opendev/gerrit
Code Issues Proposed changes

Merge branch 'stable-2.10' into stable-2.11

Browse Source 
* stable-2.10:
  OAuth: Respect servlet context path in URL for login token
  Invalidate OAuth session after web_sessions cache expiration

Change-Id: Id66e2ef07c164c17fa7839ea5c5ae19f26abd621
This commit is contained in:
David Pursehouse
2015-04-14 14:29:30 +09:00
parent 503cffe35b 3cab540024
commit e6af899893
2 changed files with 28 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthSession.java
View File

@@ -22,6 +22,8 @@ import com.google.gerrit.extensions.auth.oauth.OAuthToken;
import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
import com.google.gerrit.extensions.registration.DynamicItem; import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.extensions.restapi.Url;
import com.google.gerrit.httpd.CanonicalWebUrl;
import com.google.gerrit.httpd.WebSession; import com.google.gerrit.httpd.WebSession;
import com.google.gerrit.reviewdb.client.Account; import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.server.account.AccountException; import com.google.gerrit.server.account.AccountException;
@@ -36,8 +38,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import java.io.IOException; import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom; import java.security.SecureRandom;
@@ -53,17 +53,20 @@ class OAuthSession {
private final String state; private final String state;
private final DynamicItem<WebSession> webSession; private final DynamicItem<WebSession> webSession;
private final AccountManager accountManager; private final AccountManager accountManager;
private final CanonicalWebUrl urlProvider;
private OAuthServiceProvider serviceProvider; private OAuthServiceProvider serviceProvider;
private OAuthToken token; private OAuthToken token;
private OAuthUserInfo user; private OAuthUserInfo user;
private String redirectUrl; private String redirectToken;
@Inject @Inject
OAuthSession(DynamicItem<WebSession> webSession, OAuthSession(DynamicItem<WebSession> webSession,
AccountManager accountManager) { AccountManager accountManager,
CanonicalWebUrl urlProvider) {
this.state = generateRandomState(); this.state = generateRandomState();
this.webSession = webSession; this.webSession = webSession;
this.accountManager = accountManager; this.accountManager = accountManager;
this.urlProvider = urlProvider;
} }
boolean isLoggedIn() { boolean isLoggedIn() {
@@ -95,7 +98,7 @@ class OAuthSession {
if (isLoggedIn()) { if (isLoggedIn()) {
log.debug("Login-SUCCESS " + this); log.debug("Login-SUCCESS " + this);
authenticateAndRedirect(response); authenticateAndRedirect(request, response);
return true; return true;
} else { } else {
response.sendError(SC_UNAUTHORIZED); response.sendError(SC_UNAUTHORIZED);
@@ -103,15 +106,22 @@ class OAuthSession {
} }
} else { } else {
log.debug("Login-PHASE1 " + this); log.debug("Login-PHASE1 " + this);
redirectUrl = request.getRequestURI(); redirectToken = request.getRequestURI();
// We are here in content of filter.
// Due to this Jetty limitation:
// https://bz.apache.org/bugzilla/show_bug.cgi?id=28323
// we cannot use LoginUrlToken.getToken() method,
// because it relies on getPathInfo() and it is always null here.
redirectToken = redirectToken.substring(
request.getContextPath().length());
response.sendRedirect(oauth.getAuthorizationUrl() + response.sendRedirect(oauth.getAuthorizationUrl() +
"&state=" + state); "&state=" + state);
return false; return false;
} }
} }
private void authenticateAndRedirect(HttpServletResponse rsp) private void authenticateAndRedirect(HttpServletRequest req,
throws IOException { HttpServletResponse rsp) throws IOException {
com.google.gerrit.server.account.AuthRequest areq = com.google.gerrit.server.account.AuthRequest areq =
new com.google.gerrit.server.account.AuthRequest(user.getExternalId()); new com.google.gerrit.server.account.AuthRequest(user.getExternalId());
AuthResult arsp; AuthResult arsp;
@@ -164,16 +174,17 @@ class OAuthSession {
} }
webSession.get().login(arsp, true); webSession.get().login(arsp, true);
String suffix = redirectUrl.substring( String suffix = redirectToken.substring(
OAuthWebFilter.GERRIT_LOGIN.length() + 1); OAuthWebFilter.GERRIT_LOGIN.length() + 1);
suffix = URLDecoder.decode(suffix, StandardCharsets.UTF_8.name()); StringBuilder rdr = new StringBuilder(urlProvider.get(req));
rsp.sendRedirect(suffix); rdr.append(Url.decode(suffix));
rsp.sendRedirect(rdr.toString());
} }
void logout() { void logout() {
token = null; token = null;
user = null; user = null;
redirectUrl = null; redirectToken = null;
serviceProvider = null; serviceProvider = null;
} }

6
gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
View File

@@ -89,18 +89,22 @@ class OAuthWebFilter implements Filter {
FilterChain chain) throws IOException, ServletException { FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpSession httpSession = ((HttpServletRequest) request).getSession(false); HttpSession httpSession = ((HttpServletRequest) request).getSession(false);
OAuthSession oauthSession = oauthSessionProvider.get();
if (currentUserProvider.get().isIdentifiedUser()) { if (currentUserProvider.get().isIdentifiedUser()) {
if (httpSession != null) { if (httpSession != null) {
httpSession.invalidate(); httpSession.invalidate();
} }
chain.doFilter(request, response); chain.doFilter(request, response);
return; return;
} else {
if (oauthSession.isLoggedIn()) {
oauthSession.logout();
}
} }
HttpServletResponse httpResponse = (HttpServletResponse) response; HttpServletResponse httpResponse = (HttpServletResponse) response;
String provider = httpRequest.getParameter("provider"); String provider = httpRequest.getParameter("provider");
OAuthSession oauthSession = oauthSessionProvider.get();
OAuthServiceProvider service = ssoProvider == null OAuthServiceProvider service = ssoProvider == null
? oauthSession.getServiceProvider() ? oauthSession.getServiceProvider()
: ssoProvider; : ssoProvider;