oauth2-proxy/pkg/cookies/cookies.go

package cookies

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
)

// MakeCookie constructs a cookie from the given parameters,
// discovering the domain from the request if not specified.
func MakeCookie(req *http.Request, name string, value string, path string, domain string, httpOnly bool, secure bool, expiration time.Duration, now time.Time, sameSite http.SameSite) *http.Cookie {
	if domain != "" {
		host := util.GetRequestHost(req)
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		if !strings.HasSuffix(host, domain) {
			logger.Errorf("Warning: request host is %q but using configured cookie domain of %q", host, domain)
		}
	}

	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     path,
		Domain:   domain,
		HttpOnly: httpOnly,
		Secure:   secure,
		Expires:  now.Add(expiration),
		SameSite: sameSite,
	}
}

// MakeCookieFromOptions constructs a cookie based on the given *options.CookieOptions,
// value and creation time
func MakeCookieFromOptions(req *http.Request, name string, value string, cookieOpts *options.Cookie, expiration time.Duration, now time.Time) *http.Cookie {
	domain := GetCookieDomain(req, cookieOpts.Domains)

	if domain != "" {
		return MakeCookie(req, name, value, cookieOpts.Path, domain, cookieOpts.HTTPOnly, cookieOpts.Secure, expiration, now, ParseSameSite(cookieOpts.SameSite))
	}
	// If nothing matches, create the cookie with the shortest domain
	defaultDomain := ""
	if len(cookieOpts.Domains) > 0 {
		logger.Errorf("Warning: request host %q did not match any of the specific cookie domains of %q", util.GetRequestHost(req), strings.Join(cookieOpts.Domains, ","))
		defaultDomain = cookieOpts.Domains[len(cookieOpts.Domains)-1]
	}
	return MakeCookie(req, name, value, cookieOpts.Path, defaultDomain, cookieOpts.HTTPOnly, cookieOpts.Secure, expiration, now, ParseSameSite(cookieOpts.SameSite))
}

// GetCookieDomain returns the correct cookie domain given a list of domains
// by checking the X-Fowarded-Host and host header of an an http request
func GetCookieDomain(req *http.Request, cookieDomains []string) string {
	host := util.GetRequestHost(req)
	for _, domain := range cookieDomains {
		if strings.HasSuffix(host, domain) {
			return domain
		}
	}
	return ""
}

// Parse a valid http.SameSite value from a user supplied string for use of making cookies.
func ParseSameSite(v string) http.SameSite {
	switch v {
	case "lax":
		return http.SameSiteLaxMode
	case "strict":
		return http.SameSiteStrictMode
	case "none":
		return http.SameSiteNoneMode
	case "":
		return http.SameSiteDefaultMode
	default:
		panic(fmt.Sprintf("Invalid value for SameSite: %s", v))
	}
}
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`package cookies`

			`import (`
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 13:10:04 -05:00			`"fmt"`
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`"net"`
			`"net/http"`
			`"strings"`
			`"time"`

Fix import path for v7 (#800) * fix import path for v7 find ./ -name ".go" \| xargs sed -i -e 's\|"github.com/oauth2-proxy/oauth2-proxy\|"github.com/oauth2-proxy/oauth2-proxy/v7\|' fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-09-30 01:44:42 +09:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"`
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`)`

			`// MakeCookie constructs a cookie from the given parameters,`
			`// discovering the domain from the request if not specified.`
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 13:10:04 -05:00			`func MakeCookie(req http.Request, name string, value string, path string, domain string, httpOnly bool, secure bool, expiration time.Duration, now time.Time, sameSite http.SameSite) http.Cookie {`
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`if domain != "" {`
Use X-Forwarded-Host consistently 2020-08-21 19:50:32 -07:00			`host := util.GetRequestHost(req)`
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`if h, _, err := net.SplitHostPort(host); err == nil {`
			`host = h`
			`}`
			`if !strings.HasSuffix(host, domain) {`
Allow Logging to stdout with separate Error Log Channel (#718) * Add dedicated error logging writer * Document new errors to stdout flag * Update changelog * Thread-safe the log buffer * Address feedback * Remove duplication by adding log level * Clean up error formatting * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-08-10 11:44:08 +01:00			`logger.Errorf("Warning: request host is %q but using configured cookie domain of %q", host, domain)`
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`}`
			`}`

