mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-02-03 13:21:51 +02:00
Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4 Assumes ciphers are now mandatory per #414. Cookie & Redis sessions can fallback to V5 style JSON in error cases. TODO: session_state.go unit tests & new unit tests for Legacy fallback scenarios. * Only compress encoded sessions with Cookie Store * Cleanup msgpack + lz4 error handling * Change NewBase64Cipher to take in an existing Cipher * Add msgpack & lz4 session state tests * Add required options for oauthproxy tests More aggressively assert.NoError on all validation.Validate(opts) calls to enforce legal options in all our tests. Add additional NoError checks wherever error return values were ignored. * Remove support for uncompressed session state fields * Improve error verbosity & add session state tests * Ensure all marshalled sessions are valid Invalid CFB decryptions can result in garbage data that 1/100 times might cause message pack unmarshal to not fail and instead return an empty session. This adds more rigor to make sure legacy sessions cause appropriate errors. * Add tests for legacy V5 session decoding Refactor common legacy JSON test cases to a legacy helpers area under session store tests. * Make ValidateSession a struct method & add CHANGELOG entry * Improve SessionState error & comments verbosity * Move legacy session test helpers to sessions pkg Placing these helpers under the sessions pkg removed all the circular import uses in housing it under the session store area. * Improve SignatureAuthenticator test helper formatting * Make redis.legacyV5DecodeSession internal * Make LegacyV5TestCase test table public for linter
This commit is contained in:
parent
dd36138965
commit
a09eecc6a2
@ -4,10 +4,14 @@
|
||||
|
||||
## Important Notes
|
||||
|
||||
- [#632](https://github.com/oauth2-proxy/oauth2-proxy/pull/632) There is backwards compatibility to sessions from v5
|
||||
- Any unencrypted sessions from before v5 that only contained a Username & Email will trigger a reauthentication
|
||||
|
||||
## Breaking Changes
|
||||
|
||||
## Changes since v6.0.0
|
||||
|
||||
- [#632](https://github.com/oauth2-proxy/oauth2-proxy/pull/632) Reduce session size by encoding with MessagePack and using LZ4 compression (@NickMeves)
|
||||
- [#675](https://github.com/oauth2-proxy/oauth2-proxy/pull/675) Fix required ruby version and deprecated option for building docs (@mkontani)
|
||||
- [#669](https://github.com/oauth2-proxy/oauth2-proxy/pull/669) Reduce docker context to improve build times (@JoelSpeed)
|
||||
- [#668](https://github.com/oauth2-proxy/oauth2-proxy/pull/668) Use req.Host in --force-https when req.URL.Host is empty (@zucaritask)
|
||||
|
9
go.mod
9
go.mod
@ -9,23 +9,24 @@ require (
|
||||
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
|
||||
github.com/coreos/go-oidc v2.2.1+incompatible
|
||||
github.com/dgrijalva/jwt-go v3.2.0+incompatible
|
||||
github.com/frankban/quicktest v1.10.0 // indirect
|
||||
github.com/fsnotify/fsnotify v1.4.9
|
||||
github.com/go-redis/redis/v7 v7.2.0
|
||||
github.com/justinas/alice v1.2.0
|
||||
github.com/kr/pretty v0.2.0 // indirect
|
||||
github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa
|
||||
github.com/mitchellh/mapstructure v1.1.2
|
||||
github.com/onsi/ginkgo v1.12.0
|
||||
github.com/onsi/gomega v1.9.0
|
||||
github.com/pierrec/lz4 v2.5.2+incompatible
|
||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
|
||||
github.com/spf13/pflag v1.0.3
|
||||
github.com/spf13/viper v1.6.3
|
||||
github.com/stretchr/testify v1.5.1
|
||||
github.com/vmihailenco/msgpack/v4 v4.3.11
|
||||
github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
|
||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
|
||||
golang.org/x/net v0.0.0-20200301022130-244492dfa37a
|
||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect
|
||||
google.golang.org/api v0.20.0
|
||||
gopkg.in/natefinch/lumberjack.v2 v2.0.0
|
||||
gopkg.in/square/go-jose.v2 v2.4.1
|
||||
|
23
go.sum
23
go.sum
@ -47,6 +47,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
|
||||
github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
|
||||
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||
github.com/frankban/quicktest v1.10.0 h1:Gfh+GAJZOAoKZsIZeZbdn2JF10kN1XHNvjsvQK8gVkE=
|
||||
github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y=
|
||||
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
|
||||
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||
github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
|
||||
@ -69,6 +71,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
|
||||
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
|
||||
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.4 h1:87PNWwrRvUSnqS4dlcBU/ftvOIBep4sYuBLlh6rX2wk=
|
||||
github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
|
||||
github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3 h1:6amM4HsNPOvMLVc2ZnyqrjeQ92YAVWn7T4WBKK87inY=
|
||||
github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
|
||||
github.com/gomodule/redigo v1.8.1 h1:Abmo0bI7Xf0IhdIPc7HZQzZcShdnmxeoVuDDtIQp8N8=
|
||||
@ -78,6 +82,8 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ
|
||||
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||
github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
|
||||
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
|
||||
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
|
||||
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||
@ -142,6 +148,8 @@ github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
|
||||
github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
|
||||
github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
|
||||
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
|
||||
github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI=
|
||||
github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
|
||||
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
@ -184,6 +192,10 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
|
||||
github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
|
||||
github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
