Am 159 merge 3.19.2 into master #2247

Merged
merged 29 commits into from
Nov 28, 2022
329641c
chore: prepare next version
graviteeio Sep 27, 2022
3abd5a0
AM-67: removed set primary from email factor
Oct 6, 2022
0b6eb5d
AM-60: fixed Kafka audit reporter null pointer exception
Oct 7, 2022
e84fe88
fix: avoid overflow using integer divider onn timeMillis, prefer the …
leleueri Oct 11, 2022
fd15215
AM-69: fixed post logout query param issue
Oct 5, 2022
2107043
chore: prepare next version
graviteeio Oct 19, 2022
7730276
chore: prepare next version
graviteeio Oct 21, 2022
b8c5755
fix: use PostLogoutUrls defined at domain level if nothing is define …
leleueri Oct 17, 2022
b6d5f96
fix: check the validity of request_uri parameter when it is a URL
leleueri Oct 21, 2022
a64a34c
fix: do not restrict user claim coming from external idps to the stan…
leleueri Oct 19, 2022
a16f897
fix: group update using SCIM must preserve the roles assigned to the …
leleueri Oct 21, 2022
d1c4036
fix: do not limit the number of result during searchUser for forgot p…
leleueri Oct 19, 2022
725f501
AM-112 upgrade dependencies based on snyk scan
leleueri Oct 25, 2022
5df47b5
AM-118 manage email field during user update
leleueri Oct 25, 2022
587a589
AM-120 remove check on URL fragments for request_uri
leleueri Oct 26, 2022
b262283
AM-61 fix UI refresh issue
leleueri Oct 27, 2022
68c65f2
3.15.14
graviteeio Oct 28, 2022
3e6f6da
AM-113 Merge 3.15.14
leleueri Oct 28, 2022
95b7fa1
Merge pull request #2208 from gravitee-io/AM-113-merge-3.15.14
leleueri Nov 2, 2022
035ea0a
AM-128 initialize social idps to use them into the Register template
leleueri Oct 28, 2022
0379b29
fix: Allow secondary LDAP URL
farmborough Sep 28, 2022
8c40d55
AM-125 add forgotPassword action into identity first login page
leleueri Oct 31, 2022
54c332f
AM-66 Evaluation WebAuthn settings before reading the origin during F…
leleueri Nov 2, 2022
adef72f
3.18.10
graviteeio Nov 4, 2022
08a61e9
AM-114 Merge AM 3.18.10 into 3.19.x
leleueri Nov 9, 2022
2fd46ea
AM-119 hide the skip button on MFA enroll page if the MFA is required
leleueri Nov 9, 2022
c1e52f3
Merge pull request #2223 from gravitee-io/AM-114-merge-3.18.10
leleueri Nov 10, 2022
520f85c
3.19.2
graviteeio Nov 10, 2022
d941a18
AM-159 merge AM 3.19.2 into master
leleueri Nov 25, 2022
fix: use PostLogoutUrls defined at domain level if nothing is defined at app level

     to validate the redirection after user logout

fixes AM-62
leleueri committed Oct 24, 2022

commit b8c57555dada8c5bb4ee8054c070385fe933d918
@@ -20,8 +20,8 @@
import io.gravitee.am.common.jwt.Claims;
import io.gravitee.am.common.oidc.Parameters;
import io.gravitee.am.common.oidc.StandardClaims;
import io.gravitee.am.common.web.UriBuilder;
import io.gravitee.am.common.utils.ConstantKeys;
import io.gravitee.am.common.web.UriBuilder;
import io.gravitee.am.gateway.handler.common.vertx.utils.RequestUtils;
import io.gravitee.am.gateway.handler.root.resources.endpoint.ParamUtils;
import io.gravitee.am.gateway.handler.root.service.user.UserService;
@@ -45,6 +45,8 @@
import java.util.List;
import java.util.Map;

import static org.springframework.util.CollectionUtils.isEmpty;

/**
* @author Eric LELEU (eric.leleu at graviteesource.com)
* @author GraviteeSource Team
@@ -123,8 +125,7 @@ protected void doRedirect(Client client, RoutingContext routingContext, String e
// The OP also MUST NOT perform post-logout redirection if the post_logout_redirect_uri value supplied
// does not exactly match one of the previously registered post_logout_redirect_uris values.
// if client is null, check security domain options
List<String> registeredUris = client != null ? client.getPostLogoutRedirectUris() :
(domain.getOidc() != null ? domain.getOidc().getPostLogoutRedirectUris() : null);
List<String> registeredUris = client != null && !isEmpty(client.getPostLogoutRedirectUris()) ? client.getPostLogoutRedirectUris() : (domain.getOidc() != null ? domain.getOidc().getPostLogoutRedirectUris() : null);
if (!isMatchingRedirectUri(logoutRedirectUrl, registeredUris, domain.isRedirectUriStrictMatching() || domain.usePlainFapiProfile())) {
routingContext.fail(new InvalidRequestException("The post_logout_redirect_uri MUST match the registered callback URLs"));
return;
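Review bot: The comment kept just above the new condition, `// if client is null, check security domain options`, no longer describes it: the domain-level list is now also used when a client exists but its `getPostLogoutRedirectUris()` is null or empty, so it should read `// fall back to the domain's post_logout_redirect_uris when there is no client or the client registered none`. Because this widens the set of URIs a logout for such a client may redirect to, that comment is also the place to state that the widening is intentional; whether a null or empty domain list still rejects the redirect depends on isMatchingRedirectUri, which is not visible in this hunk and is worth confirming with a test where both lists are empty. The new single line is also hard to read and would be clearer as two: `final List<String> clientUris = client != null ? client.getPostLogoutRedirectUris() : null;` followed by `final List<String> registeredUris = !isEmpty(clientUris) ? clientUris : (domain.getOidc() != null ? domain.getOidc().getPostLogoutRedirectUris() : null);`. doRedirect starts and ends outside the hunk.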
@@ -47,7 +47,9 @@
import org.mockito.junit.MockitoJUnitRunner;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;

import static org.mockito.ArgumentMatchers.*;
import static org.mockito.Mockito.mock;
@@ -112,6 +114,104 @@ public void shouldInvokeLogoutEndpoint_targetUrl_noClient() throws Exception {
HttpStatusCode.FOUND_302, "Found", null);
}


@Test
public void shouldInvokeLogoutEndpoint_targetUrl_alloaw_atDomainLevel_appUrls_not_defined() throws Exception {
Client client = new Client();
client.setClientId("123");
// no redirectUris registered for logout at App Level
client.setPostLogoutRedirectUris(null);
when(clientSyncService.findById("client-id")).thenReturn(Maybe.just(client));
when(userService.logout(any(), eq(false), any())).thenReturn(Completable.complete());

final OIDCSettings oidcSettings = new OIDCSettings();
// redirect logout URI defined at domain level
oidcSettings.setPostLogoutRedirectUris(List.of("https://test"));
when(domain.getOidc()).thenReturn(oidcSettings);

router.route().order(-1).handler(routingContext -> {
User endUser = new User();
endUser.setClient("client-id");
routingContext.getDelegate().setUser(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(endUser));
routingContext.next();
});

testRequest(
HttpMethod.GET, "/logout?target_url=https%3A%2F%2Ftest",
null,
resp -> {
String location = resp.headers().get("location");
assertNotNull(location);
assertTrue(location.equals("https://test"));
},
HttpStatusCode.FOUND_302, "Found", null);
}

@Test
public void shouldInvokeLogoutEndpoint_targetUrl_alloaw_atDomainLevel_appUrls_not_defined_emptyList() throws Exception {
Client client = new Client();
client.setClientId("123");
// no redirectUris registered for logout at App Level
client.setPostLogoutRedirectUris(Collections.emptyList());
when(clientSyncService.findById("client-id")).thenReturn(Maybe.just(client));
when(userService.logout(any(), eq(false), any())).thenReturn(Completable.complete());

final OIDCSettings oidcSettings = new OIDCSettings();
// redirect logout URI defined at domain level
oidcSettings.setPostLogoutRedirectUris(List.of("https://test"));
when(domain.getOidc()).thenReturn(oidcSettings);

router.route().order(-1).handler(routingContext -> {
User endUser = new User();
endUser.setClient("client-id");
routingContext.getDelegate().setUser(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(endUser));
routingContext.next();
});

testRequest(
HttpMethod.GET, "/logout?target_url=https%3A%2F%2Ftest",
null,
resp -> {
String location = resp.headers().get("location");
assertNotNull(location);
assertTrue(location.equals("https://test"));
},
HttpStatusCode.FOUND_302, "Found", null);
}

@Test
public void shouldInvokeLogoutEndpoint_targetUrl_not_allowed_atDomainLevel_appUrls_not_defined() throws Exception {
Client client = new Client();
client.setClientId("123");
// no redirectUris registered for logout at App Level
client.setPostLogoutRedirectUris(null);
when(clientSyncService.findById("client-id")).thenReturn(Maybe.just(client));
when(userService.logout(any(), eq(false), any())).thenReturn(Completable.complete());

final OIDCSettings oidcSettings = new OIDCSettings();
// redirect logout URI defined at domain level
oidcSettings.setPostLogoutRedirectUris(List.of("https://test"));
when(domain.getOidc()).thenReturn(oidcSettings);

router.route().order(-1).handler(routingContext -> {
User endUser = new User();
endUser.setClient("client-id");
routingContext.getDelegate().setUser(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(endUser));
routingContext.next();
});

testRequest(
HttpMethod.GET, "/logout?target_url=https%3A%2F%2Fnot-allowed",
null,
resp -> {
String location = resp.headers().get("location");
assertNotNull(location);
assertTrue(location.endsWith("invalid_request&error_description=The+post_logout_redirect_uri+MUST+match+the+registered+callback+URLs"));
},
HttpStatusCode.FOUND_302, "Found", null);
}


@Test
public void shouldInvokeLogoutEndpoint_targetUrl_client_noRestriction() throws Exception {
Client client = new Client();