Fix issue with cookie deletion

Author: dhague

pkg/api/keystone/keystone.go

@@ -66,8 +66,7 @@ func getNewToken(c *middleware.Context) (string, error) {
 
 	var keystonePasswordObj interface{}
 	if setting.KeystoneCookieCredentials {
-		keystonePasswordObj = c.GetCookie(middleware.SESS_KEY_PASSWORD)
-		if keystonePasswordObj == nil {
+		if keystonePasswordObj = c.GetCookie(middleware.SESS_KEY_PASSWORD); keystonePasswordObj == nil {
 			return "", errors.New("Couldn't find cookie containing keystone password")
 		} else {
 			log.Debug("Got password from cookie")
@@ -94,7 +93,7 @@ func getNewToken(c *middleware.Context) (string, error) {
 	}
 	if err := AuthenticateScoped(&auth); err != nil {
 		if setting.KeystoneCookieCredentials {
-			c.SetCookie(middleware.SESS_KEY_PASSWORD, "", 0)
+			c.SetCookie(middleware.SESS_KEY_PASSWORD, "", -1, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
 		} else {
 			c.Session.Set(middleware.SESS_KEY_PASSWORD, nil)
 		}
@@ -182,7 +181,15 @@ func decryptPassword(base64ciphertext string) string {
 		log.Error(3, "Error: NewCipher(%d bytes) = %s", len(setting.KeystoneCredentialAesKey), err)
 	}
 	ciphertext, err := base64.StdEncoding.DecodeString(base64ciphertext)
+	if err != nil {
+		log.Error(3, "Error: %s", err)
+		return ""
+	}
 	iv := ciphertext[:aes.BlockSize]
+	if aes.BlockSize > len(ciphertext) {
+		log.Error(3, "Error: ciphertext %s is shorter than AES blocksize %d", ciphertext, aes.BlockSize)
+		return ""
+	}
 	password := make([]byte, len(ciphertext)-aes.BlockSize)
 	stream := cipher.NewOFB(block, iv)
 	stream.XORKeyStream(password, ciphertext[aes.BlockSize:])

pkg/api/login.go

@@ -13,7 +13,6 @@ import (
 	m "github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
-	"gopkg.in/macaron.v1"
 )
 
 const (
@@ -125,7 +124,7 @@ func LoginPost(c *middleware.Context, cmd dtos.LoginCommand) Response {
 			} else {
 				days = 86400 * setting.LogInRememberDays
 			}
-			c.SetCookie(middleware.SESS_KEY_PASSWORD, cmd.Password, days, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+			c.SetCookie(middleware.SESS_KEY_PASSWORD, cmd.Password, days, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
 		} else {
 			c.Session.Set(middleware.SESS_KEY_PASSWORD, cmd.Password)
 		}
@@ -152,22 +151,18 @@ func loginUserWithUser(user *m.User, c *middleware.Context) {
 
 	days := 86400 * setting.LogInRememberDays
 	if days > 0 {
-		c.SetCookie(setting.CookieUserName, user.Login, days, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+		c.SetCookie(setting.CookieUserName, user.Login, days, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
 		c.SetSuperSecureCookie(util.EncodeMd5(user.Rands+user.Password),
-			setting.CookieRememberName, user.Login, days, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+			setting.CookieRememberName, user.Login, days, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
 	}
 
 	c.Session.Set(middleware.SESS_KEY_USERID, user.Id)
 }
 
 func Logout(c *middleware.Context) {
-	c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
-	c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
-	c.SetCookie(middleware.SESS_KEY_PASSWORD, "", -1, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+	c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
+	c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
+	c.SetCookie(middleware.SESS_KEY_PASSWORD, "", -1, setting.AppSubUrl+"/", nil, middleware.IsSecure(c), true)
 	c.Session.Destory(c)
 	c.Redirect(setting.AppSubUrl + "/login")
 }
-
-func isSecure(r *macaron.Request) bool {
-	return (r.TLS != nil) || (r.Header.Get("X-Forwarded-Proto") == "https")
-}

pkg/middleware/middleware.go

@@ -232,3 +232,7 @@ func (ctx *Context) HasUserRole(role m.RoleType) bool {
 func (ctx *Context) TimeRequest(timer metrics.Timer) {
 	ctx.Data["perfmon.timer"] = timer
 }
+
+func IsSecure(ctx *Context) bool {
+	return (ctx.Req.TLS != nil) || (ctx.Req.Header.Get("X-Forwarded-Proto") == "https")
+}