Skip to content

Commit

Permalink
concord-server: fix session token handling (#1032)
Browse files Browse the repository at this point in the history 
Bring back the handling of the "session tokens as usernames" special case.
  • Loading branch information
@ibodrov
ibodrov authored Nov 8, 2024
1 parent 617f77b commit d007d3b
Show file tree
Hide file tree
Showing 4 changed files with 82 additions and 11 deletions.
35 changes: 29 additions & 6 deletions ...labs/concord/it/server/BearerTokenIT.java → ...ver/StandardAuthenticationHandlersIT.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Expand All @@ -20,24 +20,47 @@
* =====
*/

import com.walmartlabs.concord.it.common.ServerClient;
import com.walmartlabs.concord.client2.ProcessEntry;
import com.walmartlabs.concord.client2.StartProcessResponse;
import org.junit.jupiter.api.Test;

import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.util.Map;

import static com.walmartlabs.concord.it.common.ITUtils.archive;
import static com.walmartlabs.concord.it.common.ServerClient.*;
import static org.junit.jupiter.api.Assertions.assertEquals;

public class BearerTokenIT {
public class StandardAuthenticationHandlersIT extends AbstractServerIT {

@Test
public void test() throws Exception {
public void testBearerToken() throws Exception {
URL urlObj = new URL(ITConstants.SERVER_URL + "/api/v1/org?limit=1");
HttpURLConnection httpCon = (HttpURLConnection) urlObj.openConnection();

httpCon.setRequestProperty("Authorization", "Bearer " + ServerClient.DEFAULT_API_KEY);
httpCon.setRequestProperty("Authorization", "Bearer " + DEFAULT_API_KEY);

int responseCode = httpCon.getResponseCode();
assertEquals(HttpURLConnection.HTTP_OK, responseCode);
}

@Test
public void testSessionTokenAsUsername() throws Exception {
URI dir = SuspendIT.class.getResource("sessionTokenAsUsername").toURI();
byte[] payload = archive(dir);

// ---

String targetUrl = getApiClient().getBaseUri() + "/api/v1/org?limit=1";
StartProcessResponse spr = start(Map.of(
"archive", payload,
"arguments.targetUrl", targetUrl));

// ---

ProcessEntry pir = waitForStatus(getApiClient(), spr.getInstanceId(), ProcessEntry.StatusEnum.FINISHED);
assertLog(".*statusCode=200.*", getLog(pir.getInstanceId()));
}
}
23 changes: 23 additions & 0 deletions ...r/src/test/resources/com/walmartlabs/concord/it/server/sessionTokenAsUsername/concord.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
configuration:
runtime: "concord-v2"
flows:
default:
- script: js
body: |
const Base64 = Java.type('java.util.Base64');
const auth = processInfo.sessionToken + ":";
result.set('auth', Base64.getEncoder().withoutPadding().encodeToString(auth.getBytes()));
out:
auth: ${result.auth}

- task: http
in:
method: GET
headers:
Authorization: "Basic ${auth}"
url: ${targetUrl}
ignoreErrors: false
response: json
out: response

- log: "statusCode=${response.statusCode}"
14 changes: 10 additions & 4 deletions ...mpl/src/main/java/com/walmartlabs/concord/server/security/BasicAuthenticationHandler.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@

/**
* Handles basic authentication (username/password).
*
* @see SessionTokenAuthenticationHandler for a special case of session tokens passed as usernames.
*/
public class BasicAuthenticationHandler implements AuthenticationHandler {

Expand Down Expand Up @@ -64,12 +66,16 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
auth = new String(Base64.getDecoder().decode(auth));

var idx = auth.indexOf(":");
if (idx + 1 == auth.length()) {
throw new IllegalArgumentException("Invalid basic auth header");
if (idx < 0) {
// invalid auth header
return null;
}

if (idx < 0 || idx + 1 >= auth.length()) {
throw new IllegalArgumentException("Invalid basic auth header");
if (idx + 1 == auth.length()) {
// no password
// it might be a session token that is passed as a username
// we let the SessionTokenAuthenticationHandler to handle it
return null;
}

var username = auth.substring(0, idx).trim();
Expand Down
21 changes: 20 additions & 1 deletion .../main/java/com/walmartlabs/concord/server/security/SessionTokenAuthenticationHandler.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.HttpHeaders;
import java.util.Base64;
import java.util.UUID;

Expand All @@ -40,6 +41,8 @@
*/
public class SessionTokenAuthenticationHandler implements AuthenticationHandler {

private static final String BASIC_AUTH_PREFIX = "Basic ";

private final SecretStoreConfiguration secretCfg;

@Inject
Expand All @@ -53,7 +56,23 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r

var encryptedToken = req.getHeader(Constants.Headers.SESSION_TOKEN);
if (encryptedToken == null) {
return null;
// handle the special case of session tokens passed as usernames
var auth = req.getHeader(HttpHeaders.AUTHORIZATION);
if (auth == null) {
// no session token header and no basic auth header, skip
return null;
}

auth = auth.substring(BASIC_AUTH_PREFIX.length());
auth = new String(Base64.getDecoder().decode(auth));

var idx = auth.indexOf(":");
if (idx < 0 || idx != auth.length() - 1) {
// invalid auth header or a non-empty password, skip
return null;
}

encryptedToken = auth.substring(0, idx);
}

var decryptedValue = decryptSessionKey(encryptedToken);
Expand Down

0 comments on commit d007d3b

Please sign in to comment.