Auth cookie domain (#440)

* Adding domain to secure auth cookies

Signed-off-by: Prafulla Mahindrakar <[email protected]>

* Adding . suffix to the domain

Signed-off-by: Prafulla Mahindrakar <[email protected]>

* Add getCookiedomain

Signed-off-by: Prafulla Mahindrakar <[email protected]>

* Added enumers for domainMatch and sameSite and testing done

Signed-off-by: Prafulla Mahindrakar <[email protected]>

* Added debug make targets for admin and scheduler

Signed-off-by: Prafulla Mahindrakar <[email protected]>

* Added more coverage

Signed-off-by: Prafulla Mahindrakar <[email protected]>

flyteadmin/Makefile

@@ -36,10 +36,19 @@ k8s_integration_execute:
 compile:
 	go build -o flyteadmin -ldflags=$(LD_FLAGS) ./cmd/ && mv ./flyteadmin ${GOPATH}/bin
 
+.PHONY: compile_debug
+compile_debug:
+	go build -o flyteadmin -gcflags='all=-N -l' ./cmd/ && mv ./flyteadmin ${GOPATH}/bin
+
+
 .PHONY: compile_scheduler
 compile_scheduler:
 	go build -o flytescheduler -ldflags=$(LD_FLAGS) ./cmd/scheduler/ && mv ./flytescheduler ${GOPATH}/bin
 
+.PHONY: compile_scheduler_debug
+compile_scheduler_debug:
+	go build -o flytescheduler -gcflags='all=-N -l' ./cmd/scheduler/ && mv ./flytescheduler ${GOPATH}/bin
+
 
 .PHONY: linux_compile
 linux_compile:

flyteadmin/auth/auth_context.go

@@ -122,7 +122,7 @@ func NewAuthenticationContext(ctx context.Context, sm core.SecretManager, oauth2
 		return Context{}, errors.Wrapf(ErrConfigFileRead, err, "Could not read hash key file")
 	}
 
-	cookieManager, err := NewCookieManager(ctx, hashKeyBase64, blockKeyBase64)
+	cookieManager, err := NewCookieManager(ctx, hashKeyBase64, blockKeyBase64, options.UserAuth.CookieSetting)
 	if err != nil {
 		logger.Errorf(ctx, "Error creating cookie manager %s", err)
 		return Context{}, errors.Wrapf(ErrauthCtx, err, "Error creating cookie manager")

flyteadmin/auth/authzserver/authorize.go

@@ -121,7 +121,7 @@ func authEndpoint(authCtx interfaces.AuthenticationContext, rw http.ResponseWrit
 		return
 	}
 
-	err = authCtx.CookieManager().SetAuthCodeCookie(ctx, rw, req.URL.String())
+	err = authCtx.CookieManager().SetAuthCodeCookie(ctx, req, rw, req.URL.String())
 	if err != nil {
 		logger.Infof(ctx, "Error occurred in NewAuthorizeRequest: %+v", err)
 		oauth2Provider.WriteAuthorizeError(rw, ar, err)

flyteadmin/auth/authzserver/authorize_test.go

@@ -34,7 +34,7 @@ func TestAuthEndpoint(t *testing.T) {
 		authCtx.OnOAuth2Provider().Return(oauth2Provider)
 
 		cookieManager := &mocks.CookieHandler{}
-		cookieManager.OnSetAuthCodeCookie(req.Context(), w, originalURL).Return(nil)
+		cookieManager.OnSetAuthCodeCookie(req.Context(), req, w, originalURL).Return(nil)
 		authCtx.OnCookieManager().Return(cookieManager)
 
 		authEndpoint(authCtx, w, req)
@@ -57,7 +57,7 @@ func TestAuthEndpoint(t *testing.T) {
 		authCtx.OnOAuth2Provider().Return(oauth2Provider)
 
 		cookieManager := &mocks.CookieHandler{}
-		cookieManager.OnSetAuthCodeCookie(req.Context(), w, originalURL).Return(fmt.Errorf("failure injection"))
+		cookieManager.OnSetAuthCodeCookie(req.Context(), req, w, originalURL).Return(fmt.Errorf("failure injection"))
 		authCtx.OnCookieManager().Return(cookieManager)
 
 		authEndpoint(authCtx, w, req)

flyteadmin/auth/config/config.go

@@ -73,6 +73,10 @@ var (
 					"profile",
 				},
 			},
+			CookieSetting: CookieSettings{
+				DomainMatchPolicy: DomainMatchExact,
+				SameSitePolicy:    SameSiteDefaultMode,
+			},
 		},
 		AppAuth: OAuth2Options{
 			AuthServerType: AuthorizationServerTypeSelf,
@@ -212,8 +216,32 @@ type UserAuthConfig struct {
 	// Possibly add basicAuth & SAML/p support.
 
 	// Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs.
-	CookieHashKeySecretName  string `json:"cookieHashKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie hash key."`
-	CookieBlockKeySecretName string `json:"cookieBlockKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie block key."`
+	CookieHashKeySecretName  string         `json:"cookieHashKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie hash key."`
+	CookieBlockKeySecretName string         `json:"cookieBlockKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie block key."`
+	CookieSetting            CookieSettings `json:"cookieSetting" pflag:", settings used by cookies created for user auth"`
+}
+
+//go:generate enumer --type=DomainMatch --trimprefix=DomainMatch -json
+type DomainMatch int
+
+const (
+	DomainMatchExact DomainMatch = iota
+	DomainMatchSubdomains
+)
+
+//go:generate enumer --type=SameSite --trimprefix=SameSite -json
+type SameSite int
+
+const (
+	SameSiteDefaultMode SameSite = iota
+	SameSiteLaxMode
+	SameSiteStrictMode
+	SameSiteNoneMode
+)
+
+type CookieSettings struct {
+	SameSitePolicy    SameSite    `json:"sameSitePolicy" pflag:",OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context.Wrapper around http.SameSite."`
+	DomainMatchPolicy DomainMatch `json:"domainMatchPolicy" pflag:",OPTIONAL: Allow subdomain access to the created cookies by setting the domain attribute or do an exact match on domain."`
 }
 
 type OpenIDOptions struct {

flyteadmin/auth/cookie.go

@@ -51,14 +51,15 @@ func HashCsrfState(csrf string) string {
 	return hash
 }
 
-func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte) (http.Cookie, error) {
+func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte, domain string, sameSiteMode http.SameSite) (http.Cookie, error) {
 	var s = securecookie.New(hashKey, blockKey)
 	encoded, err := s.Encode(cookieName, value)
-
 	if err == nil {
 		return http.Cookie{
-			Name:  cookieName,
-			Value: encoded,
+			Name:     cookieName,
+			Value:    encoded,
+			Domain:   domain,
+			SameSite: sameSiteMode,
 		}, nil
 	}