John Cowen 05a28c3111
ui: [BUGFIX] Properly encode non-URL safe characters in OIDC responses (#10901)
This commit fixes 2 problems with our OIDC flow in the UI, the first is straightforward, the second is relatively more in depth:

1: A typo (1.10.1 only)

During #10503 we injected our settings service into our oidc-provider service, there are some comments in the PR as to the whys and wherefores for this change (https://github.com/hashicorp/consul/pull/10503/files#diff-aa2ffda6d0a966ba631c079fa3a5f60a2a1bdc7eed5b3a98ee7b5b682f1cb4c3R28)

Fixing the typo so it was no longer looking for an unknown service (repository/settings > settings) fixed this.

2: URL encoding (1.9.x, 1.10.x)

TL;DR: /oidc/authorize/provider/with/slashes/code/with/slashes/status/with/slashes should be /oidc/authorize/provider%2Fwith%2Fslashes/code%2Fwith%2Fslashes/status%2Fwith%2Fslashes

When we receive our authorization response back from the OIDC 3rd party, we POST the code and status data from that response back to consul via a callback as part of the OIDC flow. From what I remember back when this feature was originally added, the method is a POST request to avoid folks putting secret-like things into API requests/URLs/query params that are more likely to be visible to the human eye, and POSTing is expected behaviour.

Additionally, in the UI we identify all external resources using unique resource identifiers. Our OIDC flow uses these resources and their identifiers to perform the OIDC flow using a declarative state machine. If any information in these identifiers uses non-URL-safe characters then these characters require URL encoding and we added a helper a while back to specifically help us to do this once we started using this for things that required URL encoding.

The final fix here makes sure that we URL encode code and status before using them with one of our unique resource identifiers, just like we do with the majority of other places where we use these identifiers.
2021-08-24 16:58:45 +01:00

92 lines
3.4 KiB
JavaScript

import { inject as service } from '@ember/service';
import RepositoryService from 'consul-ui/services/repository';
import { getOwner } from '@ember/application';
import { set } from '@ember/object';
import dataSource from 'consul-ui/decorators/data-source';

const modelName = 'oidc-provider';
const OAUTH_PROVIDER_NAME = 'oidc-with-url';

export default class OidcProviderService extends RepositoryService {
  @service('torii') manager;
  @service('settings') settings;

  init() {
    super.init(...arguments);
    this.provider = getOwner(this).lookup(`torii-provider:${OAUTH_PROVIDER_NAME}`);
  }

  getModelName() {
    return modelName;
  }

  @dataSource('/:ns/:dc/oidc/providers')
  async findAllByDatacenter() {
    return super.findAllByDatacenter(...arguments);
  }

  @dataSource('/:ns/:dc/oidc/provider/:id')
  async findBySlug(params) {
    // This addition is mainly due to ember-data book-keeping. This is one of
    // the only places where Consul w/namespaces enabled doesn't return a
    // response with a Namespace property, but in order to keep ember-data
    // id's happy we need to fake one. Usually when we make a request to consul
    // with an empty `ns=` Consul will use the namespace that is assigned to
    // the token, and when we get the response we can pick that back off the
    // response's `Namespace` property. As we don't receive a `Namespace`
    // property here, we have to figure this out ourselves. But we also want
    // to make this completely invisible to 'the application engineer/a
    // template engineer'. This feels like the best place/way to do it as we
    // are already in an asynchronous method, and we avoid adding extra 'just
    // for us' parameters to the query object. There is a chance that as we
    // are discovering the token's default namespace on the frontend and
    // assigning that to the ns query param, the token default namespace 'may'
    // have changed by the time the request hits the backend. As this is
    // extremely unlikely and in the scheme of things not a big deal, we
    // decided that doing this here is ok and avoids doing this in a more
    // complicated manner.
    const token = (await this.settings.findBySlug('token')) || {};
    return super.findBySlug({
      ns: params.ns || token.Namespace || 'default',
      dc: params.dc,
      id: params.id,
    });
  }

  @dataSource('/:ns/:dc/oidc/authorize/:id/:code/:state')
  authorize(params, configuration = {}) {
    return this.store.authorize(this.getModelName(), params);
  }

  logout(id, code, state, dc, nspace, configuration = {}) {
    // TODO: Temporarily call this secret, as we already do that with
    // self in the `store` look to see whether we should just call it id like
    // the rest
    const query = {
      id: id,
    };
    return this.store.logout(this.getModelName(), query);
  }

  close() {
    this.manager.close(OAUTH_PROVIDER_NAME);
  }

  findCodeByURL(src) {
    // TODO: Maybe move this to the provider itself
    set(this.provider, 'baseUrl', src);
    return this.manager.open(OAUTH_PROVIDER_NAME, {}).catch(e => {
      let err;
      switch (true) {
        case e.message.startsWith('remote was closed'):
          err = new Error('Remote was closed');
          err.statusCode = 499;
          break;
        default:
          err = new Error(e.message);
          err.statusCode = 500;
      }
      this.store.adapterFor(this.getModelName()).error(err);
    });
  }
}
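The encoding problem from the commit message, shown against the `/:ns/:dc/oidc/authorize/:id/:code/:state` pattern used above. This is an added example, not code from the Consul UI: `buildUri` and `matchUri` are hypothetical stand-ins for the identifier helper and the matcher, and the sample values are constructed.

```javascript
// Added example: PATTERN is copied from the @dataSource decorator above;
// buildUri and matchUri are hypothetical helpers, not Consul UI APIs.
const PATTERN = '/:ns/:dc/oidc/authorize/:id/:code/:state';

// Build a resource identifier from the pattern. With encode=false the values
// are interpolated raw, which is the pre-fix behaviour the commit describes.
function buildUri(pattern, params, encode = true) {
  return pattern.replace(/:(\w+)/g, (_, key) => {
    const value = String(params[key]);
    return encode ? encodeURIComponent(value) : value;
  });
}

// Match an identifier against the pattern segment by segment and decode each
// captured value. Returns null when the segment count or a literal differs.
function matchUri(pattern, uri) {
  const want = pattern.split('/');
  const got = uri.split('/');
  if (want.length !== got.length) return null;
  const params = {};
  for (let i = 0; i < want.length; i++) {
    if (want[i].startsWith(':')) {
      params[want[i].slice(1)] = decodeURIComponent(got[i]);
    } else if (want[i] !== got[i]) {
      return null;
    }
  }
  return params;
}

// Constructed sample values containing non-URL-safe characters.
const sample = {
  ns: 'default',
  dc: 'dc1',
  id: 'provider/with/slashes',
  code: 'code/with/slashes',
  state: 'state/with/slashes',
};

const raw = buildUri(PATTERN, sample, false);
const encoded = buildUri(PATTERN, sample, true);

console.log(raw, '->', matchUri(PATTERN, raw)); // extra segments, no match
console.log(encoded, '->', matchUri(PATTERN, encoded)); // params round-trip
```

Raw interpolation lets a `/` inside the provider name, code or state add path segments, so the identifier no longer fits the pattern; percent-encoding each value keeps it in its own segment.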