|
||||
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
|
||||
github.com/vmihailenco/msgpack/v4 v4.3.11 h1:Q47CePddpNGNhk4GCnAx9DDtASi2rasatE0cd26cZoE=
|
||||
github.com/vmihailenco/msgpack/v4 v4.3.11/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
|
||||
github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
|
||||
github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
|
||||
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
|
||||
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
|
||||
github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997 h1:1+FQ4Ns+UZtUiQ4lP0sTCyKSQ0EXoiwAdHZB0Pd5t9Q=
|
||||
@ -201,8 +213,6 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
|
||||
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
||||
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
|
||||
@ -217,14 +227,14 @@ golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73r
|
||||
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
|
||||
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||
golang.org/x/net v0.0.0-20190923162816-aa69164e4478 h1:l5EDrHhldLYb3ZRHDUhXF7Om7MvYXnkV9/iQNo1lX6g=
|
||||
golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8=
|
||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
|
||||
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
|
||||
@ -243,7 +253,6 @@ golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5h
|
||||
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
|
||||
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
@ -276,6 +285,8 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
|
||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
|
||||
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
|
||||
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
|
||||
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
|
File diff suppressed because it is too large
Load Diff
87
pkg/apis/sessions/legacy_v5_tester.go
Normal file
87
pkg/apis/sessions/legacy_v5_tester.go
Normal file
@ -0,0 +1,87 @@
|
||||
package sessions
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
// LegacyV5TestCase provides V5 JSON based test cases for legacy fallback code
|
||||
type LegacyV5TestCase struct {
|
||||
Input string
|
||||
Error bool
|
||||
Output *SessionState
|
||||
}
|
||||
|
||||
// CreateLegacyV5TestCases makes various V5 JSON sessions as test cases
|
||||
//
|
||||
// Used for `apis/sessions/session_state_test.go` & `sessions/redis/redis_store_test.go`
|
||||
//
|
||||
// TODO: Remove when this is deprecated (likely V7)
|
||||
func CreateLegacyV5TestCases(t *testing.T) (map[string]LegacyV5TestCase, encryption.Cipher, encryption.Cipher) {
|
||||
const secret = "0123456789abcdefghijklmnopqrstuv"
|
||||
|
||||
created := time.Now()
|
||||
createdJSON, err := created.MarshalJSON()
|
||||
assert.NoError(t, err)
|
||||
createdString := string(createdJSON)
|
||||
e := time.Now().Add(time.Duration(1) * time.Hour)
|
||||
eJSON, err := e.MarshalJSON()
|
||||
assert.NoError(t, err)
|
||||
eString := string(eJSON)
|
||||
|
||||
cfbCipher, err := encryption.NewCFBCipher([]byte(secret))
|
||||
assert.NoError(t, err)
|
||||
legacyCipher := encryption.NewBase64Cipher(cfbCipher)
|
||||
|
||||
testCases := map[string]LegacyV5TestCase{
|
||||
"User & email unencrypted": {
|
||||
Input: `{"Email":"user@domain.com","User":"just-user"}`,
|
||||
Error: true,
|
||||
},
|
||||
"Only email unencrypted": {
|
||||
Input: `{"Email":"user@domain.com"}`,
|
||||
Error: true,
|
||||
},
|
||||
"Just user unencrypted": {
|
||||
Input: `{"User":"just-user"}`,
|
||||
Error: true,
|
||||
},
|
||||
"User and Email unencrypted while rest is encrypted": {
|
||||
Input: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","CreatedAt":%s,"ExpiresOn":%s}`, createdString, eString),
|
||||
Error: true,
|
||||
},
|
||||
"Full session with cipher": {
|
||||
Input: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","CreatedAt":%s,"ExpiresOn":%s}`, createdString, eString),
|
||||
Output: &SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
AccessToken: "token1234",
|
||||
IDToken: "rawtoken1234",
|
||||
CreatedAt: &created,
|
||||
ExpiresOn: &e,
|
||||
RefreshToken: "refresh4321",
|
||||
},
|
||||
},
|
||||
"Minimal session encrypted with cipher": {
|
||||
Input: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
|
||||
Output: &SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
},
|
||||
},
|
||||
"Unencrypted User, Email and AccessToken": {
|
||||
Input: `{"Email":"user@domain.com","User":"just-user","AccessToken":"X"}`,
|
||||
Error: true,
|
||||
},
|
||||
"Unencrypted User, Email and IDToken": {
|
||||
Input: `{"Email":"user@domain.com","User":"just-user","IDToken":"XXXX"}`,
|
||||
Error: true,
|
||||
},
|
||||
}
|
||||
|
||||
return testCases, cfbCipher, legacyCipher
|
||||
}
|
@ -1,25 +1,30 @@
|
||||
package sessions
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"time"
|
||||
"unicode/utf8"
|
||||
|
||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
||||
"github.com/pierrec/lz4"
|
||||
"github.com/vmihailenco/msgpack/v4"
|
||||
)
|
||||
|
||||
// SessionState is used to store information about the currently authenticated user session
|
||||
type SessionState struct {
|
||||
AccessToken string `json:",omitempty"`
|
||||
IDToken string `json:",omitempty"`
|
||||
CreatedAt *time.Time `json:",omitempty"`
|
||||
ExpiresOn *time.Time `json:",omitempty"`
|
||||
RefreshToken string `json:",omitempty"`
|
||||
Email string `json:",omitempty"`
|
||||
User string `json:",omitempty"`
|
||||
PreferredUsername string `json:",omitempty"`
|
||||
AccessToken string `json:",omitempty" msgpack:"at,omitempty"`
|
||||
IDToken string `json:",omitempty" msgpack:"it,omitempty"`
|
||||
CreatedAt *time.Time `json:",omitempty" msgpack:"ca,omitempty"`
|
||||
ExpiresOn *time.Time `json:",omitempty" msgpack:"eo,omitempty"`
|
||||
RefreshToken string `json:",omitempty" msgpack:"rt,omitempty"`
|
||||
Email string `json:",omitempty" msgpack:"e,omitempty"`
|
||||
User string `json:",omitempty" msgpack:"u,omitempty"`
|
||||
PreferredUsername string `json:",omitempty" msgpack:"pu,omitempty"`
|
||||
}
|
||||
|
||||
// IsExpired checks whether the session has expired
