feat(cas-auth): sign request URI cookie and tighten cookie attributes #13331
Open
shreemaan-abhishek wants to merge 3 commits into apache:master from
Conversation
The CAS_REQUEST_URI cookie used by the plugin to remember the pre-login URL is now signed with HMAC-SHA256 and verified on the IdP callback using a constant-time comparison. The recovered redirect target is also validated as a same-origin path before being applied; on mismatch the plugin falls back to /. Cookie attributes are tightened to include Secure; SameSite=Lax. Adds a required cookie_secret field (minLength 32) to the plugin schema. The same value must be configured on every APISIX node.
- Move cookie options under a nested cookie object: cookie.secret, cookie.secure (default true), cookie.samesite (default Lax, enum Lax|None). Strict is intentionally omitted because it breaks the IdP->SP cross-site redirect.
- Mark cookie.secret as encrypt_fields so it is encrypted at rest in etcd, matching how other plugins protect plugin secrets.
- Guard first_access against sign_value returning nil so a transient HMAC failure cannot crash the request with a Lua concatenation error; fall through and let the safe-redirect fallback take over.
- Capture and log the error from compute_hmac in verify_value rather than dropping it.
- Build cookie attributes per-config so deployments that legitimately run over HTTP can disable Secure without giving up SameSite.
- Strip session identifiers, ticket values, and full request URIs from info-level logs; demote raw SLO LogoutRequest body to debug.
- Update t/lib/keycloak_cas.lua and t/plugin/security-warning.t for the new schema; add unit-style tests for the schema, the safe redirect predicate, and the HMAC sign/verify roundtrip with tampering, wrong-secret, and malformed-input cases.
- Move encrypt_fields = {"cookie.secret"} from the plugin module
table into the schema table. The framework's encryption pipeline
reads schema.encrypt_fields (apisix/plugin.lua); declaring it on
_M was silently a no-op and meant cookie.secret was being stored
in plaintext at rest in etcd despite the previous claim. Other
plugins (basic-auth, openid-connect, etc.) place it on the schema
table for the same reason.
- Drop the debug-level log of the raw SLO LogoutRequest body. Even
at debug level, the body contains the SAML SessionIndex (the
ticket value the plugin reuses as a session id), which is
authentication material that should not be written to logs at any
level. The "SLO request received from IdP" info log already
captures the operational signal; raw-body inspection can be done
via packet capture if ever needed.
Description
This change updates the cas-auth plugin so that the CAS_REQUEST_URI cookie — which the plugin uses to remember where the user was headed before being bounced to the CAS IdP — is signed with HMAC-SHA256 and verified on the IdP callback using a constant-time comparison.

After successful CAS ticket validation, the recovered redirect target is also validated as a same-origin path before being applied; if the cookie is missing, malformed, fails signature verification, or carries something that is not a relative path, the plugin falls back to / instead of using the cookie value verbatim.

A new required cookie object is added to the plugin schema:

- cookie.secret (string, required, minLength 32) — HMAC-signing key. Must match across all APISIX nodes so cookies issued on one node remain verifiable on another. Encrypted at rest via schema.encrypt_fields.
- cookie.secure (boolean, default true) — whether to set the Secure attribute on issued cookies. Set to false only for deployments where the protected route is not served over HTTPS.
- cookie.samesite (string, default "Lax", enum "Lax"/"None") — value for the SameSite cookie attribute. "Strict" is intentionally not exposed because it suppresses the cookie on the IdP→SP top-level redirect when the IdP is on a different site.

HttpOnly continues to be set unconditionally on the issued cookies.

t/lib/keycloak_cas.lua is updated so existing integration tests continue to pass; new tests in t/plugin/cas-auth.t exercise the schema constraints, the safe-redirect predicate, and the HMAC sign/verify roundtrip including tampering, wrong-secret, and malformed-cookie cases.

Which issue(s) this PR fixes:
N/A
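The sign/verify roundtrip, the safe-redirect predicate, the nil-guarded first-access path and the per-config cookie attributes described in the PR, as an added Python example that is not the plugin's code (the cas-auth plugin is Lua, and its exact cookie encoding is not shown on this page). The dot-separated base64url layout of the cookie value, the Path=/ attribute, and the check that SameSite=None must be paired with Secure are assumptions of this example; the `secret` argument stands in for cookie.secret and the constructed value in the usage code meets the minLength 32 rule.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example, not the APISIX cas-auth plugin's code. Function names and the
# cookie value layout ("<b64url(payload)>.<b64url(mac)>") are illustrative.

COOKIE_NAME = "CAS_REQUEST_URI"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Raises ValueError (binascii.Error is a subclass) on malformed input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_value(secret: str, value: str) -> Optional[str]:
    """Return '<b64url(value)>.<b64url(HMAC-SHA256)>', or None if signing fails.

    Returning None instead of raising mirrors the PR's first_access guard: a
    signing failure must not crash the request; no cookie is issued and the
    callback later falls back to "/".
    """
    if not isinstance(value, str) or not value:
        return None
    try:
        payload = value.encode("utf-8")
        mac = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).digest()
    except (TypeError, ValueError, AttributeError):
        return None
    return _b64url(payload) + "." + _b64url(mac)


def verify_value(secret: str, cookie: Optional[str]) -> Optional[str]:
    """Return the signed value if the cookie is well-formed and authentic, else None."""
    if not isinstance(cookie, str) or cookie.count(".") != 1:
        return None
    enc_payload, enc_mac = cookie.split(".")
    try:
        payload = _b64url_decode(enc_payload)
        mac = _b64url_decode(enc_mac)
    except ValueError:
        return None
    expected = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how much of the MAC matched.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        return payload.decode("utf-8")
    except UnicodeDecodeError:
        return None


def is_safe_redirect(target: object) -> bool:
    """Same-origin path predicate: accept only an absolute path on this host."""
    if not isinstance(target, str) or not target.startswith("/"):
        return False
    # "//host" is protocol-relative; browsers also normalise "/\host" to it.
    if target.startswith("//") or target.startswith("/\\"):
        return False
    # Control characters would allow header injection via the Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    return True


def build_set_cookie(name: str, value: str, secure: bool = True,
                     samesite: str = "Lax") -> str:
    """Build the Set-Cookie attributes that cookie.secure / cookie.samesite control."""
    if samesite not in ("Lax", "None"):  # "Strict" is deliberately not offered
        raise ValueError("cookie.samesite must be 'Lax' or 'None'")
    if samesite == "None" and not secure:
        # Assumption of this example, not from the PR: browsers drop
        # SameSite=None cookies that lack the Secure attribute.
        raise ValueError("SameSite=None requires Secure")
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]  # Path=/ is an assumption
    if secure:
        attrs.append("Secure")
    attrs.append(f"SameSite={samesite}")
    return "; ".join(attrs)


def first_access(secret: str, request_uri: str, secure: bool = True,
                 samesite: str = "Lax") -> Optional[str]:
    """Set-Cookie header to issue before redirecting to the IdP, or None on failure."""
    signed = sign_value(secret, request_uri)
    if signed is None:
        return None  # no cookie; the callback will fall back to "/"
    return build_set_cookie(COOKIE_NAME, signed, secure, samesite)


def callback_redirect_target(secret: str, cookie: Optional[str]) -> str:
    """After ticket validation: recover the pre-login URI or fall back to '/'."""
    recovered = verify_value(secret, cookie)
    if recovered is None or not is_safe_redirect(recovered):
        return "/"
    return recovered


if __name__ == "__main__":
    secret = "0123456789abcdef0123456789abcdef"  # constructed; satisfies minLength 32
    print(first_access(secret, "/app/page?x=1"))
    print(callback_redirect_target(secret, sign_value(secret, "/app/page?x=1")))
```

Note that signing alone is not enough: a cookie signed with the correct secret but carrying an absolute URL still verifies, which is why `callback_redirect_target` applies the same-origin predicate after `verify_value` and only then trusts the value.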
Checklist