
Commit 18ba292

escape only values
1 parent 767932d commit 18ba292

21 files changed

+171
-168
lines changed

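--- a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
@@ -38,19 +38,19 @@ void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
     TStringBuf impersonatedCookieValue = GetCookie(cookies, CreateNameImpersonatedCookie(Settings.ClientId));
 
     if (sessionToken.empty()) {
-        return ReplyBadRequestAndDie("Wrong impersonate parameter: session cookie not found", ctx);
+        return ReplyBadRequestAndPassAway("Wrong impersonate parameter: session cookie not found");
     }
     if (!impersonatedCookieValue.empty()) {
-        return ReplyBadRequestAndDie("Wrong impersonate parameter: impersonated cookie already exists", ctx);
+        return ReplyBadRequestAndPassAway("Wrong impersonate parameter: impersonated cookie already exists");
     }
     if (serviceAccountId.empty()) {
-        return ReplyBadRequestAndDie("Wrong impersonate parameter: service_account_id not found", ctx);
+        return ReplyBadRequestAndPassAway("Wrong impersonate parameter: service_account_id not found");
     }
 
     RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
 }
 
-void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionToken, const TString& serviceAccountId, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::RequestImpersonatedToken(TString& sessionToken, TString& serviceAccountId, const NActors::TActorContext& ctx) {
     BLOG_D("Request impersonated token");
     NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
     httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
@@ -62,18 +62,18 @@ void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionTo
     }
     httpRequest->Set("Authorization", token); // Bearer included
 
+    CGIEscape(sessionToken);
+    CGIEscape(serviceAccountId);
     TStringBuilder body;
     body << "session=" << sessionToken
          << "&service_account_id=" << serviceAccountId;
-    TString bodyStr = body;
-    CGIEscape(bodyStr);
-    httpRequest->Set<&NHttp::THttpRequest::Body>(bodyStr);
+    httpRequest->Set<&NHttp::THttpRequest::Body>(body);
 
     ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
     Become(&THandlerImpersonateStart::StateWork);
 }
 
-void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken) {
     TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
     TString impersonatedCookieValue = Base64Encode(impersonatedToken);
     BLOG_D("Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");
@@ -82,10 +82,10 @@ void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersona
     responseHeaders.Set("Set-Cookie", CreateSecureCookie(impersonatedCookieName, impersonatedCookieValue));
     SetCORS(Request, &responseHeaders);
     NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
-    ReplyAndDie(httpResponse, ctx);
+    ReplyAndPassAway(httpResponse);
 }
 
-void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event) {
     NHttp::THttpOutgoingResponsePtr httpResponse;
     if (event->Get()->Error.empty() && event->Get()->Response) {
         NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
@@ -98,7 +98,7 @@ void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRespon
             const NJson::TJsonValue* jsonImpersonatedToken;
             if (jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
                 TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
-                ProcessImpersonatedToken(impersonatedToken, ctx);
+                ProcessImpersonatedToken(impersonatedToken);
                 return;
             } else {
                 errorMessage = "Wrong OIDC provider response: impersonated token not found";
@@ -109,35 +109,35 @@ void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRespon
             NHttp::THeadersBuilder responseHeaders;
             responseHeaders.Set("Content-Type", "text/plain");
             SetCORS(Request, &responseHeaders);
-            return ReplyAndDie(Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage), ctx);
+            return ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage));
         } else {
             NHttp::THeadersBuilder responseHeaders;
             NHttp::THeaders headers(response->Headers);
             if (headers.Has("Content-Type")) {
                 responseHeaders.Set("Content-Type", headers.Get("Content-Type"));
             }
             SetCORS(Request, &responseHeaders);
-            return ReplyAndDie(Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body), ctx);
+            return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body));
         }
     } else {
         NHttp::THeadersBuilder responseHeaders;
         responseHeaders.Set("Content-Type", "text/plain");
         SetCORS(Request, &responseHeaders);
-        return ReplyAndDie(Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error), ctx);
+        return ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error));
     }
 }
 
-void THandlerImpersonateStart::ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx) {
-    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
-    Die(ctx);
+void THandlerImpersonateStart::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
+    Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    PassAway();
 }
 
-void THandlerImpersonateStart::ReplyBadRequestAndDie(const TString& errorMessage, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::ReplyBadRequestAndPassAway(const TString& errorMessage) {
     NHttp::THeadersBuilder responseHeaders;
     responseHeaders.Set("Content-Type", "text/plain");
     SetCORS(Request, &responseHeaders);
     NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage);
-    ReplyAndDie(httpResponse, ctx);
+    ReplyAndPassAway(httpResponse);
 }
 
 TImpersonateStartPageHandler::TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)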
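Review bot: `RequestImpersonatedToken` now takes `TString&` and runs `CGIEscape` on the caller's own `sessionToken` and `serviceAccountId` in place (second hunk), so after the call `Bootstrap` is left holding the escaped forms of both values; nothing reads them afterwards today, but mutating a caller's secret-bearing variable as a side effect of building a request is an easy trap for later code, and it is the only reason the `const` had to be dropped here and in the matching declarations in oidc_impersonate_start_page_nebius.h. Escaping into the body instead keeps the original `const TString&` signatures: `body << "session=" << CGIEscapeRet(sessionToken) << "&service_account_id=" << CGIEscapeRet(serviceAccountId);` (`CGIEscapeRet` being the returning variant of the same util; if it is not available in this build, escape local copies). Per-field escaping itself is the right fix — the removed code escaped the assembled body, which would presumably have encoded the `=` and `&` separators too. Both `Bootstrap` and `RequestImpersonatedToken` are cut by the hunk boundaries, so their remaining bodies are not visible here.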

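--- a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h
+++ b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h
@@ -23,15 +23,15 @@ class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpe
                              const NActors::TActorId& httpProxyId,
                              const TOpenIdConnectSettings& settings);
     void Bootstrap(const NActors::TActorContext& ctx);
-    void RequestImpersonatedToken(const TString&, const TString&, const NActors::TActorContext&);
-    void ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx);
-    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
-    void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);
-    void ReplyBadRequestAndDie(const TString& errorMessage, const NActors::TActorContext& ctx);
+    void RequestImpersonatedToken(TString&, TString&, const NActors::TActorContext&);
+    void ProcessImpersonatedToken(const TString& impersonatedToken);
+    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event);
+    void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
+    void ReplyBadRequestAndPassAway(const TString& errorMessage);
 
     STFUNC(StateWork) {
         switch (ev->GetTypeRewrite()) {
-            HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
+            hFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
             cFunc(TEvents::TEvPoisonPill::EventType, PassAway);
         }
     }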

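--- a/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp
@@ -15,7 +15,7 @@ THandlerImpersonateStop::THandlerImpersonateStop(const NActors::TActorId& sender
     , Settings(settings)
 {}
 
-void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
+void THandlerImpersonateStop::Bootstrap() {
     TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
     BLOG_D("Clear impersonated cookie: (" << impersonatedCookieName << ")");
 
@@ -25,12 +25,12 @@ void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
 
     NHttp::THttpOutgoingResponsePtr httpResponse;
     httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
-    ReplyAndDie(httpResponse, ctx);
+    ReplyAndPassAway(httpResponse);
 }
 
-void THandlerImpersonateStop::ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx) {
-    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
-    Die(ctx);
+void THandlerImpersonateStop::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
+    Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    PassAway();
 }
 
 TImpersonateStopPageHandler::TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)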

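--- a/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h
+++ b/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h
@@ -23,8 +23,8 @@ class THandlerImpersonateStop : public NActors::TActorBootstrapped<THandlerImper
                             const NActors::TActorId& httpProxyId,
                             const TOpenIdConnectSettings& settings);
 
-    void Bootstrap(const NActors::TActorContext& ctx);
-    void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);
+    void Bootstrap();
+    void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
 };
 
 class TImpersonateStopPageHandler : public NActors::TActor<TImpersonateStopPageHandler> {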

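--- a/ydb/mvp/oidc_proxy/oidc_protected_page.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_protected_page.cpp
@@ -20,36 +20,36 @@ THandlerSessionServiceCheck::THandlerSessionServiceCheck(const NActors::TActorId
 
 void THandlerSessionServiceCheck::Bootstrap(const NActors::TActorContext& ctx) {
     if (!CheckRequestedHost()) {
-        return ReplyAndDie(CreateResponseForbiddenHost(), ctx);
+        return ReplyAndPassAway(CreateResponseForbiddenHost());
     }
     NHttp::THeaders headers(Request->Headers);
     TStringBuf authHeader = headers.Get(AUTH_HEADER_NAME);
     if (Request->Method == "OPTIONS" || IsAuthorizedRequest(authHeader)) {
-        ForwardUserRequest(TString(authHeader), ctx);
+        ForwardUserRequest(TString(authHeader));
     } else {
         StartOidcProcess(ctx);
     }
 }
 
-void THandlerSessionServiceCheck::HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
+void THandlerSessionServiceCheck::HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event) {
     if (event->Get()->Response != nullptr) {
         NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
         BLOG_D("Incoming response for protected resource: " << response->Status);
         if (NeedSendSecureHttpRequest(response)) {
-            return SendSecureHttpRequest(response, ctx);
+            return SendSecureHttpRequest(response);
         }
         NHttp::THeadersBuilder headers = GetResponseHeaders(response);
         TStringBuf contentType = headers.Get("Content-Type").NextTok(';');
         if (contentType == "text/html") {
             TString newBody = FixReferenceInHtml(response->Body, response->GetRequest()->Host);
-            return ReplyAndDie(Request->CreateResponse(response->Status, response->Message, headers, newBody), ctx);
+            return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, headers, newBody));
         } else {
-            return ReplyAndDie(Request->CreateResponse(response->Status, response->Message, headers, response->Body), ctx);
+            return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, headers, response->Body));
         }
     } else {
         static constexpr size_t MAX_LOGGED_SIZE = 1024;
         BLOG_D("Can not process request to protected resource:\n" << event->Get()->Request->GetObfuscatedData().substr(0, MAX_LOGGED_SIZE));
-        return ReplyAndDie(CreateResponseForNotExistingResponseFromProtectedResource(event->Get()->GetError()), ctx);
+        return ReplyAndPassAway(CreateResponseForNotExistingResponseFromProtectedResource(event->Get()->GetError()));
     }
 }
 
@@ -79,7 +79,7 @@ bool THandlerSessionServiceCheck::IsAuthorizedRequest(TStringBuf authHeader) {
     return to_lower(ToString(authHeader)).StartsWith(IAM_TOKEN_SCHEME_LOWER);
 }
 
-void THandlerSessionServiceCheck::ForwardUserRequest(TStringBuf authHeader, const NActors::TActorContext& ctx, bool secure) {
+void THandlerSessionServiceCheck::ForwardUserRequest(TStringBuf authHeader, bool secure) {
     BLOG_D("Forward user request bypass OIDC");
     NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequest(Request->Method, ProtectedPageUrl);
     ForwardRequestHeaders(httpRequest);
@@ -92,7 +92,7 @@ void THandlerSessionServiceCheck::ForwardUserRequest(TStringBuf authHeader, cons
     if (RequestedPageScheme.empty()) {
         httpRequest->Secure = secure;
     }
-    ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
+    Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
 }
 
 TString THandlerSessionServiceCheck::FixReferenceInHtml(TStringBuf html, TStringBuf host, TStringBuf findStr) {
@@ -173,11 +173,11 @@ NHttp::THeadersBuilder THandlerSessionServiceCheck::GetResponseHeaders(const NHt
     return resultHeaders;
 }
 
-void THandlerSessionServiceCheck::SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response, const NActors::TActorContext& ctx) {
+void THandlerSessionServiceCheck::SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response) {
     NHttp::THttpOutgoingRequestPtr request = response->GetRequest();
     BLOG_D("Try to send request to HTTPS port");
     NHttp::THeadersBuilder headers {request->Headers};
-    ForwardUserRequest(headers.Get(AUTH_HEADER_NAME), ctx, true);
+    ForwardUserRequest(headers.Get(AUTH_HEADER_NAME), true);
 }
 
 TString THandlerSessionServiceCheck::GetFixedLocationHeader(TStringBuf location) {
@@ -226,9 +226,9 @@ NHttp::THttpOutgoingResponsePtr THandlerSessionServiceCheck::CreateResponseForNo
     return Request->CreateResponse("400", "Bad Request", headers, html);
 }
 
-void THandlerSessionServiceCheck::ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx) {
-    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
-    Die(ctx);
+void THandlerSessionServiceCheck::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
+    Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    PassAway();
 }
 
 } // NMVP::NOIDC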

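--- a/ydb/mvp/oidc_proxy/oidc_protected_page.h
+++ b/ydb/mvp/oidc_proxy/oidc_protected_page.h
@@ -32,24 +32,24 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
                                 const TOpenIdConnectSettings& settings);
 
     virtual void Bootstrap(const NActors::TActorContext& ctx);
-    void HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
+    void HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event);
 
 protected:
     virtual void StartOidcProcess(const NActors::TActorContext& ctx) = 0;
-    virtual void ForwardUserRequest(TStringBuf authHeader, const NActors::TActorContext& ctx, bool secure = false);
+    virtual void ForwardUserRequest(TStringBuf authHeader, bool secure = false);
     virtual bool NeedSendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response) const = 0;
 
     bool CheckRequestedHost();
     void ForwardRequestHeaders(NHttp::THttpOutgoingRequestPtr& request) const;
-    void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);
+    void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
 
     static bool IsAuthorizedRequest(TStringBuf authHeader);
     static TString FixReferenceInHtml(TStringBuf html, TStringBuf host, TStringBuf findStr);
     static TString FixReferenceInHtml(TStringBuf html, TStringBuf host);
 
 private:
     NHttp::THeadersBuilder GetResponseHeaders(const NHttp::THttpIncomingResponsePtr& response);
-    void SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response, const NActors::TActorContext& ctx);
+    void SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response);
     TString GetFixedLocationHeader(TStringBuf location);
     NHttp::THttpOutgoingResponsePtr CreateResponseForbiddenHost();
     NHttp::THttpOutgoingResponsePtr CreateResponseForNotExistingResponseFromProtectedResource(const TString& errorMessage);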
