// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package tocookie
import (
"crypto/hmac"
"crypto/sha1"
"encoding/base64"
"encoding/hex"
"encoding/json"
"fmt"
"net/http"
"strings"
"time"
)
const (
	// GeneratedByStr is written into the cookie payload's "by" field to
	// identify which implementation issued the cookie.
	GeneratedByStr = "trafficcontrol-go-tocookie"
	// Name is the HTTP cookie name used for the signed session cookie.
	Name = "mojolicious"
	// DefaultDuration is the suggested cookie lifetime for callers that
	// have no more specific policy.
	DefaultDuration = time.Hour
)
// Cookie is the payload that is JSON-encoded, base64url-encoded and
// HMAC-signed into the cookie value (see NewRawMsg) and recovered by Parse.
// Field order is significant: encoding/json emits fields in declaration
// order and the signature is computed over that encoding, so reordering
// fields changes every signed value.
type Cookie struct {
	// AuthData is opaque authentication data supplied by the caller of GetCookie.
	AuthData string `json:"auth_data"`
	// ExpiresUnix is the expiry instant as Unix seconds; Parse rejects a
	// cookie whose ExpiresUnix is already in the past.
	ExpiresUnix int64 `json:"expires"`
	// By identifies the issuer; GetCookie sets it to GeneratedByStr.
	By string `json:"by"`
}
// checkHmac reports whether messageMAC is the HMAC-SHA1 of message under key.
// The comparison uses hmac.Equal, which is constant-time, so a caller cannot
// learn how many leading bytes of a forged MAC were correct.
func checkHmac(message, messageMAC, key []byte) bool {
	h := hmac.New(sha1.New, key)
	h.Write(message) // hash.Hash.Write never returns an error
	computed := h.Sum(nil)
	return hmac.Equal(computed, messageMAC)
}
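// Parse verifies and decodes a signed cookie value of the form
// "<base64url payload>--<hex HMAC-SHA1>", the layout produced by NewRawMsg.
//
// The signature (keyed with secret, computed over the base64 text exactly as
// written by NewRawMsg, without the "--" separator) is checked before the
// payload is base64- or JSON-decoded, so unauthenticated input is never
// parsed. A cookie whose expiry is already in the past is rejected.
//
// The payload and signature are split at the LAST "--": the base64url
// alphabet itself contains '-', so splitting at the first '-' (as an earlier
// version did) truncated valid payloads, and indexing relative to a leading
// '-' could slice out of range. The hex signature contains no '-', so the
// last "--" is always the separator.
//
// Returns the decoded Cookie, or an error describing why the value was
// rejected. No error type is exported; callers should treat any error as
// "not authenticated".
func Parse(secret, cookie string) (*Cookie, error) {
	const sep = "--"
	sepPos := strings.LastIndex(cookie, sep)
	if sepPos == -1 {
		return nil, fmt.Errorf("malformed cookie '%s' - no dashes", cookie)
	}
	base64Txt := cookie[:sepPos]
	hexSig := cookie[sepPos+len(sep):]
	if hexSig == "" {
		return nil, fmt.Errorf("malformed cookie '%s' -- no signature", cookie)
	}

	sigBytes, err := hex.DecodeString(hexSig)
	if err != nil {
		return nil, fmt.Errorf("error decoding signature: %v", err)
	}

	// Authenticate first: nothing below touches the payload until the MAC
	// over the base64 text has been verified in constant time.
	if !checkHmac([]byte(base64Txt), sigBytes, []byte(secret)) {
		return nil, fmt.Errorf("bad signature")
	}

	txtBytes, err := base64.RawURLEncoding.DecodeString(base64Txt)
	if err != nil {
		return nil, fmt.Errorf("error decoding base64 data: %v", err)
	}

	cookieData := Cookie{}
	if err := json.Unmarshal(txtBytes, &cookieData); err != nil {
		return nil, fmt.Errorf("error decoding base64 text '%s' to JSON: %v", string(txtBytes), err)
	}

	// Expiry is part of the signed payload, so it cannot be extended by the
	// bearer without invalidating the signature.
	if cookieData.ExpiresUnix < time.Now().Unix() {
		return nil, fmt.Errorf("signature expired")
	}
	return &cookieData, nil
}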
// NewRawMsg produces the signed cookie value for msg: the unpadded base64url
// encoding of msg, then "--", then the hex-encoded HMAC-SHA1 (under key) of
// that base64 text. Parse is the inverse operation.
func NewRawMsg(msg, key []byte) string {
	payload := base64.RawURLEncoding.EncodeToString(msg)

	// The MAC covers the encoded text rather than the raw bytes, so a
	// verifier can authenticate the value before decoding anything.
	signer := hmac.New(sha1.New, key)
	signer.Write([]byte(payload))
	signature := hex.EncodeToString(signer.Sum(nil))

	var b strings.Builder
	b.Grow(len(payload) + 2 + len(signature))
	b.WriteString(payload)
	b.WriteString("--")
	b.WriteString(signature)
	return b.String()
}
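// GetCookie builds the signed session cookie carrying authData, valid for
// duration from now and signed with secret. The cookie is named Name, scoped
// to Path "/", and marked HttpOnly so scripts cannot read it. Expires and
// MaxAge both reflect duration; the authoritative expiry is the signed
// ExpiresUnix inside the payload, which Parse enforces.
//
// NOTE(review): Secure and SameSite are not set here, so the cookie will be
// sent over plain HTTP and on cross-site requests unless the deployment
// enforces TLS and CSRF protection elsewhere — confirm against the server's
// configuration.
func GetCookie(authData string, duration time.Duration, secret string) *http.Cookie {
	expiry := time.Now().Add(duration)
	payload := Cookie{By: GeneratedByStr, AuthData: authData, ExpiresUnix: expiry.Unix()}
	// Marshal cannot fail for a struct of plain string and int64 fields, so
	// the error is deliberately dropped.
	encoded, _ := json.Marshal(payload)
	return &http.Cookie{
		Name:     Name, // keep in sync with the constant rather than a repeated literal
		Value:    NewRawMsg(encoded, []byte(secret)),
		Path:     "/",
		Expires:  expiry,
		MaxAge:   int(duration.Seconds()),
		HttpOnly: true,
	}
}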