2020-03-28 06:10:39 +00:00
|
|
|
package session
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/sha256"
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/fasthttp/session"
|
2020-04-05 12:37:21 +00:00
|
|
|
|
|
|
|
"github.com/authelia/authelia/internal/utils"
|
2020-03-28 06:10:39 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// EncryptingSerializer a serializer encrypting the data with AES-GCM with 256-bit keys.
|
|
|
|
type EncryptingSerializer struct {
|
|
|
|
key [32]byte
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewEncryptingSerializer return new encrypt instance
|
|
|
|
func NewEncryptingSerializer(secret string) *EncryptingSerializer {
|
|
|
|
key := sha256.Sum256([]byte(secret))
|
|
|
|
return &EncryptingSerializer{key}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Encode encode and encrypt session
|
|
|
|
func (e *EncryptingSerializer) Encode(src session.Dict) ([]byte, error) {
|
|
|
|
if len(src.D) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
dst, err := src.MarshalMsg(nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Unable to marshal session: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
encryptedDst, err := utils.Encrypt(dst, &e.key)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Unable to encrypt session: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return encryptedDst, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decode decrypt and decode session
|
|
|
|
func (e *EncryptingSerializer) Decode(dst *session.Dict, src []byte) error {
|
|
|
|
if len(src) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
dst.Reset()
|
|
|
|
decryptedSrc, err := utils.Decrypt(src, &e.key)
|
|
|
|
if err != nil {
|
|
|
|
// If an error is thrown while decrypting, it's probably an old unencrypted session
|
|
|
|
// so we just unmarshall it without decrypting. It's a way to avoid a breaking change
|
|
|
|
// requiring to flush redis.
|
|
|
|
// TODO(clems4ever): remove in few months
|
|
|
|
_, uerr := dst.UnmarshalMsg(src)
|
|
|
|
if uerr != nil {
|
|
|
|
return fmt.Errorf("Unable to decrypt session: %s", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = dst.UnmarshalMsg(decryptedSrc)
|
|
|
|
return err
|
|
|
|
}
|