Support multipart UI token cookies

When cookie name+value length exceeds 4096 bytes, it is silently rejected by most of the browsers per https://datatracker.ietf.org/doc/html/rfc6265#section-6.1. Since we don't control access & refresh token lengths and encryption scheme, we need to split value and set/remove multiple cookies in such cases.
wendigo · Feb 22, 2024 · 386a3d4 · 386a3d4
1 parent d8fb63f
commit 386a3d4
Show file tree

Hide file tree

Showing 6 changed files with 314 additions and 78 deletions.
diff --git a/core/trino-main/src/main/java/io/trino/server/ui/FormWebUiAuthenticationFilter.java b/core/trino-main/src/main/java/io/trino/server/ui/FormWebUiAuthenticationFilter.java
@@ -35,6 +35,7 @@
 import java.security.SecureRandom;
 import java.time.ZonedDateTime;
 import java.util.Date;
+import java.util.Map;
 import java.util.Optional;
 import java.util.function.Function;
 
@@ -70,6 +71,8 @@ public class FormWebUiAuthenticationFilter
     private final FormAuthenticator formAuthenticator;
     private final Optional<Authenticator> authenticator;
 
+    private static final MultipartUiCookie MULTIPART_COOKIE = new MultipartUiCookie(TRINO_UI_COOKIE, "/ui");
+
     @Inject
     public FormWebUiAuthenticationFilter(
             FormWebUiConfig config,
@@ -225,21 +228,16 @@ public static ResponseBuilder redirectFromSuccessfulLoginResponse(String redirec
         return Response.seeOther(redirectLocation);
     }
 
-    public Optional<NewCookie> checkLoginCredentials(String username, String password, boolean secure)
+    public Optional<NewCookie[]> checkLoginCredentials(String username, String password, boolean secure)
     {
         return formAuthenticator.isValidCredential(username, password, secure)
                 .map(user -> createAuthenticationCookie(user, secure));
     }
 
     private Optional<String> getAuthenticatedUsername(ContainerRequestContext request)
     {
-        Cookie cookie = request.getCookies().get(TRINO_UI_COOKIE);
-        if (cookie == null) {
-            return Optional.empty();
-        }
-
         try {
-            return Optional.of(parseJwt(cookie.getValue()));
+            return MULTIPART_COOKIE.read(request.getCookies()).map(this::parseJwt);
         }
         catch (JwtException e) {
             return Optional.empty();
@@ -249,35 +247,14 @@ private Optional<String> getAuthenticatedUsername(ContainerRequestContext reques
         }
     }
 
-    private NewCookie createAuthenticationCookie(String userName, boolean secure)
+    private NewCookie[] createAuthenticationCookie(String userName, boolean secure)
     {
-        String jwt = jwtGenerator.apply(userName);
-        return new NewCookie(
-                TRINO_UI_COOKIE,
-                jwt,
-                "/ui",
-                null,
-                Cookie.DEFAULT_VERSION,
-                null,
-                NewCookie.DEFAULT_MAX_AGE,
-                null,
-                secure,
-                true);
+        return MULTIPART_COOKIE.create(jwtGenerator.apply(userName), null, secure);
     }
 
-    public static NewCookie getDeleteCookie(boolean secure)
+    public static NewCookie[] getDeleteCookies(Map<String, Cookie> existingCookies, boolean isSecure)
     {
-        return new NewCookie(
-                TRINO_UI_COOKIE,
-                "delete",
-                "/ui",
-                null,
-                Cookie.DEFAULT_VERSION,
-                null,
-                0,
-                null,
-                secure,
-                true);
+        return MULTIPART_COOKIE.delete(existingCookies, isSecure);
     }
 
     public boolean isPasswordAllowed(boolean secure)

diff --git a/core/trino-main/src/main/java/io/trino/server/ui/LoginResource.java b/core/trino-main/src/main/java/io/trino/server/ui/LoginResource.java
@@ -39,7 +39,7 @@
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.LOGIN_FORM_URI;
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOGIN;
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOGOUT;
-import static io.trino.server.ui.FormWebUiAuthenticationFilter.getDeleteCookie;
+import static io.trino.server.ui.FormWebUiAuthenticationFilter.getDeleteCookies;
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.redirectFromSuccessfulLoginResponse;
 import static jakarta.ws.rs.core.MediaType.TEXT_HTML;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -89,7 +89,7 @@ public Response login(
             return Response.seeOther(DISABLED_LOCATION_URI).build();
         }
 
