This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new ebbf8d6 KNOX-2145 - WhitelistUtils should have an HTTPS_ONLY template
(#212)
ebbf8d6 is described below
commit ebbf8d6bcba267c956ea469111ca443afddf77b6
Author: Kevin Risden <[email protected]>
AuthorDate: Thu Dec 5 10:12:18 2019 -0500
KNOX-2145 - WhitelistUtils should have an HTTPS_ONLY template (#212)
Signed-off-by: Kevin Risden <[email protected]>
---
.../apache/knox/gateway/util/WhitelistUtils.java | 37 +++++++++---------
.../knox/gateway/util/WhitelistUtilsTest.java | 44 +++++++++++++++-------
2 files changed, 47 insertions(+), 34 deletions(-)
diff --git
a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
index 1bd43be..4a81b87 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
@@ -27,27 +27,26 @@ import java.util.List;
import java.util.Locale;
public class WhitelistUtils {
-
static final String DEFAULT_CONFIG_VALUE = "DEFAULT";
+ static final String DEFAULT_DISPATCH_WHITELIST_TEMPLATE =
"^\\/.*$;^https?:\\/\\/%s:[0-9]+\\/?.*$";
- static final String LOCALHOST_REGEXP_SEGMENT =
"(localhost|127\\.0\\.0\\.1|0:0:0:0:0:0:0:1|::1)";
+ static final String HTTPS_ONLY_CONFIG_VALUE = "HTTPS_ONLY";
+ static final String HTTPS_ONLY_DISPATCH_WHITELIST_TEMPLATE =
"^\\/.*$;^https:\\/\\/%s:[0-9]+\\/?.*$";
+ static final String LOCALHOST_REGEXP_SEGMENT =
"(localhost|127\\.0\\.0\\.1|0:0:0:0:0:0:0:1|::1)";
static final String LOCALHOST_REGEXP = "^" + LOCALHOST_REGEXP_SEGMENT + "$";
- static final String DEFAULT_DISPATCH_WHITELIST_TEMPLATE =
"^\\/.*$;^https?:\\/\\/%s:[0-9]+\\/?.*$";
-
private static final String IP_ADDRESS_REGEX =
"^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$";
private static final SpiGatewayMessages LOG =
MessagesFactory.get(SpiGatewayMessages.class);
private static final List<String> DEFAULT_SERVICE_ROLES =
Collections.singletonList("KNOXSSO");
-
public static String getDispatchWhitelist(HttpServletRequest request) {
String whitelist = null;
- GatewayConfig config =
- (GatewayConfig)
request.getServletContext().getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
+ GatewayConfig config = (GatewayConfig) request.getServletContext()
+
.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
if (config != null) {
List<String> whitelistedServiceRoles = new ArrayList<>();
whitelistedServiceRoles.addAll(DEFAULT_SERVICE_ROLES);
@@ -58,7 +57,10 @@ public class WhitelistUtils {
// Check the whitelist against the URL to be dispatched
whitelist = config.getDispatchWhitelist();
if (whitelist == null ||
whitelist.equalsIgnoreCase(DEFAULT_CONFIG_VALUE)) {
- whitelist = deriveDefaultDispatchWhitelist(request);
+ whitelist = deriveDefaultDispatchWhitelist(request,
DEFAULT_DISPATCH_WHITELIST_TEMPLATE);
+ LOG.derivedDispatchWhitelist(whitelist);
+ } else if (whitelist.equalsIgnoreCase(HTTPS_ONLY_CONFIG_VALUE)) {
+ whitelist = deriveDefaultDispatchWhitelist(request,
HTTPS_ONLY_DISPATCH_WHITELIST_TEMPLATE);
LOG.derivedDispatchWhitelist(whitelist);
}
}
@@ -67,8 +69,8 @@ public class WhitelistUtils {
return whitelist;
}
-
