lukaszraczylo/traefikoidc
1
0
Fork 0
mirror of https://github.com/lukaszraczylo/traefikoidc.git synced 2026-06-05 22:44:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1e4142a7fbed7fe986db8c6d8def52f3bbaa288c
traefikoidc/session/chunking/chunk_serializer.go
T
lukaszraczylo 1b49e133da Complete rebuild of the plugin 
* Fix bug affecting Azure OIDC authentication ( and most likely others )

* Fixes issue #51

* Ensure that appended roles are unique. Update the documentation.

* Improvements targetting possible memory usage spikes.

* Additional fixes and cleanup

* Refactoring code to fix the issues identified by the users.

* Modernize run

* Fieldalignment

* Multiple changes to improve performance and reduce complexity.
- Optimise the errors and recovery.
- Deduplicate code in metadata cache.
- Remove unused performance monitoring code.
- Simplify session management and settings handling.

* Fix claims issue.

* Add ability to overwrite the default scopes in the settings file

* Well.. that escalated quickly.

Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ).

* Bugfix #51: Ensures that user provided scopes overrides work.

* fixup! Bugfix #51: Ensures that user provided scopes overrides work.

* fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work.

* Abstract the provider logic into a separate package.

* Additional micro fixes and cleanups.

* Simplify all the things.

* fixup! Simplify all the things.

* fixup! fixup! Simplify all the things.

* fixup! fixup! fixup! Simplify all the things.

* fixup! fixup! fixup! fixup! Simplify all the things.

* ...

* Cleanup tests.

* fixup! Cleanup tests.

* fixup! fixup! fixup! Cleanup tests.

* fixup! fixup! fixup! fixup! Cleanup tests.

* fixup! fixup! fixup! fixup! fixup! Cleanup tests.

* Issue #53: Fix CSRF token handling in reverse proxy

1.  HTTPS Detection Fixed (session.go:723)
- Now uses X-Forwarded-Proto header instead of r.URL.Scheme
- Properly detects HTTPS in reverse proxy environments
2.  SameSite Cookie Attribute Fixed
- Removed automatic SameSiteStrictMode for HTTPS (would break OAuth)
- Keeps SameSiteLaxMode to allow OAuth callbacks from external domains
- Only uses Strict for AJAX requests which don't involve OAuth redirects
3.  Cookie Domain Handling Fixed
- Now respects X-Forwarded-Host header for cookie domain
- Ensures cookies are set for the public domain, not internal proxy domain
4.  EnhanceSessionSecurity Properly Integrated
- Function is now actually called during session save
- Applies security enhancements without breaking OAuth flow

Why Issue #53 Failed Before:

1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back)
2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail
3. Cookie domain might have been wrong (internal vs public domain)

Why It Works Now:

1. Cookies are properly marked Secure for HTTPS
2. Uses SameSite=Lax to allow OAuth provider callbacks
3. Cookie domain uses public domain from X-Forwarded-Host
4. CSRF token persists through the entire OAuth flow

* Next set of enhancements together with memory usage improvements.

* Memory leak fixes and optimisations.

* CSRF and Cookie Domain fixes

* fixup! CSRF and Cookie Domain fixes

* Metadata cache leak fix + profiling

* fixup! Metadata cache leak fix + profiling

* Memory leaks hunting, part 1337.

* Further pursue of perfection.

* fixup! Further pursue of perfection.

* fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection.

* fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection.

* Clear race conditions

* fixup! Clear race conditions

* Weekend fun with memory leaks

* Splitting code into multiple files with reasonable testing coverage.

```
ok      github.com/lukaszraczylo/traefikoidc    117.017s        coverage: 72.6% of statements
ok      github.com/lukaszraczylo/traefikoidc/auth       0.505s  coverage: 87.1% of statements
ok      github.com/lukaszraczylo/traefikoidc/circuit_breaker    0.283s  coverage: 99.0% of statements
        github.com/lukaszraczylo/traefikoidc/config             coverage: 0.0% of statements
ok      github.com/lukaszraczylo/traefikoidc/handlers   0.349s  coverage: 98.2% of statements
ok      github.com/lukaszraczylo/traefikoidc/internal/providers (cached)        coverage: 94.3% of statements
ok      github.com/lukaszraczylo/traefikoidc/middleware 0.808s  coverage: 78.0% of statements
ok      github.com/lukaszraczylo/traefikoidc/recovery   0.653s  coverage: 100.0% of statements
ok      github.com/lukaszraczylo/traefikoidc/session/chunking   (cached)        coverage: 87.8% of statements
ok      github.com/lukaszraczylo/traefikoidc/session/core       (cached)        coverage: 85.6% of statements
ok      github.com/lukaszraczylo/traefikoidc/session/crypto     (cached)        coverage: 81.8% of statements
ok      github.com/lukaszraczylo/traefikoidc/session/storage    (cached)        coverage: 93.5% of statements
ok      github.com/lukaszraczylo/traefikoidc/session/validators (cached)        coverage: 98.8% of statements
````

* fixup! Splitting code into multiple files with reasonable testing coverage.

