Zonify logout: redirect links/parameters/whitelist/flag
https://www.pivotaltracker.com/story/show/108723714 [#108723714]
Showing
10 changed files
with
317 additions
and
17 deletions.
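--- /dev/null
+++ b/...in/java/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandler.java
@@ -0,0 +1,59 @@
+/*
+* *****************************************************************************
+* Cloud Foundry
+* Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
+* This product is licensed to you under the Apache License, Version 2.0 (the "License").
+* You may not use this product except in compliance with the License.
+*
+* This product includes a number of subcomponents with
+* separate copyright notices and license terms. Your use of these
+* subcomponents is subject to the terms and conditions of the
+* subcomponent's license, as noted in the LICENSE file.
+* *****************************************************************************
+*/
+
+package org.cloudfoundry.identity.uaa.authentication;
+
+
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class ZoneAwareWhitelistLogoutHandler implements LogoutSuccessHandler {
+
+private final ClientDetailsService clientDetailsService;
+
+public ZoneAwareWhitelistLogoutHandler(ClientDetailsService clientDetailsService) {
+this.clientDetailsService = clientDetailsService;
+}
+
+@Override
+public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+getZoneHandler().onLogoutSuccess(request, response, authentication);
+}
+
+protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
+return getZoneHandler().determineTargetUrl(request, response);
+}
+
+protected WhitelistLogoutHandler getZoneHandler() {
+IdentityZoneConfiguration config = IdentityZoneHolder.get().getConfig();
+if (config==null) {
+config = new IdentityZoneConfiguration();
+}
+WhitelistLogoutHandler handler = new WhitelistLogoutHandler(config.getLinks().getLogout().getWhitelist());
+handler.setTargetUrlParameter(config.getLinks().getLogout().getRedirectParameterName());
+handler.setDefaultTargetUrl(config.getLinks().getLogout().getRedirectUrl());
+handler.setAlwaysUseDefaultTargetUrl(config.getLinks().getLogout().isDisableRedirectParameter());
+handler.setClientDetailsService(clientDetailsService);
+return handler;
+}
+
+}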
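Review bot: `getZoneHandler()` forwards the zone's logout whitelist to `WhitelistLogoutHandler` without documenting what its values mean, and the accompanying tests show the distinction is security-relevant: a null whitelist lets any `redirect` value through (test_allow_open_redirect), whereas with a populated list values outside it fall back to the default target and only client-registered redirect URIs are additionally accepted. A Javadoc on the method should state that, e.g. `/** Builds a WhitelistLogoutHandler from the current zone's logout links on every call, so zone-config changes apply immediately; a null whitelist disables redirect filtering entirely and should be treated as an explicit opt-in by zone operators. */`. The null guard at the top of the method covers a missing zone config only; whether `getLinks()` or `getLogout()` can themselves be null is not visible here and is worth confirming, since an NPE there would fail every logout in that zone. Whether `IdentityZoneHolder.get()` can return null at logout time is likewise not visible from this file.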
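--- /dev/null
+++ b/...va/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandlerTests.java
@@ -0,0 +1,156 @@
+/*
+* *****************************************************************************
+* Cloud Foundry
+* Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
+* This product is licensed to you under the Apache License, Version 2.0 (the "License").
+* You may not use this product except in compliance with the License.
+*
+* This product includes a number of subcomponents with
+* separate copyright notices and license terms. Your use of these
+* subcomponents is subject to the terms and conditions of the
+* subcomponent's license, as noted in the LICENSE file.
+* *****************************************************************************
+*/
+
+package org.cloudfoundry.identity.uaa.authentication;
+
+import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.NoSuchClientException;
+import org.springframework.security.oauth2.provider.client.BaseClientDetails;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.oauth2.common.util.OAuth2Utils.CLIENT_ID;
+
+
+public class ZoneAwareWhitelistLogoutHandlerTests {
+
+private MockHttpServletRequest request = new MockHttpServletRequest();
+private MockHttpServletResponse response = new MockHttpServletResponse();
+private BaseClientDetails client = new BaseClientDetails(CLIENT_ID, "", "", "", "", "http://*.testing.com,http://testing.com");
+private ClientDetailsService clientDetailsService = mock(ClientDetailsService.class);
+private ZoneAwareWhitelistLogoutHandler handler;
+IdentityZoneConfiguration configuration = new IdentityZoneConfiguration();
+IdentityZoneConfiguration original;
+
+
+@Before
+public void setUp() throws Exception {
+original = IdentityZone.getUaa().getConfig();
+configuration.getLinks().getLogout()
+.setRedirectUrl("/login")
+.setDisableRedirectParameter(true)
+.setRedirectParameterName("redirect");
+when(clientDetailsService.loadClientByClientId(CLIENT_ID)).thenReturn(client);
+handler = new ZoneAwareWhitelistLogoutHandler(clientDetailsService);
+IdentityZoneHolder.get().setConfig(configuration);
+}
+
+@After
+public void tearDown() throws Exception {
+IdentityZoneHolder.clear();
+IdentityZone.getUaa().setConfig(original);
+}
+
+@Test
+public void test_defaults() throws Exception {
+WhitelistLogoutHandler whandler = handler.getZoneHandler();
+assertEquals(Collections.EMPTY_LIST, whandler.getWhitelist());
+assertEquals("redirect", whandler.getTargetUrlParameter());
+assertEquals("/login", whandler.getDefaultTargetUrl1());
+assertTrue(whandler.isAlwaysUseDefaultTargetUrl());
+}
+
+@Test
+public void test_null_config_defaults() throws Exception {
+IdentityZoneHolder.get().setConfig(null);
+test_default_redirect_uri();
+}
+
+
+@Test
+public void test_default_redirect_uri() throws Exception {
+assertEquals("/login", handler.determineTargetUrl(request, response));
+assertEquals("/login", handler.determineTargetUrl(request, response));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+assertEquals("/login", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void test_whitelist_reject() throws Exception {
+configuration.getLinks().getLogout().setWhitelist(Arrays.asList("http://testing.com"));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter("redirect", "http://testing.com");
+assertEquals("http://testing.com", handler.determineTargetUrl(request, response));
+request.setParameter("redirect", "http://www.testing.com");
+assertEquals("/login", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void test_allow_open_redirect() throws Exception {
+configuration.getLinks().getLogout().setWhitelist(null);
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter("redirect", "http://testing.com");
+assertEquals("http://testing.com", handler.determineTargetUrl(request, response));
+request.setParameter("redirect", "http://www.testing.com");
+assertEquals("http://www.testing.com", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void test_whitelist_redirect() throws Exception {
+configuration.getLinks().getLogout().setWhitelist(Arrays.asList("http://somethingelse.com"));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter("redirect", "http://somethingelse.com");
+assertEquals("http://somethingelse.com", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void test_whitelist_redirect_with_wildcard() throws Exception {
+configuration.getLinks().getLogout().setWhitelist(Arrays.asList("http://*.somethingelse.com"));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter("redirect", "http://www.somethingelse.com");
+assertEquals("http://www.somethingelse.com", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void test_client_redirect() throws Exception {
+configuration.getLinks().getLogout().setWhitelist(Arrays.asList("http://somethingelse.com"));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter("redirect", "http://testing.com");
+request.setParameter(CLIENT_ID, CLIENT_ID);
+assertEquals("http://testing.com", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void client_not_found_exception() throws Exception {
+when(clientDetailsService.loadClientByClientId("test")).thenThrow(new NoSuchClientException("test"));
+configuration.getLinks().getLogout().setWhitelist(Arrays.asList("http://testing.com"));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter("redirect", "http://notwhitelisted.com");
+request.setParameter(CLIENT_ID, "test");
+assertEquals("/login", handler.determineTargetUrl(request, response));
+}
+
+@Test
+public void test_client_redirect_using_wildcard() throws Exception {
+configuration.getLinks().getLogout().setWhitelist(Arrays.asList("http://testing.com"));
+configuration.getLinks().getLogout().setDisableRedirectParameter(false);
+request.setParameter(CLIENT_ID, CLIENT_ID);
+request.setParameter("redirect", "http://www.testing.com");
+assertEquals("http://www.testing.com", handler.determineTargetUrl(request, response));
+}
+
+}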
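Review bot: `test_null_config_defaults` delegates to `test_default_redirect_uri`, whose `setDisableRedirectParameter(false)` call mutates the `configuration` field that the handler no longer reads once the holder's config is null, so its last assertion merely repeats the first and the null-config path is never exercised with a `redirect` parameter present, which is the case that matters for open-redirect protection. I would add a dedicated test that nulls the config, sets `redirect` to a URL that is not whitelisted and pins the fallback; the `/login` default is established by the existing null-config test, but the expectation that a fresh `IdentityZoneConfiguration`'s empty whitelist rejects rather than allows everything is not visible on this page and should be confirmed against its defaults. `getDefaultTargetUrl1()` in `test_defaults` reads like a typo but may be a deliberate public accessor on `WhitelistLogoutHandler`, which is outside this page; if it is, a more descriptive name would help.
```java
@Test
public void test_null_config_ignores_redirect_parameter() throws Exception {
    IdentityZoneHolder.get().setConfig(null);
    request.setParameter("redirect", "http://notwhitelisted.com");
    // TODO confirm: assumes a fresh IdentityZoneConfiguration's empty whitelist rejects non-whitelisted targets
    assertEquals("/login", handler.determineTargetUrl(request, response));
}
```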