From 15f04b8da467a5dc4015e58ce569eea725cd892d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=88=98=E8=B1=AA=E8=B4=B5?= Date: Wed, 29 Jul 2020 21:57:16 +0800 Subject: [PATCH 1/9] add env BEEGO_CONFIG_PATH
---
 config.go | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config.go b/config.go
index b6c9a99c..92aa3bbd 100644
--- a/config.go
+++ b/config.go
@@ -150,6 +150,9 @@ func init() {
 filename = os.Getenv("BEEGO_RUNMODE") + ".app.conf"
 }
 appConfigPath = filepath.Join(WorkPath, "conf", filename)
+ if configPath := os.Getenv("BEEGO_CONFIG_PATH"); configPath != "" {
+ appConfigPath = configPath
+ }
 if !utils.FileExists(appConfigPath) {
 appConfigPath = filepath.Join(AppPath, "conf", filename)
 if !utils.FileExists(appConfigPath) {
From 15e11931fcd85128cada95daba8b72b789d34a97 Mon Sep 17 00:00:00 2001 From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 10:53:30 +0800 Subject: [PATCH 2/9] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=AF=B9=20BConfig.Liste?= =?UTF-8?q?n.ClientAuth=20=E5=AD=97=E6=AE=B5=E7=9A=84=E9=80=BB=E8=BE=91?= =?UTF-8?q?=E5=A4=84=E7=90=86=E3=80=82=E5=BD=93=E6=8C=87=E5=AE=9A=E4=BA=86?= =?UTF-8?q?=E8=AF=A5=E9=85=8D=E7=BD=AE=E6=97=B6=EF=BC=8C=E4=BD=BF=E7=94=A8?= =?UTF-8?q?=E9=85=8D=E7=BD=AE=E7=9A=84=E5=80=BC=E6=9D=A5=E4=BD=9C=E4=B8=BA?= =?UTF-8?q?=E9=AA=8C=E8=AF=81=E5=AE=A2=E6=88=B7=E7=AB=AF=E7=9A=84=E6=96=B9?= =?UTF-8?q?=E5=BC=8F=E3=80=82=E5=A6=82=E6=9E=9C=E6=B2=A1=E6=8C=87=E5=AE=9A?= =?UTF-8?q?=EF=BC=8C=E4=BD=BF=E7=94=A8=E9=BB=98=E8=AE=A4=E5=80=BC=20tls.Re?= =?UTF-8?q?quireAndVerifyClientCert?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 app.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app.go b/app.go
index f3fe6f7b..5e595bb6 100644
--- a/app.go
+++ b/app.go
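Review bot: The BEEGO_CONFIG_PATH override is applied before the existing FileExists fallback chain, so an explicitly set path that does not exist is silently replaced by `AppPath/conf/<filename>` instead of being reported, and a typo in the variable looks like a working deployment running on a different config file. I would either skip the fallback when the variable is set, or at least emit a log line when the configured path is missing, and add a comment on the new `if` such as `// BEEGO_CONFIG_PATH overrides the conf/<runmode>.app.conf lookup; the usual fallback still applies if it does not exist.` init() continues outside the hunk, so I cannot see whether a logger is in scope in config.go.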
@@ -195,10 +195,15 @@ func (app *App) Run(mws ...MiddleWare) {
 return
 }
 pool.AppendCertsFromPEM(data)
- app.Server.TLSConfig = &tls.Config{
+ tlsConfig := tls.Config{
 ClientCAs: pool,
- ClientAuth: tls.RequireAndVerifyClientCert,
 }
+ if string(BConfig.Listen.ClientAuth) != "" {
+ tslConfig.ClientAuth = BConfig.Listen.ClientAuth
+ } else {
+ tslConfig.ClientAuth = tls.RequireAndVerifyClientCert
+ }
+ app.Server.TLSConfig = &tslConfig
 }
 if err := app.Server.ListenAndServeTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile); err != nil {
 logs.Critical("ListenAndServeTLS: ", err)
From 513a4afff14c056f1fe5a844d8a60123987491f3 Mon Sep 17 00:00:00 2001 From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 10:59:32 +0800 Subject: [PATCH 3/9] =?UTF-8?q?=E5=AF=B9=20Listen=20=E7=BB=93=E6=9E=84?= =?UTF-8?q?=E4=BD=93=E5=A2=9E=E5=8A=A0=20ClientAuth=20=E5=AD=97=E6=AE=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 对 Listen 结构体增加 ClientAuth 字段,赋予默认配置对象该字段值为 tls.VerifyClientCertIfGiven,与原代码逻辑的默认值保持一致
---
 config.go | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config.go b/config.go
index 92aa3bbd..fef6c482 100644
--- a/config.go
+++ b/config.go
@@ -21,6 +21,7 @@ import (
 "reflect"
 "runtime"
 "strings"
+ "crypto/tls"
 
 "github.com/astaxie/beego/config"
 "github.com/astaxie/beego/context"
@@ -65,6 +66,7 @@ type Listen struct {
 HTTPSCertFile string
 HTTPSKeyFile string
 TrustCaFile string
+ ClientAuth tls.ClientAuthType
 EnableAdmin bool
 AdminAddr string
 AdminPort int
@@ -234,6 +236,7 @@ func newBConfig() *Config {
 AdminPort: 8088,
 EnableFcgi: false,
 EnableStdIo: false,
+ ClientAuth: tls.VerifyClientCertIfGiven,
 },
 WebConfig: WebConfig{
 AutoRender: true,
From 9d23e5a3fb23df1ac647660c13f566fa17e81c1e Mon Sep 17 00:00:00 2001
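Review bot: The added branch assigns to `tslConfig` while the variable declared two lines above is `tlsConfig`, so this commit does not compile, and `string(BConfig.Listen.ClientAuth) != ""` is always true because ClientAuthType is an integer type (string(int) yields a one-rune string, which go vet also flags), so the else branch is dead code. Patches 4 through 6 repair the names and patch 8 removes the condition; squashing those into this commit would leave a series in which every commit builds and bisects. Run() continues outside the hunk.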
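Review bot: The new `"crypto/tls"` import is appended after `"strings"`, which breaks the sorted order goimports/gofmt enforce for the stdlib group; it belongs at the top of that group, before `"reflect"`, or the next formatter run will produce an unrelated diff.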
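Review bot: The new exported field `ClientAuth tls.ClientAuthType` has no doc comment, and its zero value is `tls.NoClientCert`, which matters because a `Listen` value not built through newBConfig (or, if the config loader maps this field from app.conf, a value of 0) ends up with client-certificate verification disabled even when TrustCaFile points at a CA bundle. I would document that contract on the field, e.g. `// ClientAuth controls client-certificate verification when TrustCaFile is set. The zero value (tls.NoClientCert) disables it, so rely on newBConfig's default unless that is intended.` Whether assignConfig can populate this field from a config file is not visible here and worth confirming.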
From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 11:03:32 +0800 Subject: [PATCH 4/9] =?UTF-8?q?=E7=AE=80=E5=8C=96=E4=BB=A3=E7=A0=81?= =?UTF-8?q?=E5=86=99=E6=B3=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 app.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app.go b/app.go
index 5e595bb6..85fe7e5d 100644
--- a/app.go
+++ b/app.go
@@ -197,11 +197,10 @@ func (app *App) Run(mws ...MiddleWare) {
 pool.AppendCertsFromPEM(data)
 tlsConfig := tls.Config{
 ClientCAs: pool,
+ ClientAuth: tls.RequireAndVerifyClientCert,
 }
 if string(BConfig.Listen.ClientAuth) != "" {
 tslConfig.ClientAuth = BConfig.Listen.ClientAuth
- } else {
- tslConfig.ClientAuth = tls.RequireAndVerifyClientCert
 }
 app.Server.TLSConfig = &tslConfig
 }
From c46ba862157b9b6d5d39561985fa7f4d8a8bdd18 Mon Sep 17 00:00:00 2001 From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 11:18:14 +0800 Subject: [PATCH 5/9] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E7=AC=94=E8=AF=AF?= =?UTF-8?q?=E4=BA=A7=E7=94=9F=E7=9A=84=E6=8B=BC=E5=86=99=E9=94=99=E8=AF=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 app.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.go b/app.go
index 85fe7e5d..20af4ce8 100644
--- a/app.go
+++ b/app.go
@@ -200,7 +200,7 @@ func (app *App) Run(mws ...MiddleWare) {
 ClientAuth: tls.RequireAndVerifyClientCert,
 }
 if string(BConfig.Listen.ClientAuth) != "" {
- tslConfig.ClientAuth = BConfig.Listen.ClientAuth
+ tlsConfig.ClientAuth = BConfig.Listen.ClientAuth
 }
 app.Server.TLSConfig = &tslConfig
 }
From 0815e77f9af9336b17a50d6a4226aad9a1969731 Mon Sep 17 00:00:00 2001
From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 11:20:22 +0800 Subject: [PATCH 6/9] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E7=AC=94=E8=AF=AF?= =?UTF-8?q?=E4=BA=A7=E7=94=9F=E7=9A=84=E6=8B=BC=E5=86=99=E9=94=99=E8=AF=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 app.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.go b/app.go
index 20af4ce8..49cef256 100644
--- a/app.go
+++ b/app.go
@@ -202,7 +202,7 @@ func (app *App) Run(mws ...MiddleWare) {
 if string(BConfig.Listen.ClientAuth) != "" {
 tlsConfig.ClientAuth = BConfig.Listen.ClientAuth
 }
- app.Server.TLSConfig = &tslConfig
+ app.Server.TLSConfig = &tlsConfig
 }
 if err := app.Server.ListenAndServeTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile); err != nil {
 logs.Critical("ListenAndServeTLS: ", err)
From 520380416557c76a59a2c30398e027c27ad70d36 Mon Sep 17 00:00:00 2001 From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 14:46:17 +0800 Subject: [PATCH 7/9] =?UTF-8?q?=E8=B0=83=E6=95=B4=E9=BB=98=E8=AE=A4?= =?UTF-8?q?=E9=85=8D=E7=BD=AE=E4=B8=AD=E7=9A=84=20ClientAuth=20=E5=80=BC?= =?UTF-8?q?=EF=BC=8C=E4=BD=BF=E4=B9=8B=E4=B8=8E=E5=8E=9F=E6=9D=A5=E7=9A=84?= =?UTF-8?q?=E8=A1=8C=E4=B8=BA=E4=BF=9D=E6=8C=81=E4=B8=80=E8=87=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.go b/config.go
index fef6c482..0c995293 100644
--- a/config.go
+++ b/config.go
@@ -236,7 +236,7 @@ func newBConfig() *Config {
 AdminPort: 8088,
 EnableFcgi: false,
 EnableStdIo: false,
- ClientAuth: tls.VerifyClientCertIfGiven,
+ ClientAuth: tls.RequireAndVerifyClientCert,
 },
 WebConfig: WebConfig{
 AutoRender: true,
From 7831638f3793d1b3058ffa0cbc1e8d0c818bd3e8 Mon Sep 17 00:00:00 2001
From: "Mr. Myy" <1135038815@qq.com> Date: Thu, 30 Jul 2020 14:48:46 +0800 Subject: [PATCH 8/9] =?UTF-8?q?=E7=A7=BB=E9=99=A4=E5=A4=9A=E4=BD=99?= =?UTF-8?q?=E7=9A=84=E6=9D=A1=E4=BB=B6=E5=88=A4=E6=96=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 app.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/app.go b/app.go
index 49cef256..3dee8999 100644
--- a/app.go
+++ b/app.go
@@ -195,14 +195,10 @@ func (app *App) Run(mws ...MiddleWare) {
 return
 }
 pool.AppendCertsFromPEM(data)
- tlsConfig := tls.Config{
+ app.Server.TLSConfig = &tls.Config{
 ClientCAs: pool,
- ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientAuth: BConfig.Listen.ClientAuth,
 }
- if string(BConfig.Listen.ClientAuth) != "" {
- tlsConfig.ClientAuth = BConfig.Listen.ClientAuth
- }
- app.Server.TLSConfig = &tlsConfig
 }
 if err := app.Server.ListenAndServeTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile); err != nil {
 logs.Critical("ListenAndServeTLS: ", err)
From a0d1c42daca7af6cbf3a6c73a89793a06cdbd4c7 Mon Sep 17 00:00:00 2001 From: Ming Deng Date: Mon, 3 Aug 2020 21:03:08 +0800 Subject: [PATCH 9/9] XSRF add secure and http only flag
---
 context/context.go | 2 +- context/context_test.go | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/context/context.go b/context/context.go
index de248ed2..7c161ac0 100644
--- a/context/context.go
+++ b/context/context.go
@@ -150,7 +150,7 @@ func (ctx *Context) XSRFToken(key string, expire int64) string {
 token, ok := ctx.GetSecureCookie(key, "_xsrf")
 if !ok {
 token = string(utils.RandomCreateBytes(32))
- ctx.SetSecureCookie(key, "_xsrf", token, expire)
+ ctx.SetSecureCookie(key, "_xsrf", token, expire, "", "", true, true)
 }
 ctx._xsrfToken = token
 }
diff --git a/context/context_test.go b/context/context_test.go
index 7c0535e0..e81e8191 100644
--- a/context/context_test.go
+++ b/context/context_test.go
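Review bot: With `ClientAuth: BConfig.Listen.ClientAuth` the client-certificate policy now rests entirely on a field whose zero value is `tls.NoClientCert`, so if it is ever left unset (a Listen built outside newBConfig, or a config value of 0 if the loader maps the field) the server loads the CA pool from TrustCaFile but never requests a client certificate — a silent downgrade from mutual TLS that the previous hard-coded `tls.RequireAndVerifyClientCert` could not produce. The enclosing block appears to run only when TrustCaFile is configured (its `if` opens outside the hunk, so I am inferring that), which makes `NoClientCert` there almost certainly a misconfiguration; a guard such as `if BConfig.Listen.ClientAuth == tls.NoClientCert { logs.Critical("TrustCaFile is set but Listen.ClientAuth is NoClientCert"); return }` placed before the literal would surface it at startup rather than at the first unauthenticated connection. At minimum the new line deserves a comment stating that the zero value disables verification.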
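Review bot: Passing `true` for the Secure flag unconditionally means browsers discard the `_xsrf` cookie whenever the app is served over plain HTTP (HTTPS disabled, or TLS terminated upstream), so every request mints a fresh token and XSRF validation can never succeed in those deployments. Secure should track the actual scheme — e.g. pass `ctx.Input.IsSecure()` in place of the first `true` — or the change needs to be documented as requiring HTTPS. The two `""` arguments are presumably path and domain (SetSecureCookie's signature is outside the hunk; confirm), and whether HttpOnly is compatible with front-ends that read `_xsrf` from JavaScript to populate the request header is also worth checking before this ships. XSRFToken continues outside the hunk.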
@@ -17,7 +17,10 @@ package context
 import (
 "net/http"
 "net/http/httptest"
+ "strings"
 "testing"
+
+ "github.com/stretchr/testify/assert"
 )
 
 func TestXsrfReset_01(t *testing.T) {
@@ -44,4 +47,8 @@ func TestXsrfReset_01(t *testing.T) {
 if token == c._xsrfToken {
 t.FailNow()
 }
+
+ ck := c.ResponseWriter.Header().Get("Set-Cookie")
+ assert.True(t, strings.Contains(ck, "Secure"))
+ assert.True(t, strings.Contains(ck, "HttpOnly"))
 }
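Review bot: `Header().Get("Set-Cookie")` returns only the first Set-Cookie value, so the new assertions inspect whichever cookie the handler wrote first rather than `_xsrf` specifically, and `strings.Contains(ck, "Secure")` would also pass on a cookie whose value merely contains that word. Ranging over `c.ResponseWriter.Header()["Set-Cookie"]`, picking the entry that starts with `_xsrf=`, and checking it for `; Secure` and `; HttpOnly` pins the intended cookie. The hunk also mixes testify's `assert` with the file's existing `t.FailNow()` style and adds testify as a test dependency; whether go.mod already lists it is not visible here.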