diff --git a/auth_ldap.go b/auth_ldap.go
index 9c0eed2..d2bb784 100644
--- a/auth_ldap.go
+++ b/auth_ldap.go
@@ -132,7 +132,7 @@ func (a authLDAP) DetectUser(res http.ResponseWriter, r *http.Request) (string,
 }
 // We had a cookie, lets renew it
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 if err := sess.Save(r, res); err != nil {
 return "", nil, err
 }
@@ -164,7 +164,7 @@ func (a authLDAP) Login(res http.ResponseWriter, r *http.Request) (string, []plu
 }
 sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 sess.Values["user"] = userDN
 sess.Values["alias"] = alias
 return userDN, nil, sess.Save(r, res)
@@ -194,7 +194,7 @@ func (a authLDAP) LoginFields() (fields []plugins.LoginField) {
 // needs to destroy any persistent stored cookies
 func (a authLDAP) Logout(res http.ResponseWriter, r *http.Request) (err error) {
 sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 sess.Options.MaxAge = -1 // Instant delete
 return sess.Save(r, res)
 }
diff --git a/auth_simple.go b/auth_simple.go
index 2c625e9..326989a 100644
--- a/auth_simple.go
+++ b/auth_simple.go
@@ -88,7 +88,7 @@ func (a authSimple) DetectUser(res http.ResponseWriter, r *http.Request) (string
 }
 // We had a cookie, lets renew it
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 if err := sess.Save(r, res); err != nil {
 return "", nil, err
 }
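Review bot: The new assignment `sess.Options = mainCfg.Cookie.GetSessionOpts()` in auth_ldap.go's Logout is immediately followed by `sess.Options.MaxAge = -1`, which is only safe because GetSessionOpts builds a fresh `*sessions.Options` on every call; the same pairing appears in the Logout hunks of auth_simple.go and auth_yubikey.go. That contract now lives in another package, so a later change to return a shared or cached options value would make each logout overwrite the MaxAge seen by every subsequent session. A short comment at the assignment would pin it down, e.g. `// fresh *Options per call, so mutating MaxAge below is safe`. Logout's body is complete within the hunk.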
@@ -123,7 +123,7 @@ func (a authSimple) Login(res http.ResponseWriter, r *http.Request) (string, []p
 }
 sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 sess.Values["user"] = u
 return u, a.MFA[u], sess.Save(r, res)
 }
@@ -155,7 +155,7 @@ func (a authSimple) LoginFields() (fields []plugins.LoginField) {
 // needs to destroy any persistent stored cookies
 func (a authSimple) Logout(res http.ResponseWriter, r *http.Request) (err error) {
 sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 sess.Options.MaxAge = -1 // Instant delete
 return sess.Save(r, res)
 }
diff --git a/auth_yubikey.go b/auth_yubikey.go
index 43a6c2e..942bc6e 100644
--- a/auth_yubikey.go
+++ b/auth_yubikey.go
@@ -69,7 +69,7 @@ func (a authYubikey) DetectUser(res http.ResponseWriter, r *http.Request) (strin
 }
 // We had a cookie, lets renew it
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 if err := sess.Save(r, res); err != nil {
 return "", nil, err
 }
@@ -115,7 +115,7 @@ func (a authYubikey) Login(res http.ResponseWriter, r *http.Request) (string, []
 }
 sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 sess.Values["user"] = user
 return user, nil, sess.Save(r, res)
 }
@@ -138,7 +138,7 @@ func (a authYubikey) LoginFields() (fields []plugins.LoginField) {
 // needs to destroy any persistent stored cookies
 func (a authYubikey) Logout(res http.ResponseWriter, r *http.Request) (err error) {
 sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
- sess.Options = mainCfg.GetSessionOpts()
+ sess.Options = mainCfg.Cookie.GetSessionOpts()
 sess.Options.MaxAge = -1 // Instant delete
 return sess.Save(r, res)
 }
diff --git a/main.go b/main.go
index 8f2b5d0..f133e1e 100644
--- a/main.go
+++ b/main.go
@@ -22,16 +22,10 @@ import (
 )
 type mainConfig struct {
- ACL acl `yaml:"acl"`
- AuditLog auditLogger `yaml:"audit_log"`
- Cookie struct {
- Domain string `yaml:"domain"`
- AuthKey string `yaml:"authentication_key"`
- Expire int `yaml:"expire"`
- Prefix string `yaml:"prefix"`
- Secure bool `yaml:"secure"`
- }
- Listen struct {
+ ACL acl `yaml:"acl"`
+ AuditLog auditLogger `yaml:"audit_log"`
+ Cookie plugins.CookieConfig `yaml:"cookie"`
+ Listen struct {
 Addr string `yaml:"addr"`
 Port int `yaml:"port"`
 } `yaml:"listen"`
@@ -47,16 +41,6 @@ type mainConfig struct {
 } `yaml:"plugins"`
 }
-func (m *mainConfig) GetSessionOpts() *sessions.Options {
- return &sessions.Options{
- Path: "/",
- Domain: m.Cookie.Domain,
- MaxAge: m.Cookie.Expire,
- Secure: m.Cookie.Secure,
- HttpOnly: true,
- }
- }
-
 var (
 cfg = struct {
 ConfigFile string `flag:"config,c" default:"config.yaml" env:"CONFIG" description:"Location of the configuration file"`
diff --git a/plugins/cookie.go b/plugins/cookie.go
new file mode 100644
index 0000000..a5cba19
--- /dev/null
+++ b/plugins/cookie.go
@@ -0,0 +1,21 @@
+package plugins
+
+import "github.com/gorilla/sessions"
+
+type CookieConfig struct {
+ Domain string `yaml:"domain"`
+ AuthKey string `yaml:"authentication_key"`
+ Expire int `yaml:"expire"`
+ Prefix string `yaml:"prefix"`
+ Secure bool `yaml:"secure"`
+ }
+
+func (c CookieConfig) GetSessionOpts() *sessions.Options {
+ return &sessions.Options{
+ Path: "/",
+ Domain: c.Domain,
+ MaxAge: c.Expire,
+ Secure: c.Secure,
+ HttpOnly: true,
+ }
+}
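Review bot: `GetSessionOpts` in the new plugins/cookie.go hard-codes `HttpOnly: true` but leaves `Secure` at whatever the YAML supplies and never sets `SameSite`, so a configuration that omits `secure: true` yields a cookie carrying the logged-in identity (the auth_*.go callers store it under `sess.Values["user"]`) that browsers will also send over plain HTTP and on cross-site requests. If the gorilla/sessions version in go.mod exposes `Options.SameSite`, set a default here, `SameSite: http.SameSiteLaxMode,` (importing `net/http`), and have the config documentation call out that a false `Secure` is a development-only setting. The exported `CookieConfig` and `GetSessionOpts` also lack doc comments; since `Expire` feeds `MaxAge` unchanged, its comment should state the unit and the edge cases gorilla's Options documents, e.g. `// Expire is the cookie lifetime in seconds; 0 gives a session cookie without Max-Age and a negative value deletes it.` The `Get` prefix is carried over from the removed mainConfig method, but Go naming would call the accessor `SessionOpts`.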