diff --git a/docs/4-auth.md b/docs/4-auth.md index 777775ca..45740974 100644 --- a/docs/4-auth.md +++ b/docs/4-auth.md @@ -40,6 +40,10 @@ adminPassword: "" adminUsername: "admin" # Configure zero or more authentication backends auth: + sessionStore: + # 32 random bytes in hexadecimal encoding (64 chars) used to sign session cookies. It's generated randomly + # if not present. Need to be set when running in HA setup (more than one replica) + secret: "" simple: # Users is a list of htpasswd encoded username:password pairs # supports BCrypt, Sha, Ssha, Md5 diff --git a/pkg/authnz/authconfig/authconfig.go b/pkg/authnz/authconfig/authconfig.go index 1fac5e15..3c26f43f 100644 --- a/pkg/authnz/authconfig/authconfig.go +++ b/pkg/authnz/authconfig/authconfig.go @@ -5,10 +5,15 @@ import ( ) type AuthConfig struct { - OIDC *OIDCConfig `yaml:"oidc"` - Gitlab *GitlabConfig `yaml:"gitlab"` - Basic *BasicAuthConfig `yaml:"basic"` - Simple *SimpleAuthConfig `yaml:"simple"` + SessionStore *SessionStoreConfig `yaml:"sessionStore"` + OIDC *OIDCConfig `yaml:"oidc"` + Gitlab *GitlabConfig `yaml:"gitlab"` + Basic *BasicAuthConfig `yaml:"basic"` + Simple *SimpleAuthConfig `yaml:"simple"` +} + +type SessionStoreConfig struct { + Secret string `yaml:"secret"` } func (c *AuthConfig) IsEnabled() bool { diff --git a/pkg/authnz/router.go b/pkg/authnz/router.go index 775054dd..8c4263fa 100644 --- a/pkg/authnz/router.go +++ b/pkg/authnz/router.go @@ -1,6 +1,7 @@ package authnz import ( + "encoding/hex" "fmt" "net/http" "strconv" 
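Review bot: The new exported `SessionStoreConfig` type and its `Secret` field in pkg/authnz/authconfig/authconfig.go have no doc comment, so the only description of the expected format lives in docs/4-auth.md. I would add `// SessionStoreConfig configures the cookie store that backs login sessions.` on the type and, on the field, `// Secret is the hex-encoded 32-byte key used to sign session cookies; empty means a random key is generated at startup, which only works with a single replica.` The comment should also say that the value is a credential, so callers must not log or echo a whole AuthConfig. Because the field on AuthConfig is `*SessionStoreConfig`, it is nil whenever the `sessionStore` key is absent from the YAML, and every reader has to check that before dereferencing.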
@@ -26,7 +27,20 @@ type AuthMiddleware struct { func New(config authconfig.AuthConfig, claimsMiddleware authsession.ClaimsMiddleware) (*AuthMiddleware, error) { router := mux.NewRouter() - store := sessions.NewCookieStore([]byte(authutil.RandomString(32))) + var storeSecret []byte + if config.SessionStore.Secret == "" { + storeSecret = []byte(authutil.RandomString(32)) + } else { + var err error + storeSecret, err = hex.DecodeString(config.SessionStore.Secret) + if err != nil { + return nil, err + } + if len(storeSecret) != 32 { + return nil, errors.New("session store secret must be 32 bytes long") + } + } + store := sessions.NewCookieStore(storeSecret) runtime := authruntime.NewProviderRuntime(store) providers := config.Providers()
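Review bot: `config.SessionStore.Secret` is read without a nil check, but `SessionStore` is declared as `*SessionStoreConfig` in authconfig.go, so any deployment whose YAML omits the new `sessionStore` key will panic with a nil pointer dereference inside `New`; the guard should be `if config.SessionStore == nil || config.SessionStore.Secret == "" {`. The `errors.New` call in the length check needs an `errors` import, and the import hunk above only adds `encoding/hex` — unless `errors` resolves to a package imported further down the block, this does not compile. The decode error is returned bare; wrapping it as `return nil, fmt.Errorf("decoding sessionStore.secret: %w", err)` tells the operator which setting is wrong without echoing the value. Whether `authutil.RandomString` is a cryptographically secure generator cannot be seen from here; since its output becomes the cookie signing key, that should be confirmed (crypto/rand) before relying on the fallback. `New` continues past the end of the hunk.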