Merge commit from fork

[Don't merge as is! v6.24.5] Move from cookie-based to token-based authentication

Author: bruntib

analyzer/config/analyzer_version.json

@@ -2,7 +2,7 @@
     "version": {
         "major" : "6",
         "minor" : "24",
-        "revision" : "4",
+        "revision" : "5",
         "rc" : ""
     }
 }

setup.py

@@ -142,7 +142,7 @@ def run(self):
 
 setuptools.setup(
     name="codechecker",
-    version="6.24.4",
+    version="6.24.5",
     author='CodeChecker Team (Ericsson)',
     author_email='[email protected]',
     description="CodeChecker is an analyzer tooling, defect database and "

snap/snapcraft.yaml

@@ -1,6 +1,6 @@
 name: codechecker
 base: core18
-version: '6.24.4'
+version: '6.24.5'
 summary: CodeChecker is an analyzer tooling, defect database and viewer extension
 description: |
   CodeChecker is an analyzer tooling, defect database and viewer extension.
@@ -33,7 +33,7 @@ parts:
   codechecker:
     plugin: python
     python-version: python3
-    source: https://github.com/Ericsson/codechecker/archive/v6.24.4.tar.gz
+    source: https://github.com/Ericsson/codechecker/archive/v6.24.5.tar.gz
     build-packages:
       - curl
       - gcc-multilib

web/api/js/codechecker-api-node/dist/codechecker-api-6.58.0.tgz

@@ -1,6 +1,6 @@
 {
   "name": "codechecker-api",
-  "version": "6.58.0",
+  "version": "6.59.0",
   "description": "Generated node.js compatible API stubs for CodeChecker server.",
   "main": "lib",
   "homepage": "https://github.com/Ericsson/codechecker",

web/api/js/codechecker-api-node/dist/codechecker-api-6.59.0.tgz

@@ -8,7 +8,7 @@
 with open('README.md', encoding='utf-8', errors="ignore") as f:
     long_description = f.read()
 
-api_version = '6.58.0'
+api_version = '6.59.0'
 
 setup(
     name='codechecker_api',

web/api/js/codechecker-api-node/package.json

@@ -8,7 +8,7 @@
 with open('README.md', encoding='utf-8', errors="ignore") as f:
     long_description = f.read()
 
-api_version = '6.58.0'
+api_version = '6.59.0'
 
 setup(
     name='codechecker_api_shared',

web/api/py/codechecker_api/dist/codechecker_api.tar.gz

@@ -13,7 +13,6 @@
 from thrift.transport import THttpClient
 from thrift.protocol import TJSONProtocol
 
-from codechecker_client.credential_manager import SESSION_COOKIE_NAME
 from codechecker_client.product import create_product_url
 
 from codechecker_common.logger import get_logger
@@ -72,7 +71,7 @@ def _set_token(self, session_token):
         if not session_token:
             return
 
-        headers = {'Cookie': SESSION_COOKIE_NAME + '=' + session_token}
+        headers = {'Authorization': 'Bearer ' + session_token}
         self.transport.setCustomHeaders(headers)
 
     def _reset_token(self):

web/api/py/codechecker_api/setup.py

@@ -13,12 +13,14 @@
 
 # The name of the cookie which contains the user's authentication session's
 # token.
+# DEPRECATED: Session-based authentication will be removed in a future version.
+# Use the Authorization header instead.
 SESSION_COOKIE_NAME = '__ccPrivilegedAccessToken'
 
 # The newest supported minor version (value) for each supported major version
 # (key) in this particular build.
 SUPPORTED_VERSIONS = {
-    6: 58
+    6: 59
 }
 
 # Used by the client to automatically identify the latest major and minor

web/api/py/codechecker_api_shared/dist/codechecker_api_shared.tar.gz

@@ -2,7 +2,7 @@
     "version": {
         "major" : "6",
         "minor" : "24",
-        "revision" : "4",
+        "revision" : "5",
         "rc" : ""
     }
 }

web/api/py/codechecker_api_shared/setup.py

@@ -0,0 +1,27 @@
+"""
+Clear legacy web sessions
+
+Revision ID: f59dfe4623fa
+Revises:     00099e8bc212
+Create Date: 2025-01-06 22:42:09.589909
+"""
+
+from logging import getLogger
+
+from alembic import op
+import sqlalchemy as sa
+
+
+
+# Revision identifiers, used by Alembic.
+revision = 'f59dfe4623fa'
+down_revision = '00099e8bc212'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute("DELETE FROM auth_sessions WHERE can_expire")
+
+def downgrade():
+    pass

web/client/codechecker_client/helpers/base.py

@@ -103,7 +103,7 @@ def send_thrift_exception(self, error_msg, iprot, oprot, otrans):
         self.end_headers()
         self.wfile.write(result)
 
-    def __check_session_cookie(self):
+    def __check_session_header(self):
         """
         Check the CodeChecker privileged access cookie in the request headers.
 
