1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-04-02 22:25:30 +02:00

Improve design of Base64Cipher wrapping other ciphers.

Have it take in a cipher init function as an argument.
Remove the confusing `newCipher` method that matched legacy behavior
and returns a Base64Cipher(CFBCipher) -- instead explicitly ask for
that in the uses.
This commit is contained in:
Nick Meves 2020-05-10 09:44:04 -07:00
parent b6931aa4ea
commit ce2e92bc57
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
5 changed files with 67 additions and 47 deletions

View File

@ -17,10 +17,14 @@ func timePtr(t time.Time) *time.Time {
return &t
}
func NewCipher(secret []byte) (encryption.Cipher, error) {
return encryption.NewBase64Cipher(encryption.NewCFBCipher, secret)
}
func TestSessionStateSerialization(t *testing.T) {
c, err := encryption.NewCipher([]byte(secret))
c, err := NewCipher([]byte(secret))
assert.Equal(t, nil, err)
c2, err := encryption.NewCipher([]byte(altSecret))
c2, err := NewCipher([]byte(altSecret))
assert.Equal(t, nil, err)
s := &sessions.SessionState{
Email: "user@domain.com",
@ -53,9 +57,9 @@ func TestSessionStateSerialization(t *testing.T) {
}
func TestSessionStateSerializationWithUser(t *testing.T) {
c, err := encryption.NewCipher([]byte(secret))
c, err := NewCipher([]byte(secret))
assert.Equal(t, nil, err)
c2, err := encryption.NewCipher([]byte(altSecret))
c2, err := NewCipher([]byte(altSecret))
assert.Equal(t, nil, err)
s := &sessions.SessionState{
User: "just-user",
@ -201,7 +205,7 @@ func TestDecodeSessionState(t *testing.T) {
eJSON, _ := e.MarshalJSON()
eString := string(eJSON)
c, err := encryption.NewCipher([]byte(secret))
c, err := NewCipher([]byte(secret))
assert.NoError(t, err)
testCases := []testCase{

View File

@ -135,16 +135,6 @@ func (c *DefaultCipher) DecryptInto(s *string) error {
return into(c.Decrypt, s)
}
// NewCipher returns a new aes Cipher for encrypting cookie values
// This defaults to the Base64 Cipher to align with legacy Encrypt/Decrypt functionality
func NewCipher(secret []byte) (Cipher, error) {
cfb, err := NewCFBCipher(secret)
if err != nil {
return nil, err
}
return NewBase64Cipher(cfb)
}
type Base64Cipher struct {
DefaultCipher
Cipher Cipher
@ -152,7 +142,11 @@ type Base64Cipher struct {
// NewBase64Cipher returns a new AES Cipher for encrypting cookie values
// and wrapping them in Base64 -- Supports Legacy encryption scheme
func NewBase64Cipher(c Cipher) (Cipher, error) {
func NewBase64Cipher(initCipher func([]byte) (Cipher, error), secret []byte) (Cipher, error) {
c, err := initCipher(secret)
if err != nil {
return nil, err
}
return &Base64Cipher{Cipher: c}, nil
}
@ -170,7 +164,7 @@ func (c *Base64Cipher) Encrypt(value []byte) ([]byte, error) {
func (c *Base64Cipher) Decrypt(ciphertext []byte) ([]byte, error) {
encrypted, err := base64.StdEncoding.DecodeString(string(ciphertext))
if err != nil {
return nil, fmt.Errorf("failed to decrypt cookie value %s", err)
return nil, fmt.Errorf("failed to base64 decode value %s", err)
}
return c.Cipher.Decrypt(encrypted)
@ -206,9 +200,7 @@ func (c *CFBCipher) Encrypt(value []byte) ([]byte, error) {
// Decrypt an AES CFB ciphertext
func (c *CFBCipher) Decrypt(ciphertext []byte) ([]byte, error) {
if len(ciphertext) < aes.BlockSize {
return nil, fmt.Errorf("encrypted value should be "+
"at least %d bytes, but is only %d bytes",
aes.BlockSize, len(ciphertext))
return nil, fmt.Errorf("encrypted value should be at least %d bytes, but is only %d bytes", aes.BlockSize, len(ciphertext))
}
iv := ciphertext[:aes.BlockSize]

