From 9a2fdef3dc22b3163ab08af1ab7115aff80d4cd5 Mon Sep 17 00:00:00 2001 From: kochetkov Date: Mon, 12 May 2025 11:07:17 +0300 Subject: [PATCH 1/5] SUPPORT-9164 add progress bar --- frontend/src/ts/modules/security/guard/auth.guard.ts | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/frontend/src/ts/modules/security/guard/auth.guard.ts b/frontend/src/ts/modules/security/guard/auth.guard.ts index fb1b936..427904d 100644 --- a/frontend/src/ts/modules/security/guard/auth.guard.ts +++ b/frontend/src/ts/modules/security/guard/auth.guard.ts @@ -2,7 +2,7 @@ import {Injectable} from "@angular/core"; import {ActivatedRouteSnapshot, CanActivate, Router, RouterStateSnapshot} from "@angular/router"; import {Observable} from "rxjs"; import {HttpClient, HttpParams} from "@angular/common/http"; -import {MessagesService} from "@webbpm/base-package"; +import {MessagesService, ProgressIndicationService} from "@webbpm/base-package"; import {AuthenticationService} from "../authentication.service"; import {EsiaErrorDetail} from "../EsiaErrorDetail"; @@ -13,6 +13,7 @@ export abstract class AuthGuard implements CanActivate { protected router: Router, private httpClient: HttpClient, private authenticationService: AuthenticationService, + private progressIndicationService: ProgressIndicationService, private messageService: MessagesService ) { } @@ -44,6 +45,7 @@ export abstract class AuthGuard implements CanActivate { return false; } if (code && state) { + this.progressIndicationService.showProgressBar(); const params = new HttpParams().set('code', code).set('state', state); this.httpClient.get("esia/auth", { @@ -57,6 +59,7 @@ export abstract class AuthGuard implements CanActivate { .toPromise() .then( () => { + this.progressIndicationService.hideProgressBar(); window.open(url.origin + url.pathname, "_self"); }) .catch(reason => { @@ -64,7 +67,8 @@ export abstract class AuthGuard implements CanActivate { json.messages.forEach((errorMessage) => { this.messageService.error(errorMessage, json); }) - }); + }) + .finally(() => this.progressIndicationService.hideProgressBar()); return false; } else { From 906a897372d92291b5474173c79cf76f47759e2a Mon Sep 17 00:00:00 2001 From: kochetkov Date: Mon, 12 May 2025 11:15:52 +0300 Subject: [PATCH 2/5] SUPPORT-9164 fix --- .../ru/micord/ervu/security/esia/service/EsiaAuthService.java | 2 +- .../ervu/security/webbpm/jwt/helper/SecurityHelper.java | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 6a1d03f..40ce84d 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -126,7 +126,7 @@ public class EsiaAuthService { String clientSecret = signMap(parameters); EsiaAuthInfoStore.addState(prnsUUID, state, esiaConfig.getEsiaStateCookieLifeTime(), esiaConfig.getEsiaLoginAttemptsCount()); - ResponseCookie prnsCookie = securityHelper.createCookie(PRNS_UUID, prnsUUID, "/") + ResponseCookie prnsCookie = securityHelper.createAccessCookie(PRNS_UUID, prnsUUID) .maxAge(esiaConfig.getEsiaStateCookieLifeTime()) .build(); securityHelper.addResponseCookie(response, prnsCookie); diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java index 3f002db..ec240df 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java @@ -92,4 +92,8 @@ public final class SecurityHelper { .secure(accessCookieSecure) .sameSite(accessCookieSameSite); } + + public ResponseCookie.ResponseCookieBuilder createAccessCookie(String name, String value) { + return createCookie(name, value, accessCookiePath); + } } From aeeb8422dcad31cd93fcb157ebbc4f28c4bdcc9d Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 13 May 2025 10:09:43 +0300 Subject: [PATCH 3/5] SUPPORT-9164: Fix --- .../ervu/security/esia/EsiaAuthInfoStore.java | 15 ++++++++++----- .../security/esia/service/EsiaAuthService.java | 13 +++---------- .../webbpm/jwt/helper/SecurityHelper.java | 10 +++++++--- 3 files changed, 20 insertions(+), 18 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java index 20889a3..ad9ec56 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java @@ -105,19 +105,24 @@ public class EsiaAuthInfoStore { }); } - public static boolean containsState(String prnsUUID, String state) { + public static String getNotContainsStateErrorMessage(String prnsUUID, String state) { List states = PRNS_UUID_STATE_MAP.get(prnsUUID); if (states == null) { - return false; + return "State invalid. No state found for prnsUUID: " + prnsUUID; } long currentTime = System.currentTimeMillis(); - states.removeIf(expiringState -> expiringState.getExpiryTime() < currentTime); + + StringBuilder statesStringBuilder = new StringBuilder(); for (ExpiringState expiringState : states) { if (expiringState.getState().equals(state)) { - return true; + if (expiringState.getExpiryTime() < currentTime) { + return "State invalid. State : " + state + " expired at : " + expiringState.getExpiryTime(); + } + return null; } + statesStringBuilder.append(expiringState.getState(), 0, 8).append(", "); } - return false; + return "State invalid. Backend states :" + statesStringBuilder + " cookie state :" + state; } public static void removeState(String