This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 5b1dbeb HDDS-6204. Cleanup handling malformed authorization header
(#2999)
5b1dbeb is described below
commit 5b1dbeb0537289075d4baf46f3447b18126e9d60
Author: UENISHI Kota <[email protected]>
AuthorDate: Mon Feb 7 21:28:09 2022 +0900
HDDS-6204. Cleanup handling malformed authorization header (#2999)
---
.../hadoop/ozone/s3/OzoneClientProducer.java | 17 ++++------
.../hadoop/ozone/s3/exception/S3ErrorTable.java | 2 +-
.../hadoop/ozone/s3/TestOzoneClientProducer.java | 39 +++++++++++++++++++++-
3 files changed, 46 insertions(+), 12 deletions(-)
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
index 9b186e8..0cd5b4a 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientProducer.java
@@ -44,7 +44,7 @@ import org.slf4j.LoggerFactory;
import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_OM_CLIENT_PROTOCOL_VERSION;
import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_OM_CLIENT_PROTOCOL_VERSION_KEY;
import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.INTERNAL_ERROR;
-import static
org.apache.hadoop.ozone.s3.exception.S3ErrorTable.MALFORMED_HEADER;
+import static org.apache.hadoop.ozone.s3.exception.S3ErrorTable.ACCESS_DENIED;
/**
* This class creates the OzoneClient for the Rest endpoints.
@@ -90,7 +90,12 @@ public class OzoneClientProducer {
}
String awsAccessId = signatureInfo.getAwsAccessId();
- validateAccessId(awsAccessId);
+ // ONLY validate aws access id when needed.
+ if (awsAccessId == null || awsAccessId.equals("")) {
+ LOG.debug("Malformed s3 header. awsAccessID: ", awsAccessId);
+ throw ACCESS_DENIED;
+ }
+
return new S3Auth(stringToSign,
signatureInfo.getSignature(),
awsAccessId);
@@ -123,14 +128,6 @@ public class OzoneClientProducer {
}
}
- // ONLY validate aws access id when needed.
- private void validateAccessId(String awsAccessId) throws Exception {
- if (awsAccessId == null || awsAccessId.equals("")) {
- LOG.error("Malformed s3 header. awsAccessID: ", awsAccessId);
- throw wrapOS3Exception(MALFORMED_HEADER);
- }
- }
-
public void setOzoneConfiguration(OzoneConfiguration config) {
this.ozoneConfiguration = config;
}
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
index 70dcff1..d36e81d 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/exception/S3ErrorTable.java
@@ -65,7 +65,7 @@ public final class S3ErrorTable {
public static final OS3Exception MALFORMED_HEADER = new OS3Exception(
"AuthorizationHeaderMalformed", "The authorization header you provided "
+
- "is invalid.", HTTP_NOT_FOUND);
+ "is invalid.", HTTP_BAD_REQUEST);
public static final OS3Exception NO_SUCH_KEY = new OS3Exception(
"NoSuchKey", "The specified key does not exist", HTTP_NOT_FOUND);
diff --git
a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
index 83305f0..d02c3cc 100644
---
a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
+++
b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3/TestOzoneClientProducer.java
@@ -17,6 +17,7 @@
*/
package org.apache.hadoop.ozone.s3;
+import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
@@ -31,6 +32,9 @@ import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.ozone.om.OMConfigKeys;
import org.apache.hadoop.ozone.s3.signature.AWSSignatureProcessor;
+import static java.net.HttpURLConnection.HTTP_BAD_REQUEST;
+import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
+
import static
org.apache.hadoop.ozone.s3.signature.SignatureParser.AUTHORIZATION_HEADER;
import static
org.apache.hadoop.ozone.s3.signature.SignatureProcessor.CONTENT_MD5;
import static
org.apache.hadoop.ozone.s3.signature.SignatureProcessor.CONTENT_TYPE;
@@ -118,7 +122,10 @@ public class TestOzoneClientProducer {
},
{
null, null, null, null, null, null
- }
+ },
+ {
+ "", null, null, null, null, null
+ },
});
}
@@ -133,6 +140,36 @@ public class TestOzoneClientProducer {
}
@Test
+ public void testGetSignature() {
+ try {
+ System.err.println("Testing: " + authHeader);
+ OzoneConfiguration configuration = new OzoneConfiguration();
+ configuration.set(OMConfigKeys.OZONE_OM_SERVICE_IDS_KEY, "ozone1");
+ configuration.set(OMConfigKeys.OZONE_OM_ADDRESS_KEY, "ozone1addr:9399");
+ producer.setOzoneConfiguration(configuration);
+ producer.getSignature();
+ if ("".equals(authHeader)) {
+ fail("Empty AuthHeader must fail");
+ }
+ } catch (WebApplicationException ex) {
+ if (authHeader == null || authHeader.equals("")) {
+ // Empty auth header should be 403
+ Assert.assertEquals(HTTP_FORBIDDEN, ex.getResponse().getStatus());
+ // TODO: Should return XML in body like this (bot not for now):
+ // <Error>
+ // <Code>AccessDenied</Code><Message>Access Denied</Message>
+ // <RequestId>...</RequestId><HostId>...</HostId>
+ // </Error>
+ } else {
+ // Other requests have stale timestamp and thus should fail
+ Assert.assertEquals(HTTP_BAD_REQUEST, ex.getResponse().getStatus());
+ }
+ } catch (Exception ex) {
+ fail("Unexpected exception: " + ex);
+ }
+ }
+
+ @Test
public void testGetClientFailureWithMultipleServiceIds() {
try {
OzoneConfiguration configuration = new OzoneConfiguration();
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
