Feature/persistent sessions (#3264)

* feat: add configurable session persistence across server reboots

* fix: restore accidentally deleted configuration fields in default.yml

* update unit tests, remove unused imports from auth_svc, update gitignore

---------

Co-authored-by: uruwhy <58484522+uruwhy@users.noreply.github.com>

Author: clutester

.gitignore

@@ -20,6 +20,7 @@ conf/*.yml
 !conf/default.yml
 data/object_store
 data/fact_store
+data/cookie_storage
 data/results/*
 !data/results/.gitkeep
 data/payloads/*

app/service/auth_svc.py

@@ -1,6 +1,6 @@
-import base64
 from collections import namedtuple
 from importlib import import_module
+import os
 
 from aiohttp import web, web_request
 from aiohttp.web_exceptions import HTTPUnauthorized, HTTPForbidden
@@ -10,7 +10,6 @@
 from aiohttp_security.abc import AbstractAuthorizationPolicy
 from aiohttp_session import setup as setup_session
 from aiohttp_session.cookie_storage import EncryptedCookieStorage
-from cryptography import fernet
 
 from app.service.interfaces.i_auth_svc import AuthServiceInterface
 from app.service.interfaces.i_login_handler import LoginHandlerInterface
@@ -73,9 +72,35 @@ async def apply(self, app, users):
                 for username, password in user.items():
                     await self.create_user(username, password, group)
         app.user_map = self.user_map
-        fernet_key = fernet.Fernet.generate_key()
-        secret_key = base64.urlsafe_b64decode(fernet_key)
-        storage = EncryptedCookieStorage(secret_key, cookie_name=COOKIE_SESSION)
+        cookie_file = 'cookie_storage'
+        expiration_days = self.get_config('session_expiration_days')
+        file_svc = self.get_service('file_svc')
+        cookie_path = os.path.join('data', cookie_file)
+
+        # Safely calculate max_age in seconds, allowing for fractional days
+        try:
+            max_age = int(float(expiration_days) * 86400) if expiration_days else None
+        except (ValueError, TypeError):
+            max_age = None
+        try:
+            if os.path.exists(os.path.join('data', cookie_file)):
+                secret_key = file_svc._read(cookie_path)
+                self.log.debug('Loaded persistent session key from data/cookie_storage')
+            else:
+                # Generate a new random 32-byte key for AES encryption if no valid key is found in the config or data folder
+                secret_key = os.urandom(32)
+                file_svc._save(cookie_path, secret_key, encrypt=True)
+                self.log.debug('Generated and saved new persistent session key.')
+        except Exception as e:
+            # Fallback if file operations fail
+            self.log.warning('Could not manage persistent key file, falling back to ephemeral: %s', e)
+            secret_key = os.urandom(32)
+        if len(secret_key) != 32:
+            secret_key = os.urandom(32)
+            self.log.warning('Loaded session key is not 32 bytes long. Generating new key.')
+
+        # Pass max_age to the storage initializer
+        storage = EncryptedCookieStorage(secret_key, cookie_name=COOKIE_SESSION, max_age=max_age)
         setup_session(app, storage)
         policy = SessionIdentityPolicy()
         setup_security(app, policy, DictionaryAuthorizationPolicy(self.user_map))

conf/default.yml

@@ -27,6 +27,7 @@ app.contact.websocket: 0.0.0.0:7012
 auth.login.handler.module: default
 crypt_salt: REPLACE_WITH_RANDOM_VALUE
 encryption_key: ADMIN123
+session_expiration_days: 7
 exfil_dir: /tmp/caldera
 host: 0.0.0.0
 objects.planners.default: atomic

tests/api/v2/test_security.py

@@ -1,4 +1,5 @@
 import pytest
+import os
 from aiohttp import web
 
 from app.api.v2 import security
@@ -8,13 +9,17 @@
 
 @pytest.fixture
 def base_world():
+    cookie_path = os.path.join('data', 'cookie_storage')
     BaseWorld.clear_config()
+    if os.path.exists(cookie_path):
+        os.remove(cookie_path)
 
     BaseWorld.apply_config(
         name='main',
         config={
             CONFIG_API_KEY_RED: 'abc123',
-
+            'crypt_salt': 'REPLACE_WITH_RANDOM_VALUE',
+            'encryption_key': 'ADMIN123',
             'users': {
                 'red': {'reduser': 'redpass'},
                 'blue': {'blueuser': 'bluepass'}
@@ -25,6 +30,8 @@ def base_world():
 
     yield BaseWorld
     BaseWorld.clear_config()
+    if os.path.exists(cookie_path):
+        os.remove(cookie_path)
 
 
 @pytest.fixture