moves cookie https setting to [security]

7 years ago · d6edaa1328
parent 9153b6ed96
commit d6edaa1328
7 changed files with 25 additions and 21 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -113,9 +113,6 @@ cache_mode = private
 # Login cookie name
 cookie_name = grafana_session

-# If you want login cookies to be https only. default is false
-cookie_secure = false
-
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7

@ -203,6 +200,9 @@ data_source_proxy_whitelist =
 # disable protection against brute force login attempts
 disable_brute_force_login_protection = false

+# set cookies as https only. default is false
+https_flag_cookies = false
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -109,9 +109,6 @@ log_queries =
 # Login cookie name
 ;cookie_name = grafana_session

-# If you want login cookies to be https only. default is false
-;cookie_secure = false
-
 # How many days an session can be unused before we inactivate it
 ;login_remember_days = 7

@ -190,6 +187,9 @@ log_queries =
 # disable protection against brute force login attempts
 ;disable_brute_force_login_protection = false

+# set cookies as https only. default is false
+;https_flag_cookies = false
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options
--- a/pkg/api/login.go
+++ b/pkg/api/login.go
@ -176,7 +176,7 @@ func (hs *HTTPServer) trySetEncryptedCookie(ctx *m.ReqContext, cookieName string
 		Value:    hex.EncodeToString(encryptedError),
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   hs.Cfg.LoginCookieSecure,
+		Secure:   hs.Cfg.SecurityHTTPSCookies,
 	})

 	return nil
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@ -60,8 +60,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 	if code == "" {
 		state := GenStateString()
 		hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
-		hs.writeOauthStateCookie(ctx, hashedState, 60)
-
+		hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60)
 		if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
 			ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
 		} else {
@ -70,19 +69,20 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 		return
 	}

-	savedState := ctx.GetCookie(OauthStateCookieName)
+	cookieState := ctx.GetCookie(OauthStateCookieName)

 	// delete cookie
 	ctx.Resp.Header().Del("Set-Cookie")
-	hs.writeOauthStateCookie(ctx, "", -1)
+	hs.deleteCookie(ctx.Resp, OauthStateCookieName)

-	if savedState == "" {
+	if cookieState == "" {
 		ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
 		return
 	}

 	queryState := hashStatecode(ctx.Query("state"), setting.OAuthService.OAuthInfos[name].ClientSecret)
-	if savedState != queryState {
+	oauthLogger.Info("state check", "queryState", queryState, "cookieState", cookieState)
+	if cookieState != queryState {
 		ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
 		return
 	}
@ -203,14 +203,18 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 	ctx.Redirect(setting.AppSubUrl + "/")
 }

-func (hs *HTTPServer) writeOauthStateCookie(ctx *m.ReqContext, value string, maxAge int) {
-	http.SetCookie(ctx.Resp, &http.Cookie{
-		Name:     OauthStateCookieName,
+func (hs *HTTPServer) deleteCookie(w http.ResponseWriter, name string) {
+	hs.writeCookie(w, name, "", -1)
+}
+
+func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
 		MaxAge:   maxAge,
 		Value:    value,
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   hs.Cfg.LoginCookieSecure,
+		Secure:   hs.Cfg.SecurityHTTPSCookies,
 	})
 }

--- a/pkg/services/auth/auth_token.go
+++ b/pkg/services/auth/auth_token.go
@ -95,7 +95,7 @@ func (s *UserAuthTokenServiceImpl) writeSessionCookie(ctx *models.ReqContext, va
 		HttpOnly: true,
 		Domain:   setting.Domain,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   s.Cfg.LoginCookieSecure,
+		Secure:   s.Cfg.SecurityHTTPSCookies,
 		MaxAge:   maxAge,
 	}

--- a/pkg/services/auth/auth_token_test.go
+++ b/pkg/services/auth/auth_token_test.go
@ -293,7 +293,6 @@ func createTestContext(t *testing.T) *testContext {
 		SQLStore: sqlstore,
 		Cfg: &setting.Cfg{
 			LoginCookieName:                   "grafana_session",
-			LoginCookieSecure:                 false,
 			LoginCookieMaxDays:                7,
 			LoginDeleteExpiredTokensAfterDays: 30,
 			LoginCookieRotation:               10,
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -223,10 +223,11 @@ type Cfg struct {
 	EnterpriseLicensePath            string

 	LoginCookieName                   string
-	LoginCookieSecure                 bool
 	LoginCookieMaxDays                int
 	LoginCookieRotation               int
 	LoginDeleteExpiredTokensAfterDays int
+
+	SecurityHTTPSCookies bool
 }

 type CommandLineArgs struct {
@ -554,7 +555,6 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	login := iniFile.Section("login")
 	cfg.LoginCookieName = login.Key("cookie_name").MustString("grafana_session")
 	cfg.LoginCookieMaxDays = login.Key("login_remember_days").MustInt(7)
-	cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)
 	cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
 	cfg.LoginCookieRotation = login.Key("rotate_token_minutes").MustInt(30)
 	if cfg.LoginCookieRotation < 2 {
@ -603,6 +603,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	SecretKey = security.Key("secret_key").String()
 	DisableGravatar = security.Key("disable_gravatar").MustBool(true)
 	cfg.DisableBruteForceLoginProtection = security.Key("disable_brute_force_login_protection").MustBool(false)
+	cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(false)
 	DisableBruteForceLoginProtection = cfg.DisableBruteForceLoginProtection

 	// read snapshots settings