go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-03-21 21:47:11 +02:00
Code Issues Releases Activity

Always encrypt sessions regardless of configuration

Browse Source
This commit is contained in:
Timo Beckers 2020-02-24 12:23:35 +01:00 committed by Joel Speed
parent 0c9795a964
commit 276d1c6f19
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
4 changed files with 49 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@ -43,6 +43,11 @@
- Multiple cookie domains may now be configured. The longest domain that matches will be used. - Multiple cookie domains may now be configured. The longest domain that matches will be used.
- The config options `cookie_domain` is now `cookie_domains` - The config options `cookie_domain` is now `cookie_domains`
- The environment variable `OAUTH2_PROXY_COOKIE_DOMAIN` is now `OAUTH2_PROXY_COOKIE_DOMAINS` - The environment variable `OAUTH2_PROXY_COOKIE_DOMAIN` is now `OAUTH2_PROXY_COOKIE_DOMAINS`
- [#414](https://github.com/oauth2-proxy/oauth2-proxy/pull/414) Always encrypt sessions regardless of config
- Previously, sessions were encrypted only when certain options were configured.
This lead to confusion and misconfiguration as it was not obvious when a session should be encrypted.
- Cookie Secrets must now be 16, 24 or 32 bytes.
- If you need to change your secret, this will force users to reauthenticate.
## Changes since v5.1.1 ## Changes since v5.1.1
@ -86,6 +91,7 @@
- [#488](https://github.com/oauth2-proxy/oauth2-proxy/pull/488) Set-Basic-Auth should default to false (@JoelSpeed) - [#488](https://github.com/oauth2-proxy/oauth2-proxy/pull/488) Set-Basic-Auth should default to false (@JoelSpeed)
- [#494](https://github.com/oauth2-proxy/oauth2-proxy/pull/494) Upstream websockets TLS certificate validation now depends on ssl-upstream-insecure-skip-verify (@yaroslavros) - [#494](https://github.com/oauth2-proxy/oauth2-proxy/pull/494) Upstream websockets TLS certificate validation now depends on ssl-upstream-insecure-skip-verify (@yaroslavros)
- [#497](https://github.com/oauth2-proxy/oauth2-proxy/pull/497) Restrict access using Github collaborators (@jsclayton) - [#497](https://github.com/oauth2-proxy/oauth2-proxy/pull/497) Restrict access using Github collaborators (@jsclayton)
- [#414](https://github.com/oauth2-proxy/oauth2-proxy/pull/414) Always encrypt sessions regardless of config (@ti-mo)
# v5.1.1 # v5.1.1

19
oauthproxy_test.go
View File

@ -29,6 +29,13 @@ import (
"golang.org/x/net/websocket" "golang.org/x/net/websocket"
) )
const (
// The rawCookieSecret is 32 bytes and the base64CookieSecret is the base64
// encoded version of this.
rawCookieSecret = "secretthirtytwobytes+abcdefghijk"
base64CookieSecret = "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpamsK"
)
func init() { func init() {
logger.SetFlags(logger.Lshortfile) logger.SetFlags(logger.Lshortfile)
@ -166,7 +173,7 @@ func TestRobotsTxt(t *testing.T) {
opts := options.NewOptions() opts := options.NewOptions()
opts.ClientID = "asdlkjx" opts.ClientID = "asdlkjx"
opts.ClientSecret = "alkgks" opts.ClientSecret = "alkgks"
opts.Cookie.Secret = "asdkugkj" opts.Cookie.Secret = rawCookieSecret
validation.Validate(opts) validation.Validate(opts)
proxy := NewOAuthProxy(opts, func(string) bool { return true }) proxy := NewOAuthProxy(opts, func(string) bool { return true })
@ -181,7 +188,7 @@ func TestIsValidRedirect(t *testing.T) {
opts := options.NewOptions() opts := options.NewOptions()
opts.ClientID = "skdlfj" opts.ClientID = "skdlfj"
opts.ClientSecret = "fgkdsgj" opts.ClientSecret = "fgkdsgj"
opts.Cookie.Secret = "ljgiogbj" opts.Cookie.Secret = base64CookieSecret
// Should match domains that are exactly foo.bar and any subdomain of bar.foo // Should match domains that are exactly foo.bar and any subdomain of bar.foo
opts.WhitelistDomains = []string{ opts.WhitelistDomains = []string{
"foo.bar", "foo.bar",
@ -794,7 +801,7 @@ func NewSignInPageTest(skipProvider bool) *SignInPageTest {
var sipTest SignInPageTest var sipTest SignInPageTest
sipTest.opts = options.NewOptions() sipTest.opts = options.NewOptions()
sipTest.opts.Cookie.Secret = "adklsj2" sipTest.opts.Cookie.Secret = rawCookieSecret
sipTest.opts.ClientID = "lkdgj" sipTest.opts.ClientID = "lkdgj"
sipTest.opts.ClientSecret = "sgiufgoi" sipTest.opts.ClientSecret = "sgiufgoi"
sipTest.opts.SkipProviderButton = skipProvider sipTest.opts.SkipProviderButton = skipProvider
@ -1208,7 +1215,7 @@ func TestAuthSkippedForPreflightRequests(t *testing.T) {
opts.Upstreams = append(opts.Upstreams, upstream.URL) opts.Upstreams = append(opts.Upstreams, upstream.URL)
opts.ClientID = "aljsal" opts.ClientID = "aljsal"
opts.ClientSecret = "jglkfsdgj" opts.ClientSecret = "jglkfsdgj"
opts.Cookie.Secret = "dkfjgdls" opts.Cookie.Secret = base64CookieSecret
opts.SkipAuthPreflight = true opts.SkipAuthPreflight = true
validation.Validate(opts) validation.Validate(opts)
@ -1255,7 +1262,7 @@ type SignatureTest struct {
func NewSignatureTest() *SignatureTest { func NewSignatureTest() *SignatureTest {
opts := options.NewOptions() opts := options.NewOptions()
opts.Cookie.Secret = "cookie secret" opts.Cookie.Secret = rawCookieSecret
opts.ClientID = "client ID" opts.ClientID = "client ID"
opts.ClientSecret = "client secret" opts.ClientSecret = "client secret"
opts.EmailDomains = []string{"acm.org"} opts.EmailDomains = []string{"acm.org"}
@ -1402,7 +1409,7 @@ type ajaxRequestTest struct {
func newAjaxRequestTest() *ajaxRequestTest { func newAjaxRequestTest() *ajaxRequestTest {
test := &ajaxRequestTest{} test := &ajaxRequestTest{}
test.opts = options.NewOptions() test.opts = options.NewOptions()
test.opts.Cookie.Secret = "sdflsw" test.opts.Cookie.Secret = base64CookieSecret
test.opts.ClientID = "gkljfdl" test.opts.ClientID = "gkljfdl"
test.opts.ClientSecret = "sdflkjs" test.opts.ClientSecret = "sdflkjs"
validation.Validate(test.opts) validation.Validate(test.opts)

