Enable get and query strings for check_token endpoint

[#144040709] https://www.pivotaltracker.com/story/show/144040709
cloudfoundry · Apr 22, 2017 · 80d9398 · 80d9398
1 parent 8d94c5b
commit 80d9398
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 6 deletions.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpoint.java
@@ -39,10 +39,13 @@
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.stream.Collectors;
 
+import static java.util.Collections.emptyList;
 import static org.springframework.http.HttpStatus.NOT_ACCEPTABLE;
+import static org.springframework.util.StringUtils.commaDelimitedListToSet;
 import static org.springframework.util.StringUtils.hasText;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
@@ -60,10 +63,10 @@ public void setTokenServices(ResourceServerTokenServices resourceServerTokenServ
         this.resourceServerTokenServices = resourceServerTokenServices;
     }
 
-    private boolean allowQueryString = false;
+    private Boolean allowQueryString = null;
 
     public boolean isAllowQueryString() {
-        return allowQueryString;
+        return (allowQueryString == null) ? true : allowQueryString;
     }
 
     public void setAllowQueryString(boolean allowQueryString) {
@@ -81,7 +84,7 @@ public Claims checkToken(@RequestParam("token") String value,
                              @RequestParam(name = "scopes", required = false, defaultValue = "") List<String> scopes,
                              HttpServletRequest request) throws HttpRequestMethodNotSupportedException {
 
-        if (hasText(request.getQueryString())) {
+        if (hasText(request.getQueryString()) && !isAllowQueryString()) {
             logger.debug("Call to /oauth/token contains a query string. Aborting.");
             throw new HttpRequestMethodNotSupportedException("POST");
         }
@@ -121,7 +124,15 @@ public Claims checkToken(@RequestParam("token") String value,
 
     @RequestMapping(value = "/check_token")
     public void checkToken(HttpServletRequest request) throws HttpRequestMethodNotSupportedException {
-        throw new HttpRequestMethodNotSupportedException(request.getMethod());
+        if (isAllowQueryString()) {
+            String token = request.getParameter("token");
+            String scope = request.getParameter("scope");
+            checkToken(
+                token, hasText(scope) ? new LinkedList<>(commaDelimitedListToSet(scope)) : emptyList(),
+                request);
+        } else {
+            throw new HttpRequestMethodNotSupportedException(request.getMethod());
+        }
     }
 
 

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/UaaTokenEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/UaaTokenEndpoint.java
@@ -44,8 +44,8 @@ public class UaaTokenEndpoint extends TokenEndpoint {
 
     private Boolean allowQueryString = null;
 
-    public Boolean isAllowQueryString() {
+    public boolean isAllowQueryString() {
-        return allowQueryString;
+        return allowQueryString == null ? true : allowQueryString;
     }
 
     public void setAllowQueryString(boolean allowQueryString) {

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpointTests.java
@@ -52,6 +52,7 @@
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
 import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
+import org.springframework.web.HttpRequestMethodNotSupportedException;
 
 import java.net.URISyntaxException;
 import java.util.ArrayList;
@@ -779,6 +780,33 @@ public void testValidateAudParameter() throws Exception {
         assertTrue(aud.contains("client"));
     }
 
+    @Test
+    public void by_default_query_string_is_allowed() throws Exception {
+        setAccessToken(tokenServices.createAccessToken(authentication));
+        request.setQueryString("token="+getAccessToken());
+        endpoint.checkToken(getAccessToken(), Collections.emptyList(), request);
+    }
+
+    @Test
+    public void by_default_get_is_allowed() throws Exception {
+        setAccessToken(tokenServices.createAccessToken(authentication));
+        request.setQueryString("token="+getAccessToken());
+        request.setParameter("token", getAccessToken());
+        endpoint.checkToken(request);
+    }
+
+    @Test(expected = HttpRequestMethodNotSupportedException.class)
+    public void disable_query_string() throws Exception {
+        endpoint.setAllowQueryString(false);
+        by_default_query_string_is_allowed();
+    }
+
+    @Test(expected = HttpRequestMethodNotSupportedException.class)
+    public void disable_get_method() throws Exception {
+        endpoint.setAllowQueryString(false);
+        by_default_get_is_allowed();
+    }
+
     @Test
     public void testClientId() throws Exception {
         setAccessToken(tokenServices.createAccessToken(authentication));

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpointMockMvcTest.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpointMockMvcTest.java
@@ -20,6 +20,7 @@
 import org.cloudfoundry.identity.uaa.mock.token.AbstractTokenMockMvcTests;
 import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
@@ -50,6 +51,7 @@ public class CheckTokenEndpointMockMvcTest extends AbstractTokenMockMvcTests {
     public static final String CLIENTSECRET = "secret";
     private String token;
     private String basic;
+    private boolean allowQueryString;
 
     @Before
     public void get_token_to_check() throws Exception {
@@ -70,8 +72,16 @@ public void get_token_to_check() throws Exception {
         Map<String,Object> tokenMap = JsonUtils.readValue(content, new TypeReference<Map<String, Object>>() {});
         token = (String) tokenMap.get("access_token");
         basic = new String(Base64.encodeBase64((CLIENTID+":"+CLIENTSECRET).getBytes()));
+        allowQueryString = getWebApplicationContext().getBean(CheckTokenEndpoint.class).isAllowQueryString();
+        getWebApplicationContext().getBean(CheckTokenEndpoint.class).setAllowQueryString(false);
     }
 
+    @After
+    public void resetAllowQueryString() throws Exception {
+        getWebApplicationContext().getBean(CheckTokenEndpoint.class).setAllowQueryString(allowQueryString);
+    }
+
+
     @Test
     public void check_token_get() throws Exception {
         check_token(get("/check_token"), status().isMethodNotAllowed())
@@ -93,6 +103,12 @@ public void check_token_post() throws Exception {
         check_token(post("/check_token"), status().isOk());
     }
 
+    @Test
+    public void check_token_get_when_allowed() throws Exception {
+        getWebApplicationContext().getBean(CheckTokenEndpoint.class).setAllowQueryString(true);
+        check_token(get("/check_token"), status().isOk());
+    }
+
     @Test
     public void check_token_delete() throws Exception {
         check_token(MockMvcRequestBuilders.delete("/check_token"),status().isMethodNotAllowed())