From f55bd5fe868b680657112ff5f8faf702122b7368 Mon Sep 17 00:00:00 2001
From: IlyasBaqqari-CabinetOffice
Date: Fri, 19 Apr 2024 15:53:28 +0100
Subject: [PATCH 1/3] Make secure cookie builder set domain.
---
 .../gov/cabinetoffice/gapuserservice/util/WebUtil.java | 9 +++++++++
 .../gapuserservice/web/LoginControllerV2.java | 5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
index 76a3ecf2..224e2c1d 100644
--- a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
+++ b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
@@ -36,6 +36,15 @@ public static Cookie buildSecureCookie(final String name, final String value) {
 return cookie;
 }
+ public static Cookie buildSecureCookie(final String name, final String domain, final String value) {
+ final Cookie cookie = new Cookie(name, value);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
+ cookie.setDomain(domain);
+ cookie.setPath("/");
+ return cookie;
+ }
+
 public static Cookie buildSecureCookie(final String name, final String value, final Integer maxAge) {
 final Cookie cookie = buildSecureCookie(name, value);
 cookie.setMaxAge(maxAge);
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
index 81efe8b6..2427e446 100644
--- a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
+++ b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
@@ -71,6 +71,9 @@ public class LoginControllerV2 {
 @Value("${jwt.cookie-name}")
 public String userServiceCookieName;
+ @Value("${jwt.cookie-domain")
+ public String userServiceCookieDomain;
+
 @Value("${admin-base-url}")
 private String adminBaseUrl;
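Review bot: The new overload re-implements the Secure/HttpOnly/path setup instead of delegating to the two-argument builder the way `buildSecureCookie(name, value, maxAge)` just below it does, so any future hardening of the base builder would have to be copied here by hand; the body can simply be `final Cookie cookie = buildSecureCookie(name, value); cookie.setDomain(domain); return cookie;`. The overload also deserves a Javadoc line stating that a Domain attribute makes browsers send the cookie to every host under `domain`, not only the issuing host, so a session token built this way reaches every sibling service on that domain and callers should pass the narrowest domain that actually needs it. Note there is still no variant taking both a domain and a max age, so a domain-scoped cookie can only ever be a session cookie; if that is intended it should be stated in the doc comment.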
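Review bot: The placeholder on the new field is malformed: `@Value("${jwt.cookie-domain")` is missing its closing brace, so Spring will most likely leave the expression unresolved and the field will hold the literal text `${jwt.cookie-domain` instead of the configured domain. That literal is then handed to `Cookie.setDomain` for the authentication cookie, where `$` and `{` are not valid Domain characters, so the container is likely to reject the header or browsers to drop the cookie and login would fail in every environment that relies on this property; this is the only hunk in the series that touches the annotation, so the typo survives into patch 3. Change it to `@Value("${jwt.cookie-domain}")`. The accompanying unit test sets the field by reflection and therefore cannot catch this; a context-loading test with the property supplied would. The enclosing class continues outside the hunk.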
@@ -248,7 +251,7 @@ private Cookie addCustomJwtCookie(final HttpServletResponse response, final boolean isAdmin) {
 final Map customJwtClaims = oneLoginService.generateCustomJwtClaims(userInfo, idToken);
 final String customServiceJwt = customJwtService.generateToken(customJwtClaims, isAdmin);
- final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt);
+ final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, userServiceCookieDomain, customServiceJwt);
 response.addCookie(customJwt);
 return customJwt;
 }
From 4cf0d966e65c437d4aaf8fd42f5ec8f57f7828c3 Mon Sep 17 00:00:00 2001
From: IlyasBaqqari-CabinetOffice
Date: Fri, 19 Apr 2024 16:29:47 +0100
Subject: [PATCH 2/3] Update test
---
 .../gapuserservice/web/LoginControllerV2Test.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
index 830f4c88..13176a36 100644
--- a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
+++ b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
@@ -91,6 +91,7 @@ void setUp() {
 loginController = new LoginControllerV2(oneLoginService, customJwtService, configProperties, encryptionService, oneLoginUserService, findProperties, loggingUtils);
 ReflectionTestUtils.setField(loginController, "userServiceCookieName", "userServiceCookieName");
+ ReflectionTestUtils.setField(loginController, "userServiceCookieDomain", "userServiceCookieDomain");
 ReflectionTestUtils.setField(loginController, "adminBaseUrl", "http:localhost:3000/adminBaseUrl");
 ReflectionTestUtils.setField(loginController, "applicantBaseUrl", "http:localhost:3000/applicantBaseUrl");
 ReflectionTestUtils.setField(loginController, "techSupportAppBaseUrl", "http:localhost:3000/techSupportAppBaseUrl");
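Review bot: Setting `userServiceCookieDomain` through `ReflectionTestUtils.setField` bypasses Spring's property binding entirely, so this setup proves nothing about the `jwt.cookie-domain` wiring it is meant to cover — a mistyped `@Value` expression on the controller would pass this suite unnoticed while the deployed service issued a broken authentication cookie. The placeholder value `"userServiceCookieDomain"` is also not a hostname, so nothing here would surface a container-side rejection of the Domain attribute either. Alongside this unit test, add a web-slice or context test with `@TestPropertySource(properties = "jwt.cookie-domain=example.gov.uk")` that performs the login call and asserts the `Set-Cookie` header contains `Domain=example.gov.uk`. The `setUp` method continues past the end of the hunk.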
@@ -290,7 +291,7 @@ void shouldCreateJwtCookie() throws JSONException {
 final String customToken = "a-custom-valid-token";
 final HttpServletResponse response = Mockito.spy(new MockHttpServletResponse());
 final Map claims = Map.of("claim1", "value1", "claim2", "value2");
- final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "jwtToken");
+ final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "userServiceCookieDomain", "jwtToken");
 final JSONObject tokenResponse = new JSONObject();
 tokenResponse.put("id_token", idToken).put("access_token", accessToken);
From 06af97a45c933e945e73e229f24a24a9a3132469 Mon Sep 17 00:00:00 2001
From: IlyasBaqqari-CabinetOffice
Date: Mon, 22 Apr 2024 10:56:55 +0100
Subject: [PATCH 3/3] Refactor method buildSecureCookie for consistency
---
 .../java/gov/cabinetoffice/gapuserservice/util/WebUtil.java | 2 +-
 .../gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java | 2 +-
 .../cabinetoffice/gapuserservice/web/LoginControllerV2Test.java | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
index 224e2c1d..c455f043 100644
--- a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
+++ b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
@@ -36,7 +36,7 @@ public static Cookie buildSecureCookie(final String name, final String value) {
 return cookie;
 }
- public static Cookie buildSecureCookie(final String name, final String domain, final String value) {
+ public static Cookie buildSecureCookie(final String name, final String value, final String domain) {
 final Cookie cookie = new Cookie(name, value);
 cookie.setSecure(true);
 cookie.setHttpOnly(true);
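Review bot: After the reorder, `buildSecureCookie(String, String, String)` sits beside `buildSecureCookie(String, String, Integer)` differing only in the type of the third parameter, and both the old `(name, domain, value)` order and the new `(name, value, domain)` order are three plain `String`s, so a caller written against the previous order still compiles and silently issues a cookie whose value is the domain and whose Domain attribute is the token — the compiler cannot catch the swap. A literal `null` third argument is also now a compile-time ambiguity between the two overloads. Giving the domain-scoped variant its own name, e.g. `public static Cookie buildSecureDomainCookie(final String name, final String value, final String domain)`, removes both hazards; whichever name is kept should carry a Javadoc line saying the Domain attribute widens delivery of the cookie to every host under `domain`. The method body continues past the end of the hunk.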
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
index 2427e446..a4b2ef01 100644
--- a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
+++ b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
@@ -251,7 +251,7 @@ private Cookie addCustomJwtCookie(final HttpServletResponse response, final boolean isAdmin) {
 final Map customJwtClaims = oneLoginService.generateCustomJwtClaims(userInfo, idToken);
 final String customServiceJwt = customJwtService.generateToken(customJwtClaims, isAdmin);
- final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, userServiceCookieDomain, customServiceJwt);
+ final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt, userServiceCookieDomain);
 response.addCookie(customJwt);
 return customJwt;
 }
diff --git a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
index 13176a36..abf25a84 100644
--- a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
+++ b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
@@ -291,7 +291,7 @@ void shouldCreateJwtCookie() throws JSONException {
 final String customToken = "a-custom-valid-token";
 final HttpServletResponse response = Mockito.spy(new MockHttpServletResponse());
 final Map claims = Map.of("claim1", "value1", "claim2", "value2");
- final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "userServiceCookieDomain", "jwtToken");
+ final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "jwtToken", "userServiceCookieDomain");
 final JSONObject tokenResponse = new JSONObject();
 tokenResponse.put("id_token", idToken).put("access_token", accessToken);