Skip to content

Commit

Permalink
oauth: properly stop filter chain when a response was sent (#14476)
Browse files Browse the repository at this point in the history
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
  • Loading branch information
Raúl Gutiérrez Segalés authored Dec 18, 2020
1 parent c3e4a00 commit 65c15b4
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 13 deletions.
14 changes: 7 additions & 7 deletions source/extensions/filters/http/oauth2/filter.cc
Original file line number Diff line number Diff line change
Expand Up @@ -212,12 +212,12 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he
Http::Utility::Url state_url;
if (!state_url.initialize(state, false)) {
sendUnauthorizedResponse();
return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}
// Avoid infinite redirect storm
if (config_->redirectPathMatcher().match(state_url.pathAndQueryParams())) {
sendUnauthorizedResponse();
return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}
Http::ResponseHeaderMapPtr response_headers{
Http::createHeaderMap<Http::ResponseHeaderMapImpl>(
Expand Down Expand Up @@ -283,7 +283,7 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he

config_->stats().oauth_unauthorized_rq_.inc();

return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}

// At this point, we *are* on /_oauth. We believe this request comes from the authorization
Expand All @@ -292,14 +292,14 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he
const auto query_parameters = Http::Utility::parseQueryString(path_str);
if (query_parameters.find(queryParamsError()) != query_parameters.end()) {
sendUnauthorizedResponse();
return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}

// if the data we need is not present on the URL, stop execution
if (query_parameters.find(queryParamsCode()) == query_parameters.end() ||
query_parameters.find(queryParamsState()) == query_parameters.end()) {
sendUnauthorizedResponse();
return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}

auth_code_ = query_parameters.at(queryParamsCode());
Expand All @@ -308,7 +308,7 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he
Http::Utility::Url state_url;
if (!state_url.initialize(state_, false)) {
sendUnauthorizedResponse();
return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}

Formatter::FormatterImpl formatter(config_->redirectUri());
Expand Down Expand Up @@ -359,7 +359,7 @@ Http::FilterHeadersStatus OAuth2Filter::signOutUser(const Http::RequestHeaderMap
response_headers->setLocation(new_path);
decoder_callbacks_->encodeHeaders(std::move(response_headers), true, SIGN_OUT);

return Http::FilterHeadersStatus::StopAllIterationAndBuffer;
return Http::FilterHeadersStatus::StopIteration;
}

void OAuth2Filter::onGetAccessTokenSuccess(const std::string& access_code,
Expand Down
12 changes: 6 additions & 6 deletions test/extensions/filters/http/oauth2/filter_test.cc
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,7 @@ TEST_F(OAuth2Test, RequestSignout) {
};
EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true));

EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndBuffer,
EXPECT_EQ(Http::FilterHeadersStatus::StopIteration,
filter_->decodeHeaders(request_headers, false));
}

Expand Down Expand Up @@ -255,7 +255,7 @@ TEST_F(OAuth2Test, OAuthErrorNonOAuthHttpCallback) {

EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true));

EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndBuffer,
EXPECT_EQ(Http::FilterHeadersStatus::StopIteration,
filter_->decodeHeaders(request_headers, false));
}

Expand All @@ -281,7 +281,7 @@ TEST_F(OAuth2Test, OAuthErrorQueryString) {
EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), false));
EXPECT_CALL(decoder_callbacks_, encodeData(_, true));

EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndBuffer,
EXPECT_EQ(Http::FilterHeadersStatus::StopIteration,
filter_->decodeHeaders(request_headers, false));

EXPECT_EQ(scope_.counterFromString("test.oauth_failure").value(), 1);
Expand Down Expand Up @@ -421,7 +421,7 @@ TEST_F(OAuth2Test, OAuthTestInvalidUrlInStateQueryParam) {
EXPECT_CALL(*validator_, token()).WillRepeatedly(ReturnRef(legit_token));

EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&expected_headers), false));
EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndBuffer,
EXPECT_EQ(Http::FilterHeadersStatus::StopIteration,
filter_->decodeHeaders(request_headers, false));
}

Expand Down Expand Up @@ -455,7 +455,7 @@ TEST_F(OAuth2Test, OAuthTestCallbackUrlInStateQueryParam) {

EXPECT_CALL(decoder_callbacks_,
encodeHeaders_(HeaderMapEqualRef(&expected_response_headers), false));
EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndBuffer,
EXPECT_EQ(Http::FilterHeadersStatus::StopIteration,
filter_->decodeHeaders(request_headers, false));

Http::TestRequestHeaderMapImpl final_request_headers{
Expand Down Expand Up @@ -564,7 +564,7 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithParameters) {
EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&first_response_headers), true));

// This represents the beginning of the OAuth filter.
EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndBuffer,
EXPECT_EQ(Http::FilterHeadersStatus::StopIteration,
filter_->decodeHeaders(first_request_headers, false));

// This represents the callback request from the authorization server.
Expand Down

0 comments on commit 65c15b4

Please sign in to comment.