Merge pull request #228 from CybercentreCanada/hotfix/uwsgi

Hotfix/uwsgi

assemblyline_ui/api/base.py

@@ -60,7 +60,6 @@ def auto_auth_check(self):
                 except AuthenticationException:
                     msg = "Invalid user or APIKey"
                     LOGGER.warning(f"Authentication failure. (U:{uname} - IP:{ip}) [{msg}]")
-                    flsk_session.clear()
                     abort(401, msg)
                     return
 

assemblyline_ui/api/v4/authentication.py

@@ -402,9 +402,13 @@ def logout(**_):
     }
     """
     try:
-        session_id = flsk_session.pop('session_id', None)
-        KV_SESSION.pop(session_id)
-        return make_api_response({"success": True})
+        session_id = flsk_session.get('session_id', None)
+        if session_id:
+            KV_SESSION.pop(session_id)
+        flsk_session.clear()
+        res = make_api_response({"success": True})
+        res.set_cookie('XSRF-TOKEN', '', max_age=0)
+        return res
     except ValueError:
         return make_api_response("", err="No user logged in?", status_code=400)
 

assemblyline_ui/error.py

@@ -34,7 +34,13 @@ def handle_401(e):
         "allow_signup": config.auth.internal.signup.enabled,
         "allow_pw_rest": config.auth.internal.signup.enabled
     }
-    return make_api_response(data, msg, 401)
+    session_id = flsk_session.get('session_id', None)
+    if session_id:
+        KV_SESSION.pop(session_id)
+    flsk_session.clear()
+    res = make_api_response(data, msg, 401)
+    res.set_cookie('XSRF-TOKEN', '', max_age=0)
+    return res
 
 
 @errors.app_errorhandler(403)
@@ -62,14 +68,14 @@ def handle_403(e):
             "allow_2fa": config.auth.allow_2fa,
             "allow_apikeys": config.auth.allow_apikeys,
             "allow_security_tokens": config.auth.allow_security_tokens,
-            },
+        },
         "ui": {
             "allow_url_submissions": config.ui.allow_url_submissions,
             "read_only": config.ui.read_only,
             "tos": config.ui.tos not in [None, ""],
             "tos_lockout": config.ui.tos_lockout,
             "tos_lockout_notify": config.ui.tos_lockout_notify not in [None, []]
-            }
+        }
     }
     return make_api_response(config_block, "Access Denied (%s) [%s]" % (request.path, error_message), 403)
 

assemblyline_ui/security/authenticator.py

@@ -1,3 +1,6 @@
+import base64
+import zlib
+
 from flask import abort, request, current_app, session as flsk_session
 
 from assemblyline.common.isotime import now
@@ -69,23 +72,35 @@ def get_logged_in_user(self):
         session_id = flsk_session.get("session_id", None)
 
         if not session_id:
-            current_app.logger.debug('session_id cookie not found')
-            flsk_session.clear()
-            abort(401, "Session not found")
+            if 'session' in request.cookies:
+                session = request.cookies.get('session')
+                try:
+                    parts = session.split('.')
+                    data = parts[0] or parts[1]
+                    missing_padding = len(data) % 4
+                    if missing_padding:
+                        data += '=' * (4 - missing_padding)
+
+                    decoded = zlib.decompress(base64.urlsafe_b64decode(data)).decode('utf-8')
+                    current_app.logger.warning(f'The session found in the cookies was rejected by flask: {decoded}')
+                except Exception:
+                    current_app.logger.warning(f'The session found in the cookies was rejected by flask: {session}')
+
+                abort(401, "Session rejected")
+            else:
+                current_app.logger.debug('session_id cookie not found')
+                abort(401, "Session not found")
 
         session = KV_SESSION.get(session_id)
 
         if not session:
             current_app.logger.debug(f'[{session_id}] session_id not found in redis')
-            flsk_session.clear()
             abort(401, "Session expired")
         else:
             cur_time = now()
             if session.get('expire_at', 0) < cur_time:
-                KV_SESSION.pop(session_id)
                 current_app.logger.debug(f'[{session_id}] session has expired '
                                          f'{session.get("expire_at", 0)} < {cur_time}')
-                flsk_session.clear()
                 abort(401, "Session expired")
             else:
                 session['expire_at'] = cur_time + session.get('duration', 3600)
@@ -94,14 +109,12 @@ def get_logged_in_user(self):
                 request.headers.get("X-Forwarded-For", request.remote_addr) != session.get('ip', None):
             current_app.logger.debug(f'[{session_id}] X-Forwarded-For does not match session IP '
                                      f'{request.headers.get("X-Forwarded-For", None)} != {session.get("ip", None)}')
-            flsk_session.clear()
             abort(401, "Invalid source IP for this session")
 
         if config.ui.validate_session_useragent and \
                 request.headers.get("User-Agent", None) != session.get('user_agent', None):
             current_app.logger.debug(f'[{session_id}] User-Agent does not match session user_agent '
                                      f'{request.headers.get("User-Agent", None)} != {session.get("user_agent", None)}')
-            flsk_session.clear()
             abort(401, "Invalid user agent for this session")
 
         KV_SESSION.set(session_id, session)

docker/ui/Dockerfile

@@ -34,12 +34,4 @@ COPY --chown=assemblyline:assemblyline --from=builder /var/lib/assemblyline/.loc
 # Switch back to assemblyline and run the app
 USER assemblyline
 
-ENV UWSGI_MAX_REQUESTS=${MAX_REQUESTS:-1000}
-ENV UWSGI_MAX_REQUESTS_DELTA=${MAX_REQUESTS_JITTER:-100}
-ENV UWSGI_WORKERS=${WORKERS:-2}
-ENV UWSGI_THREADS=${THREADS:-25}
-ENV UWSGI_PROTOCOL=${PROTOCOL:-http}
-ENV UWSGI_SOCKET=0.0.0.0:${PORT:-5000}
-ENV UWSGI_BUFFER_SIZE=${BUFFER_SIZE:-65535}
-
-CMD ["uwsgi", "--master", "--disable-logging", "--enable-threads", "--die-on-term", "--module", "assemblyline_ui.app:app"]
+CMD ["gunicorn", "assemblyline_ui.patched:app", "--config=python:assemblyline_ui.gunicorn_config", "--worker-class", "gevent"]

setup.py

@@ -46,7 +46,8 @@
         'authlib',
         'fido2',
         'PyJWT',
-        'uwsgi'
+        'gunicorn',
+        'gevent',
     ],
     extras_require={
         'test': [
@@ -55,10 +56,8 @@
             'cart'
         ],
         'socketio': [
-            'gunicorn',
             'python-socketio<5.0.0',
             'flask-socketio<5.0.0',
-            'gevent',
             'gevent-websocket',
         ]
     },