From 28920c09d3d6e2b947fc4662e5d1ce0eb0cb1766 Mon Sep 17 00:00:00 2001
From: Ben Berry
Date: Thu, 21 May 2020 16:53:29 -0700
Subject: [PATCH] refactor sso state checks into single function
Signed-off-by: Ben Berry
---
 src/jetstream/authuaa.go | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)
diff --git a/src/jetstream/authuaa.go b/src/jetstream/authuaa.go
index 04b93a9b5e..2fee5c0eb4 100644
--- a/src/jetstream/authuaa.go
+++ b/src/jetstream/authuaa.go
@@ -435,14 +435,11 @@ func (p *portalProxy) RefreshUAAToken(userGUID string) (t interfaces.TokenRecord
 // We use a single callback so this can be whitelisted in the client
 func (p *portalProxy) ssoLoginToUAA(c echo.Context) error {
 	state := c.QueryParam("state")
-	if len(state) == 0 {
-		err := interfaces.NewHTTPShadowError(
-			http.StatusUnauthorized,
-			"SSO Login: State parameter missing",
-			"SSO Login: State parameter missing")
-		return err
-	}
+	stateErr := validateSSORedirectState(state, p.Config.SSOWhiteList)
+	if stateErr != nil {
+		return stateErr
+	}
 	// We use the same callback URL for both UAA and endpoint login
 	// Check if it is an endpoint login and dens to the right handler
 	endpointGUID := c.QueryParam("guid")
@@ -466,13 +463,6 @@ func (p *portalProxy) ssoLoginToUAA(c echo.Context) error {
 		state = fmt.Sprintf("%s/login?SSO_Message=%s", state, url.QueryEscape(msg))
 	}
-	if !safeSSORedirectState(state, p.Config.SSOWhiteList) {
-		err := interfaces.NewHTTPShadowError(
-			http.StatusUnauthorized,
-			"SSO Login: Disallowed redirect state",
-			"SSO Login: Disallowed redirect state")
-		return err
-	}
 	return c.Redirect(http.StatusTemporaryRedirect, state)
 }
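Review bot: The whitelist check now runs on the raw `state` query parameter, but the value actually redirected to is not that string: in the -466 hunk the context line `state = fmt.Sprintf("%s/login?SSO_Message=%s", state, url.QueryEscape(msg))` rewrites it after the check, and the `safeSSORedirectState` call that used to guard the final value is removed there. That is presumably equivalent only if safeSSORedirectState (defined outside the hunk) accepts the base and the base plus `/login?SSO_Message=...` alike, and nothing in the hunk records that reasoning. Either keep a final check before `c.Redirect`, or add next to it `// state was whitelisted before the SSO_Message rewrite, which only appends an escaped query to the validated base`. On style, the added pair reads more idiomatically as `if err := validateSSORedirectState(state, p.Config.SSOWhiteList); err != nil { return err }`, which keeps the error scoped to the check; the -527 hunk adds the same pattern. ssoLoginToUAA's body continues past the end of the hunk.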
@@ -527,15 +517,25 @@ func (p *portalProxy) initSSOlogin(c echo.Context) error {
 	}
 	state := c.QueryParam("state")
+	stateErr := validateSSORedirectState(state, p.Config.SSOWhiteList)
+	if stateErr != nil {
+		return stateErr
+	}
+
+	redirectURL := fmt.Sprintf("%s/oauth/authorize?response_type=code&client_id=%s&redirect_uri=%s", p.Config.ConsoleConfig.AuthorizationEndpoint, p.Config.ConsoleConfig.ConsoleClient, url.QueryEscape(getSSORedirectURI(state, state, "")))
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
+	return nil
+}
+
+func validateSSORedirectState(state string, whiteListStr string) error {
 	if len(state) == 0 {
 		err := interfaces.NewHTTPShadowError(
 			http.StatusUnauthorized,
-			"SSO Login: Redirect state parameter missing",
-			"SSO Login: Redirect state parameter missing")
+			"SSO Login: State parameter missing",
+			"SSO Login: State parameter missing")
 		return err
 	}
-
-	if !safeSSORedirectState(state, p.Config.SSOWhiteList) {
+	if !safeSSORedirectState(state,whiteListStr) {
 		err := interfaces.NewHTTPShadowError(
 			http.StatusUnauthorized,
 			"SSO Login: Disallowed redirect state",
@@ -543,8 +543,6 @@ func (p *portalProxy) initSSOlogin(c echo.Context) error {
 		return err
 	}
-	redirectURL := fmt.Sprintf("%s/oauth/authorize?response_type=code&client_id=%s&redirect_uri=%s", p.Config.ConsoleConfig.AuthorizationEndpoint, p.Config.ConsoleConfig.ConsoleClient, url.QueryEscape(getSSORedirectURI(state, state, "")))
-	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	return nil
 }
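Review bot: `if !safeSSORedirectState(state,whiteListStr) {` is missing the space after the comma and will not survive gofmt; write `if !safeSSORedirectState(state, whiteListStr) {`. The new helper also has no doc comment; `// validateSSORedirectState returns an HTTP 401 shadow error when the SSO redirect state is empty or is not accepted by safeSSORedirectState for whiteListStr, and nil otherwise.` would do. The moved `c.Redirect(http.StatusTemporaryRedirect, redirectURL)` in initSSOlogin still discards the error that ssoLoginToUAA returns directly in the -466 hunk; `return c.Redirect(http.StatusTemporaryRedirect, redirectURL)` would make the two handlers consistent. initSSOlogin's body starts before this hunk, and validateSSORedirectState's tail continues into the next one.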