escape only values

ydb-platform · Nov 27, 2024 · 18ba292 · 18ba292
1 parent 767932d
commit 18ba292
Show file tree

Hide file tree

Showing 21 changed files with 171 additions and 168 deletions.
diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
@@ -38,19 +38,19 @@ void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
     TStringBuf impersonatedCookieValue = GetCookie(cookies, CreateNameImpersonatedCookie(Settings.ClientId));
 
     if (sessionToken.empty()) {
-        return ReplyBadRequestAndDie("Wrong impersonate parameter: session cookie not found", ctx);
+        return ReplyBadRequestAndPassAway("Wrong impersonate parameter: session cookie not found");
     }
     if (!impersonatedCookieValue.empty()) {
-        return ReplyBadRequestAndDie("Wrong impersonate parameter: impersonated cookie already exists", ctx);
+        return ReplyBadRequestAndPassAway("Wrong impersonate parameter: impersonated cookie already exists");
     }
     if (serviceAccountId.empty()) {
-        return ReplyBadRequestAndDie("Wrong impersonate parameter: service_account_id not found", ctx);
+        return ReplyBadRequestAndPassAway("Wrong impersonate parameter: service_account_id not found");
     }
 
     RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
 }
 
-void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionToken, const TString& serviceAccountId, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::RequestImpersonatedToken(TString& sessionToken, TString& serviceAccountId, const NActors::TActorContext& ctx) {
     BLOG_D("Request impersonated token");
     NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
     httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
@@ -62,18 +62,18 @@ void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionTo
     }
     httpRequest->Set("Authorization", token); // Bearer included
 
+    CGIEscape(sessionToken);
+    CGIEscape(serviceAccountId);
     TStringBuilder body;
     body << "session=" << sessionToken
          << "&service_account_id=" << serviceAccountId;
-    TString bodyStr = body;
-    CGIEscape(bodyStr);
-    httpRequest->Set<&NHttp::THttpRequest::Body>(bodyStr);
+    httpRequest->Set<&NHttp::THttpRequest::Body>(body);
 
     ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
     Become(&THandlerImpersonateStart::StateWork);
 }
 
-void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken) {
     TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
     TString impersonatedCookieValue = Base64Encode(impersonatedToken);
     BLOG_D("Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");
@@ -82,10 +82,10 @@ void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersona
     responseHeaders.Set("Set-Cookie", CreateSecureCookie(impersonatedCookieName, impersonatedCookieValue));
     SetCORS(Request, &responseHeaders);
     NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
-    ReplyAndDie(httpResponse, ctx);
+    ReplyAndPassAway(httpResponse);
 }
 
-void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event) {
     NHttp::THttpOutgoingResponsePtr httpResponse;
     if (event->Get()->Error.empty() && event->Get()->Response) {
         NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
@@ -98,7 +98,7 @@ void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRespon
                 const NJson::TJsonValue* jsonImpersonatedToken;
                 if (jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
                     TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
-                    ProcessImpersonatedToken(impersonatedToken, ctx);
+                    ProcessImpersonatedToken(impersonatedToken);
                     return;
                 } else {
                     errorMessage = "Wrong OIDC provider response: impersonated token not found";
@@ -109,35 +109,35 @@ void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRespon
             NHttp::THeadersBuilder responseHeaders;
             responseHeaders.Set("Content-Type", "text/plain");
             SetCORS(Request, &responseHeaders);
-            return ReplyAndDie(Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage), ctx);
+            return ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage));
         } else {
             NHttp::THeadersBuilder responseHeaders;
             NHttp::THeaders headers(response->Headers);
             if (headers.Has("Content-Type")) {
                 responseHeaders.Set("Content-Type", headers.Get("Content-Type"));
             }
             SetCORS(Request, &responseHeaders);
-            return ReplyAndDie(Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body), ctx);
+            return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body));
         }
     } else {
         NHttp::THeadersBuilder responseHeaders;
         responseHeaders.Set("Content-Type", "text/plain");
         SetCORS(Request, &responseHeaders);
-        return ReplyAndDie(Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error), ctx);
+        return ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error));
     }
 }
 
-void THandlerImpersonateStart::ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx) {
-    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
-    Die(ctx);
+void THandlerImpersonateStart::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
+    Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    PassAway();
 }
 
-void THandlerImpersonateStart::ReplyBadRequestAndDie(const TString& errorMessage, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::ReplyBadRequestAndPassAway(const TString& errorMessage) {
     NHttp::THeadersBuilder responseHeaders;
     responseHeaders.Set("Content-Type", "text/plain");
     SetCORS(Request, &responseHeaders);
     NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage);
-    ReplyAndDie(httpResponse, ctx);
+    ReplyAndPassAway(httpResponse);
 }
 
