search

openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts
MIT License
261 stars 137 forks source link

Add configuration for cookie 'SameSite' value. #182

Closed k-wall closed 4 years ago

k-wall commented 4 years ago

Expose the samesite cookie option for configuration.

Values of lax and strict can improve and mitigate some categories of cross-site traffic tampering.

As oauth-proxy is used to front other components, having this configuration option available makes a useful defence.

Based on Paul Groudas' paul@clubhouse.io work (https://github.com/oauth2-proxy/oauth2-proxy/commit/5d0827a)

openshift-ci-robot commented 4 years ago

Hi @k-wall. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
k-wall commented 4 years ago

I see the Travis build, which uses Go 1.12, failed like so:

./oauthproxy.go:873:10: undefined: http.SameSiteNoneMode
253FAIL github.com/openshift/oauth-proxy [build failed]

http.SameSiteNoneMode is a Go 1.13 symbol. I thought this was safe as the go.mod declares 1.13. Is the Travis config out of date, or should I avoid the 1.13 symbol? Please advise me, @stlaz or @sttts?

sttts commented 4 years ago

/assign @stlaz

stlaz commented 4 years ago

/ok-to-test /lgtm Using golang 1.13 should be fine, I'll try to see whether I can disable the Travis job here, it's quite obsolete anyway

openshift-ci-robot commented 4 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: k-wall, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/oauth-proxy/blob/master/OWNERS)~~ [stlaz] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
openshift-bot commented 4 years ago

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented 4 years ago

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented 4 years ago

/retest

Please review the full test history for this PR and help us cut down flakes.