feat: Make cookie samesite configurable (#1545)

* Add configuration property for cookie samesite

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Use tomcat samesite enum

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Implement samesite in cookie

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add samesite test to integration tests

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add clarifying comment

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Change default to strict

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Use max age properly

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Move set-cookie behaviour to common util

Signed-off-by: Carson Cook <carson.cook@ibm.com>

* Add samesite for auth token in uri

Signed-off-by: Carson Cook <carson.cook@ibm.com>

Co-authored-by: Jakub Balhar <jakub@balhar.net>

Author: CarsonCook

apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java

@@ -10,6 +10,7 @@
 package org.zowe.apiml.security.common.config;
 
 import lombok.Data;
+import org.apache.tomcat.util.http.SameSiteCookies;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.stereotype.Component;
@@ -76,7 +77,8 @@ public static class CookieProperties {
         private boolean cookieSecure = true;
         private String cookiePath = "/";
         private String cookieComment = "API Mediation Layer security token";
-        private Integer cookieMaxAge = -1;
+        private Integer cookieMaxAge = null;
+        private SameSiteCookies cookieSameSite = SameSiteCookies.STRICT;
     }
 
     @Data

apiml-security-common/src/main/java/org/zowe/apiml/security/common/login/SuccessfulLoginHandler.java

@@ -9,19 +9,18 @@
  */
 package org.zowe.apiml.security.common.login;
 
-import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
-import org.zowe.apiml.security.common.token.TokenAuthentication;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
+import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
+import org.zowe.apiml.util.CookieUtil;
 
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-
 /**
  * Handles the successful login
  */
@@ -54,13 +53,21 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
      * @param response send back this response
      */
     private void setCookie(String token, HttpServletResponse response) {
-        Cookie tokenCookie = new Cookie(authConfigurationProperties.getCookieProperties().getCookieName(), token);
-        tokenCookie.setComment(authConfigurationProperties.getCookieProperties().getCookieComment());
-        tokenCookie.setPath(authConfigurationProperties.getCookieProperties().getCookiePath());
-        tokenCookie.setHttpOnly(true);
-        tokenCookie.setMaxAge(authConfigurationProperties.getCookieProperties().getCookieMaxAge());
-        tokenCookie.setSecure(authConfigurationProperties.getCookieProperties().isCookieSecure());
+        // SameSite attribute is not supported in Cookie used in HttpServletResponse.addCookie,
+        // so specify Set-Cookie header directly
+
+        AuthConfigurationProperties.CookieProperties cp = authConfigurationProperties.getCookieProperties();
+        String cookieHeader = CookieUtil.setCookieHeader(
+            cp.getCookieName(),
+            token,
+            cp.getCookieComment(),
+            cp.getCookiePath(),
+            cp.getCookieSameSite().getValue(),
+            cp.getCookieMaxAge(),
+            true,
+            cp.isCookieSecure()
+        );
 
-        response.addCookie(tokenCookie);
+        response.addHeader("Set-Cookie", cookieHeader);
     }
 }

apiml-security-common/src/test/java/org/zowe/apiml/security/common/config/AuthConfigurationPropertiesTest.java

@@ -30,4 +30,10 @@ void shouldReturnWhenZosmfIsConfigured() {
         authConfigurationProperties.getZosmf().setServiceId("ZOSMF_SID");
         assertEquals("ZOSMF_SID", authConfigurationProperties.validatedZosmfServiceId());
     }
+
+    @Test
+    void whenGetDefaultCookieSameSite_thenReturnStrict() {
+        String sameSite = authConfigurationProperties.getCookieProperties().getCookieSameSite().getValue();
+        assertEquals("Strict", sameSite);
+    }
 }

apiml-security-common/src/test/java/org/zowe/apiml/security/common/login/SuccessfulLoginHandlerTest.java

@@ -9,18 +9,22 @@
  */
 package org.zowe.apiml.security.common.login;
 
-import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
-import org.zowe.apiml.security.common.token.TokenAuthentication;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
+
+import javax.servlet.http.Cookie;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.*;
 
 class SuccessfulLoginHandlerTest {
+    private final TokenAuthentication dummyAuth = new TokenAuthentication("TEST_TOKEN_STRING");
+
     private AuthConfigurationProperties authConfigurationProperties;
     private MockHttpServletRequest httpServletRequest;
     private MockHttpServletResponse httpServletResponse;
@@ -35,15 +39,38 @@ void setup() {
         successfulLoginHandler = new SuccessfulLoginHandler(authConfigurationProperties);
     }
 