- private static String deriveDefaultDispatchWhitelist(HttpServletRequest
request) {
+ private static String deriveDefaultDispatchWhitelist(HttpServletRequest
request,
+ String
whitelistTemplate) {
String defaultWhitelist = null;
// Check first for the X-Forwarded-Host header, and use it to determine
the domain
@@ -83,25 +85,24 @@ public class WhitelistUtils {
}
if (domain != null) {
- defaultWhitelist = defineWhitelistForDomain(domain);
+ defaultWhitelist = defineWhitelistForDomain(domain, whitelistTemplate);
} else {
if (!requestedHost.matches(LOCALHOST_REGEXP)) { // localhost will be
handled subsequently
// Use the requested host address/name for the whitelist
LOG.unableToDetermineKnoxDomainForDefaultWhitelist(requestedHost);
- defaultWhitelist = String.format(Locale.ROOT,
DEFAULT_DISPATCH_WHITELIST_TEMPLATE, requestedHost);
+ defaultWhitelist = String.format(Locale.ROOT, whitelistTemplate,
requestedHost);
}
}
// If the whitelist has not been determined at this point, default to just
the local/relative whitelist
if (defaultWhitelist == null) {
LOG.unableToDetermineKnoxDomainForDefaultWhitelist("localhost");
- defaultWhitelist = String.format(Locale.ROOT,
DEFAULT_DISPATCH_WHITELIST_TEMPLATE, LOCALHOST_REGEXP_SEGMENT);
+ defaultWhitelist = String.format(Locale.ROOT, whitelistTemplate,
LOCALHOST_REGEXP_SEGMENT);
}
return defaultWhitelist;
}
-
private static String getDomain(String hostname) {
String domain = null;
@@ -120,19 +121,17 @@ public class WhitelistUtils {
return domain;
}
-
- private static String defineWhitelistForDomain(String domain) {
+ private static String defineWhitelistForDomain(String domain, String
whitelistTemplate) {
String whitelist = null;
if (domain != null && !domain.isEmpty()) {
String domainPattern = ".+" + domain.replaceAll("\\.", "\\\\.");
- whitelist = String.format(Locale.ROOT,
DEFAULT_DISPATCH_WHITELIST_TEMPLATE, "(" + domainPattern + ")");
+ whitelist = String.format(Locale.ROOT, whitelistTemplate, "(" +
domainPattern + ")");
}
return whitelist;
}
-
private static String stripPort(String hostName) {
String result = hostName;
@@ -143,6 +142,4 @@ public class WhitelistUtils {
return result;
}
-
-
}
diff --git
a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
index 0f0804d..411a1f3 100644
---
a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
+++
b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
@@ -34,11 +34,10 @@ import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
public class WhitelistUtilsTest {
-
private static final List<String> LOCALHOST_NAMES =
Arrays.asList("localhost", "127.0.0.1", "0:0:0:0:0:0:0:1", "::1");
@Test
- public void testDefault() throws Exception {
+ public void testDefault() {
String whitelist =
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.emptyList(),
null), "TEST");
assertNull("The test service role is not configured to honor the
whitelist, so there should be none returned.",
whitelist);
@@ -48,13 +47,13 @@ public class WhitelistUtilsTest {
* KNOXSSO is implicitly included in the set of service roles for which the
whitelist will be applied.
