[ISSUE #7737]: Support Nonce Validate, add unit tests

Author: Roiocam

plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/constant/AuthConstants.java

@@ -73,15 +73,32 @@ public class AuthConstants {
      * LDAP Ignore partial result exception.
      */
     public static final String NACOS_CORE_AUTH_IGNORE_PARTIAL_RESULT_EXCEPTION = "nacos.core.auth.ldap.ignore.partial.result.exception";
-
-    public static final String LDAP_DEFAULT_ENCODED_PASSWORD = PasswordEncoderUtil.encode(System.getProperty("ldap.default.password", "nacos"));
 
-    public static final String LDAP_PREFIX = "LDAP_";
+    public static final String LDAP_DEFAULT_ENCODED_PASSWORD = PasswordEncoderUtil.encode(
+            System.getProperty("ldap.default.password", "nacos"));
 
-    public static final String OIDC_PREFIX = "OIDC_";
+    public static final String LDAP_PREFIX = "LDAP_";
 
     /**
      * Maximum allowed password length.
      */
     public static final int MAX_PASSWORD_LENGTH = 72;
+    
+    /**
+     * OIDC Related Constants.
+     */
+    
+    public static final String OIDC_PREFIX = "OIDC_";
+    
+    public static final String OIDC_STATE = "oidc_state";
+    
+    public static final String OIDC_NONCE = "oidc_nonce";
+    
+    public static final String OIDC_PARAM_ORIGIN = "origin";
+    
+    public static final String OIDC_PARAM_TOKEN = "token";
+    
+    public static final String OIDC_PARAM_MSG = "msg";
+    
+    public static final String LOGIN_PAGE = "/#/login";
 }

plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/controller/OIDCController.java

@@ -22,14 +22,17 @@
 import com.alibaba.nacos.plugin.auth.exception.AccessException;
 import com.alibaba.nacos.plugin.auth.impl.constant.AuthConstants;
 import com.alibaba.nacos.plugin.auth.impl.oidc.OIDCClient;
-import com.alibaba.nacos.plugin.auth.impl.oidc.OIDCConfigurations;
+import com.alibaba.nacos.plugin.auth.impl.oidc.OIDCConfigs;
 import com.alibaba.nacos.plugin.auth.impl.oidc.OIDCProvider;
 import com.alibaba.nacos.plugin.auth.impl.oidc.OIDCService;
+import com.alibaba.nacos.plugin.auth.impl.oidc.OIDCState;
 import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.nimbusds.jose.util.Base64URL;
 import com.nimbusds.oauth2.sdk.AuthorizationCode;
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
 import com.nimbusds.openid.connect.sdk.claims.UserInfo;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -60,19 +63,40 @@ public class OIDCController {
 
     private final OIDCService oidcService;
 
+    @Autowired
     public OIDCController(OIDCClient oidcClient, OIDCService oidcService) {
         this.oidcClient = oidcClient;
         this.oidcService = oidcService;
     }
 
+    private static String buildRedirectUriWithPayload(String origin, String resultCode, String result) {
+        // split the origin URL into base URL and hash route
+        int hashIndex = origin.indexOf('#');
+        String baseUrl = hashIndex != -1 ? origin.substring(0, hashIndex) : origin;
+        String hashRoute = hashIndex != -1 ? origin.substring(hashIndex) : "";
+        
+        // build redirect url with hash route and token
+        UriComponentsBuilder redirectUriBuilder = UriComponentsBuilder.fromUriString(baseUrl);
+        if (!hashRoute.isEmpty()) {
+            StringBuilder sb = new StringBuilder(hashRoute);
+            if (hashRoute.contains("?")) {
+                sb.append("&");
+            } else {
+                sb.append("?");
+            }
+            hashRoute = sb.append(resultCode).append("=").append(result).toString();
+        }
+        return redirectUriBuilder.build().toUriString() + hashRoute;
+    }
+    
     /**
      * Get current OIDC provider.
      */
     @GetMapping("/provider")
     public OIDCProvider getProvider() {
-        String providerKey = OIDCConfigurations.getProvider();
+        String providerKey = OIDCConfigs.getProvider();
         OIDCProvider provider = new OIDCProvider();
-        provider.setName(OIDCConfigurations.getNameByKey(providerKey));
+        provider.setName(OIDCConfigs.getNameByKey(providerKey));
         provider.setKey(providerKey);
         return provider;
 
@@ -89,13 +113,12 @@ public OIDCProvider getProvider() {
     public void startAuthentication(@RequestParam("origin") String origin, HttpServletResponse response,
             HttpSession session) throws IOException {
 
-        String callbackUri = ServletUriComponentsBuilder.fromCurrentContextPath().path(CALLBACK_PATH)
-                .queryParam("origin", origin).toUriString();
+        String callbackUri = ServletUriComponentsBuilder.fromCurrentContextPath().path(CALLBACK_PATH).toUriString();
 
