Add HttpCookieOAuth2AuthorizationRequestRepository

Fixes spring-projectsgh-6374

Author: Gittenburg

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/HttpCookieOAuth2AuthorizationRequestRepository.java

@@ -0,0 +1,164 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.web;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.springframework.core.convert.ConversionService;
+import org.springframework.core.convert.support.DefaultConversionService;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.util.Assert;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.*;
+
+/**
+ * An cookie-based implementation of an {@link AuthorizationRequestRepository}
+ * {@link OAuth2AuthorizationRequest} useful for stateless OAuth2 clients.
+ *
+ * @author Gittenburg
+ * @see AuthorizationRequestRepository
+ * @see OAuth2AuthorizationRequest
+ */
+public class HttpCookieOAuth2AuthorizationRequestRepository implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {
+	private static final String COOKIE_NAME =
+		HttpCookieOAuth2AuthorizationRequestRepository.class.getName() +  ".AUTHORIZATION_REQUEST";
+
+	private final ObjectMapper objectMapper = new ObjectMapper();
+
+	private final ConversionService conversionService = new DefaultConversionService();
+
+	@Override
+	public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
+		Assert.notNull(request, "request cannot be null");
+
+		if (request.getCookies() == null)
+			return null;
+
+		Cookie cookie = Arrays.stream(request.getCookies()).filter(c -> c.getName().equals(COOKIE_NAME)).findFirst().get();
+		if (cookie == null)
+			return null;
+
+		// We do not use (de)serialization for untrusted data because that can lead to security vulnerabilities.
+
+		JsonNode node = null;
+		try {
+			node = objectMapper.reader().readTree(Base64.getDecoder().decode(cookie.getValue().getBytes()));
+		} catch (IOException e) {
+			return null;
+		}
+
+		Map<String, Object> attributesMap = new HashMap<>();
+		node.get("attributes").fields().forEachRemaining(entry -> {
+			attributesMap.put(entry.getKey(), entry.getValue().textValue());
+		});
+		Map<String, Object> additionalParamsMap = new HashMap<>();
+		node.get("additionalParams").fields().forEachRemaining(entry -> {
+			additionalParamsMap.put(entry.getKey(), entry.getValue().textValue());
+		});
+		Set<String> scopes = new HashSet<>();
+		node.withArray("scopes").forEach(scopeNode -> scopes.add(scopeNode.asText()));
+
+		return OAuth2AuthorizationRequest.authorizationCode()
+			.authorizationUri(node.get("authorizationUri").textValue())
+			.authorizationRequestUri(node.get("authorizationRequestUri").textValue())
+			.clientId(node.get("clientId").textValue())
+			.redirectUri(node.get("redirectUri").textValue())
+			.state(node.get("state").textValue())
+			.scopes(scopes)
+			.attributes(attributesMap)
+			.additionalParameters(additionalParamsMap)
+			.build();
+	}
+
+	@Override
+	public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request, HttpServletResponse response) {
+		Assert.notNull(request, "request cannot be null");
+		Assert.notNull(response, "response cannot be null");
+
+		if (authorizationRequest == null){
+			response.addCookie(expiredCookie(request));
+			return;
+		}
+
+		ObjectNode node = objectMapper.createObjectNode();
+		node.put("authorizationUri", authorizationRequest.getAuthorizationUri());
+		node.put("authorizationRequestUri", authorizationRequest.getAuthorizationRequestUri());
+
+		node.put("clientId", authorizationRequest.getClientId());
+		node.put("redirectUri", authorizationRequest.getRedirectUri());
+		ArrayNode scopeArrayNode = node.putArray("scopes");
+		authorizationRequest.getScopes().forEach(scopeArrayNode::add);
+		node.put("state", authorizationRequest.getState());
+
+		ObjectNode attributesNode = node.putObject("attributes");
+		authorizationRequest.getAttributes().forEach((key, value) -> {
+			attributesNode.put(key, conversionService.convert(value, String.class));
+		});
+
+		ObjectNode additionalParamsNode = node.putObject("additionalParams");
+		authorizationRequest.getAdditionalParameters().forEach((key, value) -> {
+			additionalParamsNode.put(key, conversionService.convert(value, String.class));
+		});
+		response.addCookie(buildCookie(Base64.getEncoder().encodeToString(node.toString().getBytes()), request));
+	}
+
+	/**
+	 * Builds a cookie to store the authorization request
+	 * @param value the value to save in the cookie
+	 * @param request the request to which we will respond with the cookie
+	 * @return the created cookie
+	 */
+	private Cookie buildCookie(String value, HttpServletRequest request){
+		Cookie cookie = new Cookie(COOKIE_NAME, value);
+		cookie.setPath("/");
+		cookie.setHttpOnly(true);
+		cookie.setSecure(request.isSecure());
+		cookie.setMaxAge(120); // expire after two minutes
+		return cookie;
+	}
+
+	/**
+	 * Builds an expired cookie
+	 * @param request the request to which we will respond with the cookie
+	 * @return the expired cookie
+	 */
+	private Cookie expiredCookie(HttpServletRequest request){
+		Cookie cookie = buildCookie("", request);
+		cookie.setMaxAge(0);
+		return cookie;
+	}
+
+	@Override
+	public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request, HttpServletResponse response) {
+		Assert.notNull(request, "request cannot be null");
+		Assert.notNull(response, "response cannot be null");
+		response.addCookie(expiredCookie(request));
+		return loadAuthorizationRequest(request);
+	}
+
+	@Override
+	public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) {
+		Assert.notNull(request, "request cannot be null");
+		// we cannot actually remove the authorizationRequest here because we don't have access to the httpServletResponse
+		return loadAuthorizationRequest(request);
+	}
+}

