From 34902c086d1707707b806864363cfaee317213e2 Mon Sep 17 00:00:00 2001 From: vnugent Date: Sun, 28 Jul 2024 19:34:23 -0400 Subject: Squashed commit of the following: commit a1ee522f7f5f0ab3cd268b0f42223700dd4d9dc8 Author: vnugent Date: Thu Jul 4 23:57:14 2024 -0400 analyzer pass commit d650bac961dc927cd9b1b35816dab6e48c744ef9 Author: vnugent Date: Fri Jun 21 17:07:54 2024 -0400 config validation updates commit 166e4b771f6f95c5093cf064ab47190bc2b33646 Merge: 4c973bb f2dedde Author: vnugent Date: Wed May 22 15:33:54 2024 -0400 Merge branch 'master' into develop commit 4c973bb81d8cff22a77eb082611746713390c99b Author: vnugent Date: Sun May 19 11:41:55 2024 -0400 feat: Update to follow latest core features commit 7118b66c4f2655db01fd061e43f5214d0dd891e8 Author: vnugent Date: Thu May 2 15:47:22 2024 -0400 refactor: Moved session security middleware commit 97722f178f5e5107fcbdd1df4944a818fedf8722 Merge: f70c94e 84f81db Author: vnugent Date: Sat Apr 20 12:13:23 2024 -0400 Merge branch 'master' into develop commit f70c94e948aa41e90d99f187d8a4791a726bc681 Author: vnugent Date: Sat Apr 20 00:48:49 2024 -0400 fix: Missing session detach flag on close commit 2a2078b8cc3dd216c46419bce7577ae572317955 Author: vnugent Date: Mon Apr 15 16:22:38 2024 -0400 fix: fixed bearer token header requirments from crashing --- .../src/OAuth2SessionConfig.cs | 27 +++++----------------- .../src/OAuth2SessionProvider.cs | 6 +++-- .../src/WebSession.cs | 4 ++-- .../src/Security/WebSessionSecMiddleware.cs | 24 +------------------ 4 files changed, 13 insertions(+), 48 deletions(-) diff --git a/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionConfig.cs b/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionConfig.cs index 9e612d5..ab36e25 100644 --- a/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionConfig.cs +++ b/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionConfig.cs @@ -22,10 +22,10 @@ * along with this program. If not, see https://www.gnu.org/licenses/. */ -using System; using System.Text.Json.Serialization; using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Configuration; namespace VNLib.Plugins.Sessions.OAuth @@ -47,27 +47,12 @@ namespace VNLib.Plugins.Sessions.OAuth [JsonPropertyName("access_token_type")] public string TokenType { get; set; } = "Bearer"; - public void Validate() + public void OnValidate() { - if (MaxTokensPerApp < 1) - { - throw new ArgumentOutOfRangeException("max_tokens_per_app", "You must configure at least 1 Oatuh2 access token per application, or disable this plugin"); - } - - if (AccessTokenSize < 16) - { - throw new ArgumentOutOfRangeException("access_token_size", "You must configure an access token size of at least 16 bytes in length"); - } - - if (TokenLifeTimeSeconds < 1) - { - throw new ArgumentOutOfRangeException("token_valid_for_sec", "You must configure an access token lifetime"); - } - - if (string.IsNullOrWhiteSpace(CachePrefix)) - { - throw new ArgumentException("You must specify a cache prefix", "cache_prefix"); - } + Validate.Range(MaxTokensPerApp, 1, int.MaxValue); + Validate.Range(AccessTokenSize, 16, int.MaxValue); + Validate.Range(TokenLifeTimeSeconds, 1, int.MaxValue); + Validate.NotNull(CachePrefix, "You must specify a cache prefix"); } } } \ No newline at end of file diff --git a/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionProvider.cs b/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionProvider.cs index bc06052..fe176d6 100644 --- a/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionProvider.cs +++ b/libs/VNLib.Plugins.Sessions.OAuth/src/OAuth2SessionProvider.cs @@ -71,6 +71,8 @@ namespace VNLib.Plugins.Sessions.OAuth TokenStore = new(plugin.GetContextOptions()); _tokenTypeString = $"client_credential,{_tokenFactory.TokenType}"; + _maxConnections = config.GetValueOrDefault("max_connections", p => p.GetUInt32(), 1000u); + //Schedule interval plugin.ScheduleInterval(this, TimeSpan.FromMinutes(2)); @@ -168,7 +170,7 @@ namespace VNLib.Plugins.Sessions.OAuth session.Invalidate(); //Clears important security variables - InitNewSession(session, null); + InitNewSession(session, app: null); } return new SessionHandle(session, OnSessionReleases); @@ -198,7 +200,7 @@ namespace VNLib.Plugins.Sessions.OAuth await _sessions.CommitSessionAsync(newSession); //Init new token result to pass to client - return new OAuth2TokenResult() + return new OAuth2TokenResult { ExpiresSeconds = (int)_tokenFactory.SessionValidFor.TotalSeconds, TokenType = _tokenFactory.TokenType, diff --git a/libs/VNLib.Plugins.Sessions.VNCache/src/WebSession.cs b/libs/VNLib.Plugins.Sessions.VNCache/src/WebSession.cs index 8cdf73b..85389be 100644 --- a/libs/VNLib.Plugins.Sessions.VNCache/src/WebSession.cs +++ b/libs/VNLib.Plugins.Sessions.VNCache/src/WebSession.cs @@ -1,5 +1,5 @@ /* -* Copyright (c) 2023 Vaughn Nugent +* Copyright (c) 2024 Vaughn Nugent * * Library: VNLib * Package: VNLib.Plugins.Essentials.Sessions.VNCache @@ -33,7 +33,7 @@ using VNLib.Plugins.Sessions.Cache.Client; namespace VNLib.Plugins.Sessions.VNCache { - internal class WebSession(string sessionId, IDictionary sessionData, bool isNew) + internal sealed class WebSession(string sessionId, IDictionary sessionData, bool isNew) : RemoteSession(sessionId, sessionData, isNew) { internal void InitNewSession(IHttpEvent entity) diff --git a/plugins/SessionProvider/src/Security/WebSessionSecMiddleware.cs b/plugins/SessionProvider/src/Security/WebSessionSecMiddleware.cs index 6a21ded..e8578a8 100644 --- a/plugins/SessionProvider/src/Security/WebSessionSecMiddleware.cs +++ b/plugins/SessionProvider/src/Security/WebSessionSecMiddleware.cs @@ -48,7 +48,6 @@ namespace VNLib.Plugins.Essentials.Sessions if (session.IsSet) { - /* * Check if the session was established over a secure connection, * and if the current connection is insecure, redirect them to a @@ -72,25 +71,6 @@ namespace VNLib.Plugins.Essentials.Sessions //If session is not new, then verify it matches stored credentials if (!session.IsNew && session.SessionType == SessionType.Web) { - /* - * When sessions are created for connections that come from a different - * origin, their origin is stored for later. - * - * If the session was created from a different origin or the current connection - * is cross origin, then the origin must match the stored origin. - */ - - if (_secConfig.EnforceStrictCors) - { - if ((entity.Server.CrossOrigin || session.CrossOrigin) - && !session.CrossOriginMatch - && entity.Server.Origin != null) - { - _log.Debug("Denied connection from {0} due to cross-origin session mismatch.", entity.TrustedRemoteIp); - return ValueTask.FromResult(FileProcessArgs.Deny); - } - } - if (_secConfig.EnfoceStrictTlsProtocol) { //Try to prevent security downgrade attacks @@ -105,11 +85,9 @@ namespace VNLib.Plugins.Essentials.Sessions return ValueTask.FromResult(FileProcessArgs.Continue); } - + sealed class SecConfig { - [JsonPropertyName("strict_cors")] - public bool EnforceStrictCors { get; set; } = true; [JsonPropertyName("strict_tls_protocol")] public bool EnfoceStrictTlsProtocol { get; set; } = true; -- cgit