Refactor cookies (#376)

gogatekeeper · Nov 14, 2023 · 0e61b22 · 0e61b22
1 parent 6be89f0
commit 0e61b22
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 105 deletions.
diff --git a/pkg/keycloak/proxy/handlers.go b/pkg/keycloak/proxy/handlers.go
@@ -136,7 +136,7 @@ func (r *OauthProxy) oauthAuthorizationHandler(wrt http.ResponseWriter, req *htt
 			oauth2.SetAuthURLParam(pkce.ParamCodeChallenge, codeChallenge),
 			oauth2.SetAuthURLParam(pkce.ParamCodeChallengeMethod, pkce.MethodS256),
 		)
-		r.writePKCECookie(wrt, codeVerifier)
+		r.Cm.WritePKCECookie(wrt, codeVerifier)
 	}
 
 	authURL := conf.AuthCodeURL(
@@ -226,7 +226,7 @@ func (r *OauthProxy) oauthCallbackHandler(writer http.ResponseWriter, req *http.
 				return
 			}
 		default:
-			r.DropRefreshTokenCookie(req, writer, encrypted, oidcTokensCookiesExp)
+			r.Cm.DropRefreshTokenCookie(req, writer, encrypted, oidcTokensCookiesExp)
 		}
 	}
 
@@ -282,14 +282,14 @@ func (r *OauthProxy) oauthCallbackHandler(writer http.ResponseWriter, req *http.
 		}
 	}
 
-	r.dropAccessTokenCookie(req, writer, accessToken, oidcTokensCookiesExp)
+	r.Cm.DropAccessTokenCookie(req, writer, accessToken, oidcTokensCookiesExp)
 	if r.Config.EnableIDTokenCookie {
-		r.dropIDTokenCookie(req, writer, identityToken, oidcTokensCookiesExp)
+		r.Cm.DropIDTokenCookie(req, writer, identityToken, oidcTokensCookiesExp)
 	}
 
 	if r.Config.EnableUma && umaError == nil {
 		scope.Logger.Debug("got uma token", zap.String("uma", umaToken))
-		r.dropUMATokenCookie(req, writer, umaToken, oidcTokensCookiesExp)
+		r.Cm.DropUMATokenCookie(req, writer, umaToken, oidcTokensCookiesExp)
 	}
 
 	if umaError != nil {
@@ -415,15 +415,15 @@ func (r *OauthProxy) loginHandler(writer http.ResponseWriter, req *http.Request)
 			}
 
 			// drop in the access token - cookie expiration = access token
-			r.dropAccessTokenCookie(
+			r.Cm.DropAccessTokenCookie(
 				req,
 				writer,
 				accessToken,
 				r.GetAccessCookieExpiration(token.RefreshToken),
 			)
 
 			if r.Config.EnableIDTokenCookie {
-				r.dropIDTokenCookie(
+				r.Cm.DropIDTokenCookie(
 					req,
 					writer,
 					idToken,
@@ -458,17 +458,17 @@ func (r *OauthProxy) loginHandler(writer http.ResponseWriter, req *http.Request)
 					)
 				}
 			default:
-				r.DropRefreshTokenCookie(req, writer, refreshToken, expiration)
+				r.Cm.DropRefreshTokenCookie(req, writer, refreshToken, expiration)
 			}
 		} else {
-			r.dropAccessTokenCookie(
+			r.Cm.DropAccessTokenCookie(
 				req,
 				writer,
 				accessToken,
 				time.Until(identity.ExpiresAt),
 			)
 			if r.Config.EnableIDTokenCookie {
-				r.dropIDTokenCookie(
+				r.Cm.DropIDTokenCookie(
 					req,
 					writer,
 					idToken,
@@ -588,7 +588,7 @@ func (r *OauthProxy) logoutHandler(writer http.ResponseWriter, req *http.Request
 		idToken = user.RawToken
 	}
 
-	r.ClearAllCookies(req, writer)
+	r.Cm.ClearAllCookies(req, writer)
 
 	// @metric increment the logout counter
 	metrics.OauthTokensMetric.WithLabelValues("logout").Inc()

diff --git a/pkg/keycloak/proxy/middleware.go b/pkg/keycloak/proxy/middleware.go
@@ -283,7 +283,7 @@ func (r *OauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
 						switch err {
 						case apperrors.ErrRefreshTokenExpired:
 							lLog.Warn("refresh token has expired, cannot retrieve access token")
-							r.ClearAllCookies(req.WithContext(ctx), wrt)
+							r.Cm.ClearAllCookies(req.WithContext(ctx), wrt)
 						default:
 							lLog.Debug(
 								apperrors.ErrAccTokenRefreshFailure.Error(),
@@ -337,7 +337,7 @@ func (r *OauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
 					}
 
 					// step: inject the refreshed access token
-					r.dropAccessTokenCookie(req.WithContext(ctx), wrt, accessToken, accessExpiresIn)
+					r.Cm.DropAccessTokenCookie(req.WithContext(ctx), wrt, accessToken, accessExpiresIn)
 
