mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-23 18:55:18 +01:00
update csrf key generation (#21154)
* update csrf key generation Fixes #21060 Do not generate a random key if the provided key has an invalid length. Signed-off-by: wang yan <wangyan@vmware.com> * fix ut check Signed-off-by: wang yan <wangyan@vmware.com> --------- Signed-off-by: wang yan <wangyan@vmware.com>
This commit is contained in:
parent
bccfd5fb41
commit
9345fe39c9
@ -67,9 +67,16 @@ func attach(handler http.Handler) http.Handler {
|
|||||||
func Middleware() func(handler http.Handler) http.Handler {
|
func Middleware() func(handler http.Handler) http.Handler {
|
||||||
once.Do(func() {
|
once.Do(func() {
|
||||||
key := os.Getenv(csrfKeyEnv)
|
key := os.Getenv(csrfKeyEnv)
|
||||||
if len(key) != 32 {
|
if len(key) == 0 {
|
||||||
log.Warningf("Invalid CSRF key from environment: %s, generating random key...", key)
|
|
||||||
key = utils.GenerateRandomString()
|
key = utils.GenerateRandomString()
|
||||||
|
} else if len(key) != 32 {
|
||||||
|
log.Errorf("Invalid CSRF key length from the environment: %s. Please ensure the key length is 32 characters.", key)
|
||||||
|
protect = func(_ http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||||
|
lib_http.SendError(w, errors.New("invalid CSRF key length from the environment. Please ensure the key length is 32 characters"))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
return
|
||||||
}
|
}
|
||||||
secureFlag = secureCookie()
|
secureFlag = secureCookie()
|
||||||
protect = csrf.Protect([]byte(key), csrf.RequestHeader(tokenHeader),
|
protect = csrf.Protect([]byte(key), csrf.RequestHeader(tokenHeader),
|
||||||
|
@ -4,6 +4,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"os"
|
"os"
|
||||||
|
"sync"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
@ -14,6 +15,10 @@ import (
|
|||||||
_ "github.com/goharbor/harbor/src/pkg/config/inmemory"
|
_ "github.com/goharbor/harbor/src/pkg/config/inmemory"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func resetMiddleware() {
|
||||||
|
once = sync.Once{}
|
||||||
|
}
|
||||||
|
|
||||||
func TestMain(m *testing.M) {
|
func TestMain(m *testing.M) {
|
||||||
test.InitDatabaseFromEnv()
|
test.InitDatabaseFromEnv()
|
||||||
conf := map[string]interface{}{}
|
conf := map[string]interface{}{}
|
||||||
@ -32,7 +37,6 @@ func (h *handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestMiddleware(t *testing.T) {
|
func TestMiddleware(t *testing.T) {
|
||||||
srv := Middleware()(&handler{})
|
|
||||||
cases := []struct {
|
cases := []struct {
|
||||||
req *http.Request
|
req *http.Request
|
||||||
statusCode int
|
statusCode int
|
||||||
@ -60,6 +64,7 @@ func TestMiddleware(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, c := range cases {
|
for _, c := range cases {
|
||||||
|
srv := Middleware()(&handler{})
|
||||||
rec := httptest.NewRecorder()
|
rec := httptest.NewRecorder()
|
||||||
srv.ServeHTTP(rec, c.req)
|
srv.ServeHTTP(rec, c.req)
|
||||||
assert.Equal(t, c.statusCode, rec.Result().StatusCode)
|
assert.Equal(t, c.statusCode, rec.Result().StatusCode)
|
||||||
@ -67,13 +72,24 @@ func TestMiddleware(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func hasCookie(resp *http.Response, name string) bool {
|
func TestMiddlewareInvalidKey(t *testing.T) {
|
||||||
for _, c := range resp.Cookies() {
|
originalEnv := os.Getenv(csrfKeyEnv)
|
||||||
if c != nil && c.Name == name {
|
defer os.Setenv(csrfKeyEnv, originalEnv)
|
||||||
return true
|
|
||||||
}
|
t.Run("invalid CSRF key", func(t *testing.T) {
|
||||||
}
|
os.Setenv(csrfKeyEnv, "invalidkey")
|
||||||
return false
|
resetMiddleware()
|
||||||
|
middleware := Middleware()
|
||||||
|
testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
t.Error("handler should not be reached when CSRF key is invalid")
|
||||||
|
})
|
||||||
|
|
||||||
|
handler := middleware(testHandler)
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||||
|
rec := httptest.NewRecorder()
|
||||||
|
handler.ServeHTTP(rec, req)
|
||||||
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestSecureCookie(t *testing.T) {
|
func TestSecureCookie(t *testing.T) {
|
||||||
|
Loading…
Reference in New Issue
Block a user