Merge branch 'stable-3.8'

geminicaprograms · geminicaprograms · commit eb56de73b88c · 2023-10-11T08:12:15.000+02:00
* stable-3.8:
  Avoid using 'objectUnderTest' term in GitHubOAuthConfigTest
  Honour the cookieDomain also for the OAuth scope selection
  Revert "Build OAuth redirect URL when X-Forwarded-Host is present"
  Build OAuth redirect URL when X-Forwarded-Host is present
  Fix HTTP session leaks during OAuth reauthentication
  Stop filtering Gerrti's static resources with OAuthFilter

Change-Id: I263195c4ced7e83bc2d62ae25543a098995706ae
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
@@ -158,6 +158,7 @@ private String getScopesKey(HttpServletRequest request, HttpServletResponse resp
       Cookie scopeCookie = new Cookie("scope", scopeRequested);
       scopeCookie.setPath("/");
       scopeCookie.setMaxAge((int) SCOPE_COOKIE_NEVER_EXPIRES);
+      config.getCookieDomain().ifPresent(scopeCookie::setDomain);
       response.addCookie(scopeCookie);
     }
 
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
@@ -34,6 +34,7 @@
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -78,6 +79,7 @@ public class GitHubOAuthConfig {
   public final long httpReadTimeout;
   private final Map<String, KeyConfig> keyConfigMap;
   private final KeyConfig currentKeyConfig;
+  private final Optional<String> cookieDomain;
 
   @Inject
   protected GitHubOAuthConfig(@GerritServerConfig Config config, CanonicalWebUrl canonicalWebUrl) {
@@ -110,6 +112,7 @@ protected GitHubOAuthConfig(@GerritServerConfig Config config, CanonicalWebUrl c
     logoutRedirectUrl = config.getString(CONF_SECTION, null, "logoutRedirectUrl");
 
     enabled = config.getString("auth", null, "type").equalsIgnoreCase(AuthType.HTTP.toString());
+    cookieDomain = Optional.ofNullable(config.getString("auth", null, "cookieDomain"));
     scopes = getScopes(config);
     sortedScopesKeys =
         scopes.keySet().stream()
@@ -207,6 +210,10 @@ public KeyConfig getKeyConfig(String subsection) {
     return keyConfigMap.get(subsection);
   }
 
+  public Optional<String> getCookieDomain() {
+    return cookieDomain;
+  }
+
   public class KeyConfig {
 
     public static final int PASSWORD_LENGTH_DEFAULT = 16;
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/HttpSessionProvider.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/HttpSessionProvider.java
@@ -13,12 +13,16 @@
 // limitations under the License.
 package com.googlesource.gerrit.plugins.github.oauth;
 
+import com.google.common.base.Supplier;
+import com.google.common.base.Suppliers;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
+import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
 public abstract class HttpSessionProvider<T> implements ScopedProvider<T> {
+  private final Supplier<String> singletonKey = Suppliers.memoize(() -> getClass().getName());
 
   @Inject private Provider<T> provider;
 
@@ -32,19 +36,23 @@ public T get() {
   @Override
   public T get(final HttpServletRequest req) {
     HttpSession session = req.getSession();
-    String singletonKey = getClass().getName();
 
     synchronized (this) {
       @SuppressWarnings("unchecked")
-      T instance = (T) session.getAttribute(singletonKey);
+      T instance = (T) session.getAttribute(singletonKey.get());
       if (instance == null) {
         instance = provider.get();
-        session.setAttribute(singletonKey, instance);
+        session.setAttribute(singletonKey.get(), instance);
       }
       return instance;
     }
   }
 
+  public void clear(final HttpServletRequest req) {
+    Optional.ofNullable(req.getSession(false))
+        .ifPresent((s) -> s.removeAttribute(singletonKey.get()));
+  }
+
   @Override
   public HttpServletRequest getScopedRequest() {
     return httpRequestProvider.get();
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthFilter.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthFilter.java
@@ -37,7 +37,9 @@ public class OAuthFilter implements Filter {
   private static final org.slf4j.Logger log = LoggerFactory.getLogger(OAuthFilter.class);
   private static Pattern GIT_HTTP_REQUEST_PATTERN = Pattern.compile(GitOverHttpServlet.URL_REGEX);
   private static final Set<String> GERRIT_STATIC_RESOURCES_EXTS =
-      Sets.newHashSet("css", "png", "jpg", "gif", "woff", "otf", "ttf", "map", "js", "swf", "txt");
+      Sets.newHashSet(
+          "css", "gif", "ico", "jpeg", "jpg", "js", "map", "otf", "pdf", "png", "rtf", "svg", "swf",
+          "text", "tif", "tiff", "ttf", "txt", "woff", "woff2");
   private static final Set<String> GERRIT_ALLOWED_PATHS = Sets.newHashSet("Documentation");
   private static final Set<String> GERRIT_ALLOWED_PAGES = Sets.newHashSet("scope.html");
 
