cookie: restrict the SameSite options for the state and csrf cookies

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

auth_openidc.conf

@@ -601,7 +601,7 @@
 #   OIDCCookieSameSite Strict None
 #
 # When not defined the default is On (Lax).
-#OIDCCookieSameSite On|Off|Strict|Lax|None|Disabled [On|Off|Lax|None|Disabled] [On|Off|Strict|Lax|None|Disabled]
+#OIDCCookieSameSite On|Off|Strict|Lax|None|Disabled [Lax|None|Disabled] [Strict|Lax|None|Disabled]
 
 # Specify the names of cookies to pick up from the browser and send along on backchannel
 # calls to the OP and AS endpoints. This can be used for load-balancing purposes.

src/cfg/cfg.c

@@ -587,17 +587,20 @@ const char *oidc_cmd_cookie_same_site_session_set(cmd_parms *cmd, void *m, const
 							   &cfg->cookie_same_site_session);
 	if ((rv == NULL) && (arg2 != NULL)) {
 		static const oidc_cfg_option_t state_options[] = {
-		    {OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_OFF_STR},
-		    {OIDC_SAMESITE_COOKIE_LAX, OIDC_SAMESITE_COOKIE_ON_STR},
 		    {OIDC_SAMESITE_COOKIE_DISABLED, OIDC_SAMESITE_COOKIE_DISABLED_STR},
 		    {OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_NONE_STR},
 		    {OIDC_SAMESITE_COOKIE_LAX, OIDC_SAMESITE_COOKIE_LAX_STR}};
 		rv = oidc_cfg_parse_option_ignore_case(cmd->pool, state_options, OIDC_CFG_OPTIONS_SIZE(state_options),
 						       arg2, &cfg->cookie_same_site_state);
 	}
 	if ((rv == NULL) && (arg3 != NULL)) {
-		rv = oidc_cfg_parse_option_ignore_case(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg3,
-						       &cfg->cookie_same_site_discovery_csrf);
+		static const oidc_cfg_option_t csrf_options[] = {
+		    {OIDC_SAMESITE_COOKIE_DISABLED, OIDC_SAMESITE_COOKIE_DISABLED_STR},
+		    {OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_NONE_STR},
+		    {OIDC_SAMESITE_COOKIE_LAX, OIDC_SAMESITE_COOKIE_LAX_STR},
+		    {OIDC_SAMESITE_COOKIE_STRICT, OIDC_SAMESITE_COOKIE_STRICT_STR}};
+		rv = oidc_cfg_parse_option_ignore_case(cmd->pool, csrf_options, OIDC_CFG_OPTIONS_SIZE(csrf_options),
+						       arg3, &cfg->cookie_same_site_discovery_csrf);
 	}
 	return OIDC_CONFIG_DIR_RV(cmd, rv);
 }

test/test_cfg.c

@@ -150,7 +150,14 @@ START_TEST(test_cmd_cookie_same_site) {
 	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
 	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
 
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Disabled", NULL, NULL));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_DISABLED);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_DISABLED);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_DISABLED);
+
 	ck_assert_ptr_nonnull(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "InvalidValue", NULL, NULL));
+	ck_assert_ptr_nonnull(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Strict", "On", NULL));
+	ck_assert_ptr_nonnull(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Strict", "Lax", "Off"));
 
 	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Strict", "None", NULL));
 	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);