auth: session seal/unseal

auth/sessions.go

@@ -35,8 +35,9 @@ import (
 )
 
 const (
-	hkdfInfo   = "aura-tank-session-keys"
-	defaultAge = 24 * time.Hour
+	hkdfInfo          = "aura-tank-session-keys"
+	defaultAge        = 24 * time.Hour
+	sessionCookieName = "aura-tank-auth-session"
 )
 
 type Session struct {
@@ -48,12 +49,8 @@ type Session struct {
 	Groups    []string
 }
 
-func (s *Session) Seal() ([]byte, error) {
-	return nil, errors.New("not yet implemented")
-}
-
-func (s *Session) Unseal([]byte) error {
-	return errors.New("not yet implemented")
+func (s *Session) Seal() (string, error) {
+	return s.sealer.Encode(sessionCookieName, s)
 }
 
 func (s *Session) Expired() bool {
@@ -102,3 +99,10 @@ func NewSessionManager(cfg SessionsConfig) (sm *SessionManager, err error) {
 func (sm *SessionManager) NewSession() *Session {
 	return &Session{sealer: sm.sealer, Expires: time.Now().Add(sm.maxAge)}
 }
+
+func (sm *SessionManager) UnsealSession(cookie string) (s *Session, err error) {
+	s = &Session{}
+	err = sm.sealer.Decode(sessionCookieName, cookie, s)
+	s.sealer = sm.sealer
+	return
+}

auth/sessions_test.go

@@ -25,6 +25,7 @@
 package auth
 
 import (
+	"reflect"
 	"testing"
 	"time"
 )
@@ -81,3 +82,40 @@ func TestSessionExpiry(t *testing.T) {
 		t.Fatalf("session hasn't expired in time")
 	}
 }
+
+func TestSessionSealUnseal(t *testing.T) {
+	cfg := SessionsConfig{}
+	cfg.Secret = testSecret
+	sm, err := NewSessionManager(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	in := sm.NewSession()
+	if in == nil {
+		t.Fatalf("session manager returned nil instead of new session")
+	}
+
+	c, err := in.Seal()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	out, err := sm.UnsealSession(c)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if !in.Expires.Equal(out.Expires) {
+		t.Fatalf("session are not equal, expected expiry: %v, got %+v", in.Expires, out.Expires)
+	}
+	if in.Username != out.Username {
+		t.Fatalf("session are not equal, expected username: %q, got %q", in.Username, out.Username)
+	}
+	if in.AllGroups != out.AllGroups {
+		t.Fatalf("session are not equal, expected all-groups: %v, got %v", in.AllGroups, out.AllGroups)
+	}
+	if !reflect.DeepEqual(in.Groups, out.Groups) {
+		t.Fatalf("session are not equal, expected groups: %v, got %v", in.Groups, out.Groups)
+	}
+}