malliaridis commented on code in PR #3754: URL: https://github.com/apache/solr/pull/3754#discussion_r2807768220
########## solr/ui/src/commonMain/kotlin/org/apache/solr/ui/components/auth/AuthUtils.kt: ########## @@ -0,0 +1,91 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.ui.components.auth + +import kotlin.io.encoding.Base64 +import kotlin.io.encoding.Base64.PaddingOption +import kotlin.random.Random +import okio.ByteString +import okio.ByteString.Companion.encodeUtf8 + +/** + * Characters allowed by RFC 7636 for the code verifier + */ +internal const val CODE_VERIFIER_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~" + +internal const val CODE_VERIFIER_LENGTH = 128 + +/** + * Characters to use for the state generation during OAuth flows. + */ +internal const val STATE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + +/** + * Length of the state value during OAuth flows. + */ +internal const val STATE_LENGTH = 32 + +/** + * Generates a code verifier that is used during OAuth flows. + * + * @return Code verifier that adheres to the allowed characters defined in [CODE_VERIFIER_CHARSET] + * and the required length as defined by [CODE_VERIFIER_LENGTH]. + */ +internal fun generateCodeVerifier(): String = buildString { + repeat(CODE_VERIFIER_LENGTH) { + append(CODE_VERIFIER_CHARSET[Random.nextInt(CODE_VERIFIER_CHARSET.length)]) + } +} + +/** + * Generates a code challenge that is used during OAuth flows. + * + * @param verifier Code verifier as generated by [generateCodeVerifier]. + * @return The URL-safe, Base64-encoded code challenge. + */ +internal fun generateCodeChallenge(verifier: String): String { + val sha256Bytes: ByteString = verifier.encodeUtf8().sha256() + return Base64.UrlSafe.withPadding(PaddingOption.ABSENT).encode(sha256Bytes.toByteArray()) +} + +/** + * Generates an OAuth state that is used during OAuth flows. + * + * @return State value with characters from [STATE_CHARSET] and length [STATE_LENGTH]. + */ +internal fun generateOAuthState(): String = buildString { + repeat(STATE_LENGTH) { + append(STATE_CHARSET[Random.nextInt(STATE_CHARSET.length)]) + } +} + +/** + * Retrieve the redirect URI for the OAuth flow. + * + * This URI is platform-specific, as it generates different redirect URIs based on the current + * target / origin. + * + * Note that in future scenarios we will have to support a changed location path, as the user is + * allowed to customize the base path that is right now /solr/ui/. Review Comment: I think parameterizing this should not be difficult, just a topic we have to cover with some tests. ########## solr/ui/src/commonMain/kotlin/org/apache/solr/ui/components/auth/AuthUtils.kt: ########## @@ -0,0 +1,91 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.ui.components.auth + +import kotlin.io.encoding.Base64 +import kotlin.io.encoding.Base64.PaddingOption +import kotlin.random.Random +import okio.ByteString +import okio.ByteString.Companion.encodeUtf8 + +/** + * Characters allowed by RFC 7636 for the code verifier + */ +internal const val CODE_VERIFIER_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~" + +internal const val CODE_VERIFIER_LENGTH = 128 + +/** + * Characters to use for the state generation during OAuth flows. + */ +internal const val STATE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + +/** + * Length of the state value during OAuth flows. + */ +internal const val STATE_LENGTH = 32 + +/** + * Generates a code verifier that is used during OAuth flows. + * + * @return Code verifier that adheres to the allowed characters defined in [CODE_VERIFIER_CHARSET] + * and the required length as defined by [CODE_VERIFIER_LENGTH]. + */ +internal fun generateCodeVerifier(): String = buildString { + repeat(CODE_VERIFIER_LENGTH) { + append(CODE_VERIFIER_CHARSET[Random.nextInt(CODE_VERIFIER_CHARSET.length)]) + } +} + +/** + * Generates a code challenge that is used during OAuth flows. + * + * @param verifier Code verifier as generated by [generateCodeVerifier]. + * @return The URL-safe, Base64-encoded code challenge. + */ +internal fun generateCodeChallenge(verifier: String): String { + val sha256Bytes: ByteString = verifier.encodeUtf8().sha256() + return Base64.UrlSafe.withPadding(PaddingOption.ABSENT).encode(sha256Bytes.toByteArray()) +} + +/** + * Generates an OAuth state that is used during OAuth flows. + * + * @return State value with characters from [STATE_CHARSET] and length [STATE_LENGTH]. + */ +internal fun generateOAuthState(): String = buildString { + repeat(STATE_LENGTH) { + append(STATE_CHARSET[Random.nextInt(STATE_CHARSET.length)]) + } +} + +/** + * Retrieve the redirect URI for the OAuth flow. + * + * This URI is platform-specific, as it generates different redirect URIs based on the current + * target / origin. + * + * Note that in future scenarios we will have to support a changed location path, as the user is + * allowed to customize the base path that is right now /solr/ui/. + * + * TODO Implement the function so that it also allows overriding the callback path. This will + * allow us to customize the base path of Solr without affecting the new UI. Review Comment: I have seen some implementation in the server / webapp files that are allowing the configuration of the base path. Not sure if that is a thing, but as you mentioned, it may be possible that people run Solr under a different base path with a proxy and it would render the authentication invalid. So we may have to handle this more dynamically, but it would require additional testing. So I decided to add it as a technical debt for now to focus on more important topics. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