|
||||
@ -59,78 +64,79 @@ func (s *SessionState) String() string {
|
||||
return o + "}"
|
||||
}
|
||||
|
||||
// EncodeSessionState returns string representation of the current session
|
||||
func (s *SessionState) EncodeSessionState(c encryption.Cipher) (string, error) {
|
||||
var ss SessionState
|
||||
if c == nil {
|
||||
// Store only Email and User when cipher is unavailable
|
||||
ss.Email = s.Email
|
||||
ss.User = s.User
|
||||
ss.PreferredUsername = s.PreferredUsername
|
||||
} else {
|
||||
ss = *s
|
||||
for _, s := range []*string{
|
||||
&ss.Email,
|
||||
&ss.User,
|
||||
&ss.PreferredUsername,
|
||||
&ss.AccessToken,
|
||||
&ss.IDToken,
|
||||
&ss.RefreshToken,
|
||||
} {
|
||||
err := into(s, c.Encrypt)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
// EncodeSessionState returns an encrypted, lz4 compressed, MessagePack encoded session
|
||||
func (s *SessionState) EncodeSessionState(c encryption.Cipher, compress bool) ([]byte, error) {
|
||||
packed, err := msgpack.Marshal(s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error marshalling session state to msgpack: %w", err)
|
||||
}
|
||||
|
||||
if !compress {
|
||||
return c.Encrypt(packed)
|
||||
}
|
||||
|
||||
compressed, err := lz4Compress(packed)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return c.Encrypt(compressed)
|
||||
}
|
||||
|
||||
// DecodeSessionState decodes a LZ4 compressed MessagePack into a Session State
|
||||
func DecodeSessionState(data []byte, c encryption.Cipher, compressed bool) (*SessionState, error) {
|
||||
decrypted, err := c.Decrypt(data)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error decrypting the session state: %w", err)
|
||||
}
|
||||
|
||||
packed := decrypted
|
||||
if compressed {
|
||||
packed, err = lz4Decompress(decrypted)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
b, err := json.Marshal(ss)
|
||||
return string(b), err
|
||||
var ss SessionState
|
||||
err = msgpack.Unmarshal(packed, &ss)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshalling data to session state: %w", err)
|
||||
}
|
||||
|
||||
err = ss.validate()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &ss, nil
|
||||
}
|
||||
|
||||
// DecodeSessionState decodes the session cookie string into a SessionState
|
||||
func DecodeSessionState(v string, c encryption.Cipher) (*SessionState, error) {
|
||||
// LegacyV5DecodeSessionState decodes a legacy JSON session cookie string into a SessionState
|
||||
func LegacyV5DecodeSessionState(v string, c encryption.Cipher) (*SessionState, error) {
|
||||
var ss SessionState
|
||||
err := json.Unmarshal([]byte(v), &ss)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshalling session: %w", err)
|
||||
}
|
||||
|
||||
if c == nil {
|
||||
// Load only Email and User when cipher is unavailable
|
||||
ss = SessionState{
|
||||
Email: ss.Email,
|
||||
User: ss.User,
|
||||
PreferredUsername: ss.PreferredUsername,
|
||||
}
|
||||
} else {
|
||||
// Backward compatibility with using unencrypted Email or User
|
||||
// Decryption errors will leave original string
|
||||
err = into(&ss.Email, c.Decrypt)
|
||||
if err == nil {
|
||||
if !utf8.ValidString(ss.Email) {
|
||||
return nil, errors.New("invalid value for decrypted email")
|
||||
}
|
||||
}
|
||||
err = into(&ss.User, c.Decrypt)
|
||||
if err == nil {
|
||||
if !utf8.ValidString(ss.User) {
|
||||
return nil, errors.New("invalid value for decrypted user")
|
||||
}
|
||||
}
|
||||
|
||||
for _, s := range []*string{
|
||||
&ss.PreferredUsername,
|
||||
&ss.AccessToken,
|
||||
&ss.IDToken,
|
||||
&ss.RefreshToken,
|
||||
} {
|
||||
err := into(s, c.Decrypt)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
for _, s := range []*string{
|
||||
&ss.User,
|
||||
&ss.Email,
|
||||
&ss.PreferredUsername,
|
||||
&ss.AccessToken,
|
||||
&ss.IDToken,
|
||||
&ss.RefreshToken,
|
||||
} {
|
||||
err := into(s, c.Decrypt)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
err = ss.validate()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &ss, nil
|
||||
}
|
||||
|
||||
@ -150,3 +156,86 @@ func into(s *string, f codecFunc) error {
|
||||
*s = string(d)
|
||||
return nil
|
||||
}
|
||||
|
||||
// lz4Compress compresses with LZ4
|
||||
//
|
||||
// The Compress:Decompress ratio is 1:Many. LZ4 gives fastest decompress speeds
|
||||
// at the expense of greater compression compared to other compression
|
||||
// algorithms.
|
||||
func lz4Compress(payload []byte) ([]byte, error) {
|
||||
buf := new(bytes.Buffer)
|
||||
zw := lz4.NewWriter(nil)
|
||||
zw.Header = lz4.Header{
|
||||
BlockMaxSize: 65536,
|
||||
CompressionLevel: 0,
|
||||
}
|
||||
zw.Reset(buf)
|
||||
|
||||
reader := bytes.NewReader(payload)
|
||||
_, err := io.Copy(zw, reader)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error copying lz4 stream to buffer: %w", err)
|
||||
}
|
||||
err = zw.Close()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error closing lz4 writer: %w", err)
|
||||
}
|
||||
|
||||
compressed, err := ioutil.ReadAll(buf)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading lz4 buffer: %w", err)
|
||||
}
|
||||
|
||||
return compressed, nil
|
||||
}
|
||||
|
||||
// lz4Decompress decompresses with LZ4
|
||||
func lz4Decompress(compressed []byte) ([]byte, error) {
|
||||
reader := bytes.NewReader(compressed)
|
||||
buf := new(bytes.Buffer)
|
||||
zr := lz4.NewReader(nil)
|
||||
zr.Reset(reader)
|
||||
_, err := io.Copy(buf, zr)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error copying lz4 stream to buffer: %w", err)
|
||||
}
|
||||
|
||||
payload, err := ioutil.ReadAll(buf)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading lz4 buffer: %w", err)
|
||||
}
|
||||
|
||||
return payload, nil
|
||||
}
|
||||
|
||||
// validate ensures the decoded session is non-empty and contains valid data
|
||||
//
|
||||
// Non-empty check is needed due to ensure the non-authenticated AES-CFB
|
||||
// decryption doesn't result in garbage data that collides with a valid
|
||||
// MessagePack header bytes (which MessagePack will unmarshal to an empty
|
||||
// default SessionState). <1% chance, but observed with random test data.
|
||||
//
|
||||
// UTF-8 check ensures the strings are valid and not raw bytes overloaded
