Add HMAC protection on /approval endpoint
Signed-off-by: Bob Callaway <bcallaway@google.com>
This commit is contained in:
Bob Callaway
@@ -1,6 +1,7 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"crypto/hmac"
|
||||
"crypto/sha256"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
@@ -499,7 +500,13 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
|
||||
s.logger.Infof("login successful: connector %q, username=%q, preferred_username=%q, email=%q, groups=%q",
|
||||
authReq.ConnectorID, claims.Username, claims.PreferredUsername, email, claims.Groups)
|
||||
|
||||
returnURL := path.Join(s.issuerURL.Path, "/approval") + "?req=" + authReq.ID
|
||||
// TODO: if s.skipApproval or !authReq.ForceApprovalPrompt, we can skip the redirect to /approval and go ahead and send code
|
||||
|
||||
h := hmac.New(sha256.New, authReq.HMACKey)
|
||||
h.Write([]byte(authReq.ID))
|
||||
mac := h.Sum(nil)
|
||||
|
||||
returnURL := path.Join(s.issuerURL.Path, "/approval") + "?req=" + authReq.ID + "&hmac=" + base64.RawURLEncoding.EncodeToString(mac)
|
||||
_, ok := conn.(connector.RefreshConnector)
|
||||
if !ok {
|
||||
return returnURL, nil
|
||||
@@ -544,6 +551,17 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
|
||||
}
|
||||
|
||||
func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
|
||||
macEncoded := r.FormValue("hmac")
|
||||
if macEncoded == "" {
|
||||
s.renderError(r, w, http.StatusUnauthorized, "Unauthorized request")
|
||||
return
|
||||
}
|
||||
mac, err := base64.RawURLEncoding.DecodeString(macEncoded)
|
||||
if err != nil {
|
||||
s.renderError(r, w, http.StatusUnauthorized, "Unauthorized request")
|
||||
return
|
||||
}
|
||||
|
||||
authReq, err := s.storage.GetAuthRequest(r.FormValue("req"))
|
||||
if err != nil {
|
||||
s.logger.Errorf("Failed to get auth request: %v", err)
|
||||
@@ -556,6 +574,16 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// build expected hmac with secret key
|
||||
h := hmac.New(sha256.New, authReq.HMACKey)
|
||||
h.Write([]byte(r.FormValue("req")))
|
||||
expectedMAC := h.Sum(nil)
|
||||
// constant time comparison
|
||||
if !hmac.Equal(mac, expectedMAC) {
|
||||
s.renderError(r, w, http.StatusUnauthorized, "Unauthorized request")
|
||||
return
|
||||
}
|
||||
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
if s.skipApproval {
|
||||
|
||||
@@ -2,6 +2,7 @@ package server
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rsa"
|
||||
@@ -576,6 +577,7 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
|
||||
CodeChallenge: codeChallenge,
|
||||
CodeChallengeMethod: codeChallengeMethod,
|
||||
},
|
||||
HMACKey: storage.NewHMACKey(crypto.SHA256),
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user