Cortex: Add workaround for XSRF token requirement

Our usage of a retry-configured session has been observed to confuse Cortex by learning CSRF token and even session cookies from responses and submitting them back to the server. In keeping with the default behaviour of the cortex4py module we configure a cookie policy in our session that prevents any cookies from being learned from and returned to the server.
scVENUS · Jan 13, 2021 · fafa69b · fafa69b
1 parent fcd1c52
commit fafa69b
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/peekaboo/toolbox/cortex.py b/peekaboo/toolbox/cortex.py
@@ -26,6 +26,7 @@
 """ Interface to Cortex. """
 
 import datetime
+import http.cookiejar
 import logging
 import os
 import threading
@@ -347,6 +348,17 @@ def is_retry(self, method, status_code, has_retry_after=False):
         return super().is_retry(method, status_code, has_retry_after)
 
 
+class NocookiesPolicy(http.cookiejar.DefaultCookiePolicy):
+    """ A cookie policy that denies to accept any cookies. """
+
+    # CookiePolicy as a base class is not enough. CookieJar makes assumptions
+    # about the expansive interface of DefaultCookiePolicy.
+
+    def set_ok(self, cookie, request):
+        """ No cookie will be accepted ever. """
+        return False
+
+
 class Cortex:
     """ Interfaces with a Cortex installation via its REST API. """
     def __init__(self, job_queue, url="http://localhost:9001", api_token="",
@@ -414,6 +426,13 @@ def __init__(self, job_queue, url="http://localhost:9001", api_token="",
         self.session = requests.sessions.Session()
         self.session.mount('http://', retry_adapter)
         self.session.mount('https://', retry_adapter)
+        # attach a cookie policy that refuses to learn any cookies from
+        # responses. This is because Cortex sometimes hands out CSRF tokens and
+        # even session cookies in response to our bearer-token-authenticated
+        # API requests which we don't need but have the potential to confuse
+        # Cortex on subsequent requests.
+        self.session.cookies = requests.cookies.RequestsCookieJar(
+            NocookiesPolicy())
 
         self.api = None
         self.tracker = None