Skip to content
This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

Commit

Permalink
Update dependencies; stronger enforcement of state parameter checks
Browse files Browse the repository at this point in the history
  • Loading branch information
Craig Walls committed Nov 11, 2015
1 parent f04fa5e commit 5151e11
Show file tree
Hide file tree
Showing 7 changed files with 65 additions and 45 deletions.
2 changes: 1 addition & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ configure(allprojects) {

dependencies {
testCompile("org.springframework:spring-test:${springVersion}")
testCompile("junit:junit-dep:${junitVersion}")
testCompile("junit:junit:${junitVersion}")
testCompile("org.hamcrest:hamcrest-library:${hamcrestVersion}")
testCompile("org.mockito:mockito-core:${mockitoVersion}")
}
Expand Down
20 changes: 10 additions & 10 deletions gradle.properties
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
h2Version=1.3.175
springSecurityVersion=3.2.7.RELEASE
junitVersion=4.11
httpComponentsVersion=4.3.1
springVersion=4.1.6.RELEASE
h2Version=1.4.190
springSecurityVersion=4.0.3.RELEASE
junitVersion=4.12
httpComponentsVersion=4.5.1
springVersion=4.1.8.RELEASE
springSnapshotVersion=latest.integration
hamcrestVersion=1.3
version=1.1.2.RELEASE
jacksonVersion=2.4.5
servletApiVersion=3.0.1
version=1.1.3.BUILD-SNAPSHOT
jacksonVersion=2.6.1
servletApiVersion=3.1.0
springReleaseVersion=latest.release
jspApiVersion=2.2.1
mockitoVersion=1.10.8
mockitoVersion=1.10.19
javaxInjectVersion=1
thymeleafVersion=2.1.2.RELEASE
thymeleafVersion=2.1.4.RELEASE
Original file line number Diff line number Diff line change
Expand Up @@ -18,24 +18,29 @@
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Properties;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.http.HttpMethod;
import org.springframework.http.client.BufferingClientHttpRequestFactory;
import org.springframework.http.client.ClientHttpRequestFactory;
Expand Down Expand Up @@ -114,31 +119,31 @@ private static CloseableHttpClient getClient(HttpHost proxy) {
}

private static CloseableHttpClient getAllTrustClient(HttpHost proxy) {
return HttpClients.custom()
.setProxy(proxy)
.setSslcontext(getSSLContext())
.setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
.build();
}

private static SSLContext getSSLContext() {
try {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
TrustStrategy allTrust = new TrustStrategy() {
@Override
HttpClientBuilder clientBuilder = HttpClientBuilder.create();
SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
return true;
}
};
return SSLContexts.custom().useSSL().loadTrustMaterial(trustStore, allTrust).build();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}).build();
clientBuilder.setSSLContext(sslContext);

HostnameVerifier hostnameVerifier = new NoopHostnameVerifier();

SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslSocketFactory)
.build();

PoolingHttpClientConnectionManager connMgr = new PoolingHttpClientConnectionManager( socketFactoryRegistry);
clientBuilder.setConnectionManager(connMgr);

return clientBuilder.build();
} catch (GeneralSecurityException e) {
// shouldn't happen
throw new RuntimeException(e);
}
return null;
}

}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -169,8 +169,8 @@ public Connection<?> completeConnection(OAuth2ConnectionFactory<?> connectionFac
private void verifyStateParameter(NativeWebRequest request) {
String state = request.getParameter("state");
String originalState = extractCachedOAuth2State(request);
if (state != null && !state.equals(originalState)) {
throw new IllegalStateException("The OAuth2 'state' parameter doesn't match.");
if (state == null || !state.equals(originalState)) {
throw new IllegalStateException("The OAuth2 'state' parameter is missing or doesn't match.");
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import static org.springframework.social.connect.web.test.StubOAuthTemplateBehavior.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.request;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.*;