-        Optional<NewCookie> authenticationCookie = formWebUiAuthenticationManager.checkLoginCredentials(username, password, securityContext.isSecure());
+        Optional<NewCookie[]> authenticationCookie = formWebUiAuthenticationManager.checkLoginCredentials(username, password, securityContext.isSecure());
         if (authenticationCookie.isEmpty()) {
             // authentication failed, redirect back to the login page
             return Response.seeOther(LOGIN_FORM_URI).build();
@@ -113,7 +113,7 @@ public Response logout(@Context HttpHeaders httpHeaders, @Context UriInfo uriInf
             redirectLocation = DISABLED_LOCATION_URI;
         }
         return Response.seeOther(redirectLocation)
-                .cookie(getDeleteCookie(securityContext.isSecure()))
+                .cookie(getDeleteCookies(httpHeaders.getCookies(), securityContext.isSecure()))
                 .build();
     }
 }
diff --git a/core/trino-main/src/main/java/io/trino/server/ui/MultipartUiCookie.java b/core/trino-main/src/main/java/io/trino/server/ui/MultipartUiCookie.java
@@ -0,0 +1,142 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.server.ui;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import jakarta.ws.rs.core.Cookie;
+import jakarta.ws.rs.core.NewCookie;
+
+import java.time.Instant;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.regex.Pattern;
+
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static jakarta.ws.rs.core.NewCookie.DEFAULT_MAX_AGE;
+import static java.util.Objects.requireNonNull;
+
+public class MultipartUiCookie
+{
+    // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis/#section-5.6-3.4.1
+    public static final int MAXIMUM_COOKIE_SIZE = 4096;
+
+    private final String cookieName;
+    private final Pattern cookiePattern;
+    private final String location;
+
+    public MultipartUiCookie(String cookieName, String location)
+    {
+        this.cookieName = requireNonNull(cookieName, "cookieName is null");
+        this.cookiePattern = Pattern.compile("^" + Pattern.quote(cookieName) + "(_\\d+)?$");
+        this.location = requireNonNull(location, "location is null");
+    }
+
+    public NewCookie[] create(String token, Instant tokenExpiration, boolean isSecure)
+    {
+        Date expiration = Optional.ofNullable(tokenExpiration).map(Date::from).orElse(null);
+        ImmutableList.Builder<NewCookie> cookiesToSet = ImmutableList.builder();
+        int index = 0;
+        for (String part : splitValueByLength(token)) {
+            cookiesToSet.add(new NewCookie.Builder(cookieName(index++))
+                    .value(part)
+                    .path(location)
+                    .domain(null)
+                    .comment(null)
+                    .maxAge(DEFAULT_MAX_AGE)
+                    .expiry(expiration)
+                    .secure(isSecure)
+                    .httpOnly(true)
+                    .build());
+        }
+        return cookiesToSet.build().toArray(new NewCookie[0]);
+    }
+
+    public Optional<String> read(Map<String, Cookie> existingCookies)
+    {
+        long cookiesCount = existingCookies.values().stream()
+                .filter(this::matchesName)
+                .filter(cookie -> !isNullOrEmpty(cookie.getValue()))
+                .count();
+
+        if (cookiesCount == 0) {
+            return Optional.empty();
+        }
+
+        StringBuilder token = new StringBuilder();
+        for (int i = 0; i < cookiesCount; i++) {
+            Cookie cookie = existingCookies.get(cookieName(i));
+            if (cookie == null || isNullOrEmpty(cookie.getValue())) {
+                return Optional.empty(); // non continuous
+            }
+            token.append(cookie.getValue());
+        }
+        return Optional.of(token.toString());
+    }
+
+    public NewCookie[] delete(Map<String, Cookie> existingCookies, boolean isSecured)
+    {
+        ImmutableSet.Builder<NewCookie> cookiesToDelete = ImmutableSet.builder();
+        cookiesToDelete.add(deleteCookie(cookieName, isSecured)); // Always invalidate first cookie even if it doesn't exist
+        for (Cookie existingCookie : existingCookies.values()) {
+            if (matchesName(existingCookie)) {
+                cookiesToDelete.add(deleteCookie(existingCookie.getName(), isSecured));
+            }
+        }
+        return cookiesToDelete.build().toArray(new NewCookie[0]);
+    }
+
+    private List<String> splitValueByLength(String value)
+    {
+        return Splitter.fixedLength(maximumCookieValueLength()).splitToList(value);
+    }
+
+    private boolean matchesName(Cookie cookie)
+    {
+        return cookiePattern.matcher(cookie.getName()).matches();
+    }
+
+    @VisibleForTesting
+    String cookieName(int index)
+    {
+        if (index == 0) {
+            return cookieName;
+        }
+
+        return cookieName + '_' + index;
+    }
+
+    int maximumCookieValueLength()
+    {
+        // A browser should be able to accept at least 300 cookies with a maximum size of 4096 bytes, as stipulated by RFC 2109 (#6.3), RFC 2965 (#5.3), and RFC 6265
+        return MAXIMUM_COOKIE_SIZE - cookieName(999).length();
+    }
+
+    private NewCookie deleteCookie(String name, boolean isSecured)
+    {
+        return new NewCookie.Builder(name)
+                .value("delete")
+                .path(location)
+                .domain(null)
+                .maxAge(0)
+                .expiry(null)
+                .secure(isSecured)
+                .httpOnly(true)
+                .build();
+    }
+}
diff --git a/core/trino-main/src/main/java/io/trino/server/ui/OAuthIdTokenCookie.java b/core/trino-main/src/main/java/io/trino/server/ui/OAuthIdTokenCookie.java
@@ -17,48 +17,31 @@
 import jakarta.ws.rs.core.NewCookie;
 
