This is an automated email from the ASF dual-hosted git repository.

heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git

commit c3883be7f377402d1bc284412d84e474347ea3e1
Author: Alex Heneveld <[email protected]>
AuthorDate: Fri Sep 15 10:00:14 2023 +0100

    disable host geo lookup by default outside of dev environment
    
    not used much, can trigger security alerts; easy to enable with feature flag
---
 .../java/org/apache/brooklyn/core/BrooklynFeatureEnablement.java | 7 +++++++
 .../apache/brooklyn/core/location/geo/GeoBytesHostGeoLookup.java | 3 ++-
 .../org/apache/brooklyn/core/location/geo/HostGeoLookup.java     | 9 +++++++--
 .../apache/brooklyn/core/location/geo/MaxMind2HostGeoLookup.java | 1 +
 .../apache/brooklyn/core/location/geo/UtraceHostGeoLookup.java   | 1 +
 5 files changed, 18 insertions(+), 3 deletions(-)

diff --git 
a/core/src/main/java/org/apache/brooklyn/core/BrooklynFeatureEnablement.java 
b/core/src/main/java/org/apache/brooklyn/core/BrooklynFeatureEnablement.java
index 2991799cd6..f5e57b6e25 100644
--- a/core/src/main/java/org/apache/brooklyn/core/BrooklynFeatureEnablement.java
+++ b/core/src/main/java/org/apache/brooklyn/core/BrooklynFeatureEnablement.java
@@ -137,6 +137,12 @@ public class BrooklynFeatureEnablement {
      */
     public static final String FEATURE_DISALLOW_REPARENTING = 
"brooklyn.disallowReparenting";
 
+    /**
+     * Whether lookup of the location of the host is permitted, either 'true' 
or 'false'.
+     * Since 1.1 defaults to 'false' normally to prevent odd outbound traffic, 
but 'true' in development environments for tests to run.
+     */
+    public static final String FEATURE_HOST_GEO_LOOKUP = 
"brooklyn.hostGeoLookup";
+
     /**
      * Values explicitly set by Java calls.
      */
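Review bot: The Javadoc added for `FEATURE_HOST_GEO_LOOKUP` says only "odd outbound traffic", which does not tell an operator what enabling the flag actually exposes. Judging by the lookup classes touched in this commit, turning it on lets Brooklyn pass host IP addresses to external geo-location services. I would state that directly, e.g. `When enabled, host IP addresses may be sent to external geo-location services.` Keeping the "Since 1.1" default sentence after it is fine.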
@@ -175,6 +181,7 @@ public class BrooklynFeatureEnablement {
         setDefault(FEATURE_AUTO_FIX_CATALOG_REF_ON_REBIND, false);
         setDefault(FEATURE_SSH_ASYNC_EXEC, false);
         setDefault(FEATURE_VALIDATE_LOCATION_SSH_KEYS, true);
+        setDefault(FEATURE_HOST_GEO_LOOKUP, 
BrooklynVersion.isDevelopmentEnvironment());
     }
     
     static {
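Review bot: The default on the added `setDefault(FEATURE_HOST_GEO_LOOKUP, ...)` line is whatever `BrooklynVersion.isDevelopmentEnvironment()` returns, so whether outbound lookups happen depends on environment detection rather than on an explicit choice. How that detection decides is not visible here; if it ever reports true on a deployed node, lookups are silently switched back on. An unconditional `setDefault(FEATURE_HOST_GEO_LOOKUP, false);`, with the tests that need lookups enabling the flag themselves, would make the hardened default independent of that heuristic. The enclosing method starts outside the hunk.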
diff --git 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/GeoBytesHostGeoLookup.java
 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/GeoBytesHostGeoLookup.java
index 9863603f1a..73f3a523f6 100644
--- 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/GeoBytesHostGeoLookup.java
+++ 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/GeoBytesHostGeoLookup.java
@@ -80,6 +80,8 @@ public class GeoBytesHostGeoLookup implements HostGeoLookup {
     
     @Override
     public HostGeoInfo getHostGeoInfo(InetAddress address) throws 
MalformedURLException, IOException {
+        if (isHostGeoLookupGloballyDisabled()) return null;
+
         String url = getPropertiesLookupUrlFor(address);
         if (log.isDebugEnabled())
             log.debug("Geo info lookup for "+address+" at "+url);
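Review bot: The new guard at the top of `getHostGeoInfo` returns `null` without logging, so with the flag off (now the default outside development) a missing geo result looks the same as a failed lookup. A debug line before the return, in the style of the existing logging, would make the cause visible: `if (log.isDebugEnabled()) log.debug("Host geo lookup disabled by feature flag; skipping "+address);`. The same silent return is added in the MaxMind2HostGeoLookup and UtraceHostGeoLookup hunks. The file's other `if` statements are not all visible here, but putting the `return null;` on its own braced line would be easier to scan. The method body continues past the end of the hunk.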
@@ -101,5 +103,4 @@ public class GeoBytesHostGeoLookup implements HostGeoLookup 
{
             return null;
         }
     }
-    
 }
diff --git 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/HostGeoLookup.java 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/HostGeoLookup.java
index ec25e07a1b..73345e3626 100644
--- 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/HostGeoLookup.java
+++ 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/HostGeoLookup.java
@@ -20,8 +20,13 @@ package org.apache.brooklyn.core.location.geo;
 
 import java.net.InetAddress;
 
+import org.apache.brooklyn.core.BrooklynFeatureEnablement;
+
 public interface HostGeoLookup {
 
-    public HostGeoInfo getHostGeoInfo(InetAddress address) throws Exception;
-    
+    HostGeoInfo getHostGeoInfo(InetAddress address) throws Exception;
+
+    default boolean isHostGeoLookupGloballyDisabled() {
+        return 
!BrooklynFeatureEnablement.isEnabled(BrooklynFeatureEnablement.FEATURE_HOST_GEO_LOOKUP);
+    }
 }
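Review bot: `isHostGeoLookupGloballyDisabled()` is a `default` method, so an implementation can override it, and the "global" switch takes effect only in implementations that remember to call it at the top of `getHostGeoInfo`. This commit adds that call to the three classes in the diff; any other implementor, here or in downstream code, is not gated by the flag. Checking the flag once at the point where lookups are dispatched, or making the helper `static` (callers would then write `HostGeoLookup.isHostGeoLookupGloballyDisabled()`), would make it non-bypassable. The method and `getHostGeoInfo` also lack Javadoc; it should say that `null` is returned when the feature is disabled.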
diff --git 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/MaxMind2HostGeoLookup.java
 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/MaxMind2HostGeoLookup.java
index cb7994c413..43f073afcd 100644
--- 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/MaxMind2HostGeoLookup.java
+++ 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/MaxMind2HostGeoLookup.java
@@ -64,6 +64,7 @@ public class MaxMind2HostGeoLookup implements HostGeoLookup {
     
     @Override
     public HostGeoInfo getHostGeoInfo(InetAddress address) throws 
MalformedURLException, IOException {
+        if (isHostGeoLookupGloballyDisabled()) return null;
         if (lookupFailed) return null;
         
         DatabaseReader ll = getDatabaseReader();
diff --git 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/UtraceHostGeoLookup.java
 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/UtraceHostGeoLookup.java
index 62fd437a71..725650d39b 100644
--- 
a/core/src/main/java/org/apache/brooklyn/core/location/geo/UtraceHostGeoLookup.java
+++ 
b/core/src/main/java/org/apache/brooklyn/core/location/geo/UtraceHostGeoLookup.java
@@ -99,6 +99,7 @@ Beyond this you get blacklisted and requests may time out, or 
return none.
     /** does the {@link #retrieveHostGeoInfo(InetAddress)}, but in the 
background with a default timeout */
     @Override
     public HostGeoInfo getHostGeoInfo(InetAddress address) throws 
MalformedURLException, IOException {
+        if (isHostGeoLookupGloballyDisabled()) return null;
         if (Duration.sinceUtc(LAST_FAILURE_UTC).compareTo(RETRY_INTERVAL) < 0) 
{
             // wait at least 60s since a failure
             return null;