			`return &http.Cookie{`
			`Name: name,`
			`Value: value,`
			`Path: path,`
			`Domain: domain,`
			`HttpOnly: httpOnly,`
			`Secure: secure,`
			`Expires: now.Add(expiration),`
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 13:10:04 -05:00			`SameSite: sameSite,`
Implement ClearSession for cookie SessionStore 2019-05-07 00:20:36 +01:00			`}`
			`}`
Simplify cookie creation form *options.CookieOptions 2019-05-13 16:01:28 +01:00
Fix typos in doc strings. 2019-12-20 09:44:59 -05:00			`// MakeCookieFromOptions constructs a cookie based on the given *options.CookieOptions,`
Simplify cookie creation form *options.CookieOptions 2019-05-13 16:01:28 +01:00			`// value and creation time`
Rename CookieOptions to Cookie 2020-05-25 12:43:24 +01:00			`func MakeCookieFromOptions(req http.Request, name string, value string, cookieOpts options.Cookie, expiration time.Duration, now time.Time) *http.Cookie {`
Rename Cookie Options to remove extra 'Cookie' 2020-04-12 14:00:59 +01:00			`domain := GetCookieDomain(req, cookieOpts.Domains)`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 04:00:44 -07:00
			`if domain != "" {`
Rename Cookie Options to remove extra 'Cookie' 2020-04-12 14:00:59 +01:00			`return MakeCookie(req, name, value, cookieOpts.Path, domain, cookieOpts.HTTPOnly, cookieOpts.Secure, expiration, now, ParseSameSite(cookieOpts.SameSite))`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 04:00:44 -07:00			`}`
			`// If nothing matches, create the cookie with the shortest domain`
			`defaultDomain := ""`
Rename Cookie Options to remove extra 'Cookie' 2020-04-12 14:00:59 +01:00			`if len(cookieOpts.Domains) > 0 {`
Use X-Forwarded-Host consistently 2020-08-21 19:50:32 -07:00			`logger.Errorf("Warning: request host %q did not match any of the specific cookie domains of %q", util.GetRequestHost(req), strings.Join(cookieOpts.Domains, ","))`
Rename Cookie Options to remove extra 'Cookie' 2020-04-12 14:00:59 +01:00			`defaultDomain = cookieOpts.Domains[len(cookieOpts.Domains)-1]`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 04:00:44 -07:00			`}`
Rename Cookie Options to remove extra 'Cookie' 2020-04-12 14:00:59 +01:00			`return MakeCookie(req, name, value, cookieOpts.Path, defaultDomain, cookieOpts.HTTPOnly, cookieOpts.Secure, expiration, now, ParseSameSite(cookieOpts.SameSite))`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 04:00:44 -07:00			`}`

			`// GetCookieDomain returns the correct cookie domain given a list of domains`
			`// by checking the X-Fowarded-Host and host header of an an http request`
			`func GetCookieDomain(req *http.Request, cookieDomains []string) string {`
Use X-Forwarded-Host consistently 2020-08-21 19:50:32 -07:00			`host := util.GetRequestHost(req)`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 04:00:44 -07:00			`for _, domain := range cookieDomains {`
			`if strings.HasSuffix(host, domain) {`
			`return domain`
			`}`
			`}`
			`return ""`
			`}`

Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 13:10:04 -05:00			`// Parse a valid http.SameSite value from a user supplied string for use of making cookies.`
			`func ParseSameSite(v string) http.SameSite {`
			`switch v {`
			`case "lax":`
			`return http.SameSiteLaxMode`
			`case "strict":`
			`return http.SameSiteStrictMode`
			`case "none":`
			`return http.SameSiteNoneMode`
			`case "":`
			`return http.SameSiteDefaultMode`
			`default:`
			`panic(fmt.Sprintf("Invalid value for SameSite: %s", v))`
			`}`
Simplify cookie creation form *options.CookieOptions 2019-05-13 16:01:28 +01:00			`}`