updated Oauth (#6508)

(cherry picked from commit b558554)
apache · Jan 19, 2022 · fa0083f · fa0083f
1 parent 238f1a3
commit fa0083f
Showing 1 changed file with 16 additions and 9 deletions.
diff --git a/traffic_ops/traffic_ops_golang/login/login.go b/traffic_ops/traffic_ops_golang/login/login.go
@@ -217,7 +217,6 @@ func TokenLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 // OauthLoginHandler accepts a JSON web token previously obtained from an OAuth provider, decodes it, validates it, authorizes the user against the database, and returns the login result as either an error or success message
 func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		handleErrs := tc.GetHandleErrorsFunc(w, r)
 		defer r.Body.Close()
 		authenticated := false
 		resp := struct {
@@ -233,7 +232,17 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 		}{}
 
 		if err := json.NewDecoder(r.Body).Decode(&parameters); err != nil {
-			handleErrs(http.StatusBadRequest, err)
+			api.HandleErr(w, r, nil, http.StatusBadRequest, err, nil)
+			return
+		}
+
+		matched, err := VerifyUrlOnWhiteList(parameters.AuthCodeTokenUrl, cfg.ConfigTrafficOpsGolang.WhitelistedOAuthUrls)
+		if err != nil {
+			api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, err)
+			return
+		}
+		if !matched {
+			api.HandleErr(w, r, nil, http.StatusForbidden, nil, errors.New("Key URL from token is not included in the whitelisted urls. Received: "+parameters.AuthCodeTokenUrl))
 			return
 		}
 
@@ -249,7 +258,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 			req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(parameters.ClientId+":"+cfg.OAuthClientSecret))) // per RFC6749 section 2.3.1
 		}
 		if err != nil {
-			log.Errorf("obtaining token using code from oauth provider: %s", err.Error())
+			api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("obtaining token using code from oauth provider: %w", err))
 			return
 		}
 
@@ -258,7 +267,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 		}
 		response, err := client.Do(req)
 		if err != nil {
-			log.Errorf("getting an http client: %s", err.Error())
+			api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("getting an http client: %w", err))
 			return
 		}
 		defer response.Body.Close()
@@ -289,8 +298,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 		}
 
 		if encodedToken == "" {
-			log.Errorf("Token not found in request but is required")
-			handleErrs(http.StatusBadRequest, errors.New("Token not found in request but is required"))
+			api.HandleErr(w, r, nil, http.StatusBadRequest, errors.New("Token not found in request but is required"), nil)
 			return
 		}
 
@@ -324,8 +332,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 			return selectedKey, nil
 		})
 		if err != nil {
-			handleErrs(http.StatusInternalServerError, errors.New("Error decoding token with message: "+err.Error()))
-			log.Errorf("Error decoding token: %s\n", err.Error())
+			api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, errors.New("Error decoding token with message: "+err.Error()))
 			return
 		}
 
@@ -357,7 +364,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 
 		respBts, err := json.Marshal(resp)
 		if err != nil {
-			handleErrs(http.StatusInternalServerError, err)
+			api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, err)
 			return
 		}
 		w.Header().Set(rfc.ContentType, rfc.ApplicationJSON)