wip do not use

Author: fhanik

server/src/main/java/org/cloudfoundry/identity/uaa/SpringServletXmlSecurityConfiguration.java

@@ -64,8 +64,8 @@ public class SpringServletXmlSecurityConfiguration {
             "/saml_error",
             "/favicon.ico",
             "/oauth_error",
-            "/session",
-            "/session_management",
+            "/session", "/z/*/session",
+            "/session_management", "/z/*/session_management",
             "/oauth/token/.well-known/openid-configuration", "/z/*/oauth/token/.well-known/openid-configuration",
             "/.well-known/openid-configuration", "/z/*/.well-known/openid-configuration",
             "/logged_out", "/z/*/logged_out"

server/src/main/java/org/cloudfoundry/identity/uaa/login/SessionController.java

@@ -13,25 +13,32 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.login;
 
+import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 
+import jakarta.servlet.http.HttpServletRequest;
+
 @Controller
 public class SessionController {
 
-    @RequestMapping("/session")
-    public String session(Model model, @RequestParam String clientId, @RequestParam String messageOrigin) {
+    @RequestMapping({"/session", "/z/{subdomain}/session"})
+    public String session(Model model, HttpServletRequest request,
+            @RequestParam String clientId, @RequestParam String messageOrigin) {
         // We need to maintain this version of the session page to continue compatibility with the
         // original version of uaa-singular.
+        model.addAttribute("pathPrefix", UaaUrlUtils.getZonePathPrefix(request));
         model.addAttribute("clientId", clientId);
         model.addAttribute("messageOrigin", messageOrigin);
         return "session";
     }
 
-    @RequestMapping("/session_management")
-    public String sessionManagement(Model model, @RequestParam String clientId, @RequestParam String messageOrigin) {
+    @RequestMapping({"/session_management", "/z/{subdomain}/session_management"})
+    public String sessionManagement(Model model, HttpServletRequest request,
+            @RequestParam String clientId, @RequestParam String messageOrigin) {
+        model.addAttribute("pathPrefix", UaaUrlUtils.getZonePathPrefix(request));
         model.addAttribute("clientId", clientId);
         model.addAttribute("messageOrigin", messageOrigin);
         return "session_management";

server/src/main/resources/templates/web/error.html

@@ -7,7 +7,7 @@
         <div th:if="${error_message_code}" class="alert alert-error">
             <p th:text="#{${error_message_code}}">Error Message</p>
         </div>
-        <img src="/resources/images/sad_cloud.png" th:src="@{/resources/images/sad_cloud.png}" role="presentation" />
+        <img src="/resources/images/sad_cloud.png" th:src="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/resources/images/sad_cloud.png' : '/resources/images/sad_cloud.png'}" role="presentation" />
     </div>
     <h2>
         Uh oh.<br />

server/src/main/resources/templates/web/session.html

@@ -2,7 +2,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
   <script type="text/javascript" src="/resources/javascripts/session/session_message_handler.js"
-          th:src="@{'/resources/javascripts/session/session_message_handler.js'}"></script>
+          th:src="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/resources/javascripts/session/session_message_handler.js' : '/resources/javascripts/session/session_message_handler.js'}"></script>
 </head>
 <body>
   <input type="hidden" id="clientId" th:value="${clientId}">

server/src/main/resources/templates/web/session_management.html

@@ -1,10 +1,10 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <script type="application/javascript" th:src="@{'/resources/javascripts/session/sjcl.js'}"></script>
-    <script type="application/javascript" th:src="@{'/resources/javascripts/session/session.js'}"></script>
+    <script type="application/javascript" th:src="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/resources/javascripts/session/sjcl.js' : '/resources/javascripts/session/sjcl.js'}"></script>
+    <script type="application/javascript" th:src="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/resources/javascripts/session/session.js' : '/resources/javascripts/session/session.js'}"></script>
     <script type="application/javascript"
-            th:src="@{'/resources/javascripts/session/session_management_message_handler.js'}"></script>
+            th:src="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/resources/javascripts/session/session_management_message_handler.js' : '/resources/javascripts/session/session_management_message_handler.js'}"></script>
 </head>
 <body>
     <input type="hidden" id="clientId" th:value="${clientId}">

server/src/test/java/org/cloudfoundry/identity/uaa/login/HomeControllerViewTests.java

@@ -92,6 +92,12 @@ private static String expectedHref(ZoneRequestPathMode mode, String path) {
         return prefix.isEmpty() ? "href=\"" + path + "\"" : "href=\"" + prefix + path + "\"";
     }
 
+    /** Expected resource path in response (e.g. script src, img src): {@code /resources/...} or {@code /z/test-zone/resources/...}. */
+    private static String expectedResourcePath(ZoneRequestPathMode mode, String path) {
+        String prefix = mode.redirectPrefix();
+        return prefix.isEmpty() ? path : prefix + path;
+    }
+
     /** Ensures current zone has test branding so error-page assertions (footer, logo) pass for ZONE_PATH. */
     private void applyTestBrandingToCurrentZone() {
         IdentityZoneConfiguration newConfiguration = new IdentityZoneConfiguration();
@@ -212,9 +218,10 @@ void errorPageContainsCorrectNavLinks(ZoneRequestPathMode mode) throws Exception
     @EnumSource(ZoneRequestPathMode.class)
     void errorPageContainsCorrectResourceLink(ZoneRequestPathMode mode) throws Exception {
         mode.setZone();
+        String imagePath = "/resources/images/sad_cloud.png";
         mockMvc.perform(request(mode, "/error"))
                 .andExpect(status().isOk())
-                .andExpect(content().string(containsString("src=\"/resources/images/sad_cloud.png\"")));
+                .andExpect(content().string(containsString("src=\"" + expectedResourcePath(mode, imagePath) + "\"")));
     }
 
     static Stream<Arguments> errorBrandingParams() {

server/src/test/java/org/cloudfoundry/identity/uaa/login/SessionControllerViewTests.java