import java.util.ArrayList;
Expand Down Expand Up @@ -291,9 +292,10 @@ public void oauth2Callback() throws Exception {
List<ConnectInterceptor<?>> interceptors = getConnectInterceptor();
connectController.setConnectInterceptors(interceptors);
connectController.afterPropertiesSet();
MockMvc mockMvc = standaloneSetup(connectController).build();
MockMvc mockMvc = standaloneSetup(connectController)
.build();
assertEquals(0, connectionRepository.findConnections("oauth2Provider").size());
mockMvc.perform(get("/connect/oauth2Provider").param("code", "oauth2Code"))
mockMvc.perform(get("/connect/oauth2Provider").param("code", "oauth2Code").param("state", "STATE").sessionAttr("oauth2State", "STATE"))
.andExpect(redirectedUrl("/connect/oauth2Provider"));
List<Connection<?>> connections = connectionRepository.findConnections("oauth2Provider");
assertEquals(1, connections.size());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -354,9 +354,11 @@ public void completeConnection_OAuth2() {
ConnectSupport support = new ConnectSupport();
MockHttpServletRequest mockRequest = new PortAwareMockHttpServletRequest();
mockRequest.addParameter("code", "authorization-grant");
mockRequest.addParameter("state", "STATE");
mockRequest.setScheme("http");
mockRequest.setServerName("somesite.com");
mockRequest.setRequestURI("/connect/someprovider");
mockRequest.getSession().setAttribute("oauth2State", "STATE");
ServletWebRequest request = new ServletWebRequest(mockRequest);
Connection<?> connection = support.completeConnection(new TestOAuth2ConnectionFactory(), request);
assertEquals("TestUser", connection.getDisplayName());
Expand Down Expand Up @@ -466,6 +468,11 @@ public TestOAuth2ConnectionFactory() {
super("someprovider", SERVICE_PROVIDER, API_ADAPTER);
}

// @Override
// public boolean supportsStateParameter() {
// return false;
// }

@Override
public Connection<TestApi> createConnection(AccessGrant accessGrant) {
return new OAuth2Connection<TestApi>("someprovider", "providerUserId", accessGrant.getAccessToken(),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import static org.hamcrest.Matchers.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.request;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.*;

import java.util.Arrays;
Expand Down Expand Up @@ -227,7 +228,8 @@ public void oauth2Callback_noMatchingUser() throws Exception {
ProviderSignInController providerSignInController = new ProviderSignInController(connectionFactoryLocator, usersConnectionRepository, null);
providerSignInController.afterPropertiesSet();
MockMvc mockMvc = standaloneSetup(providerSignInController).build();
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode"))
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode").param("state", "STATE")
.sessionAttr("oauth2State", "STATE"))
.andExpect(redirectedUrl("/signup"))
.andExpect(request().sessionAttribute(ProviderSignInAttempt.class.getName(), notNullValue()));
// TODO: Assert attempt contents
Expand All @@ -243,7 +245,8 @@ public void oauth2Callback_noMatchingUser_customSignUpUrl() throws Exception {
controller.setSignUpUrl("/register");
controller.afterPropertiesSet();
MockMvc mockMvc = standaloneSetup(controller).build();
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode"))
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode").param("state", "STATE")
.sessionAttr("oauth2State", "STATE"))
.andExpect(redirectedUrl("/register"))
.andExpect(request().sessionAttribute(ProviderSignInAttempt.class.getName(), notNullValue()));
// TODO: Assert attempt contents
Expand Down Expand Up @@ -286,7 +289,8 @@ public void oauth2Callback_multipleMatchingUsers() throws Exception {
ProviderSignInController providerSignInController = new ProviderSignInController(connectionFactoryLocator, usersConnectionRepository, null);
providerSignInController.afterPropertiesSet();
MockMvc mockMvc = standaloneSetup(providerSignInController).build();
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode"))
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode").param("state", "STATE")
.sessionAttr("oauth2State", "STATE"))
.andExpect(redirectedUrl("/signin?error=multiple_users"));
}

Expand All @@ -300,7 +304,8 @@ public void oauth2Callback_multipleMatchingUsers_customSignInUrl() throws Except
controller.afterPropertiesSet();
controller.setSignInUrl("/customsignin?someparameter=1234");
MockMvc mockMvc = standaloneSetup(controller).build();
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode"))
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode").param("state", "STATE")
.sessionAttr("oauth2State", "STATE"))
.andExpect(redirectedUrl("/customsignin?someparameter=1234&error=multiple_users"));
}

Expand Down Expand Up @@ -342,7 +347,8 @@ private void performOAuth2Callback(String originalUrl, String postSignInUrl) thr
controller.setPostSignInUrl(postSignInUrl);
}
MockMvc mockMvc = standaloneSetup(controller).build();
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode"))
mockMvc.perform(get("/signin/oauth2Provider").param("code", "authcode").param("state", "STATE")
.sessionAttr("oauth2State", "STATE"))
.andExpect(redirectedUrl(calculateExpectedRedirectUrl(originalUrl, postSignInUrl)));
// TODO: Verify that the connection is updated (connectionRepository.updateConnection() is called)
}
Expand Down

0 comments on commit 5151e11

Please sign in to comment.