disable SRI checks for external resources in Okta's responses

bogeylnj · Feb 22, 2019 · d9b7836 · AlainODea · Feb 25, 2019 · bogeylnj
1 parent 29ce6ab
commit d9b7836
Showing 1 changed file with 66 additions and 2 deletions.
diff --git a/src/main/java/com/okta/tools/authentication/BrowserAuthentication.java b/src/main/java/com/okta/tools/authentication/BrowserAuthentication.java
@@ -1,5 +1,6 @@
 package com.okta.tools.authentication;
 
+import com.amazonaws.util.IOUtils;
 import com.okta.tools.OktaAwsCliEnvironment;
 import com.okta.tools.helpers.CookieHelper;
 import com.okta.tools.util.NodeListIterable;
@@ -15,10 +16,11 @@
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import sun.net.www.protocol.https.HttpsURLConnectionImpl;
 
 import javax.annotation.Nonnull;
-import java.io.IOException;
-import java.net.URI;
+import java.io.*;
+import java.net.*;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CountDownLatch;
@@ -61,6 +63,7 @@ public void start(final Stage stage) throws IOException {
         URI uri = URI.create(ENVIRONMENT.oktaAwsAppUrl);
         initializeCookies(uri);
 
+        registerCustomProtocolHandler();
         webEngine.getLoadWorker().stateProperty()
                 .addListener((ov, oldState, newState) -> {
                     if (webEngine.getDocument() != null) {
@@ -157,4 +160,65 @@ private void finishAuthentication(Stage stage, String samlResponseForAws) {
         stage.close();
         USER_AUTH_COMPLETE.countDown();
     }
+
+
+    /** https://stackoverflow.com/questions/52572853/failed-integrity-metadata-check-in-javafx-webview-ignores-systemprop
+     *
+     * javaFX.WebEngine with >1.8.0._162 cannot handle "integrity=" (attribute &lt;link&gt; or &lt;script&gt;) checks on files retrievals properly.
+     * This custom stream handler will disable the integrity checks by replacing "integrity=" and "integrity =" with a "integrity.disabled" counterpart
+     * This is very susceptible to breaking if Okta changes the response body again as we are making changes based on the format of the characters in their response
+     */
+    private void registerCustomProtocolHandler() {
+        try {
+            URL.setURLStreamHandlerFactory(new URLStreamHandlerFactory() {
+                @Override
+                public URLStreamHandler createURLStreamHandler(String protocol) {
+                    if ("https".equals(protocol)) {
+                        return new sun.net.www.protocol.https.Handler() {
+                            @Override
+                            protected URLConnection openConnection(URL url, Proxy proxy) throws IOException {
+                                // Leaving sysout comments here for debugging and clarity if the tool does break again because of an Okta Update
+                                //System.out.format("openConnection %s (%s, %s)\n", url, url.getHost(), url.getPath());
+
+                                final HttpsURLConnectionImpl httpsURLConnection = (HttpsURLConnectionImpl) super.openConnection(url, proxy);
+                                if ("<companyname>.okta.com".equals(url.getHost()) && "/<application_path>".equals(url.getPath())) {
+
+                                    return new URLConnection(url) {
+                                        @Override
+                                        public void connect() throws IOException {
+                                            httpsURLConnection.connect();
+                                        }
+
+                                        public InputStream getInputStream() throws IOException {
+                                            byte[] content = IOUtils.toByteArray(httpsURLConnection.getInputStream());
+                                            String contentAsString = new String(content, "UTF-8");
+
+                                            //System.out.println("########################## got stream content ##############################");
+                                            //System.out.println(contentAsString);
+                                            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+                                            //contentAsString = contentAsString.replaceAll(",\"ENG_ENABLE_SCRIPT_INTEGRITY\"", ""); // nested SRIs?
+                                            baos.write(contentAsString.replaceAll("integrity ?=", "integrity.disabled=").getBytes("UTF-8"));
+                                            return new ByteArrayInputStream(baos.toByteArray());
+                                        }
+
+                                        public OutputStream getOutputStream() throws IOException {
+                                            return httpsURLConnection.getOutputStream();
+                                        }
+
+                                    };
+
+                                } else {
+                                    return httpsURLConnection;
+                                }
+                            }
+
+                        };
+                    }
+                    return null;
+                }
+            });
+        } catch (Throwable t) {
+            System.out.println("Unable to register custom protocol handler");
+        }
+    }
 }