 					// step: inject the renewed refresh token
 					if newRefreshToken != "" {
@@ -374,7 +374,7 @@ func (r *OauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
 								}
 							}(user.RawToken, newRawAccToken, encryptedRefreshToken)
 						} else {
-							r.DropRefreshTokenCookie(req.WithContext(ctx), wrt, encryptedRefreshToken, refreshExpiresIn)
+							r.Cm.DropRefreshTokenCookie(req.WithContext(ctx), wrt, encryptedRefreshToken, refreshExpiresIn)
 						}
 					}
 
@@ -487,7 +487,7 @@ func (r *OauthProxy) authorizationMiddleware() func(http.Handler) http.Handler {
 						}
 					}
 
-					r.dropUMATokenCookie(req, wrt, umaToken, time.Until(umaUser.ExpiresAt))
+					r.Cm.DropUMATokenCookie(req, wrt, umaToken, time.Until(umaUser.ExpiresAt))
 					wrt.Header().Set(constant.UMAHeader, umaToken)
 					scope.Logger.Debug("got uma token")
 					decision, err = authzFunc(authzPath, umaUser.Permissions)

diff --git a/pkg/keycloak/proxy/misc.go b/pkg/keycloak/proxy/misc.go
@@ -164,7 +164,7 @@ func (r *OauthProxy) redirectToAuthorization(wrt http.ResponseWriter, req *http.
 	}
 
 	// step: add a state referrer to the authorization page
-	uuid := r.writeStateParameterCookie(req, wrt)
+	uuid := r.Cm.WriteStateParameterCookie(req, wrt)
 	authQuery := fmt.Sprintf("?state=%s", uuid)
 
 	// step: if verification is switched off, we can't authorization

diff --git a/pkg/keycloak/proxy/oauth_proxy.go b/pkg/keycloak/proxy/oauth_proxy.go
@@ -16,6 +16,7 @@ import (
 	"github.com/gogatekeeper/gatekeeper/pkg/authorization"
 	"github.com/gogatekeeper/gatekeeper/pkg/constant"
 	"github.com/gogatekeeper/gatekeeper/pkg/keycloak/config"
+	"github.com/gogatekeeper/gatekeeper/pkg/proxy/cookie"
 	"github.com/gogatekeeper/gatekeeper/pkg/storage"
 	"go.uber.org/zap"
 	"gopkg.in/square/go-jose.v2/jwt"
@@ -55,6 +56,7 @@ type OauthProxy struct {
 	accessError      func(wrt http.ResponseWriter, req *http.Request) context.Context
 	customSignInPage func(wrt http.ResponseWriter, authURL string)
 	GetIdentity      func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error)
+	Cm               *cookie.Manager
 }
 
 // TokenResponse

diff --git a/pkg/keycloak/proxy/server.go b/pkg/keycloak/proxy/server.go
@@ -50,6 +50,7 @@ import (
 	"github.com/gogatekeeper/gatekeeper/pkg/constant"
 	"github.com/gogatekeeper/gatekeeper/pkg/encryption"
 	"github.com/gogatekeeper/gatekeeper/pkg/keycloak/config"
+	"github.com/gogatekeeper/gatekeeper/pkg/proxy/cookie"
 	proxycore "github.com/gogatekeeper/gatekeeper/pkg/proxy/core"
 	"github.com/gogatekeeper/gatekeeper/pkg/proxy/handlers"
 	"github.com/gogatekeeper/gatekeeper/pkg/proxy/metrics"
@@ -289,6 +290,24 @@ func (r *OauthProxy) CreateReverseProxy() error {
 	engine := chi.NewRouter()
 	r.useDefaultStack(engine)
 
+	r.Cm = &cookie.Manager{
+		CookieDomain:         r.Config.CookieDomain,
+		BaseURI:              r.Config.BaseURI,
+		HTTPOnlyCookie:       r.Config.HTTPOnlyCookie,
+		SecureCookie:         r.Config.SecureCookie,
+		EnableSessionCookies: r.Config.EnableSessionCookies,
+		SameSiteCookie:       r.Config.SameSiteCookie,
+		CookieAccessName:     r.Config.CookieAccessName,
+		CookieRefreshName:    r.Config.CookieRefreshName,
+		CookieIDTokenName:    r.Config.CookieIDTokenName,
+		CookiePKCEName:       r.Config.CookiePKCEName,
+		CookieUMAName:        r.Config.CookieUMAName,
+		CookieRequestURIName: r.Config.CookieRequestURIName,
+		CookieOAuthStateName: r.Config.CookieOAuthStateName,
+		NoProxy:              r.Config.NoProxy,
+		NoRedirects:          r.Config.NoRedirects,
+	}
+
 	r.GetIdentity = GetIdentity(
 		r.Log,
 		r.Config.SkipAuthorizationHeaderIdentity,