|
||||
// into Latin-1 encoding. The occurs when legacy unencrypted fields are
|
||||
// decrypted with AES-CFB which results in random bytes.
|
||||
func (s *SessionState) validate() error {
|
||||
for _, field := range []string{
|
||||
s.User,
|
||||
s.Email,
|
||||
s.PreferredUsername,
|
||||
s.AccessToken,
|
||||
s.IDToken,
|
||||
s.RefreshToken,
|
||||
} {
|
||||
if !utf8.ValidString(field) {
|
||||
return errors.New("invalid non-UTF8 field in session")
|
||||
}
|
||||
}
|
||||
|
||||
empty := new(SessionState)
|
||||
if *s == *empty {
|
||||
return errors.New("invalid empty session unmarshalled")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@ -12,132 +12,11 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
const secret = "0123456789abcdefghijklmnopqrstuv"
|
||||
const altSecret = "0000000000abcdefghijklmnopqrstuv"
|
||||
|
||||
func timePtr(t time.Time) *time.Time {
|
||||
return &t
|
||||
}
|
||||
|
||||
func newTestCipher(secret []byte) (encryption.Cipher, error) {
|
||||
return encryption.NewBase64Cipher(encryption.NewCFBCipher, secret)
|
||||
}
|
||||
|
||||
func TestSessionStateSerialization(t *testing.T) {
|
||||
c, err := newTestCipher([]byte(secret))
|
||||
assert.Equal(t, nil, err)
|
||||
c2, err := newTestCipher([]byte(altSecret))
|
||||
assert.Equal(t, nil, err)
|
||||
s := &SessionState{
|
||||
Email: "user@domain.com",
|
||||
PreferredUsername: "user",
|
||||
AccessToken: "token1234",
|
||||
IDToken: "rawtoken1234",
|
||||
CreatedAt: timePtr(time.Now()),
|
||||
ExpiresOn: timePtr(time.Now().Add(time.Duration(1) * time.Hour)),
|
||||
RefreshToken: "refresh4321",
|
||||
}
|
||||
encoded, err := s.EncodeSessionState(c)
|
||||
assert.Equal(t, nil, err)
|
||||
|
||||
ss, err := DecodeSessionState(encoded, c)
|
||||
t.Logf("%#v", ss)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, "", ss.User)
|
||||
assert.Equal(t, s.Email, ss.Email)
|
||||
assert.Equal(t, s.PreferredUsername, ss.PreferredUsername)
|
||||
assert.Equal(t, s.AccessToken, ss.AccessToken)
|
||||
assert.Equal(t, s.IDToken, ss.IDToken)
|
||||
assert.Equal(t, s.CreatedAt.Unix(), ss.CreatedAt.Unix())
|
||||
assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
|
||||
assert.Equal(t, s.RefreshToken, ss.RefreshToken)
|
||||
|
||||
// ensure a different cipher can't decode properly (ie: it gets gibberish)
|
||||
ss, err = DecodeSessionState(encoded, c2)
|
||||
t.Logf("%#v", ss)
|
||||
assert.NotEqual(t, nil, err)
|
||||
}
|
||||
|
||||
func TestSessionStateSerializationWithUser(t *testing.T) {
|
||||
c, err := newTestCipher([]byte(secret))
|
||||
assert.Equal(t, nil, err)
|
||||
c2, err := newTestCipher([]byte(altSecret))
|
||||
assert.Equal(t, nil, err)
|
||||
s := &SessionState{
|
||||
User: "just-user",
|
||||
PreferredUsername: "ju",
|
||||
Email: "user@domain.com",
|
||||
AccessToken: "token1234",
|
||||
CreatedAt: timePtr(time.Now()),
|
||||
ExpiresOn: timePtr(time.Now().Add(time.Duration(1) * time.Hour)),
|
||||
RefreshToken: "refresh4321",
|
||||
}
|
||||
encoded, err := s.EncodeSessionState(c)
|
||||
assert.Equal(t, nil, err)
|
||||
|
||||
ss, err := DecodeSessionState(encoded, c)
|
||||
t.Logf("%#v", ss)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, s.User, ss.User)
|
||||
assert.Equal(t, s.Email, ss.Email)
|
||||
assert.Equal(t, s.PreferredUsername, ss.PreferredUsername)
|
||||
assert.Equal(t, s.AccessToken, ss.AccessToken)
|
||||
assert.Equal(t, s.CreatedAt.Unix(), ss.CreatedAt.Unix())
|
||||
assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
|
||||
assert.Equal(t, s.RefreshToken, ss.RefreshToken)
|
||||
|
||||
// ensure a different cipher can't decode properly (ie: it gets gibberish)
|
||||
ss, err = DecodeSessionState(encoded, c2)
|
||||
t.Logf("%#v", ss)
|
||||
assert.NotEqual(t, nil, err)
|
||||
}
|
||||
|
||||
func TestSessionStateSerializationNoCipher(t *testing.T) {
|
||||
s := &SessionState{
|
||||
Email: "user@domain.com",
|
||||
PreferredUsername: "user",
|
||||
AccessToken: "token1234",
|
||||
CreatedAt: timePtr(time.Now()),
|
||||
ExpiresOn: timePtr(time.Now().Add(time.Duration(1) * time.Hour)),
|
||||
RefreshToken: "refresh4321",
|
||||
}
|
||||
encoded, err := s.EncodeSessionState(nil)
|
||||
assert.Equal(t, nil, err)
|
||||
|
||||
// only email should have been serialized
|
||||
ss, err := DecodeSessionState(encoded, nil)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, "", ss.User)
|
||||
assert.Equal(t, s.Email, ss.Email)
|
||||
assert.Equal(t, s.PreferredUsername, ss.PreferredUsername)
|
||||
assert.Equal(t, "", ss.AccessToken)
|
||||
assert.Equal(t, "", ss.RefreshToken)
|
||||
}
|
||||
|
||||
func TestSessionStateSerializationNoCipherWithUser(t *testing.T) {
|
||||
s := &SessionState{
|
||||
User: "just-user",
|
||||
Email: "user@domain.com",
|
||||
PreferredUsername: "user",
|
||||
AccessToken: "token1234",
|
||||
CreatedAt: timePtr(time.Now()),
|
||||
ExpiresOn: timePtr(time.Now().Add(time.Duration(1) * time.Hour)),
|
||||
RefreshToken: "refresh4321",
|
||||
}
|
||||
encoded, err := s.EncodeSessionState(nil)
|
||||
assert.Equal(t, nil, err)
|
||||
|
||||
// only email should have been serialized
|
||||
ss, err := DecodeSessionState(encoded, nil)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, s.User, ss.User)
|
||||
assert.Equal(t, s.Email, ss.Email)
|
||||
assert.Equal(t, s.PreferredUsername, ss.PreferredUsername)
|
||||
assert.Equal(t, "", ss.AccessToken)
|
||||
assert.Equal(t, "", ss.RefreshToken)
|
||||
}
|
||||
|
||||
func TestExpired(t *testing.T) {
|
||||
func TestIsExpired(t *testing.T) {
|
||||
s := &SessionState{ExpiresOn: timePtr(time.Now().Add(time.Duration(-1) * time.Minute))}
|
||||
assert.Equal(t, true, s.IsExpired())
|
||||
|
||||
@ -148,161 +27,7 @@ func TestExpired(t *testing.T) {
|
||||
assert.Equal(t, false, s.IsExpired())
|
||||
}
|
||||
|
||||
type testCase struct {
|
||||
SessionState
|
||||
Encoded string
|
||||
Cipher encryption.Cipher
|
||||
Error bool
|
||||
}
|
||||
|
||||
// TestEncodeSessionState tests EncodeSessionState with the test vector
|
||||
//
|
||||
// Currently only tests without cipher here because we have no way to mock
|
||||
// the random generator used in EncodeSessionState.
