diff --git a/.travis.yml b/.travis.yml
index 44bad55..ff495db 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,17 +7,16 @@ branches:
   # skip tags build, we are building branch and master that is enough for
   # consistenty check and release. Let's use Travis CI resources optimally
   # for aah framework.
-  - /^v[0-9]\.[0-9]/
+  - /^v[0-9.]+$/
 go:
-  - 1.8
   - 1.9
+  - "1.10"
   - tip
 go_import_path: aahframework.org/security.v0
 install:
-  - git config --global http.https://aahframework.org.followRedirects true
   - go get -t -v ./...
 script:
diff --git a/LICENSE b/LICENSE
index 491ce72..02ad2ea 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 The MIT License (MIT)
-Copyright (c) 2016-2017 Jeevanandam M., https://myjeeva.com
+Copyright (c) 2016-2018 Jeevanandam M., https://myjeeva.com
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index e4aecf1..dcc6f4c 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # Security - aah framework
-[![Build Status](https://travis-ci.org/go-aah/security.svg?branch=master)](https://travis-ci.org/go-aah/security) [![codecov](https://codecov.io/gh/go-aah/security/branch/master/graph/badge.svg)](https://codecov.io/gh/go-aah/security/branch/master) [![Go Report Card](https://goreportcard.com/badge/aahframework.org/security.v0)](https://goreportcard.com/report/aahframework.org/security.v0) [![Version](https://img.shields.io/badge/version-0.8-blue.svg)](https://github.com/go-aah/security/releases/latest) [![GoDoc](https://godoc.org/aahframework.org/security.v0?status.svg)](https://godoc.org/aahframework.org/security.v0) [![License](https://img.shields.io/github/license/go-aah/security.svg)](LICENSE) [![Twitter](https://img.shields.io/badge/twitter-@aahframework-55acee.svg)](https://twitter.com/aahframework)
+[![Build Status](https://travis-ci.org/go-aah/security.svg?branch=master)](https://travis-ci.org/go-aah/security) [![codecov](https://codecov.io/gh/go-aah/security/branch/master/graph/badge.svg)](https://codecov.io/gh/go-aah/security/branch/master) [![Go Report Card](https://goreportcard.com/badge/aahframework.org/security.v0)](https://goreportcard.com/report/aahframework.org/security.v0) [![Version](https://img.shields.io/badge/version-0.9-blue.svg)](https://github.com/go-aah/security/releases/latest) [![GoDoc](https://godoc.org/aahframework.org/security.v0?status.svg)](https://godoc.org/aahframework.org/security.v0) [![License](https://img.shields.io/github/license/go-aah/security.svg)](LICENSE) [![Twitter](https://img.shields.io/badge/twitter-@aahframework-55acee.svg)](https://twitter.com/aahframework)
-***v0.8 [released](https://github.com/go-aah/security/releases/latest) and tagged on Oct 04, 2017***
+***v0.9 [released](https://github.com/go-aah/security/releases/latest) and tagged on Mar 27, 2018***
-Security library houses all the application security implementation (Authentication, Authorization, Session Management, CORS, CSRF, Security Headers, etc.) by aah framework.
+Security library houses all the application security implementation (Authentication, Authorization, Session Management, CSRF, Security Headers, etc.) by aah framework.
 *`security` developed for aah framework. However, it's an independent library, can be used separately with any `Go` language project. Feel free to use it.*
diff --git a/acrypto/password_encoder.go b/acrypto/password_encoder.go
index fd79f3c..77d2298 100644
--- a/acrypto/password_encoder.go
+++ b/acrypto/password_encoder.go
@@ -48,13 +48,7 @@ func AddPasswordAlgorithm(name string, pe PasswordEncoder) error {
 		return ErrPasswordEncoderIsNil
 	}
-	if _, found := passEncoders[name]; found {
-		log.Warnf("acrypto: password encoder '%v' is already added", name)
-		return nil
-	}
-
 	passEncoders[name] = pe
-
 	return nil
 }
diff --git a/anticsrf/anti_csrf.go b/anticsrf/anti_csrf.go
index f45ea49..4547122 100644
--- a/anticsrf/anti_csrf.go
+++ b/anticsrf/anti_csrf.go
@@ -40,9 +40,12 @@ type AntiCSRF struct {
 // New method initializes the Anti-CSRF based on security configuration.
 func New(cfg *config.Config) (*AntiCSRF, error) {
-	c := &AntiCSRF{cfg: cfg}
 	keyPrefix := "security.anti_csrf"
+	if !cfg.IsExists(keyPrefix) {
+		return &AntiCSRF{Enabled: false}, nil
+	}
+	c := &AntiCSRF{cfg: cfg}
 	c.Enabled = c.cfg.BoolDefault(keyPrefix+".enable", true)
 	c.secretLength = c.cfg.IntDefault(keyPrefix+".secret_length", 32)
 	c.headerName = c.cfg.StringDefault(keyPrefix+".header_name", "X-Anti-CSRF-Token")
@@ -87,6 +90,10 @@ func (ac *AntiCSRF) GenerateSecret() []byte {
 // CipherSecret method returns the Anti-CSRF secert from the cookie if not available
 // generates new secret.
 func (ac *AntiCSRF) CipherSecret(r *ahttp.Request) []byte {
+	if ac.cookieMgr == nil {
+		return ac.GenerateSecret()
+	}
+
 	cookie, err := r.Cookie(ac.cookieMgr.Options.Name)
 	if err != nil {
 		return ac.GenerateSecret()
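Review bot: With the duplicate-name guard removed, `passEncoders[name] = pe` now silently replaces an encoder that was already registered, so a second `AddPasswordAlgorithm("bcrypt", ...)` issued by any imported package from its own init can swap the implementation used to verify stored password hashes with nothing in the logs. If overriding is the intended new behaviour, keep it visible: `if _, found := passEncoders[name]; found {` / `log.Warnf("acrypto: password encoder '%v' is being replaced", name)` / `}` before the assignment, and state it in the function's doc comment, e.g. `// Registering a name that already exists replaces the previous encoder.`. AddPasswordAlgorithm starts before this hunk, so its doc comment and the `pe == nil` check are not visible here. The map is also written with no synchronization in view; presumably registration only happens at init time, which is worth confirming before allowing overrides.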
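Review bot: The new early return in `New` makes Anti-CSRF fail open: before this change an application with no `security.anti_csrf { ... }` block still got `Enabled` set to true through `BoolDefault(keyPrefix+".enable", true)`, whereas now the same configuration yields `&AntiCSRF{Enabled: false}` with nil `cfg` and nil `cookieMgr`, and nothing records that protection was switched off. If opt-in is the intended semantic, make the consequence visible at construction, `log.Warnf("anticsrf: '%s' is not configured, Anti-CSRF protection is disabled", keyPrefix)` (assuming the package has a logger in scope), and say so in the doc comment of `New`: `// When the security.anti_csrf section is absent the returned instance is disabled: cfg and cookieMgr are nil and the cookie helpers are no-ops.`. Otherwise drop the early return and let the existing defaults apply. New's body continues past the hunk, where the remaining fields, including cookieMgr, are presumably set.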
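Review bot: In the `ac.cookieMgr == nil` branch `CipherSecret` calls `ac.GenerateSecret()` on an instance whose `secretLength` was never set (the disabled instance built in `New` is `&AntiCSRF{Enabled: false}`), so if GenerateSecret sizes its output from that field — its body is outside the hunk — a disabled instance hands back an empty secret that a careless caller could go on to use as a token. Either make the "no secret" state explicit with `if ac.cookieMgr == nil { return nil }`, or at least document the zero-length result in the method's doc comment. Note too that `r` is dereferenced right after the guard, so the guard is the only thing making the new test's `CipherSecret(nil)` safe; the doc comment should say that `r` may be nil only for a disabled instance.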
@@ -130,6 +137,10 @@ func (ac *AntiCSRF) SaltCipherSecret(secret []byte) string {
 // SetCookie method write/refresh the Anti-CSRF cookie value and expriy.
 func (ac *AntiCSRF) SetCookie(w http.ResponseWriter, secret []byte) error {
+	if len(secret) == 0 || ac.cookieMgr == nil {
+		return nil
+	}
+
 	s := make([]byte, len(secret))
 	copy(s, secret)
 	value, err := ac.cookieMgr.Encode(s)
@@ -143,6 +154,10 @@ func (ac *AntiCSRF) SetCookie(w http.ResponseWriter, secret []byte) error {
 // ClearCookie method is to clear Anti-CSRF cookie when disabled.
 func (ac *AntiCSRF) ClearCookie(w http.ResponseWriter, r *ahttp.Request) {
+	if !ac.Enabled || ac.cookieMgr == nil {
+		return
+	}
+
 	if _, err := r.Cookie(ac.cookieMgr.Options.Name); err == nil {
 		opts := *ac.cookieMgr.Options
 		opts.MaxAge = -1
diff --git a/anticsrf/anti_csrf_test.go b/anticsrf/anti_csrf_test.go
index 8813dbe..ecda067 100644
--- a/anticsrf/anti_csrf_test.go
+++ b/anticsrf/anti_csrf_test.go
@@ -18,6 +18,26 @@ import (
 	"aahframework.org/test.v0/assert"
 )
+func TestAntiCSRFNotEnabled(t *testing.T) {
+	cfgStr := `
+	security {
+	}
+	`
+
+	cfg, err := config.ParseString(cfgStr)
+	assert.Nil(t, err)
+
+	antiCSRF, err := New(cfg)
+	assert.Nil(t, err)
+
+	assert.False(t, antiCSRF.Enabled)
+
+	antiCSRF.SetCookie(nil, []byte{})
+	antiCSRF.ClearCookie(nil, nil)
+	antiCSRF.CipherSecret(nil)
+
+}
+
 func TestAntiCSRFSecret(t *testing.T) {
 	cfgStr := `
 	security {
diff --git a/security.go b/security.go
index d6f5491..1f7ad54 100644
--- a/security.go
+++ b/security.go
@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 // Package security houses all the application security implementation Authentication,
-// Authorization, Session Management, CORS, CSRF, Security Headers, etc.) by aah framework.
+// Authorization, Session Management, CSRF, Security Headers, etc.) by aah framework.
 package security
 import (
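Review bot: The guard in `SetCookie` returns a nil error for an empty `secret`, so a caller that lost its secret gets a success return and no cookie, and the token it hands out becomes silently unverifiable on the next request. An empty secret is a caller bug, while a nil `cookieMgr` is the disabled state; treat them differently: `if ac.cookieMgr == nil { return nil }` followed by `if len(secret) == 0 { return errors.New("anticsrf: empty secret") }` (a package-level sentinel would be better if the file has one; `errors` may need importing). Whichever is chosen, the doc comment should state that an enabled instance rejects an empty secret and a disabled one ignores the call. The function body continues past the hunk, so the `Encode` error path is not visible here.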
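Review bot: The new guard in `ClearCookie` returns early on `!ac.Enabled`, yet the doc comment two lines above says the method exists to clear the Anti-CSRF cookie when the feature is disabled, and `New` keeps building the instance — presumably including `cookieMgr` — when the section is present with `enable = false`; the one configuration this method was written for is therefore the one it now ignores, and a cookie issued while protection was on is never expired after it is turned off. The nil check is all the disabled-by-absence instance needs, so keep only that part: `if ac.cookieMgr == nil {`. If skipping on `!ac.Enabled` is deliberate, the doc comment has to change to match. The function body continues past the hunk.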
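Review bot: The three calls at the end of `TestAntiCSRFNotEnabled` assert nothing: the error returned by `SetCookie` is dropped (errcheck will flag it) and the value from `CipherSecret` is discarded, so the test only proves the calls survive nil arguments. Pin the contract the change establishes instead: `assert.Nil(t, antiCSRF.SetCookie(nil, []byte{}))`, `assert.Nil(t, antiCSRF.SetCookie(nil, []byte("secret")))`, and an assertion on whatever `CipherSecret` is expected to return for a disabled instance. The other case the guards were added for, a present section with `enable = false`, has no test here; a second config string with that key would exercise the `!ac.Enabled` path in `ClearCookie` against a non-nil `cookieMgr`. The stray blank line before the closing brace is also something gofmt leaves alone but a reader will trip on.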
@@ -84,7 +84,7 @@ func New() *Manager {
 //___________________________________
 // Init method initialize the application security configuration `security { ... }`.
-// Which is mainly Session, CORS, CSRF, Security Headers, etc.
+// Which is mainly Session, CSRF, Security Headers, etc.
 func (m *Manager) Init(appCfg *config.Config) error {
 	var err error
 	m.appCfg = appCfg
diff --git a/version.go b/version.go
index 62e6cfc..ccffc81 100644
--- a/version.go
+++ b/version.go
@@ -5,4 +5,4 @@
 package security
 // Version is security library version no. of aah framework
-const Version = "0.8"
+const Version = "0.9"