fix: use GetSecret() in ticket.go makeCookie
The makeCookie method in ticket.go was using t.options.Secret directly, which meant cookie-secret-file was not being respected. Updated to use GetSecret() which handles both cookie-secret and cookie-secret-file properly. Also added test coverage for cookie-secret-file functionality. Fixes #3224 Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com>
This commit is contained in:
stagswtf
Jan Larwig
parent
c0a087d7f2
commit
349d98c8a0
|
|
@ -233,8 +233,11 @@ func (t *ticket) clearCookie(rw http.ResponseWriter, req *http.Request) {
|
||||||
// makeCookie makes a cookie, signing the value if present
|
// makeCookie makes a cookie, signing the value if present
|
||||||
func (t *ticket) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) (*http.Cookie, error) {
|
func (t *ticket) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) (*http.Cookie, error) {
|
||||||
if value != "" {
|
if value != "" {
|
||||||
var err error
|
secret, err := t.options.GetSecret()
|
||||||
value, err = encryption.SignedValue(t.options.Secret, t.options.Name, []byte(value), now)
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
value, err = encryption.SignedValue(secret, t.options.Name, []byte(value), now)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,7 @@ import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
"os"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
@ -133,6 +134,42 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi
|
||||||
PersistentSessionStoreInterfaceTests(&input)
|
PersistentSessionStoreInterfaceTests(&input)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
Context("with cookie secret file", func() {
|
||||||
|
var tmpfile *os.File
|
||||||
|
var err error
|
||||||
|
BeforeEach(func() {
|
||||||
|
tmpfile, err = os.CreateTemp("", "cookie-secret-test")
|
||||||
|
secretBytes := make([]byte, 32)
|
||||||
|
tmpfile.Write(secretBytes)
|
||||||
|
tmpfile.Close()
|
||||||
|
|
||||||
|
input.cookieOpts = &options.Cookie{
|
||||||
|
Name: "_oauth2_proxy_file",
|
||||||
|
Path: "/",
|
||||||
|
Expire: time.Duration(168) * time.Hour,
|
||||||
|
Refresh: time.Duration(1) * time.Hour,
|
||||||
|
Secure: true,
|
||||||
|
HTTPOnly: true,
|
||||||
|
SameSite: "",
|
||||||
|
Secret: "",
|
||||||
|
SecretFile: tmpfile.Name(),
|
||||||
|
}
|
||||||
|
ss, err = newSS(opts, input.cookieOpts)
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
})
|
||||||
|
|
||||||
|
AfterEach(func() {
|
||||||
|
if tmpfile != nil {
|
||||||
|
os.Remove(tmpfile.Name())
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
SessionStoreInterfaceTests(&input)
|
||||||
|
if persistentFastForward != nil {
|
||||||
|
PersistentSessionStoreInterfaceTests(&input)
|
||||||
|
}
|
||||||
|
})
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue