OIDC: Add support redirects (#8151)

Author: molotkov-and

ydb/mvp/oidc_proxy/oidc_protected_page.h

@@ -192,12 +192,12 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
         request->Set("Accept-Encoding", "deflate");
     }
 
-    static NHttp::THeadersBuilder GetResponseHeaders(const NHttp::THttpIncomingResponsePtr& response) {
+private:
+    NHttp::THeadersBuilder GetResponseHeaders(const NHttp::THttpIncomingResponsePtr& response) {
         static const TVector<TStringBuf> HEADERS_WHITE_LIST = {
             "Content-Type",
             "Connection",
             "X-Worker-Name",
-            "Location",
             "Set-Cookie",
             "Access-Control-Allow-Origin",
             "Access-Control-Allow-Credentials",
@@ -211,16 +211,25 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
                 resultHeaders.Set(header, headers.Get(header));
             }
         }
+        static const TString LOCATION_HEADER_NAME = "Location";
+        if (headers.Has(LOCATION_HEADER_NAME)) {
+            resultHeaders.Set(LOCATION_HEADER_NAME, GetFixedLocationHeader(headers.Get(LOCATION_HEADER_NAME)));
+        }
         return resultHeaders;
     }
 
-private:
     void SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response, const NActors::TActorContext& ctx) {
         NHttp::THttpOutgoingRequestPtr request = response->GetRequest();
         LOG_DEBUG_S(ctx, EService::MVP, "Try to send request to HTTPS port");
         NHttp::THeadersBuilder headers {request->Headers};
         ForwardUserRequest(headers.Get(AUTH_HEADER_NAME), ctx, true);
     }
+
+    TString GetFixedLocationHeader(TStringBuf location) {
+        TStringBuf scheme, host, uri;
+        NHttp::CrackURL(ProtectedPageUrl, scheme, host, uri);
+        return TStringBuilder() << '/' << host << location;
+    }
 };
 
 }  // NMVP

ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp

@@ -253,6 +253,54 @@ Y_UNIT_TEST_SUITE(Mvp) {
     }
 
 
+    Y_UNIT_TEST(OpenIdConnectFixLocationHeader) {
+        TPortManager tp;
+        ui16 sessionServicePort = tp.GetPort(8655);
+        TMvpTestRuntime runtime;
+        runtime.Initialize();
+
+        const TString allowedProxyHost {"ydb.viewer.page:1234"};
+
+        TOpenIdConnectSettings settings {
+            .SessionServiceEndpoint = "localhost:" + ToString(sessionServicePort),
+            .AllowedProxyHosts = {allowedProxyHost},
+            .AccessServiceType = NMvp::yandex_v2
+        };
+
+        const NActors::TActorId edge = runtime.AllocateEdgeActor();
+        const NActors::TActorId target = runtime.Register(new NMVP::TProtectedPageHandler(edge, settings));
+
+        TSessionServiceMock sessionServiceMock;
+        sessionServiceMock.AllowedCookies.second = "allowed_session_cookie";
+        grpc::ServerBuilder builder;
+        builder.AddListeningPort(settings.SessionServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&sessionServiceMock);
+        std::unique_ptr<grpc::Server> sessionServer(builder.BuildAndStart());
+
+        NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
+        EatWholeString(incomingRequest, "GET /" + allowedProxyHost + "/counters HTTP/1.1\r\n"
+                                "Host: oidcproxy.net\r\n"
+                                "Cookie: yc_session=allowed_session_cookie\r\n\r\n");
+        runtime.Send(new IEventHandle(target, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest)));
+        TAutoPtr<IEventHandle> handle;
+
+        auto outgoingRequestEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingRequest>(handle);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingRequestEv->Request->Host, allowedProxyHost);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingRequestEv->Request->URL, "/counters");
+        UNIT_ASSERT_STRING_CONTAINS(outgoingRequestEv->Request->Headers, "Authorization: Bearer protected_page_iam_token");
+        UNIT_ASSERT_EQUAL(outgoingRequestEv->Request->Secure, false);
+        NHttp::THttpIncomingResponsePtr incomingResponse = new NHttp::THttpIncomingResponse(outgoingRequestEv->Request);
+        EatWholeString(incomingResponse, "HTTP/1.1 307 Temporary Redirect\r\n"
+                                        "Connection: close\r\n"
+                                        "Location: /node/12345/counters\r\n"
+                                        "Content-Length:0\r\n\r\n");
+        runtime.Send(new IEventHandle(handle->Sender, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingResponse(outgoingRequestEv->Request, incomingResponse)));
+
+        auto outgoingResponseEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingResponse>(handle);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingResponseEv->Response->Status, "307");
+        UNIT_ASSERT_STRING_CONTAINS(outgoingResponseEv->Response->Headers, "Location: /" + allowedProxyHost + "/node/12345/counters");
+    }
+
+
     Y_UNIT_TEST(OpenIdConnectExchangeNebius) {
         TPortManager tp;
         ui16 sessionServicePort = tp.GetPort(8655);