@@ -115,9 +115,19 @@ def __check_session_cookie(self):
             return None
 
         session = None
+        # Check if the user has presented a bearer token for authentication.
+        token = self.headers.get("Authorization")
+        if token and token.startswith("Bearer "):
+            token = token.split("Bearer ", 1)[1]
+            session = self.server.manager.get_session(token)
+
         # Check if the user has presented a privileged access cookie.
+        # This method is used by older command-line clients, and since cookies
+        # with an expiration date were purged when updating, the web interface
+        # should no longer have a valid access token as a cookie.
+        # DEPRECATED: Will be removed in a future version.
         cookies = self.headers.get("Cookie")
-        if cookies:
+        if not session and cookies:
             split = cookies.split("; ")
             for cookie in split:
                 values = cookie.split("=")
@@ -126,13 +136,13 @@ def __check_session_cookie(self):
                     session = self.server.manager.get_session(values[1])
 
         if session and session.is_alive:
-            # If a valid session token was found and it can still be used,
+            # If a valid bearer token was found and it can still be used,
             # mark that the user's last access to the server was the
             # request that resulted in the execution of this function.
             session.revalidate()
             return session
         else:
-            # If the user's access cookie is no longer usable (invalid),
+            # If the user's token is no longer usable (invalid),
             # present an error.
             client_host, client_port, is_ipv6 = \
                 RequestHandler._get_client_host_port(self.client_address)
@@ -168,22 +178,46 @@ def __handle_liveness(self):
         self.wfile.write(b'CODECHECKER_SERVER_IS_LIVE')
 
     def end_headers(self):
-        # Sending the authentication cookie
-        # in every response if any.
-        # This will update the the session cookie
-        # on the clients to the newest.
-        if self.auth_session:
-            token = self.auth_session.token
-            if token:
-                self.send_header(
-                    "Set-Cookie",
-                    f"{session_manager.SESSION_COOKIE_NAME}={token}; Path=/")
+        """
+        Headers in this section are based on the OWASP Secure Headers Project.
+        https://owasp.org/www-project-secure-headers/
+        They are adapted to not allow any cross-site requests.
+        """
+        if self.command in ['GET', 'HEAD', 'POST']:
+            self.send_header('X-Frame-Options', 'DENY')
+            self.send_header('X-XSS-Protection', '1; mode=block')
+            self.send_header('X-Content-Type-Options', 'nosniff')
+            self.send_header('Content-Security-Policy',
+                             'default-src \'self\'; ' +
+                             'style-src \'unsafe-inline\' \'self\'; ' +
+                             'script-src \'unsafe-inline\' \'self\'; ' +
+                             'form-action \'self\'; ' +
+                             'frame-ancestors \'none\'; ' +
+                             'upgrade-insecure-requests; ' +
+                             'block-all-mixed-content')
+            self.send_header('Cross-Origin-Embedder-Policy', 'require-corp')
+            self.send_header('Cross-Origin-Opener-Policy', 'same-origin')
+            self.send_header('Cross-Origin-Resource-Policy', 'same-origin')
+            self.send_header('Referrer-Policy', 'no-referrer')
 
+        if self.auth_session:
             # Set the current user name in the header.
             user_name = self.auth_session.user
             if user_name:
                 self.send_header("X-User", user_name)
 
+        # If the user has a leftover session cookie, try removing it.
+        # Command-line clients ignore overwriting the cookie, but web clients
+        # will remove the cookie from the browser.
+        # DEPRECATED: Will be removed in a future version.
+        elif self.headers.get('Cookie'):
+            self.send_header('Set-Cookie',
+                             session_manager.SESSION_COOKIE_NAME + '=; ' +
+                             'Path=/; ' +
+                             'Max-Age=0; ' +
+                             'HttpOnly; ' +
+                             'SameSite=Strict')
+
         SimpleHTTPRequestHandler.end_headers(self)
 
     @staticmethod
@@ -199,6 +233,23 @@ def _get_client_host_port(address):
 
         raise IndexError("Invalid address tuple given.")
 
