diff --git a/main.go b/main.go index 2a2d99a3..e16b782f 100644 --- a/main.go +++ b/main.go @@ -68,10 +68,8 @@ func main() { // It will either load the alpha configuration (if alphaConfig is given) // or the legacy configuration. func loadConfiguration(config, yamlConfig string, extraFlags *pflag.FlagSet, args []string) (*options.Options, error) { - opts, err := loadLegacyOptions(config, extraFlags, args) - if err != nil { - return nil, fmt.Errorf("failed to load legacy options: %w", err) - } + var err error + var opts *options.Options if yamlConfig != "" { logger.Printf("WARNING: You are using alpha configuration. The structure in this configuration file may change without notice. You MUST remove conflicting options from your existing configuration.") @@ -79,6 +77,11 @@ func loadConfiguration(config, yamlConfig string, extraFlags *pflag.FlagSet, arg if err != nil { return nil, fmt.Errorf("failed to load yaml options: %w", err) } + } else { + opts, err = loadLegacyOptions(config, extraFlags, args) + if err != nil { + return nil, fmt.Errorf("failed to load legacy options: %w", err) + } } // Ensure defaults after loading configuration diff --git a/main_test.go b/main_test.go index f896c398..2a93bb06 100644 --- a/main_test.go +++ b/main_test.go @@ -55,7 +55,7 @@ injectRequestHeaders: claim: user prefix: "Basic " basicAuthPassword: - value: c3VwZXItc2VjcmV0LXBhc3N3b3Jk + value: YzNWd1pYSXRjMlZqY21WMExYQmhjM04zYjNKaw== - name: X-Forwarded-Groups preserveRequestValue: false values: @@ -83,12 +83,13 @@ injectResponseHeaders: claim: user prefix: "Basic " basicAuthPassword: - value: c3VwZXItc2VjcmV0LXBhc3N3b3Jk + value: "YzNWd1pYSXRjMlZqY21WMExYQmhjM04zYjNKaw==" server: bindAddress: "127.0.0.1:4180" cookie: - secure: false - secret: "OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w=" + insecure: true + secret: + value: "OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w=" providers: - id: google=oauth2-proxy provider: google 
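Review bot: The doc comment kept as context above loadConfiguration still says the alpha configuration is used "if alphaConfig is given", but the parameter that now selects the branch is `yamlConfig`; with the either/or real, make the comment match: `// or the legacy configuration, depending on whether yamlConfig is set.` The `loadYamlOptions` call between the two hunks is not visible, so whether the yaml branch still consults `config` (the expected error in main_test.go, "failed to load core options: failed to load config", suggests it does) cannot be confirmed here; if it does, the warning text about conflicting options remains accurate. Minor style: the two new declarations read better grouped as `var ( opts *options.Options; err error )`. loadConfiguration's body continues past the second hunk.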
@@ -123,9 +124,9 @@ redirect_url="http://localhost:4180/oauth2/callback" opts, err := options.NewLegacyOptions().ToOptions() Expect(err).ToNot(HaveOccurred()) - opts.Cookie.Secret = "OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w=" + opts.Cookie.Secret = &options.SecretSource{Value: []byte("OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w=")} opts.EmailDomains = []string{"example.com"} - opts.Cookie.Secure = ptr.To(false) + opts.Cookie.Insecure = ptr.To(true) opts.RawRedirectURL = "http://localhost:4180/oauth2/callback" opts.UpstreamServers = options.UpstreamConfig{ @@ -152,11 +153,9 @@ redirect_url="http://localhost:4180/oauth2/callback" Values: []options.HeaderValue{ { ClaimSource: &options.ClaimSource{ - Claim: "user", - Prefix: "Basic ", - BasicAuthPassword: &options.SecretSource{ - Value: []byte("c3VwZXItc2VjcmV0LXBhc3N3b3Jk"), - }, + Claim: "user", + Prefix: "Basic ", + BasicAuthPassword: options.NewSecretSourceFromString("c3VwZXItc2VjcmV0LXBhc3N3b3Jk"), }, }, }, @@ -294,7 +293,7 @@ redirect_url="http://localhost:4180/oauth2/callback" configContent: testCoreConfig + "unknown_field=\"something\"", alphaConfigContent: testAlphaConfig, expectedOptions: func() *options.Options { return nil }, - expectedErr: errors.New("failed to load legacy options: failed to load legacy config: error unmarshalling config: decoding failed due to the following error(s):\n\n'' has invalid keys: unknown_field"), + expectedErr: errors.New("failed to load yaml options: failed to load core options: failed to load config: error unmarshalling config: decoding failed due to the following error(s):\n\n'' has invalid keys: unknown_field"), }), ) }) diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 722d84ee..6f6b2611 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go 
@@ -33,10 +33,13 @@ import ( const ( // The rawCookieSecret is 32 bytes and the base64CookieSecret is the base64 // encoded version of this. - rawCookieSecret = "secretthirtytwobytes+abcdefghijk" - base64CookieSecret = "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams" - clientID = "3984n253984d7348dm8234yf982t" - clientSecret = "gv3498mfc9t23y23974dm2394dm9" + clientID = "3984n253984d7348dm8234yf982t" + clientSecret = "gv3498mfc9t23y23974dm2394dm9" +) + +var ( + rawCookieSecret = &options.SecretSource{Value: []byte("secretthirtytwobytes+abcdefghijk")} + base64CookieSecret = &options.SecretSource{Value: []byte("c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams")} ) func init() { @@ -207,7 +210,7 @@ func TestBasicAuthPassword(t *testing.T) { }, } - opts.Cookie.Secure = ptr.To(false) + opts.Cookie.Insecure = ptr.To(true) opts.InjectRequestHeaders = []options.Header{ { Name: "Authorization", @@ -362,7 +365,7 @@ func NewPassAccessTokenTest(opts PassAccessTokenTestOptions) (*PassAccessTokenTe patt.opts.UpstreamServers.Upstreams = append(patt.opts.UpstreamServers.Upstreams, opts.ProxyUpstream) } - patt.opts.Cookie.Secure = ptr.To(false) + patt.opts.Cookie.Insecure = ptr.To(true) if opts.PassAccessToken { patt.opts.InjectRequestHeaders = []options.Header{ { @@ -3470,7 +3473,7 @@ func TestGetOAuthRedirectURI(t *testing.T) { { name: "redirect with http schema", setupOpts: func(baseOpts *options.Options) *options.Options { - baseOpts.Cookie.Secure = ptr.To(false) + baseOpts.Cookie.Insecure = ptr.To(true) return baseOpts }, req: &http.Request{ diff --git a/pkg/apis/options/cookie.go b/pkg/apis/options/cookie.go index 4b71544a..93baacec 100644 --- a/pkg/apis/options/cookie.go +++ b/pkg/apis/options/cookie.go 
@@ -37,7 +37,7 @@ type Cookie struct { // Name is the name of the cookie Name string `yaml:"name,omitempty"` // Secret is the secret source used to encrypt/sign the cookie value - Secret SecretSource `yaml:"secret,omitempty"` + Secret *SecretSource `yaml:"secret,omitempty"` // Domains is a list of domains for which the cookie is valid Domains []string `yaml:"domains,omitempty"` // Path is the path for which the cookie is valid @@ -98,7 +98,7 @@ func (sa *ScriptAccess) UnmarshalYAML(value *yaml.Node) error { // GetSecret returns the cookie secret as a string from the SecretSource func (c *Cookie) GetSecret() (string, error) { - secret, err := c.Secret.GetSecretValue() + secret, err := c.Secret.GetRawSecretValue() if err != nil { return "", fmt.Errorf("error getting cookie secret: %w", err) } @@ -117,6 +117,9 @@ func (c *Cookie) EnsureDefaults() { if c.Expire == 0 { c.Expire = time.Duration(168) * time.Hour } + if c.Secret == nil { + c.Secret = &SecretSource{} + } if c.Insecure == nil { c.Insecure = ptr.To(DefaultCookieInsecure) } diff --git a/pkg/apis/options/cookie_test.go b/pkg/apis/options/cookie_test.go index 053d0e6b..df1f63f2 100644 --- a/pkg/apis/options/cookie_test.go +++ b/pkg/apis/options/cookie_test.go @@ -10,7 +10,7 @@ import ( func TestCookieGetSecret(t *testing.T) { t.Run("returns secret when Secret is set", func(t *testing.T) { c := &Cookie{ - Secret: SecretSource{ + Secret: &SecretSource{ Value: []byte("my-secret"), FromFile: "", }, @@ -22,7 +22,7 @@ func TestCookieGetSecret(t *testing.T) { t.Run("returns secret when both Secret and SecretFile are set", func(t *testing.T) { c := &Cookie{ - Secret: SecretSource{ + Secret: &SecretSource{ Value: []byte("my-secret"), FromFile: "/some/file", }, @@ -43,7 +43,7 @@ func TestCookieGetSecret(t *testing.T) { tmpfile.Close() c := &Cookie{ - Secret: SecretSource{ + Secret: &SecretSource{ Value: []byte(""), FromFile: tmpfile.Name(), }, 
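Review bot: GetSecret dereferences `c.Secret` without a nil check now that the field is a `*SecretSource`, so a Cookie that did not go through EnsureDefaults (the only place in this diff that fills a nil Secret) panics inside GetRawSecretValue on `len(ss.Value)` instead of returning an error; validateCookieSecret in pkg/validation/cookie.go guards nil, and GetSecret should too: `if c.Secret == nil { return "", fmt.Errorf("error getting cookie secret: no secret source configured") }`. The switch to GetRawSecretValue also changes what the method returns (the configured bytes, no longer base64-decoded), which the existing comment does not say; suggest `// GetSecret returns the configured cookie secret verbatim; it is not base64-decoded here, callers needing key bytes decode it themselves.` The remainder of GetSecret continues outside the hunk, so how the raw bytes become the returned string is not visible.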
@@ -55,7 +55,7 @@ func TestCookieGetSecret(t *testing.T) { t.Run("returns error when file does not exist", func(t *testing.T) { c := &Cookie{ - Secret: SecretSource{ + Secret: &SecretSource{ Value: []byte(""), FromFile: "/nonexistent/file", }, @@ -63,12 +63,12 @@ func TestCookieGetSecret(t *testing.T) { secret, err := c.GetSecret() assert.Error(t, err) assert.Equal(t, "", secret) - assert.Contains(t, err.Error(), "error reading cookie secret file /nonexistent/file:") + assert.Contains(t, err.Error(), "error getting cookie secret: error reading secret from file \"/nonexistent/file\": open /nonexistent/file: no such file or directory") }) t.Run("returns empty when both Secret and SecretFile are empty", func(t *testing.T) { c := &Cookie{ - Secret: SecretSource{ + Secret: &SecretSource{ Value: []byte(""), FromFile: "", }, diff --git a/pkg/apis/options/legacy_cookie.go b/pkg/apis/options/legacy_cookie.go index 8240e7c8..b214ff13 100644 --- a/pkg/apis/options/legacy_cookie.go +++ b/pkg/apis/options/legacy_cookie.go @@ -52,9 +52,11 @@ func (l *LegacyCookie) convert() Cookie { scriptAccess = ScriptAccessAllowed } - var secret *SecretSource + secret := &SecretSource{} if l.Secret != "" { - secret = NewSecretSourceFromString(l.Secret) + secret = &SecretSource{ + Value: []byte(l.Secret), + } } else if l.SecretFile != "" { secret = &SecretSource{ FromFile: l.SecretFile, @@ -63,7 +65,7 @@ func (l *LegacyCookie) convert() Cookie { return Cookie{ Name: l.Name, - Secret: *secret, + Secret: secret, Domains: l.Domains, Path: l.Path, Expire: l.Expire, diff --git a/pkg/apis/options/legacy_options_test.go b/pkg/apis/options/legacy_options_test.go index d055be25..81659e0e 100644 --- a/pkg/apis/options/legacy_options_test.go +++ b/pkg/apis/options/legacy_options_test.go 
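Review bot: The `Value: []byte(l.Secret)` branch in convert stores the legacy secret verbatim, whereas the constructor it replaces (NewSecretSourceFromString) now base64-encodes its input, and nothing here says why the two paths differ, so the next reader will reasonably reach for the constructor again. A one-line comment prevents that: `// Keep the legacy secret verbatim: Cookie.GetSecret reads the raw value and leaves decoding to the consumer, so do not wrap it via NewSecretSourceFromString.` The initial `secret := &SecretSource{}` allocation is discarded on both branches that follow; assigning fields on the existing value (`secret.Value = []byte(l.Secret)`, `secret.FromFile = l.SecretFile`) avoids the throwaway and makes the "empty source when nothing is configured" default explicit. convert's start is outside the hunk.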
@@ -370,11 +370,9 @@ var _ = Describe("Legacy Options", func() { Values: []HeaderValue{ { ClaimSource: &ClaimSource{ - Claim: "user", - Prefix: "Basic ", - BasicAuthPassword: &SecretSource{ - Value: []byte(basicAuthSecret), - }, + Claim: "user", + Prefix: "Basic ", + BasicAuthPassword: NewSecretSourceFromString(basicAuthSecret), }, }, }, @@ -410,11 +408,9 @@ var _ = Describe("Legacy Options", func() { Values: []HeaderValue{ { ClaimSource: &ClaimSource{ - Claim: "email", - Prefix: "Basic ", - BasicAuthPassword: &SecretSource{ - Value: []byte(basicAuthSecret), - }, + Claim: "email", + Prefix: "Basic ", + BasicAuthPassword: NewSecretSourceFromString(basicAuthSecret), }, }, }, @@ -1094,7 +1090,7 @@ var _ = Describe("Legacy Options", func() { // Test cases and expected outcomes fullCookie := Cookie{ Name: "_oauth2_proxy", - Secret: SecretSource{}, + Secret: &SecretSource{}, Domains: nil, Path: "/", Expire: time.Duration(168) * time.Hour, diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go index 3555f55f..5440268a 100644 --- a/pkg/apis/options/options.go +++ b/pkg/apis/options/options.go @@ -36,7 +36,7 @@ type Options struct { HtpasswdUserGroups []string `flag:"htpasswd-user-group" cfg:"htpasswd_user_groups"` Cookie Cookie `cfg:",internal"` - Session SessionOptions `cfg:",squash"` + Session SessionOptions `cfg:",internal"` Logging Logging `cfg:",squash"` Templates Templates `cfg:",squash"` diff --git a/pkg/apis/options/secret_source.go b/pkg/apis/options/secret_source.go index d73ac41d..f3b35f2b 100644 --- a/pkg/apis/options/secret_source.go +++ b/pkg/apis/options/secret_source.go @@ -20,8 +20,8 @@ type SecretSource struct { } func NewSecretSourceFromValue(value []byte) *SecretSource { - encoded := make([]byte, base64.RawStdEncoding.EncodedLen(len(value))) - base64.RawStdEncoding.Encode(encoded, value) + encoded := make([]byte, base64.URLEncoding.EncodedLen(len(value))) + base64.URLEncoding.Encode(encoded, value) return &SecretSource{ Value: encoded, } 
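Review bot: NewSecretSourceFromValue switches from RawStdEncoding to URLEncoding but still carries no doc comment stating that Value holds an encoded form at all, and the encoding chosen here must stay in lockstep with the decoder added to GetSecretValue in the same file; spell that out on the exported function: `// NewSecretSourceFromValue stores value as URL-safe, padded base64 (base64.URLEncoding); GetSecretValue decodes with the same encoding.` A Value populated elsewhere with a different alphabet or without padding will now fail to decode rather than silently differ, which is the right failure mode but worth a line in the changelog if external callers build SecretSource directly. A package-level `var secretEncoding = base64.URLEncoding` shared by both functions would keep the pair from drifting.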
@@ -31,13 +31,9 @@ func NewSecretSourceFromString(s string) *SecretSource { return NewSecretSourceFromValue([]byte(s)) } -func (ss *SecretSource) GetSecretValue() ([]byte, error) { +func (ss *SecretSource) GetRawSecretValue() ([]byte, error) { if len(ss.Value) > 0 { - var decoded []byte - if _, err := base64.RawStdEncoding.Decode(decoded, ss.Value); err != nil { - return nil, fmt.Errorf("error decoding secret value: %w", err) - } - return decoded, nil + return ss.Value, nil } if ss.FromEnv != "" { @@ -56,6 +52,23 @@ func (ss *SecretSource) GetSecretValue() ([]byte, error) { return nil, nil } +func (ss *SecretSource) GetSecretValue() ([]byte, error) { + value, err := ss.GetRawSecretValue() + if err != nil { + return nil, fmt.Errorf("failed getting raw secret value: %w", err) + } + + if value == nil { + return nil, fmt.Errorf("failed retrieving secret value: no source defined") + } + + decoded := make([]byte, base64.URLEncoding.DecodedLen(len(value))) + if _, err := base64.URLEncoding.Decode(decoded, value); err != nil { + return nil, fmt.Errorf("error decoding secret value: %w", err) + } + return decoded, nil +} + // EnsureDefaults sets any default values for SecretSource fields. func (ss *SecretSource) EnsureDefaults() { // No defaults to set currently diff --git a/pkg/cookies/cookies.go b/pkg/cookies/cookies.go index 913d9b9b..a221ac91 100644 --- a/pkg/cookies/cookies.go +++ b/pkg/cookies/cookies.go @@ -26,9 +26,11 @@ func MakeCookieFromOptions(req *http.Request, name string, value string, opts *o domain = opts.Domains[len(opts.Domains)-1] } - httpOnly := true + var httpOnly bool if opts.ScriptAccess == options.ScriptAccessAllowed { httpOnly = false + } else { + httpOnly = true } c := &http.Cookie{ diff --git a/pkg/cookies/cookies_test.go b/pkg/cookies/cookies_test.go index dece3e95..8e4c213a 100644 --- a/pkg/cookies/cookies_test.go +++ b/pkg/cookies/cookies_test.go 
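Review bot: GetRawSecretValue hands back `ss.Value` itself rather than a copy, so a caller that mutates or zeroes the returned slice (for example to scrub a key after use) alters the SecretSource in place; if that sharing is intended, say so, otherwise return `slices.Clone(ss.Value)` (stdlib, if not already imported here) or `append([]byte(nil), ss.Value...)`. The renamed method also has no doc comment explaining what "Raw" means: `// GetRawSecretValue returns the configured secret bytes without base64-decoding them; use GetSecretValue for the decoded form.` The FromEnv and FromFile branches continue outside the hunk, so whether those paths already return fresh slices is not visible here.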
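Review bot: GetSecretValue returns the whole `decoded` buffer even though `base64.URLEncoding.DecodedLen` is only an upper bound for padded input, so the count discarded from `Decode` is exactly what should trim it; for a 20-character padded value such as the URL encoding of "basic-password" the result is 15 bytes with a trailing NUL instead of the 14 expected, which corrupts a Basic-auth password or key. Keep the count: `n, err := base64.URLEncoding.Decode(decoded, value)` / `if err != nil { return nil, fmt.Errorf("error decoding secret value: %w", err) }` / `return decoded[:n], nil`, or use `base64.URLEncoding.DecodeString(string(value))` with the same wrapping. The new exported method also needs a doc comment, e.g. that it base64-decodes whatever GetRawSecretValue yields and errors when no source is configured.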
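Review bot: The rewritten `httpOnly` assignment in MakeCookieFromOptions trades a default-then-override for a `var` plus an if/else, which is more to read for the same boolean; a single expression states the rule directly: `httpOnly := opts.ScriptAccess != options.ScriptAccessAllowed`. Either form keeps HttpOnly set for every ScriptAccess value except the explicit allow, which is the property worth a comment: `// HttpOnly stays on unless the operator explicitly allowed script access.` MakeCookieFromOptions starts and ends outside the hunk.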
@@ -92,7 +92,7 @@ var _ = Describe("Cookie Tests", func() { } validName := "_oauth2_proxy" - validSecret := []byte("secretthirtytwobytes+abcdefghijk") + validSecret := &options.SecretSource{Value: []byte("secretthirtytwobytes+abcdefghijk")} domains := []string{"www.cookies.test"} now := time.Now() @@ -115,7 +115,7 @@ var _ = Describe("Cookie Tests", func() { value: "1", opts: options.Cookie{ Name: validName, - Secret: options.SecretSource{Value: validSecret}, + Secret: validSecret, Domains: domains, Path: "", Expire: time.Hour, @@ -133,7 +133,7 @@ var _ = Describe("Cookie Tests", func() { value: "1", opts: options.Cookie{ Name: validName, - Secret: options.SecretSource{Value: validSecret}, + Secret: validSecret, Domains: domains, Path: "", Expire: time.Hour * -1, @@ -151,7 +151,7 @@ var _ = Describe("Cookie Tests", func() { value: "1", opts: options.Cookie{ Name: validName, - Secret: options.SecretSource{Value: validSecret}, + Secret: validSecret, Domains: domains, Path: "", Expire: 0, diff --git a/pkg/cookies/csrf_per_request_test.go b/pkg/cookies/csrf_per_request_test.go index 0f9e2963..8247c22e 100644 --- a/pkg/cookies/csrf_per_request_test.go +++ b/pkg/cookies/csrf_per_request_test.go @@ -25,7 +25,7 @@ var _ = Describe("CSRF Cookie with non-fixed name Tests", func() { BeforeEach(func() { cookieOpts = &options.Cookie{ Name: cookieName, - Secret: options.SecretSource{Value: cookieSecret}, + Secret: &options.SecretSource{Value: cookieSecret}, Domains: []string{cookieDomain}, Path: cookiePath, Expire: time.Hour, diff --git a/pkg/cookies/csrf_test.go b/pkg/cookies/csrf_test.go index c89f7d12..02b476b8 100644 --- a/pkg/cookies/csrf_test.go +++ b/pkg/cookies/csrf_test.go 
@@ -26,7 +26,7 @@ var _ = Describe("CSRF Cookie Tests", func() { BeforeEach(func() { cookieOpts = &options.Cookie{ Name: cookieName, - Secret: options.SecretSource{Value: cookieSecret}, + Secret: &options.SecretSource{Value: cookieSecret}, Domains: []string{cookieDomain}, Path: cookiePath, Expire: time.Hour, diff --git a/pkg/encryption/utils.go b/pkg/encryption/utils.go index df0158b8..642f80a8 100644 --- a/pkg/encryption/utils.go +++ b/pkg/encryption/utils.go @@ -9,6 +9,7 @@ import ( "hash" "io" "net/http" + "slices" "strconv" "strings" "time" @@ -27,10 +28,8 @@ func SecretBytes(secret string) []byte { // Only return decoded form if a valid AES length // Don't want unintentional decoding resulting in invalid lengths confusing a user // that thought they used a 16, 24, 32 length string - for _, i := range []int{16, 24, 32} { - if len(b) == i { - return b - } + if slices.Contains([]int{16, 24, 32}, len(b)) { + return b } } // If decoding didn't work or resulted in non-AES compliant length, diff --git a/pkg/middleware/headers_test.go b/pkg/middleware/headers_test.go index e8bbe665..c3ce016b 100644 --- a/pkg/middleware/headers_test.go +++ b/pkg/middleware/headers_test.go @@ -189,7 +189,7 @@ var _ = Describe("Headers Suite", func() { ClaimSource: &options.ClaimSource{ Claim: "user", BasicAuthPassword: &options.SecretSource{ - Value: []byte(base64.RawStdEncoding.EncodeToString([]byte("basic-password"))), + Value: []byte(base64.URLEncoding.EncodeToString([]byte("basic-password"))), FromEnv: "SECRET_ENV", }, }, @@ -461,7 +461,7 @@ var _ = Describe("Headers Suite", func() { ClaimSource: &options.ClaimSource{ Claim: "user", BasicAuthPassword: &options.SecretSource{ - Value: []byte(base64.StdEncoding.EncodeToString([]byte("basic-password"))), + Value: []byte(base64.RawStdEncoding.EncodeToString([]byte("basic-password"))), FromEnv: "SECRET_ENV", }, }, diff --git a/pkg/sessions/redis/client_test.go b/pkg/sessions/redis/client_test.go index 2a07aba8..1f25ea10 100644 
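Review bot: The new `slices.Contains([]int{16, 24, 32}, len(b))` in SecretBytes constructs a slice literal on every call to express a three-way membership test that a switch states more directly: `switch len(b) { case 16, 24, 32: return b }`. That also makes the valid-AES-key-length rule read as a set of constants, matching the comment above it. SecretBytes starts and ends outside the hunk, so the surrounding decode attempt and fallback are not visible here.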
--- a/pkg/sessions/redis/client_test.go +++ b/pkg/sessions/redis/client_test.go @@ -9,6 +9,7 @@ import ( "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/sessions/redis" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) @@ -26,7 +27,7 @@ var _ = Describe("Redis Client Tests", func() { RunClientTests(func(mr *miniredis.Miniredis) options.RedisStoreOptions { return options.RedisStoreOptions{ ClusterConnectionURLs: []string{"redis://" + mr.Addr()}, - UseCluster: true, + UseCluster: ptr.To(true), } }) }) diff --git a/pkg/sessions/session_store_test.go b/pkg/sessions/session_store_test.go index d1fd5881..470de3e6 100644 --- a/pkg/sessions/session_store_test.go +++ b/pkg/sessions/session_store_test.go @@ -39,7 +39,7 @@ var _ = Describe("NewSessionStore", func() { secret := make([]byte, 32) _, err := rand.Read(secret) Expect(err).ToNot(HaveOccurred()) - var secretValue []byte + secretValue := make([]byte, base64.URLEncoding.EncodedLen(len(secret))) base64.URLEncoding.Encode(secretValue, secret) Expect(secretValue).ToNot(BeEmpty()) @@ -47,7 +47,7 @@ var _ = Describe("NewSessionStore", func() { // Set default options in CookieOptions cookieOpts = &options.Cookie{ Name: "_oauth2_proxy", - Secret: options.SecretSource{ + Secret: &options.SecretSource{ Value: secretValue, }, Path: "/", diff --git a/pkg/sessions/tests/session_store_tests.go b/pkg/sessions/tests/session_store_tests.go index d78fa679..5e47c007 100644 --- a/pkg/sessions/tests/session_store_tests.go +++ b/pkg/sessions/tests/session_store_tests.go 
@@ -73,7 +73,7 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi Insecure: ptr.To(false), ScriptAccess: options.ScriptAccessDenied, SameSite: options.SameSiteDefault, - Secret: options.SecretSource{Value: cookieSecret}, + Secret: &options.SecretSource{Value: cookieSecret}, } expires := time.Now().Add(1 * time.Hour) @@ -124,7 +124,7 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi ScriptAccess: options.ScriptAccessAllowed, Domains: []string{"example.com"}, SameSite: options.SameSiteStrict, - Secret: options.SecretSource{Value: cookieSecret}, + Secret: &options.SecretSource{Value: cookieSecret}, } var err error @@ -155,7 +155,7 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi Insecure: ptr.To(false), ScriptAccess: options.ScriptAccessDenied, SameSite: options.SameSiteDefault, - Secret: options.SecretSource{FromFile: tmpfile.Name()}, + Secret: &options.SecretSource{FromFile: tmpfile.Name()}, } ss, err = newSS(input.sessionOpts, input.cookieOpts) Expect(err).ToNot(HaveOccurred()) diff --git a/pkg/validation/cookie.go b/pkg/validation/cookie.go index 76d8dd12..31e7b238 100644 --- a/pkg/validation/cookie.go +++ b/pkg/validation/cookie.go @@ -49,12 +49,12 @@ func validateCookieName(name string) []string { return msgs } -func validateCookieSecret(secret options.SecretSource) []string { - if len(secret.Value) == 0 && secret.FromFile == "" { +func validateCookieSecret(secret *options.SecretSource) []string { + if secret == nil || len(secret.Value) == 0 && secret.FromFile == "" { return []string{"missing setting: cookie-secret or cookie-secret-file"} } - value, err := secret.GetSecretValue() + value, err := secret.GetRawSecretValue() if err != nil { return []string{fmt.Sprintf("error retrieving cookie secret: %v", err)} } diff --git a/pkg/validation/cookie_test.go b/pkg/validation/cookie_test.go index cd9a6bdf..30002126 100644 --- a/pkg/validation/cookie_test.go 
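Review bot: The new guard `secret == nil || len(secret.Value) == 0 && secret.FromFile == ""` relies on `&&` binding tighter than `||`, which is correct but easy to misread in the condition that decides whether a secret is missing; parenthesise the inner pair: `if secret == nil || (len(secret.Value) == 0 && secret.FromFile == "") {`. A SecretSource populated only via FromEnv (a field GetRawSecretValue does consult) is still reported as missing here; if cookie secrets are deliberately not sourced from the environment, a one-line comment saying so would stop the next reader from treating it as an oversight. validateCookieSecret continues past the hunk.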
+++ b/pkg/validation/cookie_test.go @@ -18,11 +18,11 @@ func TestValidateCookie(t *testing.T) { invalidName := "_oauth2;proxy" // Separater character not allowed // 10 times the alphabet should be longer than 256 characters longName := strings.Repeat(alphabet, 10) - validSecret := options.SecretSource{ + validSecret := &options.SecretSource{ Value: []byte("secretthirtytwobytes+abcdefghijk"), } // 6 bytes is not a valid size - invalidSecret := options.SecretSource{ + invalidSecret := &options.SecretSource{ Value: []byte("abcdef"), } @@ -90,7 +90,7 @@ func TestValidateCookie(t *testing.T) { name: "with no cookie secret", cookie: options.Cookie{ Name: validName, - Secret: options.SecretSource{ + Secret: &options.SecretSource{ Value: nil, FromFile: "", }, @@ -127,7 +127,7 @@ func TestValidateCookie(t *testing.T) { name: "with a valid Base64 secret", cookie: options.Cookie{ Name: validName, - Secret: validBase64Secret, + Secret: &validBase64Secret, Domains: emptyDomains, Path: "", Expire: time.Hour, @@ -142,7 +142,7 @@ func TestValidateCookie(t *testing.T) { name: "with an invalid Base64 secret", cookie: options.Cookie{ Name: validName, - Secret: invalidBase64Secret, + Secret: &invalidBase64Secret, Domains: emptyDomains, Path: "", Expire: time.Hour, @@ -307,7 +307,7 @@ func TestValidateCookie(t *testing.T) { name: "with valid secret file", cookie: options.Cookie{ Name: validName, - Secret: options.SecretSource{ + Secret: &options.SecretSource{ FromFile: tmpfile.Name(), }, Domains: domains, @@ -324,7 +324,7 @@ func TestValidateCookie(t *testing.T) { name: "with nonexistent secret file", cookie: options.Cookie{ Name: validName, - Secret: options.SecretSource{ + Secret: &options.SecretSource{ FromFile: "/nonexistent/file.txt", }, Domains: domains, 
@@ -335,7 +335,7 @@ func TestValidateCookie(t *testing.T) { SameSite: "", }, refresh: 0, - errStrings: []string{"could not read cookie secret file: /nonexistent/file.txt"}, + errStrings: []string{"error retrieving cookie secret: error reading secret from file \"/nonexistent/file.txt\": open /nonexistent/file.txt: no such file or directory"}, }, } diff --git a/pkg/validation/header_test.go b/pkg/validation/header_test.go index e9566752..eb46f5af 100644 --- a/pkg/validation/header_test.go +++ b/pkg/validation/header_test.go @@ -1,8 +1,6 @@ package validation import ( - "encoding/base64" - "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -29,9 +27,7 @@ var _ = Describe("Headers", func() { Name: "X-Forwarded-Auth", Values: []options.HeaderValue{ { - SecretSource: &options.SecretSource{ - Value: []byte(base64.RawStdEncoding.EncodeToString([]byte("secret"))), - }, + SecretSource: options.NewSecretSourceFromString("secret"), }, }, } @@ -41,10 +37,8 @@ var _ = Describe("Headers", func() { Values: []options.HeaderValue{ { ClaimSource: &options.ClaimSource{ - Claim: "email", - BasicAuthPassword: &options.SecretSource{ - Value: []byte(base64.RawStdEncoding.EncodeToString([]byte("secret"))), - }, + Claim: "email", + BasicAuthPassword: options.NewSecretSourceFromString("secret"), }, }, }, diff --git a/pkg/validation/options_test.go b/pkg/validation/options_test.go index e0f7bbb0..0d193af8 100644 --- a/pkg/validation/options_test.go +++ b/pkg/validation/options_test.go @@ -20,7 +20,7 @@ const ( ) var ( - cookieSecret = options.NewSecretSourceFromString("secretthirtytwobytes+abcdefghijk") + cookieSecret = &options.SecretSource{Value: []byte("secretthirtytwobytes+abcdefghijk")} ) func testOptions() *options.Options { 
@@ -128,7 +128,7 @@ func TestCookieRefreshMustBeLessThanCookieExpire(t *testing.T) { o := testOptions() assert.Equal(t, nil, Validate(o)) - o.Cookie.Secret = options.NewSecretSourceFromString("0123456789abcdef") + o.Cookie.Secret = &options.SecretSource{Value: []byte("0123456789abcdef")} o.Session.Refresh = o.Cookie.Expire assert.NotEqual(t, nil, Validate(o)) @@ -141,23 +141,23 @@ func TestBase64CookieSecret(t *testing.T) { assert.Equal(t, nil, Validate(o)) // 32 byte, base64 (urlsafe) encoded key - o.Cookie.Secret = options.NewSecretSourceFromString("yHBw2lh2Cvo6aI_jn_qMTr-pRAjtq0nzVgDJNb36jgQ=") + o.Cookie.Secret = &options.SecretSource{Value: []byte("yHBw2lh2Cvo6aI_jn_qMTr-pRAjtq0nzVgDJNb36jgQ=")} assert.Equal(t, nil, Validate(o)) // 32 byte, base64 (urlsafe) encoded key, w/o padding - o.Cookie.Secret = options.NewSecretSourceFromString("yHBw2lh2Cvo6aI_jn_qMTr-pRAjtq0nzVgDJNb36jgQ") + o.Cookie.Secret = &options.SecretSource{Value: []byte("yHBw2lh2Cvo6aI_jn_qMTr-pRAjtq0nzVgDJNb36jgQ")} assert.Equal(t, nil, Validate(o)) // 24 byte, base64 (urlsafe) encoded key - o.Cookie.Secret = options.NewSecretSourceFromString("Kp33Gj-GQmYtz4zZUyUDdqQKx5_Hgkv3") + o.Cookie.Secret = &options.SecretSource{Value: []byte("Kp33Gj-GQmYtz4zZUyUDdqQKx5_Hgkv3")} assert.Equal(t, nil, Validate(o)) // 16 byte, base64 (urlsafe) encoded key - o.Cookie.Secret = options.NewSecretSourceFromString("LFEqZYvYUwKwzn0tEuTpLA==") + o.Cookie.Secret = &options.SecretSource{Value: []byte("LFEqZYvYUwKwzn0tEuTpLA==")} assert.Equal(t, nil, Validate(o)) // 16 byte, base64 (urlsafe) encoded key, w/o padding - o.Cookie.Secret = options.NewSecretSourceFromString("LFEqZYvYUwKwzn0tEuTpLA") + o.Cookie.Secret = &options.SecretSource{Value: []byte("LFEqZYvYUwKwzn0tEuTpLA")} assert.Equal(t, nil, Validate(o)) }