1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

78 Commits

Author SHA1 Message Date
Ilia Pertsev
597ffeb121
Fix joined cookie name for those containing underline in the suffix (#970)
* properly handle splitted cookies with names ending with _

* test update

* provide cookieName into joinCookies instead of processing the suffix

* changelog update

* test update
2021-01-04 17:21:17 -08:00
Nick Meves
2b15ba0bcf
Remove v5 JSON session support 2020-11-08 08:52:55 -08:00
Mitsuo Heijo
fcb83c48f4
Update go-redis/redis to v8 (#801)
* update go-redis/redis to v8

testify, ginko and gomega have also been updated.

* update changelog

* Update pkg/sessions/redis/redis_store_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 11:49:27 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
6db1aeb9c6
Validate Redis session store health on startup 2020-09-24 10:41:43 -07:00
Nick Meves
51a9062044
Support Password & SentinelPassword in Redis session store 2020-08-11 12:22:05 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Nick Meves
45222395e0
Attempt to log still on template errors 2020-08-09 07:55:40 -07:00
Nick Meves
1c8c5b08d7
Handle cookie signing errors 2020-08-09 07:55:40 -07:00
Nick Meves
19836f85ac
Align persistence ginkgo tests to conventions 2020-07-21 22:13:17 -07:00
Nick Meves
9643a0b10c
Centralize Ticket management of persistent stores (#682)
* Centralize Ticket management of persistent stores

persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.

* Shift to persistence.Manager wrapping a persistence.Store

* Break up the Redis client builder logic

* Move error messages to Store from Manager

* Convert ticket to private for Manager use only

* Add persistence Manager & ticket tests

* Make a custom MockStore that handles time FastForwards
2020-07-19 21:25:13 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
Nick Meves
a09eecc6a2
Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
Joel Speed
211fd3a010
Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
Nick Meves
48a2aaadc1
Count complete cookie content in byte splitting 2020-07-03 23:41:08 -07:00
Nick Meves
c6f1daba2f
Split cookies more precisely at 4096 bytes 2020-07-03 20:38:04 -07:00
Joel Speed
5c8a66bcc9
Close client connections after each redis test 2020-07-03 16:24:47 +01:00
Joel Speed
34137f7305
Move SessionStore tests to independent package 2020-07-01 06:41:35 +01:00
Joel Speed
6e1b3b9660
Switch to in session store initialisation 2020-06-28 12:50:55 +01:00
Joel Speed
5ce9e75c21
Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
Joel Speed
c8dbf1cf60
Move Cipher intialisation to session store initialisation 2020-06-28 12:03:03 +01:00
Nick Meves
ce2e92bc57
Improve design of Base64Cipher wrapping other ciphers.
Have it take in a cipher init function as an argument.
Remove the confusing `newCipher` method that matched legacy behavior
and returns a Base64Cipher(CFBCipher) -- instead explicitly ask for
that in the uses.
2020-06-12 14:36:58 -07:00
Nick Meves
f7cca1d0b3
Refactor encryption.Cipher to be an Encrypt/Decrypt Interface
All Encrypt/Decrypt Cipher implementations will now take
and return []byte to set up usage in future binary compatible
encoding schemes to fix issues with bloat encrypting to strings
(which requires base64ing adding 33% size)
2020-06-12 14:36:58 -07:00
Nick Meves
b4530b9292
Allow binary values in signed cookies
Make signedValue & Validate operate on []byte
by default and not assume/cast string. Any casting
will be done from callers.
2020-06-12 14:36:58 -07:00
Joel Speed
f7b28cb1d3
Improvements to Session State code (#536)
* Drop SessionStateJSON wrapper
* Use EncrpytInto/DecryptInto to reduce sessionstate

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-30 08:53:38 +01:00
Amnay
6a88da7f7a
Parse Redis cluster and sentinel urls (#573)
* Parse Redis cluster and sentinel urls

* Add changelog entry for #573

* Add unit tests for redis session store

* Use %v for error fmt

Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-05-27 18:40:50 +01:00
Nick Meves
d228d5a928
Refactor the utils package to other areas (#538)
* Refactor the utils package to other areas

Move cookieSession functions to cookie session store
& align the double implementation of SecretBytes to be
united and housed under encryption

* Remove unused Provider SessionFromCookie/CookieForSession

These implementations aren't used, these are handled in the cookie store.

