Do not expire invitations on GET requests #1128
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/169322795 The labels on this github issue will be updated when the story is started. |
|
|
Just to say I've tested this in a production-like environment now and it appears to work as intended:
GOV.UK PaaS will be updating our UAA fork to run this code until it's merged into upstream. |
|
Hi @richardTowers - we haven't gotten to this yet, but it's on our list. Hopefully we can review early next week! |
|
Hello @richardTowers - The UAA team still plans to review this PR for merge. We're currently focused on some Spring Boot and k8s related changes that have consumed our available time/resource. We appreciate the submission, and haven't forgotten our need to review it. |
tlwr
force-pushed
the
do-not-expire-invitations-on-get-requests
branch
from
578cc96
to
82385c5
Compare
|
Hi, I've rebased this onto the We've been running this in production since @richardTowers raised this PR, on our fork, and it is working perfectly. Our users no longer report that their invitations have expired due to email client shenanigans, we haven't had a support ticket about this in months. |
tlwr
force-pushed
the
do-not-expire-invitations-on-get-requests
branch
5 times, most recently
from
cead29e
to
032a85b
Compare
tlwr
force-pushed
the
do-not-expire-invitations-on-get-requests
branch
from
032a85b
to
01db516
Compare
tlwr
pushed a commit
to alphagov/paas-uaa-release
that referenced
this pull request
Sep 10, 2020
v74.24.0 and our patch from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 10, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 10, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 10, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 14, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 15, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 15, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
tlwr
pushed a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 15, 2020
from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
AP-Hunt
pushed a commit
to alphagov/paas-uaa-release
that referenced
this pull request
Nov 23, 2020
v74.28.0 and our patch from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk> Signed-off-by: Andy Hunt <andy.hunt@digital.cabinet-office.gov.uk>
|
Moving our conversation from slack. We plan to create a story for us to look at this--we can't right now because of some competing priorities. One security qualm that came up in our discussion--without spending a lot of time to validate--is that the PR expands the amount of time that the invite link is valid. If y’all have already thought through these scenarios we’d appreciate some input on their security implications.. We also discussed solving the problem as described in this StackExchange post, where the email has a GET link to a page where you confirm acceptance with a POST button, which gets around the lack of expiration. This seemed like a good alternative solution to us. Thanks for your engagement on the issue and we hope to get back to you soon. |
|
Hi @thausler786! I think the solution you describe ("the email has a GET link to a page where you confirm acceptance with a POST button") is pretty much how things work at the moment, and is how things would work following this PR. The user already has to fill in a form and click a button to accept the invitation. The only problem at the moment is that the initial GET request rotates the invitation code (so the old one is expired, and a new one is placed in the form). If this GET request is done by a non-human user agent (like an email client pre-fetching the link) then the whole system doesn't work. From a security perspective, this only extends the time that the invitation code is valid in the situation where a user or process follows the link, but doesn't complete the form. Otherwise, the invitation codes still retain their standard expiry. I can't think of a scenario where that would give a malicious user an advantage (but perhaps someone with a more sneaky mind could think of something). |
|
A brief look at the code change suggests to me that the PR has no impact on the maximum lifetime of an invite (disclaimer: I wasn't involved in writing it, and I'm not very familiar with the code base). The invite codes still have an expiry time, the only difference is that the invitation code isn't automatically expired in the situations described above. We've been running this code in two production Cloud Foundry deployments since the PR was raised (23rd October 2019) and we haven't felt there was a concern around invite codes in that time. I think when it comes down to it, we're not really fussed by which approach is taken to solve the problem we set out to solve. I think what we're most interested in is making sure invitation links don't expire at the wrong time, and that we're eventually able to swap back to running from the upstream releases. |
richardTowers
force-pushed
the
do-not-expire-invitations-on-get-requests
branch
from
01db516
to
2f8600e
Compare
At the moment, when the user visits: ``` /invitations/accept?code=some-code ``` the invitation code from their email is immediately expired and replaced with a newly generated code which is put in a hidden input in the HTML form. Each time the user submits the form, the code is expired and (if necessary - e.g. if there's a validation issue) replaced with a new one. This is fine so long as the user fills the form in immediately, but there are a number of edge cases where this approach causes usability problems: 1) If the user refreshes the page it will tell them their invitation has expired. 2) If the user closes the tab without submitting the form, and then follows the invitation link from their email later it will show as expired. 3) If the user's email client or web browser pre-fetches the link for any reason (e.g. virus scanning / spam detection / performance optimisation) then the link will not work when they follow it for real. The third issue is the most serious. We (GOV.UK PaaS) have had some very users working in places that pre-fetch links in emails (for some reason or other), and this means they're completely unable to accept invitations. Judging from the irate support tickets we've had from these users the experience is pretty frustrating. This commit changes the GET request to /invitations/accept so that it does not expire the token (unless the invitation is being auto-accepted). The POST handler is unchanged, so if the user actually submits the form then the token will change (as it did before), even if there's a validation issue that prevents the invitation being accepted. This change fixes the usability issues, and makes the behaviour more consistent with HTTP's semantics (in the sense that GET requests should be "safe" - should not modify the state of the server).
richardTowers
force-pushed
the
do-not-expire-invitations-on-get-requests
branch
from
2f8600e
to
42b09c5
Compare
|
I've rebased this against |
|
Thanks! We've prioritized a story for us to look at this here |
|
@thausler786 Any news on getting this reviewed and merged? This is causing delays in our ability to respond to CVEs as we are having to maintain our own fork. |
|
Hi @thausler786 I can't access the story you linked. What's the state of play? Is there a timeline to this making it in to a release? |
mogds
pushed a commit
to alphagov/paas-uaa-release
that referenced
this pull request
Apr 16, 2021
v74.24.0 and our patch from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
mogds
pushed a commit
to alphagov/paas-uaa-release
that referenced
this pull request
Apr 16, 2021
v74.24.0 and our patch from cloudfoundry/uaa#1128 Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
|
From the end-users usability point of view, the invite code should not expire after the first hit from the browser. It can happen that the user closes the browser or tab without submitting the password. Request you to prioritize this feature and merge the PR ASAP |
|
@peterhaochen47 OK with you to accept it, since I see no technical reason |
akarollil
added a commit
to GESoftware-CF/uaa
that referenced
this pull request
Aug 5, 2021
* tag 'v75.6.0': Update UAA image reference in k8s deployment template to 75.6.0 Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639) Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638) fix generateDocs PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606) fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632) fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633) Do not expire invitations on GET requests (cloudfoundry#1128) revert back revert to last working fix bundle install update (cloudfoundry#1627) update kramdown 2.3.1 (cloudfoundry#1626) Fix bug with origin chooser and selected allowed provider configuration update activesupport 5.2.4.3 (cloudfoundry#1625) update jquery (cloudfoundry#1618) Update Font-Awesome (cloudfoundry#1617) Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616) rebase rebase merge develop Bump passay version 1.6.1 (cloudfoundry#1612) Bump Spring Dependencies (cloudfoundry#1611) Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609) Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608) Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254) Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601) Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604) Fix CF-UAA version number Bump maven dependencies (cloudfoundry#1600) Bump Tomcat dependency Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599) cleanup code from sonar findings and add additional tests cleanup code from sonar findings and add additional tests More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests fix: Open Redirect Security Issue via some UAA endpoints, including logout.do BigInteger encoding fixed (cloudfoundry#1579) Set startStopTimeout to be configurable (cloudfoundry#1594) switch to StaleUrlCache origin sync Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598) Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597) Bump dependency (cloudfoundry#1596) Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562) Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322) Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550) Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586) Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582) Update dependencies.gradle update Create dependencies.gradle cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585) Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573) Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575) Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587) Github userUserInfo from local configuration (cloudfoundry#1595) Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592) Bump Guava Dependencies (cloudfoundry#1581) Document the 'userInfoUrl' property for OAuth identity provider config Bump Spring Dependencies (cloudfoundry#1591) Fix issue 1584 Test that we redirect when client allows only SAML Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368] Bump Spring Dependencies (cloudfoundry#1580) fix: test token audience claim in an unordered way Bump Spring Dependencies (cloudfoundry#1577) Bump bouncyCastleVersion from 1.68 to 1.69 Small improvements for the consent form (cloudfoundry#1561) Use Claims class to desrialize the token string. feat: output message when DB cannot be initialized refactor: extract variable formatting: whitespaces do not sleep more than 1 minute fix: test runner flakes fix: authTime can be later than 2037 Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate Backfilled unit test Make Java 11 our minimum Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572) Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info Various code/spaces improvements Implement support for Github OAuth 2.0 provider