fix(jans-auth-server): forced clientWhiteList when session is valid f…

…or post_logout_redirect_uri (allowPostLogoutRedirectWithoutValidation=true ) #4672 (#4681)

jans-auth-server/server/src/main/java/io/jans/as/server/session/ws/rs/EndSessionRestWebServiceImpl.java

@@ -24,7 +24,6 @@
 import io.jans.as.model.session.EndSessionErrorResponseType;
 import io.jans.as.model.session.EndSessionRequestParam;
 import io.jans.as.model.token.JsonWebResponse;
-import io.jans.as.model.util.URLPatternList;
 import io.jans.as.model.util.Util;
 import io.jans.as.server.audit.ApplicationAuditLogger;
 import io.jans.as.server.model.audit.Action;
@@ -116,6 +115,9 @@ public class EndSessionRestWebServiceImpl implements EndSessionRestWebService {
     @Inject
     private AbstractCryptoProvider cryptoProvider;
 
+    @Inject
+    private EndSessionService endSessionService;
+
     @Override
     public Response requestEndSession(String idTokenHint, String postLogoutRedirectUri, String state, String sid,
                                       HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext sec) {
@@ -295,7 +297,7 @@ private boolean allowPostLogoutRedirect(String postLogoutRedirectUri) {
         final Boolean allowPostLogoutRedirectWithoutValidation = appConfiguration.getAllowPostLogoutRedirectWithoutValidation();
         return allowPostLogoutRedirectWithoutValidation != null &&
                 allowPostLogoutRedirectWithoutValidation &&
-                new URLPatternList(appConfiguration.getClientWhiteList()).isUrlListed(postLogoutRedirectUri);
+                endSessionService.isUrlWhiteListed(postLogoutRedirectUri);
     }
 
     private SessionId validateSidRequestParameter(String sid, String postLogoutRedirectUri) {
@@ -409,8 +411,8 @@ private String validatePostLogoutRedirectUri(String postLogoutRedirectUri, Pair<
             if (StringUtils.isBlank(postLogoutRedirectUri)) {
                 return "";
             }
-            if (isTrue(appConfiguration.getAllowPostLogoutRedirectWithoutValidation())) {
-                log.trace("Skipped post_logout_redirect_uri validation (because allowPostLogoutRedirectWithoutValidation=true)");
+            if (isTrue(appConfiguration.getAllowPostLogoutRedirectWithoutValidation()) && endSessionService.isUrlWhiteListed(postLogoutRedirectUri)) {
+                log.trace("Skipped post_logout_redirect_uri validation (because allowPostLogoutRedirectWithoutValidation=true and it's white listed)");
                 return postLogoutRedirectUri;
             }
 

jans-auth-server/server/src/main/java/io/jans/as/server/session/ws/rs/EndSessionService.java

@@ -0,0 +1,26 @@
+package io.jans.as.server.session.ws.rs;
+
+import io.jans.as.model.configuration.AppConfiguration;
+import io.jans.as.model.util.URLPatternList;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
+import org.slf4j.Logger;
+
+/**
+ * @author Yuriy Z
+ */
+@Named
+public class EndSessionService {
+
+    @Inject
+    private Logger log;
+
+    @Inject
+    private AppConfiguration appConfiguration;
+
+    public boolean isUrlWhiteListed(String url) {
+        final boolean result = new URLPatternList(appConfiguration.getClientWhiteList()).isUrlListed(url);
+        log.trace("White listed result: {}, url: {}", result, url);
+        return result;
+    }
+}

jans-auth-server/server/src/test/java/io/jans/as/server/session/ws/rs/EndSessionServiceTest.java

@@ -0,0 +1,48 @@
+package io.jans.as.server.session.ws.rs;
+
+import com.google.common.collect.Lists;
+import io.jans.as.model.configuration.AppConfiguration;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.testng.MockitoTestNGListener;
+import org.slf4j.Logger;
+import org.testng.annotations.Listeners;
+import org.testng.annotations.Test;
+
+import static org.mockito.Mockito.when;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+
+/**
+ * @author Yuriy Z
+ */
+@Listeners(MockitoTestNGListener.class)
+public class EndSessionServiceTest {
+
+    @InjectMocks
+    private EndSessionService endSessionService;
+
+    @Mock
+    private Logger log;
+
+    @Mock
+    private AppConfiguration appConfiguration;
+
+    @Test
+    public void isUrlWhiteListed_whenClientWhiteListAllows_shouldReturnTrue() {
+        when(appConfiguration.getClientWhiteList()).thenReturn(Lists.newArrayList("white.com"));
+
+        assertTrue(endSessionService.isUrlWhiteListed("https://white.com/path"));
+        assertTrue(endSessionService.isUrlWhiteListed("https://white.com/path?param=value"));
+        assertTrue(endSessionService.isUrlWhiteListed("http://white.com/path?param=value"));
+    }
+
+    @Test
+    public void isUrlWhiteListed_whenClientWhiteListDoesNotAllow_shouldReturnFalse() {
+        when(appConfiguration.getClientWhiteList()).thenReturn(Lists.newArrayList("some.com"));
+
+        assertFalse(endSessionService.isUrlWhiteListed("https://white.com/path"));
+        assertFalse(endSessionService.isUrlWhiteListed("https://white.com/path?param=value"));
+        assertFalse(endSessionService.isUrlWhiteListed("http://white.com/path?param=value"));
+    }
+}

jans-auth-server/server/src/test/resources/testng.xml

@@ -29,6 +29,7 @@
             <class name="io.jans.as.server.authorize.ws.rs.AuthorizeActionTest" />
             <class name="io.jans.as.server.register.ws.rs.SsaValidationConfigServiceTest" />
             <class name="io.jans.as.server.session.ws.rs.EndSessionRestWebServiceImplTest" />
+            <class name="io.jans.as.server.session.ws.rs.EndSessionServiceTest" />
         </classes>
     </test>