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java
@@ -104,15 +104,16 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         chain.doFilter(httpRequest, httpResponse);
       }
     } finally {
-      HttpSession httpSession = httpRequest.getSession();
+      HttpSession httpSession = httpRequest.getSession(false);
       if (gerritCookie != null && httpSession != null) {
         String gerritCookieValue = gerritCookie.getValue();
         String gerritSessionValue = (String) httpSession.getAttribute("GerritAccount");
 
         if (gerritSessionValue == null) {
           httpSession.setAttribute("GerritAccount", gerritCookieValue);
         } else if (!gerritSessionValue.equals(gerritCookieValue)) {
-          httpSession.invalidate();
+          httpSession.setAttribute("GerritAccount", null);
+          loginProvider.clear(httpRequest);
         }
       }
     }
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/ScopedProvider.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/ScopedProvider.java
@@ -19,5 +19,7 @@
 public interface ScopedProvider<T> extends Provider<T> {
   T get(HttpServletRequest request);
 
+  void clear(HttpServletRequest request);
+
   HttpServletRequest getScopedRequest();
 }
diff --git a/github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java b/github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java
@@ -28,6 +28,7 @@
 import com.google.inject.AbstractModule;
 import com.google.inject.Guice;
 import com.google.inject.util.Providers;
+import java.util.Optional;
 import org.eclipse.jgit.lib.Config;
 import org.junit.Before;
 import org.junit.Test;
@@ -70,12 +71,10 @@ public void shouldReadASpecificKeyConfig() {
     config.setString(CONF_KEY_SECTION, keySubsection, CIPHER_ALGO_CONFIG_LABEL, cipherAlgorithm);
     config.setString(CONF_KEY_SECTION, keySubsection, SECRET_KEY_CONFIG_LABEL, secretKeyAlgorithm);
 
-    GitHubOAuthConfig objectUnderTest = objectUnderTest();
-
-    assertEquals(objectUnderTest.getCurrentKeyConfig().isCurrent(), true);
-    assertEquals(objectUnderTest.getCurrentKeyConfig().getCipherAlgorithm(), cipherAlgorithm);
-    assertEquals(objectUnderTest.getCurrentKeyConfig().getSecretKeyAlgorithm(), secretKeyAlgorithm);
-    assertEquals(objectUnderTest.getCurrentKeyConfig().getKeyId(), keySubsection);
+    assertEquals(githubOAuthConfig().getCurrentKeyConfig().isCurrent(), true);
+    assertEquals(githubOAuthConfig().getCurrentKeyConfig().getCipherAlgorithm(), cipherAlgorithm);
+    assertEquals(githubOAuthConfig().getCurrentKeyConfig().getSecretKeyAlgorithm(), secretKeyAlgorithm);
+    assertEquals(githubOAuthConfig().getCurrentKeyConfig().getKeyId(), keySubsection);
   }
 
   @Test
@@ -89,7 +88,7 @@ public void shouldReturnTheExpectedKeyConfigAsCurrent() {
     config.setString(
         CONF_KEY_SECTION, someOtherKeyConfig, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
 
-    assertEquals(objectUnderTest().getCurrentKeyConfig().getKeyId(), currentKeyConfig);
+    assertEquals(githubOAuthConfig().getCurrentKeyConfig().getKeyId(), currentKeyConfig);
   }
 
   @Test
@@ -103,16 +102,14 @@ public void shouldReadMultipleKeyConfigs() {
     config.setString(
         CONF_KEY_SECTION, someOtherKeyConfig, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
 
-    GitHubOAuthConfig objectUnderTest = objectUnderTest();
-
-    assertEquals(objectUnderTest.getKeyConfig(currentKeyConfig).getKeyId(), currentKeyConfig);
-    assertEquals(objectUnderTest.getKeyConfig(someOtherKeyConfig).getKeyId(), someOtherKeyConfig);
+    assertEquals(githubOAuthConfig().getKeyConfig(currentKeyConfig).getKeyId(), currentKeyConfig);
+    assertEquals(githubOAuthConfig().getKeyConfig(someOtherKeyConfig).getKeyId(), someOtherKeyConfig);
   }
 
   @Test
   public void shouldThrowWhenNoKeyIdIsConfigured() {
     IllegalStateException illegalStateException =
-        assertThrows(IllegalStateException.class, this::objectUnderTest);
+        assertThrows(IllegalStateException.class, this::githubOAuthConfig);
 
     assertEquals(
         illegalStateException.getMessage(),
@@ -125,7 +122,7 @@ public void shouldThrowWhenNoKeyIdIsConfigured() {
   public void shouldThrowWhenNoKeyConfigIsSetAsCurrent() {
     config.setBoolean(CONF_KEY_SECTION, "someKeyConfig", CURRENT_CONFIG_LABEL, false);
 
-    assertThrows(IllegalStateException.class, this::objectUnderTest);
+    assertThrows(IllegalStateException.class, this::githubOAuthConfig);
   }
 
   @Test
@@ -134,7 +131,7 @@ public void shouldThrowWhenKeyConfigContainsDelimiterCharacter() {
     config.setBoolean(CONF_KEY_SECTION, invalidSubsection, CURRENT_CONFIG_LABEL, false);
 
