From d0de61c3b860a69a86c584c12d50a5b88c168507 Mon Sep 17 00:00:00 2001 From: StekPerepolnen Date: Thu, 7 Nov 2024 10:38:02 +0000 Subject: [PATCH 1/3] add oidc cookie logs --- ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp | 15 +++++++++++++-- ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp | 4 +++- ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp | 7 ++++++- ydb/mvp/oidc_proxy/openid_connect.cpp | 4 ++-- 4 files changed, 24 insertions(+), 6 deletions(-) diff --git a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp index d965ad91f66e..07584f95cf5a 100644 --- a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp +++ b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp @@ -22,11 +22,22 @@ void THandlerSessionServiceCheckNebius::StartOidcProcess(const NActors::TActorCo NHttp::THeaders headers(Request->Headers); LOG_DEBUG_S(ctx, EService::MVP, "Start OIDC process"); - NHttp::TCookies cookies(headers.Get("Cookie")); + TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId); + + TStringBuf cookieParser(headers["Cookie"]); + TString sessionCookieValue; + for (TStringBuf param = cookieParser.NextTok(';'); !param.empty(); param = cookieParser.NextTok(';')) { + param.SkipPrefix(" "); + TStringBuf name = param.NextTok('='); + if (name == sessionCookieName) { + sessionCookieValue = param; + LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")"); + } + } TString sessionToken; try { - Base64StrictDecode(cookies.Get(CreateNameSessionCookie(Settings.ClientId)), sessionToken); + Base64StrictDecode(sessionCookieValue, sessionToken); } catch (std::exception& e) { LOG_DEBUG_S(ctx, EService::MVP, "Base64Decode session cookie: " << e.what()); sessionToken.clear(); diff --git a/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp b/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp index 0299a78b9d24..bc1a80568b17 100644 --- a/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp 
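Review bot: The new cookie loop keeps scanning after it matches `sessionCookieName`, so a request that carries two cookies of that name makes the later one silently override the earlier one and emits the "Using session cookie" line twice; a `break;` right after `sessionCookieValue = param;` would pin first-match semantics. `param.SkipPrefix(" ")` also strips only a single leading space, so a cookie preceded by more than one space would not be matched. Patch 2 of this series replaces this hand-rolled loop with `NHttp::TCookies`, which makes both points moot there, but the duplicate-name behaviour then depends on `TCookies::Get` and deserves a comment. StartOidcProcess continues beyond the hunk.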
+++ b/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp @@ -392,10 +392,12 @@ Y_UNIT_TEST_SUITE(Mvp) { std::unique_ptr sessionServer(builder.BuildAndStart()); NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest(); + TString sessionCookieName = CreateNameSessionCookie(settings.ClientId); + TString sessionCookieValue = Base64Encode("session_cookie"); EatWholeString(incomingRequest, "GET /" + allowedProxyHost + "/counters HTTP/1.1\r\n" "Host: oidcproxy.net\r\n" "Cookie: yc_session=allowed_session_cookie;" - + CreateSecureCookie(settings.ClientId, "session_cookie") + "\r\n\r\n"); + + CreateSecureCookie(sessionCookieName, sessionCookieValue) + "\r\n\r\n"); runtime.Send(new IEventHandle(target, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest))); TAutoPtr handle; diff --git a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp index 3b2234d29580..25b919c54907 100644 --- a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp +++ b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp @@ -1,6 +1,7 @@ #include #include "openid_connect.h" #include "oidc_session_create_nebius.h" +#include namespace NMVP { namespace NOIDC { 
@@ -33,8 +34,12 @@ void THandlerSessionCreateNebius::RequestSessionToken(const TString& code, const } void THandlerSessionCreateNebius::ProcessSessionToken(const TString& sessionToken, const NActors::TActorContext& ctx) { + TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId); + TString sessionCookieValue = Base64Encode(sessionToken); + LOG_DEBUG_S(ctx, EService::MVP, "Set session cookie: (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")"); + NHttp::THeadersBuilder responseHeaders; - responseHeaders.Set("Set-Cookie", CreateSecureCookie(Settings.ClientId, sessionToken)); + responseHeaders.Set("Set-Cookie", CreateSecureCookie(sessionCookieName, sessionCookieValue)); responseHeaders.Set("Location", Context.GetRequestedAddress()); NHttp::THttpOutgoingResponsePtr httpResponse; httpResponse = Request->CreateResponse("302", "Cookie set", responseHeaders); diff --git a/ydb/mvp/oidc_proxy/openid_connect.cpp b/ydb/mvp/oidc_proxy/openid_connect.cpp index dec1ab9aa070..fbc7714c5979 100644 --- a/ydb/mvp/oidc_proxy/openid_connect.cpp +++ b/ydb/mvp/oidc_proxy/openid_connect.cpp @@ -114,9 +114,9 @@ const TString& GetAuthCallbackUrl() { return callbackUrl; } -TString CreateSecureCookie(const TString& key, const TString& value) { +TString CreateSecureCookie(const TString& name, const TString& value) { TStringBuilder cookieBuilder; - cookieBuilder << CreateNameSessionCookie(key) << "=" << Base64Encode(value) + cookieBuilder << name << "=" << value << "; Path=/; Secure; HttpOnly; SameSite=None; Partitioned"; return cookieBuilder; } From d2fbeef7dd475b7638374e24f36faa3bba1a4d7c Mon Sep 17 00:00:00 2001 From: Andrei Rykov Date: Thu, 7 Nov 2024 12:55:39 +0100 Subject: [PATCH 2/3] Update ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp Co-authored-by: Andrey Molotkov --- ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) 
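Review bot: `CreateSecureCookie` now writes `name` and `value` into the `Set-Cookie` header verbatim, whereas the removed line Base64-encoded the value inside the function, so the guarantee that the value is cookie-safe has moved to the callers (`ProcessSessionToken` in the other hunk on this line passes `Base64Encode(sessionToken)`), and nothing in the function says so. A header comment would keep future callers from passing a raw token: `// name and value are emitted as-is; callers must pass cookie-safe (Base64-encoded) strings, since no escaping of ';' or control characters is done here.` The same applies to the `name` parameter, which is built by `CreateNameSessionCookie` at both call sites. ProcessSessionToken's body continues outside its hunk.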
diff --git a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp index 07584f95cf5a..c13a1d35bc7b 100644 --- a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp +++ b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp @@ -22,18 +22,13 @@ void THandlerSessionServiceCheckNebius::StartOidcProcess(const NActors::TActorCo NHttp::THeaders headers(Request->Headers); LOG_DEBUG_S(ctx, EService::MVP, "Start OIDC process"); + NHttp::TCookies cookies(headers.Get("Cookie")); TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId); - - TStringBuf cookieParser(headers["Cookie"]); - TString sessionCookieValue; - for (TStringBuf param = cookieParser.NextTok(';'); !param.empty(); param = cookieParser.NextTok(';')) { - param.SkipPrefix(" "); - TStringBuf name = param.NextTok('='); - if (name == sessionCookieName) { - sessionCookieValue = param; - LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")"); - } + TStringBuf sessionCookieValue = cookies.Get(sessionCookieName); + if (!sessionCookieValue.Empty()) { + LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")"); } + TString sessionToken; try { From 1610f85e02d64e67c499fe7130710968d083ed4c Mon Sep 17 00:00:00 2001 From: Andrei Rykov Date: Thu, 7 Nov 2024 13:07:06 +0100 Subject: [PATCH 3/3] Update ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp Co-authored-by: Andrey Molotkov --- ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp | 3 ++- ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp | 4 +--- ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp | 1 + 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp index c13a1d35bc7b..b4ea27d14749 100644 --- a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp 
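Review bot: The absent-cookie case stays silent: when `cookies.Get(sessionCookieName)` returns an empty buffer the code falls straight into `Base64StrictDecode` with empty input, and the only trace is whatever happens later, while the present-cookie case now logs. Since this series exists to make cookie handling diagnosable, an `else` branch such as `LOG_DEBUG_S(ctx, EService::MVP, "Session cookie (" << sessionCookieName << ") not found");` would let an operator distinguish "no cookie sent" from "cookie rejected by Base64 decode". `sessionCookieValue` is a `TStringBuf` that presumably views into the headers held by `Request`, so it must not outlive this call — fine as used here, but worth a one-line comment. StartOidcProcess continues beyond the hunk.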
+++ b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp @@ -1,6 +1,7 @@ #include #include #include +#include #include #include #include @@ -28,7 +29,7 @@ void THandlerSessionServiceCheckNebius::StartOidcProcess(const NActors::TActorCo if (!sessionCookieValue.Empty()) { LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")"); } - + TString sessionToken; try { diff --git a/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp b/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp index bc1a80568b17..a052aab7944d 100644 --- a/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp +++ b/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp @@ -392,12 +392,10 @@ Y_UNIT_TEST_SUITE(Mvp) { std::unique_ptr sessionServer(builder.BuildAndStart()); NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest(); - TString sessionCookieName = CreateNameSessionCookie(settings.ClientId); - TString sessionCookieValue = Base64Encode("session_cookie"); EatWholeString(incomingRequest, "GET /" + allowedProxyHost + "/counters HTTP/1.1\r\n" "Host: oidcproxy.net\r\n" "Cookie: yc_session=allowed_session_cookie;" - + CreateSecureCookie(sessionCookieName, sessionCookieValue) + "\r\n\r\n"); + + CreateNameSessionCookie(settings.ClientId) + "=" + Base64Encode("session_cookie") + "\r\n\r\n"); runtime.Send(new IEventHandle(target, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest))); TAutoPtr handle; diff --git a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp index 25b919c54907..964a602baacf 100644 --- a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp +++ b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp @@ -1,4 +1,5 @@ #include +#include #include "openid_connect.h" #include "oidc_session_create_nebius.h" #include
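Review bot: The test only exercises the happy path with a well-formed Base64 cookie; the `Base64StrictDecode` catch branch and the absent-cookie path in `StartOidcProcess` have no case, so the new logging and the fallback behaviour go unverified. Two sibling requests — one that omits the session cookie entirely and one that sends a non-Base64 value (constructed example: `not_base64!`) — would cover them; the expected response for those paths is not shown in the patch, so it should be taken from this suite's existing no-session tests rather than guessed. Building the header as `CreateNameSessionCookie(settings.ClientId) + "=" + Base64Encode("session_cookie")` is the right move, since the previous `CreateSecureCookie` call put `Set-Cookie` attributes into a request `Cookie` header. The enclosing Y_UNIT_TEST body continues outside the hunk.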