*/
@Test
- public void testDefaultKnoxSSO() throws Exception {
+ public void testDefaultKnoxSSO() {
String whitelist =
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.emptyList(),
null), "KNOXSSO");
assertNotNull(whitelist);
}
@Test
- public void testDefaultForAffectedServiceRole() throws Exception {
+ public void testDefaultForAffectedServiceRole() {
final String serviceRole = "TEST";
GatewayConfig config =
createMockGatewayConfig(Collections.singletonList(serviceRole), null);
@@ -71,7 +70,7 @@ public class WhitelistUtilsTest {
}
@Test
- public void testDefaultDomainWhitelist() throws Exception {
+ public void testDefaultDomainWhitelist() {
final String serviceRole = "TEST";
String whitelist =
@@ -93,7 +92,7 @@ public class WhitelistUtilsTest {
}
@Test
- public void testDefaultDomainWhitelistWithXForwardedHost() throws Exception {
+ public void testDefaultDomainWhitelistWithXForwardedHost() {
final String serviceRole = "TEST";
String whitelist =
@@ -106,7 +105,7 @@ public class WhitelistUtilsTest {
}
@Test
- public void testDefaultDomainWhitelistWithXForwardedHostAndPort() throws
Exception {
+ public void testDefaultDomainWhitelistWithXForwardedHostAndPort() {
final String serviceRole = "TEST";
String whitelist =
@@ -120,7 +119,7 @@ public class WhitelistUtilsTest {
}
@Test
- public void testConfiguredWhitelist() throws Exception {
+ public void testConfiguredWhitelist() {
final String serviceRole = "TEST";
final String WHITELIST = "^.*\\.my\\.domain\\.com.*$";
@@ -132,7 +131,7 @@ public class WhitelistUtilsTest {
}
@Test
- public void testLocalhostAddressAsHostName() throws Exception {
+ public void testLocalhostAddressAsHostName() {
final String serviceRole = "TEST";
// InetAddress#getCanonicalHostName() sometimes returns the IP address as
the host name
String whitelist =
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
null),
@@ -143,7 +142,7 @@ public class WhitelistUtilsTest {
}
@Test
- public void testExplicitlyConfiguredDefaultWhitelist() throws Exception {
+ public void testExplicitlyConfiguredDefaultWhitelist() {
final String serviceRole = "TEST";
final String WHITELIST = "DEFAULT";
@@ -155,6 +154,21 @@ public class WhitelistUtilsTest {
RegExUtils.checkWhitelist(whitelist, "http://localhost:9099/";));
}
+ @Test
+ public void testExplicitlyConfiguredHttpsOnlyWhitelist() {
+ final String serviceRole = "TEST";
+ final String WHITELIST = "HTTPS_ONLY";
+
+ String whitelist =
+
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
WHITELIST),
+ serviceRole);
+ assertNotNull(whitelist);
+ assertFalse("Expected to not match whitelist given the explicitly
configured HTTPS_ONLY whitelist.",
+ RegExUtils.checkWhitelist(whitelist, "http://localhost:9099/";));
+ assertTrue("Expected to match whitelist given the explicitly configured
HTTPS_ONLY whitelist.",
+ RegExUtils.checkWhitelist(whitelist, "https://localhost:9099/";));
+ }
+
private String doTestGetDispatchWhitelist(GatewayConfig config, String
serviceRole) {
return doTestGetDispatchWhitelist(config, "localhost", serviceRole);
}
@@ -185,9 +199,10 @@ public class WhitelistUtilsTest {
String result = null;
if (xForwardedHost != null && !xForwardedHost.isEmpty()) {
try {
- Method method =
WhitelistUtils.class.getDeclaredMethod("deriveDefaultDispatchWhitelist",
HttpServletRequest.class);
+ Method method =
WhitelistUtils.class.getDeclaredMethod("deriveDefaultDispatchWhitelist",
+ HttpServletRequest.class, String.class);
method.setAccessible(true);
- result = (String) method.invoke(null, request);
+ result = (String) method.invoke(null, request,
WhitelistUtils.DEFAULT_DISPATCH_WHITELIST_TEMPLATE);
} catch (Exception e) {
e.printStackTrace();
}
@@ -205,9 +220,10 @@ public class WhitelistUtilsTest {
String domain = (String) getDomainMethod.invoke(null, serverName);
// Then, invoke the method for defining the whitelist based on the domain
we just derived (which may be invalid)
- Method defineWhitelistMethod =
WhitelistUtils.class.getDeclaredMethod("defineWhitelistForDomain",
String.class);
+ Method defineWhitelistMethod =
WhitelistUtils.class.getDeclaredMethod("defineWhitelistForDomain",
+ String.class, String.class);
defineWhitelistMethod.setAccessible(true);
- return (String) defineWhitelistMethod.invoke(null, domain);
+ return (String) defineWhitelistMethod.invoke(null, domain,
WhitelistUtils.DEFAULT_DISPATCH_WHITELIST_TEMPLATE);
}
private static GatewayConfig createMockGatewayConfig(final List<String>
serviceRoles, final String whitelist) {