+    def do_OPTIONS(self):  # pylint: disable=C0103
+        """
+        Handle OPTIONS requests.
+
+        Always returns 403 to indicate that no cross-site requests are allowed.
+        No CORS heeaders are allowed next to the 403 response.
+        """
+        client_host, client_port, is_ipv6 = \
+            RequestHandler._get_client_host_port(self.client_address)
+
+        LOG.debug("%s:%s -- [Anonymous] OPTIONS %s",
+                  client_host if not is_ipv6 else '[' + client_host + ']',
+                  client_port, self.path)
+
+        self.send_response(403)
+        self.end_headers()
+
     def do_GET(self):
         """ Handles the SPA browser access (GET requests).
 
@@ -212,12 +263,14 @@ def do_GET(self):
         """
         client_host, client_port, is_ipv6 = \
             RequestHandler._get_client_host_port(self.client_address)
-        self.auth_session = self.__check_session_cookie()
 
-        username = self.auth_session.user if self.auth_session else 'Anonymous'
-        LOG.debug("%s:%s -- [%s] GET %s",
+        # GET requests are served from www_root.
+        self.directory = self.server.www_root
+
+        # Bearer tokens are not sent alongside GET requests.
+        LOG.debug("%s:%s -- [Anonymous] GET %s",
                   client_host if not is_ipv6 else '[' + client_host + ']',
-                  client_port, username, self.path)
+                  client_port, self.path)
 
         if self.path == '/':
             self.path = 'index.html'
@@ -310,7 +363,7 @@ def do_POST(self):
 
         client_host, client_port, is_ipv6 = \
             RequestHandler._get_client_host_port(self.client_address)
-        self.auth_session = self.__check_session_cookie()
+        self.auth_session = self.__check_session_header()
         auth_user = \
             self.auth_session.user if self.auth_session else "Anonymous"
         host_info = client_host if not is_ipv6 else '[' + client_host + ']'

web/codechecker_web/shared/version.py

@@ -118,6 +118,15 @@ def is_alive(self):
         return (datetime.now() - self.last_access).total_seconds() <= \
             self.session_lifetime
 
+    @property
+    def can_expire(self):
+        """
+        Returns if the session can expire.
+        Expiring sessions are created through the web interface, non-expiring
+        sessions are created through the command-line client.
+        """
+        return self.__can_expire
+
     def revalidate(self):
         """
         A session is only revalidated if it has yet to exceed its

web/config/web_version.json

@@ -27,7 +27,7 @@
   },
   "dependencies": {
     "@mdi/font": "^6.5.95",
-    "codechecker-api": "file:../../api/js/codechecker-api-node/dist/codechecker-api-6.58.0.tgz",
+    "codechecker-api": "file:../../api/js/codechecker-api-node/dist/codechecker-api-6.59.0.tgz",
     "chart.js": "^2.9.4",
     "chartjs-plugin-datalabels": "^0.7.0",
     "codemirror": "^5.65.0",

web/server/codechecker_server/migrations/config/versions/f59dfe4623fa_clear_legacy_web_sessions.py

@@ -9,6 +9,7 @@ import {
 import router from "@/router";
 import store from "@/store";
 import { ADD_ERROR, PURGE_AUTH } from "@/store/mutations.type";
+import authService from "./auth.service";
 
 // Host should be set explicitly to `hostname` because thrift will use
 // the value of `window.location.host` which will contain port number by
@@ -51,7 +52,10 @@ class BaseService {
       const xreq = getXmlHttpRequestObject();
 
       xreq.addEventListener("readystatechange", function () {
-        if (this.readyState === 4) {
+        if (this.readyState === 1) { // connection opened, headers not sent yet
+          xreq.setRequestHeader("Authorization",
+            "Bearer " + authService.getToken());
+        } else if (this.readyState === 4) { // request finished
           if (this.status === 504) {
             store.commit(ADD_ERROR,
               `Error ${this.status}: ${this.statusText}`);
@@ -94,14 +98,14 @@ const handleThriftError = function (cb, onError) {
         router.push({
           name: "login",
           query: { "return_to": router.currentRoute.fullPath }
-        }).catch(() => {});
+        }).catch(() => { });
 
         if (onError) onError(err);
         return;
       } else if (msg.search(/The product .* does not exist!/) > -1) {
         return router.replace({
           name: "404"
-        }).catch(() => {});
+        }).catch(() => { });
       }
     }