Send unauthorized response to /ui/api calls

Previously async calls executed from `/ui` such as: `/ui/api/cluster` or `/ui/api/stats` could change the nonce cookie, which in turn could cause the already started challenge to fail due to nonce parameter mismatch.
trinodb · Jan 25, 2021 · 88a7998 · 88a7998
1 parent 0d3bb55
commit 88a7998
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiAuthenticationFilter.java b/core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiAuthenticationFilter.java
@@ -123,6 +123,11 @@ private Optional<Jws<Claims>> getAccessToken(ContainerRequestContext request)
 
     private void needAuthentication(ContainerRequestContext request)
     {
+        // send 401 to REST api calls and redirect to others
+        if (request.getUriInfo().getRequestUri().getPath().startsWith("/ui/api/")) {
+            sendWwwAuthenticate(request, "Unauthorized", ImmutableSet.of(TRINO_FORM_LOGIN));
+            return;
+        }
         OAuthChallenge challenge = service.startWebUiChallenge(request.getUriInfo().getBaseUri().resolve(CALLBACK_ENDPOINT));
         ResponseBuilder response = Response.seeOther(challenge.getRedirectUrl());
         challenge.getNonce().ifPresent(nonce -> response.cookie(NonceCookie.create(nonce, challenge.getChallengeExpiration())));

diff --git a/...in/src/test/java/io/trino/server/security/oauth2/TestOAuth2WebUiAuthenticationFilter.java b/...in/src/test/java/io/trino/server/security/oauth2/TestOAuth2WebUiAuthenticationFilter.java
@@ -167,9 +167,9 @@ public void testUnauthorizedApiCall()
             throws IOException
     {
         try (Response response = httpClient
-                .newCall(uiCall().build())
+                .newCall(apiCall().build())
                 .execute()) {
-            assertRedirectResponse(response);
+            assertUnauthorizedResponse(response);
         }
     }
 
@@ -272,6 +272,13 @@ private Request.Builder uiCall()
                 .get();
     }
 
+    private Request.Builder apiCall()
+    {
+        return new Request.Builder()
+                .url(serverUri.resolve("/ui/api/cluster").toString())
+                .get();
+    }
+
     private void withSuccessfulAuthentication(AuthenticationAssertion assertion)
             throws Exception
     {

diff --git a/core/trino-main/src/test/java/io/trino/server/ui/TestWebUi.java b/core/trino-main/src/test/java/io/trino/server/ui/TestWebUi.java
@@ -81,6 +81,7 @@
 import static javax.servlet.http.HttpServletResponse.SC_OK;
 import static javax.servlet.http.HttpServletResponse.SC_SEE_OTHER;
 import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+import static javax.ws.rs.core.Response.Status.UNAUTHORIZED;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.testng.Assert.assertTrue;
@@ -586,9 +587,9 @@ private void assertAuth2Authentication(HttpServerInfo httpServerInfo, String acc
         URI baseUri = httpServerInfo.getHttpsUri();
         testRootRedirect(baseUri, client);
         assertRedirect(client, getUiLocation(baseUri), "http://example.com/authorize", false);
-        assertRedirect(client, getValidApiLocation(baseUri), "http://example.com/authorize", false);
+        assertResponseCode(client, getValidApiLocation(baseUri), UNAUTHORIZED.getStatusCode());
         assertRedirect(client, getLocation(baseUri, "/ui/unknown"), "http://example.com/authorize", false);
-        assertRedirect(client, getLocation(baseUri, "/ui/api/unknown"), "http://example.com/authorize", false);
+        assertResponseCode(client, getLocation(baseUri, "/ui/api/unknown"), UNAUTHORIZED.getStatusCode());
 
         // login with the callback endpoint
         assertRedirect(