feat: error log on internal error feat: validate java version Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149 Fix comment Include passcode prompt in json response if discovery or account chooser are enabled Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564) Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4 Return existing records on update failure Restore explicit imports. login_hint should not automatically bypass discovery logic Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547) Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa Bump jasmine from 3.6.4 to 3.7.0 in /uaa Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s Bump Spring Dependencies (cloudfoundry#1559) refactor: extract shared code into helper methods Rename variable and test case for clarity Invert boolean method to have a more intuitive naming Add additional tests Only update user if token not issued by UAA Fix wrong username mapping on jwt Bearer with UAA token Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548) Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541) Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535) Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542) refactor: rename Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532) Dependeny Updagtes (cloudfoundry#1538) refactor: implement recommendation from thymeleaf (cloudfoundry#1512) Fix typo feat: for unit tests, add time out to waiting for DB to start Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc Bump dependency Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c Add MockMvc Test to show performance improvement Fix bug with invalid login_hint on login page Move read configurations and parameters to allow earlier decisions Restructure login method to not read all IdentityProviders on login_hint Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a Added "final" modifier for method-local constant better name for matches function capitilize first letter of log sentence meaningful name for number of url-decode attempts javadoc explaining integrity bypass fix fix double dot path traversal integrity check bypass redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not unit tests for redirect_uri path integrity check bypass add lombok dependency Add PKCE support
akarollil
added a commit
to GESoftware-CF/uaa
that referenced
this pull request
Aug 5, 2021
* tag 'v75.6.0': Update UAA image reference in k8s deployment template to 75.6.0 Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639) Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638) fix generateDocs PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606) fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632) fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633) Do not expire invitations on GET requests (cloudfoundry#1128) revert back revert to last working fix bundle install update (cloudfoundry#1627) update kramdown 2.3.1 (cloudfoundry#1626) Fix bug with origin chooser and selected allowed provider configuration update activesupport 5.2.4.3 (cloudfoundry#1625) update jquery (cloudfoundry#1618) Update Font-Awesome (cloudfoundry#1617) Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616) rebase rebase merge develop Bump passay version 1.6.1 (cloudfoundry#1612) Bump Spring Dependencies (cloudfoundry#1611) Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609) Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608) Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254) Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601) Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604) Fix CF-UAA version number Bump maven dependencies (cloudfoundry#1600) Bump Tomcat dependency Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599) cleanup code from sonar findings and add additional tests cleanup code from sonar findings and add additional tests More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests fix: Open Redirect Security Issue via some UAA endpoints, including logout.do BigInteger encoding fixed (cloudfoundry#1579) Set startStopTimeout to be configurable (cloudfoundry#1594) switch to StaleUrlCache origin sync Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598) Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597) Bump dependency (cloudfoundry#1596) Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562) Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322) Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550) Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586) Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582) Update dependencies.gradle update Create dependencies.gradle cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585) Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573) Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575) Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587) Github userUserInfo from local configuration (cloudfoundry#1595) Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592) Bump Guava Dependencies (cloudfoundry#1581) Document the 'userInfoUrl' property for OAuth identity provider config Bump Spring Dependencies (cloudfoundry#1591) Fix issue 1584 Test that we redirect when client allows only SAML Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368] Bump Spring Dependencies (cloudfoundry#1580) fix: test token audience claim in an unordered way Bump Spring Dependencies (cloudfoundry#1577) Bump bouncyCastleVersion from 1.68 to 1.69 Small improvements for the consent form (cloudfoundry#1561) Use Claims class to desrialize the token string. feat: output message when DB cannot be initialized refactor: extract variable formatting: whitespaces do not sleep more than 1 minute fix: test runner flakes fix: authTime can be later than 2037 Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate Backfilled unit test Make Java 11 our minimum Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572) Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info