* fixup! fixup! Splitting code into multiple files with reasonable testing coverage.

* Weekend fun with further optimisations.

* fixup! Weekend fun with further optimisations.

* fixup! fixup! Weekend fun with further optimisations.

* fixup! fixup! fixup! Weekend fun with further optimisations.

* fixup! fixup! fixup! fixup! Weekend fun with further optimisations.

* fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations.

* Pre-release cleanup.

* Enhance test coverage.

* fixup! Enhance test coverage.

* fixup! fixup! Enhance test coverage.

* fixup! fixup! fixup! Enhance test coverage.
2025-09-18 11:01:30 +01:00

280 lines
8.1 KiB
Go
Raw Blame History

// Package chunking provides chunk serialization functionality
package chunking
import (
"encoding/base64"
"fmt"
"strings"
)
// ChunkSerializer handles serialization and deserialization of token chunks
type ChunkSerializer struct {
logger Logger
}
// NewChunkSerializer creates a new chunk serializer
func NewChunkSerializer(logger Logger) *ChunkSerializer {
return &ChunkSerializer{
logger: logger,
}
}
// SerializeTokenToChunks splits a token into chunks suitable for cookie storage
func (cs *ChunkSerializer) SerializeTokenToChunks(token string, config TokenConfig) ([]ChunkData, error) {
if token == "" {
return nil, fmt.Errorf("cannot serialize empty token")
}
if len(token) < config.MinLength {
return nil, fmt.Errorf("token too short: %d < %d", len(token), config.MinLength)
}
if len(token) > config.MaxLength {
return nil, fmt.Errorf("token too long: %d > %d", len(token), config.MaxLength)
}
// Calculate optimal chunk size
chunkSize := config.MaxChunkSize
if chunkSize <= 0 {
chunkSize = maxCookieSize
}
// Estimate number of chunks needed
estimatedChunks := (len(token) + chunkSize - 1) / chunkSize
if estimatedChunks > config.MaxChunks {
return nil, fmt.Errorf("token requires too many chunks: %d > %d", estimatedChunks, config.MaxChunks)
}
// Split token into chunks
chunks := make([]ChunkData, 0, estimatedChunks)
remaining := token
chunkIndex := 0
for len(remaining) > 0 {
if chunkIndex >= config.MaxChunks {
return nil, fmt.Errorf("exceeded maximum chunk count during serialization")
}
// Determine chunk size for this iteration
currentChunkSize := chunkSize
if len(remaining) < currentChunkSize {
currentChunkSize = len(remaining)
}
// Extract chunk
chunkContent := remaining[:currentChunkSize]
remaining = remaining[currentChunkSize:]
// Create chunk data
chunkData := ChunkData{
Index: chunkIndex,
Content: chunkContent,
Total: estimatedChunks, // Will be updated after all chunks are created
Checksum: cs.calculateChecksum(chunkContent),
}
chunks = append(chunks, chunkData)
chunkIndex++
}
// Update total count in all chunks
actualChunks := len(chunks)
for i := range chunks {
chunks[i].Total = actualChunks
}
cs.logger.Debugf("Serialized %s token into %d chunks", config.Type, len(chunks))
return chunks, nil
}
// DeserializeTokenFromChunks reconstructs a token from chunk data
func (cs *ChunkSerializer) DeserializeTokenFromChunks(chunks []ChunkData, config TokenConfig) (string, error) {
if len(chunks) == 0 {
return "", fmt.Errorf("no chunks provided for deserialization")
}
if len(chunks) > config.MaxChunks {
return "", fmt.Errorf("too many chunks: %d > %d", len(chunks), config.MaxChunks)
}
// Validate chunk consistency
expectedTotal := chunks[0].Total
for i, chunk := range chunks {
if chunk.Total != expectedTotal {
return "", fmt.Errorf("chunk %d has inconsistent total count: %d != %d", i, chunk.Total, expectedTotal)
}
}
if len(chunks) != expectedTotal {
return "", fmt.Errorf("chunk count mismatch: got %d, expected %d", len(chunks), expectedTotal)
}
// Sort chunks by index
orderedChunks := make([]ChunkData, expectedTotal)
for _, chunk := range chunks {
if chunk.Index < 0 || chunk.Index >= expectedTotal {
return "", fmt.Errorf("invalid chunk index: %d (total: %d)", chunk.Index, expectedTotal)
}
if orderedChunks[chunk.Index].Content != "" {
return "", fmt.Errorf("duplicate chunk index: %d", chunk.Index)
}
orderedChunks[chunk.Index] = chunk
}
// Verify all chunks are present
for i, chunk := range orderedChunks {
if chunk.Content == "" {
return "", fmt.Errorf("missing chunk at index: %d", i)
}
// Verify checksum
expectedChecksum := cs.calculateChecksum(chunk.Content)
if chunk.Checksum != expectedChecksum {
