From 5da678d30465f5f9454f70f2bb2d4bb0891e209a Mon Sep 17 00:00:00 2001
From: Eduard Tihomirov
Date: Thu, 12 Sep 2024 14:44:11 +0300
Subject: [PATCH] SUPPORT-8427: Fix
---
 .../ervu/security/esia/config/EsiaConfig.java | 21 ---------
 .../esia/service/EsiaAuthService.java | 44 +++++++++++++------
 config/patches/default.cli | 3 --
 config/standalone/dev/standalone.xml | 1 -
 4 files changed, 30 insertions(+), 39 deletions(-)
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
index 1ed60af1..a97cdd00 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
@@ -23,12 +23,6 @@ public class EsiaConfig {
 @Value("${esia-uri.base-uri:#{null}}")
 private String esiaBaseUri;
- @Value("${esia-uri.code-path:#{null}}")
- private String esiaCodePath;
-
- @Value("${esia-uri.token-path:#{null}}")
- private String esiaTokenPath;
-
 @Value("${esia-client-id:#{null}}")
 private String clientId;
@@ -38,9 +32,6 @@ public class EsiaConfig {
 @Value("${sign-url:#{null}}")
 private String signUrl;
- @Value("${esia-uri.logout:#{null}}")
- private String logoutUrl;
-
 @Value("${client-cert-hash:#{null}}")
 private String clientCertHash;
@@ -50,14 +41,6 @@ public class EsiaConfig {
 @Value("${esia.connection-timeout:30}")
 private long connectionTimeout;
- public String getEsiaCodeUri() {
- return esiaCodePath;
- }
-
- public String getEsiaTokenUri() {
- return esiaTokenPath;
- }
-
 public String getEsiaOrgScopes() {
 String[] scopeItems = esiaOrgScopes.split(",");
 return String.join(" ", Arrays.stream(scopeItems).map(item -> orgScopeUrl + item.trim()).toArray(String[]::new));
@@ -84,10 +67,6 @@ public class EsiaConfig {
 return signUrl;
 }
- public String getLogoutUrl() {
- return logoutUrl;
- }
-
 public String getClientCertHash() {return clientCertHash;}
 public long getRequestTimeout() {
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index ebd1dd93..84266ac5 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -19,6 +19,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.beans.factory.annotation.Value;
 import ru.micord.ervu.security.esia.config.EsiaConfig;
 import ru.micord.ervu.security.esia.model.FormUrlencoded;
 import ru.micord.ervu.security.esia.model.EsiaAccessToken;
@@ -37,6 +38,9 @@ import ru.micord.ervu.security.webbpm.jwt.model.Token;
 @Service
 public class EsiaAuthService {
+ @Value("${cookie-path:#{null}}")
+ private String path;
+
 @Autowired
 private ObjectMapper objectMapper;
@@ -74,7 +78,7 @@ public class EsiaAuthService {
 String responseType = "code";
- String authUrl = esiaConfig.getEsiaCodeUri();
+ String authUrl = esiaConfig.getEsiaBaseUri() + "aas/oauth2/v2/ac";
 URL url = new URL(authUrl);
 Map params = mapOf("scope", scope,
@@ -146,7 +150,7 @@ public class EsiaAuthService {
 parameters.put("code", esiaAuthCode);
 String clientSecret = signMap(parameters);
- String authUrl = esiaConfig.getEsiaTokenUri();
+ String authUrl = esiaConfig.getEsiaBaseUri() + "aas/oauth2/v3/te";
 String postBody = new FormUrlencoded()
 .setParameter("client_id", clientId)
 .setParameter("code", esiaAuthCode)
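Review bot: The field `path` added in the `@@ -37,6 +38,9 @@` hunk has no Javadoc and its name does not say what it configures: it is the Path attribute applied to all four auth cookies (`access_token`, `refresh_token`, `auth_token`, `is_auth`) in the later hunks, overriding `request.getContextPath()` whenever the `cookie-path` property is set. Because a browser only attaches a cookie to requests under its Path, a value broader than the context path (for example `/`) makes the tokens available to every application served under the same host, so the property deserves a comment saying it should be kept as narrow as the deployment allows. A name such as `configuredCookiePath` would also stop readers from confusing it with the `cookiePath` locals introduced below; suggested Javadoc: `/** Path attribute for the auth cookies (property cookie-path); falls back to the request context path when unset. Keep it as narrow as possible: a wider path exposes the tokens to other apps on the same host. */`.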
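Review bot: `esiaConfig.getEsiaBaseUri() + "aas/oauth2/v2/ac"` in the `@@ -74,7 +78,7 @@` hunk silently depends on the base URI ending with a slash and on it being set at all: without the slash the host and path fuse into one segment, and with the property unset (its default is `#{null}`) the string becomes `nullaas/oauth2/v2/ac`, which only surfaces as a MalformedURLException from `new URL(authUrl)` rather than a clear configuration error. The same concatenation is repeated in the `@@ -146,7 +150,7 @@` hunk here and in the `@@ -242,7 +252,7 @@` and `@@ -346,7 +362,7 @@` hunks further down, so the assumption now lives at four call sites after the per-endpoint getters were removed from EsiaConfig. I would keep endpoint building in EsiaConfig behind one helper that fails fast on a null base and normalises the trailing slash once, so each call site becomes `String authUrl = esiaConfig.getEsiaEndpoint("aas/oauth2/v2/ac");`. The enclosing method starts before this hunk and continues past it.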
@@ -179,22 +183,28 @@ public class EsiaAuthService {
 if (!hasRole) {
 throw new RuntimeException("The user does not have the required role");
 }
- String path = request.getContextPath();
+ String cookiePath = null;
+ if (path != null) {
+ cookiePath = path;
+ }
+ else {
+ cookiePath = request.getContextPath();
+ }
 Cookie cookie = new Cookie("access_token", accessToken);
 cookie.setHttpOnly(true);
- cookie.setPath(path);
+ cookie.setPath(cookiePath);
 response.addCookie(cookie);
 String refreshToken = tokenResponse.getRefresh_token();
 Cookie cookieRefresh = new Cookie("refresh_token", refreshToken);
 cookieRefresh.setHttpOnly(true);
- cookieRefresh.setPath(path);
+ cookieRefresh.setPath(cookiePath);
 response.addCookie(cookieRefresh);
 EsiaAccessToken esiaAccessToken = ulDataService.readToken(accessToken);
 Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), tokenResponse.getExpires_in());
 Cookie authToken = new Cookie("auth_token", token.getValue());
- authToken.setPath(path);
+ authToken.setPath(cookiePath);
 authToken.setHttpOnly(true);
 response.addCookie(authToken);
 SecurityContextHolder.getContext()
@@ -203,7 +213,7 @@ public class EsiaAuthService {
 Cookie isAuth = new Cookie("is_auth", "true");
 isAuth.setMaxAge(tokenResponse.getExpires_in().intValue());
- isAuth.setPath(path);
+ isAuth.setPath(cookiePath);
 response.addCookie(isAuth);
 return true;
 }
@@ -242,7 +252,7 @@ public class EsiaAuthService {
 parameters.put("refresh_token", refreshToken);
 String clientSecret = signMap(parameters);
- String authUrl = esiaConfig.getEsiaTokenUri();
+ String authUrl = esiaConfig.getEsiaBaseUri() + "aas/oauth2/v3/te";
 String postBody = new FormUrlencoded()
 .setParameter("client_id", clientId)
 .setParameter("refresh_token", refreshToken)
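Review bot: The seven-line `cookiePath` fallback at the top of this hunk is duplicated verbatim in the `@@ -273,19 +283,25 @@` hunk below, and both copies initialise `cookiePath = null` only to assign it unconditionally in the following branch. A private helper states the precedence rule once, `private String resolveCookiePath(HttpServletRequest request) { return path != null ? path : request.getContextPath(); }`, and each call site shrinks to `String cookiePath = resolveCookiePath(request);`. Since every `setPath` call is being rewritten anyway, note that the token cookies set HttpOnly but nothing in this hunk sets `Secure`, so they are also sent over plain HTTP; `cookie.setSecure(request.isSecure())` next to `setHttpOnly(true)` would close that, though it is pre-existing and may be deliberate for a dev profile. The enclosing method starts before this hunk and continues past it.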
@@ -273,19 +283,25 @@ public class EsiaAuthService {
 String accessToken = tokenResponse.getAccess_token();
 Cookie cookie = new Cookie("access_token", accessToken);
 cookie.setHttpOnly(true);
- String path = request.getContextPath();
- cookie.setPath(path);
+ String cookiePath = null;
+ if (path != null) {
+ cookiePath = path;
+ }
+ else {
+ cookiePath = request.getContextPath();
+ }
+ cookie.setPath(cookiePath);
 response.addCookie(cookie);
 String newRefreshToken = tokenResponse.getRefresh_token();
 Cookie cookieRefresh = new Cookie("refresh_token", newRefreshToken);
 cookieRefresh.setHttpOnly(true);
- cookieRefresh.setPath(path);
+ cookieRefresh.setPath(cookiePath);
 response.addCookie(cookieRefresh);
 EsiaAccessToken esiaAccessToken = ulDataService.readToken(accessToken);
 Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), tokenResponse.getExpires_in());
 Cookie authToken = new Cookie("auth_token", token.getValue());
- authToken.setPath(path);
+ authToken.setPath(cookiePath);
 authToken.setHttpOnly(true);
 response.addCookie(authToken);
 SecurityContextHolder.getContext()
@@ -294,7 +310,7 @@ public class EsiaAuthService {
 Cookie isAuth = new Cookie("is_auth", "true");
 isAuth.setMaxAge(tokenResponse.getExpires_in().intValue());
- isAuth.setPath(path);
+ isAuth.setPath(cookiePath);
 response.addCookie(isAuth);
 } catch (Exception e) {
@@ -346,7 +362,7 @@ public class EsiaAuthService {
 response.addCookie(cookie);
 }
 }
- String logoutUrl = esiaConfig.getLogoutUrl();
+ String logoutUrl = esiaConfig.getEsiaBaseUri() + "idp/ext/Logout";
 String redirectUrl = esiaConfig.getRedirectUrl();
 URL url = new URL(logoutUrl);
 Map params = mapOf(
diff --git a/config/patches/default.cli b/config/patches/default.cli
index 08512905..489f7532 100644
--- a/config/patches/default.cli
+++ b/config/patches/default.cli
@@ -44,10 +44,7 @@ xa-data-source add \
 /system-property=esia-org-scopes:add(value="org_fullname, org_shortname, org_brhs, org_brhs_ctts, org_brhs_addrs, org_type, org_ogrn, org_inn, org_leg, org_kpp, org_ctts, org_addrs, org_grps, org_emps")
 /system-property=esia-org-scope-url:add(value="http://esia.gosuslugi.ru/")
 /system-property=esia-uri.base-uri:add(value="https://esia-portal1.test.gosuslugi.ru/")
-/system-property=esia-uri.code-path:add(value="https://esia-portal1.test.gosuslugi.ru/aas/oauth2/v2/ac")
-/system-property=esia-uri.token-path:add(value="https://esia-portal1.test.gosuslugi.ru/aas/oauth2/v3/te")
 /system-property=esia-client-id:add(value="MNSV89")
 /system-property=esia-redirect-url:add(value="https://lkrp-dev.micord.ru/ul/")
 /system-property=sign-url:add(value="https://ervu-sign-dev.k8s.micord.ru/sign")
-/system-property=esia-uri.logout:add(value="https://esia-portal1.test.gosuslugi.ru/idp/ext/Logout")
 /system-property=client-cert-hash:add(value="04508B4B0B58776A954A0E15F574B4E58799D74C61EE020B3330716C203E3BDD")
diff --git a/config/standalone/dev/standalone.xml b/config/standalone/dev/standalone.xml
index 8b80b120..b1c1d65a 100644
--- a/config/standalone/dev/standalone.xml
+++ b/config/standalone/dev/standalone.xml
@@ -75,7 +75,6 @@ -