62
pkg/validation/options.go
View File

@ -12,7 +12,6 @@ import (
"regexp" "regexp"
"sort" "sort"
"strings" "strings"
"time"
"github.com/coreos/go-oidc" "github.com/coreos/go-oidc"
"github.com/dgrijalva/jwt-go" "github.com/dgrijalva/jwt-go"
@ -39,9 +38,38 @@ func Validate(o *options.Options) error {
} }
msgs := make([]string, 0) msgs := make([]string, 0)
var cipher *encryption.Cipher
if o.Cookie.Secret == "" { if o.Cookie.Secret == "" {
msgs = append(msgs, "missing setting: cookie-secret") msgs = append(msgs, "missing setting: cookie-secret")
} else {
validCookieSecretSize := false
for _, i := range []int{16, 24, 32} {
if len(encryption.SecretBytes(o.Cookie.Secret)) == i {
validCookieSecretSize = true
}
}
var decoded bool
if string(encryption.SecretBytes(o.Cookie.Secret)) != o.Cookie.Secret {
decoded = true
}
if !validCookieSecretSize {
var suffix string
if decoded {
suffix = " note: cookie secret was base64 decoded"
}
msgs = append(msgs,
fmt.Sprintf("Cookie secret must be 16, 24, or 32 bytes to create an AES cipher. Got %d bytes.%s",
len(encryption.SecretBytes(o.Cookie.Secret)), suffix))
} else {
var err error
cipher, err = encryption.NewCipher(encryption.SecretBytes(o.Cookie.Secret))
if err != nil {
msgs = append(msgs, fmt.Sprintf("cookie-secret error: %v", err))
}
}
} }
if o.ClientID == "" { if o.ClientID == "" {
msgs = append(msgs, "missing setting: client-id") msgs = append(msgs, "missing setting: client-id")
} }
@ -195,38 +223,6 @@ func Validate(o *options.Options) error {
} }
msgs = parseProviderInfo(o, msgs) msgs = parseProviderInfo(o, msgs)
var cipher *encryption.Cipher
if o.PassAccessToken || o.SetAuthorization || o.PassAuthorization || (o.Cookie.Refresh != time.Duration(0)) {
validCookieSecretSize := false
for _, i := range []int{16, 24, 32} {
if len(encryption.SecretBytes(o.Cookie.Secret)) == i {
validCookieSecretSize = true
}
}
var decoded bool
if string(encryption.SecretBytes(o.Cookie.Secret)) != o.Cookie.Secret {
decoded = true
}
if !validCookieSecretSize {
var suffix string
if decoded {
suffix = fmt.Sprintf(" note: cookie secret was base64 decoded from %q", o.Cookie.Secret)
}
msgs = append(msgs, fmt.Sprintf(
"cookie_secret must be 16, 24, or 32 bytes "+
"to create an AES cipher when "+
"pass_access_token == true or "+
"cookie_refresh != 0, but is %d bytes.%s",
len(encryption.SecretBytes(o.Cookie.Secret)), suffix))
} else {
var err error
cipher, err = encryption.NewCipher(encryption.SecretBytes(o.Cookie.Secret))
if err != nil {
msgs = append(msgs, fmt.Sprintf("cookie-secret error: %v", err))
}
}
}
o.Session.Cipher = cipher o.Session.Cipher = cipher
sessionStore, err := sessions.NewSessionStore(&o.Session, &o.Cookie) sessionStore, err := sessions.NewSessionStore(&o.Session, &o.Cookie)
if err != nil { if err != nil {

2
pkg/validation/options_test.go
View File

@ -15,7 +15,7 @@ import (
) )
const ( const (
cookieSecret = "foobar" cookieSecret = "secretthirtytwobytes+abcdefghijk"
clientID = "bazquux" clientID = "bazquux"
clientSecret = "xyzzyplugh" clientSecret = "xyzzyplugh"
) )