* Add changelog entry for session/utils refactor
2020-05-14 10:16:35 +01:00
Joel Speed
e49f8542bc
Rename Session Options to improve structure 2020-04-29 19:51:24 +01:00
Joel Speed
458710149c
Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
Mitsuo Heijo
dd05e7ff0b
Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
Joel Speed
fcd52e042e
Warn users when session cookies are split 2020-04-12 12:01:38 +01:00
Eric Dahlseng
a659b9558e
Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
Mitsuo Heijo
c7bfbdecef
Implement graceful shutdown and propagate request context (#468)
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
Joel Speed
802754caad
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
Mitsuo Heijo
362cdf7713
Fix http.Cookie SameSite is not copied. (#450)
* fix: http.Cookie SameSite is not copied.

* Update CHANGELOG.md
2020-03-17 18:48:52 +00:00
Mitsuo Heijo
81b9a63e51
Support Go 1.14 (#419)
* Upgrade base image tags and golangci-lint

* Upgrade golang and golangci-lint in travis-ci

* fix:  tests, pointed out by golangci-lint and format files

* Upgrade dependencies

* update changelog

* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418

* Separate tests using go version build tags

* Update CHANGELOG

* Revert "Separate tests using go version build tags"

This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.

* fix test to support go1.14 and go1.13

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 10:14:15 +00:00
Yan Yao
18d20364a8
Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
Paul Groudas
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
Lukasz Leszczuk
befab0521a log message in case of failure during loading system cert pool 2019-11-12 11:42:49 +01:00
Lukasz Leszczuk
3c10aee62c Code formatting. Add missing CHANGELOG entry. 2019-11-09 13:57:40 +01:00
Lukasz Leszczuk
3f7ed36e46 Add support for Redis with custom CA. 2019-11-08 10:47:18 +01:00
Kirill Motkov
e64e6fa514 Some code improvements
* Remove shadowing of predeclared identifier: new.
* strings.ReplaceAll instead of strings.Replace with -1.
* Change strings.ToLower comparison to strings.EqualFold.
* Rewrite if-else-if-else chain as a switch.
2019-10-09 15:44:26 +03:00
Joel Speed
d1ef14becc
Move cookie to pkg/encryption 2019-06-15 11:33:57 +02:00
Joel Speed
4721da02f2 Ensure SessionStores can handle recieving cookies for the wrong implementation
(cherry picked from commit 131206cf41697543583751ac2714287898c19ad0)
2019-06-05 00:11:42 -07:00
Joel Speed
c1ae0ca807 Make sure the cookie exists before we clear the session in redis
(cherry picked from commit 6d7f0ab57d554706425f76aed4df60717dd63ece)
2019-06-05 00:11:42 -07:00
Joel Speed
22199fa417 Fix ticket retrieval with an invalid ticket
(cherry picked from commit 66bbf146ec45d127bdd374120743aeef936894a7)
2019-06-05 00:11:42 -07:00
Joel Speed
3155ada287 Ensure sessions are refreshable in redis session store
(cherry picked from commit 48edce3003d187a3eadc4ea96236845271dd9360)
2019-06-05 00:11:42 -07:00
Joel Speed
2e2327af6c Check SaveSession works when an existing session is present
(cherry picked from commit 9dc1a96d817741632cb476456755a645b732db7d)
2019-06-05 00:11:42 -07:00
Joel Speed
518c1d3e8e Add Redis sentinel compatibility
(cherry picked from commit ff36b61f8cee4ecf0b91a90b5e1b651b526bb6b6)
2019-06-05 00:11:42 -07:00
Joel Speed
4f5dbace9f Refactor persistent tests with more Context 2019-06-05 00:10:51 -07:00