Various code/spaces improvements Implement support for Github OAuth 2.0 provider feat: error log on internal error feat: validate java version Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149 Fix comment Include passcode prompt in json response if discovery or account chooser are enabled Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564) Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4 Return existing records on update failure Restore explicit imports. login_hint should not automatically bypass discovery logic Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547) Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa Bump jasmine from 3.6.4 to 3.7.0 in /uaa Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s Bump Spring Dependencies (cloudfoundry#1559) refactor: extract shared code into helper methods Rename variable and test case for clarity Invert boolean method to have a more intuitive naming Add additional tests Only update user if token not issued by UAA Fix wrong username mapping on jwt Bearer with UAA token Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548) Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541) Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535) Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542) refactor: rename Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532) Dependeny Updagtes (cloudfoundry#1538) refactor: implement recommendation from thymeleaf (cloudfoundry#1512) Fix typo feat: for unit tests, add time out to waiting for DB to start Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc Bump dependency Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c Add MockMvc Test to show performance improvement Fix bug with invalid login_hint on login page Move read configurations and parameters to allow earlier decisions Restructure login method to not read all IdentityProviders on login_hint Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a Added "final" modifier for method-local constant better name for matches function capitilize first letter of log sentence meaningful name for number of url-decode attempts javadoc explaining integrity bypass fix fix double dot path traversal integrity check bypass redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not unit tests for redirect_uri path integrity check bypass add lombok dependency Add PKCE support
akarollil
added a commit
to GESoftware-CF/uaa
that referenced
this pull request
Aug 11, 2021
Conflicts resolved in a gradle build and dependency files, a bunch of template files, and a couple of tests: UU dependencies.gradle UU k8s/templates/values/image.yml UU server/build.gradle UU server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java UU server/src/main/resources/templates/web/accounts/email_sent.html UU server/src/main/resources/templates/web/accounts/new_activation_email.html UU server/src/main/resources/templates/web/home.html UU server/src/main/resources/templates/web/idp_discovery/account_chooser.html UU server/src/main/resources/templates/web/idp_discovery/password.html UU server/src/test/java/org/cloudfoundry/identity/uaa/oauth/beans/LegacyRedirectResolverTest.java UU uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java * master: Update UAA image reference in k8s deployment template to 75.6.0 Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639) Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638) fix generateDocs PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606) fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632) fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633) Do not expire invitations on GET requests (cloudfoundry#1128) revert back revert to last working fix bundle install update (cloudfoundry#1627) update kramdown 2.3.1 (cloudfoundry#1626) Fix bug with origin chooser and selected allowed provider configuration update activesupport 5.2.4.3 (cloudfoundry#1625) update jquery (cloudfoundry#1618) Update Font-Awesome (cloudfoundry#1617) Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616) rebase rebase merge develop Bump passay version 1.6.1 (cloudfoundry#1612) Bump Spring Dependencies (cloudfoundry#1611) Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609) Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608) Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254) Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601) Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604) Fix CF-UAA version number Bump maven dependencies (cloudfoundry#1600) Bump Tomcat dependency Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599) cleanup code from sonar findings and add additional tests cleanup code from sonar findings and add additional tests More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests fix: Open Redirect Security Issue via some UAA endpoints, including logout.do BigInteger encoding fixed (cloudfoundry#1579) Set startStopTimeout to be configurable (cloudfoundry#1594) switch to StaleUrlCache origin sync Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598) Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597) Bump dependency (cloudfoundry#1596) Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562) Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322) Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550) Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586) Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582) Update dependencies.gradle update Create dependencies.gradle cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585) Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573) Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575) Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587) Github userUserInfo from local configuration (cloudfoundry#1595) Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592) Bump Guava Dependencies (cloudfoundry#1581) Document the 'userInfoUrl' property