vmware-archive · craigtracey · Jun 15, 2018 · Jun 15, 2018
diff --git a/cmd/gangway/config_test.go b/cmd/gangway/config_test.go
@@ -33,6 +33,7 @@ func TestEnvionmentOverrides(t *testing.T) {
 	os.Setenv("GANGWAY_CLIENT_ID", "foo")
 	os.Setenv("GANGWAY_CLIENT_SECRET", "bar")
 	os.Setenv("GANGWAY_REDIRECT_URL", "https://foo.baz/callback")
+	os.Setenv("GANGWAY_SESSION_SECURITY_KEY", "testing")
 	cfg, err := NewConfig("")
 	if err != nil {
 		t.Errorf("Failed to test config overrides with error: %s", err)

diff --git a/cmd/gangway/handlers_test.go b/cmd/gangway/handlers_test.go
@@ -20,6 +20,13 @@ import (
 	"testing"
 )
 
+func testInit() {
+	cfg = &Config{
+		SessionSecurityKey: "test",
+	}
+	initSessionStore()
+}
+
 func TestHomeHandler(t *testing.T) {
 	req, err := http.NewRequest("GET", "/", nil)
 	if err != nil {
@@ -37,13 +44,13 @@ func TestHomeHandler(t *testing.T) {
 }
 
 func TestCallbackHandler(t *testing.T) {
+	testInit()
+
 	req, err := http.NewRequest("GET", "/callback", nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	initSessionStore()
-
 	rr := httptest.NewRecorder()
 	handler := http.HandlerFunc(callbackHandler)
 
@@ -55,6 +62,8 @@ func TestCallbackHandler(t *testing.T) {
 }
 
 func TestUnauthedCommandlineHandlerRedirect(t *testing.T) {
+	testInit()
+
 	req, err := http.NewRequest("GET", "/commandline", nil)
 	if err != nil {
 		t.Fatal(err)

diff --git a/cmd/gangway/session.go b/cmd/gangway/session.go
@@ -18,14 +18,13 @@ import (
 	"crypto/sha256"
 	"net/http"
 
-	"golang.org/x/crypto/pbkdf2"
-
 	"github.com/gorilla/sessions"
+	"golang.org/x/crypto/pbkdf2"
 )
 
 const salt = "MkmfuPNHnZBBivy0L0aW"
 
-func initSessionStore() {
+func generateSessionKeys() ([]byte, []byte) {
 	// Take the configured security key and generate 96 bytes of data. This is
 	// used as the signing and encryption keys for the cookie store.  For details
 	// on the PBKDF2 function: https://en.wikipedia.org/wiki/PBKDF2
@@ -34,7 +33,12 @@ func initSessionStore() {
 		[]byte(salt),
 		4096, 96, sha256.New)
 
-	sessionStore = sessions.NewCookieStore(b[0:64], b[64:96])
+	return b[0:64], b[64:96]
+}
+
+func initSessionStore() {
+
+	sessionStore = sessions.NewCookieStore(generateSessionKeys())
 }
 
 func cleanupSession(w http.ResponseWriter, r *http.Request) {

diff --git a/cmd/gangway/session_test.go b/cmd/gangway/session_test.go
@@ -24,16 +24,13 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-func TestGenerateRandomString(t *testing.T) {
-	rs := generateRandomString(48)
-	rs2 := generateRandomString(48)
+func TestGenerateSessionKeys(t *testing.T) {
+	cfg.SessionSecurityKey = "testing"
 
-	if rs == "" {
-		t.Errorf("Received an empty string")
-		return
-	}
-	if rs == rs2 {
-		t.Errorf("Generated the same string two times in a row. String is not random.")
+	b1, b2 := generateSessionKeys()
+
+	if len(b1) != 64 || len(b2) != 32 {
+		t.Errorf("Wrong byte length's returned")
 		return
 	}
 }