Fixes on session cookies

Marked opbs and rps cookies as non-encrypted;
formerly these cookies were encrypted and so were useless from
the JS side.

Change-Id: Ic1627ab91585bd70e66cf546fd98e0f81b60962f
Sebastian Marcet 2018-08-07 16:58:00 -03:00
parent bcd66970b7
commit 9c646d9766
4 changed files with 45 additions and 12 deletions


@ -264,8 +264,10 @@ final class OAuth2ProviderController extends Controller
*/
public function endSession()
{
if(!$this->auth_service->isUserLogged())
if(!$this->auth_service->isUserLogged()) {
Log::debug("OAuth2ProviderController::endSession user is not logged!");
return Response::view('errors.404', array(), 404);
}
$request = new OAuth2LogoutRequest
(


@ -15,7 +15,8 @@ class EncryptCookies extends BaseEncrypter
* @var array
*/
protected $except = [
//
'opbs',
'rps',
];
protected function decrypt(Request $request)
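Review bot: Listing `'opbs'` and `'rps'` in `$except` switches off not only encryption but also the integrity protection the cookie encrypter gives, so from this commit on any server-side code that reads either cookie is reading a client-controlled value; the list keeps the bare `//` placeholder and says nothing about this. Suggest replacing the placeholder with a comment such as `// opbs / rps must be readable from browser JS, so they are stored plain: neither encrypted nor signed. Never trust their value server-side; compare against the copy kept in the session.` The `PrincipalService::register` change in this same commit appears to store opbs in the session as well, which is the copy the server should compare against — worth confirming nothing elsewhere reads the cookie value directly.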


@ -14,6 +14,7 @@
use Illuminate\Support\Facades\Cookie;
use Illuminate\Support\Facades\Session;
use Illuminate\Support\Facades\Log;
use OAuth2\Models\IPrincipal;
use OAuth2\Models\Principal;
use OAuth2\Services\IPrincipalService;
@ -59,6 +60,8 @@ final class PrincipalService implements IPrincipalService
*/
public function save(IPrincipal $principal)
{
Log::debug("PrincipalService::save");
$this->register
(
$principal->getUserId(),
@ -73,10 +76,12 @@ final class PrincipalService implements IPrincipalService
*/
public function register($user_id, $auth_time)
{
Log::debug(sprintf("PrincipalService::register user_id %s auth_time %s", $user_id, $auth_time));
Session::put(self::UserIdParam, $user_id);
Session::put(self::AuthTimeParam, $auth_time);
$opbs = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
Cookie::queue('opbs', $opbs, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
Log::debug(sprintf("PrincipalService::register opbs %s", $opbs));
Session::put(self::OPBrowserState, $opbs);
Session::save();
}
@ -86,6 +91,7 @@ final class PrincipalService implements IPrincipalService
*/
public function clear()
{
Log::debug("PrincipalService::clear");
Session::remove(self::UserIdParam);
Session::remove(self::AuthTimeParam);
Session::remove(self::OPBrowserState);
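Review bot: The new line `Log::debug(sprintf("PrincipalService::register opbs %s", $opbs));` writes the full opbs value into the application log, and the new line at the top of `register` logs the user id and auth time; opbs is exactly the value the browser now holds as a plain, unsigned cookie, so a debug-enabled log becomes a second place where per-user session state can be read. Suggest logging presence rather than value, e.g. `Log::debug("PrincipalService::register opbs issued");`, and likewise dropping the raw user id from the first line or reducing it to what support actually needs. Two unchanged lines in the same hunk are worth a look while here: `mcrypt_create_iv` relies on the mcrypt extension, which is no longer in core from PHP 7.2 (`random_bytes(16)` is the drop-in replacement), and `$secure = false` lets the opbs cookie travel over plain HTTP, which presumably is only acceptable if the deployment is HTTPS-only upstream — confirm. The body of `clear()` continues past the end of this hunk.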


@ -1363,51 +1363,75 @@ final class OAuth2Protocol implements IOAuth2Protocol
{
try
{
$this->log_service->debug_msg("OAuth2Protocol::endSession");
$this->last_request = $request;
if (is_null($this->last_request))
if (is_null($this->last_request)) {
$this->log_service->debug_msg("OAuth2Protocol::endSession last request is null");
throw new InvalidOAuth2Request;
}
if(!$this->last_request->isValid())
if(!$this->last_request->isValid()) {
$this->log_service->debug_msg(sprintf("OAuth2Protocol::endSession last request is invalid error %s", $this->last_request->getLastValidationError()));
throw new InvalidOAuth2Request($this->last_request->getLastValidationError());
}
if(! $this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
if(!$this->last_request instanceof OAuth2LogoutRequest) throw new InvalidOAuth2Request;
$id_token_hint = $this->last_request->getIdTokenHint();
$jwt = BasicJWTFactory::build($id_token_hint);
if((!$jwt instanceof IJWT))
if((!$jwt instanceof IJWT)) {
$this->log_service->debug_msg("OAuth2Protocol::endSession invalid id_token_hint!");
throw new InvalidOAuth2Request('invalid id_token_hint!');
}
$client_id = $jwt->getClaimSet()->getAudience();
if(is_null($client_id)) throw new InvalidClientException('claim aud not set on id_token_hint!');
if(is_null($client_id)) {
$this->log_service->debug_msg("OAuth2Protocol::endSession claim aud not set on id_token_hint!");
throw new InvalidClientException('claim aud not set on id_token_hint!');
}
$client = $this->client_repository->getClientById($client_id->getString());
if(is_null($client)) throw new InvalidClientException('client not found!');
if(is_null($client)){
$this->log_service->debug_msg("OAuth2Protocol::endSession client not found!");
throw new InvalidClientException('client not found!');
}
$redirect_logout_uri = $this->last_request->getPostLogoutRedirectUri();
$state = $this->last_request->getState();
if(!empty($redirect_logout_uri) && !$client->isPostLogoutUriAllowed($redirect_logout_uri))
if(!empty($redirect_logout_uri) && !$client->isPostLogoutUriAllowed($redirect_logout_uri)) {
$this->log_service->debug_msg("OAuth2Protocol::endSession post_logout_redirect_uri not allowed!");
throw new InvalidOAuth2Request('post_logout_redirect_uri not allowed!');
}
$user_id = $jwt->getClaimSet()->getSubject();
if(is_null($user_id)) throw new InvalidOAuth2Request('claim sub not set on id_token_hint!');
if(is_null($user_id)){
$this->log_service->debug_msg("OAuth2Protocol::endSession claim sub not set on id_token_hint!");
throw new InvalidOAuth2Request('claim sub not set on id_token_hint!');
}
$user_id = $this->auth_service->unwrapUserId(intval($user_id->getString()));
$user = $this->auth_service->getUserByExternalId($user_id);
if(is_null($user)) throw new InvalidOAuth2Request('user not found!');
if(is_null($user)){
$this->log_service->debug_msg("OAuth2Protocol::endSession user not found!");
throw new InvalidOAuth2Request('user not found!');
}
if($this->principal_service->get()->getUserId() !== $user->getId())
if($this->principal_service->get()->getUserId() !== $user->getId()) {
$this->log_service->debug_msg("OAuth2Protocol::endSession user does not match with current session!");
throw new InvalidOAuth2Request('user does not match with current session!');
}
$this->auth_service->logout();