From 4f7517b2f91cca30a71cb8a8c7f6efa0d83b6008 Mon Sep 17 00:00:00 2001
From: Costel Moraru
Date: Tue, 9 Apr 2019 14:55:33 +0300
Subject: [PATCH 1/4] Encrypting user/email from cookie
---
 providers/session_state.go | 27 +++++++++++++++++++++++++++
 providers/session_state_test.go | 12 ++++++------
 2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/providers/session_state.go b/providers/session_state.go
index 4741b4a9..10cbba48 100644
--- a/providers/session_state.go
+++ b/providers/session_state.go
@@ -62,6 +62,19 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) {
 } else {
 ss = *s
 var err error
+ // Encrypt also Email and User when cipher is provided
+ if ss.Email != "" {
+ ss.Email, err = c.Encrypt(ss.Email)
+ if err != nil {
+ return "", err
+ }
+ }
+ if ss.User != "" {
+ ss.User, err = c.Encrypt(ss.User)
+ if err != nil {
+ return "", err
+ }
+ }
 if ss.AccessToken != "" {
 ss.AccessToken, err = c.Encrypt(ss.AccessToken)
 if err != nil {
@@ -172,6 +185,20 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) {
 User: ss.User,
 }
 } else {
+ // Backward compatibility with using unecrypted Email
+ if ss.Email != "" {
+ decryptedEmail, err := c.Decrypt(ss.Email)
+ if err == nil {
+ ss.Email = decryptedEmail
+ }
+ }
+ // Backward compatibility with using unecrypted User
+ if ss.User != "" {
+ decryptedUser, err := c.Decrypt(ss.User)
+ if err == nil {
+ ss.User = decryptedUser
+ }
+ }
 if ss.AccessToken != "" {
 ss.AccessToken, err = c.Decrypt(ss.AccessToken)
 if err != nil {
diff --git a/providers/session_state_test.go b/providers/session_state_test.go
index 9557eea3..dee81bbc 100644
--- a/providers/session_state_test.go
+++ b/providers/session_state_test.go
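Review bot: The two `if err == nil` fallbacks added at the top of the `else` branch in DecodeSessionState swallow every Decrypt failure, so a cookie whose Email or User field is ciphertext under a different key, or is simply corrupted, decodes with a nil error and the raw cookie string stays in `ss.Email`/`ss.User`, whereas the AccessToken branch immediately below still returns the Decrypt error. The intent is to keep accepting cookies written before this change, but the code cannot tell a legacy plaintext value from a value that failed to decrypt, and nothing records that the fallback was taken; if these fields feed any downstream access decision (not visible here) a silently garbled identity is worse than a rejected cookie. At minimum mark the fallback as temporary and observable, e.g. `// TODO(compat): log and drop this plaintext fallback once pre-#120 cookies have expired`, and consider returning the error for values that look like ciphertext (base64 with padding) so only genuinely legacy plaintext slips through. DecodeSessionState starts and ends outside this hunk.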
@@ -41,8 +41,8 @@ func TestSessionStateSerialization(t *testing.T) {
 ss, err = DecodeSessionState(encoded, c2)
 t.Logf("%#v", ss)
 assert.Equal(t, nil, err)
- assert.Equal(t, "user", ss.User)
- assert.Equal(t, s.Email, ss.Email)
+ assert.NotEqual(t, "user", ss.User)
+ assert.NotEqual(t, s.Email, ss.Email)
 assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
 assert.NotEqual(t, s.AccessToken, ss.AccessToken)
 assert.NotEqual(t, s.IDToken, ss.IDToken)
@@ -77,8 +77,8 @@ func TestSessionStateSerializationWithUser(t *testing.T) {
 ss, err = DecodeSessionState(encoded, c2)
 t.Logf("%#v", ss)
 assert.Equal(t, nil, err)
- assert.Equal(t, s.User, ss.User)
- assert.Equal(t, s.Email, ss.Email)
+ assert.NotEqual(t, s.User, ss.User)
+ assert.NotEqual(t, s.Email, ss.Email)
 assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
 assert.NotEqual(t, s.AccessToken, ss.AccessToken)
 assert.NotEqual(t, s.RefreshToken, ss.RefreshToken)
@@ -229,7 +229,7 @@ func TestDecodeSessionState(t *testing.T) {
 ExpiresOn: e,
 RefreshToken: "refresh4321",
 },
- Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
+ Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
 Cipher: c,
 },
 {
@@ -237,7 +237,7 @@ func TestDecodeSessionState(t *testing.T) {
 Email: "user@domain.com",
 User: "just-user",
 },
- Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
+ Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
 Cipher: c,
 },
 {
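Review bot: The new `assert.NotEqual` lines in TestSessionStateSerialization only check that decoding with the wrong cipher `c2` yields something other than the original user and email, so they pass equally whether Decrypt produced garbage or failed and left the ciphertext in place, and together with the unchanged `assert.Equal(t, nil, err)` they pin "wrong key decodes without error" as expected behaviour for the identity fields. A stronger check would pin what the decoder is supposed to do: assert that a wrong-key decode does not hand back a usable identity, e.g. `assert.NotEqual(t, "", ss.User)` plus a comment `// wrong key: identity fields must not round-trip`, and keep the positive round trip with `c` (presumably earlier in this test, outside the hunk) as the only place equality is asserted. The test function begins outside the hunk.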
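Review bot: Replacing the plaintext `Encoded` value in the last TestDecodeSessionState case with ciphertext removes the only test that exercised the backward-compatibility path the production change introduces, so the "accept an unencrypted Email/User from an older cookie" branch is now untested. Keep this encrypted case and add a sibling case that decodes the old literal with the real cipher, `Encoded: `{"Email":"user@domain.com","User":"just-user"}`,` with `Cipher: c,` and the same expected struct, so a future removal of the fallback fails a test rather than silently breaking existing sessions. The table is declared outside the hunk.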
From 6da6ee7f849d583bcd2019604bb1f3c474dc242f Mon Sep 17 00:00:00 2001
From: Costel Moraru
Date: Tue, 9 Apr 2019 15:00:17 +0300
Subject: [PATCH 2/4] Encrypting user/email from cookie, add changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c36c201a..6d3100fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Use JSON to encode session state to be stored in browser cookies
 - Implement legacy decode function to support existing cookies generated by older versions
 - Add detailed table driven tests in session_state_test.go
+- [#120](https://github.com/pusher/oauth2_proxy/pull/120) Encrypting user/email from cookie (@costelmoraru)
 - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added login.gov provider (@timothy-spencer)
 - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added environment variables for all config options (@timothy-spencer)
 - [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr)
From f5a6609b450e1d0c31473c68967b5842b059ce01 Mon Sep 17 00:00:00 2001
From: Costel Moraru
Date: Tue, 9 Apr 2019 15:17:40 +0300
Subject: [PATCH 3/4] Fixing lint error
---
 providers/session_state.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/providers/session_state.go b/providers/session_state.go
index 10cbba48..5e5a0055 100644
--- a/providers/session_state.go
+++ b/providers/session_state.go
@@ -187,15 +187,15 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) {
 } else {
 // Backward compatibility with using unecrypted Email
 if ss.Email != "" {
- decryptedEmail, err := c.Decrypt(ss.Email)
- if err == nil {
+ decryptedEmail, errEmail := c.Decrypt(ss.Email)
+ if errEmail == nil {
 ss.Email = decryptedEmail
 }
 }
 // Backward compatibility with using unecrypted User
 if ss.User != "" {
- decryptedUser, err := c.Decrypt(ss.User)
- if err == nil {
+ decryptedUser, errUser := c.Decrypt(ss.User)
+ if errUser == nil {
 ss.User = decryptedUser
 }
 }
From f7c85a4d16b8c9f09b28448b10f09bd50303f7c3 Mon Sep 17 00:00:00 2001
From: Costel Moraru
Date: Wed, 10 Apr 2019 15:28:03 +0300
Subject: [PATCH 4/4] Removing obsolete comment from EncodeSessionState
---
 providers/session_state.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/providers/session_state.go b/providers/session_state.go
index 5e5a0055..5d4a892f 100644
--- a/providers/session_state.go
+++ b/providers/session_state.go
@@ -62,7 +62,6 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) {
 } else {
 ss = *s
 var err error
- // Encrypt also Email and User when cipher is provided
 if ss.Email != "" {
 ss.Email, err = c.Encrypt(ss.Email)
 if err != nil {
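Review bot: Renaming the shadowed `err` to `errEmail`/`errUser` silences the linter but leaves two throwaway error variables in the enclosing scope; the idiomatic fix is the if-initializer, which scopes the error to the statement and needs no new names: `if decryptedEmail, err := c.Decrypt(ss.Email); err == nil {` and likewise `if decryptedUser, err := c.Decrypt(ss.User); err == nil {`. While touching these lines, the comments on both branches misspell "unencrypted" (`// Backward compatibility with using unecrypted Email`), and it would help a future reader to say why a failed decrypt is deliberately ignored here but not for the tokens below. DecodeSessionState begins and ends outside this hunk.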