 TImpersonateStartPageHandler::TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)

diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h
@@ -23,15 +23,15 @@ class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpe
                              const NActors::TActorId& httpProxyId,
                              const TOpenIdConnectSettings& settings);
     void Bootstrap(const NActors::TActorContext& ctx);
-    void RequestImpersonatedToken(const TString&, const TString&, const NActors::TActorContext&);
-    void ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx);
-    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
-    void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);
-    void ReplyBadRequestAndDie(const TString& errorMessage, const NActors::TActorContext& ctx);
+    void RequestImpersonatedToken(TString&, TString&, const NActors::TActorContext&);
+    void ProcessImpersonatedToken(const TString& impersonatedToken);
+    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event);
+    void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
+    void ReplyBadRequestAndPassAway(const TString& errorMessage);
 
     STFUNC(StateWork) {
         switch (ev->GetTypeRewrite()) {
-            HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
+            hFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
             cFunc(TEvents::TEvPoisonPill::EventType, PassAway);
         }
     }

diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp
@@ -15,7 +15,7 @@ THandlerImpersonateStop::THandlerImpersonateStop(const NActors::TActorId& sender
     , Settings(settings)
 {}
 
-void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
+void THandlerImpersonateStop::Bootstrap() {
     TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
     BLOG_D("Clear impersonated cookie: (" << impersonatedCookieName << ")");
 
@@ -25,12 +25,12 @@ void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
 
     NHttp::THttpOutgoingResponsePtr httpResponse;
     httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
-    ReplyAndDie(httpResponse, ctx);
+    ReplyAndPassAway(httpResponse);
 }
 
-void THandlerImpersonateStop::ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx) {
-    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
-    Die(ctx);
+void THandlerImpersonateStop::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
+    Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    PassAway();
 }
 
 TImpersonateStopPageHandler::TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)

diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h b/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h
@@ -23,8 +23,8 @@ class THandlerImpersonateStop : public NActors::TActorBootstrapped<THandlerImper
                             const NActors::TActorId& httpProxyId,
                             const TOpenIdConnectSettings& settings);
 
-    void Bootstrap(const NActors::TActorContext& ctx);
-    void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);
+    void Bootstrap();
+    void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
 };
 
 class TImpersonateStopPageHandler : public NActors::TActor<TImpersonateStopPageHandler> {

diff --git a/ydb/mvp/oidc_proxy/oidc_protected_page.cpp b/ydb/mvp/oidc_proxy/oidc_protected_page.cpp
@@ -20,36 +20,36 @@ THandlerSessionServiceCheck::THandlerSessionServiceCheck(const NActors::TActorId
 
 void THandlerSessionServiceCheck::Bootstrap(const NActors::TActorContext& ctx) {
     if (!CheckRequestedHost()) {
-        return ReplyAndDie(CreateResponseForbiddenHost(), ctx);
+        return ReplyAndPassAway(CreateResponseForbiddenHost());
     }
     NHttp::THeaders headers(Request->Headers);
     TStringBuf authHeader = headers.Get(AUTH_HEADER_NAME);
     if (Request->Method == "OPTIONS" || IsAuthorizedRequest(authHeader)) {
-        ForwardUserRequest(TString(authHeader), ctx);
+        ForwardUserRequest(TString(authHeader));
     } else {
         StartOidcProcess(ctx);
     }
 }
 
-void THandlerSessionServiceCheck::HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
+void THandlerSessionServiceCheck::HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event) {
     if (event->Get()->Response != nullptr) {
         NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
         BLOG_D("Incoming response for protected resource: " << response->Status);
         if (NeedSendSecureHttpRequest(response)) {
-            return SendSecureHttpRequest(response, ctx);
+            return SendSecureHttpRequest(response);
         }
         NHttp::THeadersBuilder headers = GetResponseHeaders(response);
         TStringBuf contentType = headers.Get("Content-Type").NextTok(';');
         if (contentType == "text/html") {
             TString newBody = FixReferenceInHtml(response->Body, response->GetRequest()->Host);
-            return ReplyAndDie(Request->CreateResponse(response->Status, response->Message, headers, newBody), ctx);
+            return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, headers, newBody));
         } else {
-            return ReplyAndDie(Request->CreateResponse(response->Status, response->Message, headers, response->Body), ctx);
+            return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, headers, response->Body));
         }
     } else {
         static constexpr size_t MAX_LOGGED_SIZE = 1024;
         BLOG_D("Can not process request to protected resource:\n" << event->Get()->Request->GetObfuscatedData().substr(0, MAX_LOGGED_SIZE));
-        return ReplyAndDie(CreateResponseForNotExistingResponseFromProtectedResource(event->Get()->GetError()), ctx);
+        return ReplyAndPassAway(CreateResponseForNotExistingResponseFromProtectedResource(event->Get()->GetError()));
     }
 }
 
