Merge pull request mesosphere#29 from k3a/k3a-cookies

[1st & important] Fix domains and encryption key setup of securecookies with claims
tgerakitis · May 8, 2020 · 06a0eb7 · 06a0eb7
2 parents 5d70c6f + 11dc396
commit 06a0eb7
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"net/http"
+	"time"
 
 	"github.com/gorilla/sessions"
 	"k8s.io/client-go/kubernetes"
@@ -40,8 +41,14 @@ func main() {
 		clientset = nil
 	}
 
+	// Prepare cookie session store (first key is for auth, the second one for encryption)
+	cookieStore := sessions.NewCookieStore(config.Secret, []byte(config.SessionKey))
+	cookieStore.Options.MaxAge = int(config.Lifetime / time.Second)
+	cookieStore.Options.HttpOnly = true
+	cookieStore.Options.Secure = !config.InsecureCookie
+
 	// Build server
-	server := internal.NewServer(sessions.NewCookieStore([]byte(config.SessionKey)), clientset)
+	server := internal.NewServer(cookieStore, clientset)
 
 	// Attach router to default server
 	http.HandleFunc("/", server.RootHandler)

diff --git a/internal/config.go b/internal/config.go
@@ -201,6 +201,8 @@ func (c *Config) Validate() {
 	// Check for show stopper errors
 	if len(c.SecretString) == 0 {
 		log.Fatal("\"secret\" option must be set.")
+	} else if len(c.SecretString) < 32 {
+		log.Infoln("for better security, \"secret\" should ideally be 32 bytes or longer")
 	}
 
 	if c.ProviderUri == "" || c.ClientId == "" || c.ClientSecret == "" {
@@ -227,6 +229,13 @@ func (c *Config) Validate() {
 		}
 		c.ServiceAccountToken = strings.TrimSuffix(string(t), "\n")
 	}
+
+	// RBAC
+	if c.EnableRBAC && len(c.SessionKey) != 16 && len(c.SessionKey) != 24 && len(c.SessionKey) != 32 {
+		// Gorilla sessions require encryption keys of specific length
+		// https://www.gorillatoolkit.org/pkg/sessions#NewCookieStore
+		log.Fatal("\"session-key\" must be 16, 24 or 32 bytes long to select AES-128, AES-192, or AES-256 modes")
+	}
 }
 
 func (c *Config) SetOidcProvider() {

diff --git a/internal/server.go b/internal/server.go
@@ -308,13 +308,22 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 		logger.Printf("creating group claims session with groups: %v", groups)
 		session, err := s.sessionStore.Get(r, config.GroupsSessionName)
 		if err != nil {
-			logger.Errorf("failed to get group claims session: %v", err)
+			// from the .Get() documentation:
+			// "It returns a new session and an error if the session exists but could not be decoded."
+			// So it's ok to ignore and use the newly-created secure session! No need to hard-fail here.
+			logger.Errorf("unable to decode existing session with group claims (creating a new one): %v", err)
+		}
+
+		if session == nil {
+			// should never happen
 			http.Error(w, "Bad Gateway", 502)
 			return
 		}
+
 		session.Values["groups"] = make([]string, len(groups))
 		copy(session.Values["groups"].([]string), groups)
 
+		session.Options.Domain = cookieDomain(r)
 		if err := session.Save(r, w); err != nil {
 			logger.Errorf("error saving session: %v", err)
 			http.Error(w, "Bad Gateway", 502)