Merge pull request #4328 from cloudfoundry/sso-whitelist

Check sso whitelist in more places
cloudfoundry · May 29, 2020 · da89276 · da89276
2 parents 4d33c4d + 28920c0
commit da89276
Showing 1 changed file with 19 additions and 13 deletions.
diff --git a/src/jetstream/authuaa.go b/src/jetstream/authuaa.go
@@ -435,14 +435,11 @@ func (p *portalProxy) RefreshUAAToken(userGUID string) (t interfaces.TokenRecord
 // We use a single callback so this can be whitelisted in the client
 func (p *portalProxy) ssoLoginToUAA(c echo.Context) error {
 	state := c.QueryParam("state")
-	if len(state) == 0 {
-		err := interfaces.NewHTTPShadowError(
-			http.StatusUnauthorized,
-			"SSO Login: State parameter missing",
-			"SSO Login: State parameter missing")
-		return err
-	}
 
+	stateErr := validateSSORedirectState(state, p.Config.SSOWhiteList)
+	if stateErr != nil {
+		return stateErr
+	}
 	// We use the same callback URL for both UAA and endpoint login
 	// Check if it is an endpoint login and dens to the right handler
 	endpointGUID := c.QueryParam("guid")
@@ -466,6 +463,7 @@ func (p *portalProxy) ssoLoginToUAA(c echo.Context) error {
 		state = fmt.Sprintf("%s/login?SSO_Message=%s", state, url.QueryEscape(msg))
 	}
 
+
 	return c.Redirect(http.StatusTemporaryRedirect, state)
 }
 
@@ -519,24 +517,32 @@ func (p *portalProxy) initSSOlogin(c echo.Context) error {
 	}
 
 	state := c.QueryParam("state")
+	stateErr := validateSSORedirectState(state, p.Config.SSOWhiteList)
+	if stateErr != nil {
+		return stateErr
+	}
+
+	redirectURL := fmt.Sprintf("%s/oauth/authorize?response_type=code&client_id=%s&redirect_uri=%s", p.Config.ConsoleConfig.AuthorizationEndpoint, p.Config.ConsoleConfig.ConsoleClient, url.QueryEscape(getSSORedirectURI(state, state, "")))
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
+	return nil
+}
+
+func validateSSORedirectState(state string, whiteListStr string) error {
 	if len(state) == 0 {
 		err := interfaces.NewHTTPShadowError(
 			http.StatusUnauthorized,
-			"SSO Login: Redirect state parameter missing",
-			"SSO Login: Redirect state parameter missing")
+			"SSO Login: State parameter missing",
+			"SSO Login: State parameter missing")
 		return err
 	}
-
-	if !safeSSORedirectState(state, p.Config.SSOWhiteList) {
+	if !safeSSORedirectState(state,whiteListStr) {
 		err := interfaces.NewHTTPShadowError(
 			http.StatusUnauthorized,
 			"SSO Login: Disallowed redirect state",
 			"SSO Login: Disallowed redirect state")
 		return err
 	}
 
-	redirectURL := fmt.Sprintf("%s/oauth/authorize?response_type=code&client_id=%s&redirect_uri=%s", p.Config.ConsoleConfig.AuthorizationEndpoint, p.Config.ConsoleConfig.ConsoleClient, url.QueryEscape(getSSORedirectURI(state, state, "")))
-	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	return nil
 }