token) + refresh_auth_token_expiration_seconds: 600 # Number of seconds after which an authentication token expires for admin # users @@ -1193,6 +1210,25 @@ config: # Allowed values: (user-and-password|email|email-otp|sms|sms-otp|openid-connect) auth_method: 'user-and-password' + # Enter the AWS credentials and configuration. Used for sending SMS using + # the 'aws-sns' SMS Provider. For more information, see + # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#using-boto3 + aws: + # configures the content of the `~/.aws/credentials` file: + credentials: | + [default] + aws_access_key_id = AWS_ACCESS_KEY_ID + aws_secret_access_key = AWS_SECRET_ACCESS_KEY + # configures the content of the `~/.aws/config` file: + config: | + [default] + region=eu-west-1 + # Sets the configuration for authentication messages sent by the AWS SNS + # provider + sns_message_attributes: + AWS.SNS.SMS.SenderID: "{'DataType': 'String', 'StringValue': 'SEQUENT'}" + AWS.SNS.SMS.SMSType: "{'DataType': 'String', 'StringValue': 'Transactional'}" + # Defines the extra fields used in authentication and registration. Empty by # default extra_fields: > diff --git a/iam/templates/deploy.py b/iam/templates/deploy.py index 49c3471..3495a7c 100644 --- a/iam/templates/deploy.py +++ b/iam/templates/deploy.py @@ -96,10 +96,15 @@ def on_celery_setup_logging(**kwargs): SHARED_SECRET = b'{{config.ballot_box.shared_secret}}' -TIMEOUT = {{config.iam.auth_token_expiration_seconds}} +SMARTLINK_TIMEOUT = {{config.iam.smartlink_token_expiration_seconds}} + +ACCESS_TIMEOUT = {{config.iam.access_auth_token_expiration_seconds}} + +REFRESH_TIMEOUT = {{config.iam.refresh_auth_token_expiration_seconds}} ADMIN_TIMEOUT = {{config.iam.admin_auth_token_expiration_seconds}} + SECRET_KEY = '{{ config.global_secret_key }}' HOME_URL = "https://{{ config.ballot_box.domain }}/election/__EVENT_ID__/public/home" diff --git a/iam/templates/test_settings.py b/iam/templates/test_settings.py index 3c2f30f..7e042f2 100644 --- a/iam/templates/test_settings.py +++ b/iam/templates/test_settings.py @@ -66,10 +66,16 @@ class CeleryConfig: ALLOWED_HOSTS = [] -TIMEOUT = 300 +SMARTLINK_TIMEOUT = 90 + +ACCESS_TIMEOUT = 60 + +REFRESH_TIMEOUT = 600 ADMIN_TIMEOUT = 3000 +REFRESH_TIMEOUT = 300 + ADMIN_AUTH_ID = 1 ALLOW_ADMIN_AUTH_REGISTRATION = False diff --git a/sequent-ui/templates/SequentConfig.js b/sequent-ui/templates/SequentConfig.js index cc5d028..8ec56f9 100644 --- a/sequent-ui/templates/SequentConfig.js +++ b/sequent-ui/templates/SequentConfig.js @@ -405,7 +405,7 @@ var SequentConfigData = { ], // Number of seconds after which an authentication token expires. - authTokenExpirationSeconds: {{ config.iam.auth_token_expiration_seconds }}, + authTokenExpirationSeconds: {{ config.iam.access_auth_token_expiration_seconds }}, // Allow to tally multiple times and when election is open. enableMultipleTallies: {% if config.enable_multiple_tallies %}true{% else %}false{% endif %},