     IllegalStateException illegalStateException =
-        assertThrows(IllegalStateException.class, this::objectUnderTest);
+        assertThrows(IllegalStateException.class, this::githubOAuthConfig);
 
     assertEquals(
         illegalStateException.getMessage(),
@@ -148,7 +145,7 @@ public void shouldThrowWhenMoreThanOneKeyConfigIsSetAsCurrent() {
     config.setBoolean(CONF_KEY_SECTION, "someKeyConfig", CURRENT_CONFIG_LABEL, true);
     config.setBoolean(CONF_KEY_SECTION, "someOtherKeyConfig", CURRENT_CONFIG_LABEL, true);
 
-    assertThrows(IllegalStateException.class, this::objectUnderTest);
+    assertThrows(IllegalStateException.class, this::githubOAuthConfig);
   }
 
   @Test
@@ -157,7 +154,7 @@ public void shouldThrowWhenKeyIdMissesPasswordDevice() {
     config.setBoolean(CONF_KEY_SECTION, someKeyConfig, CURRENT_CONFIG_LABEL, true);
 
     IllegalStateException illegalStateException =
-        assertThrows(IllegalStateException.class, this::objectUnderTest);
+        assertThrows(IllegalStateException.class, this::githubOAuthConfig);
 
     assertEquals(
         String.format(
@@ -166,7 +163,33 @@ public void shouldThrowWhenKeyIdMissesPasswordDevice() {
         illegalStateException.getMessage());
   }
 
-  private GitHubOAuthConfig objectUnderTest() {
+  @Test
+  public void shouldReturnEmptyCookieDomainByDefault() {
+    setupEncryptionConfig();
+    assertEquals(Optional.empty(), githubOAuthConfig().getCookieDomain());
+  }
+
+  @Test
+  public void shouldReturnTheCookieDomainFromAuth() {
+    setupEncryptionConfig();
+    String myDomain = ".mydomain.com";
+    config.setString("auth", null, "cookieDomain", myDomain);
+
+    assertEquals(Optional.of(myDomain), githubOAuthConfig().getCookieDomain());
+  }
+
+  private GitHubOAuthConfig githubOAuthConfig() {
     return new GitHubOAuthConfig(config, canonicalWebUrl);
   }
+
+  private void setupEncryptionConfig() {
+    String keySubsection = "someKeyConfig";
+    String cipherAlgorithm = "AES/CFB8/NoPadding";
+    String secretKeyAlgorithm = "DES";
+    config.setBoolean(CONF_KEY_SECTION, keySubsection, CURRENT_CONFIG_LABEL, true);
+    config.setString(
+        CONF_KEY_SECTION, keySubsection, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
+    config.setString(CONF_KEY_SECTION, keySubsection, CIPHER_ALGO_CONFIG_LABEL, cipherAlgorithm);
+    config.setString(CONF_KEY_SECTION, keySubsection, SECRET_KEY_CONFIG_LABEL, secretKeyAlgorithm);
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,7 @@ private String getScopesKey(HttpServletRequest request, HttpServletResponse resp`
`158`	`158`	`Cookie scopeCookie = new Cookie("scope", scopeRequested);`
`159`	`159`	`scopeCookie.setPath("/");`
`160`	`160`	`scopeCookie.setMaxAge((int) SCOPE_COOKIE_NEVER_EXPIRES);`
	`161`	`+ config.getCookieDomain().ifPresent(scopeCookie::setDomain);`
`161`	`162`	`response.addCookie(scopeCookie);`
`162`	`163`	`}`
`163`	`164`
Original file line number	Diff line number	Diff line change
`@@ -104,15 +104,16 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha`
`104`	`104`	`chain.doFilter(httpRequest, httpResponse);`
`105`	`105`	`}`
`106`	`106`	`} finally {`
`107`		`- HttpSession httpSession = httpRequest.getSession();`
	`107`	`+ HttpSession httpSession = httpRequest.getSession(false);`
`108`	`108`	`if (gerritCookie != null && httpSession != null) {`
`109`	`109`	`String gerritCookieValue = gerritCookie.getValue();`
`110`	`110`	`String gerritSessionValue = (String) httpSession.getAttribute("GerritAccount");`
`111`	`111`
`112`	`112`	`if (gerritSessionValue == null) {`
`113`	`113`	`httpSession.setAttribute("GerritAccount", gerritCookieValue);`
`114`	`114`	`} else if (!gerritSessionValue.equals(gerritCookieValue)) {`
`115`		`- httpSession.invalidate();`
	`115`	`+ httpSession.setAttribute("GerritAccount", null);`
	`116`	`+ loginProvider.clear(httpRequest);`
`116`	`117`	`}`
`117`	`118`	`}`
`118`	`119`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,5 +19,7 @@`
`19`	`19`	`public interface ScopedProvider<T> extends Provider<T> {`
`20`	`20`	`T get(HttpServletRequest request);`
`21`	`21`
	`22`	`+ void clear(HttpServletRequest request);`
	`23`	`+`
`22`	`24`	`HttpServletRequest getScopedRequest();`
`23`	`25`	`}`