|
||||
func TestEncodeSessionState(t *testing.T) {
|
||||
c := time.Now()
|
||||
e := time.Now().Add(time.Duration(1) * time.Hour)
|
||||
|
||||
testCases := []testCase{
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
},
|
||||
Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
AccessToken: "token1234",
|
||||
IDToken: "rawtoken1234",
|
||||
CreatedAt: &c,
|
||||
ExpiresOn: &e,
|
||||
RefreshToken: "refresh4321",
|
||||
},
|
||||
Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
|
||||
},
|
||||
}
|
||||
|
||||
for i, tc := range testCases {
|
||||
encoded, err := tc.EncodeSessionState(tc.Cipher)
|
||||
t.Logf("i:%d Encoded:%#vSessionState:%#v Error:%#v", i, encoded, tc.SessionState, err)
|
||||
if tc.Error {
|
||||
assert.Error(t, err)
|
||||
assert.Empty(t, encoded)
|
||||
continue
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
assert.JSONEq(t, tc.Encoded, encoded)
|
||||
}
|
||||
}
|
||||
|
||||
// TestDecodeSessionState testssessions.DecodeSessionState with the test vector
|
||||
func TestDecodeSessionState(t *testing.T) {
|
||||
created := time.Now()
|
||||
createdJSON, _ := created.MarshalJSON()
|
||||
createdString := string(createdJSON)
|
||||
e := time.Now().Add(time.Duration(1) * time.Hour)
|
||||
eJSON, _ := e.MarshalJSON()
|
||||
eString := string(eJSON)
|
||||
|
||||
c, err := newTestCipher([]byte(secret))
|
||||
assert.NoError(t, err)
|
||||
|
||||
testCases := []testCase{
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
},
|
||||
Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "",
|
||||
},
|
||||
Encoded: `{"Email":"user@domain.com"}`,
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
User: "just-user",
|
||||
},
|
||||
Encoded: `{"User":"just-user"}`,
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
},
|
||||
Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","CreatedAt":%s,"ExpiresOn":%s}`, createdString, eString),
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
AccessToken: "token1234",
|
||||
IDToken: "rawtoken1234",
|
||||
CreatedAt: &created,
|
||||
ExpiresOn: &e,
|
||||
RefreshToken: "refresh4321",
|
||||
},
|
||||
Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","CreatedAt":%s,"ExpiresOn":%s}`, createdString, eString),
|
||||
Cipher: c,
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
},
|
||||
Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
|
||||
Cipher: c,
|
||||
},
|
||||
{
|
||||
Encoded: `{"Email":"user@domain.com","User":"just-user","AccessToken":"X"}`,
|
||||
Cipher: c,
|
||||
Error: true,
|
||||
},
|
||||
{
|
||||
Encoded: `{"Email":"user@domain.com","User":"just-user","IDToken":"XXXX"}`,
|
||||
Cipher: c,
|
||||
Error: true,
|
||||
},
|
||||
{
|
||||
SessionState: SessionState{
|
||||
Email: "user@domain.com",
|
||||
User: "YmFzZTY0LWVuY29kZWQtdXNlcgo=", // Base64 encoding of base64-encoded-user
|
||||
},
|
||||
Error: true,
|
||||
Cipher: c,
|
||||
},
|
||||
}
|
||||
|
||||
for i, tc := range testCases {
|
||||
ss, err := DecodeSessionState(tc.Encoded, tc.Cipher)
|
||||
t.Logf("i:%d Encoded:%#vSessionState:%#v Error:%#v", i, tc.Encoded, ss, err)
|
||||
if tc.Error {
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, ss)
|
||||
continue
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
if assert.NotNil(t, ss) {
|
||||
assert.Equal(t, tc.User, ss.User)
|
||||
assert.Equal(t, tc.Email, ss.Email)
|
||||
assert.Equal(t, tc.AccessToken, ss.AccessToken)
|
||||
assert.Equal(t, tc.RefreshToken, ss.RefreshToken)
|
||||
assert.Equal(t, tc.IDToken, ss.IDToken)
|
||||
if tc.ExpiresOn != nil {
|
||||
assert.NotEqual(t, nil, ss.ExpiresOn)
|
||||
assert.Equal(t, tc.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionStateAge(t *testing.T) {
|
||||
func TestAge(t *testing.T) {
|
||||
ss := &SessionState{}
|
||||
|
||||
// Created at unset so should be 0
|
||||
@ -313,7 +38,149 @@ func TestSessionStateAge(t *testing.T) {
|
||||
assert.Equal(t, time.Hour, ss.Age().Round(time.Minute))
|
||||
}
|
||||
|
||||
func TestIntoEncryptAndIntoDecrypt(t *testing.T) {
|
||||
// TestEncodeAndDecodeSessionState encodes & decodes various session states
|
||||
// and confirms the operation is 1:1
|
||||
func TestEncodeAndDecodeSessionState(t *testing.T) {
|
||||
created := time.Now()
|
||||
expires := time.Now().Add(time.Duration(1) * time.Hour)
|
||||
|
||||
// Tokens in the test table are purposefully redundant
|
||||
// Otherwise compressing small payloads could result in a compressed value
|
||||
// that is larger (compression dictionary + limited like strings to compress)
|
||||
// which breaks the len(compressed) < len(uncompressed) assertion.
|
||||
testCases := map[string]SessionState{
|
||||
"Full session": {
|
||||
Email: "username@example.com",
|
||||
User: "username",
|
||||
PreferredUsername: "preferred.username",
|
||||
AccessToken: "AccessToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
CreatedAt: &created,
|
||||
ExpiresOn: &expires,
|
||||
RefreshToken: "RefreshToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
},
|
||||
"No ExpiresOn": {
|
||||
Email: "username@example.com",
|
||||
User: "username",
|
||||
PreferredUsername: "preferred.username",
|
||||
AccessToken: "AccessToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
CreatedAt: &created,
|
||||
RefreshToken: "RefreshToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
},
|
||||
"No PreferredUsername": {
|
||||
Email: "username@example.com",
|
||||
User: "username",
|
||||
AccessToken: "AccessToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
CreatedAt: &created,
|
||||
ExpiresOn: &expires,
|
||||
RefreshToken: "RefreshToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
},
|
||||
"Minimal session": {
|
||||
User: "username",
|
||||
IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
CreatedAt: &created,
|
||||
RefreshToken: "RefreshToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
},
|
||||
"Bearer authorization header created session": {
|
||||
Email: "username",
|
||||
User: "username",
|
||||
AccessToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
IDToken: "IDToken.12349871293847fdsaihf9238h4f91h8fr.1349f831y98fd7",
|
||||
ExpiresOn: &expires,
|
||||
},
|
||||
}
|
||||
|
||||
for _, secretSize := range []int{16, 24, 32} {
|
||||
t.Run(fmt.Sprintf("%d byte secret", secretSize), func(t *testing.T) {
|
||||
secret := make([]byte, secretSize)
|
||||
_, err := io.ReadFull(rand.Reader, secret)
|
||||
assert.NoError(t, err)
|
||||
|
||||
cfb, err := encryption.NewCFBCipher([]byte(secret))
|
||||
assert.NoError(t, err)
|
||||
gcm, err := encryption.NewGCMCipher([]byte(secret))
|
||||
assert.NoError(t, err)
|
||||
|
||||
ciphers := map[string]encryption.Cipher{
|
||||
"CFB cipher": cfb,
|
||||
"GCM cipher": gcm,
|
||||
}
|
||||
|
||||
for cipherName, c := range ciphers {
|
||||
t.Run(cipherName, func(t *testing.T) {
|
||||
for testName, ss := range testCases {
|
||||
t.Run(testName, func(t *testing.T) {
|
||||
encoded, err := ss.EncodeSessionState(c, false)
|
||||
assert.NoError(t, err)
|
||||
encodedCompressed, err := ss.EncodeSessionState(c, true)
|
||||
assert.NoError(t, err)
|
||||
// Make sure compressed version is smaller than if not compressed
|
||||
assert.Greater(t, len(encoded), len(encodedCompressed))
