[oidc proxy] Improve error message for forbidden host and null response (#8785)

Author: molotkov-and

ydb/mvp/oidc_proxy/oidc_protected_page.h

@@ -34,7 +34,6 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
     TString RequestedPageScheme;
     bool IsAjaxRequest = false;
 
-    const static inline TStringBuf NOT_FOUND_HTML_PAGE = "<html><head><title>404 Not Found</title></head><body bgcolor=\"white\"><center><h1>404 Not Found</h1></center></body></html>";
     const static inline TStringBuf IAM_TOKEN_SCHEME = "Bearer ";
     const static inline TStringBuf IAM_TOKEN_SCHEME_LOWER = "bearer ";
     const static inline TStringBuf AUTH_HEADER_NAME = "Authorization";
@@ -54,7 +53,7 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
 
     virtual void Bootstrap(const NActors::TActorContext& ctx) {
         if (!CheckRequestedHost()) {
-            ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(Request->CreateResponseNotFound(NOT_FOUND_HTML_PAGE, "text/html")));
+            ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(CreateResponseForbiddenHost()));
             Die(ctx);
             return;
         }
@@ -86,7 +85,9 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
                 httpResponse = Request->CreateResponse( response->Status, response->Message, headers, response->Body);
             }
         } else {
-            httpResponse = Request->CreateResponseNotFound(NOT_FOUND_HTML_PAGE, "text/html");
+            static constexpr size_t MAX_LOGGED_SIZE = 1024;
+            LOG_DEBUG_S(ctx, EService::MVP, "Can not process request to protected resource:\n" << event->Get()->Request->GetRawData().substr(0, MAX_LOGGED_SIZE));
+            httpResponse = CreateResponseForNotExistingResponseFromProtectedResource(event->Get()->GetError());
         }
         ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
         Die(ctx);
@@ -230,6 +231,33 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
         NHttp::CrackURL(ProtectedPageUrl, scheme, host, uri);
         return TStringBuilder() << '/' << host << location;
     }
+
+    NHttp::THttpOutgoingResponsePtr CreateResponseForbiddenHost() {
+        NHttp::THeadersBuilder headers;
+        headers.Set("Content-Type", "text/html");
+        SetCORS(Request, &headers);
+
+        TStringBuf scheme, host, uri;
+        NHttp::CrackURL(ProtectedPageUrl, scheme, host, uri);
+        TStringBuilder html;
+        html << "<html><head><title>403 Forbidden</title></head><body bgcolor=\"white\"><center><h1>";
+        html << "403 Forbidden host: " << host;
+        html << "</h1></center></body></html>";
+
+        return Request->CreateResponse("403", "Forbidden", headers, html);
+    }
+
+    NHttp::THttpOutgoingResponsePtr CreateResponseForNotExistingResponseFromProtectedResource(const TString& errorMessage) {
+        NHttp::THeadersBuilder headers;
+        headers.Set("Content-Type", "text/html");
+        SetCORS(Request, &headers);
+
+        TStringBuilder html;
+        html << "<html><head><title>400 Bad Request</title></head><body bgcolor=\"white\"><center><h1>";
+        html << "400 Bad Request. Can not process request to protected resource: " << errorMessage;
+        html << "</h1></center></body></html>";
+        return Request->CreateResponse("400", "Bad Request", headers, html);
+    }
 };
 
 }  // NMVP

ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp

@@ -952,7 +952,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
         const TString hostProxy = "oidcproxy.net";
         const TString protectedPage = "/counters";
 
-        auto checkAllowedHostList = [&] (const TString& requestedHost, const TString& expectedStatus) {
+        auto checkAllowedHostList = [&] (const TString& requestedHost, const TString& expectedStatus, const TString& expectedBodyContent = "") {
             const TString url = "/" + requestedHost + protectedPage;
             TStringBuilder httpRequest;
             httpRequest << "GET " + url + " HTTP/1.1\r\n"
@@ -968,14 +968,54 @@ Y_UNIT_TEST_SUITE(Mvp) {
             TAutoPtr<IEventHandle> handle;
             NHttp::TEvHttpProxy::TEvHttpOutgoingResponse* outgoingResponseEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingResponse>(handle);
             UNIT_ASSERT_STRINGS_EQUAL(outgoingResponseEv->Response->Status, expectedStatus);
+            if (!expectedBodyContent.empty()) {
+                UNIT_ASSERT_STRING_CONTAINS(outgoingResponseEv->Response->Body, expectedBodyContent);
+            }
         };
 
         for (const TString& allowedHost : allowedProxyHosts) {
             checkAllowedHostList(allowedHost, "302");
         }
 
