feat: [P4PU-405] disable session management #64

Merged
merged 3 commits into from
Sep 4, 2024
@@ -1,5 +1,6 @@
package it.gov.pagopa.arc.config;

import it.gov.pagopa.arc.security.InMemoryOAuth2AuthorizationRequestRepository;
import it.gov.pagopa.arc.security.JwtAuthenticationFilter;
import it.gov.pagopa.arc.service.CustomAuthenticationSuccessHandler;
import org.springframework.context.annotation.Bean;
Expand Down Expand Up @@ -29,6 +30,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
.authorizationEndpoint(authConfig ->
authConfig
.baseUri("/login")
.authorizationRequestRepository(new InMemoryOAuth2AuthorizationRequestRepository())
)
.redirectionEndpoint(redirection ->
redirection
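Review bot: The repository plugged in at `.authorizationRequestRepository(new InMemoryOAuth2AuthorizationRequestRepository())` resolves the pending authorization request from the `state` query parameter alone, so the request is no longer tied to the browser that started the flow the way the default session-backed repository ties it to the session cookie. The CSRF protection that `state` exists to provide depends on that binding; with a process-global map, a callback carrying a `state` value completes whichever flow that value belongs to, regardless of which client started it. If session storage really has to go, the stored entry should additionally be bound to a client-held secret (for example a short-lived cookie issued at `/login` and checked in the callback) rather than keyed on `state` only, and the `securityFilterChain` Javadoc should say that the request repository is process-local. The enclosing `securityFilterChain` method starts and ends outside the hunk.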
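--- /dev/null
+++ b/PATH_PLACEHOLDER/InMemoryOAuth2AuthorizationRequestRepository.java
@@ -0,0 +1,46 @@
+package it.gov.pagopa.arc.security;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.util.StringUtils;
+
+public class InMemoryOAuth2AuthorizationRequestRepository implements
+AuthorizationRequestRepository<OAuth2AuthorizationRequest> {
+
+private final Map<String, OAuth2AuthorizationRequest> authorizationRequestMap = new ConcurrentHashMap<>();
+private static final String STATE = "state";
+
+@Override
+public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
+String state = request.getParameter(STATE);
+if (StringUtils.hasText(state)) {
+return authorizationRequestMap.get(state);
+}
+return null;
+}
+
+@Override
+public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request, HttpServletResponse response) {
+String state = authorizationRequest.getState();
+if (StringUtils.hasText(state)) {
+// Save the authorization request in the map using the state as the key
+authorizationRequestMap.put(state, authorizationRequest);
+}
+}
+
+@Override
+public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
+HttpServletResponse response) {
+String state = request.getParameter(STATE);
+if (StringUtils.hasText(state)) {
+// Remove and return the authorization request from the map
+return authorizationRequestMap.remove(state);
+}
+return null;
+}
+
+}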
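Review bot: Entries put into `authorizationRequestMap` by `saveAuthorizationRequest` are only ever taken out by `removeAuthorizationRequest`, so every `/login` that never reaches the callback leaves its request in the map for the life of the process, and since `/login` is reachable before authentication the map can grow without bound. Recording a creation time and running an eviction pass on each save (or on a schedule) keeps the store bounded; `jakarta.servlet` points to Spring Boot 3 and Java 17, so a record can carry the pair, and `java.time.Duration`/`Instant` would need importing. The map is also per-JVM, so if the service runs as more than one replica the callback may arrive where the state was never saved — the deployment shape is not visible in the diff, but a class-level Javadoc stating the single-instance, non-persistent assumption would save the next reader a surprise. The max age below is a constructed placeholder to be tuned to the identity provider's round-trip time.
```java
private static final Duration MAX_AGE = Duration.ofMinutes(5); // constructed placeholder — tune to the IdP round-trip
private final Map<String, TimestampedRequest> authorizationRequestMap = new ConcurrentHashMap<>();

// Pairs the pending request with the instant it was stored so abandoned flows can be expired.
private record TimestampedRequest(OAuth2AuthorizationRequest request, Instant createdAt) {}

@Override
public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request, HttpServletResponse response) {
    String state = authorizationRequest.getState();
    if (StringUtils.hasText(state)) {
        evictExpired();
        authorizationRequestMap.put(state, new TimestampedRequest(authorizationRequest, Instant.now()));
    }
}

// Drops entries whose flow never completed so unauthenticated /login hits cannot grow the map indefinitely.
private void evictExpired() {
    Instant cutoff = Instant.now().minus(MAX_AGE);
    authorizationRequestMap.values().removeIf(entry -> entry.createdAt().isBefore(cutoff));
}

// … unchanged: loadAuthorizationRequest / removeAuthorizationRequest, now returning entry.request() when an entry is found …
```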
8 changes: 6 additions & 2 deletions src/main/resources/application.yml
Expand Up @@ -52,5 +52,9 @@ logging:
level:
org:
springframework:
security: DEBUG
web: DEBUG
security: INFO
web: INFO
session:
web:
http:
SessionRepositoryFilter: INFO
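--- /dev/null
+++ b/PATH_PLACEHOLDER/InMemoryOAuth2AuthorizationRequestRepositoryTest.java
@@ -0,0 +1,102 @@
+package it.gov.pagopa.arc.security;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+
+class InMemoryOAuth2AuthorizationRequestRepositoryTest {
+
+private InMemoryOAuth2AuthorizationRequestRepository repository;
+private HttpServletRequest request;
+private HttpServletResponse response;
+private OAuth2AuthorizationRequest authorizationRequest;
+@BeforeEach
+void setUp() {
+repository = new InMemoryOAuth2AuthorizationRequestRepository();
+request = mock(HttpServletRequest.class);
+response = mock(HttpServletResponse.class);
+authorizationRequest = mock(OAuth2AuthorizationRequest.class);
+}
+
+@Test
+void givenAuthorizationRequestThenSaveIt() {
+// Setup
+String state = "state123";
+when(authorizationRequest.getState()).thenReturn(state);
+when(request.getParameter("state")).thenReturn(state);
+// Execute
+repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+// Verify
+assertEquals(authorizationRequest, repository.loadAuthorizationRequest(request));
+
+when(request.getParameter("state")).thenReturn(null);
+}
+
+@Test
+void givenAuthorizationRequestThenFailCauseStateNotInRequest(){
+when(authorizationRequest.getState()).thenReturn(null);
+when(request.getParameter("state")).thenReturn(null);
+// Execute
+repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+// Verify
+assertNull(repository.loadAuthorizationRequest(request));
+}
+
+@Test
+void testLoadAuthorizationRequest() {
+// Setup
+String state = "state123";
+when(request.getParameter("state")).thenReturn(state);
+when(authorizationRequest.getState()).thenReturn(state);
+
+repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+// Execute
+OAuth2AuthorizationRequest loadedRequest = repository.loadAuthorizationRequest(request);
+
+// Verify
+assertNotNull(loadedRequest);
+assertEquals(authorizationRequest, loadedRequest);
+}
+
+@Test
+void givenValidStateThenRemoveAuthRequest() {
+// Setup
+String state = "state123";
+when(request.getParameter("state")).thenReturn(state);
+when(authorizationRequest.getState()).thenReturn(state);
+
+repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+// Execute
+OAuth2AuthorizationRequest removedRequest = repository.removeAuthorizationRequest(request, response);
+
+// Verify
+assertNotNull(removedRequest);
+assertEquals(authorizationRequest, removedRequest);
+assertNull(repository.loadAuthorizationRequest(request));
+}
+
+@Test
+void givenInvalidStateThenFailToRemoveAuthRequest(){
+when(request.getParameter("state")).thenReturn(null);
+when(authorizationRequest.getState()).thenReturn(null);
+
+repository.saveAuthorizationRequest(authorizationRequest, request, response);
+
+// Execute
+OAuth2AuthorizationRequest removedRequest = repository.removeAuthorizationRequest(request, response);
+
+// Verify
+assertNull(removedRequest);
+}
+
+}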
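Review bot: The trailing `when(request.getParameter("state")).thenReturn(null);` at the end of `givenAuthorizationRequestThenSaveIt` re-stubs the mock after the last assertion and is never observed, since `setUp` builds fresh mocks for every test; it should be dropped so a reader does not look for the assertion it seems to prepare. The suite also never covers the case the repository is most exposed to — a `state` that is present in the request but was never saved — so neither the lookup nor the removal path for an unknown key is pinned. A test along the lines of `when(request.getParameter("state")).thenReturn("never-saved");` followed by `assertNull(repository.loadAuthorizationRequest(request));` and `assertNull(repository.removeAuthorizationRequest(request, response));` would close that gap. `testLoadAuthorizationRequest` duplicates the first test's setup and assertion and could be folded into it.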