From d5bc187dac5e29b18c48a1cf4bca9349028a7050 Mon Sep 17 00:00:00 2001
From: achmelo <37397715+achmelo@users.noreply.github.com>
Date: Thu, 21 Jul 2022 14:24:03 +0200
Subject: [PATCH] fix: remove multiple tokens from cookies (#2514)

Signed-off-by: achmelo
---
 .../service/schema/HttpBasicPassTicketScheme.java | 8 ++++++--
 .../security/service/schema/JwtCommand.java | 15 ++++++++++-----
 .../security/service/schema/SafIdtScheme.java | 4 ++--
 .../security/service/schema/ZosmfScheme.java | 4 ++--
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/HttpBasicPassTicketScheme.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/HttpBasicPassTicketScheme.java
index f409792af7..782c7bfd2b 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/HttpBasicPassTicketScheme.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/HttpBasicPassTicketScheme.java
@@ -45,6 +45,7 @@ public class HttpBasicPassTicketScheme implements IAuthenticationScheme {
     private final PassTicketService passTicketService;
     private final AuthSourceService authSourceService;
     private final String cookieName;
+    private final String patCookieName;
     public HttpBasicPassTicketScheme(
         PassTicketService passTicketService,
@@ -54,6 +55,7 @@ public HttpBasicPassTicketScheme(
         this.passTicketService = passTicketService;
         this.authSourceService = authSourceService;
         cookieName = authConfigurationProperties.getCookieProperties().getCookieName();
+        patCookieName = authConfigurationProperties.getCookieProperties().getCookieNamePAT();
     }
     @Override
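Review bot: In the constructor hunk, `patCookieName` is captured from `getCookieNamePAT()` with no null check, and the later hunks show that value being handed to `CookieUtil.removeCookie` while the Cookie header is rewritten, so a missing PAT cookie-name property would only surface at request time. A fail-fast assignment such as `patCookieName = Objects.requireNonNull(authConfigurationProperties.getCookieProperties().getCookieNamePAT(), "cookieNamePAT");` (and the same treatment for `cookieName`) makes the configuration dependency explicit, assuming `java.util.Objects` is available in the file. The constructor body starts outside the hunk.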
@@ -102,7 +104,7 @@ public AuthenticationCommand createCommand(Authentication authentication, AuthSo
         final String value = "Basic " + encoded;
         // passticket is valid only once, therefore this command needs to expire immediately and each call should generate new passticket
         long expiration = System.currentTimeMillis();
-        return new PassTicketCommand(value, cookieName, expiration);
+        return new PassTicketCommand(value, cookieName, patCookieName, expiration);
     }
     @Override
@@ -120,6 +122,7 @@ public static class PassTicketCommand extends AuthenticationCommand {
         String authorizationValue;
         String cookieName;
+        String patCookieName;
         Long expireAt;
         @Override
@@ -127,7 +130,8 @@ public void apply(InstanceInfo instanceInfo) {
             if (authorizationValue != null) {
                 final RequestContext context = RequestContext.getCurrentContext();
                 context.addZuulRequestHeader(HttpHeaders.AUTHORIZATION, authorizationValue);
-                JwtCommand.removeCookie(context, cookieName);
+                String[] cookiesToBeRemoved = new String[]{cookieName,patCookieName};
+                JwtCommand.removeCookie(context, cookiesToBeRemoved);
             }
         }
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/JwtCommand.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/JwtCommand.java
index e71a60415b..21ed6eadda 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/JwtCommand.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/JwtCommand.java
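Review bot: In `PassTicketCommand.apply`, `new String[]{cookieName,patCookieName}` is a temporary built only to satisfy the array parameter of `removeCookie` (and is missing a space after the comma); the same construction is repeated in the SafIdtScheme and ZosmfScheme hunks. If `JwtCommand.removeCookie` were declared with varargs, each call site would collapse to `JwtCommand.removeCookie(context, cookieName, patCookieName);`. The `PassTicketCommand` constructor used in `createCommand` appears to be generated from field order (its declaration is not in the hunk), so the new field's position between `cookieName` and `expireAt` has to stay aligned with the argument order `(value, cookieName, patCookieName, expiration)`; a short comment on the field list noting this would protect the next edit.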
@@ -26,13 +26,18 @@ public static void setCookie(RequestContext context, String name, String value)
         );
     }
-    public static void removeCookie(RequestContext context, String name) {
-        context.addZuulRequestHeader(COOKIE_HEADER,
-            CookieUtil.removeCookie(
-                context.getRequest().getHeader(COOKIE_HEADER),
+    public static void removeCookie(RequestContext context, String[] names) {
+        String cookie = context.getRequest().getHeader(COOKIE_HEADER);
+        for (String name : names) {
+            cookie = CookieUtil.removeCookie(
+                cookie,
                 name
-            )
+            );
+        }
+        context.addZuulRequestHeader(COOKIE_HEADER,
+            cookie
         );
+    }
     @Override
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java
index 1bbd866d76..91edc5f7d5 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java
@@ -155,8 +155,8 @@ public void apply(InstanceInfo instanceInfo) {
         final RequestContext context = RequestContext.getCurrentContext();
         // add header with SafIdt token to request and remove APIML token from Cookie if exists
         context.addZuulRequestHeader(SAF_TOKEN_HEADER, safIdentityToken);
-        JwtCommand.removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieName());
-        JwtCommand.removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieNamePAT());
+        String[] cookiesToBeRemoved = new String[]{authConfigurationProperties.getCookieProperties().getCookieName(), authConfigurationProperties.getCookieProperties().getCookieNamePAT()};
+        JwtCommand.removeCookie(context, cookiesToBeRemoved);
     }
 }
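Review bot: The new `removeCookie` signature takes `String[] names`, which forces every caller to allocate an array literal; `public static void removeCookie(RequestContext context, String... names) {` accepts the same arrays and keeps the old single-name call form compiling. The loop's initial `cookie` value comes from `context.getRequest().getHeader(COOKIE_HEADER)` and is null when the request carries no cookies; whether `CookieUtil.removeCookie` tolerates a null first argument is not visible here (the old code had the same exposure, now repeated once per name), so the contract should be stated or guarded before the loop. The method also has no Javadoc; suggested: `/** Strips the named cookies from the incoming Cookie header and forwards the remainder as the outgoing Zuul Cookie header, so gateway-issued tokens are not passed on to the service. */`.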
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/ZosmfScheme.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/ZosmfScheme.java
index 15bd9401f0..2a83b846cc 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/ZosmfScheme.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/ZosmfScheme.java
@@ -119,8 +119,8 @@ public void apply(InstanceInfo instanceInfo) {
             final RequestContext context = RequestContext.getCurrentContext();
             if (AuthSource.Origin.ZOSMF.equals(authSourceOrigin)) {
                 // token is generated by z/OSMF, fix set cookies
-                removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieName());
-                removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieNamePAT());
+                String[] cookiesToBeRemoved = new String[]{authConfigurationProperties.getCookieProperties().getCookieName(),authConfigurationProperties.getCookieProperties().getCookieNamePAT()};
+                removeCookie(context, cookiesToBeRemoved);
                 setCookie(context, ZosmfService.TokenType.JWT.getCookieName(), cookieValue);
             } else if (AuthSource.Origin.ZOWE.equals(authSourceOrigin)) {
                 // user use Zowe own JWT token, for communication with z/OSMF there should be LTPA token, use it