This is an automated email from the ASF dual-hosted git repository. ocket8888 pushed a commit to branch 5.1.x in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
commit fa0083f1dc04f2c90cfbf136880b8541a0d10cfc Author: mattjackson220 <[email protected]> AuthorDate: Fri Jan 14 09:50:24 2022 -0700 updated Oauth (#6508) (cherry picked from commit b5585545a2fcce8ad8dbf604c23f0ab34596fd10)
---
traffic_ops/traffic_ops_golang/login/login.go | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/traffic_ops/traffic_ops_golang/login/login.go b/traffic_ops/traffic_ops_golang/login/login.go
index 0733ba1..0d91d0a 100644
--- a/traffic_ops/traffic_ops_golang/login/login.go
+++ b/traffic_ops/traffic_ops_golang/login/login.go
@@ -217,7 +217,6 @@ func TokenLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 // OauthLoginHandler accepts a JSON web token previously obtained from an OAuth provider, decodes it, validates it, authorizes the user against the database, and returns the login result as either an error or success message
 func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
- handleErrs := tc.GetHandleErrorsFunc(w, r)
 defer r.Body.Close()
 authenticated := false
 resp := struct {
@@ -233,7 +232,17 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 }{}
 if err := json.NewDecoder(r.Body).Decode(¶meters); err != nil {
- handleErrs(http.StatusBadRequest, err)
+ api.HandleErr(w, r, nil, http.StatusBadRequest, err, nil)
+ return
+ }
+
+ matched, err := VerifyUrlOnWhiteList(parameters.AuthCodeTokenUrl, cfg.ConfigTrafficOpsGolang.WhitelistedOAuthUrls)
+ if err != nil {
+ api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, err)
+ return
+ }
+ if !matched {
+ api.HandleErr(w, r, nil, http.StatusForbidden, nil, errors.New("Key URL from token is not included in the whitelisted urls. Received: "+parameters.AuthCodeTokenUrl))
 return
 }
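Review bot: The 403 message in the second hunk, `Key URL from token is not included in the whitelisted urls`, describes the wrong value: what is checked is `parameters.AuthCodeTokenUrl`, the token-exchange endpoint (presumably where the later Basic-auth request carrying cfg.OAuthClientSecret is sent), not a key URL, and the text reads as if copied from a JWKS check. It also concatenates the raw client-supplied URL and passes it as the system error with a nil user error, so the caller gets only a bare 403 while the unescaped URL lands in the log; `fmt.Errorf("auth code token URL %q is not in the whitelisted OAuth URLs", parameters.AuthCodeTokenUrl)` (fmt is already used on the new side of this commit) keeps the log entry quoted and accurate, and a short user error such as `errors.New("OAuth token URL not permitted")` would tell the client why it was refused. The check also runs before it is known whether the auth-code exchange branch is taken at all, so a request that carries a pre-obtained token with an empty AuthCodeTokenUrl now depends on how VerifyUrlOnWhiteList treats "" — if the direct-token path is still supported, guard with `if parameters.AuthCodeTokenUrl != ""` or move the check into the exchange branch, and if the URL is now mandatory a comment saying so would help. OauthLoginHandler's body continues past the hunk.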
@@ -249,7 +258,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(parameters.ClientId+":"+cfg.OAuthClientSecret))) // per RFC6749 section 2.3.1
 }
 if err != nil {
- log.Errorf("obtaining token using code from oauth provider: %s", err.Error())
+ api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("obtaining token using code from oauth provider: %w", err))
 return
 }
@@ -258,7 +267,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 }
 response, err := client.Do(req)
 if err != nil {
- log.Errorf("getting an http client: %s", err.Error())
+ api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("getting an http client: %w", err))
 return
 }
 defer response.Body.Close()
@@ -289,8 +298,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 }
 if encodedToken == "" {
- log.Errorf("Token not found in request but is required")
- handleErrs(http.StatusBadRequest, errors.New("Token not found in request but is required"))
+ api.HandleErr(w, r, nil, http.StatusBadRequest, errors.New("Token not found in request but is required"), nil)
 return
 }
@@ -324,8 +332,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 return selectedKey, nil
 })
 if err != nil {
- handleErrs(http.StatusInternalServerError, errors.New("Error decoding token with message: "+err.Error()))
- log.Errorf("Error decoding token: %s\n", err.Error())
+ api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, errors.New("Error decoding token with message: "+err.Error()))
 return
 }
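Review bot: In the last hunk, a token that fails to parse or verify is still answered with `http.StatusInternalServerError` and a nil user error, so a client presenting a malformed or forged JWT gets an opaque 500 and the attempt is recorded as a server fault in monitoring rather than as an authentication failure. Unless that error can only arise from key retrieval on the server side (the keyfunc above it sits outside this hunk, so I cannot tell), `api.HandleErr(w, r, nil, http.StatusUnauthorized, errors.New("invalid token"), fmt.Errorf("decoding token: %w", err))` is the better shape — 401 to the client, detail in the log, and `%w` matching the wrapping the first two hunks adopt instead of `errors.New(... + err.Error())`. Separately, the `getting an http client` message in the second hunk is attached to `client.Do(req)`, which is the request to the token endpoint failing rather than client construction, so `fmt.Errorf("requesting token from oauth provider: %w", err)` would describe what actually went wrong. OauthLoginHandler starts and ends outside these hunks.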
@@ -357,7 +364,7 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 respBts, err := json.Marshal(resp)
 if err != nil {
- handleErrs(http.StatusInternalServerError, err)
+ api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, err)
 return
 }
 w.Header().Set(rfc.ContentType, rfc.ApplicationJSON)
