From 0373c62b00b076a5d11d94cfc51c3db1ad3d6e17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20-nexus-=20Mlyn=C3=A1=C5=99?=
Date: Sun, 30 Oct 2022 23:16:18 +0100
Subject: [PATCH 1/2] feat: specify stable session cookie secret for HA setup

---
 docs/4-auth.md | 5 +++++
 pkg/authnz/authconfig/authconfig.go | 13 +++++++++----
 pkg/authnz/router.go | 16 +++++++++++++++-
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/docs/4-auth.md b/docs/4-auth.md
index 2b96ee08..b5d6a4ec 100644
--- a/docs/4-auth.md
+++ b/docs/4-auth.md
@@ -40,6 +40,11 @@ adminPassword: ""
 adminUsername: "admin"
 # Configure zero or more authentication backends
 auth:
+ sessionStore:
+ # 32 random bytes used to sign session cookies. It's generated randomly
+ # if not present. Need to be set when running in HA setup (more than one replica)
+ # It has to be 32 bytes long (/[0-9a-f]{64}/)
+ secret: 4f68646565736f6f5368346f685468656567364c696537636569746861696368
 simple:
 # Users is a list of htpasswd encoded username:password pairs
 # supports BCrypt, Sha, Ssha, Md5
diff --git a/pkg/authnz/authconfig/authconfig.go b/pkg/authnz/authconfig/authconfig.go
index 1fac5e15..3c26f43f 100644
--- a/pkg/authnz/authconfig/authconfig.go
+++ b/pkg/authnz/authconfig/authconfig.go
@@ -5,10 +5,15 @@ import (
 )
 
 type AuthConfig struct {
- OIDC *OIDCConfig `yaml:"oidc"`
- Gitlab *GitlabConfig `yaml:"gitlab"`
- Basic *BasicAuthConfig `yaml:"basic"`
- Simple *SimpleAuthConfig `yaml:"simple"`
+ SessionStore *SessionStoreConfig `yaml:"sessionStore"`
+ OIDC *OIDCConfig `yaml:"oidc"`
+ Gitlab *GitlabConfig `yaml:"gitlab"`
+ Basic *BasicAuthConfig `yaml:"basic"`
+ Simple *SimpleAuthConfig `yaml:"simple"`
+}
+
+type SessionStoreConfig struct {
+ Secret string `yaml:"secret"`
 }
 
 func (c *AuthConfig) IsEnabled() bool {
diff --git a/pkg/authnz/router.go b/pkg/authnz/router.go
index 775054dd..8c4263fa 100644
--- a/pkg/authnz/router.go
+++ b/pkg/authnz/router.go
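Review bot: The new exported type `SessionStoreConfig` and the new `SessionStore` field on `AuthConfig` have no doc comments, and since the field is a pointer it will be nil whenever the `sessionStore:` section is absent from the YAML, which every consumer has to handle. I'd add `// SessionStoreConfig configures the cookie-based session store.` above the type and `// Secret is the hex-encoded 32-byte key used to sign session cookies; leave it empty to have a random key generated at startup.` above the field, plus `// SessionStore is nil when no sessionStore section is configured.` on the AuthConfig field. Stating the hex/32-byte contract here keeps it next to the value that router.go later decodes and length-checks, rather than only in the docs example.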
@@ -1,6 +1,7 @@
 package authnz
 
 import (
+ "encoding/hex"
 "fmt"
 "net/http"
 "strconv"
@@ -26,7 +27,20 @@ type AuthMiddleware struct {
 func New(config authconfig.AuthConfig, claimsMiddleware authsession.ClaimsMiddleware) (*AuthMiddleware, error) {
 router := mux.NewRouter()
- store := sessions.NewCookieStore([]byte(authutil.RandomString(32)))
+ var storeSecret []byte
+ if config.SessionStore.Secret == "" {
+ storeSecret = []byte(authutil.RandomString(32))
+ } else {
+ var err error
+ storeSecret, err = hex.DecodeString(config.SessionStore.Secret)
+ if err != nil {
+ return nil, err
+ }
+ if len(storeSecret) != 32 {
+ return nil, errors.New("session store secret must be 32 bytes long")
+ }
+ }
+ store := sessions.NewCookieStore(storeSecret)
 runtime := authruntime.NewProviderRuntime(store)
 providers := config.Providers()

From 0f84cb32d3972c353f045f3e7c49feaade776bb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Mlyn=C3=A1=C5=99?=
Date: Sun, 6 Nov 2022 20:29:23 +0100
Subject: [PATCH 2/2] Update docs/4-auth.md

Co-authored-by: DasSkelett
---
 docs/4-auth.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/docs/4-auth.md b/docs/4-auth.md
index b5d6a4ec..3f72ca6c 100644
--- a/docs/4-auth.md
+++ b/docs/4-auth.md
@@ -41,10 +41,9 @@ adminUsername: "admin"
 # Configure zero or more authentication backends
 auth:
 sessionStore:
- # 32 random bytes used to sign session cookies. It's generated randomly
+ # 32 random bytes in hexadecimal encoding (64 chars) used to sign session cookies. It's generated randomly
+ # if not present. Need to be set when running in HA setup (more than one replica)
- # It has to be 32 bytes long (/[0-9a-f]{64}/)
- secret: 4f68646565736f6f5368346f685468656567364c696537636569746861696368
+ secret: ""
 simple:
 # Users is a list of htpasswd encoded username:password pairs
 # supports BCrypt, Sha, Ssha, Md5
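Review bot: `config.SessionStore.Secret` is read without checking the pointer, and `SessionStore` is declared as `*SessionStoreConfig` in the authconfig.go hunk, so a config with no `sessionStore:` section — the default case the docs describe — panics in New instead of taking the random-key branch; the guard should be `if config.SessionStore == nil || config.SessionStore.Secret == "" {`. The import hunk adds only `"encoding/hex"` while the new code calls `errors.New`; unless `errors` is already imported further down the block, this does not compile, and since `fmt` is in scope anyway `return nil, fmt.Errorf("session store secret must be 32 bytes long, got %d", len(storeSecret))` would also tell the operator what was wrong. The bare `return nil, err` after hex.DecodeString would read better as `return nil, fmt.Errorf("decoding sessionStore.secret: %w", err)`, which names the offending setting without echoing its value. The body of New continues outside the hunk.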