From 2007c4ab9dd2ab3e04615f49f963e4cc17149a7d Mon Sep 17 00:00:00 2001
From: oleksiybozhykntt
Date: Mon, 2 Sep 2024 11:15:25 +0200
Subject: [PATCH 1/2] P4PU-393 updated filter chain to avoid cookie usage updated also log level
---
 .../pagopa/arc/config/OAuth2LoginConfig.java | 2 +
 ...yOAuth2AuthorizationRequestRepository.java | 46 ++++++++
 src/main/resources/application.yml | 8 +-
 ...th2AuthorizationRequestRepositoryTest.java | 102 ++++++++++++++++++
 4 files changed, 156 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepository.java
 create mode 100644 src/test/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepositoryTest.java
diff --git a/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java b/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
index 8fdfdafa..151bb833 100644
--- a/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
+++ b/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
@@ -1,5 +1,6 @@
 package it.gov.pagopa.arc.config;
+import it.gov.pagopa.arc.security.InMemoryOAuth2AuthorizationRequestRepository;
 import it.gov.pagopa.arc.security.JwtAuthenticationFilter;
 import it.gov.pagopa.arc.service.CustomAuthenticationSuccessHandler;
 import org.springframework.context.annotation.Bean;
@@ -29,6 +30,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 .authorizationEndpoint(authConfig -> authConfig
 .baseUri("/login")
+ .authorizationRequestRepository(new InMemoryOAuth2AuthorizationRequestRepository()) // Use a custom repository
 )
 .redirectionEndpoint(redirection -> redirection
diff --git a/src/main/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepository.java b/src/main/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepository.java
new file mode 100644
index 00000000..60e50f8e
--- /dev/null
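Review bot: The repository is created inline with `new` in the added `.authorizationRequestRepository(...)` line, so the per-flow state it holds exists only in this JVM and is invisible to the container; if the service runs as more than one replica (not visible here), the callback to the redirection endpoint must land on the same instance that stored the `state`, otherwise the lookup returns null and the login fails. Exposing the repository as a bean and injecting it here would let a deployment swap in a shared store without touching the filter chain and would give tests a handle on the same instance the configurer uses, e.g. `@Bean AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository() { return new InMemoryOAuth2AuthorizationRequestRepository(); }`. The `// Use a custom repository` comment says what the line already says; a comment explaining why the default session-backed repository is being replaced would be more useful. `securityFilterChain` continues outside the hunk.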
+++ b/src/main/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepository.java
@@ -0,0 +1,46 @@
+package it.gov.pagopa.arc.security;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.util.StringUtils;
+
+public class InMemoryOAuth2AuthorizationRequestRepository implements
+ AuthorizationRequestRepository {
+
+ private final Map authorizationRequestMap = new ConcurrentHashMap<>();
+ private static final String STATE = "state";
+
+ @Override
+ public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
+ String state = request.getParameter(STATE);
+ if (StringUtils.hasText(state)) {
+ return authorizationRequestMap.get(state);
+ }
+ return null;
+ }
+
+ @Override
+ public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request, HttpServletResponse response) {
+ String state = authorizationRequest.getState();
+ if (StringUtils.hasText(state)) {
+ // Save the authorization request in the map using the state as the key
+ authorizationRequestMap.put(state, authorizationRequest);
+ }
+ }
+
+ @Override
+ public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
+ HttpServletResponse response) {
+ String state = request.getParameter(STATE);
+ if (StringUtils.hasText(state)) {
+ // Remove and return the authorization request from the map
+ return authorizationRequestMap.remove(state);
+ }
+ return null;
+ }
+
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 1a379bd3..27a338c1 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
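Review bot: Keying the process-wide map only by `state` means `loadAuthorizationRequest` and `removeAuthorizationRequest` accept a callback from any client that presents a state currently in the map, so the binding to the browser that started the flow, which the session/cookie-backed repository provided, is gone: an attacker who runs their own flow and hands the resulting `code`+`state` callback URL to a victim gets the victim's browser logged into the attacker's account, the login-CSRF case `state` exists to prevent (RFC 6749 §10.12), and PKCE does not help because the verifier is also held server-side. Separately, `saveAuthorizationRequest` stores every request and nothing removes an entry except a callback reaching `removeAuthorizationRequest`, so abandoned flows accumulate and unauthenticated hits on the authorization endpoint grow the map without bound. If cookies are really off the table, the trade-off should be stated in a class Javadoc (for example that the `state` check here only proves the flow was started by this server, not by this browser), and entries should at least expire, e.g. by wrapping the stored request in a timestamped record and dropping stale ones on save (load/remove then return `entry.request()` only when it is not expired); this needs `java.time.Duration` and `java.time.Instant` imports.
```java
private static final Duration TTL = Duration.ofMinutes(5); // assumed upper bound for one login round-trip; confirm against the IdP's timeout

private final Map<String, Entry> authorizationRequestMap = new ConcurrentHashMap<>();

// … unchanged: STATE constant, loadAuthorizationRequest / removeAuthorizationRequest (unwrap with entry.request() and treat expired entries as absent) …

@Override
public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request, HttpServletResponse response) {
    String state = authorizationRequest.getState();
    if (StringUtils.hasText(state)) {
        evictExpired();
        authorizationRequestMap.put(state, new Entry(authorizationRequest, Instant.now()));
    }
}

/** Drops flows older than TTL so abandoned authorization requests do not accumulate. */
private void evictExpired() {
    Instant cutoff = Instant.now().minus(TTL);
    authorizationRequestMap.values().removeIf(e -> e.createdAt().isBefore(cutoff));
}

/** A stored authorization request together with the time it was issued. */
private record Entry(OAuth2AuthorizationRequest request, Instant createdAt) {}
```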
@@ -52,5 +52,9 @@ logging:
 level:
 org:
 springframework:
- security: DEBUG
- web: DEBUG
\ No newline at end of file
+ security: INFO
+ web: INFO
+ session:
+ web:
+ http:
+ SessionRepositoryFilter: INFO
\ No newline at end of file
diff --git a/src/test/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepositoryTest.java b/src/test/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepositoryTest.java
new file mode 100644
index 00000000..bea4c341
--- /dev/null
+++ b/src/test/java/it/gov/pagopa/arc/security/InMemoryOAuth2AuthorizationRequestRepositoryTest.java
@@ -0,0 +1,102 @@
+package it.gov.pagopa.arc.security;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+
+class InMemoryOAuth2AuthorizationRequestRepositoryTest {
+
+ private InMemoryOAuth2AuthorizationRequestRepository repository;
+ private HttpServletRequest request;
+ private HttpServletResponse response;
+ private OAuth2AuthorizationRequest authorizationRequest;
+ @BeforeEach
+ void setUp() {
+ repository = new InMemoryOAuth2AuthorizationRequestRepository();
+ request = mock(HttpServletRequest.class);
+ response = mock(HttpServletResponse.class);
+ authorizationRequest = mock(OAuth2AuthorizationRequest.class);
+ }
+
+ @Test
+ void givenAuthorizationRequestThenSaveIt() {
+ // Setup
+ String state = "state123";
+ when(authorizationRequest.getState()).thenReturn(state);
+ when(request.getParameter("state")).thenReturn(state);
+ // Execute
+ repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+ // Verify
+ assertEquals(authorizationRequest, repository.loadAuthorizationRequest(request));
+
+ when(request.getParameter("state")).thenReturn(null);
+ }
+
+ @Test
+ void givenAuthorizationRequestThenFailCauseStateNotInRequest(){
+ when(authorizationRequest.getState()).thenReturn(null);
+ when(request.getParameter("state")).thenReturn(null);
+ // Execute
+ repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+ // Verify
+ assertNull(repository.loadAuthorizationRequest(request));
+ }
+
+ @Test
+ void testLoadAuthorizationRequest() {
+ // Setup
+ String state = "state123";
+ when(request.getParameter("state")).thenReturn(state);
+ when(authorizationRequest.getState()).thenReturn(state);
+
+ repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+ // Execute
+ OAuth2AuthorizationRequest loadedRequest = repository.loadAuthorizationRequest(request);
+
+ // Verify
+ assertNotNull(loadedRequest);
+ assertEquals(authorizationRequest, loadedRequest);
+ }
+
+ @Test
+ void givenValidStateThenRemoveAuthRequest() {
+ // Setup
+ String state = "state123";
+ when(request.getParameter("state")).thenReturn(state);
+ when(authorizationRequest.getState()).thenReturn(state);
+
+ repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+ // Execute
+ OAuth2AuthorizationRequest removedRequest = repository.removeAuthorizationRequest(request, response);
+
+ // Verify
+ assertNotNull(removedRequest);
+ assertEquals(authorizationRequest, removedRequest);
+ assertNull(repository.loadAuthorizationRequest(request));
+ }
+
+ @Test
+ void givenInvalidStateThenFailToRemoveAuthRequest(){
+ when(request.getParameter("state")).thenReturn(null);
+ when(authorizationRequest.getState()).thenReturn(null);
+
+ repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+ // Execute
+ OAuth2AuthorizationRequest removedRequest = repository.removeAuthorizationRequest(request, response);
+
+ // Verify
+ assertNull(removedRequest);
+ }
+
+}
\ No newline at end of file
From ecb31d02e69837360d6755fd328edb50e56aa26b Mon Sep 17 00:00:00 2001
From: oleksiybozhykntt
Date: Mon, 2 Sep 2024 11:15:53 +0200
Subject: [PATCH 2/2] P4PU-393 updated filter chain to avoid cookie usage updated also log level
---
 src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java b/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
index 151bb833..4c0c1ea2 100644
--- a/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
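Review bot: None of the tests exercises the rejection path the `state` check is for, a callback carrying a state that was never saved; `givenInvalidStateThenFailToRemoveAuthRequest` and `givenAuthorizationRequestThenFailCauseStateNotInRequest` both stub `getParameter("state")` to `null`, which returns before the map is consulted. Add a case such as `when(request.getParameter("state")).thenReturn("unknown");` followed by `assertNull(repository.loadAuthorizationRequest(request));` and `assertNull(repository.removeAuthorizationRequest(request, response));`. The trailing `when(request.getParameter("state")).thenReturn(null);` at the end of `givenAuthorizationRequestThenSaveIt` runs after the last assertion and re-stubs a mock that `setUp` recreates for every test, so it does nothing and can be deleted; `testLoadAuthorizationRequest` then duplicates that test and one of the two could go.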
+++ b/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
@@ -30,7 +30,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 .authorizationEndpoint(authConfig -> authConfig
 .baseUri("/login")
- .authorizationRequestRepository(new InMemoryOAuth2AuthorizationRequestRepository()) // Use a custom repository
+ .authorizationRequestRepository(new InMemoryOAuth2AuthorizationRequestRepository())
 )
 .redirectionEndpoint(redirection -> redirection