From 8cca863df9be2e43d115a08af81a2aca9d6fe675 Mon Sep 17 00:00:00 2001
From: Michael Muller <mmuller@google.com>
Date: Tue, 16 Jun 2020 15:07:13 -0400
Subject: [PATCH] Fix cookie processing for RDAP URL update (#630)

* Fix cookie processing for RDAP URL update

The existing code only does cookie processing on the _first_ Set-Cookie
header.  Therefore, if the "id" cookie used for authentication is defined in
anything other than the first Set-Cookie header (as it now is), we don't find
it.

Replace the cookie processing stanza with a line that processes all cookies in
all Set-Cookie headers.
---
 .../registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java      | 3 ++-
 .../registry/rdap/UpdateRegistrarRdapBaseUrlsActionTest.java  | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java b/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java
index 3e8480d30..e9721d8b9 100644
--- a/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java
+++ b/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java
@@ -101,7 +101,8 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
     HttpResponse response = request.execute();
 
     Optional<HttpCookie> idCookie =
-        HttpCookie.parse(response.getHeaders().getFirstHeaderStringValue("Set-Cookie")).stream()
+        response.getHeaders().getHeaderStringValues("Set-Cookie").stream()
+            .flatMap(value -> HttpCookie.parse(value).stream())
             .filter(cookie -> cookie.getName().equals(COOKIE_ID))
             .findAny();
     checkState(
diff --git a/core/src/test/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsActionTest.java b/core/src/test/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsActionTest.java
index 7dd459d2e..d9857b20d 100644
--- a/core/src/test/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsActionTest.java
+++ b/core/src/test/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsActionTest.java
@@ -319,6 +319,10 @@ public final class UpdateRegistrarRdapBaseUrlsActionTest extends ShardableTestCa
 
   private static void addValidResponses(TestHttpTransport httpTransport) {
     MockLowLevelHttpResponse loginResponse = new MockLowLevelHttpResponse();
+    loginResponse.addHeader(
+        "Set-Cookie",
+        "JSESSIONID=bogusid; "
+            + "Expires=Tue, 11-Jun-2019 16:34:21 GMT; Path=/; Secure; HttpOnly");
     loginResponse.addHeader(
         "Set-Cookie",
         "id=myAuthenticationId; "