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/HttpCookieOAuth2AuthorizationRequestRepositoryTests.java

@@ -0,0 +1,208 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.web;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+
+import javax.servlet.http.Cookie;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+/**
+ * Tests for {@link HttpCookieOAuth2AuthorizationRequestRepository}.
+ *
+ * @author Gittenburg
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class HttpCookieOAuth2AuthorizationRequestRepositoryTests {
+	private HttpCookieOAuth2AuthorizationRequestRepository authorizationRequestRepository =
+			new HttpCookieOAuth2AuthorizationRequestRepository();
+
+	@Test(expected = IllegalArgumentException.class)
+	public void loadAuthorizationRequestWhenHttpServletRequestIsNullThenThrowIllegalArgumentException() {
+		this.authorizationRequestRepository.loadAuthorizationRequest(null);
+	}
+
+	@Test
+	public void loadAuthorizationRequestWhenNotSavedThenReturnNull() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addParameter(OAuth2ParameterNames.STATE, "state-1234");
+		OAuth2AuthorizationRequest authorizationRequest =
+				this.authorizationRequestRepository.loadAuthorizationRequest(request);
+
+		assertThat(authorizationRequest).isNull();
+	}
+
+	@Test
+	public void loadAuthorizationRequestWhenSavedAndStateParameterNullThenReturnNull() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, request, new MockHttpServletResponse());
+
+		assertThat(this.authorizationRequestRepository.loadAuthorizationRequest(request)).isNull();
+	}
+
+	@Test
+	public void saveAuthorizationRequestWhenHttpServletRequestIsNullThenThrowIllegalArgumentException() {
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+
+		assertThatThrownBy(() -> this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, null, new MockHttpServletResponse()))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void saveAuthorizationRequestWhenHttpServletResponseIsNullThenThrowIllegalArgumentException() {
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+
+		assertThatThrownBy(() -> this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, new MockHttpServletRequest(), null))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void saveAuthorizationRequestWhenNotNullThenSaved() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, request, response);
+
+		request.setCookies(response.getCookies());
+
+		OAuth2AuthorizationRequest loadedAuthorizationRequest =
+				this.authorizationRequestRepository.loadAuthorizationRequest(request);
+
+		assertThat(loadedAuthorizationRequest.getAttributes()).isEqualTo(authorizationRequest.getAttributes());
+		assertThat(loadedAuthorizationRequest.getAdditionalParameters()).isEqualTo(authorizationRequest.getAdditionalParameters());
+		assertThat(loadedAuthorizationRequest.getAuthorizationRequestUri()).isEqualTo(authorizationRequest.getAuthorizationRequestUri());
+		assertThat(loadedAuthorizationRequest.getAuthorizationUri()).isEqualTo(authorizationRequest.getAuthorizationUri());
+		assertThat(loadedAuthorizationRequest.getGrantType()).isEqualTo(authorizationRequest.getGrantType());
+		assertThat(loadedAuthorizationRequest.getRedirectUri()).isEqualTo(authorizationRequest.getRedirectUri());
+		assertThat(loadedAuthorizationRequest.getScopes()).isEqualTo(authorizationRequest.getScopes());
