From 781adae61ee4a244f976d6c4dcc22be3664dc219 Mon Sep 17 00:00:00 2001
From: srosse <stephane.rosse@frentix.com>
Date: Thu, 30 Aug 2018 18:18:48 +0200
Subject: [PATCH] OO-3612: adapt the hash algorithm to SEB 2.2 new way to
 handle the trailing / of an URL

---
 .../manager/AssessmentModeManagerImpl.java    |  9 ++++++++
 .../manager/AssessmentModeManagerTest.java    | 21 +++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/src/main/java/org/olat/course/assessment/manager/AssessmentModeManagerImpl.java b/src/main/java/org/olat/course/assessment/manager/AssessmentModeManagerImpl.java
index e4c6a426712..9238dccef0f 100644
--- a/src/main/java/org/olat/course/assessment/manager/AssessmentModeManagerImpl.java
+++ b/src/main/java/org/olat/course/assessment/manager/AssessmentModeManagerImpl.java
@@ -319,6 +319,15 @@ public class AssessmentModeManagerImpl implements AssessmentModeManager {
 				if(safeExamHash != null && safeExamHash.equals(hash)) {
 					safe = true;
 				}
+
+				if(!safe && url.endsWith("/")) {
+					String strippedUrl = url.substring(0, url.length() - 1);
+					String strippedHash = Encoder.sha256Exam(strippedUrl + safeExamBrowserKey);
+					if(safeExamHash != null && safeExamHash.equals(strippedHash)) {
+						safe = true;
+					}
+				}
+				
 				if(debug) {
 					if(safeExamHash == null) {
 						log.debug("Failed safeexambrowser request hash is null for URL: " + url + " and key: " + safeExamBrowserKey);
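Review bot: The added fallback checks the client-supplied request hash with `safeExamHash.equals(strippedHash)`, which stops at the first differing character even though the expected value is derived from the secret browser key. A constant-time comparison is safer here and for the existing check just above, e.g. `MessageDigest.isEqual(safeExamHash.getBytes(StandardCharsets.UTF_8), strippedHash.getBytes(StandardCharsets.UTF_8))`. The null test can also move into the outer condition, `if(!safe && safeExamHash != null && url.endsWith("/")) {`, so that no digest is computed when the request hash is null. Separately, the debug branch below concatenates `safeExamBrowserKey` into the log message, so the key ends up in log files whenever debug logging is enabled. The enclosing method begins and ends outside this hunk.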
diff --git a/src/test/java/org/olat/course/assessment/manager/AssessmentModeManagerTest.java b/src/test/java/org/olat/course/assessment/manager/AssessmentModeManagerTest.java
index d70807ef439..d8ae37030a9 100644
--- a/src/test/java/org/olat/course/assessment/manager/AssessmentModeManagerTest.java
+++ b/src/test/java/org/olat/course/assessment/manager/AssessmentModeManagerTest.java
@@ -1036,6 +1036,27 @@ public class AssessmentModeManagerTest extends OlatTestCase {
 		Assert.assertTrue(allowed);
 	}
 	
+	/**
+	 * SEB 2.1 and SEB 2.2 use slightly different URLs to calculate
+	 * the hash. The first use the raw URL, the second remove the
+	 * trailing /.
+	 */
+	@Test
+	public void isSafelyAllowed_seb22() {
+		String safeExamBrowserKey = "a3fa755508fa1ed69de26840012fb397bb0a527b55ca35f299fa89cb4da232c6";
+		String url = "http://kivik.frentix.com";
+		String hash = Encoder.sha256Exam(url + safeExamBrowserKey);
+
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setServerName("kivik.frentix.com");
+		request.setScheme("http");
+		request.addHeader("x-safeexambrowser-requesthash", hash);
+		request.setRequestURI("/");
+		
+		boolean allowed = assessmentModeMgr.isSafelyAllowed(request, safeExamBrowserKey);
+		Assert.assertTrue(allowed);
+	}
+	
 	@Test
 	public void isSafelyAllowed_fail() {
 		String safeExamBrowserKey = "gdfkhjsduzezrutuzsf";
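Review bot: `isSafelyAllowed_seb22` only proves acceptance for the root URI `/`, so it does not show that the trailing-slash fallback still rejects a wrong hash. A companion case that keeps `request.setRequestURI("/")`, sends a hash computed over a different URL and ends with `Assert.assertFalse(allowed);` would pin the security-relevant side of the change. A second positive case with a deeper path ending in `/` (a constructed example: `/some/path/`) would confirm that only the final slash is stripped. The Javadoc would read more clearly as `SEB 2.1 hashes the raw URL; SEB 2.2 removes the trailing / before hashing.`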
-- 
GitLab