|
||||
|
||||
decoded, err := DecodeSessionState(encoded, c, false)
|
||||
assert.NoError(t, err)
|
||||
decodedCompressed, err := DecodeSessionState(encodedCompressed, c, true)
|
||||
assert.NoError(t, err)
|
||||
|
||||
compareSessionStates(t, decoded, decodedCompressed)
|
||||
compareSessionStates(t, decoded, &ss)
|
||||
})
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
t.Run("Mixed cipher types cause errors", func(t *testing.T) {
|
||||
for testName, ss := range testCases {
|
||||
t.Run(testName, func(t *testing.T) {
|
||||
cfbEncoded, err := ss.EncodeSessionState(cfb, false)
|
||||
assert.NoError(t, err)
|
||||
_, err = DecodeSessionState(cfbEncoded, gcm, false)
|
||||
assert.Error(t, err)
|
||||
|
||||
gcmEncoded, err := ss.EncodeSessionState(gcm, false)
|
||||
assert.NoError(t, err)
|
||||
_, err = DecodeSessionState(gcmEncoded, cfb, false)
|
||||
assert.Error(t, err)
|
||||
})
|
||||
}
|
||||
})
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestLegacyV5DecodeSessionState confirms V5 JSON sessions decode
|
||||
//
|
||||
// TODO: Remove when this is deprecated (likely V7)
|
||||
func TestLegacyV5DecodeSessionState(t *testing.T) {
|
||||
testCases, cipher, legacyCipher := CreateLegacyV5TestCases(t)
|
||||
|
||||
for testName, tc := range testCases {
|
||||
t.Run(testName, func(t *testing.T) {
|
||||
// Legacy sessions fail in DecodeSessionState which results in
|
||||
// the fallback to LegacyV5DecodeSessionState
|
||||
_, err := DecodeSessionState([]byte(tc.Input), cipher, false)
|
||||
assert.Error(t, err)
|
||||
_, err = DecodeSessionState([]byte(tc.Input), cipher, true)
|
||||
assert.Error(t, err)
|
||||
|
||||
ss, err := LegacyV5DecodeSessionState(tc.Input, legacyCipher)
|
||||
if tc.Error {
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, ss)
|
||||
return
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
compareSessionStates(t, tc.Output, ss)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// Test_into tests the into helper function used in LegacyV5DecodeSessionState
|
||||
//
|
||||
// TODO: Remove when this is deprecated (likely V7)
|
||||
func Test_into(t *testing.T) {
|
||||
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
||||
|
||||
// Test all 3 valid AES sizes
|
||||
@ -323,8 +190,9 @@ func TestIntoEncryptAndIntoDecrypt(t *testing.T) {
|
||||
_, err := io.ReadFull(rand.Reader, secret)
|
||||
assert.Equal(t, nil, err)
|
||||
|
||||
c, err := newTestCipher(secret)
|
||||
cfb, err := encryption.NewCFBCipher(secret)
|
||||
assert.NoError(t, err)
|
||||
c := encryption.NewBase64Cipher(cfb)
|
||||
|
||||
// Check no errors with empty or nil strings
|
||||
empty := ""
|
||||
@ -353,3 +221,27 @@ func TestIntoEncryptAndIntoDecrypt(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func compareSessionStates(t *testing.T, expected *SessionState, actual *SessionState) {
|
||||
if expected.CreatedAt != nil {
|
||||
assert.NotNil(t, actual.CreatedAt)
|
||||
assert.Equal(t, true, expected.CreatedAt.Equal(*actual.CreatedAt))
|
||||
} else {
|
||||
assert.Nil(t, actual.CreatedAt)
|
||||
}
|
||||
if expected.ExpiresOn != nil {
|
||||
assert.NotNil(t, actual.ExpiresOn)
|
||||
assert.Equal(t, true, expected.ExpiresOn.Equal(*actual.ExpiresOn))
|
||||
} else {
|
||||
assert.Nil(t, actual.ExpiresOn)
|
||||
}
|
||||
|
||||
// Compare sessions without *time.Time fields
|
||||
exp := *expected
|
||||
exp.CreatedAt = nil
|
||||
exp.ExpiresOn = nil
|
||||
act := *actual
|
||||
act.CreatedAt = nil
|
||||
act.ExpiresOn = nil
|
||||
assert.Equal(t, exp, act)
|
||||
}
|
||||
|
@ -21,12 +21,8 @@ type base64Cipher struct {
|
||||
|
||||
// NewBase64Cipher returns a new AES Cipher for encrypting cookie values
|
||||
// and wrapping them in Base64 -- Supports Legacy encryption scheme
|
||||
func NewBase64Cipher(initCipher func([]byte) (Cipher, error), secret []byte) (Cipher, error) {
|
||||
c, err := initCipher(secret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &base64Cipher{Cipher: c}, nil
|
||||
func NewBase64Cipher(c Cipher) Cipher {
|
||||
return &base64Cipher{Cipher: c}
|
||||
}
|
||||
|
||||
// Encrypt encrypts a value with the embedded Cipher & Base64 encodes it
|
||||
|
@ -13,8 +13,9 @@ import (
|
||||
func TestEncodeAndDecodeAccessToken(t *testing.T) {
|
||||
const secret = "0123456789abcdefghijklmnopqrstuv"
|
||||
const token = "my access token"
|
||||
c, err := NewBase64Cipher(NewCFBCipher, []byte(secret))
|
||||
assert.Equal(t, nil, err)
|
||||
cfb, err := NewCFBCipher([]byte(secret))
|
||||
assert.NoError(t, err)
|
||||
c := NewBase64Cipher(cfb)
|
||||
|
||||
encoded, err := c.Encrypt([]byte(token))
|
||||
assert.Equal(t, nil, err)
|
||||
@ -32,8 +33,9 @@ func TestEncodeAndDecodeAccessTokenB64(t *testing.T) {
|
||||
|
||||
secret, err := base64.URLEncoding.DecodeString(secretBase64)
|
||||
assert.Equal(t, nil, err)
|
||||
c, err := NewBase64Cipher(NewCFBCipher, []byte(secret))
|
||||
assert.Equal(t, nil, err)
|
||||
cfb, err := NewCFBCipher([]byte(secret))
|
||||
assert.NoError(t, err)
|
||||
c := NewBase64Cipher(cfb)
|
||||
|
||||
encoded, err := c.Encrypt([]byte(token))
|
||||
assert.Equal(t, nil, err)
|
||||
@ -64,8 +66,7 @@ func TestEncryptAndDecrypt(t *testing.T) {
|
||||
cstd, err := initCipher(secret)
|
||||
assert.Equal(t, nil, err)
|
||||
|
||||
cb64, err := NewBase64Cipher(initCipher, secret)
|
||||
assert.Equal(t, nil, err)
|
||||
cb64 := NewBase64Cipher(cstd)
|
||||
|
||||
ciphers := map[string]Cipher{
|
||||
"Standard": cstd,
|
||||
|
@ -60,7 +60,7 @@ func (s *SessionStore) Load(req *http.Request) (*sessions.SessionState, error) {
|
||||
return nil, errors.New("cookie signature not valid")
|
||||
}
|
||||
|
||||
session, err := sessionFromCookie(string(val), s.CookieCipher)
|
||||
session, err := sessionFromCookie(val, s.CookieCipher)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -85,17 +85,26 @@ func (s *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) error {
|
||||
}
|
||||
|
||||
// cookieForSession serializes a session state for storage in a cookie
|
||||
func cookieForSession(s *sessions.SessionState, c encryption.Cipher) (string, error) {
|
||||
return s.EncodeSessionState(c)
|
||||
func cookieForSession(s *sessions.SessionState, c encryption.Cipher) ([]byte, error) {
|
||||
return s.EncodeSessionState(c, true)
|
||||
}
|
||||
|
||||
// sessionFromCookie deserializes a session from a cookie value
|
||||
func sessionFromCookie(v string, c encryption.Cipher) (s *sessions.SessionState, err error) {
|
||||
return sessions.DecodeSessionState(v, c)
|
||||
func sessionFromCookie(v []byte, c encryption.Cipher) (s *sessions.SessionState, err error) {
|
||||
ss, err := sessions.DecodeSessionState(v, c, true)
|
||||
// If anything fails (Decrypt, LZ4, MessagePack), try legacy JSON decode
|
||||
// LZ4 will likely fail for wrong header after AES-CFB spits out garbage
|
||||
// data from trying to decrypt JSON it things is ciphertext
|
||||
if err != nil {
|
||||
// Legacy used Base64 + AES CFB
|
||||
legacyCipher := encryption.NewBase64Cipher(c)
|
||||
return sessions.LegacyV5DecodeSessionState(string(v), legacyCipher)
|
||||
}
|
||||
return ss, nil
|
||||
}
|
||||
|
||||
