Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix regression with legacy redirect patterns #2035

Merged
merged 4 commits into from
Sep 28, 2022
Merged

Fix regression with legacy redirect patterns #2035

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3271d9d
Fix regression with legacy redirect patterns
strehle Sep 22, 2022
4534cea
refactoring and test added
strehle Sep 23, 2022
83c2398
cleanup
strehle Sep 23, 2022
772a7eb
Merge branch 'develop' of github.com:cloudfoundry/uaa into fix/issue/…
strehle Sep 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 9 additions & 5 deletions server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/LegacyRedirectResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@

public class LegacyRedirectResolver extends org.cloudfoundry.identity.uaa.oauth.beans.org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver {
private static final Logger logger = LoggerFactory.getLogger(LegacyRedirectResolver.class);

public static final String LEGACY_PORT_WILDCAR = ":*";

static final String MSG_TEMPLATE = "OAuth client %s is configured with a redirect_uri which performs implicit or " +
"wildcard matching in legacy redirect uri matching mode. In this instance, the requested uri %s matches the " +
"configured uri %s. Please consider configuring your requested redirect uri to exactly match the " +
Expand Down Expand Up @@ -101,9 +104,10 @@ private void logConfiguredRedirectUrisWhichOnlyMatchFuzzily(String clientId, Set
// when the standard Spring library class disagrees (i.e. when it acts more strictly).
registeredRedirectUris.stream()
.filter(registeredRedirectUri ->
requestedRedirect != null &&
registeredRedirectUri.contains(LEGACY_PORT_WILDCAR) ||
(requestedRedirect != null &&
this.redirectMatches(requestedRedirect, registeredRedirectUri) &&
!specCompliantRedirectMatcher.redirectMatches(requestedRedirect, registeredRedirectUri)
!specCompliantRedirectMatcher.redirectMatches(requestedRedirect, registeredRedirectUri))
)
.forEach(registeredRedirectUri ->
logger.warn(String.format(MSG_TEMPLATE, clientId,
Expand All @@ -113,8 +117,8 @@ private void logConfiguredRedirectUrisWhichOnlyMatchFuzzily(String clientId, Set
}

private static String normalizeWildcardUri(String uriClient) {
boolean hasWildcarPort = uriClient.contains(":*");
String uri = hasWildcarPort ? uriClient.replace(":*", StringUtils.EMPTY) : uriClient;
boolean hasWildcarPort = uriClient.contains(LEGACY_PORT_WILDCAR);
String uri = hasWildcarPort ? uriClient.replace(LEGACY_PORT_WILDCAR, StringUtils.EMPTY) : uriClient;
UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(uri);
UriComponents nonNormalizedUri = uriComponentsBuilder.build();

Expand All @@ -132,7 +136,7 @@ private static String normalizeWildcardUri(String uriClient) {
throw new IllegalArgumentException("URI host and scheme must not be null");
}

return uriComponentsBuilder.build().toString().replace(":99999", ":*");
return uriComponentsBuilder.build().toString().replace(":99999", LEGACY_PORT_WILDCAR);
}

private static String redactSensitiveInformation(String uri) {
Expand Down
2 changes: 1 addition & 1 deletion server/src/main/java/org/cloudfoundry/identity/uaa/util/UaaUrlUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ private static UriComponentsBuilder getURIBuilder(
"(([a-zA-Z0-9\\-\\*\\_]+\\.){0,255}" + //subdomains (RFC1035) limited, regex backtracking disabled
"[a-zA-Z0-9\\-\\_]+\\.)?" + //hostname
"[a-zA-Z0-9\\-]+" + //tld
"(:[0-9]+)?(/.*|$)" //port and path
"((:[0-9]+)|(:\\*))?(/.*|$)" //port and path
);

public static boolean isValidRegisteredRedirectUrl(String url) {
Expand Down
12 changes: 12 additions & 0 deletions ...r/src/test/java/org/cloudfoundry/identity/uaa/oauth/beans/LegacyRedirectResolverTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,18 @@ void warnsOnExplicitDomainExpansion() {
);
}

@Test
void warnsOnPortWildCard() {
final String configuredRedirectUri = "https://example.com:*/*";
final String requestedRedirectUri = "https://example.com:443/callback";
ClientDetails client = createClient("foo", configuredRedirectUri);

resolver.resolveRedirect(requestedRedirectUri, client);
assertThat(logEvents, hasItem(
warning(expectedWarning(client.getClientId(), requestedRedirectUri, configuredRedirectUri)))
);
}

@Test
void warnsOnImplicitPathExpansion() {
final String configuredRedirectUri = "https://example.com/";
Expand Down
9 changes: 9 additions & 0 deletions server/src/test/java/org/cloudfoundry/identity/uaa/util/UaaUrlUtilsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -647,6 +647,15 @@ void getRequestPathCombinesServletPathAndPathInfo(
assertEquals(expected, UaaUrlUtils.getRequestPath(request));
}

@Test
void testLegacyUriWithPortWildCard() {
assertTrue(UaaUrlUtils.isValidRegisteredRedirectUrl("http://localhost:*/callback"));

assertFalse(UaaUrlUtils.isValidRegisteredRedirectUrl(Strings.EMPTY_STRING));
assertFalse(UaaUrlUtils.isValidRegisteredRedirectUrl("http://localhost:80*/callback"));
assertFalse(UaaUrlUtils.isValidRegisteredRedirectUrl("http://localhost:*8/callback"));
}

private static void validateRedirectUri(List<String> urls, boolean result) {
Map<String, String> failed = getUnsuccessfulUrls(urls, result);
if (!failed.isEmpty()) {
Expand Down