Honour the cookieDomain also for the OAuth scope selection
Gerrit defines the cookieDomain for associating the authentication
cookie with a service; however, the cookie domain was not honoured
for the scope selection, making it more difficult for users to switch
between different sites.
Example:
- User john logged in to site-1.gerrit.mycompany.com
- Gerrit cookie associated to .gerrit.mycompany.com
- User john login/logout to site-2.gerrit.mycompany.com
- The OAuth scope selection is lost
The OAuth scope cookie must respect the same cookieDomain defined
in the auth section of gerrit.config.
Change-Id: I0317bd38badb04c12a959973e80ffe726b3df168
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
index 6db2338..ece944d 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
@@ -157,6 +157,7 @@
Cookie scopeCookie = new Cookie("scope", scopeRequested);
scopeCookie.setPath("/");
scopeCookie.setMaxAge((int) SCOPE_COOKIE_NEVER_EXPIRES);
+ config.getCookieDomain().ifPresent(scopeCookie::setDomain);
response.addCookie(scopeCookie);
}
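Review bot: Binding the scope cookie to `auth.cookieDomain` makes it readable and writable from every host under that domain, and the lines above still create it with neither HttpOnly nor Secure set, so widening the domain is the point at which to add `scopeCookie.setHttpOnly(true);` and, if the servlet request is reachable here, `scopeCookie.setSecure(request.isSecure());`. The `scope` value appears to be consumed server-side only, which would make HttpOnly safe, but that should be confirmed against whatever reads the cookie back. The enclosing method starts before the hunk.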
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
index 7ef81d1..d86feda 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
@@ -34,6 +34,7 @@
import java.util.Comparator;
import java.util.List;
import java.util.Map;
+import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.stream.Collectors;
@@ -78,6 +79,7 @@
public final long httpReadTimeout;
private final Map<String, KeyConfig> keyConfigMap;
private final KeyConfig currentKeyConfig;
+ private final Optional<String> cookieDomain;
@Inject
protected GitHubOAuthConfig(@GerritServerConfig Config config, CanonicalWebUrl canonicalWebUrl) {
@@ -110,6 +112,7 @@
logoutRedirectUrl = config.getString(CONF_SECTION, null, "logoutRedirectUrl");
enabled = config.getString("auth", null, "type").equalsIgnoreCase(AuthType.HTTP.toString());
+ cookieDomain = Optional.ofNullable(config.getString("auth", null, "cookieDomain"));
scopes = getScopes(config);
sortedScopesKeys =
scopes.keySet().stream()
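Review bot: `Optional.ofNullable` around `config.getString("auth", null, "cookieDomain")` treats an empty value (`cookieDomain =` with nothing after it in gerrit.config) as present, which would then reach `Cookie.setDomain("")` in GitHubLogin; if jgit returns an empty string for such an entry, filtering it keeps the Optional meaning "actually configured": `cookieDomain = Optional.ofNullable(config.getString("auth", null, "cookieDomain")).filter(d -> !d.isEmpty());`. That case is worth pinning with a test alongside `shouldReturnEmptyCookieDomainByDefault` in GitHubOAuthConfigTest. The constructor begins before this hunk and continues after it.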
@@ -207,6 +210,10 @@
return keyConfigMap.get(subsection);
}
+ public Optional<String> getCookieDomain() {
+ return cookieDomain;
+ }
+
public class KeyConfig {
public static final int PASSWORD_LENGTH_DEFAULT = 16;
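Review bot: `getCookieDomain()` is a new public accessor with no Javadoc; a one-liner would tie it to the Gerrit setting it mirrors: `/** The {@code auth.cookieDomain} value from gerrit.config, or empty when it is not set. */`. Saying that it is intended to match the domain Gerrit uses for its own authentication cookie would also explain to readers of GitHubLogin why the scope cookie copies it.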
diff --git a/github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java b/github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java
index a5bf767..aae8fcc 100644
--- a/github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java
+++ b/github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java
@@ -28,6 +28,7 @@
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.util.Providers;
+import java.util.Optional;
import org.eclipse.jgit.lib.Config;
import org.junit.Before;
import org.junit.Test;
@@ -166,7 +167,33 @@
illegalStateException.getMessage());
}
+ @Test
+ public void shouldReturnEmptyCookieDomainByDefault() {
+ setupEncryptionConfig();
+ assertEquals(Optional.empty(), objectUnderTest().getCookieDomain());
+ }
+
+ @Test
+ public void shouldReturnTheCookieDomainFromAuth() {
+ setupEncryptionConfig();
+ String myDomain = ".mydomain.com";
+ config.setString("auth", null, "cookieDomain", myDomain);
+
+ assertEquals(Optional.of(myDomain), objectUnderTest().getCookieDomain());
+ }
+
private GitHubOAuthConfig objectUnderTest() {
return new GitHubOAuthConfig(config, canonicalWebUrl);
}
+
+ private void setupEncryptionConfig() {
+ String keySubsection = "someKeyConfig";
+ String cipherAlgorithm = "AES/CFB8/NoPadding";
+ String secretKeyAlgorithm = "DES";
+ config.setBoolean(CONF_KEY_SECTION, keySubsection, CURRENT_CONFIG_LABEL, true);
+ config.setString(
+ CONF_KEY_SECTION, keySubsection, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
+ config.setString(CONF_KEY_SECTION, keySubsection, CIPHER_ALGO_CONFIG_LABEL, cipherAlgorithm);
+ config.setString(CONF_KEY_SECTION, keySubsection, SECRET_KEY_CONFIG_LABEL, secretKeyAlgorithm);
+ }
}