// setSessionCookie adds the user's session cookie to the response
|
||||
func (s *SessionStore) setSessionCookie(rw http.ResponseWriter, req *http.Request, val string, created time.Time) {
|
||||
func (s *SessionStore) setSessionCookie(rw http.ResponseWriter, req *http.Request, val []byte, created time.Time) {
|
||||
for _, c := range s.makeSessionCookie(req, val, created) {
|
||||
http.SetCookie(rw, c)
|
||||
}
|
||||
@ -103,12 +112,12 @@ func (s *SessionStore) setSessionCookie(rw http.ResponseWriter, req *http.Reques
|
||||
|
||||
// makeSessionCookie creates an http.Cookie containing the authenticated user's
|
||||
// authentication details
|
||||
func (s *SessionStore) makeSessionCookie(req *http.Request, value string, now time.Time) []*http.Cookie {
|
||||
if value != "" {
|
||||
value = encryption.SignedValue(s.Cookie.Secret, s.Cookie.Name, []byte(value), now)
|
||||
func (s *SessionStore) makeSessionCookie(req *http.Request, value []byte, now time.Time) []*http.Cookie {
|
||||
strValue := string(value)
|
||||
if strValue != "" {
|
||||
strValue = encryption.SignedValue(s.Cookie.Secret, s.Cookie.Name, value, now)
|
||||
}
|
||||
c := s.makeCookie(req, s.Cookie.Name, value, s.Cookie.Expire, now)
|
||||
|
||||
c := s.makeCookie(req, s.Cookie.Name, strValue, s.Cookie.Expire, now)
|
||||
if len(c.String()) > maxCookieLength {
|
||||
return splitCookie(c)
|
||||
}
|
||||
@ -129,7 +138,7 @@ func (s *SessionStore) makeCookie(req *http.Request, name string, value string,
|
||||
// NewCookieSessionStore initialises a new instance of the SessionStore from
|
||||
// the configuration given
|
||||
func NewCookieSessionStore(opts *options.SessionOptions, cookieOpts *options.Cookie) (sessions.SessionStore, error) {
|
||||
cipher, err := encryption.NewBase64Cipher(encryption.NewCFBCipher, encryption.SecretBytes(cookieOpts.Secret))
|
||||
cipher, err := encryption.NewCFBCipher(encryption.SecretBytes(cookieOpts.Secret))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error initialising cipher: %v", err)
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ type SessionStore struct {
|
||||
// NewRedisSessionStore initialises a new instance of the SessionStore from
|
||||
// the configuration given
|
||||
func NewRedisSessionStore(opts *options.SessionOptions, cookieOpts *options.Cookie) (sessions.SessionStore, error) {
|
||||
cipher, err := encryption.NewBase64Cipher(encryption.NewCFBCipher, encryption.SecretBytes(cookieOpts.Secret))
|
||||
cfbCipher, err := encryption.NewCFBCipher(encryption.SecretBytes(cookieOpts.Secret))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error initialising cipher: %v", err)
|
||||
}
|
||||
@ -52,7 +52,7 @@ func NewRedisSessionStore(opts *options.SessionOptions, cookieOpts *options.Cook
|
||||
|
||||
rs := &SessionStore{
|
||||
Client: client,
|
||||
CookieCipher: cipher,
|
||||
CookieCipher: cfbCipher,
|
||||
Cookie: cookieOpts,
|
||||
}
|
||||
return rs, nil
|
||||
@ -146,12 +146,8 @@ func (store *SessionStore) Save(rw http.ResponseWriter, req *http.Request, s *se
|
||||
// Old sessions that we are refreshing would have a request cookie
|
||||
// New sessions don't, so we ignore the error. storeValue will check requestCookie
|
||||
requestCookie, _ := req.Cookie(store.Cookie.Name)
|
||||
value, err := s.EncodeSessionState(store.CookieCipher)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ctx := req.Context()
|
||||
ticketString, err := store.storeValue(ctx, value, store.Cookie.Expire, requestCookie)
|
||||
ticketString, err := store.saveSession(ctx, s, store.Cookie.Expire, requestCookie)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -180,40 +176,13 @@ func (store *SessionStore) Load(req *http.Request) (*sessions.SessionState, erro
|
||||
return nil, fmt.Errorf("cookie signature not valid")
|
||||
}
|
||||
ctx := req.Context()
|
||||
session, err := store.loadSessionFromString(ctx, string(val))
|
||||
session, err := store.loadSessionFromTicket(ctx, string(val))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error loading session: %s", err)
|
||||
}
|
||||
return session, nil
|
||||
}
|
||||
|
||||
// loadSessionFromString loads the session based on the ticket value
|
||||
func (store *SessionStore) loadSessionFromString(ctx context.Context, value string) (*sessions.SessionState, error) {
|
||||
ticket, err := decodeTicket(store.Cookie.Name, value)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
resultBytes, err := store.Client.Get(ctx, ticket.asHandle(store.Cookie.Name))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
block, err := aes.NewCipher(ticket.Secret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Use secret as the IV too, because each entry has it's own key
|
||||
stream := cipher.NewCFBDecrypter(block, ticket.Secret)
|
||||
stream.XORKeyStream(resultBytes, resultBytes)
|
||||
|
||||
session, err := sessions.DecodeSessionState(string(resultBytes), store.CookieCipher)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return session, nil
|
||||
}
|
||||
|
||||
// Clear clears any saved session information for a given ticket cookie
|
||||
// from redis, and then clears the session
|
||||
func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) error {
|
||||
@ -253,6 +222,80 @@ func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) erro
|
||||
return nil
|
||||
}
|
||||
|
||||
// saveSession encodes a session with a GCM cipher & saves the data into Redis
|
||||
func (store *SessionStore) saveSession(ctx context.Context, s *sessions.SessionState, expiration time.Duration, requestCookie *http.Cookie) (string, error) {
|
||||
ticket, err := store.getTicket(requestCookie)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("error getting ticket: %v", err)
|
||||
}
|
||||
|
||||
c, err := encryption.NewGCMCipher(ticket.Secret)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("error initiating cipher block %s", err)
|
||||
}
|
||||
|
||||
// Use AES-GCM since it provides authenticated encryption
|
||||
// AES-CFB used in cookies has the cookie signing SHA to get around the lack of
|
||||
// authentication in AES-CFB
|
||||
ciphertext, err := s.EncodeSessionState(c, false)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
handle := ticket.asHandle(store.Cookie.Name)
|
||||
err = store.Client.Set(ctx, handle, ciphertext, expiration)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return ticket.encodeTicket(store.Cookie.Name), nil
|
||||
}
|
||||
|
||||
// loadSessionFromTicket loads the session based on the ticket value
|
||||
func (store *SessionStore) loadSessionFromTicket(ctx context.Context, value string) (*sessions.SessionState, error) {
|
||||
ticket, err := decodeTicket(store.Cookie.Name, value)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
resultBytes, err := store.Client.Get(ctx, ticket.asHandle(store.Cookie.Name))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
c, err := encryption.NewGCMCipher(ticket.Secret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
session, err := sessions.DecodeSessionState(resultBytes, c, false)
|
||||
if err != nil {
|
||||
// The GCM cipher will error due to a legacy JSON payload not passing
|
||||
// the authentication check part of AES GCM encryption.
