This is an automated email from the ASF dual-hosted git repository.
lmccay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 2a4bba163 KNOX-2824 - Make SameSite attribute on KnoxSSO Cookie
Configurable (#647)
2a4bba163 is described below
commit 2a4bba1638fdae3c39da1c424bd32da501afae0e
Author: lmccay <[email protected]>
AuthorDate: Wed Oct 12 12:20:00 2022 -0400
KNOX-2824 - Make SameSite attribute on KnoxSSO Cookie Configurable (#647)
---
.../gateway/service/knoxsso/WebSSOResource.java | 10 ++++++++-
.../service/knoxsso/WebSSOResourceTest.java | 25 ++++++++++++++++++++++
2 files changed, 34 insertions(+), 1 deletion(-)
diff --git
a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
index 39725129a..6f14bd219 100644
---
a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
+++
b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
@@ -76,6 +76,7 @@ public class WebSSOResource {
private static final String SSO_COOKIE_SECURE_ONLY_INIT_PARAM =
"knoxsso.cookie.secure.only";
private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM =
"knoxsso.cookie.max.age";
private static final String SSO_COOKIE_DOMAIN_SUFFIX_PARAM =
"knoxsso.cookie.domain.suffix";
+ private static final String SSO_COOKIE_SAMESITE_PARAM =
"knoxsso.cookie.samesite";
private static final String SSO_COOKIE_TOKEN_TTL_PARAM = "knoxsso.token.ttl";
private static final String SSO_COOKIE_TOKEN_AUDIENCES_PARAM =
"knoxsso.token.audiences";
private static final String SSO_COOKIE_TOKEN_SIG_ALG =
"knoxsso.token.sigalg";
@@ -93,6 +94,7 @@ public class WebSSOResource {
private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
private static final String ORIGINAL_URL_COOKIE_NAME = "original-url";
private static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt";
+ private static final String SSO_COOKIE_SAMESITE_DEFAULT = "Strict";
private static final long TOKEN_TTL_DEFAULT = 30000L;
static final String RESOURCE_PATH = "/api/v1/websso";
private String cookieName;
@@ -108,6 +110,8 @@ public class WebSSOResource {
private String clusterName;
private String tokenIssuer;
+ private String sameSiteValue;
+
@Context
HttpServletRequest request;
@@ -136,6 +140,10 @@ public class WebSSOResource {
if (expectedParams != null) {
ssoExpectedparams = Arrays.asList(expectedParams.split(","));
}
+
+ this.sameSiteValue =
StringUtils.isBlank(context.getInitParameter(SSO_COOKIE_SAMESITE_PARAM))
+ ? SSO_COOKIE_SAMESITE_DEFAULT
+ : context.getInitParameter(SSO_COOKIE_SAMESITE_PARAM);
}
private void setSignatureAlogrithm() throws AliasServiceException {
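Review bot: The value read from `knoxsso.cookie.samesite` is stored verbatim and later appended straight into the Set-Cookie header, so a mistyped or padded value (`strict`, `None `) yields an attribute browsers do not recognise and the cookie silently falls back to the browser's own default instead of the operator's intent, and a value containing `;` would be emitted as additional cookie attributes. Only Strict, Lax and None are defined for SameSite; trimming, matching against those three case-insensitively and falling back to SSO_COOKIE_SAMESITE_DEFAULT otherwise (with a log line) keeps a misconfiguration from weakening the cookie unnoticed. SameSite=None is only honoured by browsers when the cookie is also Secure, so a warning when None is configured while `knoxsso.cookie.secure.only` is off would help too; the secure flag is handled outside this hunk, so that check's exact placement is inferred. The init method begins before this hunk.
```java
// … unchanged: expected-params parsing …
String configuredSameSite = context.getInitParameter(SSO_COOKIE_SAMESITE_PARAM);
if (StringUtils.isBlank(configuredSameSite)) {
    this.sameSiteValue = SSO_COOKIE_SAMESITE_DEFAULT;
} else {
    String normalized = configuredSameSite.trim();
    // Only the three defined SameSite values are accepted; browsers ignore anything else.
    if ("Strict".equalsIgnoreCase(normalized)
        || "Lax".equalsIgnoreCase(normalized)
        || "None".equalsIgnoreCase(normalized)) {
        this.sameSiteValue = normalized;
    } else {
        // TODO: log the rejected value via LOGGER; fall back to the safer default
        this.sameSiteValue = SSO_COOKIE_SAMESITE_DEFAULT;
    }
}
```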
@@ -405,7 +413,7 @@ public class WebSSOResource {
if (maxAge != -1) {
setCookie.append("; Max-Age=").append(maxAge);
}
- setCookie.append("; SameSite=None");
+ setCookie.append("; SameSite=").append(this.sameSiteValue);
response.setHeader("Set-Cookie", setCookie.toString());
LOGGER.addedJWTCookie();
} catch (Exception e) {
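Review bot: Replacing the hard-coded `SameSite=None` with the configured value also changes the shipped default to Strict (the new SSO_COOKIE_SAMESITE_DEFAULT constant), and neither the code nor the commit message records that; deployments whose SSO entry is a cross-site top-level redirect may stop receiving the hadoop-jwt cookie until they set `knoxsso.cookie.samesite=None`. Suggest a comment on the appended line: `// Default is Strict (KNOX-2824); cross-site SSO flows must configure knoxsso.cookie.samesite=None, which browsers only honour together with the Secure attribute (knoxsso.cookie.secure.only).` The enclosing try block and the Secure-attribute handling start before this hunk.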
diff --git
a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
index d1d625429..5f6389e09 100644
---
a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
+++
b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
@@ -414,6 +414,31 @@ public class WebSSOResourceTest {
assertEquals(expectedknoxSsoSecureOnly, cookie.getSecure());
}
+ @Test
+ public void testSameConfigurableSite() throws Exception {
+ testSameSite("None", "None"); // explicitly set to None
+ testSameSite(null, "Strict"); // default value
+ testSameSite("Lax", "Lax"); // explicitly set to Lax
+ }
+
+ private void testSameSite(String knoxSsoCookiesameSite, String
expectedknoxSsoSecureOnly) throws Exception {
+
configureCommonExpectations(Collections.singletonMap("knoxsso.cookie.samesite",
knoxSsoCookiesameSite == null ? null : knoxSsoCookiesameSite));
+
+ final WebSSOResource webSSOResponse = new WebSSOResource();
+ webSSOResponse.request = request;
+ webSSOResponse.response = responseWrapper;
+ webSSOResponse.context = context;
+ webSSOResponse.init();
+
+ // Issue a token
+ webSSOResponse.doGet();
+
+ // Check the cookie
+ final Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
+ assertNotNull(cookie);
+
assertTrue(((CookieResponseWrapper)responseWrapper).headers.get("Set-Cookie").contains("SameSite="
+ expectedknoxSsoSecureOnly));
+ }
+
@Test
public void testOverflowTTL() throws Exception {
configureCommonExpectations(Collections.singletonMap("knoxsso.token.ttl",
String.valueOf(Long.MAX_VALUE)));