-    @Test
-    void testOnAuthenticationSuccess() {
-        successfulLoginHandler.onAuthenticationSuccess(
-            httpServletRequest,
-            httpServletResponse,
-            new TokenAuthentication("TEST_TOKEN_STRING")
-        );
+    @Nested
+    class WhenAuthenticationIsSuccessful {
+        @Test
+        void givenAuthentication_thenReturn204AndCookie() {
+            executeLoginHandler();
+
+            assertEquals(HttpStatus.NO_CONTENT.value(), httpServletResponse.getStatus());
+
+            Cookie cookie = httpServletResponse.getCookie(authConfigurationProperties.getCookieProperties().getCookieName());
+            assertNotNull(cookie);
+
+            AuthConfigurationProperties.CookieProperties cp = authConfigurationProperties.getCookieProperties();
+            assertEquals(cp.getCookieName(), cookie.getName());
+            assertEquals(dummyAuth.getCredentials(), cookie.getValue());
+            assertEquals(cp.getCookiePath(), cookie.getPath());
+            assertEquals(-1, cookie.getMaxAge());
+            assertTrue(cookie.isHttpOnly());
+            assertTrue(cookie.getSecure());
+        }
+
+        @Test
+        void givenCookieSecureNotSet_thenReturnCookieWithoutSecure() {
+            authConfigurationProperties.getCookieProperties().setCookieSecure(false);
+            executeLoginHandler();
+
+            Cookie cookie = httpServletResponse.getCookie(authConfigurationProperties.getCookieProperties().getCookieName());
+            assertNotNull(cookie);
+            assertFalse(cookie.getSecure());
+        }
+    }
 
-        assertEquals(HttpStatus.NO_CONTENT.value(), httpServletResponse.getStatus());
-        assertNotNull(httpServletResponse.getCookie(authConfigurationProperties.getCookieProperties().getCookieName()));
+    private void executeLoginHandler() {
+        successfulLoginHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, dummyAuth);
     }
 }

common-service-core/src/main/java/org/zowe/apiml/util/CookieUtil.java

@@ -18,12 +18,38 @@
 @UtilityClass
 public final class CookieUtil {
 
+    public static String setCookieHeader(String name, String value, String comment, String path, String sameSite,
+                                         Integer maxAge, boolean isHttpOnly, boolean isSecure) {
+        String cookieHeader = String.format(
+            "%s=%s; Comment=%s; Path=%s; SameSite=%s;",
+            name,
+            value,
+            comment,
+            path,
+            sameSite
+        );
+
+        if (maxAge != null) {
+            cookieHeader += " Max-Age=" + maxAge + ";";
+        }
+
+        if (isHttpOnly) {
+            cookieHeader += " HttpOnly;";
+        }
+
+        if (isSecure) {
+            cookieHeader += " Secure;";
+        }
+
+        return cookieHeader;
+    }
+
     /**
      * It replace or add cookie into header string value (see header with name "Cookie").
      *
      * @param cookieHeader original header string value
-     * @param name name of cookie to add or replace
-     * @param value value of cookie to add or replace
+     * @param name         name of cookie to add or replace
+     * @param value        value of cookie to add or replace
      * @return new header string, which contains a new cookie
      */
     public static String setCookie(String cookieHeader, String name, String value) {
@@ -51,7 +77,7 @@ public static String setCookie(String cookieHeader, String name, String value) {
      * cookie, it return original header value string.
      *
      * @param cookieHeader original header string value
-     * @param name name of cookie to remove
+     * @param name         name of cookie to remove
      * @return new header string, without a specified cookie
      */
     public static String removeCookie(String cookieHeader, String name) {

common-service-core/src/test/java/org/zowe/apiml/util/CookieUtilTest.java

@@ -9,8 +9,12 @@
  */
 package org.zowe.apiml.util;
 
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringContains.containsString;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertSame;
 
@@ -35,4 +39,52 @@ void removeCookie() {
         assertEquals("", CookieUtil.removeCookie("a=1;a=2;a=3", "a"));
     }
 
