From d2e01b2ead411ebeabbf8ac7f33cb599c5f09677 Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Tue, 5 Nov 2024 21:24:25 +0100
Subject: [PATCH] refactor: consolidate cookie config, correct documentation
---
 cmd/wonderwall/main.go | 4 ++--
 docs/configuration.md | 18 +++++++++---------
 pkg/config/config.go | 7 -------
 pkg/config/config_test.go | 4 ++--
 pkg/config/cookie.go | 12 +++++++++---
 pkg/config/redis.go | 4 ++--
 pkg/handler/handler_sso_server.go | 2 +-
 7 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/cmd/wonderwall/main.go b/cmd/wonderwall/main.go
index 22c5167..222af7c 100644
--- a/cmd/wonderwall/main.go
+++ b/cmd/wonderwall/main.go
@@ -42,8 +42,8 @@ func run() error {
 ctx, cancel := context.WithCancel(context.Background())
 defer cancel()
- if cfg.CookiePrefix != cookie.DefaultPrefix {
- cookie.ConfigureCookieNamesWithPrefix(cfg.CookiePrefix)
+ if cfg.Cookie.Prefix != cookie.DefaultPrefix {
+ cookie.ConfigureCookieNamesWithPrefix(cfg.Cookie.Prefix)
 }
 if cfg.SSO.Enabled {
diff --git a/docs/configuration.md b/docs/configuration.md
index ab3b42d..6d5388f 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -14,8 +14,8 @@ The following flags are available:
 | `auto-login` | boolean | Enforce authentication if the user does not have a valid session for all matching upstream paths. Automatically redirects HTTP navigation requests to login, otherwise responds with 401 with the Location header set. | `false` |
 | `auto-login-ignore-paths` | strings | Comma separated list of absolute paths to ignore when `auto-login` is enabled. Supports basic wildcard matching with glob-style asterisks. Invalid patterns are ignored. | |
 | `bind-address` | string | Listen address for public connections. | `127.0.0.1:3000` |
-| `cookie-prefix` | string | Prefix for cookie names. | `io.nais.wonderwall` |
-| `cookie-same-site` | string | SameSite attribute for session cookies. One of [Strict, Lax, None]. | `Lax` |
+| `cookie.prefix` | string | Prefix for cookie names. | `io.nais.wonderwall` |
+| `cookie.same-site` | string | SameSite attribute for session cookies. One of [Strict, Lax, None]. | `Lax` |
 | `cookie.secure` | string | Set secure flag on session cookies. Can only be disabled when `ingress` only consist of localhost hosts. Generally, disabling this is only necessary when using Safari. | `true` |
 | `encryption-key` | string | Base64 encoded 256-bit cookie encryption key; must be identical in instances that share session store. | |
 | `ingress` | strings | Comma separated list of ingresses used to access the main application. | |
@@ -25,20 +25,20 @@ The following flags are available:
 | `openid.acr-values` | string | Space separated string that configures the default security level (`acr_values`) parameter for authorization requests. | |
 | `openid.audiences` | strings | List of additional trusted audiences (other than the client_id) for OpenID Connect id_token validation. | |
 | `openid.client-id` | string | Client ID for the OpenID client. | |
-| `openid.client-jwk` | string | JWK containing the private key for the OpenID client in string format. If configured, this takes precedence over 'openid.client-secret'. | |
-| `openid.client-secret` | string | Client secret for the OpenID client. Overridden by 'openid.client-jwk', if configured. | |
-| `openid.id-token-signing-alg` | string | Expected JWA value (as defined in RFC 7518) of public keys for validating id_token signatures. This only applies where the key's 'alg' header is not set. | `RS256` |
+| `openid.client-jwk` | string | JWK containing the private key for the OpenID client in string format. If configured, this takes precedence over `openid.client-secret`. | |
+| `openid.client-secret` | string | Client secret for the OpenID client. Overridden by `openid.client-jwk`, if configured. | |
+| `openid.id-token-signing-alg` | string | Expected JWA value (as defined in RFC 7518) of public keys for validating id_token signatures. This only applies where the key's `alg` header is not set. | `RS256` |
 | `openid.post-logout-redirect-uri` | string | URI for redirecting the user after successful logout at the Identity Provider. | |
 | `openid.provider` | string | Provider configuration to load and use, either `openid`, `azure`, `idporten`. | `openid` |
 | `openid.resource-indicator` | string | OAuth2 resource indicator to include in authorization request for acquiring audience-restricted tokens. | |
 | `openid.scopes` | strings | Comma separated list of additional scopes (other than `openid`) that should be used during the login flow. | |
 | `openid.ui-locales` | string | Space-separated string that configures the default UI locale (`ui_locales`) parameter for OAuth2 consent screen. | |
 | `openid.well-known-url` | string | URI to the well-known OpenID Configuration metadata document. | |
-| `redis.address` | string | Address of the Redis instance (host:port). An empty value will use in-memory session storage. Does not override address set by `redis.uri`. | |
+| `redis.address` | string | Deprecated: prefer using `redis.uri`. Address of the Redis instance (host:port). An empty value will use in-memory session storage. Does not override address set by `redis.uri`. | |
 | `redis.connection-idle-timeout` | int | Idle timeout for Redis connections, in seconds. If non-zero, the value should be less than the client timeout configured at the Redis server. A value of -1 disables timeout. If zero, the default value from go-redis is used (30 minutes). Overrides options set by `redis.uri`. | `0` |
 | `redis.password` | string | Password for Redis. Overrides password set by `redis.uri`. | |
 | `redis.tls` | boolean | Whether or not to use TLS for connecting to Redis. Does not override TLS config set by `redis.uri`. | `true` |
-| `redis.uri` | string | Redis URI string. Prefer using this. An empty value will fall back to `redis-address`. | |
+| `redis.uri` | string | Redis URI string. An empty value will fall back to `redis-address`. | |
 | `redis.username` | string | Username for Redis. Overrides username set by `redis.uri`. | |
 | `session.inactivity` | boolean | Automatically expire user sessions if they have not refreshed their tokens within a given duration. | `false` |
 | `session.inactivity-timeout` | duration | Inactivity timeout for user sessions. | `30m` |
@@ -54,8 +54,8 @@ The following flags are available:
 | `sso.server-url` | string | The URL used by the proxy to point to the SSO server instance. | |
 | `sso.session-cookie-name` | string | Session cookie name. Must be the same across all SSO Servers and Proxies that should share sessions. | |
 | `upstream-host` | string | Address of upstream host. | `127.0.0.1:8080` |
-| `upstream-ip` | string | IP of upstream host. Overrides 'upstream-host' if set. | |
-| `upstream-port` | int | Port of upstream host. Overrides 'upstream-host' if set. | `0` |
+| `upstream-ip` | string | IP of upstream host. Overrides `upstream-host` if set. | |
+| `upstream-port` | int | Port of upstream host. Overrides `upstream-host` if set. | `0` |
 Boolean flags are by default set to `false` unless noted otherwise.
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 0a5ba80..06477eb 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -27,8 +27,6 @@ type Config struct {
 AutoLogin bool `json:"auto-login"`
 AutoLoginIgnorePaths []string `json:"auto-login-ignore-paths"`
 Cookie Cookie `json:"cookie"`
- CookiePrefix string `json:"cookie-prefix"`
- CookieSameSite SameSite `json:"cookie-same-site"`
 EncryptionKey string `json:"encryption-key"`
 Ingresses []string `json:"ingress"`
 LegacyCookie bool `json:"legacy-cookie"`
@@ -136,11 +134,6 @@ func (c *Config) Validate() error {
 return err
 }
- // TODO: move this into Cookie
- if err := c.CookieSameSite.Validate(); err != nil {
- return err
- }
-
 if err := c.OpenID.Validate(); err != nil {
 return err
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 86ea7f7..28c9bb0 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -35,9 +35,9 @@ func TestConfig_Validate(t *testing.T) {
 run("default", base, []test{
 {
- "invalid value for cookie-same-site",
+ "invalid value for cookie.same-site",
 func(cfg *config.Config) {
- cfg.CookieSameSite = "invalid"
+ cfg.Cookie.SameSite = "invalid"
 },
 },
 {
diff --git a/pkg/config/cookie.go b/pkg/config/cookie.go
index 2f59eea..1dfc335 100644
--- a/pkg/config/cookie.go
+++ b/pkg/config/cookie.go
@@ -11,10 +11,16 @@ import (
 )
 type Cookie struct {
- Secure bool `json:"secure"`
+ Prefix string `json:"prefix"`
+ SameSite SameSite `json:"same-site"`
+ Secure bool `json:"secure"`
 }
 func (c *Cookie) Validate(cfg *Config) error {
+ if err := c.SameSite.Validate(); err != nil {
+ return err
+ }
+
 if c.Secure {
 return nil
 }
@@ -72,8 +78,8 @@ func (s SameSite) Validate() error {
 }
 const (
- CookiePrefix = "cookie-prefix"
- CookieSameSite = "cookie-same-site"
+ CookiePrefix = "cookie.prefix"
+ CookieSameSite = "cookie.same-site"
 CookieSecure = "cookie.secure"
 EncryptionKey = "encryption-key"
 LegacyCookie = "legacy-cookie"
diff --git a/pkg/config/redis.go b/pkg/config/redis.go
index 8396e39..e42603e 100644
--- a/pkg/config/redis.go
+++ b/pkg/config/redis.go
@@ -66,8 +66,8 @@ const (
 )
 func redisFlags() {
- flag.String(RedisURI, "", "Redis URI string. Prefer using this. An empty value will fall back to 'redis-address'.")
- flag.String(RedisAddress, "", "Address of the Redis instance (host:port). An empty value will use in-memory session storage. Does not override address set by 'redis.uri'.")
+ flag.String(RedisURI, "", "Redis URI string. An empty value will fall back to 'redis-address'.")
+ flag.String(RedisAddress, "", "Deprecated: prefer using 'redis.uri'. Address of the Redis instance (host:port). An empty value will use in-memory session storage. Does not override address set by 'redis.uri'.")
 flag.String(RedisPassword, "", "Password for Redis. Overrides password set by 'redis.uri'.")
 flag.Bool(RedisTLS, true, "Whether or not to use TLS for connecting to Redis. Does not override TLS config set by 'redis.uri'.")
 flag.String(RedisUsername, "", "Username for Redis. Overrides username set by 'redis.uri'.")
diff --git a/pkg/handler/handler_sso_server.go b/pkg/handler/handler_sso_server.go
index be5c453..04fee33 100644
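Review bot: Cookie.Validate now checks SameSite on its own but never checks it against Secure, so `same-site=None` together with `secure=false` still validates, even though browsers drop a SameSite=None cookie that lacks the Secure attribute and the session cookie would then never be set. Between the new SameSite check and the `if c.Secure { return nil }` early return I would add a combined check, e.g. `if !c.Secure && c.SameSite.ToHttp() == http.SameSiteNoneMode { return fmt.Errorf("%s=None requires %s=true", CookieSameSite, CookieSecure) }`, assuming `ToHttp` returns an `http.SameSite` as its use in `WithSameSite` in pkg/handler/handler_sso_server.go suggests, and that `net/http` and `fmt` are available in this file (the import block is cut off at the top of the hunk). The rest of Validate's body, including the existing Secure handling, lies outside the hunk.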
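Review bot: Renaming the flag constants from `cookie-prefix`/`cookie-same-site` to `cookie.prefix`/`cookie.same-site` is a user-visible configuration change, but the commit is labelled a refactor and nothing in this hunk keeps or deprecates the old names, unlike the `redis.address` help text in pkg/config/redis.go, which at least says which flag replaces it. How unknown keys are treated depends on the flag and config loader, which is not visible here; if an old config-file or CLI value is ignored rather than rejected, an operator's explicit `cookie-same-site=Strict` would silently fall back to the `Lax` default. A deprecation note in the commit message or docs, or a temporary alias for the old names, would make the migration explicit.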
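Review bot: The rewritten `RedisURI` help text still says an empty value falls back to `'redis-address'`, which does not match the name of that flag: docs/configuration.md lists it as `redis.address`, and every other help string in redisFlags already uses the dotted `'redis.uri'` form. Since the commit's stated purpose is correcting documentation, I would change the line to `flag.String(RedisURI, "", "Redis URI string. An empty value will fall back to 'redis.address'.")`. The same stale `redis-address` name is carried into the updated `redis.uri` row of docs/configuration.md in this commit.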
--- a/pkg/handler/handler_sso_server.go
+++ b/pkg/handler/handler_sso_server.go
@@ -25,7 +25,7 @@ func NewSSOServer(cfg *config.Config, handler *Standalone) (*SSOServer, error) {
 handler.CookieOptions = cookie.DefaultOptions().
 WithPath("/").
 WithDomain(cfg.SSO.Domain).
- WithSameSite(cfg.CookieSameSite.ToHttp()).
+ WithSameSite(cfg.Cookie.SameSite.ToHttp()).
 WithSecure(cfg.Cookie.Secure)
 return &SSOServer{Standalone: handler}, nil