Install the extension:
pip install -e git+https://github.com/data-govt-nz/ckanext-security.git#egg=ckanext-security
pip install -r ckanext-security/requirements.txt
Run database migration for 2FA:
ckan -c /PATH_TO_INI/config.ini security migrate
Enable the plugin:
ckan.plugins = security
Required who.ini configuration:
[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True
[plugin:friendlyform]
rememberer_name = use_beaker
[identifiers]
plugins = friendlyform;browser use_beaker
[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
Session configuration (in CKAN config file):
beaker.session.key = ckan_session
beaker.session.secret = YOUR-LONG-RANDOM-SECRET
beaker.session.data_serializer = json
beaker.session.httponly = true
beaker.session.secure = true
beaker.session.timeout = 3600
beaker.session.save_accessed_time = true
beaker.session.type = ext:redis
beaker.session.url = redis://127.0.0.1:6379
beaker.session.cookie_expires = true
beaker.session.cookie_domain = YOUR-DOMAIN
Security configuration options:
Cookie domain
ckanext.security.domain = 192.168.232.65
Redis connection
ckanext.security.redis.host = 127.0.0.1
ckanext.security.redis.port = 6379
ckanext.security.redis.db = 1
ckanext.security.redis.password = StrongPassword
Login throttling (lock for 15 minutes after 10 failed attempts)
ckanext.security.lock_timeout = 900
ckanext.security.login_max_count = 10
Brute force detection by username instead of IP
ckanext.security.brute_force_key = user_name
Brute force lockout email footer file path
ckanext.security.brute_force_footer_path = /path/to/footer.txt
Disable password reset override (CKAN 2.7.7+)
ckanext.security.disable_password_reset_override = true
Enable/disable 2FA (default: true)
ckanext.security.enable_totp = true
Help link for 2FA users
ckanext.security.mfa_help_link = https://example.com/2fa-help
Resource upload blacklist
ckanext.security.upload_blacklist = ['.png', 'image/jpg']
Extended MIME type mappings
ckanext.security.extended_upload_mimetypes = {'image/jpeg': '.jpg'}
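As an added illustration (not the extension's own code), a simplified in-memory model of the throttle that the lock_timeout, login_max_count and brute_force_key settings above control: the class, function and sample values are constructed here, and a dict stands in for the Redis counter.

```python
import time
from collections import defaultdict

LOCK_TIMEOUT = 900        # ckanext.security.lock_timeout (seconds)
LOGIN_MAX_COUNT = 10      # ckanext.security.login_max_count


class LoginThrottle:
    """Simplified in-memory model of the counter the extension keeps in Redis.
    brute_force_key selects whether failures are counted per client IP
    ("remote_addr") or per submitted username ("user_name")."""

    def __init__(self, lock_timeout=LOCK_TIMEOUT, max_count=LOGIN_MAX_COUNT,
                 brute_force_key="remote_addr", clock=time.time):
        self.lock_timeout = lock_timeout
        self.max_count = max_count
        self.brute_force_key = brute_force_key
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(list)    # key -> timestamps of failures

    def _key(self, remote_addr, user_name):
        return user_name if self.brute_force_key == "user_name" else remote_addr

    def _recent(self, key):
        # Forget failures older than the lock window, like an expiring Redis key.
        cutoff = self.clock() - self.lock_timeout
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_locked(self, remote_addr, user_name):
        return len(self._recent(self._key(remote_addr, user_name))) >= self.max_count

    def record_failure(self, remote_addr, user_name):
        self._recent(self._key(remote_addr, user_name)).append(self.clock())

    def record_success(self, remote_addr, user_name):
        # A correct login clears the counter for that key.
        self._failures.pop(self._key(remote_addr, user_name), None)


def simulate(brute_force_key):
    """Constructed scenario: 10 failures from one IP against 'alice', then a check
    on 'bob' from the same IP, then the lock window elapsing. Returns
    (alice_locked, bob_locked, alice_locked_after_timeout)."""
    now = [1_000_000.0]
    t = LoginThrottle(brute_force_key=brute_force_key, clock=lambda: now[0])
    for _ in range(LOGIN_MAX_COUNT):
        t.record_failure("203.0.113.7", "alice")
    alice_locked = t.is_locked("203.0.113.7", "alice")
    bob_locked = t.is_locked("203.0.113.7", "bob")
    now[0] += LOCK_TIMEOUT + 1
    return alice_locked, bob_locked, t.is_locked("203.0.113.7", "alice")
```

Keying on the client address also locks out other accounts used from behind the same NAT or proxy, while keying on the username confines the lockout to the targeted account but lets repeated failures against one account lock out its legitimate owner; choose brute_force_key with that trade-off in mind.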
CLI command for 2FA reset:
ckan -c /PATH/config.ini security reset_totp
Requirements:
- Redis instance with maxmemory and maxmemory-policy=lru
- CKAN core patch for session middleware placement (see ckanext-security.patch)
- python-magic library for file type detection
Note: CSRF protection removed from v3.0.0+ - use ckanext-csrf-filter instead.