Fix/session secrets (#830)

pcrespov · web-flow · commit 9e7e84d6830a · 2019-06-26T15:08:02.000+02:00
Sets unique secret session key for all webserver replicas. This was preventing scaling up the webserver since each would encode differently the session tokens

-  session moved from ``servicelib`` into ``webserver``
-  moved session secret-key to webserver service  **configuration** ``session.secret_key`` so it can scale: configuration is shared by all containers in a service.
-  Fix warning in master deployment ``WARNING:aiohttp_session:Cannot decrypt cookie value, create a new fresh session``
diff --git a/packages/service-library/requirements/_base.in b/packages/service-library/requirements/_base.in
@@ -9,8 +9,6 @@ openapi-core~=0.8.0 # there is an issue validating "number" type 3 is considered
 
 aiohttp
 aiopg[sa]
-cryptography
 ujson
 werkzeug
 jsonschema
-aiohttp_session[secure] # TODO: eliminate this dependency or make it optional!
diff --git a/packages/service-library/requirements/_base.txt b/packages/service-library/requirements/_base.txt
@@ -4,28 +4,23 @@
 #
 #    pip-compile --output-file=_base.txt _base.in
 #
-aiohttp-session[secure]==2.7.0
 aiohttp==3.5.4
 aiopg[sa]==0.16.0
-asn1crypto==0.24.0        # via cryptography
 async-timeout==3.0.1      # via aiohttp
-attrs==19.1.0             # via aiohttp, openapi-core
-cffi==1.12.3              # via cryptography
+attrs==19.1.0             # via aiohttp, jsonschema, openapi-core
 chardet==3.0.4            # via aiohttp
-cryptography==2.6.1
 idna-ssl==1.1.0           # via aiohttp
 idna==2.8                 # via idna-ssl, yarl
-jsonschema==2.6.0
+jsonschema==3.0.1
 lazy-object-proxy==1.4.1  # via openapi-core
 multidict==4.5.2          # via aiohttp, yarl
 openapi-core==0.8.0
-openapi-spec-validator==0.2.6  # via openapi-core
-pathlib==1.0.1            # via openapi-spec-validator
+openapi-spec-validator==0.2.7  # via openapi-core
 psycopg2-binary==2.8.2
-pycparser==2.19           # via cffi
+pyrsistent==0.15.2        # via jsonschema
 pyyaml==5.1
-six==1.12.0               # via cryptography, openapi-core, openapi-spec-validator
-sqlalchemy[postgresql_psycopg2binary]==1.3.3
+six==1.12.0               # via jsonschema, openapi-core, openapi-spec-validator, pyrsistent
+sqlalchemy[postgresql_psycopg2binary]==1.3.4
 strict-rfc3339==0.7       # via openapi-core
 typing-extensions==3.7.2  # via aiohttp
 ujson==1.35
diff --git a/packages/service-library/requirements/_test.txt b/packages/service-library/requirements/_test.txt
@@ -4,51 +4,48 @@
 #
 #    pip-compile --output-file=_test.txt _test.in
 #
-aiohttp-session[secure]==2.7.0
 aiohttp==3.5.4
 aiopg[sa]==0.16.0
-asn1crypto==0.24.0
 astroid==2.2.5            # via pylint
 async-timeout==3.0.1
 atomicwrites==1.3.0       # via pytest
 attrs==19.1.0
 certifi==2019.3.9         # via requests
-cffi==1.12.3
 chardet==3.0.4
 coverage==4.5.3           # via coveralls, pytest-cov
 coveralls==1.7.0
-cryptography==2.6.1
 docopt==0.6.2             # via coveralls
 idna-ssl==1.1.0
 idna==2.8
+importlib-metadata==0.15  # via pluggy
 isort==4.3.20             # via pylint
-jsonschema==2.6.0
+jsonschema==3.0.1
 lazy-object-proxy==1.4.1
