add tests for sessions

keygen-sh · Feb 26, 2025 · a4e938a · a4e938a
1 parent 990846f
commit a4e938a
Show file tree

Hide file tree

Showing 15 changed files with 546 additions and 8 deletions.
diff --git a/app/controllers/api/v1/environments/relationships/tokens_controller.rb b/app/controllers/api/v1/environments/relationships/tokens_controller.rb
@@ -29,7 +29,7 @@ def show
 
       param :data, type: :hash, optional: true do
         param :type, type: :string, inclusion: { in: %w[token tokens] }
-        param :attributes, type: :hash do
+        param :attributes, type: :hash, optional: true do
           param :expiry, type: :time, allow_nil: true, optional: true, coerce: true
           param :name, type: :string, allow_nil: true, optional: true
 

diff --git a/app/controllers/api/v1/licenses/relationships/tokens_controller.rb b/app/controllers/api/v1/licenses/relationships/tokens_controller.rb
@@ -30,7 +30,7 @@ def show
 
       param :data, type: :hash, optional: true do
         param :type, type: :string, inclusion: { in: %w[token tokens] }
-        param :attributes, type: :hash do
+        param :attributes, type: :hash, optional: true do
           param :expiry, type: :time, allow_nil: true, optional: true, coerce: true
           param :name, type: :string, allow_nil: true, optional: true
           param :max_activations, type: :integer, optional: true

diff --git a/app/controllers/api/v1/products/relationships/tokens_controller.rb b/app/controllers/api/v1/products/relationships/tokens_controller.rb
@@ -30,7 +30,7 @@ def show
 
       param :data, type: :hash, optional: true do
         param :type, type: :string, inclusion: { in: %w[token tokens] }
-        param :attributes, type: :hash do
+        param :attributes, type: :hash, optional: true do
           param :expiry, type: :time, allow_nil: true, optional: true, coerce: true
           param :name, type: :string, allow_nil: true, optional: true
 

diff --git a/app/controllers/api/v1/tokens_controller.rb b/app/controllers/api/v1/tokens_controller.rb
@@ -31,7 +31,7 @@ def show
 
       param :data, type: :hash, optional: true do
         param :type, type: :string, inclusion: { in: %w[token tokens] }
-        param :attributes, type: :hash do
+        param :attributes, type: :hash, optional: true do
           param :expiry, type: :time, allow_nil: true, optional: true, coerce: true
           param :name, type: :string, allow_nil: true, optional: true
           Keygen.ee do |license|
@@ -90,7 +90,7 @@ def generate
       )
 
       if token.save
-        cookies.encrypted[:session_id] = { value: session.id, httponly: true, secure: true, same_site: :none, expires: session.expiry, domain: Keygen::DOMAIN }
+        cookies.encrypted[:session_id] = { value: session.id, httponly: true, secure: !Rails.env.test?, same_site: :none, expires: session.expiry, domain: Keygen::DOMAIN }
 
         BroadcastEventService.call(
           event: 'token.generated',

diff --git a/app/controllers/api/v1/users/relationships/tokens_controller.rb b/app/controllers/api/v1/users/relationships/tokens_controller.rb
@@ -30,7 +30,7 @@ def show
 
       param :data, type: :hash, optional: true do
         param :type, type: :string, inclusion: { in: %w[token tokens] }
-        param :attributes, type: :hash do
+        param :attributes, type: :hash, optional: true do
           param :expiry, type: :time, allow_nil: true, optional: true, coerce: true
           param :name, type: :string, allow_nil: true, optional: true
 

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -318,7 +318,7 @@ def request_http_basic_authentication(realm = 'keygen', message = nil)
     raise Keygen::Error::UnauthorizedError.new(code: 'TOKEN_INVALID')
   end
 
-  def has_cookie_credentials? = cookies.encrypted[:session_id].present?
+  def has_cookie_credentials? = cookies[:session_id].present?
 
   def has_bearer_credentials?
     authentication_scheme == 'bearer' || authentication_scheme == 'token'

diff --git a/app/models/environment.rb b/app/models/environment.rb
@@ -18,6 +18,10 @@ class Environment < ApplicationRecord
     def owned = where(bearer: proxy_association.owner)
   end
 
+  has_many :sessions, dependent: :destroy_async do
+    def owned = where(bearer: proxy_association.owner)
+  end
+
   # TODO(ezekg) Should deleting queue up a cancelable background job?
   has_many :webhook_endpoints,   dependent: :destroy_async
   has_many :webhook_events,      dependent: :destroy_async

diff --git a/app/models/license.rb b/app/models/license.rb
@@ -30,6 +30,7 @@ class License < ApplicationRecord
   has_many :license_entitlements, dependent: :delete_all
   has_many :policy_entitlements, through: :policy
   has_many :tokens, as: :bearer, dependent: :destroy_async
+  has_many :sessions, as: :bearer, dependent: :destroy_async
   has_many :machines, dependent: :destroy_async
   has_many :components, through: :machines
   has_many :processes, through: :machines

diff --git a/app/models/product.rb b/app/models/product.rb
@@ -24,6 +24,7 @@ class Product < ApplicationRecord
     def owners = where.not(licenses: { user_id: nil })
   end
   has_many :tokens, as: :bearer, dependent: :destroy_async
+  has_many :sessions, as: :bearer, dependent: :destroy_async
   has_many :releases, inverse_of: :product, dependent: :destroy_async
   has_many :release_packages, inverse_of: :product, dependent: :destroy_async
   has_many :release_engines, through: :release_packages, source: :engine

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -38,6 +38,7 @@ def owned = where(owner: proxy_association.owner)
   has_many :components, through: :machines
   has_many :processes, through: :machines
   has_many :tokens, as: :bearer, dependent: :destroy_async
+  has_many :sessions, as: :bearer, dependent: :destroy_async
   has_many :releases, -> { distinct.reorder("#{table_name}.created_at": DEFAULT_SORT_ORDER) },
     through: :products
   has_many :event_logs,

diff --git a/config/application.rb b/config/application.rb
@@ -105,6 +105,19 @@ class Application < Rails::Application
     # FIXME(ezekg) Use 7.0 cache format until we can roll over to 7.1.
     config.active_support.cache_format_version 7.0
 
+    # explicit cookie secrets
+    config.action_dispatch.authenticated_encrypted_cookie_salt = ENV.fetch('COOKIE_AUTHENTICATED_ENCRYPTED_SALT') { 'authenticated encrypted cookie' }
+    config.action_dispatch.encrypted_signed_cookie_salt        = ENV.fetch('COOKIE_ENCRYPTED_SIGNED_SALT')        { 'signed encrypted cookie' }
+    config.action_dispatch.encrypted_cookie_salt               = ENV.fetch('COOKIE_ENCRYPTED_SALT')               { 'encrypted cookie' }
+    config.action_dispatch.signed_cookie_salt                  = ENV.fetch('COOKIE_SIGNED_SALT')                  { 'signed cookie' }
+
+    # explicit cookie settings
+    config.action_dispatch.use_authenticated_cookie_encryption = true
+    config.action_dispatch.use_cookies_with_metadata           = true
+    config.action_dispatch.encrypted_cookie_cipher             = 'aes-256-gcm'
+    config.action_dispatch.signed_cookie_digest                =
+    config.action_dispatch.cookies_digest                      = 'SHA256'
+
     # We don't need this: https://guides.rubyonrails.org/security.html#unsafe-query-generation
     config.action_dispatch.perform_deep_munge = false