Fixed op browser state cookie rewrite

Change-Id: I543a490d343339baab7a3c4334050a9b9782ee5e Signed-off-by: smarcet <smarcet@gmail.com>
2021-04-13 17:15:01 -03:00 · 2021-04-13 17:15:01 -03:00 · e2b542cfea
commit e2b542cfea
parent 5f9fa5f6a7
5 changed files with 12026 additions and 34 deletions
--- a/.phpunit.result.cache
+++ b/.phpunit.result.cache
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@ -326,7 +326,7 @@ final class UserController extends OpenIdController
    {
        if (is_null($this->consent_strategy))
        {
-            return View::make("errors.404");
+            return View::make("errors.400");
        }

        return $this->consent_strategy->getConsent();
--- a/app/Http/Middleware/SecurityHTTPHeadersWriterMiddleware.php
+++ b/app/Http/Middleware/SecurityHTTPHeadersWriterMiddleware.php
@ -23,11 +23,7 @@ use libs\utils\RequestUtils;
 */
 class SecurityHTTPHeadersWriterMiddleware
 {
-    const ExcludedRoutes = [
-        // check_session_iframe
-        '/oauth2/check-session'
-    ];
-	/**
+   /**
 	 * Handle an incoming request.
 	 *
 	 * @param  \Illuminate\Http\Request $request
@ -38,12 +34,7 @@ class SecurityHTTPHeadersWriterMiddleware
 	{

 		$response = $next($request);
-        $routePath  = RequestUtils::getCurrentRoutePath($request);
-        if($routePath && is_string($routePath) && !in_array($routePath,self::ExcludedRoutes)){
-            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-            $response->headers->set('X-Frame-Options','DENY');
-        }
-		// https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+     	// https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 		$response->headers->set('X-Content-Type-Options','nosniff');
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 		$response->headers->set('X-XSS-Protection','1; mode=block');
--- a/app/Services/OAuth2/PrincipalService.php
+++ b/app/Services/OAuth2/PrincipalService.php
@ -11,6 +11,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/
+
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Cookie;
 use Illuminate\Support\Facades\Session;
@ -18,6 +19,7 @@ use Illuminate\Support\Facades\Log;
 use OAuth2\Models\IPrincipal;
 use OAuth2\Models\Principal;
 use OAuth2\Services\IPrincipalService;
+
 /**
 * Class PrincipalService
 * @package Services\OAuth2
@ -25,8 +27,8 @@ use OAuth2\Services\IPrincipalService;
 final class PrincipalService implements IPrincipalService
 {

-    const UserIdParam    = 'openstackid.oauth2.principal.user_id';
-    const AuthTimeParam  = 'openstackid.oauth2.principal.auth_time';
+    const UserIdParam = 'openstackid.oauth2.principal.user_id';
+    const AuthTimeParam = 'openstackid.oauth2.principal.auth_time';
    const OPBrowserState = 'openstackid.oauth2.principal.opbs';

    /**
@ -34,27 +36,26 @@ final class PrincipalService implements IPrincipalService
     */
    public function get()
    {
-        $principal        = new Principal;
-        $user_id          = Session::get(self::UserIdParam);
-        $auth_time        = Session::get(self::AuthTimeParam);
+        $principal = new Principal;
+        $user_id = Session::get(self::UserIdParam);
+        $auth_time = Session::get(self::AuthTimeParam);
        $op_browser_state = Session::get(self::OPBrowserState);

        Log::debug(sprintf("PrincipalService::get - user_id %s auth_time %s op_browser_state %s", $user_id, $auth_time, $op_browser_state));
-        if(!Cookie::has(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME)){
-            Log::debug("PrincipalService::get cookie op_bs is missing trying to set it again ...");
-            Cookie::queue
-            (
-                IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME,
-                $op_browser_state,
-                Config::get("session.lifetime", 120),
-                $path = Config::get("session.path"),
-                $domain = Config::get("session.domain"),
-                $secure = true,
-                $httpOnly = false,
-                $raw = false,
-                $sameSite = 'none'
-            );
-        }
+        // overwrite it
+        Cookie::queue
+        (
+            IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME,
+            $op_browser_state,
+            Config::get("session.lifetime", 120),
+            $path = Config::get("session.path"),
+            $domain = Config::get("session.domain"),
+            $secure = true,
+            $httpOnly = false,
+            $raw = false,
+            $sameSite = 'none'
+        );
+
        $principal->setState
        (
            [
@ -85,7 +86,8 @@ final class PrincipalService implements IPrincipalService
    /**
     * @return string
     */
-    private function calculateBrowserState():string{
+    private function calculateBrowserState(): string
+    {
        return hash('sha256', Session::getId());
    }

@ -101,7 +103,7 @@ final class PrincipalService implements IPrincipalService
        Session::put(self::AuthTimeParam, $auth_time);
        // Maintain a `op_browser_state` cookie along with the `sessionid` cookie that
        // represents the End-User's login state at the OP. If the user is not logged
-        $op_browser_state  = $this->calculateBrowserState();
+        $op_browser_state = $this->calculateBrowserState();
        Cookie::queue
        (
            IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME,
--- a/package-lock.json
+++ b/package-lock.json