From 1291380611d24c64fed27314c21c779179264ba5 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Thu, 10 Dec 2020 11:34:39 -0800
Subject: [PATCH] dynamiccodec.Codec uses securecookie.JSONEncoder

Signed-off-by: aram price
---
 internal/oidc/dynamiccodec/codec.go | 12 +++++++++---
 internal/oidc/dynamiccodec/codec_test.go | 22 ++++++++++++----------
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/internal/oidc/dynamiccodec/codec.go b/internal/oidc/dynamiccodec/codec.go
index a28c6b08..13407f70 100644
--- a/internal/oidc/dynamiccodec/codec.go
+++ b/internal/oidc/dynamiccodec/codec.go
@@ -23,7 +23,9 @@ type Codec struct {
 encryptionKeyFunc KeyFunc
 }

-// New creates a new Codec that will use the provided keyFuncs for its key source.
+// New creates a new Codec that will use the provided keyFuncs for its key source, and
+// use the securecookie.JSONEncoder. The securecookie.JSONEncoder is used because the default
+// securecookie.GobEncoder is less compact and more difficult to make forward compatible.
 func New(signingKeyFunc, encryptionKeyFunc KeyFunc) *Codec {
 return &Codec{
 signingKeyFunc: signingKeyFunc,
@@ -33,10 +35,14 @@ func New(signingKeyFunc, encryptionKeyFunc KeyFunc) *Codec {

 // Encode implements oidc.Encode().
 func (c *Codec) Encode(name string, value interface{}) (string, error) {
- return securecookie.New(c.signingKeyFunc(), c.encryptionKeyFunc()).Encode(name, value)
+ encoder := securecookie.New(c.signingKeyFunc(), c.encryptionKeyFunc())
+ encoder.SetSerializer(securecookie.JSONEncoder{})
+ return encoder.Encode(name, value)
 }

 // Decode implements oidc.Decode().
 func (c *Codec) Decode(name string, value string, into interface{}) error {
- return securecookie.New(c.signingKeyFunc(), c.encryptionKeyFunc()).Decode(name, value, into)
+ decoder := securecookie.New(c.signingKeyFunc(), c.encryptionKeyFunc())
+ decoder.SetSerializer(securecookie.JSONEncoder{})
+ return decoder.Decode(name, value, into)
 }
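Review bot: The new doc comment on New (codec.go hunk at -23) explains why JSON was chosen but not what it requires of callers, and the serializer is actually installed in Encode and Decode, not in New. Decode in the following hunk sets only the JSON serializer, so a value written by the earlier gob-based codec will fail to decode after this change; whether any such cookies are still live at upgrade time is not visible here. I would add to the comment: `// Values passed to Encode must round-trip through encoding/json. Cookies written with the earlier gob serializer are rejected by Decode.` New's body continues outside the hunk.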
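Review bot: In the codec.go hunk at -33, Encode and Decode still hand whatever encryptionKeyFunc returns straight to securecookie.New, and that constructor only enables AES when the block key is non-nil. With the JSON serializer, a nil key would therefore produce a cookie that is signed but whose payload is base64-encoded JSON the client can read. If unencrypted cookies are never intended here, both methods should fail closed on an empty key, and building the SecureCookie in one helper also keeps the serializer identical on the encode and decode paths. The helper name and error text below are suggestions, and an existing caller or test that relies on a nil encryption key would need checking first.

```go
// secureCookie builds the per-call codec. It refuses to run without an encryption key,
// because securecookie.New skips encryption when the block key is nil.
func (c *Codec) secureCookie() (*securecookie.SecureCookie, error) {
	encryptionKey := c.encryptionKeyFunc()
	if len(encryptionKey) == 0 {
		return nil, errors.New("dynamiccodec: encryption key is not set")
	}
	sc := securecookie.New(c.signingKeyFunc(), encryptionKey)
	sc.SetSerializer(securecookie.JSONEncoder{})
	return sc, nil
}

// Encode implements oidc.Encode().
func (c *Codec) Encode(name string, value interface{}) (string, error) {
	sc, err := c.secureCookie()
	if err != nil {
		return "", err
	}
	return sc.Encode(name, value)
}

// … Decode: same pattern, returning the secureCookie() error before sc.Decode(name, value, into) …
```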
diff --git a/internal/oidc/dynamiccodec/codec_test.go b/internal/oidc/dynamiccodec/codec_test.go
index 35a5f8b4..e85a77fe 100644
--- a/internal/oidc/dynamiccodec/codec_test.go
+++ b/internal/oidc/dynamiccodec/codec_test.go
@@ -4,6 +4,7 @@
 package dynamiccodec

 import (
+ "strings"
 "testing"

 "github.com/stretchr/testify/require"
@@ -11,10 +12,10 @@ import (

 func TestCodec(t *testing.T) {
 tests := []struct {
- name string
- keys func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte)
- wantEncoderError string
- wantDecoderError string
+ name string
+ keys func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte)
+ wantEncoderErrorPrefix string
+ wantDecoderError string
 }{
 {
 name: "good signing and encryption keys",
@@ -31,7 +32,7 @@ func TestCodec(t *testing.T) {
 keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
 *encoderEncryptionKey = []byte("this-secret-is-not-16-bytes")
 },
- wantEncoderError: "securecookie: error - caused by: crypto/aes: invalid key size 27",
+ wantEncoderErrorPrefix: "securecookie: error - caused by: crypto/aes: invalid key size 27",
 },
 {
 name: "good signing keys and bad decoding encryption key",
@@ -45,7 +46,7 @@ func TestCodec(t *testing.T) {
 keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
 *encoderSigningKey = nil
 },
- wantEncoderError: "securecookie: hash key is not set",
+ wantEncoderErrorPrefix: "securecookie: hash key is not set",
 },
 {
 name: "bad decoder signing key",
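Review bot: The field renamed to wantEncoderErrorPrefix in the struct hunk at -11 (and set in the hunks at -31 and -45) is still checked with require.EqualError in the hunk at -85, which is an exact match, while wantDecoderError keeps its old name but is compared with strings.HasPrefix in the hunk at -97. The names now say the opposite of what the assertions do. I would leave the encoder field as `wantEncoderError` and rename the decoder one to `wantDecoderErrorPrefix`, so that someone adding a case knows which expectation may be truncated. TestCodec's body continues outside these hunks.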
@@ -66,7 +67,7 @@ func TestCodec(t *testing.T) {
 keys: func(encoderSigningKey, encoderEncryptionKey, decoderSigningKey, decoderEncryptionKey *[]byte) {
 *encoderEncryptionKey = []byte("16-byte-no-match")
 },
- wantDecoderError: "securecookie: error - caused by: securecookie: error - caused by: gob: encoded unsigned integer out of range",
+ wantDecoderError: "securecookie: error - caused by: securecookie: error - caused by: invalid character '",
 },
 }
 for _, test := range tests {
@@ -85,8 +86,8 @@ func TestCodec(t *testing.T) {
 func() []byte { return encoderEncryptionKey })

 encoded, err := encoder.Encode("some-name", "some-message")
- if test.wantEncoderError != "" {
- require.EqualError(t, err, test.wantEncoderError)
+ if test.wantEncoderErrorPrefix != "" {
+ require.EqualError(t, err, test.wantEncoderErrorPrefix)
 return
 }
 require.NoError(t, err)
@@ -97,7 +98,8 @@ func TestCodec(t *testing.T) {
 var decoded string
 err = decoder.Decode("some-name", encoded, &decoded)
 if test.wantDecoderError != "" {
- require.EqualError(t, err, test.wantDecoderError)
+ require.Error(t, err)
+ require.True(t, strings.HasPrefix(err.Error(), test.wantDecoderError))
 return
 }
 require.NoError(t, err)
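Review bot: `require.True(t, strings.HasPrefix(err.Error(), test.wantDecoderError))` in the hunk at -97 reports only that a boolean was false when it fails, so the actual decode error is lost from the test output. Passing the error as the message keeps it: `require.Truef(t, strings.HasPrefix(err.Error(), test.wantDecoderError), "unexpected error: %q", err.Error())`. The prefix match also now applies to every decoder case, including those that previously had an exact comparison, so their expectations are looser than before. Only the case in the hunk at -66 needs truncation, presumably because decrypting with the wrong key yields arbitrary bytes and the offending character differs per run. A short comment on that case saying so would explain the cut-off string.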