Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2025-02-02 13:01:23 +01:00
Code Issues Projects Releases Wiki Activity

make Secure flag of CSRF cookie adapt to config

Browse Source 
fixes #11074

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
Daniel Jiang 2020-03-14 15:58:06 +08:00
parent 901b615d78
commit cbd2619035
2 changed files with 44 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/server/middleware/csrf/csrf.go
View File

@ -1,6 +1,11 @@
package csrf package csrf
import ( import (
"net/http"
"os"
"strings"
"sync"
"github.com/goharbor/harbor/src/common/utils" "github.com/goharbor/harbor/src/common/utils"
"github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/common/utils/log"
"github.com/goharbor/harbor/src/core/config" "github.com/goharbor/harbor/src/core/config"
@ -8,10 +13,6 @@ import (
serror "github.com/goharbor/harbor/src/server/error" serror "github.com/goharbor/harbor/src/server/error"
"github.com/goharbor/harbor/src/server/middleware" "github.com/goharbor/harbor/src/server/middleware"
"github.com/gorilla/csrf" "github.com/gorilla/csrf"
"net/http"
"os"
"strings"
"sync"
) )
const ( const (
@ -22,6 +23,7 @@ const (
var ( var (
once sync.Once once sync.Once
secureFlag = true
protect func(handler http.Handler) http.Handler protect func(handler http.Handler) http.Handler
) )
@ -30,7 +32,7 @@ func attachToken(w http.ResponseWriter, r *http.Request) {
if t := csrf.Token(r); len(t) > 0 { if t := csrf.Token(r); len(t) > 0 {
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{
Name: tokenCookie, Name: tokenCookie,
Secure: true, Secure: secureFlag,
Value: t, Value: t,
Path: "/", Path: "/",
SameSite: http.SameSiteStrictMode, SameSite: http.SameSiteStrictMode,
@ -60,9 +62,10 @@ func Middleware() func(handler http.Handler) http.Handler {
if len(key) != 32 { if len(key) != 32 {
log.Warningf("Invalid CSRF key from environment: %s, generating random key...", key) log.Warningf("Invalid CSRF key from environment: %s, generating random key...", key)
key = utils.GenerateRandomString() key = utils.GenerateRandomString()
} }
secureFlag = secureCookie()
protect = csrf.Protect([]byte(key), csrf.RequestHeader(tokenHeader), protect = csrf.Protect([]byte(key), csrf.RequestHeader(tokenHeader),
csrf.Secure(secureFlag),
csrf.ErrorHandler(http.HandlerFunc(handleError)), csrf.ErrorHandler(http.HandlerFunc(handleError)),
csrf.SameSite(csrf.SameSiteStrictMode), csrf.SameSite(csrf.SameSiteStrictMode),
csrf.Path("/")) csrf.Path("/"))
@ -87,3 +90,12 @@ func csrfSkipper(req *http.Request) bool {
} }
return false return false
} }
func secureCookie() bool {
ep, err := config.ExtEndpoint()
if err != nil {
log.Warningf("Failed to get external endpoint: %v, set cookie secure flag to true", err)
return true
}
return !strings.HasPrefix(strings.ToLower(ep), "http://")
}

24
src/server/middleware/csrf/csrf_test.go
View File

@ -1,12 +1,24 @@
package csrf package csrf
import ( import (
"github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/core/config"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os"
"testing" "testing"
) )
func TestMain(m *testing.M) {
conf := map[string]interface{}{}
config.InitWithSettings(conf)
result := m.Run()
if result != 0 {
os.Exit(result)
}
}
type handler struct { type handler struct {
} }
@ -58,3 +70,15 @@ func hasCookie(resp *http.Response, name string) bool {
} }
return false return false
} }
func TestSecureCookie(t *testing.T) {
assert.True(t, secureCookie())
conf := map[string]interface{}{
common.ExtEndpoint: "http://harbor.test",
}
config.InitWithSettings(conf)
assert.False(t, secureCookie())
conf = map[string]interface{}{}
config.InitWithSettings(conf)
}