consent: Restrict fc & bc logout to sid parameter (ory#1691)

Closes ory#1660 Co-authored-by: Joshua Obasaju <[email protected]>
discogs · Jan 15, 2020 · d68838e · d68838e
1 parent 0761156
commit d68838e
Show file tree

Hide file tree

Showing 37 changed files with 435 additions and 535 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -401,6 +401,11 @@ workflows:
             - test-e2e-mysql
             - test-e2e-cockroach
             - test-e2e-plugin
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /master/
       - sdk/release:
           requires:
             - test

diff --git a/Makefile b/Makefile
@@ -42,9 +42,7 @@ docker:
 .PHONY: e2e
 e2e:
 		make test-resetdb
-		export TEST_DATABASE_MYSQL='mysql://root:secret@(127.0.0.1:3444)/mysql?parseTime=true'
-		export TEST_DATABASE_POSTGRESQL='postgres://postgres:[email protected]:3445/hydra?sslmode=disable'
-		export TEST_DATABASE_COCKROACHDB='cockroach://[email protected]:3446/defaultdb?sslmode=disable'
+		source ./scripts/test-env.sh
 		./test/e2e/circle-ci.bash memory
 		./test/e2e/circle-ci.bash memory-jwt
 		./test/e2e/circle-ci.bash postgres
@@ -113,4 +111,4 @@ install:
 .PHONY: init
 init:
 		GO111MODULE=on go get .
-		GO111MODULE=on go install github.com/ory/go-acc
+		GO111MODULE=on go install github.com/ory/go-acc
diff --git a/client/handler.go b/client/handler.go
@@ -204,6 +204,10 @@ func (h *Handler) List(w http.ResponseWriter, r *http.Request, ps httprouter.Par
 
 	pagination.Header(w, r.URL, n, limit, offset)
 
+	if c == nil {
+		c = []Client{}
+	}
+
 	h.r.Writer().Write(w, r, c)
 }
 

diff --git a/client/sql_migration_files.go b/client/sql_migration_files.go
diff --git a/consent/manager.go b/consent/manager.go
@@ -61,8 +61,8 @@ type Manager interface {
 	CreateForcedObfuscatedLoginSession(ctx context.Context, session *ForcedObfuscatedLoginSession) error
 	GetForcedObfuscatedLoginSession(ctx context.Context, client, obfuscated string) (*ForcedObfuscatedLoginSession, error)
 
-	ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject string) ([]client.Client, error)
-	ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject string) ([]client.Client, error)
+	ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error)
+	ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error)
 
 	CreateLogoutRequest(ctx context.Context, request *LogoutRequest) error
 	GetLogoutRequest(ctx context.Context, challenge string) (*LogoutRequest, error)

diff --git a/consent/manager_memory.go b/consent/manager_memory.go
@@ -30,8 +30,9 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/ory/fosite"
-	"github.com/ory/hydra/x"
 	"github.com/ory/x/pagination"
+
+	"github.com/ory/hydra/x"
 )
 
 type MemoryManager struct {
@@ -459,29 +460,37 @@ func (m *MemoryManager) VerifyAndInvalidateLoginRequest(ctx context.Context, ver
 	return nil, errors.WithStack(x.ErrNotFound)
 }
 
-func (m *MemoryManager) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject string) ([]client.Client, error) {
+func (m *MemoryManager) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error) {
 	m.m["consentRequests"].RLock()
 	defer m.m["consentRequests"].RUnlock()
 
+	preventDupes := make(map[string]bool)
 	var rs []client.Client
 	for _, cr := range m.consentRequests {
-		if cr.Subject == subject && len(cr.Client.FrontChannelLogoutURI) > 0 {
+		if cr.Subject == subject &&
+			len(cr.Client.FrontChannelLogoutURI) > 0 &&
+			cr.LoginSessionID == sid &&
+			!preventDupes[cr.Client.GetID()] {
+
 			rs = append(rs, *cr.Client)
+			preventDupes[cr.Client.GetID()] = true
 		}
 	}
 
 	return rs, nil
 }
 
-func (m *MemoryManager) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject string) ([]client.Client, error) {
+func (m *MemoryManager) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error) {
 	m.m["consentRequests"].RLock()
 	defer m.m["consentRequests"].RUnlock()
 
 	clientsMap := make(map[string]bool)
-
 	var rs []client.Client
 	for _, cr := range m.consentRequests {
-		if cr.Subject == subject && len(cr.Client.BackChannelLogoutURI) > 0 && !clientsMap[cr.Client.GetID()] {
+		if cr.Subject == subject &&
+			cr.LoginSessionID == sid &&
+			len(cr.Client.BackChannelLogoutURI) > 0 &&
+			!(clientsMap[cr.Client.GetID()]) {
 			rs = append(rs, *cr.Client)
 			clientsMap[cr.Client.GetID()] = true
 		}

diff --git a/consent/manager_sql.go b/consent/manager_sql.go
@@ -518,17 +518,17 @@ func (m *SQLManager) resolveHandledConsentRequests(ctx context.Context, requests
 	return aa, nil
 }
 
-func (m *SQLManager) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject string) ([]client.Client, error) {
-	return m.listUserAuthenticatedClients(ctx, subject, "front")
+func (m *SQLManager) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error) {
+	return m.listUserAuthenticatedClients(ctx, subject, sid, "front")
 }
 
-func (m *SQLManager) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject string) ([]client.Client, error) {
-	return m.listUserAuthenticatedClients(ctx, subject, "back")
+func (m *SQLManager) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error) {
+	return m.listUserAuthenticatedClients(ctx, subject, sid, "back")
 }
 
-func (m *SQLManager) listUserAuthenticatedClients(ctx context.Context, subject string, channel string) ([]client.Client, error) {
+func (m *SQLManager) listUserAuthenticatedClients(ctx context.Context, subject, sid, channel string) ([]client.Client, error) {
 	var ids []string
-	if err := m.DB.SelectContext(ctx, &ids, m.DB.Rebind(fmt.Sprintf(`SELECT DISTINCT(c.id) FROM hydra_client as c JOIN hydra_oauth2_consent_request as r ON (c.id = r.client_id) WHERE r.subject=? AND c.%schannel_logout_uri!='' and c.%schannel_logout_uri IS NOT NULL`, channel, channel)), subject); err != nil {
+	if err := m.DB.SelectContext(ctx, &ids, m.DB.Rebind(fmt.Sprintf(`SELECT DISTINCT(c.id) FROM hydra_client as c JOIN hydra_oauth2_consent_request as r ON (c.id = r.client_id) WHERE r.subject=? AND c.%schannel_logout_uri!='' AND c.%schannel_logout_uri IS NOT NULL AND r.login_session_id = ?`, channel, channel)), subject, sid); err != nil {
 		if err == sql.ErrNoRows {
 			return nil, errors.WithStack(x.ErrNotFound)
 		}