Merge pull request #389 from jmpsec/changes-session-cookie
Use token for cookie name
javuto authored Jan 11, 2024
2 parents ed09af3 + f94311a commit ca72274
Showing 14 changed files with 67 additions and 66 deletions.
26 changes: 13 additions & 13 deletions admin/auth.go
Expand Up @@ -16,10 +16,10 @@ const (
carveLevel string = "carve"
)

// Using the default name for the cookie in SAML:
// https://github.com/crewjam/saml/blob/main/samlsp/session_cookie.go#L11
const (
ctxUser = "user"
ctxEmail = "email"
ctxCSRF = "csrftoken"
authCookieName = "token"
)

// Handler to check access to a resource based on the authentication enabled
Expand All @@ -30,16 +30,16 @@ func handlerAuthCheck(h http.Handler) http.Handler {
// Check if user is already authenticated
authenticated, session := sessionsmgr.CheckAuth(r)
if !authenticated {
http.Redirect(w, r, "/login", http.StatusFound)
http.Redirect(w, r, loginPath, http.StatusFound)
return
}
// Set middleware values
s := make(sessions.ContextValue)
s[ctxUser] = session.Username
s[ctxCSRF] = session.Values[ctxCSRF].(string)
ctx := context.WithValue(r.Context(), sessions.ContextKey("session"), s)
s[sessions.CtxUser] = session.Username
s[sessions.CtxCSRF] = session.Values[sessions.CtxCSRF].(string)
ctx := context.WithValue(r.Context(), sessions.ContextKey(sessions.CtxSession), s)
// Update metadata for the user
if err := adminUsers.UpdateMetadata(session.IPAddress, session.UserAgent, session.Username, s["csrftoken"]); err != nil {
if err := adminUsers.UpdateMetadata(session.IPAddress, session.UserAgent, session.Username, s[sessions.CtxCSRF]); err != nil {
log.Printf("error updating metadata for user %s: %v", session.Username, err)
}
// Access granted
Expand All @@ -49,7 +49,7 @@ func handlerAuthCheck(h http.Handler) http.Handler {
if err != nil {
log.Printf("GetSession %v", err)
}
cookiev, err := r.Cookie(samlConfig.TokenName)
cookiev, err := r.Cookie(authCookieName)
if err != nil {
log.Printf("error extracting JWT data: %v", err)
http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
Expand Down Expand Up @@ -92,11 +92,11 @@ func handlerAuthCheck(h http.Handler) http.Handler {
}
// Set middleware values
s := make(sessions.ContextValue)
s[ctxUser] = session.Username
s[ctxCSRF] = session.Values[ctxCSRF].(string)
ctx := context.WithValue(r.Context(), sessions.ContextKey("session"), s)
s[sessions.CtxUser] = session.Username
s[sessions.CtxCSRF] = session.Values[sessions.CtxCSRF].(string)
ctx := context.WithValue(r.Context(), sessions.ContextKey(sessions.CtxSession), s)
// Update metadata for the user
err = adminUsers.UpdateMetadata(session.IPAddress, session.UserAgent, session.Username, s["csrftoken"])
err = adminUsers.UpdateMetadata(session.IPAddress, session.UserAgent, session.Username, s[sessions.CtxCSRF])
if err != nil {
log.Printf("error updating metadata for user %s: %v", session.Username, err)
}
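Review bot: The new `s[sessions.CtxCSRF] = session.Values[sessions.CtxCSRF].(string)` keeps a single-value type assertion, so a session whose values map lacks the CSRF entry or holds a non-string panics inside the middleware instead of being treated as unauthenticated; the same line appears again in the SAML branch later in this section. Use the two-value form, `csrf, ok := session.Values[sessions.CtxCSRF].(string)`, and redirect to `loginPath` when `!ok` before populating the context value. Separately, `authCookieName = "token"` now fixes the cookie name in code where the old code read `samlConfig.TokenName`; if the samlsp session provider is ever configured with a different cookie name, `r.Cookie(authCookieName)` will fail at runtime, so a comment noting that the constant must match the SAML session cookie configuration is worth adding next to the link. handlerAuthCheck starts and continues outside these hunks.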
4 changes: 2 additions & 2 deletions admin/handlers/get.go
Expand Up @@ -70,7 +70,7 @@ func (h *HandlersAdmin) PermissionsGETHandler(w http.ResponseWriter, r *http.Req
return
}
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
Expand All @@ -94,7 +94,7 @@ func (h *HandlersAdmin) CarvesDownloadHandler(w http.ResponseWriter, r *http.Req
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
vars := mux.Vars(r)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Extract environment
envVar, ok := vars["env"]
if !ok {
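Review bot: `ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)` in PermissionsGETHandler and CarvesDownloadHandler is a single-value type assertion, so if a route is ever registered without the auth middleware that sets this key, the handler panics on a nil value instead of returning an error response. The same line is repeated in json-carves.go, json-logs.go, json-nodes.go, json-queries.go, json-stats.go, json-tags.go and every handler touched in post.go, so one shared helper would be appropriate. A two-value form, `ctx, ok := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)` followed by an error response when `!ok`, makes the dependency on the middleware explicit rather than implicit. Both enclosing functions start and continue outside the hunks.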
2 changes: 1 addition & 1 deletion admin/handlers/json-carves.go
Expand Up @@ -56,7 +56,7 @@ func (h *HandlersAdmin) JSONCarvesHandler(w http.ResponseWriter, r *http.Request
h.Inc(metricJSONReq)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.CarveLevel, users.NoEnvironment) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
4 changes: 2 additions & 2 deletions admin/handlers/json-logs.go
Expand Up @@ -91,7 +91,7 @@ func (h *HandlersAdmin) JSONLogsHandler(w http.ResponseWriter, r *http.Request)
return
}
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.UserLevel, env.UUID) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
Expand Down Expand Up @@ -171,7 +171,7 @@ func (h *HandlersAdmin) JSONQueryLogsHandler(w http.ResponseWriter, r *http.Requ
h.Inc(metricJSONReq)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.QueryLevel, users.NoEnvironment) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
4 changes: 2 additions & 2 deletions admin/handlers/json-nodes.go
Expand Up @@ -65,7 +65,7 @@ func (h *HandlersAdmin) JSONEnvironmentHandler(w http.ResponseWriter, r *http.Re
return
}
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.UserLevel, env.UUID) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
Expand Down Expand Up @@ -126,7 +126,7 @@ func (h *HandlersAdmin) JSONPlatformHandler(w http.ResponseWriter, r *http.Reque
h.Inc(metricJSONReq)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
2 changes: 1 addition & 1 deletion admin/handlers/json-queries.go
Expand Up @@ -126,7 +126,7 @@ func (h *HandlersAdmin) JSONQueryHandler(w http.ResponseWriter, r *http.Request)
h.Inc(metricJSONReq)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.QueryLevel, users.NoEnvironment) {
log.Printf("%s has insuficient permissions", ctx[sessions.CtxUser])
2 changes: 1 addition & 1 deletion admin/handlers/json-stats.go
Expand Up @@ -25,7 +25,7 @@ func (h *HandlersAdmin) JSONStatsHandler(w http.ResponseWriter, r *http.Request)
h.Inc(metricAdminReq)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
vars := mux.Vars(r)
// Extract stats target
target, ok := vars["target"]
2 changes: 1 addition & 1 deletion admin/handlers/json-tags.go
Expand Up @@ -16,7 +16,7 @@ func (h *HandlersAdmin) JSONTagsHandler(w http.ResponseWriter, r *http.Request)
h.Inc(metricAdminReq)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
36 changes: 18 additions & 18 deletions admin/handlers/post.go
Expand Up @@ -65,7 +65,7 @@ func (h *HandlersAdmin) LogoutPOSTHandler(w http.ResponseWriter, r *http.Request
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
var l LogoutRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Parse request JSON body
if h.Settings.DebugService(settings.ServiceAdmin) {
log.Println("DebugService: Decoding POST body")
Expand Down Expand Up @@ -115,7 +115,7 @@ func (h *HandlersAdmin) QueryRunPOSTHandler(w http.ResponseWriter, r *http.Reque
return
}
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions for query
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.QueryLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -268,7 +268,7 @@ func (h *HandlersAdmin) CarvesRunPOSTHandler(w http.ResponseWriter, r *http.Requ
return
}
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.CarveLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -425,7 +425,7 @@ func (h *HandlersAdmin) QueryActionsPOSTHandler(w http.ResponseWriter, r *http.R
return
}
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions for query
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.QueryLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -499,7 +499,7 @@ func (h *HandlersAdmin) CarvesActionsPOSTHandler(w http.ResponseWriter, r *http.
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), true)
var q DistributedCarvesActionRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.CarveLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -565,7 +565,7 @@ func (h *HandlersAdmin) ConfPOSTHandler(w http.ResponseWriter, r *http.Request)
}
var c ConfigurationRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -799,7 +799,7 @@ func (h *HandlersAdmin) IntervalsPOSTHandler(w http.ResponseWriter, r *http.Requ
}
var c IntervalsRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -868,7 +868,7 @@ func (h *HandlersAdmin) ExpirationPOSTHandler(w http.ResponseWriter, r *http.Req
}
var e ExpirationRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -967,7 +967,7 @@ func (h *HandlersAdmin) NodeActionsPOSTHandler(w http.ResponseWriter, r *http.Re
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), true)
var m NodeMultiActionRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1024,7 +1024,7 @@ func (h *HandlersAdmin) EnvsPOSTHandler(w http.ResponseWriter, r *http.Request)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), true)
var c EnvironmentsRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1149,7 +1149,7 @@ func (h *HandlersAdmin) SettingsPOSTHandler(w http.ResponseWriter, r *http.Reque
}
var s SettingsRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1235,7 +1235,7 @@ func (h *HandlersAdmin) UsersPOSTHandler(w http.ResponseWriter, r *http.Request)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), true)
var u UsersRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1412,7 +1412,7 @@ func (h *HandlersAdmin) TagsPOSTHandler(w http.ResponseWriter, r *http.Request)
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), true)
var t TagsRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1500,7 +1500,7 @@ func (h *HandlersAdmin) TagNodesPOSTHandler(w http.ResponseWriter, r *http.Reque
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), true)
var t TagNodesRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1578,7 +1578,7 @@ func (h *HandlersAdmin) PermissionsPOSTHandler(w http.ResponseWriter, r *http.Re
}
var p PermissionsRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, users.NoEnvironment) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1656,7 +1656,7 @@ func (h *HandlersAdmin) EnrollPOSTHandler(w http.ResponseWriter, r *http.Request
}
var e EnrollRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Check permissions
if !h.Users.CheckPermissions(ctx[sessions.CtxUser], users.AdminLevel, env.UUID) {
adminErrorResponse(w, fmt.Sprintf("%s has insuficient permissions", ctx[sessions.CtxUser]), http.StatusForbidden, nil)
Expand Down Expand Up @@ -1708,7 +1708,7 @@ func (h *HandlersAdmin) EditProfilePOSTHandler(w http.ResponseWriter, r *http.Re
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
var u UsersRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Parse request JSON body
if h.Settings.DebugService(settings.ServiceAdmin) {
log.Println("DebugService: Decoding POST body")
Expand Down Expand Up @@ -1794,7 +1794,7 @@ func (h *HandlersAdmin) SavedQueriesPOSTHandler(w http.ResponseWriter, r *http.R
utils.DebugHTTPDump(r, h.Settings.DebugHTTP(settings.ServiceAdmin, settings.NoEnvironment), false)
var s SavedQueryRequest
// Get context data
ctx := r.Context().Value(sessions.ContextKey("session")).(sessions.ContextValue)
ctx := r.Context().Value(sessions.ContextKey(sessions.CtxSession)).(sessions.ContextValue)
// Parse request JSON body
if h.Settings.DebugService(settings.ServiceAdmin) {
log.Println("DebugService: Decoding POST body")
