Rusi Popov created TINKERPOP-2782:
-------------------------------------
Summary: WebSocketAuthorizationHandler does not transfer the
request's sessionId, needed in UnifiedHandler
Key: TINKERPOP-2782
URL: https://issues.apache.org/jira/browse/TINKERPOP-2782
Project: TinkerPop
Issue Type: Bug
Components: server
Affects Versions: 3.5.4, 3.6.1, 3.5.3, 3.5.2, 3.6.0
Reporter: Rusi Popov

When the gremlin-server.yaml configures the gremlin server to use the
UnifiedChannelizer with an explicit Authorizer:
{code:yaml}
channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
authorization:
  authorizer: <some class>
{code}
the UnifiedChannelizer registers
org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler
before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the
pipeline.
The WebSocketAuthorizationHandler uses the Authorizer to transform the
bytecode, builds a new request message with the transformed bytecode, and
pushes the new message down the pipeline for processing:
(in 3.6.1 these are lines)
{code:java}
case Tokens.OPS_BYTECODE:
    final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
    final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
    final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
    final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
            overrideRequestId(requestMessage.getRequestId()).
            processor("traversal").
            addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
            addArg(Tokens.ARGS_ALIASES, aliases).create();
    ctx.fireChannelRead(restrictedMsg);
    break;
{code}
Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which
uses session ID for session detection:
(lines 146-147)
{code:java}
final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
{code}
*The problem:*
WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the
UnifiedHandler, so it uses the request's ID as a new session ID every time.
*Suggestion:*
In WebSocketAuthorizationHandler, iterate on the args and copy every arg but
ARGS_GREMLIN, then set the latter to the restricted bytecode.
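
The report's problem and suggestion, modelled side by side as an added example (not TinkerPop code and not a patch from the reporter or the project). Request args are represented as a plain Map, and the class name, method names, constant values and sample data are assumptions made for illustration.

```java
import java.util.*;

// Added illustration, not TinkerPop code: request args are modelled as a plain Map.
public class SessionArgCopy {
    // Stand-ins for Tokens.ARGS_GREMLIN / ARGS_ALIASES / ARGS_SESSION; the string values are assumed.
    static final String ARGS_GREMLIN = "gremlin";
    static final String ARGS_ALIASES = "aliases";
    static final String ARGS_SESSION = "session";

    // Behaviour described in the report: only gremlin and aliases reach the rebuilt message.
    static Map<String, Object> rebuildDroppingArgs(Map<String, Object> args, Object restricted) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put(ARGS_GREMLIN, restricted);
        out.put(ARGS_ALIASES, args.get(ARGS_ALIASES));
        return out;
    }

    // Suggested behaviour: copy every arg except gremlin, then set gremlin to the restricted bytecode.
    static Map<String, Object> rebuildCopyingArgs(Map<String, Object> args, Object restricted) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : args.entrySet()) {
            if (!ARGS_GREMLIN.equals(e.getKey())) out.put(e.getKey(), e.getValue());
        }
        out.put(ARGS_GREMLIN, restricted); // the unrestricted bytecode is never forwarded
        return out;
    }

    // Mirrors the UnifiedHandler lookup quoted above: session arg if present, else the request id.
    static String sessionId(Map<String, Object> args, UUID requestId) {
        Object s = args.get(ARGS_SESSION);
        return s != null ? s.toString() : requestId.toString();
    }

    public static void main(String[] unused) {
        // Constructed sample: two requests that carry the same client session id.
        for (int i = 0; i < 2; i++) {
            UUID requestId = UUID.randomUUID();
            Map<String, Object> args = new LinkedHashMap<>();
            args.put(ARGS_GREMLIN, "original-bytecode");
            args.put(ARGS_ALIASES, Map.of("g", "g"));
            args.put(ARGS_SESSION, "client-session-1");
            System.out.println("dropped: " + sessionId(rebuildDroppingArgs(args, "restricted-bytecode"), requestId));
            System.out.println("copied:  " + sessionId(rebuildCopyingArgs(args, "restricted-bytecode"), requestId));
        }
    }
}
```

With the args dropped, each request resolves to its own request ID as the session; with the args copied, both requests resolve to the session the client sent, and the gremlin arg is still the authorizer's restricted bytecode.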