From 2824c542c17161159ce7e91ab2b4f8bfd3b8cb3e Mon Sep 17 00:00:00 2001
From: sadilchamishka
Date: Wed, 4 Dec 2024 18:47:49 +0530
Subject: [PATCH] Improve getCookie adaptive function to verify signature using new method

---
.../pom.xml | 1 +
.../auth/functions/http/CookieFunctionImpl.java | 14 ++++++++++++--
.../auth/functions/http/GetCookieFunctionImpl.java | 10 +++++++++-
.../auth/functions/http/SetCookieFunctionImpl.java | 6 ++++--
pom.xml | 2 +-
5 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml b/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
index b5d96f4c..0b413c6a 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
@@ -193,6 +193,7 @@
org.wso2.carbon.identity.conditional.auth.functions.common.auth,
org.wso2.carbon.identity.conditional.auth.functions.common.model,
org.wso2.carbon.identity.core.cache; version="${carbon.identity.package.import.version.range}",
+ org.wso2.carbon.context,
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
index 5a6d4e24..45cfc5b1 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
@@ -25,6 +25,7 @@
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.SameSiteCookie;
import org.wso2.carbon.core.ServletCookie;
import org.wso2.carbon.core.util.CryptoException;
@@ -34,6 +35,7 @@
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
@@ -71,7 +73,8 @@ public void setCookie(JsServletResponse response, String name, Object... params)
boolean encrypt = Optional.ofNullable((Boolean) properties.get(HTTPConstants.ENCRYPT)).orElse(false);
if (sign) {
try {
- signature = Base64.encode(SignatureUtil.doSignature(value));
+ String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+ signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain));
} catch (Exception e) {
log.error("Error occurred when signing the cookie value.", e);
return;
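Review bot: The signing key is now selected by the tenant of the thread-local `PrivilegedCarbonContext`, but nothing in the cookie records which tenant signed it, so the signature can only be verified by a `getCookieValue` call that runs under the same tenant context; that coupling is invisible in the new lines and deserves a comment above the `tenantDomain` lookup, such as `// Signed with the key of the current thread-local tenant; verification must run in the same tenant context.`. Whether `getTenantDomain()` can be null or empty at this point is not visible in the hunk, and if it can, the failure presumably surfaces only through the existing catch-all below, where the cookie is silently not set apart from the error log. The body of setCookie continues outside the hunk.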
@@ -180,7 +183,14 @@ public String getCookieValue(JsServletRequest request, Object... params) {
if (validateSignature) {
byte[] signature = Base64.decode((String) cookieValueJSON.get(HTTPConstants.SIGNATURE));
try {
- boolean isValid = SignatureUtil.validateSignature(valueString, signature);
+ String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+ .getTenantDomain();
+ boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature,
+ tenantDomain);
+ // Fallback mechanism for already signed cookies.
+ if (!isValid) {
+ isValid = SignatureUtil.validateSignature(valueString, signature);
+ }
if (!isValid) {
log.error("Cookie signature didn't matched with the cookie value.");
return null;
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
index 02b95051..e70535a6 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
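Review bot: The fallback to `SignatureUtil.validateSignature` added after the tenant-key check is unconditional and permanent, so the legacy non-tenant key stays an accepted verifier in every tenant context for as long as this code ships, which defeats the per-tenant binding the commit introduces; if the legacy key and the super tenant's key are the same keystore entry (not confirmable from this hunk), a cookie signed in super-tenant context would also verify in any other tenant through the fallback. The fallback should be gated by a server configuration flag so it can be switched off once cookies issued before this change have expired, and it should leave a trace when it is the path that accepted the cookie; including `tenantDomain` in the existing error log would also make rejections diagnosable. The helper name below stands for a flag read from server configuration and is to be defined alongside this class; the rest of getCookieValue lies outside the hunk.

```java
boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature, tenantDomain);
// Fallback for cookies signed before tenant-key signing; disable once those cookies have expired.
if (!isValid && isLegacySignatureFallbackEnabled()) {
    isValid = SignatureUtil.validateSignature(valueString, signature);
    if (isValid && log.isDebugEnabled()) {
        log.debug("Cookie signature verified with the legacy key in tenant context: " + tenantDomain);
    }
}
// … unchanged: reject and return null when still invalid …
```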
@@ -26,11 +26,13 @@
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.core.util.CryptoUtil;
import org.wso2.carbon.core.util.SignatureUtil;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletRequest;
import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
import java.nio.charset.StandardCharsets;
import java.util.Map;
@@ -99,7 +101,13 @@ public String getCookieValue(JsServletRequest request, Object... params) {
if (validateSignature) {
byte[] signature = Base64.decode((String) cookieValueJSON.get(HTTPConstants.SIGNATURE));
try {
- boolean isValid = SignatureUtil.validateSignature(valueString, signature);
+ String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext()
+ .getTenantDomain();
+ boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature, tenantDomain);
+ // Fallback mechanism for already signed cookies.
+ if (!isValid) {
+ isValid = SignatureUtil.validateSignature(valueString, signature);
+ }
if (!isValid) {
log.error("Cookie signature didn't matched with the cookie value.");
return null;
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
index 3a8d090a..8eb4979a 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
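Review bot: The tenant-key verification plus legacy fallback added here is a verbatim copy of the block added to CookieFunctionImpl.getCookieValue in the same commit (only the line wrapping differs), so the fallback policy and its eventual removal now have to be maintained in two places. I would extract it into one shared helper in the http util package, e.g. `static boolean verifyCookieSignature(String value, byte[] signature, String tenantDomain)`, and have both getCookieValue implementations call it, which also confines the remaining `SignatureUtil` dependency to that helper. The `// Fallback mechanism for already signed cookies.` comment should say what the fallback is for and when it can go, e.g. `// Accepts cookies signed with the pre-tenant-key (legacy) key; remove once those cookies have expired.`. The rest of getCookieValue is outside the hunk.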
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
@@ -24,14 +24,15 @@
import org.apache.commons.logging.LogFactory;
import org.graalvm.polyglot.HostAccess;
import org.json.simple.JSONObject;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.SameSiteCookie;
import org.wso2.carbon.core.ServletCookie;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.core.util.CryptoUtil;
-import org.wso2.carbon.core.util.SignatureUtil;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
import java.nio.charset.StandardCharsets;
import java.util.Map;
@@ -66,7 +67,8 @@ public void setCookie(JsServletResponse response, String name, Object... params)
boolean encrypt = Optional.ofNullable((Boolean) properties.get(HTTPConstants.ENCRYPT)).orElse(false);
if (sign) {
try {
- signature = Base64.encode(SignatureUtil.doSignature(value));
+ String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+ signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain));
} catch (Exception e) {
log.error("Error occurred when signing the cookie value.", e);
return;
diff --git a/pom.xml b/pom.xml
index bafb73cb..94088158 100644
--- a/pom.xml
+++ b/pom.xml
@@ -523,7 +523,7 @@
4.10.22
[4.6.0, 5.0.0)
[1.0.1, 2.0.0)
- 7.4.7
+ 7.7.22
1.0.89
5.20.447
[5.14.0, 8.0.0)
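Review bot: `PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain()` is now called inline in this setCookie hunk and in three other places touched by the commit, so the rule for which tenant a cookie is bound to is scattered across four call sites. A single helper such as `static String currentTenantDomain()` in the http util package would keep that policy, and any handling of a missing tenant, in one place and make it clear to a reader that signing and verification deliberately resolve the tenant the same way. The `// Sign with the key of the current thread-local tenant` comment that explains the choice belongs on the helper rather than on each caller. The body of setCookie continues outside the hunk.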