Commit 775db71e authored by ale's avatar ale

Ensure secret tokens are deserialized as strings

Otherwise gopkg.in/yaml.v2 won't decode strings to []bytes.
parent 715507b5
Pipeline #598 passed with stages
in 3 minutes and 13 seconds
......@@ -30,8 +30,8 @@ type Config struct {
rx *regexp.Regexp
} `yaml:"service_ttls"`
AuthSessionLifetimeSeconds int `yaml:"auth_session_lifetime"`
SessionSecrets [][]byte `yaml:"session_secrets"`
CSRFSecret []byte `yaml:"csrf_secret"`
SessionSecrets []string `yaml:"session_secrets"`
CSRFSecret string `yaml:"csrf_secret"`
AuthService string `yaml:"auth_service"`
DeviceManager *device.Config `yaml:"device_manager"`
......@@ -79,9 +79,9 @@ func (c *Config) valid() error {
// only. Print a warning.
if len(c.SessionSecrets) == 0 {
log.Printf("Warning: session_secrets unset, generating temporary random session secrets")
c.SessionSecrets = [][]byte{
securecookie.GenerateRandomKey(64),
securecookie.GenerateRandomKey(32),
c.SessionSecrets = []string{
string(securecookie.GenerateRandomKey(64)),
string(securecookie.GenerateRandomKey(32)),
}
}
......
......@@ -28,7 +28,7 @@ type Manager struct {
// Config stores options for the device info manager.
type Config struct {
AuthKey []byte `yaml:"auth_key"`
AuthKey string `yaml:"auth_key"`
GeoIPDataFile string `yaml:"geo_ip_data"`
TrustedForwarders []string `yaml:"trusted_forwarders"`
RemoteAddrHeader string `yaml:"remote_addr_header"`
......@@ -60,7 +60,7 @@ func New(config *Config) (*Manager, error) {
return &Manager{
geodb: geodb,
store: newStore(config.AuthKey),
store: newStore([]byte(config.AuthKey)),
trustedForwarders: tf,
remoteAddrHeader: hdr,
}, nil
......
......@@ -76,9 +76,18 @@ type Server struct {
csrfSecret []byte
}
func sl2bl(sl []string) [][]byte {
var out [][]byte
for _, s := range sl {
out = append(out, []byte(s))
}
return out
}
// New returns a new Server.
func New(loginService *LoginService, authClient authclient.Client, config *Config) (*Server, error) {
store := sessions.NewCookieStore(config.SessionSecrets...)
sessionSecrets := sl2bl(config.SessionSecrets)
store := sessions.NewCookieStore(sessionSecrets...)
store.Options = &sessions.Options{
HttpOnly: true,
Secure: true,
......@@ -89,7 +98,9 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
authSessionLifetime: defaultAuthSessionLifetime,
authSessionStore: store,
loginService: loginService,
csrfSecret: config.CSRFSecret,
}
if config.CSRFSecret != "" {
s.csrfSecret = []byte(config.CSRFSecret)
}
if config.AuthSessionLifetimeSeconds > 0 {
s.authSessionLifetime = time.Duration(config.AuthSessionLifetimeSeconds) * time.Second
......@@ -99,7 +110,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
if err != nil {
return nil, err
}
s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, config.SessionSecrets...)
s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, sessionSecrets...)
return s, nil
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment