diff --git a/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/session/cli/cmd/AbstractSessionLogoutCommand.java b/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/session/cli/cmd/AbstractSessionLogoutCommand.java
index 9a940925f6..9219fd1149 100644
--- a/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/session/cli/cmd/AbstractSessionLogoutCommand.java
+++ b/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/session/cli/cmd/AbstractSessionLogoutCommand.java
@@ -30,9 +30,13 @@ public JsonNode getJsonNode() {
 var sessionHelper = getSessionHelper();
 if ( sessionHelper.exists(sessionName) ) {
 result = sessionHelper.sessionSummaryAsObjectNode(sessionName);
- logout(sessionName, sessionHelper.get(sessionName, true));
- // TODO Optionally delete all variables
- getSessionHelper().destroy(sessionName);
+ try {
+ logout(sessionName, sessionHelper.get(sessionName, false));
+ } catch (Exception e){
+ throw e;
+ } finally {
+ getSessionHelper().destroy(sessionName);
+ }
 }
 return result;
 }
@@ -46,6 +50,10 @@ public String getActionCommandResult() {
 public boolean isSingular() {
 return false;
 }
-
+
+ /******************************************************************************* * This method will always be invoked on existing sessions, independent of whether the session has expired * This is to ensure cleanup of the local session directory and tokens stored in ssc (if the token has already been cleaned up by ssc this should not result in an error) *******************************************************************************/
 protected abstract void logout(String sessionName, D sessionDescriptor);
 }
diff --git a/fcli-core/fcli-ssc/src/main/java/com/fortify/cli/ssc/token/helper/SSCTokenConverter.java b/fcli-core/fcli-ssc/src/main/java/com/fortify/cli/ssc/token/helper/SSCTokenConverter.java
index b65463474b..a119822f0d 100644
--- a/fcli-core/fcli-ssc/src/main/java/com/fortify/cli/ssc/token/helper/SSCTokenConverter.java
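Review bot: The `catch (Exception e){ throw e; }` added in the new try block is a bare rethrow that changes nothing; `try { logout(sessionName, sessionHelper.get(sessionName, false)); } finally { sessionHelper.destroy(sessionName); }` is equivalent and also reuses the local `sessionHelper` instead of calling `getSessionHelper()` a second time. Note that with `finally` the local session is now destroyed even when `logout` throws, so if that failure presumably means the server-side token was not revoked, the user loses the local record needed to retry the revocation; logging the failure at warn level (without the token value) before it propagates would at least make that visible. The enclosing `getJsonNode()` starts outside the hunk.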
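Review bot: The added `/****` banner above `logout` is a plain block comment rather than Javadoc, so the contract it states is not attached to the abstract method in generated docs or IDE hover; starting it with `/**` and adding `@param sessionName` and `@param sessionDescriptor` would fix that. It would also help to state the implementer obligation directly, e.g. `Implementations must not fail when the remote token has already been removed.`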
+++ b/fcli-core/fcli-ssc/src/main/java/com/fortify/cli/ssc/token/helper/SSCTokenConverter.java
@@ -13,10 +13,13 @@
 package com.fortify.cli.ssc.token.helper;
 import java.nio.charset.StandardCharsets;
+import java.util.regex.Pattern;
 import org.apache.commons.codec.binary.Base64;
+
 public final class SSCTokenConverter {
+ private static Pattern applicationTokenPattern = Pattern.compile("^[\\da-f]{8}(?:-[\\da-f]{4}){3}-[\\da-f]{12}$");
 private SSCTokenConverter() {}
 public static final String toApplicationToken(String token) {
@@ -28,7 +31,7 @@ public static final char[] toApplicationToken(char[] token) {
 }
 public static final String toRestToken(String token) {
- return isApplicationToken(token) ? encode(token) : token;
+ return isApplicationToken(token) ? encode(token) : validateRestTokenFormat(token);
 }
 public static final char[] toRestToken(char[] token) {
@@ -36,11 +39,23 @@ public static final char[] toRestToken(char[] token) {
 }
 public static final boolean isApplicationToken(String token) {
- return token.matches("^[\\da-f]{8}(?:-[\\da-f]{4}){3}-[\\da-f]{12}$");
+ return applicationTokenPattern.matcher(token).matches();
 }
 private static final String decode(String token) {
- return new String(Base64.decodeBase64(token), StandardCharsets.UTF_8);
+ return validateApplicationTokenFormat(new String(Base64.decodeBase64(token), StandardCharsets.UTF_8));
+ }
+
+ private static final String validateApplicationTokenFormat(String token) {
+ if(!isApplicationToken(token)) {
+ throw new IllegalArgumentException("The provided token could not be decoded to a valid application token format");
+ }
+ return token;
+ }
+
+ private static final String validateRestTokenFormat(String token) {
+ decode(token);
+ return token;
 }
 private static final String encode(String token) {
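Review bot: The new `applicationTokenPattern` field is declared `private static Pattern` without `final`, although it is a compiled constant shared by every caller and nothing should ever reassign it; make it `private static final Pattern applicationTokenPattern = Pattern.compile(...)`. Java convention would also name it `APPLICATION_TOKEN_PATTERN`, but that rename touches the use in `isApplicationToken` further down, so `final` is the essential part.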
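Review bot: Only the `String` overload of `toRestToken` gains the `validateRestTokenFormat` call; the `char[]` overload on the last context line has its body outside the hunk, so if it does not delegate to the `String` overload it still passes unrecognised input through unvalidated — worth confirming. Separately, the `IllegalArgumentException` that now surfaces from this method reports that the token "could not be decoded to a valid application token format", which is accurate but may puzzle a caller who supplied what they believed was a REST token; a REST-token-specific message at this call site would read better.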
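Review bot: `validateRestTokenFormat` delegates the whole check to `decode`, and as far as I recall commons-codec's `Base64.decodeBase64` is lenient — characters outside the Base64 alphabet are skipped rather than rejected — so a REST token with stray characters is still accepted as long as the remaining characters decode to a UUID-shaped string. If strict input is intended, guard the decode with `if (!Base64.isBase64(token)) throw new IllegalArgumentException("The provided token is not valid Base64");`. The message in `validateApplicationTokenFormat` rightly omits the token value; keep it that way, since the token is a credential. Finally, `decode(token);` with its result discarded reads like an unused call, so a one-line comment such as `// decode() throws if the token is not Base64 of an application token` would make the intent explicit.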