-        AuthenticationRequest authRequest = oidcClient.createAuthenticationRequest(callbackUri);
+        AuthenticationRequest authRequest = oidcClient.createAuthenticationRequest(callbackUri, origin);
 
-        session.setAttribute("oidc_state", authRequest.getState().getValue());
-        session.setAttribute("oidc_nonce", authRequest.getNonce().getValue());
+        session.setAttribute(AuthConstants.OIDC_STATE, authRequest.getState().getValue());
+        session.setAttribute(AuthConstants.OIDC_NONCE, authRequest.getNonce().getValue());
 
         // Redirect to Authentication endpoint
         response.sendRedirect(authRequest.toURI().toString());
@@ -112,29 +135,39 @@ public void startAuthentication(@RequestParam("origin") String origin, HttpServl
      */
     @GetMapping("/callback")
     public void callback(@RequestParam("code") String code, @RequestParam("state") String returnedState,
-            @RequestParam("origin") String origin, HttpServletResponse response, HttpSession session)
-            throws IOException {
+            HttpServletResponse response, HttpSession session) throws IOException {
 
         // Check if the state is valid
-        String originalState = (String) session.getAttribute("oidc_state");
-        if (originalState == null || !originalState.equals(returnedState)) {
-            String uriString = buildRedirectUriWithPayload(origin, "msg", "Invalid state");
+        String originalState = (String) session.getAttribute(AuthConstants.OIDC_STATE);
+        if (originalState == null) {
+            String missingOrigin = ServletUriComponentsBuilder.fromCurrentContextPath().path(AuthConstants.LOGIN_PAGE)
+                    .toUriString();
+            String uriString = buildRedirectUriWithPayload(missingOrigin, AuthConstants.OIDC_PARAM_MSG,
+                    "Session expired");
+            response.sendRedirect(uriString);
+            return;
+        }
+        String json = Base64URL.from(originalState).decodeToString();
+        OIDCState state = JacksonUtils.toObj(json, OIDCState.class);
+        if (!originalState.equals(returnedState)) {
+            String uriString = buildRedirectUriWithPayload(state.getOrigin(), AuthConstants.OIDC_PARAM_MSG,
+                    "Invalid state");
             response.sendRedirect(uriString);
             return;
         }
 
         // Exchange the authorization code for the information
-        String callbackUri = ServletUriComponentsBuilder.fromCurrentContextPath().path(CALLBACK_PATH)
-                .queryParam("origin", origin).toUriString();
-        UserInfo userInfo = oidcClient.getUserInfo(new AuthorizationCode(code), callbackUri);
+        String callbackUri = ServletUriComponentsBuilder.fromCurrentContextPath().path(CALLBACK_PATH).toUriString();
+        UserInfo userInfo = oidcClient.getUserInfo(new AuthorizationCode(code), callbackUri, state.getNonce());
 
         // Extract the username from the user info
         String preferredUsername = userInfo.getPreferredUsername();
         NacosUser nacosUser;
         try {
             nacosUser = oidcService.getUser(preferredUsername);
         } catch (AccessException e) {
-            String uriString = buildRedirectUriWithPayload(origin, "msg", "User not found");
+            String uriString = buildRedirectUriWithPayload(state.getOrigin(), AuthConstants.OIDC_PARAM_MSG,
+                    "User not found");
             response.sendRedirect(uriString);
             return;
         }
@@ -153,30 +186,10 @@ public void callback(@RequestParam("code") String code, @RequestParam("state") S
 
         byte[] resultCodedBytes = Base64.encodeBase64(result.toString().getBytes(StandardCharsets.UTF_8));
 
-        String uriString = buildRedirectUriWithPayload(origin, "token",
+        String uriString = buildRedirectUriWithPayload(state.getOrigin(), AuthConstants.OIDC_PARAM_TOKEN,
                 new String(resultCodedBytes, StandardCharsets.UTF_8));
 
         response.sendRedirect(uriString);
     }
 
-    private static String buildRedirectUriWithPayload(String origin, String resultCode, String result) {
-        // split the origin URL into base URL and hash route
-        int hashIndex = origin.indexOf('#');
-        String baseUrl = hashIndex != -1 ? origin.substring(0, hashIndex) : origin;
-        String hashRoute = hashIndex != -1 ? origin.substring(hashIndex) : "";
-        
-        // build redirect url with hash route and token
-        UriComponentsBuilder redirectUriBuilder = UriComponentsBuilder.fromUriString(baseUrl);
-        if (!hashRoute.isEmpty()) {
-            StringBuilder sb = new StringBuilder(hashRoute);
-            if (hashRoute.contains("?")) {
-                sb.append("&");
-            } else {
-                sb.append("?");
-            }
-            hashRoute = sb.append(resultCode).append("=").append(result).toString();
-        }
-        return redirectUriBuilder.build().toUriString() + hashRoute;
-    }
-    
 }