[EOS-10808] Set explicit domain for stratio-cookie (kubernetes#18)
Co-authored-by: Viktor Jacynycz <[email protected]>
Co-authored-by: Unai Arríen <[email protected]>
Co-authored-by: Francisco Orselli <[email protected]>
4 people authored and Alvaro-Campesino committed Feb 10, 2023
1 parent d98f3eb commit 5b14114
Showing 4 changed files with 14,070 additions and 13 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -1,6 +1,5 @@
# Changelog

## 1.5.1-0.6.0 (upcoming)

* Upcoming changelog

Expand All @@ -10,6 +9,8 @@
* Fix vault retrieve secret recode
* Avoid race condition
* [EOS-9406] Fix map CN / UID
* [EOS-10808] Set explicit domain for stratio-cookie


## 1.2.0-0.4.0 (2022-08-08)

31 changes: 19 additions & 12 deletions rootfs/etc/nginx/lua/stratio_auth.lua
Expand Up @@ -96,7 +96,7 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
end
return
end

-- Get request's cookies
local req_cookie, err = ck:new()
if not req_cookie then
Expand All @@ -118,12 +118,11 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
-- If there's no Stratio cookie in the request, add it
local stratio_cookie, err = req_cookie:get(stratio_cookie_name)
if not stratio_cookie then

ngx.log(ngx.DEBUG, 'Cookie not found in request')
stratio_jwt = create_jwt(oauth2_cookie, userinfo_url, signing_key)

ngx.log(ngx.DEBUG, 'Cookie created, adding to response')
local ok, err = req_cookie:set({

local req_cookie_data = {
key = stratio_cookie_name,
value = stratio_jwt,
path = "/",
Expand All @@ -132,8 +131,13 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
samesite = "Lax",
expires = ngx.cookie_time(ngx.time() + 21600),
max_age = 21600
})
}
local cookie_domain = os.getenv("STRATIO_COOKIE_DOMAIN")
if cookie_domain then
req_cookie_data.domain = cookie_domain
end

local ok, err = req_cookie:set(req_cookie_data)
if not ok then
ngx.log(ngx.STDERR, 'Unexpected error setting the Stratio cookie: ', err)
return 403
Expand All @@ -142,7 +146,6 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
ngx.log(ngx.DEBUG, 'Adding cookie to request')
ngx.req.set_header("Cookie", stratio_cookie_name .. "=" .. stratio_jwt .. ";" .. ngx.var.http_cookie);
else

ngx.log(ngx.DEBUG, 'Cookie found in request, verifying signature, expiration and issuer')
local jwt = require "resty.jwt"
local jwt_obj = jwt:verify(verification_key, stratio_cookie, {
Expand All @@ -152,12 +155,11 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
})

if not jwt_obj["verified"] then

ngx.log(ngx.DEBUG, 'Invalid JWT, generating a new one')
stratio_jwt = create_jwt(oauth2_cookie, userinfo_url, signing_key)

ngx.log(ngx.DEBUG, 'Cookie created, adding to response')
local ok, err = req_cookie:set({

local req_cookie_data = {
key = stratio_cookie_name,
value = stratio_jwt,
path = "/",
Expand All @@ -166,8 +168,13 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
samesite = "Lax",
expires = ngx.cookie_time(ngx.time() + 21600),
max_age = 21600
})

}
local cookie_domain = os.getenv("STRATIO_COOKIE_DOMAIN")
if cookie_domain then
req_cookie_data.domain = cookie_domain
end

local ok, err = req_cookie:set(req_cookie_data)
if not ok then
ngx.log(ngx.STDERR, 'Unexpected error setting the Stratio cookie: ', err)
return 401
Expand All @@ -186,7 +193,7 @@ function _M.create_cookie(userinfo_url, oauth2_cookie_name, stratio_cookie_name,
end
mycookiestr = mycookiestr .. k .. "=" .. v .. ";"
end

ngx.log(ngx.DEBUG, 'Adding cookie to request')
ngx.req.set_header("Cookie", stratio_cookie_name .. "=" .. stratio_jwt .. ";" .. mycookiestr);
else
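Review bot: The guard `if cookie_domain then` in both new blocks (the hunks at -132 and -166) also passes for an empty string, because "" is truthy in Lua, so a variable that is set but empty would put `domain = ""` into the cookie table; `if cookie_domain and cookie_domain ~= "" then` avoids that. An explicit Domain also changes this JWT cookie from host-only to one that browsers send to every subdomain of the configured value, so a comment at the lookup should say the value must be the narrowest parent domain the ingress serves. The cookie table and the `os.getenv` lookup are now duplicated in the "cookie missing" and "invalid JWT" branches; a small local helper that builds `req_cookie_data` once would keep the two from drifting apart. create_cookie starts and ends outside the visible hunks, and the attribute lines between `path` and `samesite` are collapsed, so their flags are not visible here.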
2 changes: 2 additions & 0 deletions rootfs/etc/nginx/template/nginx.tmpl
Expand Up @@ -7,6 +7,8 @@
{{ $proxyHeaders := .ProxySetHeaders }}
{{ $addHeaders := .AddHeaders }}

env STRATIO_COOKIE_DOMAIN;

# Configuration checksum: {{ $all.Cfg.Checksum }}

# setup custom paths that do not require root access
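Review bot: The new `env STRATIO_COOKIE_DOMAIN;` line has no comment tying it to its consumer, so it reads as unused template noise and is easy to delete. nginx drops inherited environment variables unless they are declared with `env`, so without this line `os.getenv("STRATIO_COOKIE_DOMAIN")` in stratio_auth.lua returns nil and the cookie silently falls back to host-only scope. I would add `# Keep STRATIO_COOKIE_DOMAIN visible to nginx; stratio_auth.lua reads it to set the Stratio cookie's Domain attribute.` directly above the directive.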