for OAuth identity provider config Bump Spring Dependencies (cloudfoundry#1591) Fix issue 1584 Test that we redirect when client allows only SAML Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368] Bump Spring Dependencies (cloudfoundry#1580) fix: test token audience claim in an unordered way Bump Spring Dependencies (cloudfoundry#1577) Bump bouncyCastleVersion from 1.68 to 1.69 Small improvements for the consent form (cloudfoundry#1561) Use Claims class to desrialize the token string. feat: output message when DB cannot be initialized refactor: extract variable formatting: whitespaces do not sleep more than 1 minute fix: test runner flakes fix: authTime can be later than 2037 Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate Backfilled unit test Make Java 11 our minimum Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572) Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info Various code/spaces improvements Implement support for Github OAuth 2.0 provider feat: error log on internal error feat: validate java version Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149 Fix comment Include passcode prompt in json response if discovery or account chooser are enabled Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564) Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4 Return existing records on update failure Restore explicit imports. login_hint should not automatically bypass discovery logic Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547) Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa Bump jasmine from 3.6.4 to 3.7.0 in /uaa Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s Bump Spring Dependencies (cloudfoundry#1559) refactor: extract shared code into helper methods Rename variable and test case for clarity Invert boolean method to have a more intuitive naming Add additional tests Only update user if token not issued by UAA Fix wrong username mapping on jwt Bearer with UAA token Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548) Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541) Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535) Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542) refactor: rename Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532) Dependeny Updagtes (cloudfoundry#1538) refactor: implement recommendation from thymeleaf (cloudfoundry#1512) Fix typo feat: for unit tests, add time out to waiting for DB to start Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc Bump dependency Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c Add MockMvc Test to show performance improvement Fix bug with invalid login_hint on login page Move read configurations and parameters to allow earlier decisions Restructure login method to not read all IdentityProviders on login_hint Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a Added "final" modifier for method-local constant better name for matches function capitilize first letter of log sentence meaningful name for number of url-decode attempts javadoc explaining integrity bypass fix fix double dot path traversal integrity check bypass redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not unit tests for redirect_uri path integrity check bypass add lombok dependency Add PKCE support
akarollil
added a commit
to GESoftware-CF/uaa
that referenced
this pull request
Aug 12, 2021
Merge conflicts fixed in the following: UU uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml UU uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java * master: Update UAA image reference in k8s deployment template to 75.6.0 Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639) Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638) fix generateDocs PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606) fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632) fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633) Do not expire invitations on GET requests (cloudfoundry#1128) revert back revert to last working fix bundle install update (cloudfoundry#1627) update kramdown 2.3.1 (cloudfoundry#1626) Fix bug with origin chooser and selected allowed provider configuration update activesupport 5.2.4.3 (cloudfoundry#1625) update jquery (cloudfoundry#1618) Update Font-Awesome (cloudfoundry#1617) Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616) rebase rebase merge develop Bump passay version 1.6.1 (cloudfoundry#1612) Bump Spring Dependencies (cloudfoundry#1611) Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609) Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608) Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254) Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601) Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605) Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604) Fix CF-UAA version number Bump maven dependencies (cloudfoundry#1600) Bump Tomcat dependency Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599) cleanup code from sonar findings and add additional tests cleanup code from sonar findings and add additional tests More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests fix: Open Redirect Security Issue via some UAA endpoints, including logout.do BigInteger encoding fixed (cloudfoundry#1579) Set startStopTimeout to be configurable (cloudfoundry#1594) switch to StaleUrlCache origin sync Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598) Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597) Bump dependency (cloudfoundry#1596) Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562) Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322) Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550) Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586) Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582) Update dependencies.gradle update Create dependencies.gradle cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585) Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573) Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575) Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587) Github userUserInfo from local configuration (cloudfoundry#1595) Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592) Bump Guava Dependencies (cloudfoundry#1581) Document the 'userInfoUrl' property for OAuth identity provider config Bump Spring Dependencies (cloudfoundry#1591) Fix issue 1584 Test that we redirect when client allows only SAML Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368] Bump Spring Dependencies (cloudfoundry#1580) fix: test token audience claim in an unordered way Bump Spring Dependencies (cloudfoundry#1577) Bump bouncyCastleVersion from 1.68 to 1.69 Small improvements for the consent form (cloudfoundry#1561) Use Claims class to desrialize the token string. feat: output message when DB cannot be initialized refactor: extract variable formatting: whitespaces do not sleep more than 1 minute fix: test runner flakes fix: authTime can be later than 2037 Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate Backfilled unit test Make Java 11 our minimum Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572) Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info Various code/spaces improvements Implement support for Github OAuth 2.0 provider feat: error log on internal error feat: validate java version Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149 Fix comment Include passcode prompt in json response if discovery or account chooser are enabled Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564) Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4 Return existing records on update failure Restore explicit imports. login_hint should not automatically bypass discovery logic Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545) Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547) Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa Bump jasmine from 3.6.4 to 3.7.0 in /uaa Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s Bump Spring Dependencies (cloudfoundry#1559) refactor: extract shared code into helper methods Rename variable and test case for clarity Invert boolean method to have a more intuitive naming Add additional tests Only update user if token not issued by UAA Fix wrong username mapping on jwt Bearer with UAA token Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548) Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541) Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535) Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542) refactor: rename Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532) Dependeny Updagtes (cloudfoundry#1538) refactor: implement recommendation from thymeleaf (cloudfoundry#1512) Fix typo feat: for unit tests, add time out to waiting for DB to start Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc Bump dependency Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c Add MockMvc Test to show performance improvement Fix bug with invalid login_hint on login page Move read configurations and parameters to allow earlier decisions Restructure login method to not read all IdentityProviders on login_hint Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a Added "final" modifier for method-local constant better name for matches function capitilize first letter of log sentence meaningful name for number of url-decode attempts javadoc explaining integrity bypass fix fix double dot path traversal integrity check bypass redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not unit tests for redirect_uri path integrity check bypass add lombok dependency Add PKCE support
schmie
added a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 9, 2021
This is in line with cf-deployment 16.23. We are switching from our fork to the upstream version, since a [PR with a bugfix for expiring invitation links](cloudfoundry/uaa#1128) was at long last merged.
schmie
added a commit
to alphagov/paas-cf
that referenced
this pull request
Sep 9, 2021
A bugfix for an invitation link expiry issue has been merged ([PR](cloudfoundry/uaa#1128)). Thus we switch back to upstream and this test is no longer required.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
At the moment, when the user visits:
the invitation code from their email is immediately expired and replaced
with a newly generated code which is put in a hidden input in the HTML
form. Each time the user submits the form, the code is expired and (if
necessary - e.g. if there's a validation issue) replaced with a new one.
This is fine so long as the user fills the form in immediately, but
there are a number of edge cases where this approach causes usability
problems:
expired.
follows the invitation link from their email later it will show as
expired.
any reason (e.g. virus scanning / spam detection / performance
optimisation) then the link will not work when they follow it for
real.
The third issue is the most serious.
We (GOV.UK PaaS) have had some users working in places that
pre-fetch links in emails (for some reason or other), and this means
they're completely unable to accept invitations. Judging from the irate
support tickets we've had from these users the experience is pretty
frustrating.
This commit changes the GET request to /invitations/accept so that it
does not expire the token (unless the invitation is being auto-accepted).
The POST handler is unchanged, so if the user actually submits the form
then the token will change (as it did before), even if there's a
validation issue that prevents the invitation being accepted.
This change fixes the usability issues, and makes the behaviour more
consistent with HTTP's semantics (in the sense that GET requests should
be "safe" - should not modify the state of the server).
I haven't tested this in a production-like setting yet, but I should have time to tomorrow.
This fixes #587 (which I don't think should be closed).