         for (const TString& forbiddenHost : forbiddenProxyHosts) {
-            checkAllowedHostList(forbiddenHost, "404");
+            checkAllowedHostList(forbiddenHost, "403", "403 Forbidden host: " + forbiddenHost);
         }
     }
+
+    Y_UNIT_TEST(OpenIdConnectHandleNullResponseFromProtectedResource) {
+        TPortManager tp;
+        ui16 sessionServicePort = tp.GetPort(8655);
+        TMvpTestRuntime runtime;
+        runtime.Initialize();
+
+        const TString allowedProxyHost {"ydb.viewer.page"};
+
+        TOpenIdConnectSettings settings {
+            .SessionServiceEndpoint = "localhost:" + ToString(sessionServicePort),
+            .AllowedProxyHosts = {allowedProxyHost},
+        };
+
+        const NActors::TActorId edge = runtime.AllocateEdgeActor();
+        const NActors::TActorId target = runtime.Register(new NMVP::TProtectedPageHandler(edge, settings));
+
+        const TString iamToken {"protected_page_iam_token"};
+        NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
+        EatWholeString(incomingRequest, "GET /" + allowedProxyHost + "/counters HTTP/1.1\r\n"
+                                "Host: oidcproxy.net\r\n"
+                                "Authorization: Bearer " + iamToken + "\r\n");
+        runtime.Send(new IEventHandle(target, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest)));
+        TAutoPtr<IEventHandle> handle;
+
+        auto outgoingRequestEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingRequest>(handle);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingRequestEv->Request->Host, allowedProxyHost);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingRequestEv->Request->URL, "/counters");
+        UNIT_ASSERT_STRING_CONTAINS(outgoingRequestEv->Request->Headers, "Authorization: Bearer " + iamToken);
+
+        const TString expectedError = "Response is NULL for some reason";
+        runtime.Send(new IEventHandle(handle->Sender, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingResponse(outgoingRequestEv->Request, nullptr, expectedError)));
+
+        auto outgoingResponseEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingResponse>(handle);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingResponseEv->Response->Status, "400");
+        UNIT_ASSERT_STRING_CONTAINS(outgoingResponseEv->Response->Body, expectedError);
+    }
 }

ydb/mvp/oidc_proxy/openid_connect.cpp

@@ -55,17 +55,6 @@ TString CreateRedirectUrl(const TRedirectUrlParameters& parameters) {
     return locationHeaderValue;
 }
 
-void SetCORS(const NHttp::THttpIncomingRequestPtr& request, NHttp::THeadersBuilder* const headers) {
-    TString origin = TString(NHttp::THeaders(request->Headers)["Origin"]);
-    if (origin.empty()) {
-        origin = "*";
-    }
-    headers->Set("Access-Control-Allow-Origin", origin);
-    headers->Set("Access-Control-Allow-Credentials", "true");
-    headers->Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Origin,Accept");
-    headers->Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST");
-}
-
 NHttp::THttpOutgoingResponsePtr CreateResponseForAjaxRequest(const NHttp::THttpIncomingRequestPtr& request, NHttp::THeadersBuilder& headers, const TString& redirectUrl) {
     headers.Set("Content-Type", "application/json; charset=utf-8");
     SetCORS(request, &headers);
@@ -84,6 +73,17 @@ TStringBuf GetRequestedUrl(const NHttp::THttpIncomingRequestPtr& request, bool i
 
 } // namespace
 
+void SetCORS(const NHttp::THttpIncomingRequestPtr& request, NHttp::THeadersBuilder* const headers) {
+    TString origin = TString(NHttp::THeaders(request->Headers)["Origin"]);
+    if (origin.empty()) {
+        origin = "*";
+    }
+    headers->Set("Access-Control-Allow-Origin", origin);
+    headers->Set("Access-Control-Allow-Credentials", "true");
+    headers->Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Origin,Accept");
+    headers->Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST");
+}
+
 TString HmacSHA256(TStringBuf key, TStringBuf data) {
     unsigned char hash[SHA256_DIGEST_LENGTH];
     ui32 hl = SHA256_DIGEST_LENGTH;

ydb/mvp/oidc_proxy/openid_connect.h

@@ -58,6 +58,7 @@ TString CreateNameYdbOidcCookie(TStringBuf key, TStringBuf state);
 TString CreateNameSessionCookie(TStringBuf key);
 const TString& GetAuthCallbackUrl();
 TString CreateSecureCookie(const TString& name, const TString& value);
+void SetCORS(const NHttp::THttpIncomingRequestPtr& request, NHttp::THeadersBuilder* const headers);
 
 template <typename TSessionService>
 std::unique_ptr<NYdbGrpc::TServiceConnection<TSessionService>> CreateGRpcServiceConnection(const TString& endpoint) {