feat: Use encrypted cookie to store OAuth2 state nonce (instead of redis)

[alexmt]

Signed-off-by: Alexander Matyushentsev AMatyushentsev@gmail.com

Closes #5873

PR changes SSO auth flow to store temporary nonce tokens in an encrypted cookie instead of redis

[codecov]

Codecov Report

Merging #8241 (ba1f8d6) into master (b7bdb8f) will increase coverage by 0.29%.
The diff coverage is 56.32%.

@@            Coverage Diff             @@
##           master    #8241      +/-   ##
==========================================
+ Coverage   41.63%   41.93%   +0.29%     
==========================================
  Files         174      176       +2     
  Lines       22881    22992     +111     
==========================================
+ Hits         9527     9641     +114     
+ Misses      11990    11966      -24     
- Partials     1364     1385      +21     

Impacted Files	Coverage Δ
server/cache/cache.go	68.00% <ø> (-5.34%)	⬇️
server/server.go	54.76% <0.00%> (ø)
util/settings/settings.go	47.08% <0.00%> (-0.06%)	⬇️
util/crypto/crypto.go	44.82% <44.82%> (ø)
util/oidc/oidc.go	40.67% <64.28%> (+21.46%)	⬆️
cmd/argocd/commands/headless/headless.go	3.48% <0.00%> (ø)
util/buffered_context/buffered_context.go	100.00% <0.00%> (ø)
reposerver/repository/repository.go	58.08% <0.00%> (+0.23%)	⬆️
util/kustomize/kustomize.go	69.79% <0.00%> (+1.99%)	⬆️
util/oidc/provider.go	5.88% <0.00%> (+5.88%)	⬆️
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b7bdb8f...ba1f8d6. Read the comment docs.

[jannfis]

From the first glance, I have a few questions and challenges to discuss.

Since we should be careful with this change, I'm putting a request for change for now.

[alexmt]

Thank you for the review, @leoluz and @jannfis !

@jannfis do you think that change is too dangerous and should be postponed to v2.4?

[jannfis]

@jannfis do you think that change is too dangerous and should be postponed to v2.4?

It's not dangerous per se, but we should carefully review the code, flow of data and possible pitfalls before merging. Change itself is fine to go into 2.3 IMHO.

[alexmt]

Thanks for review, @jannfis and @leoluz . Your comments have been addressed. PTAL

[jannfis]

Few more comments.

[alexmt]

Thanks for the careful review! All comments have been addressed. PTAL

[crenshaw-dev]

Should we use bcrypt instead of sha256? It's recommended in the crypto docs for keys.

Since the key is 32 random bytes, I don't think bcrypt actually buys us much. But if someone found a flaw in the random number generator, bcrypt would give us just a tiny bit more protection against someone brute-forcing the hash to recover the key.

[crenshaw-dev]

Actually... why hash at all? The server token is already 32 random bytes. Couldn't it serve directly as the key? Since this hashed key disappears at GC, seems like it's functionally the same as just using the server token directly.

[crenshaw-dev]

(I'm assuming we don't let users set that secret to some arbitrary string.)

[alexmt]

🤦 I should have look at how server signature is generated. Removed hashing completelly

[jannfis]

I was thinking: What if we decided at some point in time to make the server's signature different from what it is now (e.g. smaller or larger, different format, etc)? Also, I think now we have made the Encrypt() and Decrypt() functions public in our package, but they are of limited use now, i.e. only usable with our server's signature. SHA256 in contrast has a constant output of 32 bytes, for any given passphrase, even if it comes at some additional computational cost.

[alexmt]

Sorry resolved this thread before I noticed your comment @jannfis . I think you are right. I don't want to accidentally break SSO tomorrow. I've fallback to original @crenshaw-dev 's suggestion: use scrypt to generate keys from the keyphrase (bcrypt does not support generating 32 bytes long keys). According to docs, it is actually very memory expensive so I changed the code to generate key only once when settings are loaded/updated. Now crypto package has Encrypt/Decrypt functions that can be used with any key and function that generates encryption key using server signature.

[crenshaw-dev]

LGTM

[jannfis]

LGTM

[jannfis]

Thanks for thorough review, everyone!

[alexmt]

I've noticed that one conversation was resolved incorrectly, unresolved it, and made some improvements :) . Please see #8241 (comment) for more information.

Sorry for moving back and forth in this PR. Cryptography is definitely not my strength and it was a learning exercise for me.

[crenshaw-dev]

No comments that should block merging. I have a slight preference for explicitly using a "nothing" salt if the hashed passphrase isn't actually a meaningful salt.

[crenshaw-dev]

Is the salt actually helpful for this use case, or is it functionally equivalent to no-salt?

[alexmt]

As I understand it is equivalent of no salt. I think it would be overkill to generate and store salt in argocd-secret Secret just to derive key from server signature

[crenshaw-dev]

Cool, agreed. For readability, what about explicit no salt (empty slice?) or a comment clarifying why we’re using the salt value we’re using.

[alexmt]

done

[jannfis]

LGTM, thanks for the extra mile on this @alexmt

[crenshaw-dev]

s/if/is ?

[alexmt]

fixed

[crenshaw-dev]

LGTM!