Store access token when cookie-refresh is set

cookie-refresh no longer requires pass-access-token in order to work.
Mike Bland 2015-05-09 16:08:55 -04:00
parent b6e07d51b2
commit bd4eae8fec
2 changed files with 10 additions and 3 deletions


@ -49,6 +49,7 @@ type OauthProxy struct {
DisplayHtpasswdForm bool DisplayHtpasswdForm bool
serveMux http.Handler serveMux http.Handler
PassBasicAuth bool PassBasicAuth bool
PassAccessToken bool
AesCipher cipher.Block AesCipher cipher.Block
skipAuthRegex []string skipAuthRegex []string
compiledRegex []*regexp.Regexp compiledRegex []*regexp.Regexp
@ -122,7 +123,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain) log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
var aes_cipher cipher.Block var aes_cipher cipher.Block
if opts.PassAccessToken { if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
var err error var err error
aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret)) aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret))
if err != nil { if err != nil {
@ -153,6 +154,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
skipAuthRegex: opts.SkipAuthRegex, skipAuthRegex: opts.SkipAuthRegex,
compiledRegex: opts.CompiledRegex, compiledRegex: opts.CompiledRegex,
PassBasicAuth: opts.PassBasicAuth, PassBasicAuth: opts.PassBasicAuth,
PassAccessToken: opts.PassAccessToken,
AesCipher: aes_cipher, AesCipher: aes_cipher,
templates: loadTemplates(opts.CustomTemplatesDir), templates: loadTemplates(opts.CustomTemplatesDir),
} }
@ -496,7 +498,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
req.Header["X-Forwarded-User"] = []string{user} req.Header["X-Forwarded-User"] = []string{user}
req.Header["X-Forwarded-Email"] = []string{email} req.Header["X-Forwarded-Email"] = []string{email}
} }
if access_token != "" { if p.PassAccessToken {
req.Header["X-Forwarded-Access-Token"] = []string{access_token} req.Header["X-Forwarded-Access-Token"] = []string{access_token}
} }
if email == "" { if email == "" {
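Review bot: In ServeHTTP the new `if p.PassAccessToken` guard writes `X-Forwarded-Access-Token` only when the option is on, and nothing visible in this hunk removes a value of that header supplied by the client when the option is off, so an upstream that trusts the header could receive a caller-chosen value unless it is stripped elsewhere. Consider closing the guard with `} else { req.Header.Del("X-Forwarded-Access-Token") }`. With the option on and an empty `access_token`, the header is now forwarded with an empty value where the old `access_token != ""` test skipped it, so upstreams need to treat empty as absent. Separately, the widened condition in NewOauthProxy means `aes.NewCipher([]byte(opts.CookieSecret))` now runs for every cookie-refresh deployment, so a CookieSecret that is not 16, 24 or 32 bytes long reaches the error branch (which lies outside the hunk); option validation should reject that length up front with a clear message. Both functions continue outside the visible hunks.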


@ -407,14 +407,19 @@ func NewProcessCookieTest() *ProcessCookieTest {
pc_test.opts.CookieSecret = "foobar" pc_test.opts.CookieSecret = "foobar"
pc_test.opts.ClientID = "bazquux" pc_test.opts.ClientID = "bazquux"
pc_test.opts.ClientSecret = "xyzzyplugh" pc_test.opts.ClientSecret = "xyzzyplugh"
pc_test.opts.PassAccessToken = true
pc_test.opts.CookieSecret = "0123456789abcdef" pc_test.opts.CookieSecret = "0123456789abcdef"
// First, set the CookieRefresh option so proxy.AesCipher is created,
// needed to encrypt the access_token.
pc_test.opts.CookieRefresh = time.Duration(24) * time.Hour
pc_test.opts.Validate() pc_test.opts.Validate()
pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool { pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool {
return true return true
}) })
// Now, zero-out proxy.CookieRefresh for the cases that don't involve
// access_token validation.
pc_test.proxy.CookieRefresh = time.Duration(0)
pc_test.rw = httptest.NewRecorder() pc_test.rw = httptest.NewRecorder()
pc_test.req, _ = http.NewRequest("GET", "/", strings.NewReader("")) pc_test.req, _ = http.NewRequest("GET", "/", strings.NewReader(""))
return &pc_test return &pc_test
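Review bot: Nothing visible in this fixture pins down the behaviour the commit introduces, namely that a proxy built with cookie-refresh set and pass-access-token unset still stores the encrypted token but does not forward it in `X-Forwarded-Access-Token`; a test case asserting both halves would guard against the header leaking to upstreams after a later refactor. Setting `opts.CookieRefresh` only to force `AesCipher` to be created and then zeroing `proxy.CookieRefresh` ties the fixture to how NewOauthProxy decides to build the cipher, so a short comment naming that dependency, or a dedicated option on the fixture, would make a future failure easier to diagnose. The duration can be written `24 * time.Hour`. The helper's body starts and ends outside the hunk.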