From 21fe553076974e8b944aa97b0e0985a00da9d1dc Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Thu, 8 Feb 2024 13:40:00 +0530 Subject: [PATCH 1/7] Adds the fix "Fix the issue with hostname verification in resend account confirmation email flow." --- .../product/src/main/extensions/basicauth.jsp | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/modules/distribution/product/src/main/extensions/basicauth.jsp b/modules/distribution/product/src/main/extensions/basicauth.jsp index 3677d95b3d..6119a643a3 100644 --- a/modules/distribution/product/src/main/extensions/basicauth.jsp +++ b/modules/distribution/product/src/main/extensions/basicauth.jsp @@ -16,6 +16,9 @@ ~ under the License. --%> +<%@ page import="org.apache.cxf.jaxrs.client.Client" %> +<%@ page import="org.apache.cxf.configuration.jsse.TLSClientParameters" %> +<%@ page import="org.apache.cxf.transport.http.HTTPConduit" %> <%@ page import="org.apache.cxf.jaxrs.client.JAXRSClientFactory" %> <%@ page import="org.apache.cxf.jaxrs.provider.json.JSONProvider" %> <%@ page import="org.apache.cxf.jaxrs.client.WebClient" %> @@ -47,6 +50,12 @@ <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.ApplicationDataRetrievalClientException" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClient" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClientException" %> +<%@ page import="org.wso2.carbon.utils.CustomHostNameVerifier" %> +<%@ page import="javax.net.ssl.HostnameVerifier" %> +<%@ page import="static org.wso2.carbon.CarbonConstants.ALLOW_ALL" %> +<%@ page import="static org.wso2.carbon.CarbonConstants.DEFAULT_AND_LOCALHOST" %> +<%@ page import="static org.wso2.carbon.CarbonConstants.HOST_NAME_VERIFIER" %> +<%@ page import="org.apache.http.conn.ssl.AllowAllHostnameVerifier" %> 
@@ -206,6 +215,32 @@ SelfUserRegistrationResource selfUserRegistrationResource = JAXRSClientFactory .create(url, SelfUserRegistrationResource.class, providers); + + Client client = WebClient.client(selfUserRegistrationResource); + HTTPConduit conduit = WebClient.getConfig(client).getHttpConduit(); + TLSClientParameters tlsParams = conduit.getTlsClientParameters(); + if (tlsParams == null) { + tlsParams = new TLSClientParameters(); + } + HostnameVerifier allowAllHostnameVerifier = new AllowAllHostnameVerifier(); + if (EndpointConfigManager.isHostnameVerificationEnabled()) { + if (DEFAULT_AND_LOCALHOST.equals(System.getProperty(HOST_NAME_VERIFIER))) { + /* + * If hostname verifier is set to DefaultAndLocalhost, allow following domains in addition to the + * hostname: + * ["::1", "127.0.0.1", "localhost", "localhost.localdomain"] + */ + tlsParams.setHostnameVerifier(new CustomHostNameVerifier()); + } else if (ALLOW_ALL.equals(System.getProperty(HOST_NAME_VERIFIER))) { + // If hostname verifier is set to AllowAll, disable hostname verification. + tlsParams.setHostnameVerifier(allowAllHostnameVerifier); + } + } else { + // Disable hostname verification + tlsParams.setHostnameVerifier(allowAllHostnameVerifier); + } + conduit.setTlsClientParameters(tlsParams); + WebClient.client(selfUserRegistrationResource).header("Authorization", header); Response selfRegistrationResponse = selfUserRegistrationResource.regenerateCode(selfRegistrationRequest); if (selfRegistrationResponse != null && selfRegistrationResponse.getStatus() == HttpStatus.SC_CREATED) { From 7d6a75a672fe4c9effa31d87231f7f29a6b5f3b3 Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Mon, 19 Feb 2024 11:47:39 +0530 Subject: [PATCH 2/7] Adds the fix "Validate callback urls & fix open redirection vulnerability" --- .../self-registration-with-verification.jsp | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) 
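Review bot: Both the `ALLOW_ALL` branch and the final `else` install `AllowAllHostnameVerifier`, so in those configurations the resend-confirmation call accepts any certificate name; this is a deliberate, config-driven downgrade and it should leave a trace, e.g. a one-time WARN that includes `System.getProperty(HOST_NAME_VERIFIER)` if this page has a logger in scope, plus a comment on the `else` such as `// Hostname verification globally disabled by config; not intended for production.` The verifier is instantiated before the branches decide whether it is needed and the system property is read twice; reading it once into a local and constructing the verifier only where it is used reads clearer, and `AllowAllHostnameVerifier` is deprecated in HttpClient 4.4+ in favour of `NoopHostnameVerifier` if the bundled version is that recent. The newly obtained `client` is then discarded and the following context line calls `WebClient.client(selfUserRegistrationResource)` a second time to set the Authorization header; `client.header("Authorization", header);` would reuse it. The enclosing scriptlet starts and ends outside the hunk.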
diff --git a/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp b/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp index ea299d3ed4..989475414f 100644 --- a/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp +++ b/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp @@ -27,6 +27,9 @@ <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementEndpointConstants" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementServiceUtil" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementEndpointUtil" %> +<%@ page import="org.wso2.carbon.identity.recovery.IdentityRecoveryConstants" %> +<%@ page import="org.wso2.carbon.identity.base.IdentityRuntimeException" %> +<%@ page import="org.wso2.carbon.identity.recovery.util.Utils" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.ApiException" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.api.ReCaptchaApi" %> <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.model.ReCaptchaProperties" %> 
@@ -107,6 +110,22 @@ return; } + try { + if (StringUtils.isNotBlank(callback) && !Utils.validateCallbackURL(callback, tenantDomain, + IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_CALLBACK_REGEX)) { + request.setAttribute("error", true); + request.setAttribute("errorMsg", IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, + "Callback.url.format.invalid")); + request.getRequestDispatcher("error.jsp").forward(request, response); + return; + } + } catch (IdentityRuntimeException e) { + request.setAttribute("error", true); + request.setAttribute("errorMsg", e.getMessage()); + request.getRequestDispatcher("error.jsp").forward(request, response); + return; + } + if (StringUtils.isBlank(callback)) { callback = IdentityManagementEndpointUtil.getUserPortalUrl( application.getInitParameter(IdentityManagementEndpointConstants.ConfigConstants.USER_PORTAL_URL), tenantDomain); From 233f4b8f8fffeaa23007009d8854304db8940942 Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Mon, 19 Feb 2024 13:22:19 +0530 Subject: [PATCH 3/7] Adds the fix "Fix tenantDomain param issue when T is capital in param" --- modules/distribution/product/src/main/extensions/header.jsp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/distribution/product/src/main/extensions/header.jsp b/modules/distribution/product/src/main/extensions/header.jsp index c461e380e5..99d246b21c 100644 --- a/modules/distribution/product/src/main/extensions/header.jsp +++ b/modules/distribution/product/src/main/extensions/header.jsp @@ -31,6 +31,9 @@ <% String tenant = request.getParameter("tenantDomain"); + if (tenant == null) { + tenant = request.getParameter("TenantDomain"); + } if (tenant == null) { String cb = request.getParameter("callback"); cb = StringUtils.replace(cb, " ", ""); 
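Review bot: The `catch (IdentityRuntimeException e)` branch forwards `e.getMessage()` to error.jsp as `errorMsg`, whereas the validation-failure branch just above uses an i18n key; if error.jsp prints the attribute as-is, internal wording (and, depending on how that page encodes it, raw markup) can reach the end user. Using the same `Callback.url.format.invalid` resource key in both branches and recording the exception server-side keeps the user-facing text fixed. The two branches also repeat the same three error-forwarding lines; a boolean set inside the try and one forward after it would remove the duplication. `callback` and `tenantDomain` are assigned outside the hunk.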
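Review bot: The new fallback to `TenantDomain` silently accepts a second spelling of the parameter, and nothing in the hunk says why; a comment on the added block, `// Some flows send the parameter as TenantDomain; accept both spellings.`, would record the intent for the next reader. Any other code that looks the tenant up by parameter name (filters, audit logging) presumably needs the same treatment — that is inferred, not visible here. The scriptlet containing this block continues past the hunk.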
@@ -39,7 +42,7 @@ String decodedValue = uri.getQuery(); String[] params = decodedValue.split("&"); for (String param : params) { - if (param.startsWith("tenantDomain=")) { + if (param.startsWith("tenantDomain=") || param.startsWith("TenantDomain=")) { String[] keyVal = param.split("="); tenant = keyVal[1]; } From bfbd95a5c0219e6aa1cd2ec49c351221dfdbc5e8 Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Tue, 20 Feb 2024 11:33:15 +0530 Subject: [PATCH 4/7] Adds the fix "Add auth endpoint parameter filtering config" --- .../product/src/main/resources/conf/infer.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/distribution/product/src/main/resources/conf/infer.json b/modules/distribution/product/src/main/resources/conf/infer.json index 57c5a63a5e..7eafae85b9 100644 --- a/modules/distribution/product/src/main/resources/conf/infer.json +++ b/modules/distribution/product/src/main/resources/conf/infer.json @@ -136,5 +136,13 @@ "broker.transport.amqp.enabled": false, "apim.throttling.enable_policy_deployment": false } + }, + "authenticationendpoint.enable_shortened_urls": { + "false": { + "authentication.endpoint.redirect_params.filter_policy": "exclude", + "authentication.endpoint.redirect_params.parameters": [ + "loggedInUser" + ] + } } } From e5bd7d300940baf387ce02b0dfec013de27fdf9f Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Tue, 20 Feb 2024 20:03:14 +0530 Subject: [PATCH 5/7] Remove the if clause related to isIdentifierFirstLogin which is not used in api manager --- .../product/src/main/extensions/login.jsp | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/modules/distribution/product/src/main/extensions/login.jsp b/modules/distribution/product/src/main/extensions/login.jsp index af318156f8..839efd9c00 100644 --- a/modules/distribution/product/src/main/extensions/login.jsp +++ b/modules/distribution/product/src/main/extensions/login.jsp 
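Review bot: The widened condition still feeds `param.split("=")` and `tenant = keyVal[1]`, so a callback query containing `TenantDomain=` or `tenantDomain=` with an empty value throws `ArrayIndexOutOfBoundsException` on every page that includes this header, and a value containing `=` is truncated; this was pre-existing, but the commit now routes the second spelling through the same lines. Taking the value as `tenant = param.substring(param.indexOf('=') + 1);` avoids both cases. The `params` array and the `uri` it is derived from are defined above the hunk.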
@@ -142,28 +142,6 @@ String username = null; String usernameIdentifier = null; - if (isIdentifierFirstLogin(inputType)) { - String authAPIURL = application.getInitParameter(Constants.AUTHENTICATION_REST_ENDPOINT_URL); - if (StringUtils.isBlank(authAPIURL)) { - authAPIURL = IdentityUtil.getServerURL("/api/identity/auth/v1.1/", true, true); - } - if (!authAPIURL.endsWith("/")) { - authAPIURL += "/"; - } - authAPIURL += "context/" + request.getParameter("sessionDataKey"); - String contextProperties = AuthContextAPIClient.getContextProperties(authAPIURL); - Gson gson = new Gson(); - Map parameters = gson.fromJson(contextProperties, Map.class); - if (parameters != null) { - username = (String) parameters.get("username"); - usernameIdentifier = (String) parameters.get("username"); - } else { - String redirectURL = "error.do"; - response.sendRedirect(redirectURL); - return; - } - } - // Login context request url. String sessionDataKey = request.getParameter("sessionDataKey"); String appName = request.getParameter("sp"); From aa98157ce3c53b3cedfe2b6764ee7ab89233ace8 Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Wed, 21 Feb 2024 15:46:26 +0530 Subject: [PATCH 6/7] Add the fix "Show account lock error message on the login page" --- .../product/src/main/extensions/basicauth.jsp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/distribution/product/src/main/extensions/basicauth.jsp b/modules/distribution/product/src/main/extensions/basicauth.jsp index 6119a643a3..4099a3be9d 100644 --- a/modules/distribution/product/src/main/extensions/basicauth.jsp +++ b/modules/distribution/product/src/main/extensions/basicauth.jsp @@ -268,7 +268,13 @@ } %> - <% if (Boolean.parseBoolean(loginFailed)) { %> + <% if (StringUtils.equals(request.getParameter("errorCode"), IdentityCoreConstants.USER_ACCOUNT_LOCKED_ERROR_CODE) && + StringUtils.equals(request.getParameter("remainingAttempts"), "0") ) { %> +
+ <%=AuthenticationEndpointUtil.i18n(resourceBundle, "error.user.account.locked.incorrect.login.attempts")%> +
+ <% } else if (Boolean.parseBoolean(loginFailed) && + !errorCode.equals(IdentityCoreConstants.USER_ACCOUNT_NOT_CONFIRMED_ERROR_CODE)) { %>
<%= AuthenticationEndpointUtil.i18n(resourceBundle, errorMessage) %>
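Review bot: The new `else if` calls `errorCode.equals(IdentityCoreConstants.USER_ACCOUNT_NOT_CONFIRMED_ERROR_CODE)` while the branch above compares the same value null-safely with `StringUtils.equals(request.getParameter("errorCode"), …)`; `errorCode` is assigned outside the hunk, and if it can be null the login page now throws an NPE precisely on a failed login. Use the same helper, `!StringUtils.equals(errorCode, IdentityCoreConstants.USER_ACCOUNT_NOT_CONFIRMED_ERROR_CODE)`, or put the constant first. Reading `request.getParameter("errorCode")` in one branch and the `errorCode` local in the next also leaves it unclear whether they hold the same value; using the local in both makes that explicit.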
From 112d595b33dabd7bd9a792d4404951f8a2e8c5d2 Mon Sep 17 00:00:00 2001 From: rusirijayodaillesinghe Date: Mon, 26 Feb 2024 14:02:41 +0530 Subject: [PATCH 7/7] Fix formatting --- .../product/src/main/extensions/privacy-policy-content.jsp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/distribution/product/src/main/extensions/privacy-policy-content.jsp b/modules/distribution/product/src/main/extensions/privacy-policy-content.jsp index cf5cedd06f..f97687b650 100644 --- a/modules/distribution/product/src/main/extensions/privacy-policy-content.jsp +++ b/modules/distribution/product/src/main/extensions/privacy-policy-content.jsp @@ -16,7 +16,7 @@ ~ under the License. --%> -<%-- page content --> +<%-- page content --%>