This is an automated email from the ASF dual-hosted git repository. lmccay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push: new 2a4bba163 KNOX-2824 - Make SameSite attribute on KnoxSSO Cookie Configurable (#647) 2a4bba163 is described below commit 2a4bba1638fdae3c39da1c424bd32da501afae0e Author: lmccay <lmc...@apache.org> AuthorDate: Wed Oct 12 12:20:00 2022 -0400 KNOX-2824 - Make SameSite attribute on KnoxSSO Cookie Configurable (#647)
--- .../gateway/service/knoxsso/WebSSOResource.java | 10 ++++++++- .../service/knoxsso/WebSSOResourceTest.java | 25 ++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
index 39725129a..6f14bd219 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
@@ -76,6 +76,7 @@ public class WebSSOResource {
 private static final String SSO_COOKIE_SECURE_ONLY_INIT_PARAM = "knoxsso.cookie.secure.only";
 private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
 private static final String SSO_COOKIE_DOMAIN_SUFFIX_PARAM = "knoxsso.cookie.domain.suffix";
+ private static final String SSO_COOKIE_SAMESITE_PARAM = "knoxsso.cookie.samesite";
 private static final String SSO_COOKIE_TOKEN_TTL_PARAM = "knoxsso.token.ttl";
 private static final String SSO_COOKIE_TOKEN_AUDIENCES_PARAM = "knoxsso.token.audiences";
 private static final String SSO_COOKIE_TOKEN_SIG_ALG = "knoxsso.token.sigalg";
@@ -93,6 +94,7 @@ public class WebSSOResource { private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl"; private static final String ORIGINAL_URL_COOKIE_NAME = "original-url"; private static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt"; + private static final String SSO_COOKIE_SAMESITE_DEFAULT = "Strict"; private static final long TOKEN_TTL_DEFAULT = 30000L; static final String RESOURCE_PATH = "/api/v1/websso"; private String cookieName; @@ -108,6 +110,8 @@ public class WebSSOResource { private String clusterName; private String tokenIssuer; + private String sameSiteValue; + @Context HttpServletRequest request; @@ -136,6 +140,10 @@ public class WebSSOResource { if (expectedParams != null) { ssoExpectedparams = Arrays.asList(expectedParams.split(",")); } + + this.sameSiteValue = StringUtils.isBlank(context.getInitParameter(SSO_COOKIE_SAMESITE_PARAM)) + ? SSO_COOKIE_SAMESITE_DEFAULT + : context.getInitParameter(SSO_COOKIE_SAMESITE_PARAM); } private void setSignatureAlogrithm() throws AliasServiceException { @@ -405,7 +413,7 @@ public class WebSSOResource { if (maxAge != -1) { setCookie.append("; Max-Age=").append(maxAge); } - setCookie.append("; SameSite=None"); + setCookie.append("; SameSite=").append(this.sameSiteValue); response.setHeader("Set-Cookie", setCookie.toString()); LOGGER.addedJWTCookie(); } catch (Exception e) { diff --git a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java index d1d625429..5f6389e09 100644 --- a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java +++ b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java 
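Review bot: The value read from `knoxsso.cookie.samesite` in the `@@ -136,6 +140,10 @@` hunk is stored untrimmed and unvalidated, then written verbatim into the `Set-Cookie` header by the `@@ -405,7 +413,7 @@` hunk, so a mistyped or unexpected value is emitted and left to each browser's fallback handling instead of being rejected when the service starts. Reading the init parameter once, trimming it and accepting only the three attribute values defined for SameSite (`Strict`, `Lax`, `None`) would turn a silent cross-site-behaviour change into a configuration error; the enclosing `init()` starts outside the hunk. Browsers also ignore a `SameSite=None` cookie that lacks the `Secure` attribute, and nothing in this change ties a configured `None` to `knoxsso.cookie.secure.only`, so a warning at init time when `None` is configured without secure-only would save operators a confusing debugging session. Since the default moves from `None` to `Strict`, a short comment on `SSO_COOKIE_SAMESITE_DEFAULT` such as `// Strict is the conservative default; deployments whose SSO flow relies on cross-site top-level navigation may need Lax or None` would document the behaviour change for upgraders.
```java
// … unchanged: ssoExpectedparams parsing …
final String configuredSameSite = context.getInitParameter(SSO_COOKIE_SAMESITE_PARAM);
if (StringUtils.isBlank(configuredSameSite)) {
  this.sameSiteValue = SSO_COOKIE_SAMESITE_DEFAULT;
} else {
  // only the attribute values browsers define; anything else is a configuration error
  this.sameSiteValue = Arrays.asList("Strict", "Lax", "None").stream()
      .filter(v -> v.equalsIgnoreCase(configuredSameSite.trim()))
      .findFirst()
      .orElseThrow(() -> new IllegalArgumentException(
          "Unsupported value for " + SSO_COOKIE_SAMESITE_PARAM + ": " + configuredSameSite));
}
```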
@@ -414,6 +414,31 @@ public class WebSSOResourceTest { assertEquals(expectedknoxSsoSecureOnly, cookie.getSecure()); } + @Test + public void testSameConfigurableSite() throws Exception { + testSameSite("None", "None"); // explicitly set to None + testSameSite(null, "Strict"); // default value + testSameSite("Lax", "Lax"); // explicitly set to Lax + } + + private void testSameSite(String knoxSsoCookiesameSite, String expectedknoxSsoSecureOnly) throws Exception { + configureCommonExpectations(Collections.singletonMap("knoxsso.cookie.samesite", knoxSsoCookiesameSite == null ? null : knoxSsoCookiesameSite)); + + final WebSSOResource webSSOResponse = new WebSSOResource(); + webSSOResponse.request = request; + webSSOResponse.response = responseWrapper; + webSSOResponse.context = context; + webSSOResponse.init(); + + // Issue a token + webSSOResponse.doGet(); + + // Check the cookie + final Cookie cookie = responseWrapper.getCookie("hadoop-jwt"); + assertNotNull(cookie); + assertTrue(((CookieResponseWrapper)responseWrapper).headers.get("Set-Cookie").contains("SameSite=" + expectedknoxSsoSecureOnly)); + } + @Test public void testOverflowTTL() throws Exception { configureCommonExpectations(Collections.singletonMap("knoxsso.token.ttl", String.valueOf(Long.MAX_VALUE)));
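Review bot: The helper's second parameter is named `expectedknoxSsoSecureOnly` although it holds the expected SameSite value, which looks like a leftover from the secure-only test above and misleads a reader of the assertion; the ternary `knoxSsoCookiesameSite == null ? null : knoxSsoCookiesameSite` is a no-op and can be dropped. Suggested signature and call: `private void testSameSite(String configuredSameSite, String expectedSameSite) throws Exception {` and `configureCommonExpectations(Collections.singletonMap("knoxsso.cookie.samesite", configuredSameSite));`, with the assertion comparing against `"SameSite=" + expectedSameSite`. The test method name `testSameConfigurableSite` reads better as `testConfigurableSameSite`. If the resource is later made to trim or reject values, this helper is the natural place to add a case for a whitespace-padded value and for an unsupported one.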