|
||||
// In that case, we can attempt to fallback to try a legacy load
|
||||
legacyCipher := encryption.NewBase64Cipher(store.CookieCipher)
|
||||
return legacyV5DecodeSession(resultBytes, ticket, legacyCipher)
|
||||
}
|
||||
return session, nil
|
||||
}
|
||||
|
||||
// legacyV5DecodeSession loads the session based on the ticket value
|
||||
// This fallback uses V5 style encryption of Base64 + AES CFB
|
||||
func legacyV5DecodeSession(resultBytes []byte, ticket *TicketData, c encryption.Cipher) (*sessions.SessionState, error) {
|
||||
block, err := aes.NewCipher(ticket.Secret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Use secret as the IV too, because each entry has it's own key
|
||||
stream := cipher.NewCFBDecrypter(block, ticket.Secret)
|
||||
stream.XORKeyStream(resultBytes, resultBytes)
|
||||
|
||||
session, err := sessions.LegacyV5DecodeSessionState(string(resultBytes), c)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return session, nil
|
||||
}
|
||||
|
||||
// makeCookie makes a cookie, signing the value if present
|
||||
func (store *SessionStore) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) *http.Cookie {
|
||||
if value != "" {
|
||||
@ -268,30 +311,6 @@ func (store *SessionStore) makeCookie(req *http.Request, value string, expires t
|
||||
)
|
||||
}
|
||||
|
||||
func (store *SessionStore) storeValue(ctx context.Context, value string, expiration time.Duration, requestCookie *http.Cookie) (string, error) {
|
||||
ticket, err := store.getTicket(requestCookie)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("error getting ticket: %v", err)
|
||||
}
|
||||
|
||||
ciphertext := make([]byte, len(value))
|
||||
block, err := aes.NewCipher(ticket.Secret)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("error initiating cipher block %s", err)
|
||||
}
|
||||
|
||||
// Use secret as the Initialization Vector too, because each entry has it's own key
|
||||
stream := cipher.NewCFBEncrypter(block, ticket.Secret)
|
||||
stream.XORKeyStream(ciphertext, []byte(value))
|
||||
|
||||
handle := ticket.asHandle(store.Cookie.Name)
|
||||
err = store.Client.Set(ctx, handle, ciphertext, expiration)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return ticket.encodeTicket(store.Cookie.Name), nil
|
||||
}
|
||||
|
||||
// getTicket retrieves an existing ticket from the cookie if present,
|
||||
// or creates a new ticket
|
||||
func (store *SessionStore) getTicket(requestCookie *http.Cookie) (*TicketData, error) {
|
||||
|
@ -1,6 +1,11 @@
|
||||
package redis
|
||||
|
||||
import (
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"testing"
|
||||
@ -17,6 +22,65 @@ import (
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
// TestLegacyV5DecodeSession tests the fallback to LegacyV5DecodeSession
|
||||
// when a V5 encoded session is in Redis
|
||||
//
|
||||
// TODO: Remove when this is deprecated (likely V7)
|
||||
func Test_legacyV5DecodeSession(t *testing.T) {
|
||||
testCases, _, legacyCipher := sessionsapi.CreateLegacyV5TestCases(t)
|
||||
|
||||
for testName, tc := range testCases {
|
||||
t.Run(testName, func(t *testing.T) {
|
||||
g := NewWithT(t)
|
||||
|
||||
secret := make([]byte, aes.BlockSize)
|
||||
_, err := io.ReadFull(rand.Reader, secret)
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
ticket := &TicketData{
|
||||
TicketID: "",
|
||||
Secret: secret,
|
||||
}
|
||||
|
||||
encrypted, err := legacyStoreValue(tc.Input, ticket.Secret)
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
ss, err := legacyV5DecodeSession(encrypted, ticket, legacyCipher)
|
||||
if tc.Error {
|
||||
g.Expect(err).To(HaveOccurred())
|
||||
g.Expect(ss).To(BeNil())
|
||||
return
|
||||
}
|
||||
g.Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
// Compare sessions without *time.Time fields
|
||||
exp := *tc.Output
|
||||
exp.CreatedAt = nil
|
||||
exp.ExpiresOn = nil
|
||||
act := *ss
|
||||
act.CreatedAt = nil
|
||||
act.ExpiresOn = nil
|
||||
g.Expect(exp).To(Equal(act))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// legacyStoreValue implements the legacy V5 Redis store AES-CFB value encryption
|
||||
//
|
||||
// TODO: Remove when this is deprecated (likely V7)
|
||||
func legacyStoreValue(value string, ticketSecret []byte) ([]byte, error) {
|
||||
ciphertext := make([]byte, len(value))
|
||||
block, err := aes.NewCipher(ticketSecret)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error initiating cipher block: %v", err)
|
||||
}
|
||||
|
||||
// Use secret as the Initialization Vector too, because each entry has it's own key
|
||||
stream := cipher.NewCFBEncrypter(block, ticketSecret)
|
||||
stream.XORKeyStream(ciphertext, []byte(value))
|
||||
|
||||
return ciphertext, nil
|
||||
}
|
||||
|
||||
func TestSessionStore(t *testing.T) {
|
||||
logger.SetOutput(GinkgoWriter)
|
||||
|
Loading…
x
Reference in New Issue
Block a user