From 16535e14e86d924529ff44b880b25ee55cf6490e Mon Sep 17 00:00:00 2001 From: David Leifker Date: Thu, 22 Dec 2022 14:19:25 -0600 Subject: [PATCH] fix(oidc): fix oidc authentication loop --- datahub-frontend/app/auth/AuthUtils.java | 13 +++++++++++-- .../app/auth/sso/oidc/OidcCallbackLogic.java | 12 ++++++------ .../controllers/AuthenticationController.java | 12 +----------- datahub-frontend/test/app/ApplicationTest.java | 17 ++++++++++++++--- 4 files changed, 32 insertions(+), 22 deletions(-) diff --git a/datahub-frontend/app/auth/AuthUtils.java b/datahub-frontend/app/auth/AuthUtils.java index 9084311adb11ab..60c449045acf49 100644 --- a/datahub-frontend/app/auth/AuthUtils.java +++ b/datahub-frontend/app/auth/AuthUtils.java @@ -6,6 +6,8 @@ import java.time.Duration; import java.time.temporal.ChronoUnit; +import java.util.HashMap; +import java.util.Map; @Slf4j public class AuthUtils { @@ -77,8 +79,8 @@ public static boolean isEligibleForForwarding(Http.Request req) { */ public static boolean hasValidSessionCookie(final Http.Request req) { return req.session().data().containsKey(ACTOR) - && req.cookie(ACTOR) != null - && req.session().data().get(ACTOR).equals(req.cookie(ACTOR).value()); + && req.getCookie(ACTOR).isPresent() + && req.session().data().get(ACTOR).equals(req.getCookie(ACTOR).get().value()); } /** @@ -101,6 +103,13 @@ public static Http.Cookie createActorCookie(final String actorUrn, final Integer .build(); } + public static Map createSessionMap(final String userUrnStr, final String accessToken) { + final Map sessionAttributes = new HashMap<>(); + sessionAttributes.put(ACTOR, userUrnStr); + sessionAttributes.put(ACCESS_TOKEN, accessToken); + return sessionAttributes; + } + private AuthUtils() { } } diff --git a/datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java b/datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java index 002666e943e709..4130359f7135f9 100644 --- a/datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java +++ b/datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java @@ -57,10 +57,10 @@ import play.mvc.Result; import auth.sso.SsoManager; -import static auth.AuthUtils.ACCESS_TOKEN; -import static auth.AuthUtils.ACTOR; import static auth.AuthUtils.createActorCookie; -import static com.linkedin.metadata.Constants.*; +import static auth.AuthUtils.createSessionMap; +import static com.linkedin.metadata.Constants.CORP_USER_ENTITY_NAME; +import static com.linkedin.metadata.Constants.GROUP_MEMBERSHIP_ASPECT_NAME; import static play.mvc.Results.internalServerError; @@ -152,9 +152,9 @@ private Result handleOidcCallback(final OidcConfigs oidcConfigs, final Result re // Successfully logged in - Generate GMS login token final String accessToken = _authClient.generateSessionTokenForUser(corpUserUrn.getId()); - context.getNativeSession().adding(ACCESS_TOKEN, accessToken); - context.getNativeSession().adding(ACTOR, corpUserUrn.toString()); - return result.withCookies(createActorCookie(corpUserUrn.toString(), oidcConfigs.getSessionTtlInHours())); + return result + .withSession(createSessionMap(corpUserUrn.toString(), accessToken)) + .withCookies(createActorCookie(corpUserUrn.toString(), oidcConfigs.getSessionTtlInHours())); } return internalServerError( "Failed to authenticate current user. Cannot find valid identity provider profile in session."); diff --git a/datahub-frontend/app/controllers/AuthenticationController.java b/datahub-frontend/app/controllers/AuthenticationController.java index 2af9f5bfd808f7..64ee579b359265 100644 --- a/datahub-frontend/app/controllers/AuthenticationController.java +++ b/datahub-frontend/app/controllers/AuthenticationController.java @@ -12,8 +12,6 @@ import com.typesafe.config.Config; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; -import java.util.HashMap; -import java.util.Map; import java.util.Optional; import javax.annotation.Nonnull; import javax.inject.Inject; @@ -32,8 +30,6 @@ import play.mvc.Results; import security.AuthenticationManager; -import static auth.AuthUtils.ACCESS_TOKEN; -import static auth.AuthUtils.ACTOR; import static auth.AuthUtils.DEFAULT_ACTOR_URN; import static auth.AuthUtils.DEFAULT_SESSION_TTL_HOURS; import static auth.AuthUtils.EMAIL; @@ -46,6 +42,7 @@ import static auth.AuthUtils.TITLE; import static auth.AuthUtils.USER_NAME; import static auth.AuthUtils.createActorCookie; +import static auth.AuthUtils.createSessionMap; import static org.pac4j.core.client.IndirectClient.ATTEMPTED_AUTHENTICATION_SUFFIX; @@ -329,11 +326,4 @@ private Result createSession(String userUrnString, String accessToken) { return Results.ok().withSession(createSessionMap(userUrnString, accessToken)) .withCookies(createActorCookie(userUrnString, ttlInHours)); } - - private Map createSessionMap(final String userUrnStr, final String accessToken) { - final Map sessionAttributes = new HashMap<>(); - sessionAttributes.put(ACTOR, userUrnStr); - sessionAttributes.put(ACCESS_TOKEN, accessToken); - return sessionAttributes; - } } \ No newline at end of file diff --git a/datahub-frontend/test/app/ApplicationTest.java b/datahub-frontend/test/app/ApplicationTest.java index 58a602532fc72c..fa66ad3fe6ce09 100644 --- a/datahub-frontend/test/app/ApplicationTest.java +++ b/datahub-frontend/test/app/ApplicationTest.java @@ -24,10 +24,13 @@ import java.io.IOException; import java.net.InetAddress; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; import java.util.List; import java.util.Map; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; import static play.mvc.Http.Status.NOT_FOUND; import static play.mvc.Http.Status.OK; import static play.test.Helpers.fakeRequest; @@ -72,11 +75,14 @@ protected TestBrowser provideBrowser(int port) { private String _wellKnownUrl; + private static final String TEST_USER = "urn:li:corpuser:testUser@myCompany.com"; + private static final String TEST_TOKEN = "faketoken_YCpYIrjQH4sD3_rAc3VPPFg4"; + @BeforeAll public void init() throws IOException, InterruptedException { _gmsServer = new MockWebServer(); - _gmsServer.enqueue(new MockResponse().setBody("{\"value\":\"urn:li:corpuser:testUser@myCompany.com\"}")); - _gmsServer.enqueue(new MockResponse().setBody("{\"accessToken\":\"faketoken_YCpYIrjQH4sD3_rAc3VPPFg4\"}")); + _gmsServer.enqueue(new MockResponse().setBody(String.format("{\"value\":\"%s\"}", TEST_USER))); + _gmsServer.enqueue(new MockResponse().setBody(String.format("{\"accessToken\":\"%s\"}", TEST_TOKEN))); _gmsServer.start(gmsServerPort()); _oauthServer = new MockOAuth2Server(); @@ -140,8 +146,13 @@ public void testOpenIdConfig() { public void testHappyPathOidc() throws InterruptedException { browser.goTo("/authenticate"); assertEquals("", browser.url()); + Cookie actorCookie = browser.getCookie("actor"); - assertEquals("urn:li:corpuser:testUser@myCompany.com", actorCookie.getValue()); + assertEquals(TEST_USER, actorCookie.getValue()); + + Cookie sessionCookie = browser.getCookie("PLAY_SESSION"); + assertTrue(sessionCookie.getValue().contains("token=" + TEST_TOKEN)); + assertTrue(sessionCookie.getValue().contains("actor=" + URLEncoder.encode(TEST_USER, StandardCharsets.UTF_8))); } }