From dd41eed904cc31125b97da70b0ddf32ec5be190f Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 26 Aug 2024 16:40:00 +0800 Subject: [PATCH 01/15] fix cookie subdomain Signed-off-by: Huabing Zhao --- .../extensions/filters/http/oauth2/filter.cc | 39 ++++++++++++++----- .../extensions/filters/http/oauth2/filter.h | 5 ++- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index 77e2496f2234..e403e83a9c52 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -235,9 +235,13 @@ void OAuth2CookieValidator::setParams(const Http::RequestHeaderMap& headers, bool OAuth2CookieValidator::canUpdateTokenByRefreshToken() const { return !refresh_token_.empty(); } bool OAuth2CookieValidator::hmacIsValid() const { + std::string cookie_domain = host_; + if (!cookie_domain_.empty()) { + cookie_domain = cookie_domain_; + } return ( - (encodeHmacBase64(secret_, host_, expires_, token_, id_token_, refresh_token_) == hmac_) || - (encodeHmacHexBase64(secret_, host_, expires_, token_, id_token_, refresh_token_) == hmac_)); + (encodeHmacBase64(secret_, cookie_domain, expires_, token_, id_token_, refresh_token_) == hmac_) || + (encodeHmacHexBase64(secret_, cookie_domain, expires_, token_, id_token_, refresh_token_) == hmac_)); } bool OAuth2CookieValidator::timestampIsValid() const { @@ -254,7 +258,8 @@ bool OAuth2CookieValidator::isValid() const { return hmacIsValid() && timestampI OAuth2Filter::OAuth2Filter(FilterConfigSharedPtr config, std::unique_ptr&& oauth_client, TimeSource& time_source) - : validator_(std::make_shared(time_source, config->cookieNames())), + : validator_(std::make_shared(time_source, config->cookieNames(), + config->cookieDomain())), oauth_client_(std::move(oauth_client)), config_(std::move(config)), time_source_(time_source) { 
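Review bot: The domain-or-host selection added at the top of hmacIsValid() is now what binds the cookie HMAC to a scope, and nothing says so; the same lines are repeated in getEncodedToken() (hunk @@ -542 of this patch, @@ -556 in patch 02), so a later edit to one side would silently desynchronise minting from validation. Extract it into one helper that both call, returning `absl::string_view`, and document it with something like `// HMAC scope: the configured cookie domain when set (a cookie minted on one subdomain then verifies on every host under that domain), otherwise the exact request host.` As written `std::string cookie_domain = host_;` copies the view into a fresh string on every validation for no benefit; patch 02 already switches it to `absl::string_view`. With a domain configured the per-host binding is intentionally gone, so the accepted scope is exactly as wide as the configured domain — worth stating in that config field's documentation, which is outside this patch.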
@@ -500,18 +505,26 @@ Http::FilterHeadersStatus OAuth2Filter::signOutUser(const Http::RequestHeaderMap {{Http::Headers::get().Status, std::to_string(enumToInt(Http::Code::Found))}})}; const std::string new_path = absl::StrCat(headers.getSchemeValue(), "://", host_, "/"); + + std::string cookie_delete_format_string = CookieDeleteFormatString; + if (!config_->cookieDomain().empty()) { + cookie_delete_format_string = + absl::StrCat(cookie_delete_format_string, + fmt::format(CookieDomainFormatString, config_->cookieDomain())); + } + response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(CookieDeleteFormatString, config_->cookieNames().oauth_hmac_)); + fmt::format(cookie_delete_format_string, config_->cookieNames().oauth_hmac_)); response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(CookieDeleteFormatString, config_->cookieNames().bearer_token_)); + fmt::format(cookie_delete_format_string, config_->cookieNames().bearer_token_)); response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(CookieDeleteFormatString, config_->cookieNames().id_token_)); + fmt::format(cookie_delete_format_string, config_->cookieNames().id_token_)); response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(CookieDeleteFormatString, config_->cookieNames().refresh_token_)); + fmt::format(cookie_delete_format_string, config_->cookieNames().refresh_token_)); response_headers->setLocation(new_path); decoder_callbacks_->encodeHeaders(std::move(response_headers), true, SIGN_OUT); 
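Review bot: `cookie_delete_format_string` is assembled at run time from the already-expanded domain attribute and is then handed to `fmt::format` as the format string, so a configured cookie domain containing `{` or `}` is parsed as a replacement field and fmt raises a format error during sign-out instead of emitting the cookie. Format templates should stay compile-time literals: expand `CookieDeleteFormatString` with the cookie name first and append the domain text with `absl::StrCat`, which is what patch 02 of this series does — that version is the one that should land. signOutUser() begins before this hunk.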
@@ -542,11 +555,17 @@ std::string OAuth2Filter::getEncodedToken() const { auto token_secret = config_->tokenSecret(); std::vector token_secret_vec(token_secret.begin(), token_secret.end()); std::string encoded_token; + + domain = host_; + if (!config_->cookieDomain().empty()) { + domain = config_->cookieDomain(); + } + if (config_->forwardBearerToken()) { - encoded_token = - encodeHmac(token_secret_vec, host_, new_expires_, access_token_, id_token_, refresh_token_); + encoded_token = encodeHmac(token_secret_vec, domain, new_expires_, access_token_, id_token_, + refresh_token_); } else { - encoded_token = encodeHmac(token_secret_vec, host_, new_expires_); + encoded_token = encodeHmac(token_secret_vec, domain, new_expires_); } return encoded_token; } diff --git a/source/extensions/filters/http/oauth2/filter.h b/source/extensions/filters/http/oauth2/filter.h index 7ba18e318b00..b10edfb6d1ef 100644 --- a/source/extensions/filters/http/oauth2/filter.h +++ b/source/extensions/filters/http/oauth2/filter.h @@ -204,8 +204,8 @@ class CookieValidator { class OAuth2CookieValidator : public CookieValidator { public: - explicit OAuth2CookieValidator(TimeSource& time_source, const CookieNames& cookie_names) - : time_source_(time_source), cookie_names_(cookie_names) {} + explicit OAuth2CookieValidator(TimeSource& time_source, const CookieNames& cookie_names, const std::string& cookie_domain) + : time_source_(time_source), cookie_names_(cookie_names),cookie_domain_(cookie_domain) {} const std::string& token() const override { return token_; } const std::string& refreshToken() const override { return refresh_token_; } @@ -226,6 +226,7 @@ class OAuth2CookieValidator : public CookieValidator { absl::string_view host_; TimeSource& time_source_; const CookieNames cookie_names_; + const std::string cookie_domain_; }; /** From 5275df19fc1e68ab24d6472ef24c3201834b9577 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 26 Aug 2024 10:15:14 +0000 Subject: [PATCH 02/15] fix 
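Review bot: `domain = host_;` assigns to a name that is never declared in getEncodedToken(), so this hunk does not compile on its own; patch 02 adds the `absl::string_view domain = host_;` declaration. Beyond that, the three-line domain-or-host selection is a copy of the one hmacIsValid() now carries, and the two must stay identical for a freshly minted cookie to verify later; a shared helper removes that risk. getEncodedToken() starts before this hunk.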
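Review bot: The new `cookie_domain_` member in the filter.h hunk @@ -226 is undocumented although it changes what the validator's HMAC check is bound to. Add `// Configured cookie domain; when non-empty it replaces the request host as the first HMAC payload field, so the cookie validates on any host under this domain. Empty keeps the per-host binding.` above the declaration, since the tests rely on passing `""` to get the old behaviour. The constructor in hunk @@ -204 also needs clang-format (the missing space after the comma in the initializer list); patch 02 reformats it.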
Signed-off-by: Huabing Zhao --- .../extensions/filters/http/oauth2/filter.cc | 29 ++++++++++--------- .../extensions/filters/http/oauth2/filter.h | 5 ++-- 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index e403e83a9c52..79acf523ab5d 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -235,13 +235,14 @@ void OAuth2CookieValidator::setParams(const Http::RequestHeaderMap& headers, bool OAuth2CookieValidator::canUpdateTokenByRefreshToken() const { return !refresh_token_.empty(); } bool OAuth2CookieValidator::hmacIsValid() const { - std::string cookie_domain = host_; + absl::string_view cookie_domain = host_; if (!cookie_domain_.empty()) { cookie_domain = cookie_domain_; } - return ( - (encodeHmacBase64(secret_, cookie_domain, expires_, token_, id_token_, refresh_token_) == hmac_) || - (encodeHmacHexBase64(secret_, cookie_domain, expires_, token_, id_token_, refresh_token_) == hmac_)); + return ((encodeHmacBase64(secret_, cookie_domain, expires_, token_, id_token_, refresh_token_) == + hmac_) || + (encodeHmacHexBase64(secret_, cookie_domain, expires_, token_, id_token_, + refresh_token_) == hmac_)); } bool OAuth2CookieValidator::timestampIsValid() const { 
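Review bot: The rewritten return statement still compares the freshly computed HMAC with the cookie's `hmac_` via `std::string::operator==`, which exits on the first differing byte; this is pre-existing rather than introduced here, but these lines are being reworked anyway and a length check followed by a constant-time comparison such as BoringSSL's `CRYPTO_memcmp` is the usual form for an HMAC check. The local `cookie_domain` also differs from the member `cookie_domain_` by one underscore while holding a different thing (domain-or-host); `hmac_scope` or similar would make the fallback visible at the comparison sites.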
@@ -506,25 +507,27 @@ Http::FilterHeadersStatus OAuth2Filter::signOutUser(const Http::RequestHeaderMap const std::string new_path = absl::StrCat(headers.getSchemeValue(), "://", host_, "/"); - std::string cookie_delete_format_string = CookieDeleteFormatString; + std::string cookie_domain; if (!config_->cookieDomain().empty()) { - cookie_delete_format_string = - absl::StrCat(cookie_delete_format_string, - fmt::format(CookieDomainFormatString, config_->cookieDomain())); + cookie_domain = fmt::format(CookieDomainFormatString, config_->cookieDomain()); } response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(cookie_delete_format_string, config_->cookieNames().oauth_hmac_)); + absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().oauth_hmac_), + cookie_domain)); response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(cookie_delete_format_string, config_->cookieNames().bearer_token_)); + absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().bearer_token_), + cookie_domain)); response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(cookie_delete_format_string, config_->cookieNames().id_token_)); + absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().id_token_), + cookie_domain)); response_headers->addReferenceKey( Http::Headers::get().SetCookie, - fmt::format(cookie_delete_format_string, config_->cookieNames().refresh_token_)); + absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().refresh_token_), + cookie_domain)); response_headers->setLocation(new_path); decoder_callbacks_->encodeHeaders(std::move(response_headers), true, SIGN_OUT); 
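Review bot: The local `cookie_domain` in this hunk holds the rendered attribute text (the output of `fmt::format(CookieDomainFormatString, …)`), not a domain, so it reads as interchangeable with `config_->cookieDomain()` two lines above; `cookie_domain_attribute` says what it is. The four `addReferenceKey` calls differ only in the cookie name and could be one loop over the four names, which also guarantees that a cookie added later receives the same domain attribute (this assumes the CookieNames fields are `std::string`, as the tests' `absl::StrCat` usage suggests). signOutUser() starts before this hunk.
```cpp
  std::string cookie_domain_attribute;
  if (!config_->cookieDomain().empty()) {
    cookie_domain_attribute = fmt::format(CookieDomainFormatString, config_->cookieDomain());
  }
  const auto& cookie_names = config_->cookieNames();
  for (const std::string& cookie_name : {cookie_names.oauth_hmac_, cookie_names.bearer_token_,
                                         cookie_names.id_token_, cookie_names.refresh_token_}) {
    response_headers->addReferenceKey(
        Http::Headers::get().SetCookie,
        absl::StrCat(fmt::format(CookieDeleteFormatString, cookie_name), cookie_domain_attribute));
  }
  // … unchanged: setLocation(new_path) and encodeHeaders …
```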
@@ -556,7 +559,7 @@ std::string OAuth2Filter::getEncodedToken() const { std::vector token_secret_vec(token_secret.begin(), token_secret.end()); std::string encoded_token; - domain = host_; + absl::string_view domain = host_; if (!config_->cookieDomain().empty()) { domain = config_->cookieDomain(); } diff --git a/source/extensions/filters/http/oauth2/filter.h b/source/extensions/filters/http/oauth2/filter.h index b10edfb6d1ef..08a271f40cae 100644 --- a/source/extensions/filters/http/oauth2/filter.h +++ b/source/extensions/filters/http/oauth2/filter.h @@ -204,8 +204,9 @@ class CookieValidator { class OAuth2CookieValidator : public CookieValidator { public: - explicit OAuth2CookieValidator(TimeSource& time_source, const CookieNames& cookie_names, const std::string& cookie_domain) - : time_source_(time_source), cookie_names_(cookie_names),cookie_domain_(cookie_domain) {} + explicit OAuth2CookieValidator(TimeSource& time_source, const CookieNames& cookie_names, + const std::string& cookie_domain) + : time_source_(time_source), cookie_names_(cookie_names), cookie_domain_(cookie_domain) {} const std::string& token() const override { return token_; } const std::string& refreshToken() const override { return refresh_token_; } From 24fd543262e147f372e824a91ddddf6b7703a597 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 12:07:40 +0800 Subject: [PATCH 03/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 10 ++++++---- .../filters/http/oauth2/oauth_integration_test.cc | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index a32ae62de283..9c8cc36416e4 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc 
@@ -171,7 +171,7 @@ class OAuth2Test : public testing::TestWithParam { } // Validates the behavior of the cookie validator. - void expectValidCookies(const CookieNames& cookie_names) { + void expectValidCookies(const CookieNames& cookie_names, const std::string& cookie_domain) { // Set SystemTime to a fixed point so we get consistent HMAC encodings between test runs. test_time_.setSystemTime(SystemTime(std::chrono::seconds(0))); @@ -188,7 +188,8 @@ class OAuth2Test : public testing::TestWithParam { absl::StrCat(cookie_names.oauth_hmac_, "=dCu0otMcLoaGF73jrT+R8rGA0pnWyMgNf4+GivGrHEI=")}, }; - auto cookie_validator = std::make_shared(test_time_, cookie_names); + auto cookie_validator = + std::make_shared(test_time_, cookie_names, cookie_domain); EXPECT_EQ(cookie_validator->token(), ""); EXPECT_EQ(cookie_validator->refreshToken(), ""); cookie_validator->setParams(request_headers, "mock-secret"); @@ -881,13 +882,14 @@ TEST_F(OAuth2Test, AjaxDoesNotRedirect) { // Validates the behavior of the cookie validator. TEST_F(OAuth2Test, CookieValidator) { expectValidCookies( - CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}); + CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}, ""); } // Validates the behavior of the cookie validator with custom cookie names. TEST_F(OAuth2Test, CookieValidatorWithCustomNames) { expectValidCookies(CookieNames{"CustomBearerToken", "CustomOauthHMAC", "CustomOauthExpires", - "CustomIdToken", "CustomRefreshToken"}); + "CustomIdToken", "CustomRefreshToken"}, + ""); } // Validates the behavior of the cookie validator when the combination of some fields could be same. diff --git a/test/extensions/filters/http/oauth2/oauth_integration_test.cc b/test/extensions/filters/http/oauth2/oauth_integration_test.cc index f66efdbdd296..616639992e80 100644 --- a/test/extensions/filters/http/oauth2/oauth_integration_test.cc +++ b/test/extensions/filters/http/oauth2/oauth_integration_test.cc 
@@ -260,7 +260,7 @@ name: oauth Http::Headers::get().Cookie, absl::StrCat(default_cookie_names_.refresh_token_, "=", refreshToken)); - OAuth2CookieValidator validator{api_->timeSource(), default_cookie_names_}; + OAuth2CookieValidator validator{api_->timeSource(), default_cookie_names_, ""}; validator.setParams(validate_headers, std::string(hmac_secret)); return validator.isValid(); } From ebe27548999596295530d69a4e631c722ee123f4 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 12:22:27 +0800 Subject: [PATCH 04/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 9c8cc36416e4..198c575e5f3c 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -968,7 +968,7 @@ TEST_F(OAuth2Test, CookieValidatorInvalidExpiresAt) { auto cookie_validator = std::make_shared( test_time_, - CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}); + CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}, ""); cookie_validator->setParams(request_headers, "mock-secret"); EXPECT_TRUE(cookie_validator->hmacIsValid()); From d4583c579c2e03969b937c6502afe23fbb7a54fd Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 12:25:39 +0800 Subject: [PATCH 05/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 198c575e5f3c..b68f4b5c8f15 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc 
@@ -988,7 +988,7 @@ TEST_F(OAuth2Test, CookieValidatorCanUpdateToken) { auto cookie_validator = std::make_shared( test_time_, - CookieNames("BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken")); + CookieNames("BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"), ""); cookie_validator->setParams(request_headers, "mock-secret"); EXPECT_TRUE(cookie_validator->canUpdateTokenByRefreshToken()); @@ -1990,7 +1990,7 @@ TEST_F(OAuth2Test, CookieValidatorInTransition) { auto cookie_validator = std::make_shared( test_time_, - CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}); + CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}, ""); cookie_validator->setParams(request_headers_base64only, "mock-secret"); EXPECT_TRUE(cookie_validator->hmacIsValid()); From 3466bd455d3af6c26b0fc2bcada56741faf4042e Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 12:30:17 +0800 Subject: [PATCH 06/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index b68f4b5c8f15..0a9b5e8b2c41 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -911,7 +911,7 @@ TEST_F(OAuth2Test, CookieValidatorSame) { absl::StrCat(cookie_names.oauth_hmac_, "=MSq8mkNQGdXx2LKGlLHMwSIj8rLZRnrHE6EWvvTUFx0=")}, }; - auto cookie_validator = std::make_shared(test_time_, cookie_names); + auto cookie_validator = std::make_shared(test_time_, cookie_names, ""); EXPECT_EQ(cookie_validator->token(), ""); cookie_validator->setParams(request_headers, "mock-secret"); From ddc3d4ec39b76cb7c3ff82e0dc969626b58c438a Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 13:04:50 +0800 Subject: [PATCH 07/15] fix test 
Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 0a9b5e8b2c41..7b6575288dc7 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -1400,7 +1400,7 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithCookieDomain) { Http::TestRequestHeaderMapImpl second_response_headers{ {Http::Headers::get().Status.get(), "302"}, {Http::Headers::get().SetCookie.get(), - "OauthHMAC=fV62OgLipChTQQC3UFgDp+l5sCiSb3zt7nCoJiVivWw=;" + "OauthHMAC=aPoIhN7QYMrYc9nTGCCWgd3rJpZIEdjOtxPDdmVDS6E=;" "domain=example.com;path=/;Max-Age=;secure;HttpOnly"}, {Http::Headers::get().SetCookie.get(), "OauthExpires=;domain=example.com;path=/;Max-Age=;secure;HttpOnly"}, From 0232ad13f01b5ae4e6011d6545f6c36a06564145 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 13:17:50 +0800 Subject: [PATCH 08/15] add test for hmac with domain Signed-off-by: Huabing Zhao --- .../filters/http/oauth2/filter_test.cc | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 7b6575288dc7..5a518ed6e21e 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc 
@@ -892,6 +892,32 @@ TEST_F(OAuth2Test, CookieValidatorWithCustomNames) { ""); } +// Validates the behavior of the cookie validator with custom cookie domain. +TEST_F(OAuth2Test, CookieValidatorCanUpdateToken) { + Http::TestRequestHeaderMapImpl request_headers{ + {Http::Headers::get().Host.get(), "traffic.example.com"}, + {Http::Headers::get().Path.get(), "/anypath"}, + {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, + {Http::Headers::get().Cookie.get(), + fmt::format("{}={}", cookie_names.oauth_expires_, expires_at_s)}, + {Http::Headers::get().Cookie.get(), absl::StrCat(cookie_names.bearer_token_, "=xyztoken")}, + {Http::Headers::get().Cookie.get(), + absl::StrCat(cookie_names.oauth_hmac_, "=dCu0otMcLoaGF73jrT+R8rGA0pnWyMgNf4+GivGrHEI=")}, + }; + + auto cookie_validator = std::make_shared( + test_time_, + CookieNames("BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"), "example.com"); + + EXPECT_EQ(cookie_validator->token(), ""); + EXPECT_EQ(cookie_validator->refreshToken(), ""); + cookie_validator->setParams(request_headers, "mock-secret"); + + EXPECT_TRUE(cookie_validator->hmacIsValid()); + EXPECT_TRUE(cookie_validator->timestampIsValid()); + EXPECT_TRUE(cookie_validator->isValid()); +} + // Validates the behavior of the cookie validator when the combination of some fields could be same. TEST_F(OAuth2Test, CookieValidatorSame) { test_time_.setSystemTime(SystemTime(std::chrono::seconds(0))); @@ -1400,7 +1426,7 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithCookieDomain) { Http::TestRequestHeaderMapImpl second_response_headers{ {Http::Headers::get().Status.get(), "302"}, {Http::Headers::get().SetCookie.get(), - "OauthHMAC=aPoIhN7QYMrYc9nTGCCWgd3rJpZIEdjOtxPDdmVDS6E=;" + "OauthHMAC=fV62OgLipChTQQC3UFgDp+l5sCiSb3zt7nCoJiVivWw=;" "domain=example.com;path=/;Max-Age=;secure;HttpOnly"}, {Http::Headers::get().SetCookie.get(), "OauthExpires=;domain=example.com;path=/;Max-Age=;secure;HttpOnly"}, 
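Review bot: The new test cannot build as committed: it reuses the test name `CookieValidatorCanUpdateToken`, which this file already defines (see the hunk at line 988 in patch 05), and it reads `cookie_names` and `expires_at_s` without declaring them. It also asserts the HMAC literal `dCu0otMc…` that expectValidCookies() uses for the host-bound payload while constructing the validator with `"example.com"`, so hmacIsValid() would fail once it compiles; patches 09–13 repair these one by one, and patches 07, 08 and 14 flip the expected value in OAuthTestFullFlowPostWithCookieDomain back and forth. Squash the repairs into this commit so every commit in the series builds and passes. Add a comment above the HMAC literal such as `// Expected HMAC is computed with "example.com" (the configured cookie domain) as the first payload field, not the request host.` so the next person can regenerate it deliberately.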
From 74c3bd66ceb0bb35a23d8d625f3bdddac2cb120c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 13:20:57 +0800 Subject: [PATCH 09/15] add test for hmac with domain Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 5a518ed6e21e..d5f107c46306 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -893,7 +893,7 @@ TEST_F(OAuth2Test, CookieValidatorWithCustomNames) { } // Validates the behavior of the cookie validator with custom cookie domain. -TEST_F(OAuth2Test, CookieValidatorCanUpdateToken) { +TEST_F(OAuth2Test, CookieValidatorWithCookieDomain) { Http::TestRequestHeaderMapImpl request_headers{ {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Path.get(), "/anypath"}, From f32f61f6612c0ae4e2459daca76906856ab5aa5b Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 13:25:51 +0800 Subject: [PATCH 10/15] add test for hmac with domain Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index d5f107c46306..635026b5a2eb 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc 
@@ -894,6 +894,11 @@ TEST_F(OAuth2Test, CookieValidatorWithCustomNames) { // Validates the behavior of the cookie validator with custom cookie domain. TEST_F(OAuth2Test, CookieValidatorWithCookieDomain) { + test_time_.setSystemTime(SystemTime(std::chrono::seconds(0))); + auto cookie_names = + CookieNames{"BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"}; + const auto expires_at_s = DateUtil::nowToSeconds(test_time_.timeSystem()) + 5; + Http::TestRequestHeaderMapImpl request_headers{ {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Path.get(), "/anypath"}, @@ -905,9 +910,8 @@ TEST_F(OAuth2Test, CookieValidatorWithCookieDomain) { absl::StrCat(cookie_names.oauth_hmac_, "=dCu0otMcLoaGF73jrT+R8rGA0pnWyMgNf4+GivGrHEI=")}, }; - auto cookie_validator = std::make_shared( - test_time_, - CookieNames("BearerToken", "OauthHMAC", "OauthExpires", "IdToken", "RefreshToken"), "example.com"); + auto cookie_validator = + std::make_shared(test_time_, cookie_names, "example.com"); EXPECT_EQ(cookie_validator->token(), ""); EXPECT_EQ(cookie_validator->refreshToken(), ""); From e62fc19e92b6bd44c3a93ed93a5f86504a792aef Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 14:20:19 +0800 Subject: [PATCH 11/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 635026b5a2eb..9023e43bdf42 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc 
@@ -907,7 +907,7 @@ TEST_F(OAuth2Test, CookieValidatorWithCookieDomain) { fmt::format("{}={}", cookie_names.oauth_expires_, expires_at_s)}, {Http::Headers::get().Cookie.get(), absl::StrCat(cookie_names.bearer_token_, "=xyztoken")}, {Http::Headers::get().Cookie.get(), - absl::StrCat(cookie_names.oauth_hmac_, "=dCu0otMcLoaGF73jrT+R8rGA0pnWyMgNf4+GivGrHEI=")}, + absl::StrCat(cookie_names.oauth_hmac_, "zgWoFFmB6rbPHQQYQj35H+Fz+GYZgUrh/C48y0WHWRM=")}, }; auto cookie_validator = From 9bcc560be30a397fce02095560788ea438e8ee5e Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 14:25:58 +0800 Subject: [PATCH 12/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 9023e43bdf42..beed803a188c 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -907,7 +907,7 @@ TEST_F(OAuth2Test, CookieValidatorWithCookieDomain) { fmt::format("{}={}", cookie_names.oauth_expires_, expires_at_s)}, {Http::Headers::get().Cookie.get(), absl::StrCat(cookie_names.bearer_token_, "=xyztoken")}, {Http::Headers::get().Cookie.get(), - absl::StrCat(cookie_names.oauth_hmac_, "zgWoFFmB6rbPHQQYQj35H+Fz+GYZgUrh/C48y0WHWRM=")}, + absl::StrCat(cookie_names.oauth_hmac_, "aPoIhN7QYMrYc9nTGCCWgd3rJpZIEdjOtxPDdmVDS6E=")}, }; auto cookie_validator = From 8ca0d938feef527282db82c6926369bd6ac7af79 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 14:30:52 +0800 Subject: [PATCH 13/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index beed803a188c..cc2bacb2ecd6 100644 
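Review bot: The replacement value drops the `=` between the cookie name and the HMAC, so the Cookie header now carries `OauthHMACzgWo…` as a single nameless token and the validator never finds the `OauthHMAC` cookie at all; patch 12 changes the value again but keeps the missing separator, and only patch 13 restores `"=zgWo…"`. Writing it as `absl::StrCat(cookie_names.oauth_hmac_, "=", "<expected hmac>")` with the separator as its own argument makes such a slip visible in review. The churn across patches 11–13 suggests the expected value was found by trial; a one-line comment naming the payload fields it was computed over would let it be regenerated deliberately.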
--- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -907,7 +907,7 @@ TEST_F(OAuth2Test, CookieValidatorWithCookieDomain) { fmt::format("{}={}", cookie_names.oauth_expires_, expires_at_s)}, {Http::Headers::get().Cookie.get(), absl::StrCat(cookie_names.bearer_token_, "=xyztoken")}, {Http::Headers::get().Cookie.get(), - absl::StrCat(cookie_names.oauth_hmac_, "aPoIhN7QYMrYc9nTGCCWgd3rJpZIEdjOtxPDdmVDS6E=")}, + absl::StrCat(cookie_names.oauth_hmac_, "=zgWoFFmB6rbPHQQYQj35H+Fz+GYZgUrh/C48y0WHWRM=")}, }; auto cookie_validator = From 3f41180004351bda17c1f54aee747b1b70e5e070 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 07:00:14 +0000 Subject: [PATCH 14/15] fix test Signed-off-by: Huabing Zhao --- test/extensions/filters/http/oauth2/filter_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index cc2bacb2ecd6..b73bcf58906e 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -1430,7 +1430,7 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithCookieDomain) { Http::TestRequestHeaderMapImpl second_response_headers{ {Http::Headers::get().Status.get(), "302"}, {Http::Headers::get().SetCookie.get(), - "OauthHMAC=fV62OgLipChTQQC3UFgDp+l5sCiSb3zt7nCoJiVivWw=;" + "OauthHMAC=aPoIhN7QYMrYc9nTGCCWgd3rJpZIEdjOtxPDdmVDS6E=;" "domain=example.com;path=/;Max-Age=;secure;HttpOnly"}, {Http::Headers::get().SetCookie.get(), "OauthExpires=;domain=example.com;path=/;Max-Age=;secure;HttpOnly"}, From 9ee8f953994d388ef18b8dab7151490363fe837c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 27 Aug 2024 15:14:26 +0800 Subject: [PATCH 15/15] minor wording Signed-off-by: Huabing Zhao --- source/extensions/filters/http/oauth2/filter.cc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index 79acf523ab5d..9b23e534798d 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -136,25 +136,25 @@ Http::Utility::QueryParamsMulti buildAutorizationQueryParams( return query_params; } -std::string encodeHmacHexBase64(const std::vector& secret, absl::string_view host, +std::string encodeHmacHexBase64(const std::vector& secret, absl::string_view domain, absl::string_view expires, absl::string_view token = "", absl::string_view id_token = "", absl::string_view refresh_token = "") { auto& crypto_util = Envoy::Common::Crypto::UtilitySingleton::get(); const auto hmac_payload = - absl::StrJoin({host, expires, token, id_token, refresh_token}, HmacPayloadSeparator); + absl::StrJoin({domain, expires, token, id_token, refresh_token}, HmacPayloadSeparator); std::string encoded_hmac; absl::Base64Escape(Hex::encode(crypto_util.getSha256Hmac(secret, hmac_payload)), &encoded_hmac); return encoded_hmac; } -std::string encodeHmacBase64(const std::vector& secret, absl::string_view host, +std::string encodeHmacBase64(const std::vector& secret, absl::string_view domain, absl::string_view expires, absl::string_view token = "", absl::string_view id_token = "", absl::string_view refresh_token = "") { auto& crypto_util = Envoy::Common::Crypto::UtilitySingleton::get(); const auto hmac_payload = - absl::StrJoin({host, expires, token, id_token, refresh_token}, HmacPayloadSeparator); + absl::StrJoin({domain, expires, token, id_token, refresh_token}, HmacPayloadSeparator); std::string base64_encoded_hmac; std::vector hmac_result = crypto_util.getSha256Hmac(secret, hmac_payload); 
@@ -163,10 +163,10 @@ std::string encodeHmacBase64(const std::vector& secret, absl::string_vi return base64_encoded_hmac; } -std::string encodeHmac(const std::vector& secret, absl::string_view host, +std::string encodeHmac(const std::vector& secret, absl::string_view domain, absl::string_view expires, absl::string_view token = "", absl::string_view id_token = "", absl::string_view refresh_token = "") { - return encodeHmacBase64(secret, host, expires, token, id_token, refresh_token); + return encodeHmacBase64(secret, domain, expires, token, id_token, refresh_token); } } // namespace