author | Kassio Borges <kborges@gitlab.com> | 2022-11-03 11:29:35 +0300 |
---|---|---|
committer | Alessio Caiazza <acaiazza@gitlab.com> | 2022-11-03 11:29:35 +0300 |
commit | 5f51016111a64f54272eb40383467c8a45876fae (patch) | |
tree | f8b30898d4d58f1d23da501163b7f15e9acd3c0f | |
parent | 9759fdf494816a1a42b8b3590dde9f74b0aec76e (diff) |
Add auth-cookie-session-timeout flag
Related to: https://gitlab.com/gitlab-org/gitlab-pages/-/issues/806
Changelog: added
-rw-r--r-- | app.go | 3 | ||||
-rw-r--r-- | internal/auth/auth.go | 17 | ||||
-rw-r--r-- | internal/auth/auth_test.go | 4 | ||||
-rw-r--r-- | internal/auth/session.go | 2 | ||||
-rw-r--r-- | internal/config/config.go | 27 | ||||
-rw-r--r-- | internal/config/flags.go | 12 |
6 files changed, 37 insertions, 28 deletions
@@ -391,7 +391,8 @@ func (a *theApp) setAuth(config *cfg.Config) error { var err error a.Auth, err = auth.New(config.General.Domain, config.Authentication.Secret, config.Authentication.ClientID, config.Authentication.ClientSecret, - config.Authentication.RedirectURI, config.GitLab.InternalServer, config.GitLab.PublicServer, config.Authentication.Scope, config.Authentication.Timeout) + config.Authentication.RedirectURI, config.GitLab.InternalServer, config.GitLab.PublicServer, config.Authentication.Scope, + config.Authentication.Timeout, config.Authentication.CookieSessionTimeout) if err != nil { return fmt.Errorf("could not initialize auth package: %w", err) } diff --git a/internal/auth/auth.go b/internal/auth/auth.go index 3014936b..b4dc73aa 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -37,7 +37,6 @@ const ( tokenURLTemplate = "%s/oauth/token" callbackPath = "/auth" authorizeProxyTemplate = "%s?domain=%s&state=%s" - authSessionMaxAge = 60 * 10 // 10 minutes failAuthErrMsg = "failed to authenticate request" fetchAccessTokenErrMsg = "fetching access token failed" @@ -66,6 +65,7 @@ type Auth struct { apiClient *http.Client store sessions.Store now func() time.Time // allows to stub time.Now() easily in tests + cookieSessionTimeout time.Duration } type tokenResponse struct { @@ -637,7 +637,7 @@ func generateKeys(secret string, count int) ([][]byte, error) { } // New when authentication supported this will be used to create authentication handler -func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internalGitlabServer, publicGitlabServer, authScope string, authTimeout time.Duration) (*Auth, error) { +func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internalGitlabServer, publicGitlabServer, authScope string, authTimeout, cookieSessionTimeout time.Duration) (*Auth, error) { // generate 3 keys, 2 for the cookie store and 1 for JWT signing keys, err := generateKeys(storeSecret, 3) if err != nil { 
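Review bot: The cookieSessionTimeout field added to the Auth struct in the auth.go `@@ -66,6 +65,7 @@` hunk has no comment, while the neighbouring `now` field documents its purpose; the field's unit handling (converted to whole seconds for the cookie's Max-Age in session.go) and the meaning of zero are only discoverable from the flag help text in flags.go. Suggest `cookieSessionTimeout time.Duration // Max-Age of the auth session cookie, truncated to whole seconds; 0 yields a browser-session cookie`. The Auth struct body continues outside the hunk.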
@@ -655,11 +655,12 @@ func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internal Timeout: authTimeout, Transport: httptransport.DefaultTransport, }, - store: sessions.NewCookieStore(keys[0], keys[1]), - authSecret: storeSecret, - authScope: authScope, - jwtSigningKey: keys[2], - jwtExpiry: time.Minute, - now: time.Now, + store: sessions.NewCookieStore(keys[0], keys[1]), + authSecret: storeSecret, + authScope: authScope, + jwtSigningKey: keys[2], + jwtExpiry: time.Minute, + now: time.Now, + cookieSessionTimeout: cookieSessionTimeout, }, nil } diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go index 4236d695..47a43d4c 100644 --- a/internal/auth/auth_test.go +++ b/internal/auth/auth_test.go @@ -29,7 +29,9 @@ func createTestAuth(t *testing.T, internalServer string, publicServer string) *A "http://pages.gitlab-example.com/auth", internalServer, publicServer, - "scope", 5*time.Second) + "scope", + 5*time.Second, + 10*time.Minute) require.NoError(t, err) diff --git a/internal/auth/session.go b/internal/auth/session.go index d6402bf9..5bfc8e03 100644 --- a/internal/auth/session.go +++ b/internal/auth/session.go @@ -30,7 +30,7 @@ func (a *Auth) getSessionFromStore(r *http.Request) (*hostSession, error) { session.Options.Path = "/" session.Options.HttpOnly = true session.Options.Secure = request.IsHTTPS(r) - session.Options.MaxAge = authSessionMaxAge + session.Options.MaxAge = int(a.cookieSessionTimeout.Seconds()) if session.Values[sessionHostKey] == nil || session.Values[sessionHostKey] != r.Host { session.Values = make(map[interface{}]interface{}) diff --git a/internal/config/config.go b/internal/config/config.go index 50146011..5a1736ec 100644 --- a/internal/config/config.go +++ b/internal/config/config.go 
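Review bot: New stores cookieSessionTimeout with no range check, and the session.go hunk on this line converts it with `int(a.cookieSessionTimeout.Seconds())`, so a negative duration becomes a negative MaxAge (cookie deleted immediately) while any positive value under one second truncates to 0, which the flags.go help text defines as a browser-session cookie — a timeout configured shorter than intended silently becomes longer-lived. A guard at the top of New, before generateKeys, would reject this at startup: `if cookieSessionTimeout < 0 { return nil, fmt.Errorf("cookie session timeout must not be negative, got %s", cookieSessionTimeout) }`, and the sub-second case deserves at least a warning or a round-up to one second. Separately, this value only sets the cookie's Max-Age attribute; the store created with `sessions.NewCookieStore(keys[0], keys[1])` keeps its own codec max age for decoding unless store.MaxAge is called elsewhere (not visible here), so the configured timeout is honoured by the browser rather than enforced server-side, which is worth stating in the flag help text. New's body starts on the previous line and continues outside the hunk.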
@@ -88,12 +88,13 @@ type ArtifactsServer struct { // Auth groups settings related to configuring Authentication with // GitLab type Auth struct { - Secret string - ClientID string - ClientSecret string - RedirectURI string - Scope string - Timeout time.Duration + Secret string + ClientID string + ClientSecret string + RedirectURI string + Scope string + Timeout time.Duration + CookieSessionTimeout time.Duration } // Cache configuration for GitLab API @@ -318,12 +319,13 @@ func loadConfig() (*Config, error) { URL: *artifactsServer, }, Authentication: Auth{ - Secret: *secret, - ClientID: *clientID, - ClientSecret: *clientSecret, - RedirectURI: *redirectURI, - Scope: *authScope, - Timeout: *authTimeout, + Secret: *secret, + ClientID: *clientID, + ClientSecret: *clientSecret, + RedirectURI: *redirectURI, + Scope: *authScope, + Timeout: *authTimeout, + CookieSessionTimeout: *authCookieSessionTimeout, }, Log: Log{ Format: *logFormat, @@ -440,6 +442,7 @@ func LogConfig(config *Config) { "enable-disk": config.GitLab.EnableDisk, "auth-redirect-uri": config.Authentication.RedirectURI, "auth-scope": config.Authentication.Scope, + "auth-cookie-session-timeout": config.Authentication.CookieSessionTimeout, "max-conns": config.General.MaxConns, "max-uri-length": config.General.MaxURILength, "zip-cache-expiration": config.Zip.ExpirationInterval, diff --git a/internal/config/flags.go b/internal/config/flags.go index 9d79f0bc..4b8ee7a0 100644 --- a/internal/config/flags.go +++ b/internal/config/flags.go 
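Review bot: The CookieSessionTimeout field added to the config Auth struct carries no comment, and its contract (whole-second truncation, zero meaning a browser-session cookie, negative values not rejected) lives only in the flags.go help string; loadConfig copies *authCookieSessionTimeout through unchanged, so any range validation, if the config package has one, is not shown in this hunk. Suggest `CookieSessionTimeout time.Duration // Max-Age of the auth session cookie; truncated to whole seconds, 0 = browser-session cookie`. Logging it in LogConfig as a Duration is fine, since the value is not secret.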
@@ -68,11 +68,13 @@ var ( enableDisk = flag.Bool("enable-disk", true, "Enable disk access, shall be disabled in environments where shared disk storage isn't available") - clientID = flag.String("auth-client-id", "", "GitLab application Client ID") - clientSecret = flag.String("auth-client-secret", "", "GitLab application Client Secret") - redirectURI = flag.String("auth-redirect-uri", "", "GitLab application redirect URI") - authScope = flag.String("auth-scope", "api", "Scope to be used for authentication (must match GitLab Pages OAuth application settings)") - authTimeout = flag.Duration("auth-timeout", 5*time.Second, "GitLab application client timeout for authentication") + clientID = flag.String("auth-client-id", "", "GitLab application Client ID") + clientSecret = flag.String("auth-client-secret", "", "GitLab application Client Secret") + redirectURI = flag.String("auth-redirect-uri", "", "GitLab application redirect URI") + authScope = flag.String("auth-scope", "api", "Scope to be used for authentication (must match GitLab Pages OAuth application settings)") + authTimeout = flag.Duration("auth-timeout", 5*time.Second, "GitLab application client timeout for authentication") + authCookieSessionTimeout = flag.Duration("auth-cookie-session-timeout", 10*time.Minute, "Authentication cookie session timeout (truncated to seconds). A zero value means the cookie will be deleted after the browser session ends") + maxConns = flag.Int("max-conns", 0, "Limit on the number of concurrent connections to the HTTP, HTTPS or proxy listeners, 0 for no limit") maxURILength = flag.Int("max-uri-length", 1024, "Limit the length of URI, 0 for unlimited.") insecureCiphers = flag.Bool("insecure-ciphers", false, "Use default list of cipher suites, may contain insecure ones like 3DES and RC4") |
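Review bot: The flags.go hunk adds an empty line (`+` with no content) right after authCookieSessionTimeout, apparently in addition to the existing blank line before maxConns; if this reading of the collapsed rendering is right, the new file has two consecutive blank lines there, which gofmt collapses to one, so the added line should be dropped. The rest of the hunk is a realignment of the var block for the longer identifier and is fine. The var block starts and ends outside the hunk.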