prnsUUID) { diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 40ce84d..a0354da 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -34,8 +34,6 @@ import org.springframework.security.core.context.SecurityContext; import ru.micord.ervu.audit.constants.AuditConstants; import ru.micord.ervu.audit.service.AuditService; import org.springframework.web.util.WebUtils; -import ru.micord.ervu.audit.constants.AuditConstants; -import ru.micord.ervu.audit.service.AuditService; import ru.micord.ervu.kafka.model.Document; import ru.micord.ervu.kafka.model.Person; import ru.micord.ervu.kafka.model.Response; @@ -60,9 +58,6 @@ import ru.micord.ervu.security.webbpm.jwt.model.Token; import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils; -import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.getCurrentUserEsiaId; -import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils; - /** * @author Eduard Tihomirov */ @@ -527,11 +522,9 @@ public class EsiaAuthService { return "State invalid. Cookie not found"; } String prnsUUID = cookie.getValue(); - if (!EsiaAuthInfoStore.containsState(prnsUUID, state)) { - return "State invalid. State from ESIA not equals with state before"; - } + String errorMessage = EsiaAuthInfoStore.getNotContainsStateErrorMessage(prnsUUID, state); EsiaAuthInfoStore.removeState(prnsUUID); - securityHelper.clearCookie(response, PRNS_UUID, "/"); - return null; + securityHelper.clearAccessCookie(response, PRNS_UUID); + return errorMessage; } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java index ec240df..e552348 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java @@ -26,6 +26,7 @@ public final class SecurityHelper { private boolean accessCookieSecure; @Value("${cookie.same.site:Lax}") private String accessCookieSameSite; + private static final String PRNS_UUID = "prns_uuid"; @PostConstruct private void init() { @@ -36,9 +37,7 @@ public final class SecurityHelper { } public void clearAccessCookies(HttpServletResponse response) { - ResponseCookie emptyAuthToken = createCookie(AUTH_TOKEN, null, accessCookiePath) - .maxAge(0).build(); - addResponseCookie(response, emptyAuthToken); + clearCookie(response, AUTH_TOKEN, accessCookiePath); ResponseCookie emptyAuthMarker = createCookie(AUTH_MARKER, null, "/") .maxAge(0) @@ -46,6 +45,7 @@ public final class SecurityHelper { .httpOnly(false) .build(); addResponseCookie(response, emptyAuthMarker); + clearCookie(response, PRNS_UUID, accessCookiePath); } public void clearCookie(HttpServletResponse response, String name, String path) { @@ -96,4 +96,8 @@ public final class SecurityHelper { public ResponseCookie.ResponseCookieBuilder createAccessCookie(String name, String value) { return createCookie(name, value, accessCookiePath); } + + public void clearAccessCookie(HttpServletResponse response, String name) { + clearCookie(response, name, accessCookiePath); + } } From 5d6709e97d037fb40829ef014a205c91b677d01c Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 13 May 2025 12:34:22 +0300 Subject: [PATCH 4/5] SUPPORT-9164: Fix --- .../ervu/security/SecurityConstants.java | 3 +++ .../ervu/security/esia/EsiaAuthInfoStore.java | 11 +++++---- .../esia/service/EsiaAuthService.java | 23 ++++++++++--------- .../webbpm/jwt/helper/SecurityHelper.java | 6 ++--- .../webbpm/jwt/util/SecurityUtil.java | 5 ++-- 5 files changed, 26 insertions(+), 22 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java b/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java index 1853716..feafe00 100644 --- a/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java +++ b/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java @@ -2,4 +2,7 @@ package ru.micord.ervu.security; public class SecurityConstants { public static final String ESIA_LOGOUT = "/esia/logout"; + public static final String AUTH_TOKEN = "auth_token"; + public static final String AUTH_MARKER = "webbpm.ervu-lkrp-fl"; + public static final String PRNS_UUID = "prns_uuid_fl"; } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java index ad9ec56..b05860f 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java @@ -9,6 +9,7 @@ import java.util.concurrent.CopyOnWriteArrayList; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.support.MessageSourceAccessor; +import ru.micord.ervu.security.esia.exception.EsiaException; import ru.micord.ervu.security.esia.model.ExpiringState; import ru.micord.ervu.security.esia.model.ExpiringToken; @@ -105,10 +106,10 @@ public class EsiaAuthInfoStore { }); } - public static String getNotContainsStateErrorMessage(String prnsUUID, String state) { + public static void validateState(String prnsUUID, String state) { List states = PRNS_UUID_STATE_MAP.get(prnsUUID); if (states == null) { - return "State invalid. No state found for prnsUUID: " + prnsUUID; + throw new EsiaException("State invalid. No state found"); } long currentTime = System.currentTimeMillis(); @@ -116,13 +117,13 @@ public class EsiaAuthInfoStore { for (ExpiringState expiringState : states) { if (expiringState.getState().equals(state)) { if (expiringState.getExpiryTime() < currentTime) { - return "State invalid. State : " + state + " expired at : " + expiringState.getExpiryTime(); + throw new EsiaException("State invalid. State : " + state + " expired at : " + expiringState.getExpiryTime()); } - return null; + return; } statesStringBuilder.append(expiringState.getState(), 0, 8).append(", "); } - return "State invalid. Backend states :" + statesStringBuilder + " cookie state :" + state; + throw new EsiaException("State invalid. Backend states :" + statesStringBuilder + " cookie state :" + state); } public static void removeState(String prnsUUID) { diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index a0354da..891b501 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -58,6 +58,8 @@ import ru.micord.ervu.security.webbpm.jwt.model.Token; import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils; +import static ru.micord.ervu.security.SecurityConstants.PRNS_UUID; + /** * @author Eduard Tihomirov */ @@ -66,7 +68,6 @@ public class EsiaAuthService { private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final MessageSourceAccessor MESSAGE_SOURCE = MessageBundleUtils.createAccessor( "messages/common_errors_messages"); - private static final String PRNS_UUID = "prns_uuid"; @Autowired private ObjectMapper objectMapper; @@ -178,10 +179,7 @@ public class EsiaAuthService { String prnOid = null; Long expiresIn = null; long signSecret = 0, requestAccessToken = 0, verifySecret = 0; - String verifyStateResult = verifyStateFromCookie(request, state, response); - if (verifyStateResult != null) { - throw new EsiaException(verifyStateResult); - } + verifyStateFromCookie(request, state, response); try { String clientId = esiaConfig.getClientId(); DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx"); @@ -516,15 +514,18 @@ public class EsiaAuthService { } } - private String verifyStateFromCookie(HttpServletRequest request, String state, HttpServletResponse response) { + private void verifyStateFromCookie(HttpServletRequest request, String state, HttpServletResponse response) { Cookie cookie = WebUtils.getCookie(request, PRNS_UUID); if (cookie == null) { - return "State invalid. Cookie not found"; + throw new RuntimeException("State invalid. Cookie not found"); } String prnsUUID = cookie.getValue(); - String errorMessage = EsiaAuthInfoStore.getNotContainsStateErrorMessage(prnsUUID, state); - EsiaAuthInfoStore.removeState(prnsUUID); - securityHelper.clearAccessCookie(response, PRNS_UUID); - return errorMessage; + try { + EsiaAuthInfoStore.validateState(prnsUUID, state); + } + finally { + EsiaAuthInfoStore.removeState(prnsUUID); + securityHelper.clearAccessCookie(response, PRNS_UUID); + } } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java index e552348..20cfe7a 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java @@ -14,8 +14,9 @@ import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.RequestContextHolder; import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST; -import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_MARKER; -import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_TOKEN; +import static ru.micord.ervu.security.SecurityConstants.AUTH_MARKER; +import static ru.micord.ervu.security.SecurityConstants.AUTH_TOKEN; +import static ru.micord.ervu.security.SecurityConstants.PRNS_UUID; public final class SecurityHelper { @Value("${cookie.path:#{null}}") @@ -26,7 +27,6 @@ public final class SecurityHelper { private boolean accessCookieSecure; @Value("${cookie.same.site:Lax}") private String accessCookieSameSite; - private static final String PRNS_UUID = "prns_uuid"; @PostConstruct private void init() { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java index d1dcafe..08cc035 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java @@ -10,10 +10,9 @@ import org.springframework.web.util.WebUtils; import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication; import ru.micord.ervu.security.webbpm.jwt.UserIdsPair; -public final class SecurityUtil { - public static final String AUTH_TOKEN = "auth_token"; +import static ru.micord.ervu.security.SecurityConstants.AUTH_TOKEN; - public static final String AUTH_MARKER = "webbpm.ervu-lkrp-fl"; +public final class SecurityUtil { private SecurityUtil() { //empty From 488174e1d67117ad0a5ed6092329b10890d2729a Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 13 May 2025 12:40:07 +0300 Subject: [PATCH 5/5] SUPPORT-9164: Fix --- .../ru/micord/ervu/security/esia/service/EsiaAuthService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 891b501..e5c2588 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -517,7 +517,7 @@ public class EsiaAuthService { private void verifyStateFromCookie(HttpServletRequest request, String state, HttpServletResponse response) { Cookie cookie = WebUtils.getCookie(request, PRNS_UUID); if (cookie == null) { - throw new RuntimeException("State invalid. Cookie not found"); + throw new EsiaException("State invalid. Cookie not found"); } String prnsUUID = cookie.getValue(); try {