SSL Certificate Validation (#1)

* Add `VOUCH_PROXY_VERIFY_SSL` setting to disable SSL cert checking
* Add HISTORY.md file for release change documentation
* Bump version to 0.1.2

Author: bdalpe

HISTORY.md

@@ -0,0 +1,13 @@
+History
+-------
+
+0.1.2 (2021-01-05)
+==================
+
+* Add `VOUCH_PROXY_VERIFY_SSL` setting to disable SSL certificate 
+  verification of the Vouch Proxy server.
+
+0.1.1 (2021-01-04)
+==================
+
+* Initial Release

README.md

@@ -43,6 +43,11 @@ VOUCH_PROXY_VALIDATE_ENDPOINT = 'https://login.avacado.lol/validate'
 ### `VOUCH_PROXY_VALIDATE_ENDPOINT`
 Location of the Vouch Proxy validation endpoint. You MUST provide this value, or the Middleware will raise an `ImproperlyConfigured` exception.
 
+### `VOUCH_PROXY_VERIFY_SSL`
+Default: `True`
+
+Set this to False to ignore verification of the Vouch Proxy SSL certificate.
+
 ### `VOUCH_PROXY_COOKIE_NAME`
 Default: `VouchCookie`
 

django_vouch_proxy_auth/__init__.py

@@ -1 +1 @@
-__version__ = "0.1.1"
+__version__ = "0.1.2"

django_vouch_proxy_auth/middleware.py

@@ -18,6 +18,7 @@ def __init__(self, *args, **kwargs):
         self.expiry_time = getattr(settings, 'VOUCH_PROXY_CACHE_TIMEOUT', 300)
         self.cache = caches[getattr(settings, 'VOUCH_PROXY_CACHE_BACKEND', 'default')]
         self.force_logout_if_no_cookie = getattr(settings, 'VOUCH_PROXY_FORCE_LOGOUT_IF_NO_COOKIE', False)
+        self.verify_ssl_certificate = getattr(settings, 'VOUCH_PROXY_VERIFY_SSL', True)
 
         super(VouchProxyMiddleware).__init__(*args, **kwargs)
 
@@ -42,7 +43,9 @@ def process_request(self, request):
             cache_key = '{}{}'.format(self.cache_prefix, hashlib.sha256(cookie.encode('ascii')).hexdigest())
             username = self.cache.get(cache_key)
             if not username:
-                validate = requests.get(settings.VOUCH_PROXY_VALIDATE_ENDPOINT, cookies={self.cookie_name: cookie})
+                validate = requests.get(settings.VOUCH_PROXY_VALIDATE_ENDPOINT,
+                                        cookies={self.cookie_name: cookie},
+                                        verify=self.verify_ssl_certificate)
                 validate.raise_for_status()
 
                 # Vouch cookie is URL-safe Base64 encoded Gzipped data

tests/tests.py

@@ -112,6 +112,26 @@ def test_disabled_paths(self):
 
             self.assertIsNone(m.process_request(request=m_request))
 
+    def test_ssl_verification_setting(self):
+        self.assertTrue(self.middleware.verify_ssl_certificate)
+
+        with self.settings(VOUCH_PROXY_VERIFY_SSL=False):
+            m = VouchProxyMiddleware()
+            self.assertFalse(m.verify_ssl_certificate)
+
+    @patch('django_vouch_proxy_auth.middleware.requests')
+    def test_ssl_verification_disabled(self, requests_mock):
+        req = self._build_vouch_cookie_request(self.user.username)
+
+        requests_mock.get.status_code.return_value = 200
+
+        self.middleware.verify_ssl_certificate = False
+
+        self.middleware.process_request(request=req)
+        requests_mock.get.assert_called_once_with('http://vouch/validate',
+                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]},
+                                                  verify=False)
+
     @patch('django_vouch_proxy_auth.middleware.requests')
     def test_caching(self, requests_mock):
         req = self._build_vouch_cookie_request(self.user.username)
@@ -122,7 +142,8 @@ def test_caching(self, requests_mock):
         self.middleware.process_request(request=req)
 
         requests_mock.get.assert_called_once_with('http://vouch/validate',
-                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]})
+                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]},
+                                                  verify=True)
 
     @patch('django_vouch_proxy_auth.middleware.requests')
     def test_caching_disabled(self, requests_mock):
@@ -134,12 +155,14 @@ def test_caching_disabled(self, requests_mock):
 
         self.middleware.process_request(request=req)
         requests_mock.get.assert_called_once_with('http://vouch/validate',
-                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]})
+                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]},
+                                                  verify=True)
         requests_mock.get.reset_mock()
 
         self.middleware.process_request(request=req)
         requests_mock.get.assert_called_once_with('http://vouch/validate',
-                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]})
+                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]},
+                                                  verify=True)
 
     @patch('django_vouch_proxy_auth.middleware.requests')
     def test_successful_auth(self, requests_mock):
@@ -149,7 +172,8 @@ def test_successful_auth(self, requests_mock):
 
         self.middleware.process_request(request=req)
         requests_mock.get.assert_called_once_with('http://vouch/validate',
-                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]})
+                                                  cookies={'VouchCookie': req.COOKIES[self.middleware.cookie_name]},
+                                                  verify=True)
 
         cache_key = '{}{}'.format(self.middleware.cache_prefix,
                                   hashlib.sha256(req.COOKIES[self.middleware.cookie_name].encode('ascii')).hexdigest())