feat: secret and salt are now optionally configurable

gnur · gnur · commit ecb3ef2555ed · 2020-09-10T14:40:29.000+02:00
diff --git a/config.go b/config.go
@@ -4,6 +4,7 @@ type Config struct {
 	Hostname     string
 	CookieScope  string
 	Secret       string
+	Salt         string
 	CertDir      string
 	Hosts        map[string]Host
 	Email        string
diff --git a/go.mod b/go.mod
@@ -1,16 +1,20 @@
 module github.com/gnur/tobab
 
-go 1.14
+go 1.15
 
 require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/caddyserver/certmagic v0.11.2
 	github.com/davecgh/go-spew v1.1.1
 	github.com/gorilla/handlers v1.5.0
 	github.com/gorilla/mux v1.8.0
+	github.com/kr/pretty v0.2.0 // indirect
 	github.com/markbates/goth v1.64.2
 	github.com/o1egl/paseto v1.0.0
 	github.com/ryanuber/go-glob v1.0.0
 	github.com/sirupsen/logrus v1.6.0
+	github.com/stretchr/testify v1.6.1 // indirect
 	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c // indirect
 )
diff --git a/go.sum b/go.sum
@@ -185,6 +185,8 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -274,6 +276,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/timewasted/linode v0.0.0-20160829202747-37e84520dcf7/go.mod h1:imsgLplxEC/etjIhdr3dNzV3JeT27LbVu5pYWm0JCBY=
 github.com/transip/gotransip/v6 v6.0.2/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
@@ -496,6 +500,8 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/h2non/gock.v1 v1.0.15/go.mod h1:sX4zAkdYX1TRGJ2JY156cFspQn4yRWn6p9EMdODlynE=
@@ -512,6 +518,9 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c h1:grhR+C34yXImVGp7EzNk+DTIk+323eIUWOmEevy6bDo=
+gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/main.go b/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/rand"
 	"fmt"
 	"net"
 	"net/http"
@@ -11,6 +12,7 @@ import (
 
 	"github.com/BurntSushi/toml"
 	"github.com/caddyserver/certmagic"
+	"github.com/gnur/tobab/muxlogger"
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 	"github.com/sirupsen/logrus"
@@ -29,6 +31,10 @@ type Tobab struct {
 
 func main() {
 	logger := logrus.New()
+	logger.SetFormatter(&logrus.TextFormatter{
+		ForceColors:   true,
+		FullTimestamp: true,
+	})
 
 	confLoc := os.Getenv("TOBAB_CONFIG")
 	if confLoc == "" {
@@ -52,7 +58,28 @@ func main() {
 		certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
 	}
 
-	key := argon2.IDKey([]byte(cfg.Secret), salt, 4, 4*1024, 2, 32)
+	//only use provided salt if it makes any sense at all
+	//otherwise use the default salt, shouldn't be a problem
+	if len(cfg.Salt) > 2 {
+		salt = []byte(cfg.Salt)
+	}
+
+	secret := []byte(cfg.Secret)
+	//only use provided secret if is it provided
+	if len(secret) < 1 {
+		b := make([]byte, 32)
+		_, err := rand.Read(b)
+		if err != nil {
+			logger.WithError(err).Fatal("unable to generate secure secret, please provide it in config")
+		}
+		secret = b
+	}
+
+	//set secret that goth uses
+	os.Setenv("SESSION_SECRET", string(secret))
+
+	//transform provided salt and secret into a 32 byte key that can be used by paseto
+	key := argon2.IDKey(secret, salt, 4, 4*1024, 2, 32)
 
 	app := Tobab{
 		key:    key,
@@ -91,6 +118,7 @@ func main() {
 	tobabRoutes := r.Host(app.config.Hostname).Subrouter()
 	app.setupgoth(tobabRoutes)
 
+	r.Use(muxlogger.NewLogger(app.logger).Middleware)
 	r.Use(handlers.CompressHandler)
 	r.Use(app.getRBACMiddleware())
 
diff --git a/middleware.go b/middleware.go
@@ -14,9 +14,22 @@ func (app *Tobab) getRBACMiddleware() func(http.Handler) http.Handler {
 
 			h := r.Host
 			u, err := app.extractUser(r)
-			if err != nil {
-				//this shouldn't happen
+			if err != nil && err != ErrUnauthenticatedRequest {
+				//this shouldn't happen unless someone tampered with a cookie manually
 				app.logger.WithError(err).Error("Unable to extract user")
+				//invalid cookie is present, delete it and force re-auth
+				c := http.Cookie{
+					Name:     "X-Tobab-Token",
+					Domain:   app.config.CookieScope,
+					SameSite: http.SameSiteLaxMode,
+					Secure:   true,
+					HttpOnly: true,
+					MaxAge:   -1,
+					Path:     "/",
+				}
+				http.SetCookie(w, &c)
+				http.Error(w, "bad request", http.StatusBadRequest)
+				return
 			}
 			app.logger.WithFields(logrus.Fields{
 				"host": h,
@@ -31,7 +44,6 @@ func (app *Tobab) getRBACMiddleware() func(http.Handler) http.Handler {
 						Path:   r.URL.String(),
 						Scheme: "https",
 					}
-					app.logger.Info("should redirect")
 					c := http.Cookie{
 						Domain:   app.config.CookieScope,
 						Secure:   true,
@@ -43,7 +55,6 @@ func (app *Tobab) getRBACMiddleware() func(http.Handler) http.Handler {
 					http.SetCookie(w, &c)
 					http.Redirect(w, r, app.fqdn, 302)
 				} else {
-					app.logger.Info("Should return 403")
 					http.Error(w, "access denied", http.StatusUnauthorized)
 				}
 
diff --git a/paseto.go b/paseto.go
@@ -18,7 +18,6 @@ func (app *Tobab) extractUser(r *http.Request) (string, error) {
 
 	c, err := r.Cookie("X-Tobab-Token")
 	if err != nil {
-		app.logger.WithError(err).Error("unable to read cookie")
 		return "", ErrUnauthenticatedRequest
 	}
 
@@ -36,7 +35,6 @@ func (app *Tobab) decryptToken(t string) (*paseto.JSONToken, error) {
 	var footer string
 	err := v2.Decrypt(t, app.key, &token, &footer)
 	if err != nil {
-		app.logger.WithError(err).Warning("Unable to parse cookie token")
 		return nil, ErrInvalidToken
 	}
 	err = token.Validate()

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,6 @@ func (app Tobab) extractUser(r http.Request) (string, error) {`
`18`	`18`
`19`	`19`	`c, err := r.Cookie("X-Tobab-Token")`
`20`	`20`	`if err != nil {`
`21`		`- app.logger.WithError(err).Error("unable to read cookie")`
`22`	`21`	`return "", ErrUnauthenticatedRequest`
`23`	`22`	`}`
`24`	`23`
`@@ -36,7 +35,6 @@ func (app Tobab) decryptToken(t string) (paseto.JSONToken, error) {`
`36`	`35`	`var footer string`
`37`	`36`	`err := v2.Decrypt(t, app.key, &token, &footer)`
`38`	`37`	`if err != nil {`
`39`		`- app.logger.WithError(err).Warning("Unable to parse cookie token")`
`40`	`38`	`return nil, ErrInvalidToken`
`41`	`39`	`}`
`42`	`40`	`err = token.Validate()`