Merge pull request #6952 from ORCID/RestoreProperMatchingSubDomainsVa…

…lidation Sub domains should not match
ORCID · Dec 19, 2023 · a5bf77d · a5bf77d
2 parents 03432d4 + 6cf9d29
commit a5bf77d
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 31 deletions.
diff --git a/orcid-core/src/main/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolver.java b/orcid-core/src/main/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolver.java
@@ -91,6 +91,6 @@ private boolean isEqual(String str1, String str2) {
 
     @Override
     protected boolean hostMatches(String registered, String requested) {
-        return isEqual(registered, requested) || (requested != null && requested.endsWith("." + registered));        
+        return isEqual(registered, requested);
     }
 }
diff --git a/orcid-core/src/test/java/org/orcid/core/oauth/OrcidRefreshTokenTokenGranterTest.java b/orcid-core/src/test/java/org/orcid/core/oauth/OrcidRefreshTokenTokenGranterTest.java
@@ -11,6 +11,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Random;
 import java.util.Set;
 
 import javax.annotation.Resource;
@@ -42,6 +43,8 @@ public class OrcidRefreshTokenTokenGranterTest extends DBUnitTest {
     private static final String CLIENT_ID_2 = "APP-5555555555555556";
     private static final String USER_ORCID = "0000-0000-0000-0001";
 
+    private Random random = new Random(System.currentTimeMillis());
+
     @Resource
     private OrcidOauth2TokenDetailService orcidOauth2TokenDetailService;
 
@@ -119,8 +122,8 @@ public void createRefreshTokenTest() {
         // should be equal
         long time = System.currentTimeMillis();
         String scope = "/activities/update";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = null;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -154,8 +157,8 @@ public void createRefreshTokenWithNarrowerScopesTest() {
         long time = System.currentTimeMillis();
         String parentScope = "/activities/update";
         String refreshScope = "/orcid-works/create";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -188,8 +191,8 @@ public void createRefreshTokenWithoutRevokeParent() {
         // should be enabled, refresh should be enabled
         long time = System.currentTimeMillis();
         String parentScope = "/activities/update /read-limited";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = false;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -228,8 +231,8 @@ public void createRefreshTokenWithoutRevokeParentAndWithNarrowerScopes() {
         long time = System.currentTimeMillis();
         String parentScope = "/person/read-limited";
         String refreshScope = "/orcid-bio/read-limited";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = false;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -262,8 +265,8 @@ public void createRefreshTokenWithExpirationOf10Secs() {
         long time = System.currentTimeMillis();
         String parentScope = "/person/read-limited";
         String refreshScope = "/orcid-bio/read-limited";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = false;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = 5L;
@@ -299,8 +302,8 @@ public void tryToCreateRefreshTokenWithInvalidScopesTest() {
         long time = System.currentTimeMillis();
         String parentScope = "/person/update";
         String refreshScope = "/orcid-works/read-limited";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -322,8 +325,8 @@ public void tryToCreateRefreshTokenWithThatExpireAfterParentTokenTest() {
         // token, fail
         long time = System.currentTimeMillis();
         String parentScope = "/person/update";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = time + (15000);
@@ -345,8 +348,8 @@ public void tryToCreateRefreshTokenWithInvalidClientTest() {
         // client # 2, fail
         long time = System.currentTimeMillis();
         String parentScope = "/person/update";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -367,8 +370,8 @@ public void tryToCreateRefreshTokenWithInvalidClientTest() {
     public void tryToRefreshAnExpiredTokenTest() {
         long time = System.currentTimeMillis();
         String parentScope = "/person/update";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time - 10000);
         Long expireIn = null;
@@ -390,8 +393,8 @@ public void tryToCreateRefreshTokenWithInvalidRefreshTokenTest() {
         // fail
         long time = System.currentTimeMillis();
         String parentScope = "/person/update";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time + 10000);
         Long expireIn = null;
@@ -415,8 +418,8 @@ public void tryToCreateRefreshTokenWithInvalidParentTokenValueTest() {
         // value, fail
         long time = System.currentTimeMillis();
         String parentScope = "/person/update";
-        String tokenValue = "parent-token-" + time;
-        String refreshTokenValue = "refresh-token-" + time;
+        String tokenValue = "parent-token-" + random.nextLong();
+        String refreshTokenValue = "refresh-token-" + random.nextLong();
         Boolean revokeOld = true;
         Date parentTokenExpiration = new Date(time + 15000);
         Long expireIn = null;
@@ -428,7 +431,7 @@ public void tryToCreateRefreshTokenWithInvalidParentTokenValueTest() {
         // We shouldn't care about the access token, it's not required and
         // shouldn't really be there. If the refresh token and client
         // credentials are good, we can generate the refresh token.
-        assertNotNull(refreshedToken);
+        assertNotNull(refreshedToken);                
     } 
 
 }
diff --git a/orcid-core/src/test/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolverTest.java b/orcid-core/src/test/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolverTest.java
@@ -218,14 +218,14 @@ private void redirectUriGeneralTest() {
 
     @Test
     public void redirectMatches_AllowMatchingSubdomainsTest() {
-        // Temp: Subdomain should match if the togglz is OFF
-        assertTrue(resolver.redirectMatches("https://www.orcid.org", "https://orcid.org"));
-        assertTrue(resolver.redirectMatches("https://qa.orcid.org", "https://orcid.org"));        
+        // Subdomain should not match
+        assertFalse(resolver.redirectMatches("https://www.orcid.org", "https://orcid.org"));
+        assertFalse(resolver.redirectMatches("https://qa.orcid.org", "https://orcid.org"));    
 
-        // Acceptance criteria checks: These should pass when the togglz is OFF
-        assertTrue(resolver.redirectMatches("https://subdomain.example.com/", "https://example.com"));
-        assertTrue(resolver.redirectMatches("https://subdomain.example.com/subdirectory", "https://example.com"));
-        assertTrue(resolver.redirectMatches("https://www.example.com", "https://example.com"));
+        // Acceptance criteria checks: subdomains should be rejected
+        assertFalse(resolver.redirectMatches("https://subdomain.example.com/", "https://example.com"));
+        assertFalse(resolver.redirectMatches("https://subdomain.example.com/subdirectory", "https://example.com"));
+        assertFalse(resolver.redirectMatches("https://www.example.com", "https://example.com"));
     }
 
 }