author | Nick Thomas <nick@gitlab.com> | 2019-07-30 18:15:07 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-07-30 18:15:07 +0300 |
commit | d623618c95e5a96e6c7be7e173f7188f682994c1 (patch) | |
tree | 7bf51eb16ca8c0f625bb8e43579a7bd8c49fe312 /internal/auth/auth.go | |
parent | bd8aff8fd5cfe26ac576d351043239ffd309f8be (diff) | |
parent | 372dfdee60f0c1359752b6f987a0ec1c19a248f0 (diff) |
Merge branch 'security-1-6-encrypt-cookies' into '1-6-stable'v1.6.2
Encrypt cookies
See merge request gitlab/gitlab-pages!10
Diffstat (limited to 'internal/auth/auth.go')
-rw-r--r-- | internal/auth/auth.go | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 02879568..b9d224ae 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -1,10 +1,12 @@
 package auth
 import (
+ "crypto/sha256"
 "encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
+ "io"
 "net"
 "net/http"
 "net/url"
@@ -19,6 +21,8 @@ import (
 "gitlab.com/gitlab-org/gitlab-pages/internal/domain"
 "gitlab.com/gitlab-org/gitlab-pages/internal/httperrors"
 "gitlab.com/gitlab-org/gitlab-pages/internal/httptransport"
+
+ "golang.org/x/crypto/hkdf"
 )
 const (
@@ -519,9 +523,29 @@ func logRequest(r *http.Request) *log.Entry {
 })
 }
+// generateKeyPair returns key pair for secure cookie: signing and encryption key
+func generateKeyPair(storeSecret string) ([]byte, []byte) {
+ hash := sha256.New
+ hkdf := hkdf.New(hash, []byte(storeSecret), []byte{}, []byte("PAGES_SIGNING_AND_ENCRYPTION_KEY"))
+ var keys [][]byte
+ for i := 0; i < 2; i++ {
+ key := make([]byte, 32)
+ if _, err := io.ReadFull(hkdf, key); err != nil {
+ log.WithError(err).Fatal("Can't generate key pair for secure cookies")
+ }
+ keys = append(keys, key)
+ }
+ return keys[0], keys[1]
+}
+
+func createCookieStore(storeSecret string) sessions.Store {
+ return sessions.NewCookieStore(generateKeyPair(storeSecret))
+}
+
 // New when authentication supported this will be used to create authentication handler
 func New(pagesDomain string, storeSecret string, clientID string, clientSecret string, redirectURI string, gitLabServer string) *Auth {
+
 return &Auth{
 pagesDomain: pagesDomain,
 clientID: clientID,
@@ -532,6 +556,6 @@ func New(pagesDomain string, storeSecret string, clientID string, clientSecret s
 Timeout: 5 * time.Second,
 Transport: httptransport.Transport,
 },
- store: sessions.NewCookieStore([]byte(storeSecret)),
+ store: createCookieStore(storeSecret),
 }
 }
|
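Review bot: In generateKeyPair the local `hkdf := hkdf.New(...)` shadows the imported `hkdf` package for the rest of the function; renaming it, e.g. `kdf := hkdf.New(hash, []byte(storeSecret), []byte{}, []byte("PAGES_SIGNING_AND_ENCRYPTION_KEY"))` with `io.ReadFull(kdf, key)`, keeps the package name usable and reads more clearly. The doc comment should also state what the caller relies on: sessions.NewCookieStore takes the first key as the HMAC signing key and the second as the AES block key, so the return order is part of the contract, and because the secret and the fixed info string are the only derivation inputs, changing either invalidates every existing session cookie; `createCookieStore` has no comment at all and deserves one line saying it builds the store from those two derived keys. With no salt supplied, the derived keys are only as strong as storeSecret itself, so a minimum-length check on the secret (presumably where it is configured, outside this hunk) is worth considering. The blank line added after the `func New(` signature is stray whitespace and can be dropped. New starts in this hunk and continues into the following one.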