[
https://issues.apache.org/jira/browse/TINKERPOP-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582344#comment-17582344
]
Rusi Popov commented on TINKERPOP-2782:
---------------------------------------
In addition, the UnifiedHandler, line 298 imposes that the BYTECODE requests
must have exactly one alias g bound. This condition is not needed (though it
could reveal more restrictions like that imposed further in the requests'
processing). There is no such restriction on EVAL requests. It seems partial
and obsolete.
*Suggestion*
Change lines 298-299:
{code:java}
if (aliases.get().size() != 1 || !aliases.get().containsKey(Tokens.VAL_TRAVERSAL_SOURCE_ALIAS)) {
    final String msg = String.format("A message with [%s] op code requires the [%s] argument to be a Map containing one alias assignment named '%s'.",
    ...
{code}
to
{code:java}
if (!aliases.get().containsKey(Tokens.VAL_TRAVERSAL_SOURCE_ALIAS)) {
    final String msg = String.format("A message with [%s] op code requires the [%s] argument to be a Map containing the alias assignment named '%s'.",
    ...
{code}
> WebSocketAuthorizationHandler does not transfer the request's sessionId,
> needed in UnifiedHandler
> -------------------------------------------------------------------------------------------------
>
> Key: TINKERPOP-2782
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2782
> Project: TinkerPop
> Issue Type: Bug
> Components: server
> Affects Versions: 3.6.0, 3.5.2, 3.5.3, 3.6.1, 3.5.4
> Reporter: Rusi Popov
> Priority: Major
>
> When the gremlin-server.yaml configures the gremlin server to use the
> UnifiedChannelizer with an explicit Authorizer:
> {code:yaml}
> channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
> authorization:
>   authorizer: <some class>
> {code}
> the UnifiedChannelizer registers
> org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler
> before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the
> pipeline.
> The WebSocketAuthorizationHandler uses the Authorizer to transform the
> bytecode, builds a new request message with the transformed bytecode, and
> pushes the new message down the pipeline for processing:
> (in 3.6.1 these are lines 66-77)
> {code:java}
> case Tokens.OPS_BYTECODE:
>     final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
>     final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
>     final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
>     final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
>             overrideRequestId(requestMessage.getRequestId()).
>             processor("traversal").
>             addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
>             addArg(Tokens.ARGS_ALIASES, aliases).create();
>     ctx.fireChannelRead(restrictedMsg);
>     break;
> {code}
> Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which
> uses session ID for session detection:
> (lines 146-147)
> {code:java}
> final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
> final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
> {code}
> *The problem:*
> WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to
> the UnifiedHandler, so it uses the request's ID as a new session ID every time.
> *Suggestion:*
> In WebSocketAuthorizationHandler, iterate on the args and copy every arg but
> ARGS_GREMLIN, then set the latter to the restricted bytecode.
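The two suggestions in this thread (copy every request argument except ARGS_GREMLIN when rebuilding the authorized message, and require only that the 'g' alias is present rather than that it is the sole alias) as a worked example. This is added illustration code, not TinkerPop's own handler code: the class name RestrictedMessageExample and the method names withRestrictedBytecode and validateAliases are assumptions, and it assumes gremlin-driver and gremlin-core (RequestMessage, Tokens, Bytecode) on the classpath.

```java
import java.util.Map;
import java.util.Optional;

import org.apache.tinkerpop.gremlin.driver.Tokens;
import org.apache.tinkerpop.gremlin.driver.message.RequestMessage;
import org.apache.tinkerpop.gremlin.process.traversal.Bytecode;

/**
 * Added example (not TinkerPop code) showing how the authorization handler could
 * rebuild a BYTECODE request without dropping arguments such as Tokens.ARGS_SESSION,
 * which UnifiedHandler relies on for session detection.
 */
public final class RestrictedMessageExample {

    private RestrictedMessageExample() {
    }

    /**
     * Rebuilds the request with the authorizer's restricted bytecode while keeping the
     * op, processor, request id and every other argument of the original message.
     * The session argument therefore survives into UnifiedHandler, which otherwise
     * falls back to the request id and opens a new session per request.
     */
    public static RequestMessage withRestrictedBytecode(final RequestMessage original,
                                                        final Bytecode restrictedBytecode) {
        final RequestMessage.Builder builder = RequestMessage.build(original.getOp())
                .overrideRequestId(original.getRequestId())
                .processor(original.getProcessor());

        // Copy every argument except the bytecode itself ...
        for (final Map.Entry<String, Object> arg : original.getArgs().entrySet()) {
            if (!Tokens.ARGS_GREMLIN.equals(arg.getKey())) {
                builder.addArg(arg.getKey(), arg.getValue());
            }
        }
        // ... then set the bytecode argument to the restricted form.
        builder.addArg(Tokens.ARGS_GREMLIN, restrictedBytecode);
        return builder.create();
    }

    /**
     * Relaxed alias check from the comment above: the traversal source alias 'g' must be
     * bound, but additional aliases are no longer rejected. Returns the error text when
     * the check fails and an empty Optional when it passes.
     */
    public static Optional<String> validateAliases(final Map<String, String> aliases) {
        if (aliases == null || !aliases.containsKey(Tokens.VAL_TRAVERSAL_SOURCE_ALIAS)) {
            return Optional.of(String.format(
                    "A message with [%s] op code requires the [%s] argument to be a Map "
                            + "containing the alias assignment named '%s'.",
                    Tokens.OPS_BYTECODE, Tokens.ARGS_ALIASES, Tokens.VAL_TRAVERSAL_SOURCE_ALIAS));
        }
        return Optional.empty();
    }
}
```

In the handler's OPS_BYTECODE branch, `ctx.fireChannelRead(withRestrictedBytecode(requestMessage, restrictedBytecode))` replaces the hand-built message, so any argument added to the protocol later is forwarded without further changes to the authorization handler.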