@@ -79,7 +79,7 @@ bool THandlerSessionServiceCheck::IsAuthorizedRequest(TStringBuf authHeader) {
     return to_lower(ToString(authHeader)).StartsWith(IAM_TOKEN_SCHEME_LOWER);
 }
 
-void THandlerSessionServiceCheck::ForwardUserRequest(TStringBuf authHeader, const NActors::TActorContext& ctx, bool secure) {
+void THandlerSessionServiceCheck::ForwardUserRequest(TStringBuf authHeader, bool secure) {
     BLOG_D("Forward user request bypass OIDC");
     NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequest(Request->Method, ProtectedPageUrl);
     ForwardRequestHeaders(httpRequest);
@@ -92,7 +92,7 @@ void THandlerSessionServiceCheck::ForwardUserRequest(TStringBuf authHeader, cons
     if (RequestedPageScheme.empty()) {
         httpRequest->Secure = secure;
     }
-    ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
+    Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
 }
 
 TString THandlerSessionServiceCheck::FixReferenceInHtml(TStringBuf html, TStringBuf host, TStringBuf findStr) {
@@ -173,11 +173,11 @@ NHttp::THeadersBuilder THandlerSessionServiceCheck::GetResponseHeaders(const NHt
     return resultHeaders;
 }
 
-void THandlerSessionServiceCheck::SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response, const NActors::TActorContext& ctx) {
+void THandlerSessionServiceCheck::SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response) {
     NHttp::THttpOutgoingRequestPtr request = response->GetRequest();
     BLOG_D("Try to send request to HTTPS port");
     NHttp::THeadersBuilder headers {request->Headers};
-    ForwardUserRequest(headers.Get(AUTH_HEADER_NAME), ctx, true);
+    ForwardUserRequest(headers.Get(AUTH_HEADER_NAME), true);
 }
 
 TString THandlerSessionServiceCheck::GetFixedLocationHeader(TStringBuf location) {
@@ -226,9 +226,9 @@ NHttp::THttpOutgoingResponsePtr THandlerSessionServiceCheck::CreateResponseForNo
     return Request->CreateResponse("400", "Bad Request", headers, html);
 }
 
-void THandlerSessionServiceCheck::ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx) {
-    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
-    Die(ctx);
+void THandlerSessionServiceCheck::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
+    Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    PassAway();
 }
 
 } // NMVP::NOIDC
diff --git a/ydb/mvp/oidc_proxy/oidc_protected_page.h b/ydb/mvp/oidc_proxy/oidc_protected_page.h
@@ -32,24 +32,24 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
                                 const TOpenIdConnectSettings& settings);
 
     virtual void Bootstrap(const NActors::TActorContext& ctx);
-    void HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
+    void HandleProxy(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event);
 
 protected:
     virtual void StartOidcProcess(const NActors::TActorContext& ctx) = 0;
-    virtual void ForwardUserRequest(TStringBuf authHeader, const NActors::TActorContext& ctx, bool secure = false);
+    virtual void ForwardUserRequest(TStringBuf authHeader, bool secure = false);
     virtual bool NeedSendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response) const = 0;
 
     bool CheckRequestedHost();
     void ForwardRequestHeaders(NHttp::THttpOutgoingRequestPtr& request) const;
-    void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);
+    void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
 
     static bool IsAuthorizedRequest(TStringBuf authHeader);
     static TString FixReferenceInHtml(TStringBuf html, TStringBuf host, TStringBuf findStr);
     static TString FixReferenceInHtml(TStringBuf html, TStringBuf host);
 
 private:
     NHttp::THeadersBuilder GetResponseHeaders(const NHttp::THttpIncomingResponsePtr& response);
-    void SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response, const NActors::TActorContext& ctx);
+    void SendSecureHttpRequest(const NHttp::THttpIncomingResponsePtr& response);
     TString GetFixedLocationHeader(TStringBuf location);
     NHttp::THttpOutgoingResponsePtr CreateResponseForbiddenHost();
     NHttp::THttpOutgoingResponsePtr CreateResponseForNotExistingResponseFromProtectedResource(const TString& errorMessage);