View File

@ -102,7 +102,7 @@ func TestSignAndValidate(t *testing.T) {
func TestEncodeAndDecodeAccessToken(t *testing.T) {
const secret = "0123456789abcdefghijklmnopqrstuv"
const token = "my access token"
c, err := NewCipher([]byte(secret))
c, err := NewBase64Cipher(NewCFBCipher, []byte(secret))
assert.Equal(t, nil, err)
encoded, err := c.Encrypt([]byte(token))
@ -121,7 +121,7 @@ func TestEncodeAndDecodeAccessTokenB64(t *testing.T) {
secret, err := base64.URLEncoding.DecodeString(secretBase64)
assert.Equal(t, nil, err)
c, err := NewCipher([]byte(secret))
c, err := NewBase64Cipher(NewCFBCipher, []byte(secret))
assert.Equal(t, nil, err)
encoded, err := c.Encrypt([]byte(token))
@ -135,14 +135,12 @@ func TestEncodeAndDecodeAccessTokenB64(t *testing.T) {
}
func TestEncryptAndDecrypt(t *testing.T) {
var err error
// Test our 3 cipher types
for _, initCipher := range []func([]byte) (Cipher, error){NewCipher, NewCFBCipher, NewGCMCipher} {
// Test our 2 cipher types
for _, initCipher := range []func([]byte) (Cipher, error){NewCFBCipher, NewGCMCipher} {
// Test all 3 valid AES sizes
for _, secretSize := range []int{16, 24, 32} {
secret := make([]byte, secretSize)
_, err = io.ReadFull(rand.Reader, secret)
_, err := io.ReadFull(rand.Reader, secret)
assert.Equal(t, nil, err)
c, err := initCipher(secret)
@ -167,27 +165,55 @@ func TestEncryptAndDecrypt(t *testing.T) {
}
}
func TestDecryptWrongSecret(t *testing.T) {
func TestEncryptAndDecryptBase64(t *testing.T) {
// Test our cipher types wrapped in Base64 encoder
for _, initCipher := range []func([]byte) (Cipher, error){NewCFBCipher, NewGCMCipher} {
// Test all 3 valid AES sizes
for _, secretSize := range []int{16, 24, 32} {
secret := make([]byte, secretSize)
_, err := io.ReadFull(rand.Reader, secret)
assert.Equal(t, nil, err)
c, err := NewBase64Cipher(initCipher, secret)
assert.Equal(t, nil, err)
// Test various sizes sessions might be
for _, dataSize := range []int{10, 100, 1000, 5000, 10000} {
data := make([]byte, dataSize)
_, err := io.ReadFull(rand.Reader, data)
assert.Equal(t, nil, err)
encrypted, err := c.Encrypt(data)
assert.Equal(t, nil, err)
assert.NotEqual(t, encrypted, data)
decrypted, err := c.Decrypt(encrypted)
assert.Equal(t, nil, err)
assert.Equal(t, data, decrypted)
assert.NotEqual(t, encrypted, decrypted)
}
}
}
}
func TestDecryptCFBWrongSecret(t *testing.T) {
secret1 := []byte("0123456789abcdefghijklmnopqrstuv")
secret2 := []byte("9876543210abcdefghijklmnopqrstuv")
// Test CFB & Base64 (GCM is authenticated, it errors differently)
for _, initCipher := range []func([]byte) (Cipher, error){NewCipher, NewCFBCipher} {
c1, err := initCipher(secret1)
assert.Equal(t, nil, err)
c1, err := NewCFBCipher(secret1)
assert.Equal(t, nil, err)
c2, err := initCipher(secret2)
assert.Equal(t, nil, err)
c2, err := NewCFBCipher(secret2)
assert.Equal(t, nil, err)
data := []byte("f3928pufm982374dj02y485dsl34890u2t9nd4028s94dm58y2394087dhmsyt29h8df")
data := []byte("f3928pufm982374dj02y485dsl34890u2t9nd4028s94dm58y2394087dhmsyt29h8df")
ciphertext, err := c1.Encrypt(data)
assert.Equal(t, nil, err)
ciphertext, err := c1.Encrypt(data)
assert.Equal(t, nil, err)
wrongData, err := c2.Decrypt(ciphertext)
assert.Equal(t, nil, err)
assert.NotEqual(t, data, wrongData)
}
wrongData, err := c2.Decrypt(ciphertext)
assert.Equal(t, nil, err)
assert.NotEqual(t, data, wrongData)
}
func TestDecryptGCMWrongSecret(t *testing.T) {
@ -211,13 +237,11 @@ func TestDecryptGCMWrongSecret(t *testing.T) {
}
func TestIntermixCiphersErrors(t *testing.T) {
var err error
// Encrypt with GCM, Decrypt with CFB: Results in Garbage data
// Test all 3 valid AES sizes
for _, secretSize := range []int{16, 24, 32} {
secret := make([]byte, secretSize)
_, err = io.ReadFull(rand.Reader, secret)
_, err := io.ReadFull(rand.Reader, secret)
assert.Equal(t, nil, err)
gcm, err := NewGCMCipher(secret)
@ -248,7 +272,7 @@ func TestIntermixCiphersErrors(t *testing.T) {
// Test all 3 valid AES sizes
for _, secretSize := range []int{16, 24, 32} {
secret := make([]byte, secretSize)
_, err = io.ReadFull(rand.Reader, secret)
_, err := io.ReadFull(rand.Reader, secret)
assert.Equal(t, nil, err)
gcm, err := NewGCMCipher(secret)

View File

@ -367,7 +367,7 @@ var _ = Describe("NewSessionStore", func() {
_, err := rand.Read(secret)
Expect(err).ToNot(HaveOccurred())
cookieOpts.Secret = base64.URLEncoding.EncodeToString(secret)
cipher, err := encryption.NewCipher(encryption.SecretBytes(cookieOpts.Secret))
cipher, err := encryption.NewBase64Cipher(encryption.NewCFBCipher, encryption.SecretBytes(cookieOpts.Secret))
Expect(err).ToNot(HaveOccurred())
Expect(cipher).ToNot(BeNil())
opts.Cipher = cipher

View File

@ -62,7 +62,7 @@ func Validate(o *options.Options) error {
len(encryption.SecretBytes(o.Cookie.Secret)), suffix))
} else {
var err error
cipher, err = encryption.NewCipher(encryption.SecretBytes(o.Cookie.Secret))
cipher, err = encryption.NewBase64Cipher(encryption.NewCFBCipher, encryption.SecretBytes(o.Cookie.Secret))
if err != nil {
msgs = append(msgs, fmt.Sprintf("cookie-secret error: %v", err))
}