[ https://issues.apache.org/jira/browse/KNOX-3175?focusedWorklogId=977108&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-977108 ]

ASF GitHub Bot logged work on KNOX-3175:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 31/Jul/25 13:45
            Start Date: 31/Jul/25 13:45
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1070:
URL: https://github.com/apache/knox/pull/1070

   ## What changes were proposed in this pull request?
   
   This PR simplifies and modernizes the `JWTFederationFilter` implementation 
by replacing the manual parsing of the HTTP request body with the more 
idiomatic usage of `HttpServletRequest.getParameter(...)`. It also updates the 
related unit tests accordingly.
   
   **Simplified client credentials handling:**
   
   - Removed custom logic to read and parse the request body 
(`getRequestBodyString(...)` and 
`RequestBodyUtils.getRequestBodyParameter(...)`).
   - Replaced it with calls to `request.getParameter(...)`, leveraging the 
Servlet API to extract parameters from form-encoded POST requests.
   
   **Improved client secret validation logic:**
   
   - Ensured that passing client_secret via query parameters is explicitly 
blocked, with an appropriate exception message.
   
   **Refactored test cases:**
   
   - Updated tests to align with the new `getParameter(...)`-based logic.
   - Replaced `getInputStream()` mocking with expectations for 
`getParameter(...)` and `getQueryString()`.
   - Introduced helper methods (e.g., `ensureClientCredentials(...)`) to 
improve readability and reusability of test logic.
   
   ## How was this patch tested?
   
   Built the project and ran unit tests.
   
   Executed the same `beeline` queries which I used to reproduce the issue in 
the first place.
   
   1. Using a JWT Token
   ```
   beeline -u 'jdbc:hive2://KNOX_HOST:8443/;ssl=true;sslTrustStore=gateway-client-trust.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/token/hive' -n Token -p eyJqa3UiOiJodHRwczovL2NjeWNsb3VkLTEuc21vbG5hci5yb290LmNvbW9wcy5zaXRlOjg0NDMvZ2F0ZXdheS9ob21lcGFnZS9rbm94dG9rZW4vYXBpL3YyL2p3a3MuanNvbiIsImtpZCI6IjBzQXZlbDc5eTdvbTU3ZmF2RDBvRFczeDlteUJhRU5FYW4tQm5LTFAxT2MiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJrbm94dWkiLCJhdWQiOiJjZHAtcHJveHktdG9rZW4iLCJqa3UiOiJodHRwczovL2NjeWNsb3VkLTEuc21vbG5hci5yb290LmNvbW9wcy5zaXRlOjg0NDMvZ2F0ZXdheS9ob21lcGFnZS9rbm94dG9rZW4vYXBpL3YyL2p3a3MuanNvbiIsImtpZCI6IjBzQXZlbDc5eTdvbTU3ZmF2RDBvRFczeDlteUJhRU5FYW4tQm5LTFAxT2MiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNzU0MDM5NjgwLCJtYW5hZ2VkLnRva2VuIjoidHJ1ZSIsImtub3guaWQiOiI0MGE0ZjJmMy1iNTU1LTQ4ODEtYWY1Ni02Njg1NTM1MzIwODUifQ.dBMzOExmhc_Fz-RBCvJhzUXRcFdznqf5QBcwqRxpIH4UnRG3Qd_qxSvGA5rE1WMszsOOg9J2Q6wMapWI7TcMdAmMupU-2Jt5k2Kdieer2htOmckgiB7Qf_6qXuaUzZUV_rItr94GdWo4tRXOGy72c-EEjmNjgViXojZkfMJaM_gJunUY1cM9VZAFZTZfHZrKJTOa_EJ-VzvDHc-je3laxkVnfA6u2NhRabVkX--iXjTlNgs_ZeilgWQeg7m2aAALp5LfNetMgN97VM3hAY6FCfULlBkHLAl1dZDlf2U1P158FYs4bU8proXHs0fOVTQG_Z6JtL3qnfxs9SEAmSGn66ZxFWwqC9TBkdgHJ8JN37F6in_QcJLr6oD_QGDOm_ashJM_uM5D3sPrkjd46Yv9IJZnltYW8KsvRHBiRZ-sG55vyWE3tlT4H8LwD4KTvO_UKR_9Q2-EMBiSpl5D85Tb0f3AeyIgV9R9c7LpETukF0qPKeyPh260WEsyZtD4cfPa -f test.sql
   SLF4J: Class path contains multiple SLF4J bindings.
   ...
   Connecting to jdbc:hive2://KNOX_HOST:8443/;ssl=true;sslTrustStore=gateway-client-trust.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/token/hive
   Connected to: Apache Hive (version 3.1.3000)
   Driver: Hive JDBC (version 3.1.3000)
   Transaction isolation: TRANSACTION_REPEATABLE_READ
   0: jdbc:hive2://HIVE_HOST> SHOW TABLES;
   INFO  : Compiling command(queryId=hive_20250731132544_463084af-2553-47b1-9532-c6deff5a4ae2): SHOW TABLES
   INFO  : Semantic Analysis Completed (retrial = false)
   INFO  : Created Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
   INFO  : Completed compiling command(queryId=hive_20250731132544_463084af-2553-47b1-9532-c6deff5a4ae2); Time taken: 0.007 seconds
   INFO  : Executing command(queryId=hive_20250731132544_463084af-2553-47b1-9532-c6deff5a4ae2): SHOW TABLES
   INFO  : Starting task [Stage-0:DDL] in serial mode
   INFO  : Completed executing command(queryId=hive_20250731132544_463084af-2553-47b1-9532-c6deff5a4ae2); Time taken: 0.014 seconds
   INFO  : OK
   +-----------+
   | tab_name  |
   +-----------+
   +-----------+
   No rows selected (0.499 seconds)
   0: jdbc:hive2://HIVE_HOST> Closing: 0: jdbc:hive2://KNOX_HOST:8443/;ssl=true;sslTrustStore=gateway-client-trust.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/token/hive
   ```
   
   2. Using a Passcode token
   ```
   beeline -u 'jdbc:hive2://KNOX_HOST:8443/;ssl=true;sslTrustStore=gateway-client-trust.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/token/hive' -n Passcode -p TkRCaE5HWXlaak10WWpVMU5TMDBPRGd4TFdGbU5UWXROalk0TlRVek5UTXlNRGcxOjpaVE14WkdFM016TXRNRFV3TnkwME5tVmtMVGd6WlRJdFptWTRZamMzWWpRNFpqTXo= -f test.sql
   ...
   Connecting to jdbc:hive2://KNOX_HOST:8443/;ssl=true;sslTrustStore=gateway-client-trust.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/token/hive
   Connected to: Apache Hive (version 3.1.3000)
   Driver: Hive JDBC (version 3.1.3000)
   Transaction isolation: TRANSACTION_REPEATABLE_READ
   0: jdbc:hive2://HIVE_HOST> SHOW TABLES;
   INFO  : Compiling command(queryId=hive_20250731132524_3d5498d8-7aa4-4f36-bdae-eb8c70e6a159): SHOW TABLES
   INFO  : Semantic Analysis Completed (retrial = false)
   INFO  : Created Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
   INFO  : Completed compiling command(queryId=hive_20250731132524_3d5498d8-7aa4-4f36-bdae-eb8c70e6a159); Time taken: 0.01 seconds
   INFO  : Executing command(queryId=hive_20250731132524_3d5498d8-7aa4-4f36-bdae-eb8c70e6a159): SHOW TABLES
   INFO  : Starting task [Stage-0:DDL] in serial mode
   INFO  : Completed executing command(queryId=hive_20250731132524_3d5498d8-7aa4-4f36-bdae-eb8c70e6a159); Time taken: 0.075 seconds
   INFO  : OK
   +-----------+
   | tab_name  |
   +-----------+
   +-----------+
   No rows selected (0.558 seconds)
   0: jdbc:hive2://HIVE_HOST> Closing: 0: jdbc:hive2://KNOX_HOST:8443/;ssl=true;sslTrustStore=gateway-client-trust.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/token/hive
   ```
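The pattern the PR description lays out, as an added illustration that is not Knox's `JWTFederationFilter` or any other Knox code: a minimal servlet filter that recognises the client credentials grant through `request.getParameter(...)` instead of reading the request body, and rejects a `client_secret` that arrives in the query string. The class name, the request attribute names and the error messages are assumptions; only the `client_id` / `client_secret` parameters, `getParameter(...)` and `getQueryString()` come from the page.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Knox's JWTFederationFilter) showing the approach the
 * PR adopts: let the container parse form-encoded POST parameters instead of
 * draining the InputStream, and refuse a client_secret sent in the URL.
 */
public class ClientCredentialsFilter implements Filter {
  private static final String GRANT_TYPE = "grant_type";
  private static final String CLIENT_CREDENTIALS = "client_credentials";
  private static final String CLIENT_ID = "client_id";
  private static final String CLIENT_SECRET = "client_secret";
  // Hypothetical attribute names that a downstream authenticator would read.
  static final String ATTR_CLIENT_ID = "oauth.client.id";
  static final String ATTR_CLIENT_SECRET = "oauth.client.secret";

  @Override
  public void init(FilterConfig filterConfig) { }

  @Override
  public void destroy() { }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // For a POST with Content-Type application/x-www-form-urlencoded the
    // container parses the body on the first getParameter(...) call and merges
    // it with the query string. The filter never touches the InputStream, so
    // the body is still available to the service the request is dispatched to.
    if (CLIENT_CREDENTIALS.equals(request.getParameter(GRANT_TYPE))) {
      // getParameter(...) cannot tell a body parameter from a query parameter,
      // so the raw query string is inspected separately for the secret.
      if (hasQueryParameter(request.getQueryString(), CLIENT_SECRET)) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
            "client_secret must not be passed as a query parameter");
        return;
      }
      String clientId = request.getParameter(CLIENT_ID);
      String clientSecret = request.getParameter(CLIENT_SECRET);
      if (clientId == null || clientSecret == null) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
            "client_id and client_secret are required for the client credentials grant");
        return;
      }
      // Hand the credentials to the next stage without re-reading the request.
      request.setAttribute(ATTR_CLIENT_ID, clientId);
      request.setAttribute(ATTR_CLIENT_SECRET, clientSecret);
    }
    chain.doFilter(request, response);
  }

  /** True if the (percent-decoded) parameter name occurs in the query string. */
  static boolean hasQueryParameter(String queryString, String name) {
    if (queryString == null || queryString.isEmpty()) {
      return false;
    }
    return Arrays.stream(queryString.split("&"))
        .map(pair -> pair.split("=", 2)[0])
        .map(ClientCredentialsFilter::decode)
        .anyMatch(name::equals);
  }

  private static String decode(String value) {
    try {
      return URLDecoder.decode(value, StandardCharsets.UTF_8.name());
    } catch (UnsupportedEncodingException e) {
      throw new IllegalStateException("UTF-8 is always supported", e);
    }
  }
}
```

Two points worth keeping in mind when applying this pattern: the container only merges body parameters for form-encoded POSTs, so a grant sent with another content type is seen only through its query string (which is consistent with the token endpoint's form-encoding requirement); and because the merged parameter map hides where each value came from, the query-string check above is what enforces the KNOX-3037 rule, not `getParameter(...)` itself.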
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 977108)
    Remaining Estimate: 0h
            Time Spent: 10m

> Client credential flow validation drains request body
> -----------------------------------------------------
>
>                 Key: KNOX-3175
>                 URL: https://issues.apache.org/jira/browse/KNOX-3175
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Testing a simple Passcode token flow between Knox and Hive (using beeline) 
> constantly fails because the authentication challenge is aborted: Knox cuts 
> the connection during that operation.
> The reason for that is that Knox consumes the entire request body to find out 
> if this is a Client Credentials flow. We don't need to read those parameters 
> from the request body because the Servlet API extracts parameters from 
> form-encoded POST requests (which is the case for OAuth flows).
> We should also preserve the check we added in the scope of KNOX-3037: the 
> client secret parameter MUST NOT be present as a query param.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