+    @Nested
+    class WhenGetSetCookieHeader {
+        private static final String NAME = "name";
+        private static final String VALUE = "value";
+        private static final String COMMENT = "comment";
+        private static final String PATH = "/";
+        private static final String SAME_SITE = "samesite";
+
+        @Test
+        void givenAllAttributesSet_thenReturnSetCookieWithAttributes() {
+            String setCookieHeader = CookieUtil.setCookieHeader(
+                NAME, VALUE, COMMENT, PATH, SAME_SITE, 1, true, true
+            );
+
+            assertEquals(setCookieHeader, String.format("%s=%s; Comment=%s; Path=%s; SameSite=%s; Max-Age=%d; HttpOnly; Secure;",
+                NAME,
+                VALUE,
+                COMMENT,
+                PATH,
+                SAME_SITE,
+                1
+            ));
+        }
+
+        @Test
+        void givenNullMaxAge_thenReturnSetCookieWithNoMaxAge() {
+            String setCookieHeader = CookieUtil.setCookieHeader(
+                NAME, VALUE, COMMENT, PATH, SAME_SITE, null, true, true
+            );
+            assertThat(setCookieHeader, not(containsString("Max-Age")));
+        }
+
+        @Test
+        void givenNotHttpOnly_thenReturnSetCookieWithoutHttpOnly() {
+            String setCookieHeader = CookieUtil.setCookieHeader(
+                NAME, VALUE, COMMENT, PATH, SAME_SITE, 1, false, true
+            );
+            assertThat(setCookieHeader, not(containsString("HttpOnly")));
+        }
+
+        @Test
+        void givenNotSecure_thenReturnSetCookieWithoutSecure() {
+            String setCookieHeader = CookieUtil.setCookieHeader(
+                NAME, VALUE, COMMENT, PATH, SAME_SITE, 1, true, false
+            );
+            assertThat(setCookieHeader, not(containsString("Secure")));
+        }
+    }
 }

gateway-service/src/main/java/org/zowe/apiml/gateway/filters/post/ConvertAuthTokenInUriToCookieFilter.java

@@ -9,11 +9,11 @@
  */
 package org.zowe.apiml.gateway.filters.post;
 
-import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import com.netflix.zuul.ZuulFilter;
 import com.netflix.zuul.context.RequestContext;
+import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.util.CookieUtil;
 
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 
 import static org.springframework.cloud.netflix.zuul.filters.support.FilterConstants.POST_TYPE;
@@ -47,13 +47,20 @@ public Object run() {
         AuthConfigurationProperties.CookieProperties cp = authConfigurationProperties.getCookieProperties();
         if ((context.getRequestQueryParams() != null) && context.getRequestQueryParams().containsKey(cp.getCookieName())) {
             HttpServletResponse servletResponse = context.getResponse();
-            Cookie cookie = new Cookie(cp.getCookieName(), context.getRequestQueryParams().get(cp.getCookieName()).get(0));
-            cookie.setPath(cp.getCookiePath());
-            cookie.setSecure(true);
-            cookie.setHttpOnly(true);
-            cookie.setMaxAge(cp.getCookieMaxAge());
-            cookie.setComment(cp.getCookieComment());
-            servletResponse.addCookie(cookie);
+
+            // SameSite attribute is not supported in Cookie used in HttpServletResponse.addCookie,
+            // so specify Set-Cookie header directly
+            String cookieHeader = CookieUtil.setCookieHeader(
+                cp.getCookieName(),
+                context.getRequestQueryParams().get(cp.getCookieName()).get(0),
+                cp.getCookieComment(),
+                cp.getCookiePath(),
+                cp.getCookieSameSite().getValue(),
+                cp.getCookieMaxAge(),
+                true,
+                true
+            );
+            servletResponse.addHeader("Set-Cookie", cookieHeader);
 
             String url = context.getRequest().getRequestURL().toString();
             String newUrl;

integration-tests/src/test/java/org/zowe/apiml/integration/authentication/providers/LoginTest.java

@@ -36,6 +36,7 @@
 import static io.restassured.RestAssured.given;
 import static io.restassured.http.ContentType.JSON;
 import static org.apache.http.HttpStatus.*;
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.Matchers.isEmptyString;
 import static org.hamcrest.core.Is.is;
@@ -99,6 +100,8 @@ void givenValidCredentialsInBody(URI loginUrl) {
                     .post(loginUrl)
                 .then()
                     .statusCode(is(SC_NO_CONTENT))
+                    // RestAssured version in use doesn't have SameSite attribute in cookie so validate using the Set-Cookie header
+                    .header("Set-Cookie", containsString("SameSite=Strict"))
                     .cookie(COOKIE_NAME, not(isEmptyString()))
                     .extract().detailedCookie(COOKIE_NAME);
 
@@ -115,6 +118,8 @@ void givenValidCredentialsInHeader(URI loginUrl) {
                     .post(loginUrl)
                 .then()
                     .statusCode(is(SC_NO_CONTENT))
+                    // RestAssured version in use doesn't have SameSite attribute in cookie so validate using the Set-Cookie header
+                    .header("Set-Cookie", containsString("SameSite=Strict"))
                     .cookie(COOKIE_NAME, not(isEmptyString()))
                     .extract().cookie(COOKIE_NAME);