diff options
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/sessions/controller.go | 5 | ||||
| -rw-r--r-- | app/controllers/sessions/controller_test.go | 11 | ||||
| -rw-r--r-- | app/controllers/sessions/service.go | 3 | ||||
| -rw-r--r-- | app/controllers/sessions/service_test.go | 7 |
4 files changed, 14 insertions, 12 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go index 7860ed5..61fdaf8 100644 --- a/app/controllers/sessions/controller.go +++ b/app/controllers/sessions/controller.go @@ -6,6 +6,7 @@ import ( "github.com/xlgmokha/x/pkg/cookie" "github.com/xlgmokha/x/pkg/log" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/middleware" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" @@ -37,7 +38,7 @@ func (c *Controller) New(w http.ResponseWriter, r *http.Request) { url, nonce := c.svc.GenerateRedirectURL() // This cookie must be sent as part of a redirect that originates from the OIDC Provider cookie.Write(w, web.NewCookie( - "oauth_state", + cfg.CSRFCookie, nonce, cookie.WithSameSite(http.SameSiteLaxMode), cookie.WithExpiration(time.Now().Add(10*time.Minute)), @@ -140,7 +141,7 @@ func (c *Controller) Create(w http.ResponseWriter, r *http.Request) { return } - ck := web.NewCookie("session", encoded, + ck := web.NewCookie(cfg.SessionCookie, encoded, cookie.WithSameSite(http.SameSiteLaxMode), cookie.WithExpiration(tokens.Expiry), ) diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go index 4b68c7a..82c56d5 100644 --- a/app/controllers/sessions/controller_test.go +++ b/app/controllers/sessions/controller_test.go @@ -95,7 +95,7 @@ func TestSessions(t *testing.T) { r, w := test.RequestResponse( "GET", "/session/callback?code="+code+"&state=invalid", - test.WithCookie(web.NewCookie("oauth_state", nonce)), + test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)), ) mux.ServeHTTP(w, r) @@ -119,7 +119,7 @@ func TestSessions(t *testing.T) { r, w := test.RequestResponse( "GET", "/session/callback?code="+code+"&state="+nonce, - test.WithCookie(web.NewCookie("oauth_state", nonce)), + test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)), ) mux.ServeHTTP(w, r) @@ -176,8 +176,7 @@ func TestSessions(t *testing.T) { t.Run("applies the appropriate cookie settings", func(t *testing.T) { assert.Equal(t, "/", cookie.Path) - assert.Equal(t, "localhost", cookie.Domain) - assert.Equal(t, "session", cookie.Name) + assert.Equal(t, xcfg.SessionCookie, cookie.Name) assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite) assert.Equal(t, x.Must(time.Parse(time.RFC3339, tokens["expiry"].(string))).Unix(), cookie.Expires.Unix()) assert.True(t, cookie.HttpOnly) @@ -189,14 +188,14 @@ func TestSessions(t *testing.T) { t.Run("POST /session/destroy", func(t *testing.T) { t.Run("clears the session cookie", func(t *testing.T) { - cookie := web.NewCookie("session", "value") + cookie := web.NewCookie(xcfg.SessionCookie, "value") r, w := test.RequestResponse("POST", "/session/destroy", test.WithCookie(cookie)) mux.ServeHTTP(w, r) require.Equal(t, http.StatusFound, w.Code) assert.Equal(t, "/", w.Header().Get("Location")) - assert.Equal(t, "session=; Path=/; Domain=localhost; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie")) + assert.Equal(t, "session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie")) }) }) } diff --git a/app/controllers/sessions/service.go b/app/controllers/sessions/service.go index af1512c..2dec9e3 100644 --- a/app/controllers/sessions/service.go +++ b/app/controllers/sessions/service.go @@ -5,6 +5,7 @@ import ( "errors" "net/http" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web" @@ -33,7 +34,7 @@ func (svc *Service) GenerateRedirectURL() (string, string) { } func (svc *Service) Exchange(r *http.Request) (*oidc.Tokens, error) { - cookies := r.CookiesNamed("oauth_state") + cookies := r.CookiesNamed(cfg.CSRFCookie) if len(cookies) != 1 { return nil, errors.New("Missing CSRF token") } diff --git a/app/controllers/sessions/service_test.go b/app/controllers/sessions/service_test.go index 81248ca..4bea1dd 100644 --- a/app/controllers/sessions/service_test.go +++ b/app/controllers/sessions/service_test.go @@ -8,6 +8,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/xlgmokha/x/pkg/test" + xcfg "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web" @@ -46,7 +47,7 @@ func TestService(t *testing.T) { r := test.Request( "GET", "/session/callback?code="+code+"&state=invalid", - test.WithCookie(web.NewCookie("oauth_state", nonce)), + test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)), ) tokens, err := svc.Exchange(r) @@ -59,7 +60,7 @@ func TestService(t *testing.T) { r := test.Request( "GET", "/session/callback?code=invalid", - test.WithCookie(web.NewCookie("oauth_state", nonce)), + test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)), ) tokens, err := svc.Exchange(r) @@ -76,7 +77,7 @@ func TestService(t *testing.T) { r := test.Request( "GET", "/session/callback?code="+code+"&state="+nonce, - test.WithCookie(web.NewCookie("oauth_state", nonce)), + test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)), ) tokens, err := svc.Exchange(r) |