Author: jtarrio
Date: Sat May  7 01:20:08 2011
New Revision: 1100426

URL: http://svn.apache.org/viewvc?rev=1100426&view=rev
Log:
Apply gadget blacklist for proxy and makeRequest requests

After a gadget has been blacklisted, it may still remain loaded in some browsers
and continue issuing requests. This applies the blacklist to proxy and
makeRequest so they will no longer be processed for blacklisted gadgets.

Review: http://codereview.appspot.com/4462041/

Modified:
    
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
    
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java
    
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java
    
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java
    
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyHandlerTest.java

Modified: 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java?rev=1100426&r1=1100425&r2=1100426&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
 Sat May  7 01:20:08 2011
@@ -33,6 +33,7 @@ import org.apache.shindig.config.Contain
 import org.apache.shindig.gadgets.AuthType;
 import org.apache.shindig.gadgets.FeedProcessor;
 import org.apache.shindig.gadgets.FetchResponseUtils;
+import org.apache.shindig.gadgets.GadgetBlacklist;
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.GadgetException.Code;
 import org.apache.shindig.gadgets.http.HttpRequest;
@@ -76,15 +77,18 @@ public class MakeRequestHandler {
   private final RequestPipeline requestPipeline;
   private final ResponseRewriterRegistry contentRewriterRegistry;
   private final Provider<FeedProcessor> feedProcessorProvider;
+  private final GadgetBlacklist gadgetBlacklist;
 
   @Inject
   public MakeRequestHandler(RequestPipeline requestPipeline,
       @RewriterRegistry(rewriteFlow = RewriteFlow.DEFAULT)
       ResponseRewriterRegistry contentRewriterRegistry,
-      Provider<FeedProcessor> feedProcessorProvider) {
+      Provider<FeedProcessor> feedProcessorProvider,
+      GadgetBlacklist gadgetBlacklist) {
     this.requestPipeline = requestPipeline;
     this.contentRewriterRegistry = contentRewriterRegistry;
     this.feedProcessorProvider = feedProcessorProvider;
+    this.gadgetBlacklist = gadgetBlacklist;
   }
 
   /**
@@ -94,6 +98,11 @@ public class MakeRequestHandler {
       throws GadgetException, IOException {
     HttpRequest rcr = buildHttpRequest(request);
 
+    if (rcr.getGadget() != null && 
gadgetBlacklist.isBlacklisted(rcr.getGadget())) {
+      throw new GadgetException(GadgetException.Code.BLACKLISTED_GADGET,
+          "The requested content is unavailable", HttpResponse.SC_FORBIDDEN);
+    }
+    
     // Serialize the response
     HttpResponse results = requestPipeline.execute(rcr);
 
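Review bot: The new guard before `requestPipeline.execute(rcr)` fails open: when `rcr.getGadget()` is null the blacklist is never consulted, and the same condition is repeated in the ProxyHandler.fetch hunk further down. Judging by the accompanying test, the gadget URL comes from a request parameter, so the check is only as strong as that parameter's binding to the caller; whether a security token also pins it is not visible here. I would state that above the guard, e.g. `// Best effort: requests that carry no gadget URL are not checked against the blacklist.`, and consider logging rejected requests so operators can see which blacklisted gadgets are still active. The enclosing method starts and ends outside the hunk.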

Modified: 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java?rev=1100426&r1=1100425&r2=1100426&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java
 Sat May  7 01:20:08 2011
@@ -26,6 +26,7 @@ import com.google.inject.name.Named;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.shindig.common.uri.Uri;
+import org.apache.shindig.gadgets.GadgetBlacklist;
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.http.HttpRequest;
 import org.apache.shindig.gadgets.http.HttpResponse;
@@ -53,16 +54,19 @@ public class ProxyHandler {
   private final RequestPipeline requestPipeline;
   private final ResponseRewriterRegistry contentRewriterRegistry;
   protected final boolean remapInternalServerError;
+  private final GadgetBlacklist gadgetBlacklist;
 
   @Inject
   public ProxyHandler(RequestPipeline requestPipeline,
                       @RewriterRegistry(rewriteFlow = RewriteFlow.DEFAULT)
                       ResponseRewriterRegistry contentRewriterRegistry,
                       @Named("shindig.proxy.remapInternalServerError")
-                      Boolean remapInternalServerError) {
+                      Boolean remapInternalServerError,
+                      GadgetBlacklist gadgetBlacklist) {
     this.requestPipeline = requestPipeline;
     this.contentRewriterRegistry = contentRewriterRegistry;
     this.remapInternalServerError = remapInternalServerError;
+    this.gadgetBlacklist = gadgetBlacklist;
   }
 
   /**
@@ -84,6 +88,11 @@ public class ProxyHandler {
           "No url parameter in request", HttpResponse.SC_BAD_REQUEST);
     }
 
+    if (rcr.getGadget() != null && 
gadgetBlacklist.isBlacklisted(rcr.getGadget())) {
+      throw new GadgetException(GadgetException.Code.BLACKLISTED_GADGET,
+          "The requested content is unavailable", HttpResponse.SC_FORBIDDEN);
+    }
+    
     HttpResponse results = requestPipeline.execute(rcr);
 
     if (results.isError()) {

Modified: 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java?rev=1100426&r1=1100425&r2=1100426&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java
 Sat May  7 01:20:08 2011
@@ -21,6 +21,7 @@ package org.apache.shindig.gadgets.servl
 import static junitx.framework.StringAssert.assertStartsWith;
 import static org.easymock.EasyMock.capture;
 import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.isA;
 
 import com.google.common.collect.Lists;
 
@@ -31,6 +32,7 @@ import org.apache.shindig.common.testing
 import org.apache.shindig.common.uri.Uri;
 import org.apache.shindig.config.ContainerConfig;
 import org.apache.shindig.gadgets.AuthType;
+import org.apache.shindig.gadgets.GadgetBlacklist;
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.http.HttpRequest;
 import org.apache.shindig.gadgets.http.HttpResponse;
@@ -62,8 +64,9 @@ public class MakeRequestHandlerTest exte
   private static final String RESPONSE_BODY = "makeRequest response body";
   private static final SecurityToken DUMMY_TOKEN = new FakeGadgetToken();
 
+  private final GadgetBlacklist gadgetBlacklist = mock(GadgetBlacklist.class);
   private final MakeRequestHandler handler
-      = new MakeRequestHandler(pipeline, rewriterRegistry, 
feedProcessorProvider);
+      = new MakeRequestHandler(pipeline, rewriterRegistry, 
feedProcessorProvider, gadgetBlacklist);
 
   private void expectGetAndReturnBody(String response) throws Exception {
     expectGetAndReturnBody(AuthType.NONE, response);
@@ -171,6 +174,22 @@ public class MakeRequestHandlerTest exte
     assertEquals(-1, httpRequest.getCacheTtl());
   }
 
+  @Test
+  public void GetRequestWithBlacklistedGadget() throws Exception {
+    
expect(request.getParameter(Param.GADGET.getKey())).andReturn("http://some/gadget.xml";).anyTimes();
+    expect(gadgetBlacklist.isBlacklisted(isA(Uri.class))).andReturn(true);
+    replay();
+    boolean exceptionThrown = false;
+    try {
+      handler.fetch(request, recorder);
+    } catch (GadgetException e) {
+      exceptionThrown = true;
+      assertEquals(403, e.getHttpStatusCode());
+      assertEquals(GadgetException.Code.BLACKLISTED_GADGET, e.getCode());
+    }
+    assertTrue(exceptionThrown);
+    verify();
+  }
 
   @Test
   public void testExplicitHeaders() throws Exception {
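Review bot: `GetRequestWithBlacklistedGadget` breaks the `testXxx` naming used by the neighbouring `testExplicitHeaders`, and the `exceptionThrown` flag makes the expected-failure path harder to read than it needs to be. I would rename it `testGetRequestWithBlacklistedGadget` and call `fail("expected GadgetException");` right after `handler.fetch(request, recorder);`, dropping the flag and the trailing `assertTrue`. Using `HttpResponse.SC_FORBIDDEN` instead of the literal `403` would also match the ProxyHandlerTest counterpart.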

Modified: 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java?rev=1100426&r1=1100425&r2=1100426&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java
 Sat May  7 01:20:08 2011
@@ -23,6 +23,7 @@ import static junitx.framework.StringAss
 import static org.easymock.EasyMock.expect;
 
 import org.apache.shindig.common.uri.Uri;
+import org.apache.shindig.gadgets.GadgetBlacklist;
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.http.HttpRequest;
 import org.apache.shindig.gadgets.http.HttpResponse;
@@ -50,8 +51,10 @@ public class MakeRequestServletTest exte
   private static final Enumeration<String> EMPTY_ENUM
       = Collections.enumeration(Collections.<String>emptyList());
 
+  private final GadgetBlacklist gadgetBlacklist = mock(GadgetBlacklist.class);
   private final MakeRequestServlet servlet = new MakeRequestServlet();
-  private final MakeRequestHandler handler = new MakeRequestHandler(pipeline, 
null, feedProcessorProvider);
+  private final MakeRequestHandler handler =
+      new MakeRequestHandler(pipeline, null, feedProcessorProvider, 
gadgetBlacklist);
 
   private final HttpRequest internalRequest = new HttpRequest(REQUEST_URL);
   private final HttpResponse internalResponse = new 
HttpResponse(RESPONSE_BODY);

Modified: 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyHandlerTest.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyHandlerTest.java?rev=1100426&r1=1100425&r2=1100426&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyHandlerTest.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyHandlerTest.java
 Sat May  7 01:20:08 2011
@@ -27,6 +27,7 @@ import org.apache.shindig.common.uri.Uri
 import org.apache.shindig.common.util.FakeTimeSource;
 import org.apache.shindig.config.ContainerConfig;
 import org.apache.shindig.gadgets.Gadget;
+import org.apache.shindig.gadgets.GadgetBlacklist;
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.http.HttpRequest;
 import org.apache.shindig.gadgets.http.HttpResponse;
@@ -46,6 +47,7 @@ import org.easymock.EasyMock;
 import static org.easymock.EasyMock.capture;
 import static org.easymock.EasyMock.expect;
 import static org.easymock.EasyMock.isA;
+
 import org.junit.Test;
 
 import java.util.Arrays;
@@ -53,21 +55,24 @@ import java.util.List;
 import java.util.Map;
 
 public class ProxyHandlerTest extends EasyMockTestCase {
+  private final static String GADGET = "http://some/gadget.xml";;
   private final static String URL_ONE = "http://www.example.org/test.html";;
   private final static String DATA_ONE = "hello world";
 
   public final RequestPipeline pipeline = mock(RequestPipeline.class);
+  private GadgetBlacklist gadgetBlacklist = mock(GadgetBlacklist.class); 
   public CaptureRewriter rewriter = new CaptureRewriter();
   public ResponseRewriterRegistry rewriterRegistry
       = new 
DefaultResponseRewriterRegistry(Arrays.<ResponseRewriter>asList(rewriter), 
null);
   private ProxyUriManager.ProxyUri request;
 
   private final ProxyHandler proxyHandler
-      = new ProxyHandler(pipeline, rewriterRegistry, true);
+      = new ProxyHandler(pipeline, rewriterRegistry, true, gadgetBlacklist);
 
   private void expectGetAndReturnData(String url, byte[] data) throws 
Exception {
     HttpRequest req = new HttpRequest(Uri.parse(url));
     HttpResponse resp = new HttpResponseBuilder().setResponse(data).create();
+    expect(gadgetBlacklist.isBlacklisted(isA(Uri.class))).andReturn(false);
     expect(pipeline.execute(req)).andReturn(resp);
   }
 
@@ -75,20 +80,21 @@ public class ProxyHandlerTest extends Ea
       throws Exception {
     HttpRequest req = new HttpRequest(Uri.parse(url));
     HttpResponse resp = new 
HttpResponseBuilder().addAllHeaders(headers).create();
+    expect(gadgetBlacklist.isBlacklisted(isA(Uri.class))).andReturn(false);
     expect(pipeline.execute(req)).andReturn(resp);
   }
-
+  
   private void setupProxyRequestMock(String host, String url,
       boolean noCache, int refresh, String rewriteMime, String fallbackUrl) 
throws Exception {
     request = new ProxyUriManager.ProxyUri(
-        refresh, false, noCache, ContainerConfig.DEFAULT_CONTAINER, null, 
Uri.parse(url));
+        refresh, false, noCache, ContainerConfig.DEFAULT_CONTAINER, GADGET, 
Uri.parse(url));
     request.setFallbackUrl(fallbackUrl);
     request.setRewriteMimeType(rewriteMime);
   }
 
   private void setupNoArgsProxyRequestMock(String host, String url) throws 
Exception {
     request = new ProxyUriManager.ProxyUri(
-        -1, false, false, ContainerConfig.DEFAULT_CONTAINER, null,
+        -1, false, false, ContainerConfig.DEFAULT_CONTAINER, GADGET,
         url != null ? Uri.parse(url) : null);
   }
 
@@ -112,6 +118,26 @@ public class ProxyHandlerTest extends Ea
   }
 
   @Test
+  public void testBlacklistedGadget() throws Exception {
+    String url = "http://example.org/mypage.html";;
+    String domain = "example.org";
+    String gadget = "http://blacklisted/gadget.xml";;
+    setupProxyRequestMock(domain, url, true, -1, null, null);
+    expect(gadgetBlacklist.isBlacklisted(isA(Uri.class))).andReturn(true);
+    replay();
+    boolean exceptionCaught = false;
+    try {
+      proxyHandler.fetch(request);
+    } catch (GadgetException e) {
+      exceptionCaught = true;
+      assertEquals(GadgetException.Code.BLACKLISTED_GADGET, e.getCode());
+      assertEquals(HttpResponse.SC_FORBIDDEN, e.getHttpStatusCode());
+    }
+    assertTrue(exceptionCaught);
+    verify();
+  }
+  
+  @Test
   public void testInvalidHeaderDropped() throws Exception {
     String url = "http://example.org/mypage.html";;
     String domain = "example.org";
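Review bot: The local `gadget` declared in `testBlacklistedGadget` is never used: `setupProxyRequestMock` builds the request with the `GADGET` constant, and `isA(Uri.class)` accepts any URI, so the test does not show that the handler checks the request's own gadget URL. I would remove the unused local and match the expected argument, `expect(gadgetBlacklist.isBlacklisted(Uri.parse(GADGET))).andReturn(true);`, assuming `Uri` compares by value. Since both setup helpers now pass `GADGET` instead of `null`, no test visible in this diff exercises the null-gadget path that skips the check; one such case would pin that behaviour down.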
@@ -301,6 +327,7 @@ public class ProxyHandlerTest extends Ea
         .addHeader("Content-Type", contentType)
         .create();
 
+    expect(gadgetBlacklist.isBlacklisted(isA(Uri.class))).andReturn(false);
     expect(pipeline.execute((HttpRequest) 
EasyMock.anyObject())).andReturn(resp);
 
     replay();
@@ -311,7 +338,7 @@ public class ProxyHandlerTest extends Ea
     ResponseRewriterRegistry rewriterRegistry =
         new DefaultResponseRewriterRegistry(
             Arrays.<ResponseRewriter>asList(rewriter), null);
-    ProxyHandler proxyHandler = new ProxyHandler(pipeline, rewriterRegistry, 
true);
+    ProxyHandler proxyHandler = new ProxyHandler(pipeline, rewriterRegistry, 
true, gadgetBlacklist);
 
     request.setReturnOriginalContentOnError(true);
     HttpResponse recorder = proxyHandler.fetch(request);
@@ -338,6 +365,7 @@ public class ProxyHandlerTest extends Ea
         .addHeader("Content-Type", contentType)
         .create();
 
+    expect(gadgetBlacklist.isBlacklisted(isA(Uri.class))).andReturn(false);
     expect(pipeline.execute((HttpRequest) 
EasyMock.anyObject())).andReturn(resp);
 
     replay();
@@ -348,7 +376,7 @@ public class ProxyHandlerTest extends Ea
     ResponseRewriterRegistry rewriterRegistry =
         new DefaultResponseRewriterRegistry(
             Arrays.<ResponseRewriter>asList(rewriter), null);
-    ProxyHandler proxyHandler = new ProxyHandler(pipeline, rewriterRegistry, 
true);
+    ProxyHandler proxyHandler = new ProxyHandler(pipeline, rewriterRegistry, 
true, gadgetBlacklist);
 
     boolean exceptionCaught = false;
     try {

