oidc proxy AuthorizationServer redirect on wrong state (#4641)

Author: StekPerepolnen

ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp

@@ -467,6 +467,62 @@ Y_UNIT_TEST_SUITE(Mvp) {
         OidcFullAuthorizationFlow(redirectStrategy);
     }
 
+    void OidcWrongStateAuthorizationFlow(TRedirectStrategyBase& redirectStrategy) {
+        TPortManager tp;
+        ui16 sessionServicePort = tp.GetPort(8655);
+        TMvpTestRuntime runtime;
+        runtime.Initialize();
+
+        TOpenIdConnectSettings settings {
+            .SessionServiceEndpoint = "localhost:" + ToString(sessionServicePort),
+            .AuthorizationServerAddress = "https://auth.cloud.yandex.ru",
+            .ClientSecret = "0123456789abcdef"
+        };
+
+        const NActors::TActorId edge = runtime.AllocateEdgeActor();
+
+        TSessionServiceMock sessionServiceMock;
+        sessionServiceMock.AllowedAccessTokens.insert("valid_access_token");
+        grpc::ServerBuilder builder;
+        builder.AddListeningPort(settings.SessionServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&sessionServiceMock);
+        std::unique_ptr<grpc::Server> sessionServer(builder.BuildAndStart());
+
+        const NActors::TActorId sessionCreator = runtime.Register(new NMVP::TSessionCreator(edge, settings));
+        const TString state = "test_state";
+        const TString wrongState = "wrong_state";
+        const TString hostProxy = "oidcproxy.yandex.net";
+        TStringBuilder request;
+        request << "GET /auth/callback?code=code_template&state=" << state << " HTTP/1.1\r\n";
+        request << "Host: " + hostProxy + "\r\n";
+        request << "Cookie: " << CreateNameYdbOidcCookie(settings.ClientSecret, wrongState) << "=" << GenerateCookie(wrongState, "/requested/page", settings.ClientSecret, redirectStrategy.IsAjaxRequest()) << "\r\n";
+        NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
+        EatWholeString(incomingRequest, redirectStrategy.CreateRequest(request));
+        incomingRequest->Endpoint->Secure = true;
+        runtime.Send(new IEventHandle(sessionCreator, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest)));
+
+        TAutoPtr<IEventHandle> handle;
+        NHttp::TEvHttpProxy::TEvHttpOutgoingResponse* outgoingResponseEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingResponse>(handle);
+        UNIT_ASSERT_STRINGS_EQUAL(outgoingResponseEv->Response->Status, "302");
+        const NHttp::THeaders headers(outgoingResponseEv->Response->Headers);
+        UNIT_ASSERT(headers.Has("Location"));
+        TString location = TString(headers.Get("Location"));
+        UNIT_ASSERT_STRING_CONTAINS(location, "https://auth.cloud.yandex.ru/oauth/authorize");
+        UNIT_ASSERT_STRING_CONTAINS(location, "response_type=code");
+        UNIT_ASSERT_STRING_CONTAINS(location, "scope=openid");
+        UNIT_ASSERT_STRING_CONTAINS(location, "client_id=" + TOpenIdConnectSettings::CLIENT_ID);
+        UNIT_ASSERT_STRING_CONTAINS(location, "redirect_uri=https://" + hostProxy + "/auth/callback");
+    }
+
+    Y_UNIT_TEST(OpenIdConnectotWrongStateAuthorizationFlow) {
+        TRedirectStrategy redirectStrategy;
+        OidcWrongStateAuthorizationFlow(redirectStrategy);
+    }
+
+    Y_UNIT_TEST(OpenIdConnectotWrongStateAuthorizationFlowAjax) {
+        TAjaxRedirectStrategy redirectStrategy;
+        OidcWrongStateAuthorizationFlow(redirectStrategy);
+    }
+
     Y_UNIT_TEST(OpenIdConnectSessionServiceCreateAuthorizationFail) {
         TPortManager tp;
         ui16 sessionServicePort = tp.GetPort(8655);

ydb/mvp/oidc_proxy/oidc_session_create.h

@@ -142,7 +142,7 @@ class THandlerSessionCreate : public NActors::TActorBootstrapped<THandlerSession
         NHttp::THeaders headers(Request->Headers);
         NHttp::TCookies cookies(headers.Get("cookie"));
 
-        if (!code.Empty() && IsStateValid(state, cookies, ctx)) {
+        if (IsStateValid(state, cookies, ctx) && !code.Empty()) {
             NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.AuthorizationServerAddress + "/oauth/token");
             httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
             httpRequest->Set("Authorization", "Basic " + Settings.GetAuthorizationString());
@@ -151,8 +151,7 @@ class THandlerSessionCreate : public NActors::TActorBootstrapped<THandlerSession
             httpRequest->Set<&NHttp::THttpRequest::Body>(body);
             ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
         } else {
-            ResponseHeaders.Set("Content-Type", "text/plain");
-            NHttp::THttpOutgoingResponsePtr response = Request->CreateResponse("400", "Bad Request", ResponseHeaders, "Parameters state and code are invalid");
+            NHttp::THttpOutgoingResponsePtr response = GetHttpOutgoingResponsePtr(TStringBuf(), Request, Settings, ResponseHeaders, IsAjaxRequest);
             ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(response));
             TBase::Die(ctx);
             return;