return "", fmt.Errorf("chunk %d checksum mismatch", i)
}
}
// Reconstruct token
var tokenBuilder strings.Builder
tokenBuilder.Grow(len(chunks) * config.MaxChunkSize) // Pre-allocate capacity
for _, chunk := range orderedChunks {
tokenBuilder.WriteString(chunk.Content)
}
reconstructedToken := tokenBuilder.String()
// Final validation
if len(reconstructedToken) < config.MinLength {
return "", fmt.Errorf("reconstructed token too short: %d < %d", len(reconstructedToken), config.MinLength)
}
if len(reconstructedToken) > config.MaxLength {
return "", fmt.Errorf("reconstructed token too long: %d > %d", len(reconstructedToken), config.MaxLength)
}
cs.logger.Debugf("Deserialized %s token from %d chunks (length: %d)", config.Type, len(chunks), len(reconstructedToken))
return reconstructedToken, nil
}
// EncodeChunk encodes chunk data for cookie storage
func (cs *ChunkSerializer) EncodeChunk(chunk ChunkData) (string, error) {
// Create a simple format: index:total:checksum:content
encoded := fmt.Sprintf("%d:%d:%s:%s", chunk.Index, chunk.Total, chunk.Checksum, chunk.Content)
// Base64 encode the entire chunk for safe cookie storage
return base64.StdEncoding.EncodeToString([]byte(encoded)), nil
}
// DecodeChunk decodes chunk data from cookie storage
func (cs *ChunkSerializer) DecodeChunk(encoded string) (ChunkData, error) {
// Base64 decode
decoded, err := base64.StdEncoding.DecodeString(encoded)
if err != nil {
return ChunkData{}, fmt.Errorf("failed to base64 decode chunk: %w", err)
}
// Parse the format: index:total:checksum:content
parts := strings.SplitN(string(decoded), ":", 4)
if len(parts) != 4 {
return ChunkData{}, fmt.Errorf("invalid chunk format: expected 4 parts, got %d", len(parts))
}
var index, total int
if _, err := fmt.Sscanf(parts[0], "%d", &index); err != nil {
return ChunkData{}, fmt.Errorf("invalid chunk index: %w", err)
}
if _, err := fmt.Sscanf(parts[1], "%d", &total); err != nil {
return ChunkData{}, fmt.Errorf("invalid chunk total: %w", err)
}
checksum := parts[2]
content := parts[3]
return ChunkData{
Index: index,
Total: total,
Content: content,
Checksum: checksum,
}, nil
}
// ValidateChunkIntegrity validates the integrity of chunk data
func (cs *ChunkSerializer) ValidateChunkIntegrity(chunk ChunkData) error {
if chunk.Index < 0 {
return fmt.Errorf("negative chunk index: %d", chunk.Index)
}
if chunk.Total <= 0 {
return fmt.Errorf("invalid total chunks: %d", chunk.Total)
}
if chunk.Index >= chunk.Total {
return fmt.Errorf("chunk index %d exceeds total %d", chunk.Index, chunk.Total)
}
if chunk.Content == "" {
return fmt.Errorf("empty chunk content at index %d", chunk.Index)
}
if chunk.Checksum == "" {
return fmt.Errorf("empty chunk checksum at index %d", chunk.Index)
}
// Verify checksum
expectedChecksum := cs.calculateChecksum(chunk.Content)
if chunk.Checksum != expectedChecksum {
return fmt.Errorf("chunk %d checksum mismatch: expected %s, got %s",
chunk.Index, expectedChecksum, chunk.Checksum)
}
return nil
}
// calculateChecksum calculates a simple checksum for chunk content
func (cs *ChunkSerializer) calculateChecksum(content string) string {
// Simple checksum using length and first/last characters
if len(content) == 0 {
return "empty"
}
checksum := fmt.Sprintf("len%d", len(content))
if len(content) >= 1 {
checksum += fmt.Sprintf("_first%d", int(content[0]))
}
if len(content) >= 2 {
checksum += fmt.Sprintf("_last%d", int(content[len(content)-1]))
}
return checksum
}
// ChunkData represents a single chunk of token data
type ChunkData struct {
Index int // Position of this chunk in the sequence
Total int // Total number of chunks for this token
Content string // The actual chunk content
Checksum string // Simple checksum for integrity verification
}
// EstimateChunkCount estimates how many chunks a token will need
func (cs *ChunkSerializer) EstimateChunkCount(tokenLength int, chunkSize int) int {
if chunkSize <= 0 {
chunkSize = maxCookieSize
}
return (tokenLength + chunkSize - 1) / chunkSize
}
// MaxTokenSizeForChunks calculates the maximum token size that can fit in the given number of chunks
func (cs *ChunkSerializer) MaxTokenSizeForChunks(maxChunks int, chunkSize int) int {
if chunkSize <= 0 {
chunkSize = maxCookieSize
}
return maxChunks * chunkSize
}
Reference in New Issue View Git Blame Copy Permalink