authenticate: encrypt & mac oauth2 callback state
- cryptutil: add hmac & tests
- cryptutil: rename cipher / encoders to be more clear
- cryptutil: simplify SecureEncoder interface
- cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64
- cryptutil: move key & random generators to helpers

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
parent
3a806c6dfc
commit
7c755d833f
26 changed files with 539 additions and 464 deletions
|
@ -1,6 +1,7 @@
|
|||
package authenticate // import "github.com/pomerium/pomerium/authenticate"
|
||||
|
||||
import (
|
||||
"crypto/cipher"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
@ -20,10 +21,10 @@ const callbackPath = "/oauth2/callback"
|
|||
// ValidateOptions checks that configuration are complete and valid.
|
||||
// Returns on first error found.
|
||||
func ValidateOptions(o config.Options) error {
|
||||
if _, err := cryptutil.NewCipherFromBase64(o.SharedKey); err != nil {
|
||||
if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
|
||||
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %v", err)
|
||||
}
|
||||
if _, err := cryptutil.NewCipherFromBase64(o.CookieSecret); err != nil {
|
||||
if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
|
||||
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %v", err)
|
||||
}
|
||||
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
|
||||
|
@ -48,7 +49,8 @@ type Authenticate struct {
|
|||
cookieSecret []byte
|
||||
templates *template.Template
|
||||
sessionStore sessions.SessionStore
|
||||
cipher cryptutil.Cipher
|
||||
cipher cipher.AEAD
|
||||
encoder cryptutil.SecureEncoder
|
||||
provider identity.Authenticator
|
||||
}
|
||||
|
||||
|
@ -58,7 +60,8 @@ func New(opts config.Options) (*Authenticate, error) {
|
|||
return nil, err
|
||||
}
|
||||
decodedCookieSecret, _ := base64.StdEncoding.DecodeString(opts.CookieSecret)
|
||||
cipher, err := cryptutil.NewCipher(decodedCookieSecret)
|
||||
cipher, err := cryptutil.NewAEADCipher(decodedCookieSecret)
|
||||
encoder := cryptutil.NewSecureJSONEncoder(cipher)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -72,7 +75,7 @@ func New(opts config.Options) (*Authenticate, error) {
|
|||
CookieSecure: opts.CookieSecure,
|
||||
CookieHTTPOnly: opts.CookieHTTPOnly,
|
||||
CookieExpire: opts.CookieExpire,
|
||||
CookieCipher: cipher,
|
||||
Encoder: encoder,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -100,6 +103,7 @@ func New(opts config.Options) (*Authenticate, error) {
|
|||
templates: templates.New(),
|
||||
sessionStore: cookieStore,
|
||||
cipher: cipher,
|
||||
encoder: encoder,
|
||||
provider: provider,
|
||||
cookieSecret: decodedCookieSecret,
|
||||
cookieName: opts.CookieName,
|
||||
|
|
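Review bot: In the hunk at `@ -58,7 +60,8 @@`, the new `encoder := cryptutil.NewSecureJSONEncoder(cipher)` line sits between `cipher, err := cryptutil.NewAEADCipher(decodedCookieSecret)` and its `if err != nil` check, so on a bad key the encoder is constructed around a nil `cipher.AEAD` before the function bails out; the immediate return makes this harmless today, but it is fragile if a later edit starts using `encoder` before the check. Move the error check up so the AEAD is only wrapped once it is known to be valid: `cipher, err := cryptutil.NewAEADCipher(decodedCookieSecret)` / `if err != nil { return nil, err }` / `encoder := cryptutil.NewSecureJSONEncoder(cipher)`. The same hunk keeps `decodedCookieSecret, _ := base64.StdEncoding.DecodeString(opts.CookieSecret)` with the decode error dropped; this appears to rely on `ValidateOptions` having already run `NewAEADCipherFromBase64` on the same value (the `return nil, err` just above suggests that), which is worth a one-line comment such as `// CookieSecret was already validated as base64 by ValidateOptions.` so the blank identifier is clearly deliberate. The struct hunk at `@ -48,7 +49,8 @@` adds the `encoder cryptutil.SecureEncoder` field next to `cipher cipher.AEAD` without a comment distinguishing the two; a short note like `// encoder wraps cipher for JSON state (e.g. the oauth2 callback state) — cipher is kept for raw AEAD use.` would help readers, hedged as appropriate since the raw-cipher users are outside this hunk. `New` begins and ends outside the hunk.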