This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 4a70b467f6 NIFI-14947 Added Host Validation to StandardIssuerProvider
4a70b467f6 is described below

commit 4a70b467f6cf7ee24003510b1209a903309c9a51
Author: exceptionfactory <[email protected]>
AuthorDate: Tue Sep 9 14:49:29 2025 -0500

    NIFI-14947 Added Host Validation to StandardIssuerProvider
    
    - Replaced invalid host characters with hyphen character
    
    Signed-off-by: Pierre Villard <[email protected]>
    
    This closes #10288.
---
 .../jwt/provider/StandardIssuerProvider.java       | 19 ++++++++++---
 .../jwt/provider/StandardIssuerProviderTest.java   | 33 +++++++++++++---------
 2 files changed, 34 insertions(+), 18 deletions(-)

diff --git 
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProvider.java
 
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProvider.java
index 739d3ac3e5..0976d2b976 100644
--- 
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProvider.java
+++ 
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProvider.java
@@ -18,13 +18,20 @@ package org.apache.nifi.web.security.jwt.provider;
 
 import java.net.InetAddress;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.UnknownHostException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 /**
  * Standard Issuer Provider with configurable host and port for HTTPS URI 
construction
  */
 public class StandardIssuerProvider implements IssuerProvider {
-    private static final String URI_FORMAT = "https://%s:%d";;
+    private static final String HTTPS_SCHEME = "https";
+
+    private static final Pattern HOST_CHARACTERS_PATTERN = 
Pattern.compile("[^a-zA-Z0-9-.]");
+
+    private static final String REPLACEMENT_CHARACTER = "-";
 
     private final URI issuer;
 
@@ -36,8 +43,11 @@ public class StandardIssuerProvider implements 
IssuerProvider {
      */
     public StandardIssuerProvider(final String host, final int port) {
         final String resolvedHost = getResolvedHost(host);
-        final String uri = URI_FORMAT.formatted(resolvedHost, port);
-        this.issuer = URI.create(uri);
+        try {
+            this.issuer = new URI(HTTPS_SCHEME, null, resolvedHost, port, 
null, null, null);
+        } catch (final URISyntaxException e) {
+            throw new IllegalStateException("URI construction failed with Host 
[%s]".formatted(resolvedHost), e);
+        }
     }
 
     /**
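Review bot: The message in the new `catch` reports only the sanitised `resolvedHost`, so an operator who configured a name such as `node_1` would see a host string that appears nowhere in their configuration. Including the original argument makes the failure traceable: `"URI construction failed with Host [%s] resolved from [%s]".formatted(resolvedHost, host)`. The constructor's Javadoc, which begins outside this hunk, could also gain an `@throws IllegalStateException` line now that construction can fail this way.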
@@ -59,7 +69,8 @@ public class StandardIssuerProvider implements IssuerProvider 
{
             resolvedHost = host;
         }
 
-        return resolvedHost;
+        final Matcher resolvedHostMatcher = 
HOST_CHARACTERS_PATTERN.matcher(resolvedHost);
+        return resolvedHostMatcher.replaceAll(REPLACEMENT_CHARACTER);
     }
 
     private String getLocalHost() {
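Review bot: The replacement on the new `return` line can still produce a host that `java.net.URI` rejects when the disallowed character is first or last in a label. For example `_node.local` becomes `-node.local`, and as far as I know the URI hostname grammar does not accept a label that starts or ends with a hyphen, so the constructor's new `catch` would surface it as an IllegalStateException. The mapping is also lossy (`node_1` and `node-1` yield the same issuer), which is worth stating in the Javadoc of getResolvedHost, whose body starts outside this hunk, in case issuers are expected to distinguish nodes. A comment above the return such as `// Replace characters not permitted in URI hostnames; the result may differ from the configured host` would record the intent. Writing the class as `[^a-zA-Z0-9.-]` would also read more clearly than `9-.` in HOST_CHARACTERS_PATTERN.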
diff --git 
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProviderTest.java
 
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProviderTest.java
index 95438ffddf..07b61dd444 100644
--- 
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProviderTest.java
+++ 
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardIssuerProviderTest.java
@@ -18,20 +18,21 @@ package org.apache.nifi.web.security.jwt.provider;
 
 import org.junit.jupiter.api.Test;
 
-import java.net.InetAddress;
 import java.net.URI;
-import java.net.UnknownHostException;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assumptions.assumeFalse;
 
 class StandardIssuerProviderTest {
     private static final String HTTPS_SCHEME = "https";
 
     private static final String LOCALHOST = "localhost.localdomain";
 
+    private static final String HOST_INVALID = "local_host-1.local";
+
+    private static final String HOST_VALID = "local-host-1.local";
+
     private static final int PORT = 8443;
 
     private static final String EMPTY = "";
@@ -52,27 +53,31 @@ class StandardIssuerProviderTest {
 
     @Test
     void testGetIssuerNullHostResolved() {
-        final String localHost = getLocalHost();
-        assumeFalse(localHost == null);
-
         final StandardIssuerProvider provider = new 
StandardIssuerProvider(null, PORT);
 
         final URI issuer = provider.getIssuer();
 
         assertNotNull(issuer);
         assertEquals(HTTPS_SCHEME, issuer.getScheme());
-        assertEquals(localHost, issuer.getHost());
+        final String host = issuer.getHost();
+        assertNotNull(host, "Host not found in Issuer [%s]".formatted(issuer));
         assertEquals(PORT, issuer.getPort());
         assertEquals(EMPTY, issuer.getPath());
         assertNull(issuer.getQuery());
     }
 
-    private String getLocalHost() {
-        try {
-            final InetAddress localHostAddress = InetAddress.getLocalHost();
-            return localHostAddress.getCanonicalHostName();
-        } catch (final UnknownHostException e) {
-            return null;
-        }
+    @Test
+    void testGetIssuerInvalidHost() {
+        final StandardIssuerProvider provider = new 
StandardIssuerProvider(HOST_INVALID, PORT);
+
+        final URI issuer = provider.getIssuer();
+
+        assertNotNull(issuer);
+        assertEquals(HTTPS_SCHEME, issuer.getScheme());
+        final String host = issuer.getHost();
+        assertEquals(HOST_VALID, host);
+        assertEquals(PORT, issuer.getPort());
+        assertEquals(EMPTY, issuer.getPath());
+        assertNull(issuer.getQuery());
     }
 }
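Review bot: The new testGetIssuerInvalidHost covers only an underscore in the middle of a label, so the edge cases of the replacement are untested. A second case with the invalid character at the start or end of a label (a constructed example: `_local-host.local`) would pin down whether the provider is expected to throw or to return a usable issuer there. testGetIssuerNullHostResolved now asserts only that the host is non-null; a check such as `assertTrue(host.matches("[a-zA-Z0-9.-]+"))` (with the matching static import) would keep it verifying that the resolved local host went through sanitising.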
