1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00

Implement cookie auto-refresh

The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
This commit is contained in:
Mike Bland 2015-05-08 10:00:57 -04:00
parent 5cbdb74518
commit 8e2d83600c
5 changed files with 41 additions and 7 deletions

View File

@ -15,11 +15,11 @@ import (
"time" "time"
) )
func validateCookie(cookie *http.Cookie, seed string) (string, bool) { func validateCookie(cookie *http.Cookie, seed string) (string, time.Time, bool) {
// value, timestamp, sig // value, timestamp, sig
parts := strings.Split(cookie.Value, "|") parts := strings.Split(cookie.Value, "|")
if len(parts) != 3 { if len(parts) != 3 {
return "", false return "", time.Unix(0, 0), false
} }
sig := cookieSignature(seed, cookie.Name, parts[0], parts[1]) sig := cookieSignature(seed, cookie.Name, parts[0], parts[1])
if checkHmac(parts[2], sig) { if checkHmac(parts[2], sig) {
@ -28,11 +28,11 @@ func validateCookie(cookie *http.Cookie, seed string) (string, bool) {
// it's a valid cookie. now get the contents // it's a valid cookie. now get the contents
rawValue, err := base64.URLEncoding.DecodeString(parts[0]) rawValue, err := base64.URLEncoding.DecodeString(parts[0])
if err == nil { if err == nil {
return string(rawValue), true return string(rawValue), time.Unix(int64(ts), 0), true
} }
} }
} }
return "", false return "", time.Unix(0, 0), false
} }
func signedCookieValue(seed string, key string, value string) string { func signedCookieValue(seed string, key string, value string) string {

View File

@ -45,6 +45,7 @@ func main() {
flagSet.String("cookie-secret", "", "the seed string for secure cookies") flagSet.String("cookie-secret", "", "the seed string for secure cookies")
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*") flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie") flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
flagSet.Duration("cookie-refresh", time.Duration(24)*time.Hour, "refresh the cookie when this much time remains before expiration")
flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)") flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag") flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag") flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")

View File

@ -33,6 +33,7 @@ type OauthProxy struct {
CookieSecure bool CookieSecure bool
CookieHttpOnly bool CookieHttpOnly bool
CookieExpire time.Duration CookieExpire time.Duration
CookieRefresh time.Duration
Validator func(string) bool Validator func(string) bool
redirectUrl *url.URL // the url to receive requests at redirectUrl *url.URL // the url to receive requests at
@ -136,6 +137,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
CookieSecure: opts.CookieSecure, CookieSecure: opts.CookieSecure,
CookieHttpOnly: opts.CookieHttpOnly, CookieHttpOnly: opts.CookieHttpOnly,
CookieExpire: opts.CookieExpire, CookieExpire: opts.CookieExpire,
CookieRefresh: opts.CookieRefresh,
Validator: validator, Validator: validator,
clientID: opts.ClientID, clientID: opts.ClientID,
@ -259,10 +261,11 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
} }
func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (email, user, access_token string, ok bool) { func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (email, user, access_token string, ok bool) {
var value string
var timestamp time.Time
cookie, err := req.Cookie(p.CookieKey) cookie, err := req.Cookie(p.CookieKey)
if err == nil { if err == nil {
var value string value, timestamp, ok = validateCookie(cookie, p.CookieSeed)
value, ok = validateCookie(cookie, p.CookieSeed)
if ok { if ok {
email, user, access_token, err = parseCookieValue( email, user, access_token, err = parseCookieValue(
value, p.AesCipher) value, p.AesCipher)
@ -270,6 +273,11 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
} }
if err != nil { if err != nil {
log.Printf(err.Error()) log.Printf(err.Error())
} else if p.CookieRefresh != time.Duration(0) {
refresh_threshold := time.Now().Add(p.CookieRefresh)
if refresh_threshold.Unix() > timestamp.Unix() {
p.SetCookie(rw, req, value)
}
} }
return return
} }

View File

@ -353,8 +353,31 @@ func TestProcessCookie(t *testing.T) {
assert.Equal(t, "michael.bland", user) assert.Equal(t, "michael.bland", user)
} }
func TestProcessCookieError(t *testing.T) { func TestProcessCookieNoCookieError(t *testing.T) {
pc_test := NewProcessCookieTest() pc_test := NewProcessCookieTest()
_, _, _, ok := pc_test.ProcessCookie() _, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, false, ok) assert.Equal(t, false, ok)
} }
func TestProcessCookieRefreshNotSet(t *testing.T) {
pc_test := NewProcessCookieTest()
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
pc_test.req.AddCookie(cookie)
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, true, ok)
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
}
func TestProcessCookieRefresh(t *testing.T) {
pc_test := NewProcessCookieTest()
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
pc_test.req.AddCookie(cookie)
pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, true, ok)
assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
}

View File

@ -26,6 +26,7 @@ type Options struct {
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"` CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"` CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"` CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
@ -61,6 +62,7 @@ func NewOptions() *Options {
CookieSecure: true, CookieSecure: true,
CookieHttpOnly: true, CookieHttpOnly: true,
CookieExpire: time.Duration(168) * time.Hour, CookieExpire: time.Duration(168) * time.Hour,
CookieRefresh: time.Duration(0),
PassBasicAuth: true, PassBasicAuth: true,
PassAccessToken: false, PassAccessToken: false,
PassHostHeader: true, PassHostHeader: true,