 import java.time.Instant;
-import java.util.Date;
 import java.util.Map;
 import java.util.Optional;
 
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOCATION;
-import static java.util.function.Predicate.not;
 
 public final class OAuthIdTokenCookie
 {
     // prefix according to: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.1
     public static final String ID_TOKEN_COOKIE = "__Secure-Trino-ID-Token";
+    private static final MultipartUiCookie MULTIPART_COOKIE = new MultipartUiCookie(ID_TOKEN_COOKIE, UI_LOCATION);
 
     private OAuthIdTokenCookie() {}
 
     public static NewCookie[] create(String token, Instant tokenExpiration)
     {
-        return new NewCookie[] {new NewCookie.Builder(ID_TOKEN_COOKIE)
-                .value(token)
-                .path(UI_LOCATION)
-                .domain(null)
-                .expiry(Date.from(tokenExpiration))
-                .secure(true)
-                .httpOnly(true)
-                .build()};
+        return MULTIPART_COOKIE.create(token, tokenExpiration, true);
     }
 
     public static Optional<String> read(Map<String, Cookie> availableCookies)
     {
-        return Optional.ofNullable(availableCookies.get(ID_TOKEN_COOKIE))
-                .map(Cookie::getValue)
-                .filter(not(String::isBlank));
+        return MULTIPART_COOKIE.read(availableCookies);
     }
 
     public static NewCookie[] delete(Map<String, Cookie> availableCookies)
     {
-        return new NewCookie[] {new NewCookie.Builder(ID_TOKEN_COOKIE)
-                .value("delete")
-                .path(UI_LOCATION)
-                .domain(null)
-                .maxAge(0)
-                .secure(true)
-                .httpOnly(true)
-                .build()};
+        return MULTIPART_COOKIE.delete(availableCookies, true);
     }
 }
diff --git a/core/trino-main/src/main/java/io/trino/server/ui/OAuthWebUiCookie.java b/core/trino-main/src/main/java/io/trino/server/ui/OAuthWebUiCookie.java
@@ -17,49 +17,31 @@
 import jakarta.ws.rs.core.NewCookie;
 
 import java.time.Instant;
-import java.util.Date;
 import java.util.Map;
 import java.util.Optional;
 
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOCATION;
-import static java.util.function.Predicate.not;
 
 public final class OAuthWebUiCookie
 {
     // prefix according to: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.1
     public static final String OAUTH2_COOKIE = "__Secure-Trino-OAuth2-Token";
+    private static final MultipartUiCookie MULTIPART_COOKIE = new MultipartUiCookie(OAUTH2_COOKIE, UI_LOCATION);
 
     private OAuthWebUiCookie() {}
 
     public static NewCookie[] create(String token, Instant tokenExpiration)
     {
-        return new NewCookie[] {new NewCookie.Builder(OAUTH2_COOKIE)
-                .path(UI_LOCATION)
-                .domain(null)
-                .value(token)
-                .expiry(Date.from(tokenExpiration))
-                .secure(true)
-                .httpOnly(true)
-                .build()};
+        return MULTIPART_COOKIE.create(token, tokenExpiration, true);
     }
 
     public static Optional<String> read(Map<String, Cookie> availableCookies)
     {
-        return Optional.ofNullable(availableCookies.get(OAUTH2_COOKIE))
-                .map(Cookie::getValue)
-                .filter(not(String::isBlank));
+        return MULTIPART_COOKIE.read(availableCookies);
     }
 
     public static NewCookie[] delete(Map<String, Cookie> availableCookies)
     {
-        return new NewCookie[] {new NewCookie.Builder(OAUTH2_COOKIE)
-                .value("delete")
-                .path(UI_LOCATION)
-                .domain(null)
-                .maxAge(0)
-                .expiry(null)
-                .secure(true)
-                .httpOnly(true)
-                .build()};
+        return MULTIPART_COOKIE.delete(availableCookies, true);
     }
 }