Initialise SessionStore in Options

pkg/apis/options/sessions.go

@@ -2,7 +2,8 @@ package options
 
 // SessionOptions contains configuration options for the SessionStore providers.
 type SessionOptions struct {
-	Type string `flag:"session-store-type" cfg:"session_store_type" env:"OAUTH2_PROXY_SESSION_STORE_TYPE"`
+	Type         string `flag:"session-store-type" cfg:"session_store_type" env:"OAUTH2_PROXY_SESSION_STORE_TYPE"`
+	EnableCipher bool   // Allow the user to choose encryption or not
 	CookieStoreOptions
 }
 
@@ -11,4 +12,6 @@ type SessionOptions struct {
 var CookieSessionStoreType = "cookie"
 
 // CookieStoreOptions contains configuration options for the CookieSessionStore.
-type CookieStoreOptions struct{}
+type CookieStoreOptions struct {
+	EnableCipher bool // Allow the user to choose encryption or not
+}

pkg/sessions/cookie/session_store.go

@@ -126,7 +126,7 @@ func (s *SessionStore) makeCookie(req *http.Request, name string, value string,
 // the configuration given
 func NewCookieSessionStore(opts options.CookieStoreOptions, cookieOpts *options.CookieOptions) (sessions.SessionStore, error) {
 	var cipher *cookie.Cipher
-	if len(cookieOpts.CookieSecret) > 0 {
+	if opts.EnableCipher {
 		var err error
 		cipher, err = cookie.NewCipher(utils.SecretBytes(cookieOpts.CookieSecret))
 		if err != nil {

pkg/sessions/session_store.go

@@ -12,6 +12,8 @@ import (
 func NewSessionStore(opts *options.SessionOptions, cookieOpts *options.CookieOptions) (sessions.SessionStore, error) {
 	switch opts.Type {
 	case options.CookieSessionStoreType:
+		// Ensure EnableCipher is propogated from the parent option
+		opts.CookieStoreOptions.EnableCipher = opts.EnableCipher
 		return cookie.NewCookieSessionStore(opts.CookieStoreOptions, cookieOpts)
 	default:
 		return nil, fmt.Errorf("unknown session store type '%s'", opts.Type)

pkg/sessions/session_store_test.go

@@ -181,12 +181,13 @@ var _ = Describe("NewSessionStore", func() {
 			SessionStoreInterfaceTests()
 		})
 
-		Context("with a cookie-secret set", func() {
+		Context("with encryption enabled", func() {
 			BeforeEach(func() {
 				secret := make([]byte, 32)
 				_, err := rand.Read(secret)
 				Expect(err).ToNot(HaveOccurred())
 				cookieOpts.CookieSecret = base64.URLEncoding.EncodeToString(secret)
+				opts.EnableCipher = true
 
 				ss, err = sessions.NewSessionStore(opts, cookieOpts)
 				Expect(err).ToNot(HaveOccurred())
@@ -194,6 +195,19 @@ var _ = Describe("NewSessionStore", func() {
 
 			SessionStoreInterfaceTests()
 		})
+
+		Context("with encryption enabled, but no secret", func() {
+			BeforeEach(func() {
+				opts.EnableCipher = true
+			})
+
+			It("returns an error", func() {
+				ss, err := sessions.NewSessionStore(opts, cookieOpts)
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(Equal("unable to create cipher: crypto/aes: invalid key size 0"))
+				Expect(ss).To(BeNil())
+			})
+		})
 	}
 
 	BeforeEach(func() {