@@ -0,0 +1,124 @@
+package org.cloudfoundry.identity.uaa.login;
+
+import org.cloudfoundry.identity.uaa.TestClassNullifier;
+import org.cloudfoundry.identity.uaa.extensions.PollutionPreventionExtension;
+import org.cloudfoundry.identity.uaa.util.ZoneRequestPathMode;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EnumSource;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * View tests for SessionController. Each test is parameterized by {@link ZoneRequestPathMode} so that
+ * both default paths ({@code /session}, {@code /session_management}) and zone paths ({@code /z/{subdomain}/session}, ...) are covered.
+ * Asserts that paths in the response content (e.g. script src) are correct for the mode.
+ */
+@ExtendWith(PollutionPreventionExtension.class)
+@WebAppConfiguration
+@SpringJUnitConfig(classes = SessionControllerViewTests.ContextConfiguration.class)
+@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
+class SessionControllerViewTests extends TestClassNullifier {
+
+    private static final String CLIENT_ID = "test-client";
+    private static final String MESSAGE_ORIGIN = "https://origin.example.com";
+
+    /** GET request for the given path; uses /z/{subdomain} when mode is ZONE_PATH so handler mapping matches. */
+    private static MockHttpServletRequestBuilder request(ZoneRequestPathMode mode, String pathSuffix) {
+        if (mode.redirectPrefix().isEmpty()) {
+            return get(pathSuffix);
+        }
+        return get("/z/{subdomain}" + pathSuffix, mode.getSubdomain());
+    }
+
+    /** Expected script src path in response: {@code /resources/...} or {@code /z/test-zone/resources/...}. */
+    private static String expectedResourcePath(ZoneRequestPathMode mode, String path) {
+        String prefix = mode.redirectPrefix();
+        return prefix.isEmpty() ? path : prefix + path;
+    }
+
+    @Autowired
+    private WebApplicationContext webApplicationContext;
+
+    private MockMvc mockMvc;
+
+    @BeforeEach
+    void beforeEach() {
+        SecurityContextHolder.clearContext();
+        IdentityZoneHolder.clear();
+        mockMvc = MockMvcBuilders.webAppContextSetup(webApplicationContext).build();
+    }
+
+    @AfterEach
+    void afterEach() {
+        SecurityContextHolder.clearContext();
+        IdentityZoneHolder.clear();
+    }
+
+    @ParameterizedTest
+    @EnumSource(ZoneRequestPathMode.class)
+    void sessionPageReturnsOkAndContainsExpectedPaths(ZoneRequestPathMode mode) throws Exception {
+        mode.setZone();
+        String scriptPath = "/resources/javascripts/session/session_message_handler.js";
+        mockMvc.perform(request(mode, "/session")
+                        .param("clientId", CLIENT_ID)
+                        .param("messageOrigin", MESSAGE_ORIGIN))
+                .andExpect(status().isOk())
+                .andExpect(content().string(containsString("src=\"" + expectedResourcePath(mode, scriptPath) + "\"")))
+                .andExpect(content().string(containsString(CLIENT_ID)))
+                .andExpect(content().string(containsString(MESSAGE_ORIGIN)));
+    }
+
+    @ParameterizedTest
+    @EnumSource(ZoneRequestPathMode.class)
+    void sessionManagementPageReturnsOkAndContainsExpectedPaths(ZoneRequestPathMode mode) throws Exception {
+        mode.setZone();
+        String sjcl = "/resources/javascripts/session/sjcl.js";
+        String sessionJs = "/resources/javascripts/session/session.js";
+        String handlerJs = "/resources/javascripts/session/session_management_message_handler.js";
+        mockMvc.perform(request(mode, "/session_management")
+                        .param("clientId", CLIENT_ID)
+                        .param("messageOrigin", MESSAGE_ORIGIN))
+                .andExpect(status().isOk())
+                .andExpect(content().string(containsString("src=\"" + expectedResourcePath(mode, sjcl) + "\"")))
+                .andExpect(content().string(containsString("src=\"" + expectedResourcePath(mode, sessionJs) + "\"")))
+                .andExpect(content().string(containsString("src=\"" + expectedResourcePath(mode, handlerJs) + "\"")))
+                .andExpect(content().string(containsString(CLIENT_ID)))
+                .andExpect(content().string(containsString(MESSAGE_ORIGIN)));
+    }
+
+    @EnableWebMvc
+    @Import(ThymeleafConfig.class)
+    static class ContextConfiguration implements WebMvcConfigurer {
+
+        @Override
+        public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
+            configurer.enable();
+        }
+
+        @Bean
+        SessionController sessionController() {
+            return new SessionController();
+        }
+    }
+}