+		assertThat(loadedAuthorizationRequest.getState()).isEqualTo(authorizationRequest.getState());
+		assertThat(loadedAuthorizationRequest.getClientId()).isEqualTo(authorizationRequest.getClientId());
+	}
+
+	@Test
+	public void saveAuthorizationRequestWhenRequestInsecureThenCookiesInsecure(){
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setSecure(false);
+
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, request, response);
+		for (Cookie cookie: response.getCookies()){
+			assertThat(!cookie.getSecure());
+		}
+	}
+
+	@Test
+	public void saveAuthorizationRequestWhenRequestSecureThenCookiesSecure(){
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setSecure(true);
+
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, request, response);
+
+		assertThat(response.getCookies().length).isEqualTo(1);
+		assertThat(response.getCookies()[0].getSecure());
+	}
+
+	@Test
+	public void saveAuthorizationRequestWhenNullThenCookiesExpired() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
+
+		this.authorizationRequestRepository.saveAuthorizationRequest(
+				null, request, response);
+
+		assertThat(response.getCookies().length).isEqualTo(1);
+		assertThat(response.getCookies()[0].getMaxAge()).isEqualTo(0);
+	}
+
+	@Test
+	public void removeAuthorizationRequestWhenNotNullThenCookiesExpired() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		this.authorizationRequestRepository.removeAuthorizationRequest(request, response);
+
+		assertThat(response.getCookies().length).isEqualTo(1);
+		assertThat(response.getCookies()[0].getMaxAge()).isEqualTo(0);
+	}
+
+	@Test
+	public void removeAuthorizationRequestWhenHttpServletRequestIsNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> this.authorizationRequestRepository.removeAuthorizationRequest(
+				null, new MockHttpServletResponse())).isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void removeAuthorizationRequestWhenHttpServletResponseIsNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> this.authorizationRequestRepository.removeAuthorizationRequest(
+				new MockHttpServletRequest(), null)).isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void removeAuthorizationRequestWhenNotSavedThenNotRemoved() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addParameter(OAuth2ParameterNames.STATE, "state-1234");
+
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		OAuth2AuthorizationRequest removedAuthorizationRequest =
+				this.authorizationRequestRepository.removeAuthorizationRequest(request, response);
+
+		assertThat(removedAuthorizationRequest).isNull();
+	}
+
+	private OAuth2AuthorizationRequest.Builder createAuthorizationRequest() {
+		Map<String, Object> additionalParams = new HashMap<>();
+		additionalParams.put("param1", "value1");
+		additionalParams.put("param2", "value2");
+
+		Map<String, Object> attributes = new HashMap<>();
+		attributes.put("attr1", "value1");
+		attributes.put("attr2", "value2");
+
+		return OAuth2AuthorizationRequest.authorizationCode()
+				.authorizationUri("https://example.com/oauth2/authorize")
+				.authorizationRequestUri("https://example.com/example")
+				.scope("one", "two", "three")
+				.clientId("client-id-1234")
+				.additionalParameters(additionalParams)
+				.attributes(attributes)
+				.state("state-1234");
+	}
+}