Security improvements #68

Merged
merged 2 commits into from
Nov 26, 2024
2 changes: 1 addition & 1 deletion go.mod
@@ -4,12 +4,12 @@ go 1.17

require (
github.com/go-ldap/ldap/v3 v3.4.4
github.com/gorilla/securecookie v1.1.1
github.com/gorilla/sessions v1.2.1
)

require (
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
github.com/gorilla/securecookie v1.1.1 // indirect
golang.org/x/crypto v0.17.0 // indirect
)
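Review bot: the promotion of `github.com/gorilla/securecookie v1.1.1` from the `// indirect` block to the direct `require` block should come from `go mod tidy` rather than a hand edit, so that go.sum stays consistent with it; otherwise this hunk is correct, since ldapauth.go now imports the package directly.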
20 changes: 18 additions & 2 deletions ldapauth.go
@@ -23,6 +23,7 @@ import (

"github.com/go-ldap/ldap/v3"
"github.com/gorilla/sessions"
"github.com/gorilla/securecookie"
)

// nolint
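Review bot: the import order in this hunk is not gofmt-sorted; `"github.com/gorilla/securecookie"` sorts before `"github.com/gorilla/sessions"`, so run gofmt (or goimports) on the file so the new import lands in its canonical place and a later formatting pass does not produce a spurious diff.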
@@ -94,7 +95,7 @@ func CreateConfig() *Config {
CacheCookieName: "ldapAuth_session_token",
CacheCookiePath: "",
CacheCookieSecure: false,
CacheKey: "super-secret-key",
CacheKey: "",
Attribute: "cn", // Usually uid or sAMAccountname
SearchFilter: "",
BaseDN: "",
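Review bot: emptying the `CacheKey` default is the right fix, since any deployment that left `super-secret-key` in place was signing its session cookies with a value readable straight from this repository; because the empty string now carries meaning (generate a key at startup), the field's comment on the `Config` struct declaration should say so, so an operator reading the struct does not take blank to mean unset or unsigned.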
@@ -155,13 +156,28 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
logConfigParams(config)

// Create new session with CacheKey and CacheTimeout.
store = sessions.NewCookieStore([]byte(config.CacheKey))
var key []byte
if config.CacheKey != "" {
key = []byte(config.CacheKey)
} else {
key = securecookie.GenerateRandomKey(64)
if key == nil {
return nil, fmt.Errorf("Error generating random key")
}
}
store = sessions.NewCookieStore(key)
store.Options = &sessions.Options{
HttpOnly: true,
MaxAge: int(config.CacheTimeout),
Path: config.CacheCookiePath,
Secure: config.CacheCookieSecure,
}
// This is called in sessions.NewCookieStore using the default MaxAge. If
// it's not called again here, our CacheTimeout would affect only the
// expiration time sent in the 'set-cookie' header but not the actual check
// of the HMACed timestamp in the cookie, so a cookie would be accepted for
// 30 days.
store.MaxAge(store.Options.MaxAge)

return &LdapAuth{
name: name,
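Review bot: two points on the key-generation branch. The generated key exists only in this process, so every restart invalidates all existing sessions and several Traefik replicas will each sign with a different key and reject one another's cookies; the fallback deserves a log line when it is taken and a sentence in the readme, so operators running more than one instance know to set `cacheKey` explicitly. Minor: Go error strings are conventionally lowercase and unpunctuated (`fmt.Errorf("error generating random key")`), and staticcheck ST1005 will flag the capitalised one. The `store.MaxAge(store.Options.MaxAge)` call and its comment are a good catch: without it the securecookie codec keeps the 30-day validity window that `sessions.NewCookieStore` installs, whatever `CacheTimeout` is set to.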
4 changes: 2 additions & 2 deletions readme.md
@@ -166,9 +166,9 @@ Set to true if the session cookie should have the secure flag. The cookie will o
##### `cacheKey`
Needs `traefik` >= [`v2.8.5`](https://github.com/traefik/traefik/releases/tag/v2.8.5)

_Optional, Default: `super-secret-key`_
_Optional_

The key used to encrypt session cookie information. You `must` use a strong value here.
The key used to sign session cookie information. If unset, one will be randomly generated at startup.

##### `serverList.startTLS`
_Optional, Default: `false`_
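Review bot: the new `cacheKey` text drops two things worth keeping. The removed advice to use a strong value still applies whenever the key is set explicitly, so it belongs next to the new sentence; and the generated-at-startup behaviour should state its consequence, that sessions do not survive a restart and are not shared between instances, so readers know when an explicit key is required. Suggested wording: "The key used to sign session cookie information. If unset, a random key is generated at startup; sessions will then not survive restarts and are not shared between instances. If you set it, use a strong random value."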