 mccabe==0.6.1             # via pylint
 more-itertools==7.0.0     # via pytest
 multidict==4.5.2
 openapi-core==0.8.0
-openapi-spec-validator==0.2.6
-pathlib==1.0.1
-pluggy==0.11.0            # via pytest
+openapi-spec-validator==0.2.7
+pluggy==0.12.0            # via pytest
 psycopg2-binary==2.8.2
 py==1.8.0                 # via pytest
-pycparser==2.19
 pylint==2.3.1
+pyrsistent==0.15.2
 pytest-aiohttp==0.3.0
 pytest-cov==2.7.1
-pytest-runner==4.4
+pytest-runner==5.1
 pytest==4.5.0
 pyyaml==5.1
 requests==2.22.0          # via coveralls
 six==1.12.0
-sqlalchemy[postgresql_psycopg2binary]==1.3.3
+sqlalchemy[postgresql_psycopg2binary]==1.3.4
 strict-rfc3339==0.7
 typed-ast==1.3.5          # via astroid
 typing-extensions==3.7.2
 ujson==1.35
-urllib3==1.25.2           # via requests
+urllib3==1.25.3           # via requests
 wcwidth==0.1.7            # via pytest
 werkzeug==0.15.4
 wrapt==1.11.1             # via astroid
 yarl==1.3.0
+zipp==0.5.1               # via importlib-metadata
diff --git a/packages/service-library/src/servicelib/session.py b/packages/service-library/src/servicelib/session.py
diff --git a/services/web/server/requirements/_base.in b/services/web/server/requirements/_base.in
@@ -13,11 +13,13 @@ jsonschema<3        # FIXME: openapi-spec-validator==0.2.6 (used in tests) requi
 aio-pika==2.9.0     # TODO: upgrade code before !!
 aiohttp
 aiohttp_jinja2
+aiohttp_session[secure]
 aiohttp_security
 aiopg[sa]
 aiosmtplib
 asyncpg
 celery
+cryptography
 change_case
 jinja_app_loader
 passlib
diff --git a/services/web/server/requirements/_base.txt b/services/web/server/requirements/_base.txt
@@ -8,18 +8,22 @@ aadict==0.2.3             # via asset
 aio-pika==2.9.0
 aiohttp-jinja2==1.1.1
 aiohttp-security==0.4.0
+aiohttp-session[secure]==2.7.0
 aiohttp==3.5.4
 aiopg[sa]==0.16.0
 aiosmtplib==1.0.5
 amqp==2.4.2               # via kombu
+asn1crypto==0.24.0        # via cryptography
 asset==0.6.12             # via passwordmeter
 async-timeout==3.0.1      # via aiohttp
 asyncpg==0.18.3
 attrs==19.1.0             # via aiohttp, openapi-core
 billiard==3.6.0.0         # via celery
 celery==4.3.0
+cffi==1.12.3              # via cryptography
 change-case==0.5.2
 chardet==3.0.4            # via aiohttp
+cryptography==2.6.1
 globre==0.1.5             # via asset
 idna-ssl==1.1.0           # via aiohttp
 idna==2.8                 # via idna-ssl, yarl
@@ -32,20 +36,20 @@ lazy-object-proxy==1.4.1  # via openapi-core
 markupsafe==1.1.1         # via jinja2
 multidict==4.5.2          # via aiohttp, yarl
 openapi-core==0.8.0
-openapi-spec-validator==0.2.6  # via openapi-core
+openapi-spec-validator==0.2.7  # via openapi-core
 passlib==1.7.1
 passwordmeter==0.1.8
-pathlib==1.0.1            # via openapi-spec-validator
 pika==0.10.0              # via aio-pika
 psycopg2-binary==2.8.2
-python-engineio==3.5.1    # via python-socketio
-python-socketio==4.0.1
+pycparser==2.19           # via cffi
+python-engineio==3.7.0    # via python-socketio
+python-socketio==4.0.3
 pytz==2019.1              # via celery
 pyyaml==5.1
 semantic-version==2.6.0
 shortuuid==0.5.0          # via aio-pika
-six==1.12.0               # via aadict, asset, openapi-core, openapi-spec-validator, python-engineio, python-socketio, tenacity
-sqlalchemy[postgresql_psycopg2binary]==1.3.3
+six==1.12.0               # via aadict, asset, cryptography, openapi-core, openapi-spec-validator, python-engineio, python-socketio, tenacity
+sqlalchemy[postgresql_psycopg2binary]==1.3.4
 strict-rfc3339==0.7       # via openapi-core
 tenacity==5.0.4
 trafaret-config==2.0.2
diff --git a/services/web/server/requirements/_test.txt b/services/web/server/requirements/_test.txt
@@ -8,10 +8,12 @@ aadict==0.2.3
 aio-pika==2.9.0
 aiohttp-jinja2==1.1.1
 aiohttp-security==0.4.0
+aiohttp-session[secure]==2.7.0
 aiohttp==3.5.4
 aiopg[sa]==0.16.0
 aiosmtplib==1.0.5
 amqp==2.4.2
+asn1crypto==0.24.0
 asset==0.6.12
 astroid==2.2.5            # via pylint
 async-timeout==3.0.1
@@ -21,18 +23,20 @@ attrs==19.1.0
 billiard==3.6.0.0
 celery==4.3.0
 certifi==2019.3.9         # via requests
+cffi==1.12.3
 change-case==0.5.2
 chardet==3.0.4
 codecov==2.0.15
 coverage==4.5.3           # via codecov, coveralls, pytest-cov
 coveralls==1.7.0
-docker-pycreds==0.4.0     # via docker
-docker==3.7.2
+cryptography==2.6.1
+docker==4.0.1
 docopt==0.6.2             # via coveralls
 faker==1.0.7
 globre==0.1.5
 idna-ssl==1.1.0
 idna==2.8
+importlib-metadata==0.16  # via pluggy
 isort==4.3.20             # via pylint
 jinja-app-loader==1.0.2
 jinja2==2.10.1
@@ -45,41 +49,42 @@ mccabe==0.6.1             # via pylint
 more-itertools==7.0.0     # via pytest
 multidict==4.5.2
 openapi-core==0.8.0
-openapi-spec-validator==0.2.6
+openapi-spec-validator==0.2.7
 passlib==1.7.1
 passwordmeter==0.1.8
-pathlib==1.0.1
 pika==0.10.0
-pluggy==0.11.0            # via pytest
+pluggy==0.12.0            # via pytest
 psycopg2-binary==2.8.2
 py==1.8.0                 # via pytest
+pycparser==2.19
 pylint==2.3.1
 pytest-aiohttp==0.3.0
 pytest-cov==2.7.1
 pytest-docker==0.6.1
 pytest-mock==1.10.4
-pytest-runner==4.4
+pytest-runner==5.1
 pytest==4.5.0
 python-dateutil==2.8.0    # via faker
-python-engineio==3.5.1
-python-socketio==4.0.1
+python-engineio==3.7.0
+python-socketio==4.0.3
 pytz==2019.1
 pyyaml==5.1
 requests==2.22.0          # via codecov, coveralls, docker
 semantic-version==2.6.0
 shortuuid==0.5.0
 six==1.12.0
-sqlalchemy[postgresql_psycopg2binary]==1.3.3
+sqlalchemy[postgresql_psycopg2binary]==1.3.4
 strict-rfc3339==0.7
 tenacity==5.0.4
 text-unidecode==1.2       # via faker
 trafaret-config==2.0.2
 trafaret==1.2.0
 typed-ast==1.3.5          # via astroid
 typing-extensions==3.7.2
-urllib3==1.24.3           # via requests
+urllib3==1.25.3           # via requests
 vine==1.3.0
 wcwidth==0.1.7            # via pytest
 websocket-client==0.56.0  # via docker
 wrapt==1.11.1             # via astroid
 yarl==1.3.0
+zipp==0.5.1               # via importlib-metadata
diff --git a/services/web/server/src/simcore_service_webserver/application_config.py b/services/web/server/src/simcore_service_webserver/application_config.py
@@ -23,7 +23,7 @@
 from servicelib import application_keys  # pylint:disable=unused-import
 
 from . import (computation_config, db_config, email_config, rest_config,
-               storage_config)
+               storage_config, session_config)
