Ensure secret tokens are deserialized as strings

Otherwise gopkg.in/yaml.v2 won't decode strings to []bytes.

server/config.go

@@ -30,8 +30,8 @@ type Config struct {
 		rx         *regexp.Regexp
 	} `yaml:"service_ttls"`
 	AuthSessionLifetimeSeconds int            `yaml:"auth_session_lifetime"`
-	SessionSecrets             [][]byte       `yaml:"session_secrets"`
-	CSRFSecret                 []byte         `yaml:"csrf_secret"`
+	SessionSecrets             []string       `yaml:"session_secrets"`
+	CSRFSecret                 string         `yaml:"csrf_secret"`
 	AuthService                string         `yaml:"auth_service"`
 	DeviceManager              *device.Config `yaml:"device_manager"`
 
@@ -79,9 +79,9 @@ func (c *Config) valid() error {
 	// only. Print a warning.
 	if len(c.SessionSecrets) == 0 {
 		log.Printf("Warning: session_secrets unset, generating temporary random session secrets")
-		c.SessionSecrets = [][]byte{
-			securecookie.GenerateRandomKey(64),
-			securecookie.GenerateRandomKey(32),
+		c.SessionSecrets = []string{
+			string(securecookie.GenerateRandomKey(64)),
+			string(securecookie.GenerateRandomKey(32)),
 		}
 	}
 

server/device/manager.go

@@ -28,7 +28,7 @@ type Manager struct {
 
 // Config stores options for the device info manager.
 type Config struct {
-	AuthKey           []byte   `yaml:"auth_key"`
+	AuthKey           string   `yaml:"auth_key"`
 	GeoIPDataFile     string   `yaml:"geo_ip_data"`
 	TrustedForwarders []string `yaml:"trusted_forwarders"`
 	RemoteAddrHeader  string   `yaml:"remote_addr_header"`
@@ -60,7 +60,7 @@ func New(config *Config) (*Manager, error) {
 
 	return &Manager{
 		geodb:             geodb,
-		store:             newStore(config.AuthKey),
+		store:             newStore([]byte(config.AuthKey)),
 		trustedForwarders: tf,
 		remoteAddrHeader:  hdr,
 	}, nil

server/http.go

@@ -76,9 +76,18 @@ type Server struct {
 	csrfSecret          []byte
 }
 
+func sl2bl(sl []string) [][]byte {
+	var out [][]byte
+	for _, s := range sl {
+		out = append(out, []byte(s))
+	}
+	return out
+}
+
 // New returns a new Server.
 func New(loginService *LoginService, authClient authclient.Client, config *Config) (*Server, error) {
-	store := sessions.NewCookieStore(config.SessionSecrets...)
+	sessionSecrets := sl2bl(config.SessionSecrets)
+	store := sessions.NewCookieStore(sessionSecrets...)
 	store.Options = &sessions.Options{
 		HttpOnly: true,
 		Secure:   true,
@@ -89,7 +98,9 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 		authSessionLifetime: defaultAuthSessionLifetime,
 		authSessionStore:    store,
 		loginService:        loginService,
-		csrfSecret:          config.CSRFSecret,
+	}
+	if config.CSRFSecret != "" {
+		s.csrfSecret = []byte(config.CSRFSecret)
 	}
 	if config.AuthSessionLifetimeSeconds > 0 {
 		s.authSessionLifetime = time.Duration(config.AuthSessionLifetimeSeconds) * time.Second
@@ -99,7 +110,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 	if err != nil {
 		return nil, err
 	}
-	s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, config.SessionSecrets...)
+	s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, sessionSecrets...)
 
 	return s, nil
 }