oauth2-proxy/pkg/cookies/cookies.go

package cookies

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
	requestutil "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests/util"
)

// MakeCookieFromOptions constructs a cookie based on the given *options.CookieOptions,
// value and creation time
func MakeCookieFromOptions(req *http.Request, name string, value string, opts *options.Cookie, expiration time.Duration, now time.Time) *http.Cookie {
	domain := GetCookieDomain(req, opts.Domains)
	// If nothing matches, create the cookie with the shortest domain
	if domain == "" && len(opts.Domains) > 0 {
		logger.Errorf("Warning: request host %q did not match any of the specific cookie domains of %q",
			requestutil.GetRequestHost(req),
			strings.Join(opts.Domains, ","),
		)
		domain = opts.Domains[len(opts.Domains)-1]
	}

	c := &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     opts.Path,
		Domain:   domain,
		HttpOnly: opts.HTTPOnly,
		Secure:   opts.Secure,
		SameSite: ParseSameSite(opts.SameSite),
	}

	if expiration != time.Duration(0) {
		c.Expires = now.Add(expiration)
	}

	warnInvalidDomain(c, req)

	return c
}

// GetCookieDomain returns the correct cookie domain given a list of domains
// by checking the X-Fowarded-Host and host header of an an http request
func GetCookieDomain(req *http.Request, cookieDomains []string) string {
	host := requestutil.GetRequestHost(req)
	for _, domain := range cookieDomains {
		if strings.HasSuffix(host, domain) {
			return domain
		}
	}
	return ""
}

// Parse a valid http.SameSite value from a user supplied string for use of making cookies.
func ParseSameSite(v string) http.SameSite {
	switch v {
	case "lax":
		return http.SameSiteLaxMode
	case "strict":
		return http.SameSiteStrictMode
	case "none":
		return http.SameSiteNoneMode
	case "":
		return 0
	default:
		panic(fmt.Sprintf("Invalid value for SameSite: %s", v))
	}
}

// warnInvalidDomain logs a warning if the request host and cookie domain are
// mismatched.
func warnInvalidDomain(c *http.Cookie, req *http.Request) {
	if c.Domain == "" {
		return
	}

	host := requestutil.GetRequestHost(req)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if !strings.HasSuffix(host, c.Domain) {
		logger.Errorf("Warning: request host is %q but using configured cookie domain of %q", host, c.Domain)
	}
}
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`package cookies`

			`import (`
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 21:10:04 +03:00			`"fmt"`
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`"net"`
			`"net/http"`
			`"strings"`
			`"time"`

Fix import path for v7 (#800) * fix import path for v7 find ./ -name ".go" \| xargs sed -i -e 's\|"github.com/oauth2-proxy/oauth2-proxy\|"github.com/oauth2-proxy/oauth2-proxy/v7\|' fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-09-29 19:44:42 +03:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"`
Refactor organization of scope aware request utils Reorganized the structure of the Request Utils due to their widespread use resulting in circular imports issues (mostly because of middleware & logger). 2021-01-03 00:16:01 +03:00			`requestutil "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests/util"`
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`)`

Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00			`// MakeCookieFromOptions constructs a cookie based on the given *options.CookieOptions,`
			`// value and creation time`
			`func MakeCookieFromOptions(req http.Request, name string, value string, opts options.Cookie, expiration time.Duration, now time.Time) *http.Cookie {`
			`domain := GetCookieDomain(req, opts.Domains)`
			`// If nothing matches, create the cookie with the shortest domain`
			`if domain == "" && len(opts.Domains) > 0 {`
			`logger.Errorf("Warning: request host %q did not match any of the specific cookie domains of %q",`
			`requestutil.GetRequestHost(req),`
			`strings.Join(opts.Domains, ","),`
			`)`
			`domain = opts.Domains[len(opts.Domains)-1]`
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`}`

Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00			`c := &http.Cookie{`
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`Name: name,`
			`Value: value,`
Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00			`Path: opts.Path,`
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`Domain: domain,`
Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00			`HttpOnly: opts.HTTPOnly,`
			`Secure: opts.Secure,`
			`SameSite: ParseSameSite(opts.SameSite),`
Implement ClearSession for cookie SessionStore 2019-05-07 02:20:36 +03:00			`}`
Simplify cookie creation form *options.CookieOptions 2019-05-13 18:01:28 +03:00
Session-Cookie Support (#1713) * Create session cookie when cookie-expire set 0 * Fix format * add test * fix lint error * fix test code * fix conflicted test case * update test case of cookie expiration * update tests of csrf cookies * update docs * Update docs/docs/configuration/overview.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> --------- Co-authored-by: tanuki884 <morkazuk@fsi.co.jp> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2023-08-16 14:23:02 +03:00			`if expiration != time.Duration(0) {`
			`c.Expires = now.Add(expiration)`
			`}`

Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00			`warnInvalidDomain(c, req)`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 14:00:44 +03:00
Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00			`return c`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 14:00:44 +03:00			`}`

			`// GetCookieDomain returns the correct cookie domain given a list of domains`
			`// by checking the X-Fowarded-Host and host header of an an http request`
			`func GetCookieDomain(req *http.Request, cookieDomains []string) string {`
Refactor organization of scope aware request utils Reorganized the structure of the Request Utils due to their widespread use resulting in circular imports issues (mostly because of middleware & logger). 2021-01-03 00:16:01 +03:00			`host := requestutil.GetRequestHost(req)`
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-12 14:00:44 +03:00			`for _, domain := range cookieDomains {`
			`if strings.HasSuffix(host, domain) {`
			`return domain`
			`}`
			`}`
			`return ""`
			`}`

Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 21:10:04 +03:00			`// Parse a valid http.SameSite value from a user supplied string for use of making cookies.`
			`func ParseSameSite(v string) http.SameSite {`
			`switch v {`
			`case "lax":`
			`return http.SameSiteLaxMode`
			`case "strict":`
			`return http.SameSiteStrictMode`
			`case "none":`
			`return http.SameSiteNoneMode`
			`case "":`
Update go version to 1.16 This includes a fix for our samesite cookie parsing. The behaviour changed in 1.16 so that the default value now leaves it empty, so it's equivalent to not setting it (as per spec) 2021-02-17 23:59:46 +03:00			`return 0`
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite 2019-12-16 21:10:04 +03:00			`default:`
			`panic(fmt.Sprintf("Invalid value for SameSite: %s", v))`
			`}`
Simplify cookie creation form *options.CookieOptions 2019-05-13 18:01:28 +03:00			`}`
Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring 2021-04-21 12:33:27 +03:00
			`// warnInvalidDomain logs a warning if the request host and cookie domain are`
			`// mismatched.`
			`func warnInvalidDomain(c http.Cookie, req http.Request) {`
			`if c.Domain == "" {`
			`return`
			`}`

			`host := requestutil.GetRequestHost(req)`
			`if h, _, err := net.SplitHostPort(host); err == nil {`
			`host = h`
			`}`
			`if !strings.HasSuffix(host, c.Domain) {`
			`logger.Errorf("Warning: request host is %q but using configured cookie domain of %q", host, c.Domain)`
			`}`
			`}`