 from .director import config as director_config
 from .login import config as login_config
 from .projects import config as projects_config
@@ -54,7 +54,8 @@ def create_schema():
         email_config.CONFIG_SECTION_NAME: email_config.schema,
         computation_config.CONFIG_SECTION_NAME: computation_config.schema,
         storage_config.CONFIG_SECTION_NAME: storage_config.schema,
-        T.Key(login_config.CONFIG_SECTION_NAME, optional=True): login_config.schema
+        T.Key(login_config.CONFIG_SECTION_NAME, optional=True): login_config.schema,
+        session_config.CONFIG_SECTION_NAME: session_config.schema,
         #s3_config.CONFIG_SECTION_NAME: s3_config.schema
         #TODO: enable when sockets are refactored
     })
diff --git a/services/web/server/src/simcore_service_webserver/config/host-dev-config.yaml b/services/web/server/src/simcore_service_webserver/config/host-dev-config.yaml
@@ -55,3 +55,5 @@ projects:
 storage:
   host: storage
   port: 11111
+session:
+  secret_key: "TODO: Replace with a key of at least length 32"
diff --git a/services/web/server/src/simcore_service_webserver/config/server-defaults.yaml b/services/web/server/src/simcore_service_webserver/config/server-defaults.yaml
@@ -54,3 +54,5 @@ rest:
     - http://localhost:9081
 projects:
   location: http://localhost:8043/api/specs/webserver/v0/components/schemas/project-v0.0.1.json
+session:
+  secret_key: "TODO: Replace with a key of at least length 32"
diff --git a/services/web/server/src/simcore_service_webserver/config/server-docker-dev.yaml b/services/web/server/src/simcore_service_webserver/config/server-docker-dev.yaml
@@ -55,4 +55,6 @@ storage:
   host: ${STORAGE_HOST}
   port: ${STORAGE_PORT}
   version: v0
+session:
+  secret_key: "TODO: Replace with a key of at least length 32"
 ...
diff --git a/services/web/server/src/simcore_service_webserver/config/server-docker-prod.yaml b/services/web/server/src/simcore_service_webserver/config/server-docker-prod.yaml
@@ -52,4 +52,6 @@ rest:
   location: http://${APIHUB_HOST}:${APIHUB_PORT}/api/specs/webserver/v0/openapi.yaml
 projects:
   location: http://${APIHUB_HOST}:${APIHUB_PORT}/api/specs/webserver/v0/components/schemas/project-v0.0.1.json
+session:
+  secret_key: "TODO: Replace with a key of at least length 32"
 ...
diff --git a/services/web/server/src/simcore_service_webserver/config/server-template.yaml b/services/web/server/src/simcore_service_webserver/config/server-template.yaml
@@ -52,4 +52,6 @@ rest:
   location: http://${APIHUB_HOST}:${APIHUB_PORT}/api/specs/webserver/v0/openapi.yaml
 projects:
   location: http://${APIHUB_HOST}:${APIHUB_PORT}/api/specs/webserver/v0/components/schemas/project-v0.0.1.json
+session:
+  secret_key: "Thirty  two  length  bytes  key."
 ...
diff --git a/services/web/server/src/simcore_service_webserver/session.py b/services/web/server/src/simcore_service_webserver/session.py
diff --git a/services/web/server/src/simcore_service_webserver/session_config.py b/services/web/server/src/simcore_service_webserver/session_config.py
diff --git a/services/web/server/tests/unit/with_postgres/config.yaml b/services/web/server/tests/unit/with_postgres/config.yaml
