From 8ec967ac324734f0180f9b7307e0406aefe31246 Mon Sep 17 00:00:00 2001
From: Mike Bland
Date: Sat, 9 May 2015 17:31:13 -0400
Subject: [PATCH] Check cookie_secret size when cookie_refresh set
---
 oauthproxy.go | 2 +-
 options.go | 6 +++---
 options_test.go | 4 ++++
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/oauthproxy.go b/oauthproxy.go
index 12023eb..d4208de 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -128,7 +128,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret))
 if err != nil {
 log.Fatal("error creating AES cipher with "+
- "pass_access_token == true: %s", err)
+ "cookie-secret ", opts.CookieSecret, ": ", err)
 }
 }
diff --git a/options.go b/options.go
index e6aafac..262e27f 100644
--- a/options.go
+++ b/options.go
@@ -120,7 +120,7 @@ func (o *Options) Validate() error {
 }
 msgs = parseProviderInfo(o, msgs)
- if o.PassAccessToken {
+ if o.PassAccessToken || (o.CookieRefresh != time.Duration(0)) {
 valid_cookie_secret_size := false
 for _, i := range []int{16, 24, 32} {
 if len(o.CookieSecret) == i {
@@ -131,8 +131,8 @@ func (o *Options) Validate() error {
 msgs = append(msgs, fmt.Sprintf(
 "cookie_secret must be 16, 24, or 32 bytes "+
 "to create an AES cipher when "+
- "pass_access_token == true, "+
- "but is %d bytes",
+ "pass_access_token == true or "+
+ "cookie_refresh != 0, but is %d bytes",
 len(o.CookieSecret)))
 }
 }
diff --git a/options_test.go b/options_test.go
index dcb5421..55eda29 100644
--- a/options_test.go
+++ b/options_test.go
@@ -112,6 +112,10 @@ func TestPassAccessTokenRequiresSpecificCookieSecretLengths(t *testing.T) {
 o.CookieSecret = "cookie of invalid length-"
 assert.NotEqual(t, nil, o.Validate())
+ o.PassAccessToken = false
+ o.CookieRefresh = time.Duration(24) * time.Hour
+ assert.NotEqual(t, nil, o.Validate())
+
 o.CookieSecret = "16 bytes AES-128"
 assert.Equal(t, nil, o.Validate())
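Review bot: The rewritten `log.Fatal` call in NewOauthProxy prints `opts.CookieSecret` itself, so a start-up failure writes the cookie secret into the process log. The line just above uses that same string as the AES key. Logs are typically readable by more people and systems than the configuration is, and the length is all an operator needs here. Report it instead: `"cookie-secret of ", len(opts.CookieSecret), " bytes: ", err)`. The enclosing `if` and the rest of NewOauthProxy lie outside the hunk.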
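Review bot: The size check in Validate (hunk -120,7) only counts the bytes of the configured string, while oauthproxy.go hands that string to `aes.NewCipher` unchanged. A typed 16-character passphrase therefore passes although it carries far less than 128 bits of entropy. Now that cookie_refresh also depends on this key, a comment above the check would tell operators what is expected: `// cookie_secret is used verbatim as the AES key; it should be 16, 24 or 32 randomly generated bytes, not a passphrase`. Validate starts and ends outside the hunk.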
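Review bot: After the added `o.PassAccessToken = false`, the existing `"16 bytes AES-128"` assertion below it runs with only CookieRefresh set. Within the visible lines, a valid secret length is therefore no longer checked for pass_access_token == true. The rest of the test lies outside the hunk, so the later cases may be affected in the same way. I would move the three added lines into a separate test function for cookie_refresh that mirrors this one and leave this test's flow unchanged, so each option is covered for both rejected and accepted lengths.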