[nifi] branch main updated: NIFI-10899 Added SameSite Policy to Application Cookies
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 45a31c7286 NIFI-10899 Added SameSite Policy to Application Cookies 45a31c7286 is described below commit 45a31c7286b89a12487054078c9f1adea18b0fcb Author: exceptionfactory AuthorDate: Tue Nov 29 14:04:10 2022 -0600 NIFI-10899 Added SameSite Policy to Application Cookies - Added __Secure prefix to Application Cookie Names Signed-off-by: Nathan Gough This closes #6735. --- .../web/security/cookie/ApplicationCookieName.java | 24 -- ...licationCookieName.java => SameSitePolicy.java} | 26 +++--- .../cookie/StandardApplicationCookieService.java | 17 +++- .../csrf/StandardCookieCsrfTokenRepository.java| 58 +++-- .../StandardApplicationCookieServiceTest.java | 33 .../StandardCookieCsrfTokenRepositoryTest.java | 94 +- 6 files changed, 133 insertions(+), 119 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java index dbbea5c9bb..13476d6d2c 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java 
@@ -22,21 +22,35 @@ import org.apache.nifi.web.security.http.SecurityCookieName; * Application Cookie Names */ public enum ApplicationCookieName { -AUTHORIZATION_BEARER(SecurityCookieName.AUTHORIZATION_BEARER.getName()), +/** Authorization Bearer contains signed JSON Web Token and requires Strict Same Site handling */ +AUTHORIZATION_BEARER(SecurityCookieName.AUTHORIZATION_BEARER.getName(), SameSitePolicy.STRICT), -LOGOUT_REQUEST_IDENTIFIER("nifi-logout-request-identifier"), +/** Cross-Site Request Forgery mitigation token requires Strict Same Site handling */ +REQUEST_TOKEN(SecurityCookieName.REQUEST_TOKEN.getName(), SameSitePolicy.STRICT), -OIDC_REQUEST_IDENTIFIER("nifi-oidc-request-identifier"), +/** Logout Requests can interact with external identity providers requiring no Same Site restrictions */ +LOGOUT_REQUEST_IDENTIFIER("__Secure-Logout-Request-Identifier", SameSitePolicy.NONE), -SAML_REQUEST_IDENTIFIER("nifi-saml-request-identifier"); +/** OpenID Connect Requests use external identity providers requiring no Same Site restrictions */ +OIDC_REQUEST_IDENTIFIER("__Secure-OIDC-Request-Identifier", SameSitePolicy.NONE), + +/** SAML Requests use external identity providers requiring no Same Site restrictions */ +SAML_REQUEST_IDENTIFIER("__Secure-SAML-Request-Identifier", SameSitePolicy.NONE); private final String cookieName; -ApplicationCookieName(final String cookieName) { +private final SameSitePolicy sameSitePolicy; + +ApplicationCookieName(final String cookieName, final SameSitePolicy sameSitePolicy) { this.cookieName = cookieName; +this.sameSitePolicy = sameSitePolicy; } public String getCookieName() { return cookieName; } + +public SameSitePolicy getSameSitePolicy() { +return sameSitePolicy; +} } 
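Review bot: The three request-identifier constants (`LOGOUT_REQUEST_IDENTIFIER`, `OIDC_REQUEST_IDENTIFIER`, `SAML_REQUEST_IDENTIFIER`) all get `SameSitePolicy.NONE` with the same one-line reason, and the Javadoc does not say which return path from the identity provider needs the cookie on a cross-site request. A cross-site POST back to the application, as a SAML POST binding would produce, does need `None`, but a callback that arrives as a top-level GET redirect generally also works under a Lax policy; whether `SameSitePolicy` offers a Lax value is not visible on this page. The new `__Secure-` names also add a contract the enum does not state: browsers discard such cookies unless they are set with the Secure attribute over HTTPS, and `SameSite=None` without Secure is rejected too. I would add a class-level comment such as `/** Names prefixed with __Secure- are accepted by browsers only when the cookie is set with the Secure attribute over HTTPS */`. The code that writes the cookie is outside this hunk, so it is worth confirming there that Secure is always set.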
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/SameSitePolicy.java similarity index 59% copy from nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java copy to nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/SameSitePolicy.java index dbbea5c9bb..fc5a79f540 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/ApplicationCookieName.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/SameSitePolicy.java @@ -16,27 +16,23 @@ */ package org.apache.nifi.web.security.cookie; -import org.apache.nifi.web.security.http.SecurityCookieName; - /** - * Application Cookie Names + * Cookie Sa
[nifi] branch main updated (ab7ce58fb1 -> 3dc48f0894)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from ab7ce58fb1 NIFI-10947 This closes #6758. Upgraded Apache Commons Net to 3.9.0 add 3dc48f0894 NIFI-10916 - Controller Service allowable values dropdown list should be sorted No new revisions were added by this update. Summary of changes: .../src/main/java/org/apache/nifi/web/api/dto/DtoFactory.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
[nifi] branch main updated: NIFI-10937, NIFI-10938, NIFI-10939: When restoring flow from XML, properly parse XML for registry clients, looking for 'id' tag instead of 'identifier' tag. Fixed typo in e
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new e1c8c96111 NIFI-10937, NIFI-10938, NIFI-10939: When restoring flow from XML, properly parse XML for registry clients, looking for 'id' tag instead of 'identifier' tag. Fixed typo in error message about Reporting Task for Registry Clients. Updated StandardFlowComparator so that we compare sub-process groups' contents only if the Flow Coordinates are different by more than their version e1c8c96111 is described below commit e1c8c968c6634160dfe0dad3f6f6c6b56b4d Author: Mark Payne AuthorDate: Fri Dec 2 16:31:34 2022 -0500 NIFI-10937, NIFI-10938, NIFI-10939: When restoring flow from XML, properly parse XML for registry clients, looking for 'id' tag instead of 'identifier' tag. Fixed typo in error message about Reporting Task for Registry Clients. Updated StandardFlowComparator so that we compare sub-process groups' contents only if the Flow Coordinates are different by more than their version Signed-off-by: Nathan Gough This closes #6752. --- .../nifi/registry/flow/GhostFlowRegistryClient.java| 4 ++-- .../controller/serialization/FlowFromDOMFactory.java | 2 +- .../apache/nifi/fingerprint/FingerprintFactory.java| 17 + .../registry/flow/diff/StandardFlowComparator.java | 18 ++ 4 files changed, 18 insertions(+), 23 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/registry/flow/GhostFlowRegistryClient.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/registry/flow/GhostFlowRegistryClient.java index 3f5228e1e2..93983d992e 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/registry/flow/GhostFlowRegistryClient.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/registry/flow/GhostFlowRegistryClient.java @@ -51,9 +51,9 @@ public class GhostFlowRegistryClient implements FlowRegistryClient { public Collection validate(final ValidationContext context) { return Collections.singleton(new ValidationResult.Builder() .input("Any Property") -.subject("Missing Reporting Task") +.subject("Missing Registry Client") .valid(false) -.explanation("Reporting Task is of type " + canonicalClassName + ", but this is not a valid Reporting Task type") +.explanation("Registry Client is of type " + canonicalClassName + ", but this is not a valid Registry Client type") .build()); } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/serialization/FlowFromDOMFactory.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/serialization/FlowFromDOMFactory.java index 8b5e84414e..fcf5d29cff 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/serialization/FlowFromDOMFactory.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/serialization/FlowFromDOMFactory.java @@ -161,7 +161,7 @@ public class FlowFromDOMFactory { return getFlowRegistryClientFromOldStyleConfig(element); } -dto.setId(getString(element, "identifier")); +dto.setId(getString(element, "id")); dto.setName(getString(element, "name")); dto.setDescription(getString(element, "description")); dto.setUri(getString(element, "uri")); 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/fingerprint/FingerprintFactory.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/fingerprint/FingerprintFactory.java index cc5c84fbb4..524b91fb95 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/fingerprint/FingerprintFactory.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/fingerprint/FingerprintFactory.java @@ -197,22 +197,7 @@ public class FingerprintFactory { registryClientDtos.add(FlowFromDOMFactory.getFlowRegistryClient(flowRegistryElement, encryptor, encodingVersion));
[nifi] branch main updated: NIFI-10177: Implemented ID token logout and revoke access token logout for NiFi Registry when using OIDC/OAuth 2.0 providers NIFI-10177: Addressed latest PR reviews. Reword
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 844751cec0 NIFI-10177: Implemented ID token logout and revoke access token logout for NiFi Registry when using OIDC/OAuth 2.0 providers NIFI-10177: Addressed latest PR reviews. Reworded comments in the logout endpoint, use nifi registry properties to configure HTTP client timeouts for OIDC logout request, used NiFiUserUtils.getNiFiUserIdentity to retrieve identity used to delete the key 844751cec0 is described below commit 844751cec0cbef47f60f861df38819522ccf9286 Author: Emilio Setiadarma AuthorDate: Thu Nov 3 19:51:08 2022 -0700 NIFI-10177: Implemented ID token logout and revoke access token logout for NiFi Registry when using OIDC/OAuth 2.0 providers NIFI-10177: Addressed latest PR reviews. Reworded comments in the logout endpoint, use nifi registry properties to configure HTTP client timeouts for OIDC logout request, used NiFiUserUtils.getNiFiUserIdentity to retrieve identity used to delete the key Signed-off-by: Nathan Gough This closes #6637. --- nifi-registry/nifi-registry-assembly/NOTICE| 7 + .../nifi-registry-web-api/pom.xml | 4 + .../nifi/registry/web/api/AccessResource.java | 379 + .../nifi/registry/web/api/ApplicationResource.java | 3 + .../authentication/jwt/JwtIdentityProvider.java| 2 +- .../security/authentication/jwt/JwtService.java| 22 +- .../authentication/oidc/OidcIdentityProvider.java | 27 +- .../security/authentication/oidc/OidcService.java | 45 ++- .../oidc/StandardOidcIdentityProvider.java | 129 ++- .../authentication/oidc/OidcServiceTest.java | 14 +- .../nifi/registry/web/filter/LogoutFilter.java | 3 +- .../src/main/webapp/nf-registry.js | 4 +- .../src/main/webapp/services/nf-registry.api.js| 4 +- 13 files changed, 535 insertions(+), 108 deletions(-) 
diff --git a/nifi-registry/nifi-registry-assembly/NOTICE b/nifi-registry/nifi-registry-assembly/NOTICE index 07548043b5..9a3925e883 100644 --- a/nifi-registry/nifi-registry-assembly/NOTICE +++ b/nifi-registry/nifi-registry-assembly/NOTICE @@ -260,6 +260,13 @@ The following binary components are provided under the Apache Software License v Guava Copyright 2015 The Guava Authors + (ASLv2) Apache HttpComponents Client + The following NOTICE information applies: +Copyright 1999-2022 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (https://www.apache.org/). + Common Development and Distribution License 1.1 diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml b/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml index bee75d862f..ae71667c81 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml +++ b/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml @@ -480,5 +480,9 @@ 2.5.18 test + +org.springframework.security +spring-security-oauth2-resource-server + diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java index 3c5db2670a..162cb10243 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java +++ b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java 
@@ -20,6 +20,7 @@ import com.nimbusds.oauth2.sdk.AuthorizationCode; import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant; import com.nimbusds.oauth2.sdk.AuthorizationGrant; import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; import com.nimbusds.oauth2.sdk.id.State; import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse; import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser; @@ -31,6 +32,14 @@ import io.swagger.annotations.ApiResponse; import io.swagger.annotations.ApiResponses; import io.swagger.annotations.Authorization; import org.apache.commons.lang3.StringUtils; +import org.apache.http.NameValuePair; +import org.apache.http.client.config.RequestConfig; +import org.apache.http.client.entity.UrlEncodedFormEntity; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import
[nifi] branch main updated: NIFI-10785 Allow publishing AMQP message with null header value NIFI-10785 addressing review comment NIFI-10785 addressing review comments (remove unnecessary property to i
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 3a7ec5d542 NIFI-10785 Allow publishing AMQP message with null header value NIFI-10785 addressing review comment NIFI-10785 addressing review comments (remove unnecessary property to ignore null headers) 3a7ec5d542 is described below commit 3a7ec5d5429606eb6e15592aedc97434f080fd13 Author: Nandor Soma Abonyi AuthorDate: Thu Nov 10 23:45:52 2022 +0100 NIFI-10785 Allow publishing AMQP message with null header value NIFI-10785 addressing review comment NIFI-10785 addressing review comments (remove unnecessary property to ignore null headers) Signed-off-by: Nathan Gough This closes #6649. --- .../apache/nifi/amqp/processors/PublishAMQP.java | 78 +++ .../nifi/amqp/processors/PublishAMQPTest.java | 111 + 2 files changed, 103 insertions(+), 86 deletions(-) diff --git a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/PublishAMQP.java b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/PublishAMQP.java index 4bd94f3a41..6a8c7ac645 100644 --- a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/PublishAMQP.java +++ b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/PublishAMQP.java 
@@ -16,25 +16,15 @@ */ package org.apache.nifi.amqp.processors; -import java.io.IOException; -import java.io.InputStream; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.function.Consumer; -import java.util.regex.Pattern; - -import org.apache.nifi.annotation.behavior.SystemResourceConsideration; +import com.rabbitmq.client.AMQP; +import com.rabbitmq.client.AMQP.BasicProperties; +import com.rabbitmq.client.Connection; import org.apache.nifi.annotation.behavior.InputRequirement; import org.apache.nifi.annotation.behavior.InputRequirement.Requirement; -import org.apache.nifi.annotation.behavior.SystemResource; import org.apache.nifi.annotation.behavior.ReadsAttribute; import org.apache.nifi.annotation.behavior.ReadsAttributes; +import org.apache.nifi.annotation.behavior.SystemResource; +import org.apache.nifi.annotation.behavior.SystemResourceConsideration; import org.apache.nifi.annotation.documentation.CapabilityDescription; import org.apache.nifi.annotation.documentation.Tags; import org.apache.nifi.components.PropertyDescriptor; 
@@ -45,13 +35,19 @@ import org.apache.nifi.processor.ProcessContext; import org.apache.nifi.processor.ProcessSession; import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.exception.ProcessException; -import org.apache.nifi.processor.io.InputStreamCallback; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.stream.io.StreamUtils; -import com.rabbitmq.client.AMQP; -import com.rabbitmq.client.AMQP.BasicProperties; -import com.rabbitmq.client.Connection; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.function.Consumer; +import java.util.regex.Pattern; @Tags({ "amqp", "rabbit", "put", "message", "send", "publish" }) @InputRequirement(Requirement.INPUT_REQUIRED) @@ -89,6 +85,7 @@ public class PublishAMQP extends AbstractAMQPProcessor { .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES) .addValidator(Validator.VALID) .build(); + public static final PropertyDescriptor ROUTING_KEY = new PropertyDescriptor.Builder() .name("Routing Key") .description("The name of the Routing Key that will be used by AMQP to route messages from the exchange to a destination queue(s). " @@ -99,6 +96,7 @@ public class PublishAMQP extends AbstractAMQPProcessor { .expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES) .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) .build(); + public static final PropertyDescriptor HEADER_SEPARATOR = new PropertyDescriptor.Builder() .name("header.separator") .displayName("Header Separator") @@ -108,10 +106,12 @@ public class PublishAMQP extends AbstractAMQPProcessor { .addValidator(StandardValidators.SINGLE_CHAR_VALIDATOR) .required(false)
[nifi] branch main updated: NIFI-10755 Refactored SSLContext creation using nifi-security-ssl
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 5bc8e49c7a NIFI-10755 Refactored SSLContext creation using nifi-security-ssl 5bc8e49c7a is described below commit 5bc8e49c7ab85be8b1e4ec3ff950f463e84f8607 Author: exceptionfactory AuthorDate: Thu Nov 3 11:36:08 2022 -0500 NIFI-10755 Refactored SSLContext creation using nifi-security-ssl - Added TrustManagerBuilder to nifi-security-ssl - Removed SslContextFactory and CertificateUtils from nifi-registry - Refactored c2-client-http - Refactored minifi-bootstrap - Refactored nifi-site-to-site-client - Refactored nifi-registry-client - Refactored nifi-registry-framework - Refactored nifi-toolkit-admin - Refactored nifi-toolkit-cli 
Signed-off-by: Nathan Gough This closes #6618. --- c2/c2-client-bundle/c2-client-http/pom.xml | 5 + .../apache/nifi/c2/client/http/C2HttpClient.java | 61 +- minifi/minifi-bootstrap/pom.xml| 9 + .../ingestors/PullHttpChangeIngestor.java | 62 +- .../ingestors/RestChangeIngestorSSLTest.java | 90 ++- minifi/pom.xml | 5 + .../security/ssl/StandardSslContextBuilder.java| 23 +- .../security/ssl/StandardTrustManagerBuilder.java | 91 +++ .../nifi/security/ssl/TrustManagerBuilder.java | 31 + nifi-commons/nifi-site-to-site-client/pom.xml | 10 + .../nifi/remote/client/SiteToSiteClient.java | 71 ++- .../nifi/remote/client/http/TestHttpClient.java| 2 +- .../nifi-registry-client/pom.xml | 5 + .../registry/client/NiFiRegistryClientConfig.java | 89 ++- .../nifi-registry-framework/pom.xml| 5 + .../security/ldap/LdapIdentityProvider.java| 63 +- .../ldap/tenants/LdapUserGroupProvider.java| 78 ++- .../registry/security/util/CertificateUtils.java | 671 - .../registry/security/util/SslContextFactory.java | 249 nifi-toolkit/nifi-toolkit-admin/pom.xml| 5 + .../toolkit/admin/client/NiFiClientFactory.groovy | 82 ++- nifi-toolkit/nifi-toolkit-cli/pom.xml | 5 + .../cli/impl/client/nifi/NiFiClientConfig.java | 90 ++- 23 files changed, 480 insertions(+), 1322 deletions(-) diff --git a/c2/c2-client-bundle/c2-client-http/pom.xml b/c2/c2-client-bundle/c2-client-http/pom.xml index e5bfd786e9..8d106670de 100644 --- a/c2/c2-client-bundle/c2-client-http/pom.xml +++ b/c2/c2-client-bundle/c2-client-http/pom.xml @@ -38,6 +38,11 @@ limitations under the License. c2-client-base 1.19.0-SNAPSHOT + +org.apache.nifi +nifi-security-ssl +1.19.0-SNAPSHOT + com.squareup.okhttp3 okhttp diff --git a/c2/c2-client-bundle/c2-client-http/src/main/java/org/apache/nifi/c2/client/http/C2HttpClient.java b/c2/c2-client-bundle/c2-client-http/src/main/java/org/apache/nifi/c2/client/http/C2HttpClient.java index bf9c083a0a..293851c0f5 100644 
--- a/c2/c2-client-bundle/c2-client-http/src/main/java/org/apache/nifi/c2/client/http/C2HttpClient.java +++ b/c2/c2-client-bundle/c2-client-http/src/main/java/org/apache/nifi/c2/client/http/C2HttpClient.java @@ -23,15 +23,11 @@ import static okhttp3.RequestBody.create; import java.io.FileInputStream; import java.io.IOException; import java.security.KeyStore; -import java.security.NoSuchAlgorithmException; import java.util.Optional; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; -import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import okhttp3.MediaType; import okhttp3.MultipartBody; @@ -47,6 +43,9 @@ import org.apache.nifi.c2.protocol.api.C2Heartbeat; import org.apache.nifi.c2.protocol.api.C2HeartbeatResponse; import org.apache.nifi.c2.protocol.api.C2OperationAck; import org.apache.nifi.c2.serializer.C2Serializer; +import org.apache.nifi.security.ssl.StandardKeyStoreBuilder; +import org.apache.nifi.security.ssl.StandardSslContextBuilder; +import org.apache.nifi.security.ssl.StandardTrustManagerBuilder; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -195,50 +194,40 @@ public class C2HttpClient implements C2Client { final String keystoreLocation = clientConfig.getKeystoreFilename(); final String keystoreType = clientConfig.getKeystoreType(); final String keystorePass = clientConfig.getKeystorePass(); - assertKeystorePropertiesSet(keystoreLocation, keystorePass, keystoreType); -// prepare the keystore -final
[nifi] branch main updated: NIFI-10833 - Fix grammar error in ListenHTTP log msg
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 7a449dbcee NIFI-10833 - Fix grammar error in ListenHTTP log msg 7a449dbcee is described below commit 7a449dbcee668b39d85f850e549ae0a4d88be01b Author: Arpad Boda AuthorDate: Wed Nov 16 21:51:37 2022 +0100 NIFI-10833 - Fix grammar error in ListenHTTP log msg --- .../src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
index a35b9edc73..14a4ff3145 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
@@ -562,7 +562,7 @@ public class ListenHTTP extends AbstractSessionFactoryProcessor {
 for (final String id : findOldFlowFileIds(context)) {
 final FlowFileEntryTimeWrapper wrapper = flowFileMap.remove(id);
 if (wrapper != null) {
-getLogger().warn("failed to received acknowledgment for HOLD with ID {} sent by {}; rolling back session", id, wrapper.getClientIP());
+getLogger().warn("failed to receive acknowledgment for HOLD with ID {} sent by {}; rolling back session", id, wrapper.getClientIP());
 wrapper.session.rollback();
 }
 }
[nifi] branch main updated: NIFI-10787 - Cannot commit flows to nifi registry after updating our nifi release to 1.18.0 NifiRegistryFlowRegistryClient defines the PropertyDescriptor PROPERTY_URL nam
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 009d641576 NIFI-10787 - Cannot commit flows to nifi registry after updating our nifi release to 1.18.0 NifiRegistryFlowRegistryClient defines the PropertyDescriptor PROPERTY_URL name as small case "url". The map bases on the name property of the PropertyDescriptor object. Here searching with uppercase value of "URL" causes the map lookup to fail and cause a NPE later on. Therefore, it is changed as "url" 009d641576 is described below commit 009d641576499c5cdfb940a422996bbdce7dfda3 Author: sedadgn AuthorDate: Fri Nov 11 14:29:58 2022 +0100 NIFI-10787 - Cannot commit flows to nifi registry after updating our nifi release to 1.18.0 NifiRegistryFlowRegistryClient defines the PropertyDescriptor PROPERTY_URL name as small case "url". The map bases on the name property of the PropertyDescriptor object. Here searching with uppercase value of "URL" causes the map lookup to fail and cause a NPE later on. Therefore, it is changed as "url" NIFI-10787 - Added constant for property descriptor "url" in NiFiRegistryFlowMapper to make it more clear. NIFI-10787 - Added change to unit test. NIFI-10787 - Updated unit test to validate that NiFi registry url is being set and retrieved. Signed-off-by: Nathan Gough This closes #6655. --- .../registry/flow/mapping/NiFiRegistryFlowMapper.java | 5 - .../flow/mapping/NiFiRegistryFlowMapperTest.java | 19 ++- 2 files changed, 22 insertions(+), 2 deletions(-) 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapper.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapper.java index f5b2a754c0..c04e94b6c2 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapper.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapper.java @@ -17,6 +17,7 @@ package org.apache.nifi.registry.flow.mapping; + import org.apache.commons.lang3.ClassUtils; import org.apache.nifi.bundle.BundleCoordinate; import org.apache.nifi.components.PropertyDescriptor; @@ -102,6 +103,7 @@ import java.util.stream.Collectors; public class NiFiRegistryFlowMapper { private static final String ENCRYPTED_PREFIX = "enc{"; private static final String ENCRYPTED_SUFFIX = "}"; +private static final String REGISTRY_URL_DESCRIPTOR_NAME = "url"; private final ExtensionManager extensionManager; private final FlowMappingOptions flowMappingOptions; 
@@ -193,7 +195,8 @@ public class NiFiRegistryFlowMapper { // This is specific for the {@code NifiRegistryFlowRegistryClient}, purely for backward compatibility private String getRegistryUrl(final FlowRegistryClientNode registry) { -return registry.getComponentType().equals("org.apache.nifi.registry.flow.NifiRegistryFlowRegistryClient") ? registry.getRawPropertyValue(registry.getPropertyDescriptor("URL")) : ""; +return registry.getComponentType().endsWith("NifiRegistryFlowRegistryClient") + ? registry.getRawPropertyValue(registry.getPropertyDescriptor(REGISTRY_URL_DESCRIPTOR_NAME)) : ""; } private InstantiatedVersionedProcessGroup mapGroup(final ProcessGroup group, final ControllerServiceProvider serviceProvider, diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapperTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapperTest.java index 9caded0063..fa5152a4a6 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapperTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/registry/flow/mapping/NiFiRegistryFlowMapperTest.java @@ -17,6 +17,7 @@ package org.apache.nifi.registry.flow.mapping; +import org.apache.commons.lang3.StringUtils; import org.apache.nifi.authorization.resource.ComponentAuthorizable; import org.apache.nifi.bundle.BundleCoordinate; import org.apache.nifi.components.Pr
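Review bot: `getRegistryUrl` still returns the result of `getRawPropertyValue(...)` unchecked in the matching branch, so an unset `url` property may yield `null` where the other branch yields `""`; the commit description says a failed lookup here surfaced as a NullPointerException later on. A null fallback would keep the return contract uniform, for example `final String url = registry.getRawPropertyValue(registry.getPropertyDescriptor(REGISTRY_URL_DESCRIPTOR_NAME));` followed by `return url == null ? "" : url;`. Separately, replacing `equals(...)` on the fully qualified class name with `endsWith("NifiRegistryFlowRegistryClient")` widens the match to any component type with that suffix, from any package. If that is intended, a short comment saying why would help; otherwise the exact-name comparison is the tighter check.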
[nifi] branch main updated: NIFI-10243: allow ControlRate to throttle on combination of data rate or flowfile rate
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 2bfefc3e5b NIFI-10243: allow ControlRate to throttle on combination of data rate or flowfile rate 2bfefc3e5b is described below commit 2bfefc3e5bd126d41181011f9a86701cf3f2c828 Author: Mark Bean AuthorDate: Mon Oct 10 15:00:25 2022 -0400 NIFI-10243: allow ControlRate to throttle on combination of data rate or flowfile rate NIFI-10243: fix typos NIFI-10243: re-ordered property in ControlRate NIFI-10243: minor updates to make code cleaner based on PR comments Signed-off-by: Nathan Gough This closes #6506. --- .../nifi/processors/standard/ControlRate.java | 306 ++--- .../additionalDetails.html | 64 + .../nifi/processors/standard/TestControlRate.java | 271 +- 3 files changed, 540 insertions(+), 101 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ControlRate.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ControlRate.java index 4634f041e1..34b9a8144b 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ControlRate.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ControlRate.java 
@@ -16,21 +16,6 @@ */ package org.apache.nifi.processors.standard; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.ConcurrentHashMap; -import java.util.concurrent.ConcurrentMap; -import java.util.concurrent.TimeUnit; -import java.util.concurrent.atomic.AtomicLong; -import java.util.concurrent.locks.ReentrantLock; -import java.util.regex.Pattern; - import org.apache.nifi.annotation.behavior.InputRequirement; import org.apache.nifi.annotation.behavior.InputRequirement.Requirement; import org.apache.nifi.annotation.behavior.SideEffectFree; @@ -42,7 +27,6 @@ import org.apache.nifi.components.AllowableValue; import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationResult; -import org.apache.nifi.components.Validator; import org.apache.nifi.expression.ExpressionLanguageScope; import org.apache.nifi.flowfile.FlowFile; import org.apache.nifi.logging.ComponentLog; @@ -59,6 +43,21 @@ import org.apache.nifi.util.timebuffer.LongEntityAccess; import org.apache.nifi.util.timebuffer.TimedBuffer; import org.apache.nifi.util.timebuffer.TimestampedLong; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicLong; +import java.util.concurrent.locks.ReentrantLock; +import java.util.regex.Pattern; + @SideEffectFree @TriggerSerially @InputRequirement(Requirement.INPUT_REQUIRED) 
@@ -71,30 +70,58 @@ public class ControlRate extends AbstractProcessor { public static final String DATA_RATE = "data rate"; public static final String FLOWFILE_RATE = "flowfile count"; public static final String ATTRIBUTE_RATE = "attribute value"; +public static final String DATA_OR_FLOWFILE_RATE = "data rate or flowfile count"; + public static final AllowableValue DATA_RATE_VALUE = new AllowableValue(DATA_RATE, DATA_RATE, "Rate is controlled by counting bytes transferred per time duration."); public static final AllowableValue FLOWFILE_RATE_VALUE = new AllowableValue(FLOWFILE_RATE, FLOWFILE_RATE, -"Rate is controlled by counting flowfiles transferred per time duration"); +"Rate is controlled by counting FlowFiles transferred per time duration"); public static final AllowableValue ATTRIBUTE_RATE_VALUE = new AllowableValue(ATTRIBUTE_RATE, ATTRIBUTE_RATE, "Rate is controlled by accumulating the value of a specified attribute that is transferred per time duration"); +public static final AllowableValue DATA_OR_FLOWFILE_RATE_VALUE = new AllowableValue(DATA_OR_FLOWFILE_RATE, DATA_OR_FLOWFILE_RATE, +"Rate is controlled by counting bytes and FlowFiles transferred per time duration; if eit
[nifi] branch main updated: NIFI-10798 Added Deprecation Logging for Java 8 on Startup
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 3a536e261f NIFI-10798 Added Deprecation Logging for Java 8 on Startup 3a536e261f is described below commit 3a536e261f09cb8ff3cd65fed5765120cdc5bca2 Author: exceptionfactory AuthorDate: Thu Nov 10 15:23:43 2022 -0600 NIFI-10798 Added Deprecation Logging for Java 8 on Startup - Added deprecation warnings for NiFi, Registry, and MiNiFi - Added RuntimeVersionProvider for shared reference to deprecated and minimum versions Signed-off-by: Nathan Gough This closes #6648. --- README.md | 4 ++ minifi/minifi-bootstrap/pom.xml| 4 ++ .../nifi/minifi/bootstrap/command/StartRunner.java | 10 .../service/MiNiFiExecCommandProvider.java | 8 ++- minifi/pom.xml | 5 ++ nifi-bootstrap/pom.xml | 5 ++ .../java/org/apache/nifi/bootstrap/RunNiFi.java| 11 +++- .../org/apache/nifi/bootstrap/util/OSUtils.java| 2 +- .../bootstrap/util/RuntimeVersionProvider.java | 58 ++ .../nifi-registry-bootstrap/pom.xml| 5 ++ .../nifi/registry/bootstrap/RunNiFiRegistry.java | 12 - 11 files changed, 114 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 66f2fba88d..4b17be2e54 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,10 @@ Apache NiFi was made for dataflow. It supports highly configurable directed grap - Pluggable fine-grained role-based authentication/authorization - Multiple teams can manage and share specific portions of the flow +## Minimum Recommendations +* JDK 11.0.16 +* Apache Maven 3.8.6 + ## Minimum Requirements * JDK 8 Update 251 * Apache Maven 3.6.0 diff --git a/minifi/minifi-bootstrap/pom.xml b/minifi/minifi-bootstrap/pom.xml index b2cb78d8d3..c125a2e160 100644 --- a/minifi/minifi-bootstrap/pom.xml +++ b/minifi/minifi-bootstrap/pom.xml 
@@ -49,6 +49,10 @@ limitations under the License. org.apache.nifi nifi-bootstrap-utils + +org.apache.nifi +nifi-deprecation-log + org.apache.nifi nifi-expression-language diff --git a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/command/StartRunner.java b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/command/StartRunner.java index edea4ca8a0..9b29360d54 100644 --- a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/command/StartRunner.java +++ b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/command/StartRunner.java @@ -43,6 +43,9 @@ import java.util.concurrent.locks.Condition; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; import org.apache.nifi.bootstrap.util.OSUtils; +import org.apache.nifi.bootstrap.util.RuntimeVersionProvider; +import org.apache.nifi.deprecation.log.DeprecationLogger; +import org.apache.nifi.deprecation.log.DeprecationLoggerFactory; import org.apache.nifi.minifi.bootstrap.MiNiFiParameters; import org.apache.nifi.minifi.bootstrap.RunMiNiFi; import org.apache.nifi.minifi.bootstrap.ShutdownHook; @@ -60,6 +63,8 @@ import org.apache.nifi.util.Tuple; public class StartRunner implements CommandRunner { private static final int STARTUP_WAIT_SECONDS = 60; +private static final DeprecationLogger deprecationLogger = DeprecationLoggerFactory.getLogger(StartRunner.class); + private final CurrentPortProvider currentPortProvider; private final BootstrapFileProvider bootstrapFileProvider; private final PeriodicStatusReporterManager periodicStatusReporterManager; 
@@ -110,6 +115,11 @@ public class StartRunner implements CommandRunner { return; } +final int javaMajorVersion = RuntimeVersionProvider.getMajorVersion(); +if (RuntimeVersionProvider.isMajorVersionDeprecated(javaMajorVersion)) { +deprecationLogger.warn("Support for Java {} is deprecated. Java {} is the minimum recommended version", javaMajorVersion, RuntimeVersionProvider.getMinimumMajorVersion()); +} + File prevLockFile = bootstrapFileProvider.getLockFile(); if (prevLockFile.exists() && !prevLockFile.delete()) { CMD_LOGGER.warn("Failed to delete previous lock file {}; this file should be cleaned up manually", prevLockFile); diff --git a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/service/MiNiFiExecCommandProvider.java b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/service/MiNiFiExecCommandProvider.java index 7c52a99c68..a28deb9497 100644 --- a/mini
[nifi] branch main updated: NIFI-10780 Improved Event Server to avoid dropping messages
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 588e04cd07 NIFI-10780 Improved Event Server to avoid dropping messages 588e04cd07 is described below commit 588e04cd0771d9895554e106ef401e24f096bc96 Author: exceptionfactory AuthorDate: Tue Nov 8 11:53:00 2022 -0600 NIFI-10780 Improved Event Server to avoid dropping messages - Improved ByteArrayMessageChannelHandler to call BlockingQueue.offer() while the server is not shutting down - Improved NettyEventServer to use ChannelFuture.await() for closing the channel to allow shutdown to proceed - Added test method for EventDroppedException handling Signed-off-by: Nathan Gough This closes #6634. --- ...ntException.java => EventDroppedException.java} | 15 ++-- .../nifi/event/transport/EventException.java | 9 + .../event/transport/netty/NettyEventServer.java| 9 - .../channel/ByteArrayMessageChannelHandler.java| 24 +++- .../netty/StringNettyEventSenderFactoryTest.java | 45 ++ 5 files changed, 97 insertions(+), 5 deletions(-) diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java b/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventDroppedException.java similarity index 72% copy from nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java copy to nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventDroppedException.java index 4c40719b28..98c97d1907 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java 
+++ b/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventDroppedException.java @@ -17,16 +17,25 @@ package org.apache.nifi.event.transport; /** - * Event Exception indicating issues when transporting events + * Event Dropped Exception indicating when a handler drops one or more events */ -public class EventException extends RuntimeException { +public class EventDroppedException extends EventException { +/** + * Event Exception + * + * @param message Message + */ +public EventDroppedException(final String message) { +super(message); +} + /** * Event Exception * * @param message Message * @param cause Throwable cause */ -public EventException(final String message, final Throwable cause) { +public EventDroppedException(final String message, final Throwable cause) { super(message, cause); } } diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java b/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java index 4c40719b28..55337aec10 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java +++ b/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/EventException.java @@ -20,6 +20,15 @@ package org.apache.nifi.event.transport; * Event Exception indicating issues when transporting events */ public class EventException extends RuntimeException { +/** + * Event Exception + * + * @param message Message + */ +public EventException(final String message) { +super(message); +} + /** * Event Exception * 
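Review bot: Both constructors of `EventDroppedException` carry the Javadoc summary `Event Exception`, copied from the parent class, so the generated documentation does not say what distinguishes this type. A summary such as `Event Dropped Exception with a message describing the dropped events` on the new single-argument constructor, with matching wording on the `(message, cause)` constructor, would fix that. The class-level Javadoc in the same hunk is already updated, so only the constructor comments are left behind.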
diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/netty/NettyEventServer.java b/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/netty/NettyEventServer.java index 391fc2daf5..fb8aae59de 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/netty/NettyEventServer.java +++ b/nifi-nar-bundles/nifi-extension-utils/nifi-event-transport/src/main/java/org/apache/nifi/event/transport/netty/NettyEventServer.java @@ -17,7 +17,9 @@ package org.apache.nifi.event.transport.netty; import io.netty.channel.Channel; +import io.netty.channel.ChannelFuture; import io.netty.channel.EventLoopGroup; +import org.apache.nifi.event.transport.EventException; import org.apache.nifi.event.transport.EventServer; import org.apache.nifi.event.transport.configuration.ShutdownQuietPeriod; import org.apache.nifi.event.transport.configuration.ShutdownTimeout; @@ -6
[nifi] branch main updated: NIFI-10317 Taking care of NullPointerException if AMQP header value is null NIFI-10317 refactoring to remove repeated conversions to string from char NIFI-10317 correctly h
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 747b5d4d9e NIFI-10317 Taking care of NullPointerException if AMQP header value is null NIFI-10317 refactoring to remove repeated conversions to string from char NIFI-10317 correctly handle null values: null vs "null" NIFI-10317 adding test NIFI-10317 - Updated ConsumeAMQPTest to test for null and empty header values. NIFI-10317 - Updated ConsumeAMQPTest to use hard coded string values when testing. Made convertMapToString() private. 747b5d4d9e is described below commit 747b5d4d9e933f6ced31c8735f7e8eb791449a71 Author: SaumyaGurtu AuthorDate: Mon Sep 19 11:57:27 2022 +0530 NIFI-10317 Taking care of NullPointerException if AMQP header value is null NIFI-10317 refactoring to remove repeated conversions to string from char NIFI-10317 correctly handle null values: null vs "null" NIFI-10317 adding test NIFI-10317 - Updated ConsumeAMQPTest to test for null and empty header values. NIFI-10317 - Updated ConsumeAMQPTest to use hard coded string values when testing. Made convertMapToString() private. Signed-off-by: Nathan Gough This closes #6382. --- .../apache/nifi/amqp/processors/ConsumeAMQP.java | 27 +++-- .../nifi/amqp/processors/ConsumeAMQPTest.java | 64 ++ 2 files changed, 37 insertions(+), 54 deletions(-) diff --git a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/ConsumeAMQP.java b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/ConsumeAMQP.java index 734d3efd40..87cefc7922 100644 --- a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/ConsumeAMQP.java +++ b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/ConsumeAMQP.java 
@@ -43,6 +43,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import java.util.stream.Collectors; @Tags({"amqp", "rabbit", "get", "message", "receive", "consume"}) @InputRequirement(Requirement.INPUT_FORBIDDEN) @@ -170,7 +171,7 @@ public class ConsumeAMQP extends AbstractAMQPProcessor { final BasicProperties amqpProperties = response.getProps(); final Envelope envelope = response.getEnvelope(); final Map attributes = buildAttributes(amqpProperties, envelope, context.getProperty(REMOVE_CURLY_BRACES).asBoolean(), - context.getProperty(HEADER_SEPARATOR).toString().charAt(0)); +context.getProperty(HEADER_SEPARATOR).toString()); flowFile = session.putAllAttributes(flowFile, attributes); session.getProvenanceReporter().receive(flowFile, connection.toString() + "/" + context.getProperty(QUEUE).getValue()); 
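Review bot: In the `@@ -170,7 +171,7 @@` hunk the separator is read with `context.getProperty(HEADER_SEPARATOR).toString()`, while the provenance line just below reads its property with `.getValue()`. Using `context.getProperty(HEADER_SEPARATOR).getValue()` would be consistent and would not depend on how the property value object implements `toString()`. Dropping `charAt(0)` also means the whole configured string is now the separator rather than its first character. Unless the property's validator (not visible here) restricts it to one character, the format of the joined headers attribute can change for existing flows, which deserves a sentence in the property description. The enclosing method starts and ends outside the hunk.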
@@ -184,12 +185,12 @@ public class ConsumeAMQP extends AbstractAMQPProcessor { } } -private Map buildAttributes(final BasicProperties properties, final Envelope envelope, boolean removeCurlyBraces, Character valueSeperatorForHeaders) { +private Map buildAttributes(final BasicProperties properties, final Envelope envelope, boolean removeCurlyBraces, String valueSeperatorForHeaders) { final Map attributes = new HashMap<>(); addAttribute(attributes, ATTRIBUTES_PREFIX + "appId", properties.getAppId()); addAttribute(attributes, ATTRIBUTES_PREFIX + "contentEncoding", properties.getContentEncoding()); addAttribute(attributes, ATTRIBUTES_PREFIX + "contentType", properties.getContentType()); -addAttribute(attributes, ATTRIBUTES_PREFIX + "headers", buildHeaders(properties.getHeaders(), removeCurlyBraces,valueSeperatorForHeaders)); +addAttribute(attributes, ATTRIBUTES_PREFIX + "headers", buildHeaders(properties.getHeaders(), removeCurlyBraces, valueSeperatorForHeaders)); addAttribute(attributes, ATTRIBUTES_PREFIX + "deliveryMode", properties.getDeliveryMode()); addAttribute(attributes, ATTRIBUTES_PREFIX + "priority", properties.getPriority()); addAttribute(attributes, ATTRIBUTES_PREFIX + "correlationId", properties.getCorrelationId()); @@ -213,31 +214,21 @@ public class ConsumeAMQP extends AbstractAMQPProcessor { attributes.put(attributeName, value.toString()); } -private String buildHeaders(Map headers, boolean removeCurlyBraces,Character valueSeparatorForHeaders) { +private String buildHeaders(Map headers, boolean removeCurlyBraces, String valueSeparatorForHeaders) { if
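Review bot: The `buildAttributes` signature rewritten in the `@@ -184,12 +185,12 @@` hunk keeps the misspelled parameter `valueSeperatorForHeaders`, while `buildHeaders` spells the same value `valueSeparatorForHeaders`. Since the line is already being changed for the `Character` to `String` switch, declaring it as `String valueSeparatorForHeaders` and passing that name in the `buildHeaders(...)` call would make the two private methods agree. The method body continues outside the hunk.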
[nifi] branch main updated: NIFI-10737 Corrected ListenBeats buffer handling
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 7c1a7da116 NIFI-10737 Corrected ListenBeats buffer handling 7c1a7da116 is described below commit 7c1a7da1169f66fce490def753f9a0a228a4f75b Author: exceptionfactory AuthorDate: Mon Oct 31 22:30:32 2022 -0500 NIFI-10737 Corrected ListenBeats buffer handling - Added test class for ListenBeats - Removed unnecessary dependencies - Implemented BatchDecoder for reading Beats Protocol frames - Refactored protocol and handler classes Signed-off-by: Nathan Gough This closes #6608. --- .../nifi-beats-processors/pom.xml | 46 +-- .../apache/nifi/processors/beats/ListenBeats.java | 180 -- .../nifi/processors/beats/frame/BeatsDecoder.java | 328 -- .../nifi/processors/beats/frame/BeatsEncoder.java | 47 --- .../nifi/processors/beats/frame/BeatsFrame.java| 115 --- .../beats/handler/BatchChannelInboundHandler.java | 83 + .../processors/beats/handler/BatchDecoder.java | 380 + .../beats/handler/MessageAckEncoder.java | 65 .../processors/beats/netty/BeatsFrameDecoder.java | 81 - .../beats/netty/BeatsMessageChannelHandler.java| 57 .../Batch.java}| 21 +- .../BatchMessage.java} | 18 +- .../FrameType.java}| 29 +- .../FrameTypeDecoder.java} | 25 +- .../BeatsState.java => protocol/MessageAck.java} | 20 +- .../ProtocolCode.java} | 15 +- .../ProtocolCodeDecoder.java} | 21 +- .../ProtocolException.java}| 25 +- .../ProtocolVersion.java} | 23 +- .../ProtocolVersionDecoder.java} | 25 +- .../beats/response/BeatsChannelResponse.java | 42 --- .../processors/beats/response/BeatsResponse.java | 62 .../BeatsMessageServerFactory.java | 25 +- .../nifi/processors/beats/ListenBeatsTest.java | 244 + .../processors/beats/frame/TestBeatsEncoder.java | 49 --- .../processors/beats/frame/TestBeatsFrame.java | 39 --- 26 files changed, 995 insertions(+), 1070 deletions(-) 
diff --git a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/pom.xml b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/pom.xml index 91a030f4e1..1aeccb4b81 100644 --- a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/pom.xml +++ b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/pom.xml @@ -34,31 +34,18 @@ org.apache.nifi nifi-event-listen 1.19.0-SNAPSHOT - - -org.apache.nifi -nifi-security-socket-ssl -1.19.0-SNAPSHOT - - -com.google.code.gson -gson - - -org.apache.nifi -nifi-socket-utils -1.19.0-SNAPSHOT + + +org.apache.nifi +nifi-security-socket-ssl + + org.apache.nifi nifi-utils 1.19.0-SNAPSHOT - -org.apache.nifi -nifi-flowfile-packager -1.19.0-SNAPSHOT - org.apache.nifi nifi-ssl-context-service-api @@ -71,25 +58,4 @@ test - - - - -jigsaw - -(1.8,) - - - -jakarta.xml.bind -jakarta.xml.bind-api - - -org.glassfish.jaxb -jaxb-runtime - - - - diff --git a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java index 86cc2df339..4248c31dcf 100644 --- a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java +++ b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java @@ -16,20 +16,18 @@ */ package org.apache.nifi.processors.beats; -import org.apache.commons.lang3.StringUtils; import org.apache.nifi.annotation.behavior.InputRequirement; import org.apache.nifi.annotation.behavior.WritesAttribute; import org.apache.nifi.annotation.behavior.WritesAttributes; imp
[nifi] branch main updated: NIFI-10506 Moved Repository Encryption to Admin Guide
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new f3cd416816 NIFI-10506 Moved Repository Encryption to Admin Guide f3cd416816 is described below commit f3cd416816ae0d0dc86d7bb7fc97601e4c315619 Author: exceptionfactory AuthorDate: Wed Nov 2 12:30:02 2022 -0500 NIFI-10506 Moved Repository Encryption to Admin Guide - Removed Repository Encryption section from User Guide - Added Configuration Change Considerations section Signed-off-by: Nathan Gough This closes #6615. --- .../src/main/asciidoc/administration-guide.adoc| 149 - nifi-docs/src/main/asciidoc/user-guide.adoc| 144 2 files changed, 147 insertions(+), 146 deletions(-) diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index b4fd84dce1..5829b4dbf7 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc 
@@ -1599,11 +1599,156 @@ Being added to both the view and modify policies for the process group, User2 ca image:user2-edit-connection.png["User2 Edit Connection"] +[[repository-encryption]] +== Repository Encryption + +NiFi supports encryption of local repositories using a configurable Key Provider to enable protection of information +on the filesystem. Repository encryption configuration uses a version number to indicate the cipher algorithms, metadata +format, and repository implementation classes. This approach provides a generalized method for configuration without the +need to customize each repository implementation class. + +Repository encryption incurs a performance cost due to the overhead of cipher operations. Filesystem encryption at the +operating system level provides an alternative solution, with different performance characteristics. For deployments +where filesystem encryption is not configured, repository encryption provides an enhanced level of data protection. +Due to increased performance requirements, more computing resources may be necessary to achieve sufficient throughput +when enabling repository encryption. + +The security of repository encryption depends on a combination of the cipher algorithms and the protection of encryption +keys. Key protection and key rotation are important parts of securing an encrypted repository configuration. +Key protection involves limiting access to the Key Provider and key rotation requires manual updates to generate and +specify a new encryption key. + +=== Configuration Change Considerations + +Disabling repository encryption on existing installations requires removing existing repository contents, and +restarting the system after making configuration changes. For this reason, flow administrators should confirm that the +system has processed all available FlowFiles to avoid losing information when disabling repository encryption. 
+ +=== Repository Encryption Protocol Version 1 + +The first version of support for repository encryption includes the following cipher algorithms: + +[options="header"] +|=== +|Repository Type |Cipher Algorithm +|Content Repository|AES/CTR/NoPadding +|FlowFile Repository |AES/GCM/NoPadding +|FlowFile Swap Manager |AES/GCM/NoPadding +|Provenance Repository |AES/GCM/NoPadding +|=== + +The following classes provide the direct repository encryption implementation, extending standard classes: + +[options="header"] +|=== +|Repository Type |Class +|Content Repository|org.apache.nifi.content.EncryptedFileSystemRepository +|FlowFile Repository |org.apache.nifi.wali.EncryptedSequentialAccessWriteAheadLog +|FlowFile Swap Manager |org.apache.nifi.controller.EncryptedFileSystemSwapManager +|Provenance Repository |org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository +|=== + + Encryption Metadata Serialization + +Each repository implementation class leverages standard cipher operations to perform encryption and decryption. In order +to support AES, the encryption process writes metadata associated with each encryption operation. Encryption protocol +version 1 uses Java Object serialization to write objects containing the encryption Key Identifier, the cipher +Initialization Vector, and other required properties. Serialized objects include the following required properties: + +[options="header"] +|= +|Property Name |Property Type |Description +|keyId |String|Encryption key identifier +|ivBytes |byte[]|Cipher initialization vector +|algorithm |String|Cipher algorithm +|version
[nifi-site] branch main updated: NIFI-10758 Added Security Reporting Guidelines and updated wording
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 2923c6b NIFI-10758 Added Security Reporting Guidelines and updated wording new d72c52a Merge pull request #69 from exceptionfactory/NIFI-10758 2923c6b is described below commit 2923c6b14a8c535119475f2fd6fad238c1342243 Author: exceptionfactory AuthorDate: Thu Nov 3 16:45:30 2022 -0500 NIFI-10758 Added Security Reporting Guidelines and updated wording --- source/security.html | 79 ++-- 1 file changed, 46 insertions(+), 33 deletions(-) diff --git a/source/security.html b/source/security.html index fc419a6..36df249 100644 --- a/source/security.html +++ b/source/security.html 
@@ -2,54 +2,67 @@ title: Apache NiFi Security Reports --- - - - - -NiFi Security Vulnerability Disclosure + + +Apache nifi Security -Apache NiFi welcomes the responsible reporting of security vulnerabilities. The NiFi team believes that working with skilled security researchers across the globe is crucial in identifying -weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue -promptly. -Disclosure Policy - -Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. -Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. -Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. -Please read the https://www.apache.org/security/committers.html; target="_blank">Apache Project Security for Committers policy to understand the restrictions around disclosure of security issues in the Apache open source community. - -Specifically, please do not: - -⛔️ Open a Jira disclosing a security vulnerability to the public -⛔️ Send a message to the d...@nifi.apache.org or us...@nifi.apache.org mailing lists disclosing a security vulnerability to the public -⛔️ Send a message to the Apache NiFi Slack instance disclosing a security vulnerability to the public - - - -Exclusions -While researching, we'd like to ask you to refrain from: + +Apache NiFi welcomes the responsible reporting of security vulnerabilities. +Project Management Committee members will collaborate and respond to potential vulnerabilities, providing an +assessment of the concern and a plan of action to remediate verified issues. 
+ +Reporting Policy + +Please read the https://www.apache.org/security/committers.html; target="_blank">Apache Project Security for Committers +policy for general guidelines applicable disclosure of security issues for Apache Software Foundation projects. + + +Do not perform the following actions after discovering a potential security concern: + +⛔️ Open a Jira disclosing a security vulnerability to the public +⛔️ Send a message to the project mailing lists disclosing a security vulnerability to the public +⛔️ Send a message to the project Slack instance disclosing a security vulnerability to the public + + +Reporting Guidelines + +Configuring dangerous operating system commands or custom scripts is not a project security vulnerability. +Authenticated and authorized users are responsible for the security of operating system commands and custom +code. + + +Apache NiFi provides a framework for developing processing pipelines using standard and custom +components. The framework supports configurable permissions that enable authorized users to execute code +using several standard components. Components such as ExecuteProcess and ExecuteStreamCommand support +running operating system commands, while other scripted components support executing custom code using +different programming languages. Configuring these components with untrusted commands or arguments is +contrary to best practices, but it does not constitute of security issue for remediation. + + + +
[nifi] branch main updated: NIFI-10740 Upgraded Spring Security from 5.7.4 to 5.7.5
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 1ab024b3c8 NIFI-10740 Upgraded Spring Security from 5.7.4 to 5.7.5 1ab024b3c8 is described below commit 1ab024b3c833573a620c713a3354c5699e8fe668 Author: exceptionfactory AuthorDate: Mon Oct 31 15:38:03 2022 -0500 NIFI-10740 Upgraded Spring Security from 5.7.4 to 5.7.5 Signed-off-by: Nathan Gough This closes #6607. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 66916adeb4..ee41533caa 100644 --- a/pom.xml +++ b/pom.xml @@ -143,7 +143,7 @@ 1.33 4.1.84.Final 5.3.23 -5.7.4 +5.7.5 1.6.6 2.1.214 3.8.0
[nifi] branch main updated: NIFI-10706 Upgrade spring Security to 5.7.4
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 5e1e7e163e NIFI-10706 Upgrade spring Security to 5.7.4 5e1e7e163e is described below commit 5e1e7e163e553e71c559d49fb92e8e157b47738f Author: UcanInfosec <107478475+ucaninfo...@users.noreply.github.com> AuthorDate: Thu Oct 27 13:03:53 2022 -0400 NIFI-10706 Upgrade spring Security to 5.7.4 Signed-off-by: Nathan Gough This closes #6591. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 21c5c3b865..78186af639 100644 --- a/pom.xml +++ b/pom.xml @@ -143,7 +143,7 @@ 1.33 4.1.84.Final 5.3.23 -5.7.3 +5.7.4 1.6.6 2.1.214 3.8.0
[nifi] branch main updated: NIFI-10696 Update Netty to 4.1.84.Final
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 99a4542c73 NIFI-10696 Update Netty to 4.1.84.Final 99a4542c73 is described below commit 99a4542c73fb2708caf0d7d5ce616d8917d86ada Author: UcanInfosec <107478475+ucaninfo...@users.noreply.github.com> AuthorDate: Thu Oct 27 07:42:50 2022 -0400 NIFI-10696 Update Netty to 4.1.84.Final Signed-off-by: Nathan Gough This closes #6588. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4b804ec8bb..21c5c3b865 100644 --- a/pom.xml +++ b/pom.xml @@ -141,7 +141,7 @@ 3.12.4 3.10.6.Final 1.33 -4.1.82.Final +4.1.84.Final 5.3.23 5.7.3 1.6.6
[nifi] branch main updated (d390a0becf -> b05bd988b6)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from d390a0becf NIFI-10673: When a component is added to a ProcessGroup, we had a method called ensureUniqueVersionControlId but the method only took into accounts in that Process Group. Updated methods to now consider components in any Process Group that is part of the same Versioned Flow. Also added system test to verify the problem and the fix. Added Toolkit clients and additional methods as necessary in order to implement system tests add b05bd988b6 NIFI-10700: - Only restart ports if their scheduledState is Running. - Adding unit tests. - Fixing unit test to properly verify Port isn't restarted. No new revisions were added by this update. Summary of changes: .../StandardVersionedComponentSynchronizer.java| 2 +- ...StandardVersionedComponentSynchronizerTest.java | 35 ++ 2 files changed, 36 insertions(+), 1 deletion(-)
[nifi] branch main updated (3ed87a2982 -> 2d5a8b8b0d)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from 3ed87a2982 NIFI-10594 Render empty lines in Labels add 2d5a8b8b0d NIFI-10503 Changed flow file references to FlowFile in GenerateTableFetch processor docs No new revisions were added by this update. Summary of changes: .../processors/standard/GenerateTableFetch.java| 22 +++--- .../additionalDetails.html | 8 2 files changed, 15 insertions(+), 15 deletions(-)
[nifi] branch main updated: NIFI-9437 Flowfile Expiration cannot exceed 24 days
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 7c33516aee NIFI-9437 Flowfile Expiration cannot exceed 24 days 7c33516aee is described below commit 7c33516aeebf138dc2e2a82880f9bd7f49c7e61f Author: Timea Barna AuthorDate: Thu Oct 20 12:06:31 2022 +0200 NIFI-9437 Flowfile Expiration cannot exceed 24 days NIFI-9437 Addressing review comments, correcting setter in StatelessFlowQueue class Signed-off-by: Nathan Gough This closes #6558. --- .../main/java/org/apache/nifi/controller/queue/FlowFileQueue.java | 2 +- .../org/apache/nifi/controller/queue/AbstractFlowFileQueue.java | 4 ++-- .../clustered/partition/SwappablePriorityQueueLocalPartition.java | 2 +- .../controller/repository/TestWriteAheadFlowFileRepository.java | 2 +- .../apache/nifi/web/search/attributematchers/ExpirationMatcher.java | 2 +- .../test/java/org/apache/nifi/web/controller/ComponentMockUtil.java | 2 +- .../nifi/web/controller/ControllerSearchServiceIntegrationTest.java | 2 +- .../nifi/web/search/attributematchers/ExpirationMatcherTest.java| 4 ++-- .../org/apache/nifi/stateless/queue/StatelessFlowFileQueue.java | 6 +++--- 9 files changed, 13 insertions(+), 13 deletions(-) diff --git a/nifi-framework-api/src/main/java/org/apache/nifi/controller/queue/FlowFileQueue.java b/nifi-framework-api/src/main/java/org/apache/nifi/controller/queue/FlowFileQueue.java index 8ed2d6c149..3016dd54dd 100644 --- a/nifi-framework-api/src/main/java/org/apache/nifi/controller/queue/FlowFileQueue.java +++ b/nifi-framework-api/src/main/java/org/apache/nifi/controller/queue/FlowFileQueue.java @@ -177,7 +177,7 @@ public interface FlowFileQueue { String getFlowFileExpiration(); -int getFlowFileExpiration(TimeUnit timeUnit); +long getFlowFileExpiration(TimeUnit timeUnit); void setFlowFileExpiration(String flowExpirationPeriod); 
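Review bot: The widened `long getFlowFileExpiration(TimeUnit timeUnit)` in FlowFileQueue has no Javadoc, so nothing tells implementers or callers that the value can exceed Integer.MAX_VALUE and must not be narrowed back to int. The same applies to the override in AbstractFlowFileQueue and to `getExpiration()` in SwappablePriorityQueueLocalPartition; judging by the commit title, the removed `(int)` cast is what truncated long expiration periods. I would add `/** Returns the configured FlowFile expiration converted to the given unit; the result may exceed Integer.MAX_VALUE, so do not cast it to int. */` above the interface method. The interface body continues outside the hunk, and any implementation not touched by this commit that still declares an int return will no longer compile against it.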
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/AbstractFlowFileQueue.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/AbstractFlowFileQueue.java
index de49ad2701..609734a36a 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/AbstractFlowFileQueue.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/AbstractFlowFileQueue.java
@@ -98,8 +98,8 @@ public abstract class AbstractFlowFileQueue implements FlowFileQueue {
 }
 @Override
-public int getFlowFileExpiration(final TimeUnit timeUnit) {
-return (int) timeUnit.convert(expirationPeriod.get().getMillis(), TimeUnit.MILLISECONDS);
+public long getFlowFileExpiration(final TimeUnit timeUnit) {
+return timeUnit.convert(expirationPeriod.get().getMillis(), TimeUnit.MILLISECONDS);
 }
 @Override
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/partition/SwappablePriorityQueueLocalPartition.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/partition/SwappablePriorityQueueLocalPartition.java
index ae41e554bc..7fa9ee38dd 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/partition/SwappablePriorityQueueLocalPartition.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/partition/SwappablePriorityQueueLocalPartition.java
@@ -138,7 +138,7 @@ public class SwappablePriorityQueueLocalPartition implements LocalQueuePartition
 return poll(filter, expiredRecords, PollStrategy.UNPENALIZED_FLOWFILES);
 }
-private int getExpiration() {
+private long getExpiration() {
 return flowFileQueue.getFlowFileExpiration(TimeUnit.MILLISECONDS);
 }
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/repository/TestWriteAheadFlowFileRepository.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/repository/TestWriteAheadFlowFileRepository.java
index 39696bff4a..52dc3ec786 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/repository/TestWriteAheadFlowFileRepository.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core
[nifi] branch main updated: NIFI-10667 Added Private Key Service interface and implementation
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 9f2ad260bd NIFI-10667 Added Private Key Service interface and implementation 9f2ad260bd is described below commit 9f2ad260bd0de2b3d2be10030bfe8f8eb4101b4e Author: exceptionfactory AuthorDate: Wed Oct 19 08:52:16 2022 -0500 NIFI-10667 Added Private Key Service interface and implementation - Defined PrivateKeyService in nifi-key-service-api - Implemented StandardPrivateKeyService using Bouncy Castle library NIFI-10667 Improved custom validation to avoid repetitive reads NIFI-10667 Added onPropertyModified() to clear Key Reference for validation Signed-off-by: Nathan Gough This closes #6553. --- nifi-assembly/pom.xml | 6 + .../nifi-key-service-api/pom.xml | 29 +++ .../nifi/key/service/api/PrivateKeyService.java| 33 .../nifi-key-service-nar/pom.xml | 37 .../nifi-key-service/pom.xml | 51 + .../key/service/StandardPrivateKeyService.java | 217 + .../reader/BouncyCastlePrivateKeyReader.java | 111 +++ .../key/service/reader/PrivateKeyException.java| 28 +++ .../nifi/key/service/reader/PrivateKeyReader.java | 34 .../org.apache.nifi.controller.ControllerService | 15 ++ .../key/service/StandardPrivateKeyServiceTest.java | 145 ++ .../nifi-key-service-bundle/pom.xml| 28 +++ .../nifi-standard-services-api-nar/pom.xml | 6 + nifi-nar-bundles/nifi-standard-services/pom.xml| 2 + 14 files changed, 742 insertions(+) diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml index 3b932c882e..5e559a5935 100644 --- a/nifi-assembly/pom.xml +++ b/nifi-assembly/pom.xml @@ -227,6 +227,12 @@ language governing permissions and limitations under the License. --> 1.19.0-SNAPSHOT nar + +org.apache.nifi +nifi-key-service-nar +1.19.0-SNAPSHOT +nar + org.apache.nifi nifi-distributed-cache-services-nar 
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-key-service-api/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-key-service-api/pom.xml new file mode 100644 index 00..5dca67fe03 --- /dev/null +++ b/nifi-nar-bundles/nifi-standard-services/nifi-key-service-api/pom.xml @@ -0,0 +1,29 @@ +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd;> + +4.0.0 + +org.apache.nifi +nifi-standard-services +1.19.0-SNAPSHOT + +nifi-key-service-api + + +org.apache.nifi +nifi-api + + + diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-key-service-api/src/main/java/org/apache/nifi/key/service/api/PrivateKeyService.java b/nifi-nar-bundles/nifi-standard-services/nifi-key-service-api/src/main/java/org/apache/nifi/key/service/api/PrivateKeyService.java new file mode 100644 index 00..756a573b4d --- /dev/null +++ b/nifi-nar-bundles/nifi-standard-services/nifi-key-service-api/src/main/java/org/apache/nifi/key/service/api/PrivateKeyService.java 
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.key.service.api;
+
+import org.apache.nifi.controller.ControllerService;
+
+import java.security.PrivateKey;
+
+/**
+ * Controller Service abstracting access to Private Keys
+ */
+public interface PrivateKeyService extends ControllerService {
+/**
+ * Get Private Key
+ *
+ * @return Private Key
+ */
+PrivateKey getPrivateKey();
+}
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-key-service-bundle/nifi-key-service-nar/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-key-service-bundle/n
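Review bot: The Javadoc on `getPrivateKey()` in PrivateKeyService only restates the method name, which leaves the contract open for an interface that hands out key material. It should say whether the return value can be null when no key is configured, what is thrown when the key cannot be read, and that callers should not log or persist the returned key. Something like `@return Private Key loaded from the configured source; callers must not log or persist the key material` would do, with a matching `@throws` line once the failure behaviour of implementations is settled. The implementation lives in a different file, so the null and exception behaviour cannot be confirmed from this hunk.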
[nifi] branch main updated (fcefd051d2 -> 9adbba361a)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from fcefd051d2 NIFI-10652 Corrected dependency scopes for nifi-iceberg-processors add 9adbba361a NIFI-10662 Upgraded Jackson BOM from 2.13.4 to 2.13.4.20221013 No new revisions were added by this update. Summary of changes: pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
[nifi] branch main updated: NIFI-10625 Added support for HTTP/2 in Registry
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new b753c1c72d NIFI-10625 Added support for HTTP/2 in Registry b753c1c72d is described below commit b753c1c72d85c482bcc8bf125023107d79f54ed4 Author: exceptionfactory AuthorDate: Tue Oct 11 14:29:42 2022 -0500 NIFI-10625 Added support for HTTP/2 in Registry - Added nifi-security-ssl for generalized SSLContext creation - Removed static keystore and truststore test files from nifi-registry-jetty Signed-off-by: Nathan Gough This closes #6514. --- nifi-commons/nifi-security-ssl/pom.xml | 25 +++ .../ssl/BuilderConfigurationException.java | 41 .../apache/nifi/security/ssl/KeyStoreBuilder.java | 31 +++ .../nifi/security/ssl/SslContextBuilder.java | 31 +++ .../nifi/security/ssl/StandardKeyStoreBuilder.java | 117 +++ .../security/ssl/StandardSslContextBuilder.java| 171 +++ .../security/ssl/StandardKeyStoreBuilderTest.java | 57 + .../ssl/StandardSslContextBuilderTest.java | 78 +++ nifi-commons/pom.xml | 1 + nifi-registry/nifi-registry-assembly/pom.xml | 1 + .../src/main/asciidoc/administration-guide.adoc| 7 + .../nifi-registry-core/nifi-registry-jetty/pom.xml | 29 +++ .../apache/nifi/registry/jetty/JettyServer.java| 164 ++- .../ApplicationServerConnectorFactory.java | 231 + .../registry/jetty/JettyServerGroovyTest.groovy| 165 --- .../ApplicationServerConnectorFactoryTest.java | 146 + .../test/resources/keystoreDifferentPasswords.jks | Bin 3128 -> 0 bytes .../src/test/resources/keystoreSamePassword.jks| Bin 3128 -> 0 bytes .../src/test/resources/truststore.jks | Bin 935 -> 0 bytes .../properties/NiFiRegistryProperties.java | 12 ++ .../main/resources/conf/nifi-registry.properties | 1 + nifi-registry/pom.xml | 12 ++ 22 files changed, 1008 insertions(+), 312 deletions(-) 
diff --git a/nifi-commons/nifi-security-ssl/pom.xml b/nifi-commons/nifi-security-ssl/pom.xml new file mode 100644 index 00..b8340373fa --- /dev/null +++ b/nifi-commons/nifi-security-ssl/pom.xml @@ -0,0 +1,25 @@ +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd;> + +4.0.0 + +org.apache.nifi +nifi-commons +1.19.0-SNAPSHOT + +nifi-security-ssl +Shared TLS security components without additional dependencies + + diff --git a/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/BuilderConfigurationException.java b/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/BuilderConfigurationException.java new file mode 100644 index 00..74ad3a96e4 --- /dev/null +++ b/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/BuilderConfigurationException.java 
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.ssl;
+
+/**
+ * Exception indicating runtime failure to create configured objects
+ */
+public class BuilderConfigurationException extends RuntimeException {
+/**
+ * Builder Configuration Exception Constructor with standard properties
+ *
+ * @param message Exception Message
+ * @param cause Exception Cause
+ */
+public BuilderConfigurationException(final String message, final Throwable cause) {
+super(message, cause);
+}
+
+/**
+ * Builder Configuration Exception Constructor without Throwable cause
+ *
+ * @param message Exception Message
+ */
+public BuilderConfigurationException(final String message) {
+super(message);
+}
+}
diff --git a/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/
[nifi] branch main updated: NIFI-10635: Fix handling of enums in PutDatabaseRecord
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new a76abef270 NIFI-10635: Fix handling of enums in PutDatabaseRecord a76abef270 is described below commit a76abef270f7ac875a509060f81a491ca49b0a9d Author: Matthew Burgess AuthorDate: Wed Oct 12 14:17:50 2022 -0400 NIFI-10635: Fix handling of enums in PutDatabaseRecord Signed-off-by: Nathan Gough This closes #6518. --- .../serialization/record/util/DataTypeUtils.java | 2 + .../processors/standard/PutDatabaseRecord.java | 14 ++- .../processors/standard/DBCPServiceSimpleImpl.java | 23 +-- .../processors/standard/PutDatabaseRecordTest.java | 48 +- 4 files changed, 81 insertions(+), 6 deletions(-) diff --git a/nifi-commons/nifi-record/src/main/java/org/apache/nifi/serialization/record/util/DataTypeUtils.java b/nifi-commons/nifi-record/src/main/java/org/apache/nifi/serialization/record/util/DataTypeUtils.java index 5000c78fe1..d6db0b78fa 100644 --- a/nifi-commons/nifi-record/src/main/java/org/apache/nifi/serialization/record/util/DataTypeUtils.java +++ b/nifi-commons/nifi-record/src/main/java/org/apache/nifi/serialization/record/util/DataTypeUtils.java @@ -2131,6 +2131,8 @@ public class DataTypeUtils { return Types.SMALLINT; case STRING: return Types.VARCHAR; +case ENUM: +return Types.OTHER; case TIME: return Types.TIME; case TIMESTAMP: diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java index 3df3c89388..bcb26ceca5 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java 
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java @@ -863,7 +863,19 @@ public class PutDatabaseRecord extends AbstractProcessor { } } else { try { -ps.setObject(index, value, sqlType); +// If the specified field type is OTHER and the SQL type is VARCHAR, the conversion went ok as a string literal but try the OTHER type when setting the parameter. If an error occurs, +// try the normal way of using the sqlType +// This helps with PostgreSQL enums and possibly other scenarios +if (fieldSqlType == Types.OTHER && sqlType == Types.VARCHAR) { +try { +ps.setObject(index, value, fieldSqlType); +} catch (SQLException e) { +// Fall back to default setObject params +ps.setObject(index, value, sqlType); +} +} else { +ps.setObject(index, value, sqlType); +} } catch (SQLException e) { throw new IOException("Unable to setObject() with value " + value + " at index " + index + " of type " + sqlType , e); } diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/DBCPServiceSimpleImpl.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/DBCPServiceSimpleImpl.java index aa1e761097..d1337a7726 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/DBCPServiceSimpleImpl.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/DBCPServiceSimpleImpl.java 
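Review bot: The inner `catch (SQLException e)` in the new `Types.OTHER` branch of PutDatabaseRecord discards the first failure without recording it, so when the fallback `ps.setObject(index, value, sqlType)` succeeds nobody learns that the driver rejected OTHER, and when it also fails the IOException carries only the second cause. I would log the first exception before retrying, for example `getLogger().debug("setObject() with Types.OTHER failed at index {}; retrying with SQL type {}", index, sqlType, e);`, assuming this is an instance method with the processor logger in reach. Keep `value` out of that log line, since it is record data. The enclosing method starts and ends outside the hunk.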
@@ -20,18 +20,27 @@ import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.dbcp.DBCPService; import org.apache.nifi.processor.exception.ProcessException; +import java.nio.file.Path; +import java.nio.file.Paths; import java.sql.Connection; import java.sql.DriverManager; /** - * Simple implementation only for GenerateTableFetch processor testing. + * Simple implementation only for DB processor testing. */ public class DBCPServiceSimpleImpl extends AbstractControllerService implements DBCPService { private String databaseLocation; +private boolean isDerby; +// Default to use Derby connection public DBCPServiceSimpleImpl(final String databaseLocation) { +this(databaseLocation, true); +} + +public DBCPServiceSimpleImpl(final String da
[nifi] branch main updated: NIFI-10648 Upgraded Apache Commons Text to 1.10.0
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 0dc02e26d2 NIFI-10648 Upgraded Apache Commons Text to 1.10.0 0dc02e26d2 is described below commit 0dc02e26d2116d32b30bf2c16cfee5e66f6b6a93 Author: exceptionfactory AuthorDate: Fri Oct 14 09:19:57 2022 -0500 NIFI-10648 Upgraded Apache Commons Text to 1.10.0 - Added org.apache.commons.text.version property in root Maven configuration - Removed direct version references in favor of managed dependency version Signed-off-by: Nathan Gough This closes #6531. --- nifi-commons/nifi-expression-language/pom.xml | 1 - nifi-commons/nifi-flowfile-packager/pom.xml | 1 - nifi-nar-bundles/nifi-azure-bundle/pom.xml | 5 - .../nifi-cassandra-bundle/nifi-cassandra-processors/pom.xml | 1 - .../nifi-elasticsearch-bundle/nifi-elasticsearch-processors/pom.xml | 1 - .../nifi-record-utils/nifi-standard-record-utils/pom.xml| 1 - .../nifi-framework/nifi-headless-server/pom.xml | 1 - .../nifi-framework/nifi-web/nifi-jetty/pom.xml | 1 - nifi-nar-bundles/nifi-hbase-bundle/nifi-hbase-processors/pom.xml| 1 - nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/pom.xml | 1 - nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-processors/pom.xml | 1 - nifi-nar-bundles/nifi-spark-bundle/nifi-livy-processors/pom.xml | 1 - .../nifi-record-serialization-services/pom.xml | 1 - pom.xml | 6 ++ 14 files changed, 6 insertions(+), 17 deletions(-) diff --git a/nifi-commons/nifi-expression-language/pom.xml b/nifi-commons/nifi-expression-language/pom.xml index 17bf8b2ec3..476b381129 100644 --- a/nifi-commons/nifi-expression-language/pom.xml +++ b/nifi-commons/nifi-expression-language/pom.xml @@ -95,7 +95,6 @@ org.apache.commons commons-text -1.8 org.apache.commons 
diff --git a/nifi-commons/nifi-flowfile-packager/pom.xml b/nifi-commons/nifi-flowfile-packager/pom.xml index 9fd0e9aeea..8534746059 100644 --- a/nifi-commons/nifi-flowfile-packager/pom.xml +++ b/nifi-commons/nifi-flowfile-packager/pom.xml @@ -34,7 +34,6 @@ org.apache.commons commons-text -1.8 diff --git a/nifi-nar-bundles/nifi-azure-bundle/pom.xml b/nifi-nar-bundles/nifi-azure-bundle/pom.xml index d6299133e9..01d99b716c 100644 --- a/nifi-nar-bundles/nifi-azure-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-azure-bundle/pom.xml @@ -54,11 +54,6 @@ azure-storage ${microsoft.azure-storage.version} - -org.apache.commons -commons-text -1.8 - com.google.guava guava diff --git a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/pom.xml b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/pom.xml index 1be6552067..f7f9ad7873 100644 --- a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/pom.xml +++ b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/pom.xml @@ -92,7 +92,6 @@ org.apache.commons commons-text -1.8 diff --git a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-processors/pom.xml b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-processors/pom.xml index fa3608a762..bd6bb25caa 100644 --- a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-processors/pom.xml +++ b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-processors/pom.xml @@ -56,7 +56,6 @@ language governing permissions and limitations under the License. --> org.apache.commons commons-text -1.8 org.apache.nifi diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/pom.xml b/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/pom.xml index 56891a291e..3362c79ea0 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/pom.xml 
+++ b/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/pom.xml @@ -59,7 +59,6 @@ org.apache.commons commons-text -1.8 org.apache.nifi diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-headless-server/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/n
[nifi] branch main updated (1ebeb2db7a -> 97dc4b67aa)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from 1ebeb2db7a NIFI-10610 Removed quotation from minifi-env.bat add 97dc4b67aa NIFI-10569 Added Maximum Thread property to HandleHttpRequest No new revisions were added by this update. Summary of changes: .../processors/standard/HandleHttpRequest.java | 19 - .../processors/standard/HandleHttpRequestTest.java | 78 ++ .../standard/ITestHandleHttpRequest.java | 94 -- 3 files changed, 96 insertions(+), 95 deletions(-) create mode 100644 nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/HandleHttpRequestTest.java
[nifi] branch main updated: NIFI-10586 Prioritized ssh-rsa algorithm in SFTP Processors
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new d1145ee34e NIFI-10586 Prioritized ssh-rsa algorithm in SFTP Processors d1145ee34e is described below commit d1145ee34e8bbaf9b104989637421cf9c6d9a393 Author: exceptionfactory AuthorDate: Mon Oct 3 17:27:58 2022 -0500 NIFI-10586 Prioritized ssh-rsa algorithm in SFTP Processors - The default configuration prioritizes ssh-rsa when Key Algorithms Allowed is not specified Signed-off-by: Nathan Gough This closes #6479. --- .../nifi/processors/standard/ssh/StandardSSHConfigProvider.java | 6 ++ .../processors/standard/ssh/StandardSSHConfigProviderTest.java| 8 +++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProvider.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProvider.java index 7ecde5b191..567857ddda 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProvider.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProvider.java 
@@ -67,6 +67,12 @@ public class StandardSSHConfigProvider implements SSHConfigProvider {
 getOptionalProperty(context, KEY_EXCHANGE_ALGORITHMS_ALLOWED).ifPresent(property -> config.setKeyExchangeFactories(getFilteredValues(property, config.getKeyExchangeFactories(;
 getOptionalProperty(context, MESSAGE_AUTHENTICATION_CODES_ALLOWED).ifPresent(property -> config.setMACFactories(getFilteredValues(property, config.getMACFactories(;
+final String keyAlgorithmsAllowed = context.getProperty(KEY_ALGORITHMS_ALLOWED).evaluateAttributeExpressions().getValue();
+if (keyAlgorithmsAllowed == null) {
+// Prioritize ssh-rsa when Key Algorithms Allowed is not specified
+config.prioritizeSshRsaKeyAlgorithm();
+}
+
 return config;
 }
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProviderTest.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProviderTest.java
index 88a983c1ac..45e7b69bba 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProviderTest.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ssh/StandardSSHConfigProviderTest.java
@@ -50,7 +50,7 @@ import static org.mockito.Mockito.when;
 @ExtendWith(MockitoExtension.class)
 public class StandardSSHConfigProviderTest {
-private static final Config DEFAULT_CONFIG = new DefaultConfig();
+private static final Config DEFAULT_CONFIG;
 private static final String FIRST_ALLOWED_CIPHER = "aes128-ctr";
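Review bot: The added block in StandardSSHConfigProvider puts ssh-rsa first whenever Key Algorithms Allowed is unset, going by the name of `prioritizeSshRsaKeyAlgorithm()`, and ssh-rsa signs with SHA-1, so the default configuration would prefer it even against servers that also offer rsa-sha2-256, rsa-sha2-512 or ssh-ed25519. The one-line comment states what happens but not why; I would expand it to `// Compatibility default for servers that only accept ssh-rsa; set Key Algorithms Allowed to choose a stronger key algorithm order`. The check is also `== null` only, so a property that evaluates to an empty string would skip this default; confirm that is intended. The method body starts outside the hunk, and the same call is mirrored in the static initializer added to StandardSSHConfigProviderTest.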
@@ -66,6 +66,12 @@ public class StandardSSHConfigProviderTest {
 private static final String IDENTIFIER = UUID.randomUUID().toString();
+static {
+final DefaultConfig prioritizedConfig = new DefaultConfig();
+prioritizedConfig.prioritizeSshRsaKeyAlgorithm();
+DEFAULT_CONFIG = prioritizedConfig;
+}
+
 @Mock
 private PropertyContext context;
[nifi] branch main updated: NIFI-9637: Adding GcpSecretManagerParameterProvider
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 518f413d9f NIFI-9637: Adding GcpSecretManagerParameterProvider 518f413d9f is described below commit 518f413d9fa12e7fdf62c7ef33aefe33d1a2d596 Author: Joe Gresock AuthorDate: Sat Sep 10 10:35:21 2022 -0400 NIFI-9637: Adding GcpSecretManagerParameterProvider Signed-off-by: Nathan Gough This closes #6394. --- .../nifi-gcp-bundle/nifi-gcp-nar/pom.xml | 5 + .../nifi-gcp-parameter-providers/pom.xml | 84 + .../gcp/GcpSecretManagerParameterProvider.java | 200 .../org.apache.nifi.parameter.ParameterProvider| 16 ++ .../additionalDetails.html | 55 ++ .../gcp/TestGcpSecretManagerParameterProvider.java | 208 + .../org.mockito.plugins.MockMaker | 15 ++ nifi-nar-bundles/nifi-gcp-bundle/pom.xml | 1 + 8 files changed, 584 insertions(+) diff --git a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-nar/pom.xml b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-nar/pom.xml index 168756d348..b1f69f73b8 100644 --- a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-nar/pom.xml +++ b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-nar/pom.xml @@ -41,5 +41,10 @@ nifi-gcp-processors 1.18.0-SNAPSHOT + +org.apache.nifi +nifi-gcp-parameter-providers +1.18.0-SNAPSHOT + diff --git a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-parameter-providers/pom.xml b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-parameter-providers/pom.xml new file mode 100644 index 00..91ac70afa5 --- /dev/null +++ b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-parameter-providers/pom.xml 
@@ -0,0 +1,84 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd;> +4.0.0 + +org.apache.nifi +nifi-gcp-bundle +1.18.0-SNAPSHOT + + +nifi-gcp-parameter-providers +jar + + +org.apache.nifi +nifi-api + + +org.apache.nifi +nifi-utils +1.18.0-SNAPSHOT +provided + + +org.apache.nifi +nifi-gcp-services-api +1.18.0-SNAPSHOT +provided + + +org.slf4j +jcl-over-slf4j + + +com.google.cloud +google-cloud-secretmanager + + +commons-logging +commons-logging + + + + +com.google.auth +google-auth-library-oauth2-http + + +com.google.code.findbugs +jsr305 + + +commons-logging +commons-logging + + + + +org.apache.nifi +nifi-expression-language +1.18.0-SNAPSHOT +test + + +org.apache.nifi +nifi-mock +1.18.0-SNAPSHOT +test + + + diff --git a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-parameter-providers/src/main/java/org/apache/nifi/parameter/gcp/GcpSecretManagerParameterProvider.java b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-parameter-providers/src/main/java/org/apache/nifi/parameter/gcp/GcpSecretManagerParameterProvider.java new file mode 100644 index 00..19ffa06c56 --- /dev/null +++ b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-parameter-providers/src/main/java/org/apache/nifi/parameter/gcp/GcpSecretManagerParameterProvider.java 
@@ -0,0 +1,200 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.parameter.gcp; + +import
[nifi] branch main updated: NIFI-9451 - Add 'Input Character Set' property for PutEmail and additional tests
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new f586f8f4cf NIFI-9451 - Add 'Input Character Set' property for PutEmail and additional tests f586f8f4cf is described below commit f586f8f4cf59661561328a7d480ac5e9ebe77248 Author: Emilio Setiadarma AuthorDate: Mon Aug 8 11:33:47 2022 -0700 NIFI-9451 - Add 'Input Character Set' property for PutEmail and additional tests Signed-off-by: Nathan Gough This closes #6313. --- .../apache/nifi/processors/standard/PutEmail.java | 107 - .../nifi/processors/standard/TestPutEmail.java | 79 +-- 2 files changed, 152 insertions(+), 34 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutEmail.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutEmail.java index 1f35e50cd9..fad0d29cd5 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutEmail.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutEmail.java 
@@ -16,24 +16,6 @@ */ package org.apache.nifi.processors.standard; -import java.io.IOException; -import java.io.UnsupportedEncodingException; -import java.nio.charset.Charset; -import java.nio.charset.StandardCharsets; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Map.Entry; -import java.util.Properties; -import java.util.Set; -import java.util.regex.Matcher; -import java.util.regex.Pattern; - import jakarta.activation.DataHandler; import jakarta.mail.Authenticator; import jakarta.mail.Message; @@ -50,7 +32,6 @@ import jakarta.mail.internet.MimeMultipart; import jakarta.mail.internet.MimeUtility; import jakarta.mail.internet.PreencodedMimeBodyPart; import jakarta.mail.util.ByteArrayDataSource; - import org.apache.commons.codec.binary.Base64; import org.apache.nifi.annotation.behavior.DynamicProperty; import org.apache.nifi.annotation.behavior.InputRequirement; @@ -79,6 +60,24 @@ import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.stream.io.StreamUtils; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Properties; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + @SupportsBatching @Tags({"email", "put", "notify", "smtp"}) @InputRequirement(Requirement.INPUT_REQUIRED) 
@@ -245,6 +244,17 @@ public class PutEmail extends AbstractProcessor { .allowableValues("true", "false") .defaultValue("false") .build(); +public static final PropertyDescriptor INPUT_CHARACTER_SET = new PropertyDescriptor.Builder() +.name("input-character-set") +.displayName("Input Character Set") +.description("Specifies the character set of the FlowFile contents " ++ "for reading input FlowFile contents to generate the message body " ++ "or as an attachment to the message. " ++ "If not set, UTF-8 will be the default value.") +.required(true) +.addValidator(StandardValidators.CHARACTER_SET_VALIDATOR) +.defaultValue(StandardCharsets.UTF_8.name()) +.build(); public static final Relationship REL_SUCCESS = new Relationship.Builder() .name("success") @@ -255,7 +265,6 @@ public class PutEmail extends AbstractProcessor { .description("FlowFiles that fail to send will be routed to this relationship") .build(); -private static final Charset CONTENT_CHARSET = StandardCharsets.UTF_8; private List properties; @@ -297,8 +306,10 @@ public class PutEmail extends AbstractProcessor { properties.add(SUBJECT); properties.add(MESSAGE); properties.add(CONTENT_AS_MESSAGE); +properties.add(INPUT_CHARACTER_SET); properties.add(ATTA
[nifi] branch main updated: NIFI-10534 - Update pom.xml for spring.version from 5.3.22 to 5.3.23.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 91ad4548a8 NIFI-10534 - Update pom.xml for spring.version from 5.3.22 to 5.3.23. 91ad4548a8 is described below commit 91ad4548a8767e858c2637e8c278667c030d9bbb Author: mr1716 AuthorDate: Wed Sep 21 15:55:38 2022 -0400 NIFI-10534 - Update pom.xml for spring.version from 5.3.22 to 5.3.23. Signed-off-by: Nathan Gough This closes #6442. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 6b056dfea1..a978a7d92f 100644 --- a/pom.xml +++ b/pom.xml @@ -140,7 +140,7 @@ 3.10.6.Final 1.32 4.1.81.Final -5.3.22 +5.3.23 5.7.3 1.6.6 2.1.214
[nifi] branch main updated: NIFI-10492 - Update pom.xml for graphics2d from 0.32 to 0.40
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 62811f5afe NIFI-10492 - Update pom.xml for graphics2d from 0.32 to 0.40 62811f5afe is described below commit 62811f5afe618c84afa45af3f729483fe5806b3e Author: mr1716 AuthorDate: Tue Sep 13 07:42:47 2022 -0400 NIFI-10492 - Update pom.xml for graphics2d from 0.32 to 0.40 Signed-off-by: Nathan Gough This closes #6412. --- nifi-nar-bundles/nifi-poi-bundle/nifi-poi-processors/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nifi-nar-bundles/nifi-poi-bundle/nifi-poi-processors/pom.xml b/nifi-nar-bundles/nifi-poi-bundle/nifi-poi-processors/pom.xml index 7477de989d..87f833aae0 100644 --- a/nifi-nar-bundles/nifi-poi-bundle/nifi-poi-processors/pom.xml +++ b/nifi-nar-bundles/nifi-poi-bundle/nifi-poi-processors/pom.xml @@ -52,7 +52,7 @@ de.rototor.pdfbox graphics2d -0.32 +0.40 commons-logging
[nifi] branch main updated (eaaff4ede9 -> 4bfa776cf7)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from eaaff4ede9 NIFI-10364: Simplified connection/session handling in SmbjClientService add 4bfa776cf7 NIFI-10484 Upgraded Dependency Check Plugin from 7.1.1 to 7.1.2 No new revisions were added by this update. Summary of changes: pom.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
[nifi] branch main updated: NIFI-10407 Improved reliability of GetSmbFileTest
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new c19d6a0db1 NIFI-10407 Improved reliability of GetSmbFileTest c19d6a0db1 is described below commit c19d6a0db15588a89f79c1e0ff8650270d77c94c Author: exceptionfactory AuthorDate: Mon Aug 29 14:40:21 2022 -0500 NIFI-10407 Improved reliability of GetSmbFileTest - Changed TestRunner.run() to avoid clearing internal cache between runs - Updated Mockito usage with annotations Signed-off-by: Nathan Gough This closes #6346. --- .../apache/nifi/processors/smb/GetSmbFileTest.java | 98 -- 1 file changed, 55 insertions(+), 43 deletions(-) diff --git a/nifi-nar-bundles/nifi-smb-bundle/nifi-smb-processors/src/test/java/org/apache/nifi/processors/smb/GetSmbFileTest.java b/nifi-nar-bundles/nifi-smb-bundle/nifi-smb-processors/src/test/java/org/apache/nifi/processors/smb/GetSmbFileTest.java index 83e6e03bd1..da209a06bb 100644 --- a/nifi-nar-bundles/nifi-smb-bundle/nifi-smb-processors/src/test/java/org/apache/nifi/processors/smb/GetSmbFileTest.java +++ b/nifi-nar-bundles/nifi-smb-bundle/nifi-smb-processors/src/test/java/org/apache/nifi/processors/smb/GetSmbFileTest.java @@ -30,11 +30,14 @@ import com.hierynomus.smbj.session.Session; import com.hierynomus.smbj.share.DiskShare; import com.hierynomus.smbj.share.File; import org.apache.nifi.flowfile.attributes.CoreAttributes; +import org.apache.nifi.util.MockFlowFile; import org.apache.nifi.util.TestRunner; import org.apache.nifi.util.TestRunners; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.mockito.MockitoAnnotations; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; import java.io.ByteArrayInputStream; import java.io.IOException; 
@@ -44,35 +47,39 @@ import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors; +import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anySet; import static org.mockito.Mockito.eq; +import static org.mockito.Mockito.lenient; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; +@ExtendWith(MockitoExtension.class) public class GetSmbFileTest { private TestRunner testRunner; +@Mock private SMBClient smbClient; + +@Mock private Connection connection; + +@Mock private Session session; + +@Mock private DiskShare diskShare; private final static String HOSTNAME = "host"; private final static String SHARE = "share"; private final static String DIRECTORY = "nifi\\input"; -private final static String DOMAIN = ""; private final static String USERNAME = "user"; private final static String PASSWORD = "pass"; private void setupSmbProcessor() throws IOException { -smbClient = mock(SMBClient.class); -connection = mock(Connection.class); -session = mock(Session.class); -diskShare = mock(DiskShare.class); - when(smbClient.connect(any(String.class))).thenReturn(connection); when(connection.authenticate(any(AuthenticationContext.class))).thenReturn(session); when(session.connectShare(SHARE)).thenReturn(diskShare); @@ -81,9 +88,6 @@ public class GetSmbFileTest { testRunner.setProperty(GetSmbFile.HOSTNAME, HOSTNAME); testRunner.setProperty(GetSmbFile.SHARE, SHARE); testRunner.setProperty(GetSmbFile.DIRECTORY, DIRECTORY); -if (!DOMAIN.isEmpty()) { -testRunner.setProperty(GetSmbFile.DOMAIN, DOMAIN); -} testRunner.setProperty(GetSmbFile.USERNAME, USERNAME); testRunner.setProperty(GetSmbFile.PASSWORD, PASSWORD); 
@@ -95,7 +99,7 @@ public class GetSmbFileTest { private FileIdBothDirectoryInformation mockFile(String path, String filename, String fileContent, long fileAttributes) { File smbfile = mock(File.class); final String fullpath = path + "\\" + filename; -when(diskShare.openFile( +lenient().when(diskShare.openFile( eq(fullpath), anySet(), anySet(), @@ -103,26 +107,26 @@ public class GetSmbFileTest { any(SMB2CreateDisposition.class), anySet() )).thenReturn(smbfile); -when(smbfile.getFileName()).thenReturn(filename); +lenient().when(smbfile.getFileName()).thenReturn(filename); if (fileContent != null) { InputStream is = new ByteArrayInputS
[nifi] branch main updated: NIFI-10384 Upgraded Avatica to 1.22.0 for Hive 3
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 6350829676 NIFI-10384 Upgraded Avatica to 1.22.0 for Hive 3 6350829676 is described below commit 6350829676df8e06350174e3c65749a8a322bdca Author: exceptionfactory AuthorDate: Mon Aug 22 15:38:21 2022 -0500 NIFI-10384 Upgraded Avatica to 1.22.0 for Hive 3 Signed-off-by: Nathan Gough This closes #6323. --- nifi-dependency-check-maven/suppressions.xml | 5 + nifi-nar-bundles/nifi-hive-bundle/pom.xml| 7 +++ 2 files changed, 12 insertions(+) diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml index 02b12ca644..4397a9a5a3 100644 --- a/nifi-dependency-check-maven/suppressions.xml +++ b/nifi-dependency-check-maven/suppressions.xml @@ -149,6 +149,11 @@ ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 + +CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject +^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$ +CVE-2020-13955 + OpenTSDB vulnerabilities do not apply to HBase Async library ^pkg:maven/org\.hbase/asynchbase@.*$ diff --git a/nifi-nar-bundles/nifi-hive-bundle/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/pom.xml index a276cf7b36..d31ad02b5a 100644 --- a/nifi-nar-bundles/nifi-hive-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-hive-bundle/pom.xml @@ -61,6 +61,12 @@ calcite-core ${calcite.version} + + +org.apache.calcite.avatica +avatica +${avatica.version} + org.yaml @@ -113,6 +119,7 @@ 2.6.2 3.1.3 ${hive3.version} +1.22.0 1.31.0 1.6.0
[nifi] branch main updated: NIFI-10408 Added build user method to LdapUserGroupProvider
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 3a6d724b44 NIFI-10408 Added build user method to LdapUserGroupProvider 3a6d724b44 is described below commit 3a6d724b4482d64d46aa64ccb7a59b074b172e01 Author: exceptionfactory AuthorDate: Mon Aug 29 17:17:49 2022 -0500 NIFI-10408 Added build user method to LdapUserGroupProvider - Introduced blank user identity checking with improved error reporting for misconfigured mapping - Simplified LDAP ThreadFactory configuration - Replaced String.format() with placeholders for debug logging - Replaced deprecated FormatUtils.getTimeDuration with getPreciseTimeDuration Signed-off-by: Nathan Gough This closes #6351. --- .../nifi/ldap/tenants/LdapUserGroupProvider.java | 202 +++-- .../ldap/tenants/LdapUserGroupProviderTest.java| 101 ++- 2 files changed, 166 insertions(+), 137 deletions(-) diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java index 2dd0827970..2f3f108adf 100644 --- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java +++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java 
@@ -17,6 +17,7 @@ package org.apache.nifi.ldap.tenants; import org.apache.commons.lang3.StringUtils; +import org.apache.commons.lang3.concurrent.BasicThreadFactory; import org.apache.nifi.authentication.exception.ProviderCreationException; import org.apache.nifi.authentication.exception.ProviderDestructionException; import org.apache.nifi.authorization.AuthorizerConfigurationContext; @@ -147,16 +148,12 @@ public class LdapUserGroupProvider implements UserGroupProvider { @Override public void initialize(final UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException { -ldapSync = Executors.newSingleThreadScheduledExecutor(new ThreadFactory() { -final ThreadFactory factory = Executors.defaultThreadFactory(); - -@Override -public Thread newThread(Runnable r) { -final Thread thread = factory.newThread(r); -thread.setName(String.format("%s (%s) - background sync thread", getClass().getSimpleName(), initializationContext.getIdentifier())); -return thread; -} -}); +final String namingPattern = String.format("%s (%s) - background sync thread", getClass().getSimpleName(), initializationContext.getIdentifier()); +final ThreadFactory threadFactory = new BasicThreadFactory.Builder() +.daemon(true) +.namingPattern(namingPattern) +.build(); +ldapSync = Executors.newSingleThreadScheduledExecutor(threadFactory); } @Override 
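Review bot: The string handed to `namingPattern(...)` in `initialize` is already the result of `String.format`, but `BasicThreadFactory` treats its naming pattern as a format string again, with the thread counter as the argument. A `%` in `initializationContext.getIdentifier()` would therefore be parsed as a format specifier when the sync thread is created. The identifier presumably comes from provider configuration, so this is a robustness concern rather than an exposure, and escaping it avoids a failure at thread creation: `.namingPattern(namingPattern.replace("%", "%%"))`. The new `.daemon(true)` also changes shutdown behaviour compared with the default thread factory used before, so a short comment would record that this is intended, for example `// daemon thread: background sync must not keep the JVM alive`.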
@@ -179,56 +176,53 @@ public class LdapUserGroupProvider implements UserGroupProvider { rawAuthenticationStrategy.getValue(), StringUtils.join(LdapAuthenticationStrategy.values(), ", "))); } -switch (authenticationStrategy) { -case ANONYMOUS: -context.setAnonymousReadOnly(true); -break; -default: -final String userDn = configurationContext.getProperty(PROP_MANAGER_DN).getValue(); -final String password = configurationContext.getProperty(PROP_MANAGER_PASSWORD).getValue(); - -context.setUserDn(userDn); -context.setPassword(password); - -switch (authenticationStrategy) { -case SIMPLE: -context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy()); -break; -case LDAPS: -context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy()); - -// indicate a secure connection -baseEnvironment.put(Context.SECURITY_PROTOCOL, "ssl"); - -// get the configured ssl context -final SSLContext ldapsSslContext = getConfiguredSslContext(configurationContext); -if (ldapsSslContext != null) { -// initialize the ldaps socket factory prior to use - LdapsSocketFactory.initialize(ldapsSslContext.getSocketFactory()); -
[nifi] branch main updated: NIFI-10313 Removed Expiration Token on Authentication Errors
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new b777978293 NIFI-10313 Removed Expiration Token on Authentication Errors b777978293 is described below commit b777978293bd9ae1d1c1af6fa981ce6f9ab1638a Author: exceptionfactory AuthorDate: Wed Aug 24 16:40:15 2022 -0500 NIFI-10313 Removed Expiration Token on Authentication Errors - Updated standard user interface error handler to clear the Access-Token-Expiration item from Session Storage when receiving an error with the WWW-Authenticate Header indicating a problem with the Bearer Token Signed-off-by: Nathan Gough This closes #6334. --- .../src/main/webapp/js/nf/nf-error-handler.js | 26 +- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-error-handler.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-error-handler.js index 583b666d46..cb7f0fa2ba 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-error-handler.js +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-error-handler.js 
@@ -21,20 +21,24 @@ if (typeof define === 'function' && define.amd) { define(['jquery', 'nf.Dialog', -'nf.Common'], -function ($, nfDialog, nfCommon) { -return (nf.ErrorHandler = factory($, nfDialog, nfCommon)); +'nf.Common', +'nf.AuthorizationStorage'], +function ($, nfDialog, nfCommon, nfAuthorizationStorage) { +return (nf.ErrorHandler = factory($, nfDialog, nfCommon, nfAuthorizationStorage)); }); } else if (typeof exports === 'object' && typeof module === 'object') { module.exports = (nf.ErrorHandler = factory(require('jquery'), require('nf.Dialog'), -require('nf.Common'))); +require('nf.Common'), +require('nf.AuthorizationStorage') +)); } else { nf.ErrorHandler = factory(root.$, root.nf.Dialog, -root.nf.Common); +root.nf.Common, +root.nf.AuthorizationStorage); } -}(this, function ($, nfDialog, nfCommon) { +}(this, function ($, nfDialog, nfCommon, nfAuthorizationStorage) { 'use strict'; var self = { @@ -47,6 +51,9 @@ */ handleAjaxError: function (xhr, status, error) { if (status === 'canceled') { +// Remove Token from storage for session expiration +nfAuthorizationStorage.removeToken(); + if ($('#splash').is(':visible')) { $('#message-title').text('Session Expired'); $('#message-content').text('Your session has expired. Please reload to log in again.'); @@ -65,6 +72,13 @@ return; } +// Remove Token from storage when REST API returns WWW-Authenticate Bearer indicating authorization errors +var authenticateHeader = xhr.getResponseHeader('WWW-Authenticate'); +var bearerPattern = new RegExp('^Bearer.*$'); +if (bearerPattern.test(authenticateHeader)) { +nfAuthorizationStorage.removeToken(); +} + // if an error occurs while the splash screen is visible close the canvas show the error message if ($('#splash').is(':visible')) { if (xhr.status === 401) {
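Review bot: The Bearer check added to `handleAjaxError` only works for a missing header because `RegExp.test` coerces the `null` returned by `getResponseHeader` to a string. It also matches the scheme case-sensitively, although HTTP authentication scheme names are case-insensitive. An explicit guard states the intent and tolerates other casing: `if (authenticateHeader && /^Bearer\b/i.test(authenticateHeader)) {`. This matters because a stale Access-Token-Expiration entry is exactly what the commit is trying to clear, so a check that silently fails to match leaves it in session storage. The body of `handleAjaxError` continues past the end of the last hunk.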
[nifi] branch main updated: NIFI-10321 Send Session Expired message for Expired JWT errors
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 777238eb32 NIFI-10321 Send Session Expired message for Expired JWT errors 777238eb32 is described below commit 777238eb323db75bce0285d89add2f6bd87eddef Author: exceptionfactory AuthorDate: Tue Aug 23 16:18:09 2022 -0500 NIFI-10321 Send Session Expired message for Expired JWT errors Signed-off-by: Nathan Gough This closes #6332. --- .../security/StandardAuthenticationEntryPoint.java | 23 +++-- .../StandardAuthenticationEntryPointTest.java | 29 ++ 2 files changed, 39 insertions(+), 13 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java index ebf2da74d1..561652de8f 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java @@ -25,8 +25,8 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.util.StringUtils; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; 
@@ -45,6 +45,10 @@ public class StandardAuthenticationEntryPoint implements AuthenticationEntryPoin protected static final String UNAUTHORIZED = "Unauthorized"; +protected static final String EXPIRED_JWT = "Expired JWT"; + +protected static final String SESSION_EXPIRED = "Session Expired"; + private static final String ROOT_PATH = "/"; private static final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService(); 
@@ -62,32 +66,35 @@ public class StandardAuthenticationEntryPoint implements AuthenticationEntryPoin * @param response HTTP Servlet Response * @param exception Authentication Exception * @throws IOException Thrown on response processing failures - * @throws ServletException Thrown on response processing failures */ @Override -public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException exception) throws IOException, ServletException { +public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException exception) throws IOException { if (exception instanceof OAuth2AuthenticationException) { bearerTokenAuthenticationEntryPoint.commence(request, response, exception); } else { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); } removeAuthorizationBearerCookie(request, response); -sendErrorMessage(response); +sendErrorMessage(response, exception); } -private void sendErrorMessage(final HttpServletResponse response) throws IOException { +private void sendErrorMessage(final HttpServletResponse response, final AuthenticationException exception) throws IOException { response.setContentType(MediaType.TEXT_PLAIN_VALUE); -final String message = getErrorMessage(response); +final String message = getErrorMessage(response, exception); try (final PrintWriter writer = response.getWriter()) { writer.print(message); } } -private String getErrorMessage(final HttpServletResponse response) { +private String getErrorMessage(final HttpServletResponse response, final AuthenticationException exception) { // Use WWW-Authenticate Header from BearerTokenAuthenticationEntryPoint when found final String authenticateHeader = response.getHeader(AUTHENTICATE_HEADER); final String errorMessage = authenticateHeader == null ? 
UNAUTHORIZED : authenticateHeader; -return errorMessage.replaceFirst(BEARER_HEADER, UNAUTHORIZED); +final String formattedErrorMessage = errorMessage.replaceFirst(BEARER_HEADER, UNAUTHORIZED); + +// Use simplified message for Expired JWT exceptions +final String exceptionMessage =
[nifi] branch main updated: NIFI-10348 Upgraded Tomcat Embed to 8.5.82 for Flume NAR
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 90aa778a6c NIFI-10348 Upgraded Tomcat Embed to 8.5.82 for Flume NAR 90aa778a6c is described below commit 90aa778a6ca4723623465709222e66d5cc5cdbc2 Author: exceptionfactory AuthorDate: Thu Aug 11 09:18:59 2022 -0500 NIFI-10348 Upgraded Tomcat Embed to 8.5.82 for Flume NAR - Upgraded tomcat-embed-core from 8.5.46 to 8.5.82 for Flume components Signed-off-by: Nathan Gough This closes #6292. --- nifi-nar-bundles/nifi-flume-bundle/pom.xml | 6 ++ 1 file changed, 6 insertions(+) diff --git a/nifi-nar-bundles/nifi-flume-bundle/pom.xml b/nifi-nar-bundles/nifi-flume-bundle/pom.xml index 01e7264a0f..d94f9f3a22 100644 --- a/nifi-nar-bundles/nifi-flume-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-flume-bundle/pom.xml @@ -40,6 +40,12 @@ netty ${netty.3.version} + + +org.apache.tomcat.embed +tomcat-embed-core +8.5.82 +
[nifi] branch main updated: NIFI-10350 Corrected Registry User Authorization for OIDC
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 6bfc798515 NIFI-10350 Corrected Registry User Authorization for OIDC 6bfc798515 is described below commit 6bfc798515635fcf3ea2ba6e2ad29e8383556901 Author: exceptionfactory AuthorDate: Thu Aug 11 15:03:13 2022 -0500 NIFI-10350 Corrected Registry User Authorization for OIDC - Moved refresh of Registry Configuration to checkLogin functions - Refreshing Registry Configuration allows the user interface to reflect the correct status for OIDC and other authentication strategies Signed-off-by: Nathan Gough This closes #6295. --- .../login/dialogs/nf-registry-user-login.js | 10 +++--- .../services/nf-registry.auth-guard.service.js | 20 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/components/login/dialogs/nf-registry-user-login.js b/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/components/login/dialogs/nf-registry-user-login.js index 29b947529b..043937b646 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/components/login/dialogs/nf-registry-user-login.js +++ b/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/components/login/dialogs/nf-registry-user-login.js 
@@ -56,13 +56,9 @@ NfRegistryUserLogin.prototype = { var self = this; this.nfRegistryApi.postToLogin(username.value, password.value).subscribe(function (response) { if (response || response.status === 200) { -//successful login update registry config -self.nfRegistryApi.getRegistryConfig().subscribe(function (registryConfig) { -self.nfRegistryService.registry.config = registryConfig; -self.nfRegistryService.currentUser.anonymous = false; -self.dialogRef.close(); - self.nfRegistryLoginAuthGuard.checkLogin(self.nfRegistryService.redirectUrl); -}); +self.nfRegistryService.currentUser.anonymous = false; +self.dialogRef.close(); + self.nfRegistryLoginAuthGuard.checkLogin(self.nfRegistryService.redirectUrl); } }); }, diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/services/nf-registry.auth-guard.service.js b/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/services/nf-registry.auth-guard.service.js index 4300835020..962e181ae6 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/services/nf-registry.auth-guard.service.js +++ b/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/services/nf-registry.auth-guard.service.js @@ -78,6 +78,11 @@ NfRegistryUsersAdministrationAuthGuard.prototype = { // render the logout button if there is a token locally if (self.nfStorage.getItem('jwt') !== null) { self.nfRegistryService.currentUser.canLogout = true; + +// Update Registry Configuration following successful login + self.nfRegistryApi.getRegistryConfig().subscribe(function (registryConfig) { +self.nfRegistryService.registry.config = registryConfig; +}); } // redirect to explorer perspective if not admin 
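Review bot: The `getRegistryConfig()` refresh added to `checkLogin` in this hunk is repeated verbatim in the two later guards (the hunks at -201 and -303 of nf-registry.auth-guard.service.js), so the three copies can drift apart. A single shared function called from each guard keeps the post-login behaviour identical. The refresh is also asynchronous, so the admin and redirect checks that follow it appear to run before the new configuration is stored. If any of them reads `registry.config`, it should move into the callback. Each `checkLogin` starts and ends outside its hunk, so this cannot be confirmed from the diff.

```javascript
// one place for the post-login refresh instead of three copies
function refreshRegistryConfig(guard) {
    guard.nfRegistryApi.getRegistryConfig().subscribe(function (registryConfig) {
        guard.nfRegistryService.registry.config = registryConfig;
    });
}

// … unchanged: canLogout assignment in each checkLogin …
refreshRegistryConfig(self);
```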
@@ -201,6 +206,11 @@ NfRegistryWorkflowsAdministrationAuthGuard.prototype = { // render the logout button if there is a token locally if (self.nfStorage.getItem('jwt') !== null) { self.nfRegistryService.currentUser.canLogout = true; + +// Update Registry Configuration following successful login + self.nfRegistryApi.getRegistryConfig().subscribe(function (registryConfig) { +self.nfRegistryService.registry.config = registryConfig; +}); } // redirect to explorer perspective if not admin @@ -303,6 +313,11 @@ NfRegistryLoginAuthGuard.prototype = { // render the logout button if there is a token locally if (self.nfStorage.getItem('jwt') !== null) { self.nfRegistryService.currentUser.canLogout = true; + +// Update Registry Configuration following successful login
[nifi] branch main updated: NIFI-10368 Upgraded jQuery UI from 1.12.1 to 1.13.2
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 0a065538e2 NIFI-10368 Upgraded jQuery UI from 1.12.1 to 1.13.2 0a065538e2 is described below commit 0a065538e25c4d3f06df651bfd7a2e93b17e72b0 Author: exceptionfactory AuthorDate: Wed Aug 17 16:20:20 2022 -0500 NIFI-10368 Upgraded jQuery UI from 1.12.1 to 1.13.2 Signed-off-by: Nathan Gough This closes #6312. --- .../nifi-web-ui/src/main/frontend/package-lock.json | 20 +--- .../nifi-web-ui/src/main/frontend/package.json | 2 +- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json index c18f1a73da..da06a46175 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json @@ -22,7 +22,7 @@ "jquery": "3.6.0", "jquery-form": "3.50.0", "jquery-minicolors": "2.1.10", -"jquery-ui-dist": "1.12.1", +"jquery-ui-dist": "1.13.2", "JSON2": "0.1.0", "jsonlint": "1.6.3", "lodash": "4.17.21", @@ -468,9 +468,12 @@ } }, "node_modules/jquery-ui-dist": { - "version": "1.12.1", - "resolved": "https://registry.npmjs.org/jquery-ui-dist/-/jquery-ui-dist-1.12.1.tgz;, - "integrity": "sha1-XAgV08xvkP9fqvWyaKbiO0ypBPo=" + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/jquery-ui-dist/-/jquery-ui-dist-1.13.2.tgz;, + "integrity": "sha512-oVDRd1NLtTbBwpRKAYdIRgpWVDzeBhfy7Gu0RmY6JEaZtmBq6kDn1pm5SgDiAotrnDS+RoTRXO6xvcNTxA9tOA==", + "dependencies": { +"jquery": ">=1.8.0 <4.0.0" + } }, "node_modules/json-format": { "version": "1.0.1", 
@@ -1027,9 +1030,12 @@ } }, "jquery-ui-dist": { - "version": "1.12.1", - "resolved": "https://registry.npmjs.org/jquery-ui-dist/-/jquery-ui-dist-1.12.1.tgz;, - "integrity": "sha1-XAgV08xvkP9fqvWyaKbiO0ypBPo=" + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/jquery-ui-dist/-/jquery-ui-dist-1.13.2.tgz;, + "integrity": "sha512-oVDRd1NLtTbBwpRKAYdIRgpWVDzeBhfy7Gu0RmY6JEaZtmBq6kDn1pm5SgDiAotrnDS+RoTRXO6xvcNTxA9tOA==", + "requires": { +"jquery": ">=1.8.0 <4.0.0" + } }, "json-format": { "version": "1.0.1", diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package.json b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package.json index 5a7dccdb44..1fb7de320e 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package.json +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package.json @@ -35,7 +35,7 @@ "jquery": "3.6.0", "jquery-form": "3.50.0", "jquery-minicolors": "2.1.10", -"jquery-ui-dist": "1.12.1", +"jquery-ui-dist": "1.13.2", "JSON2": "0.1.0", "jsonlint": "1.6.3", "lodash": "4.17.21",
[nifi] branch main updated: NIFI-10322 Corrected Cookie path when removing Bearer Token
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 77033ec11a NIFI-10322 Corrected Cookie path when removing Bearer Token 77033ec11a is described below commit 77033ec11aa7e738aaa32e80957b4a1538923f18 Author: exceptionfactory AuthorDate: Mon Aug 8 22:57:29 2022 -0500 NIFI-10322 Corrected Cookie path when removing Bearer Token - Appended root path to Cookie path attribute when removing Bearer Tokens as part of unauthorized response handling - Updated Saml2AuthenticationSuccessHandler to follow standard Cookie path building strategy Signed-off-by: Nathan Gough This closes #6278. --- .../security/StandardAuthenticationEntryPoint.java | 4 +- .../Saml2AuthenticationSuccessHandler.java | 4 +- .../StandardAuthenticationEntryPointTest.java | 43 -- .../Saml2AuthenticationSuccessHandlerTest.java | 51 +++--- 4 files changed, 92 insertions(+), 10 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java index dbe7eea195..ebf2da74d1 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java 
@@ -45,6 +45,8 @@ public class StandardAuthenticationEntryPoint implements AuthenticationEntryPoin
 protected static final String UNAUTHORIZED = "Unauthorized";
+private static final String ROOT_PATH = "/";
+
 private static final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService();
 private final BearerTokenAuthenticationEntryPoint bearerTokenAuthenticationEntryPoint;
@@ -91,7 +93,7 @@ public class StandardAuthenticationEntryPoint implements AuthenticationEntryPoin
 private void removeAuthorizationBearerCookie(final HttpServletRequest request, final HttpServletResponse response) {
 final Optional authorizationBearer = applicationCookieService.getCookieValue(request, ApplicationCookieName.AUTHORIZATION_BEARER);
 if (authorizationBearer.isPresent()) {
-final URI uri = RequestUriBuilder.fromHttpServletRequest(request).build();
+final URI uri = RequestUriBuilder.fromHttpServletRequest(request).path(ROOT_PATH).build();
 applicationCookieService.removeCookie(uri, response, ApplicationCookieName.AUTHORIZATION_BEARER);
 }
 }
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java
index 9e3b2ce1c6..646a5e5ab6 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java
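Review bot: The literal `ROOT_PATH = "/"` passed to `.path(ROOT_PATH)` in `removeAuthorizationBearerCookie` of StandardAuthenticationEntryPoint has to stay equal to the Path attribute used when the Authorization Bearer cookie is issued, because a browser only discards a cookie when the removal response carries a matching Path; a mismatch leaves the token in the browser after the unauthorized response. The same constant is declared a second time in Saml2AuthenticationSuccessHandler by this commit, so the two copies and the code that sets the cookie (not visible here) can drift apart. I would record the dependency next to the constant, for example `// Must match the Path used when the Bearer Token cookie is set, otherwise the browser keeps the cookie`, and consider a single shared constant for both classes.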
@@ -47,6 +47,8 @@ import java.util.stream.Collectors;
 public class Saml2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
 private static final String UI_PATH = "/nifi/";
+private static final String ROOT_PATH = "/";
+
 private final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService();
 private final BearerTokenProvider bearerTokenProvider;
@@ -108,7 +110,7 @@ public class Saml2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSu
 */
 @Override
 public String determineTargetUrl(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
-final URI resourceUri = RequestUriBuilder.fromHttpServletRequest(request).build();
+final URI resourceUri = RequestUriBuilder.fromHttpServletRequest(request).path(ROOT_PATH).build();
 processAuthentication(response, authentication, resourceUri);
 final URI targetUri = RequestUriBuilder.fromHttpServletRequest(request).path(UI_PATH).build();
diff
[nifi] branch main updated: NIFI-10217 Refactored Registry Spring Security Configuration
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new a4ea92ea3b NIFI-10217 Refactored Registry Spring Security Configuration a4ea92ea3b is described below commit a4ea92ea3bc647e5afe40790fb121948d1fee2fe Author: exceptionfactory AuthorDate: Mon Jul 11 15:04:22 2022 -0500 NIFI-10217 Refactored Registry Spring Security Configuration Signed-off-by: Nathan Gough This closes #6196. --- .../web/security/NiFiRegistrySecurityConfig.java | 147 ++--- 1 file changed, 43 insertions(+), 104 deletions(-) diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java index 86f956fe6f..cfcc8a3a6c 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java +++ b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java 
@@ -33,28 +33,24 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.authentication.ProviderManager; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.http.SessionCreationPolicy; -import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; -import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import java.io.IOException; /** - * NiFi Registry Web Api Spring security + * Spring Security Filter Configuration */ @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) -public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter { +public class NiFiRegistrySecurityConfig { private static final Logger logger = LoggerFactory.getLogger(NiFiRegistrySecurityConfig.class); 
@@ -67,28 +63,32 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private Authorizer authorizer; -private final AnonymousIdentityFilter anonymousAuthenticationFilter = new AnonymousIdentityFilter(); - @Autowired private X509IdentityProvider x509IdentityProvider; -private IdentityFilter x509AuthenticationFilter; -private IdentityAuthenticationProvider x509AuthenticationProvider; @Autowired private JwtIdentityProvider jwtIdentityProvider; -private IdentityFilter jwtAuthenticationFilter; -private IdentityAuthenticationProvider jwtAuthenticationProvider; - -private ResourceAuthorizationFilter resourceAuthorizationFilter; -public NiFiRegistrySecurityConfig() { -super(true); // disable defaults -} - -@Override -protected void configure(HttpSecurity http) throws Exception { -http +@Bean +public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception { +return http +.addFilterBefore(x509AuthenticationFilter(), AnonymousAuthenticationFilter.class) +.addFilterBefore(jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class) +// Add Resource Authorization after Spring Security but before Jersey Resources +.addFilterAfter(resourceAuthorizationFilter(), FilterSecurityInterceptor.class) +.anonymous().authenticationFilter(new AnonymousIdentityFilter()).and() +.csrf().disable() +.logout().disable() .rememberMe().disable() +.requestCache().disable() +.servletApi().disable() +.securityContext().disable() +.sessionManagement
[nifi] branch main updated: NIFI-10319 - Update pom.xml
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 0fd262efca NIFI-10319 - Update pom.xml 0fd262efca is described below commit 0fd262efca33b8dea6a996fa9ac096310a94bba7 Author: UcanInfosec <107478475+ucaninfo...@users.noreply.github.com> AuthorDate: Thu Aug 4 09:20:39 2022 -0400 NIFI-10319 - Update pom.xml Signed-off-by: Nathan Gough This closes #6270. --- nifi-nar-bundles/nifi-hive-bundle/pom.xml | 2 +- .../nifi-sql-reporting-bundle/nifi-sql-reporting-tasks/pom.xml | 2 +- nifi-nar-bundles/nifi-standard-bundle/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nifi-nar-bundles/nifi-hive-bundle/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/pom.xml index 65f5f9a577..a276cf7b36 100644 --- a/nifi-nar-bundles/nifi-hive-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-hive-bundle/pom.xml @@ -113,7 +113,7 @@ 2.6.2 3.1.3 ${hive3.version} -1.27.0 +1.31.0 1.6.0 diff --git a/nifi-nar-bundles/nifi-sql-reporting-bundle/nifi-sql-reporting-tasks/pom.xml b/nifi-nar-bundles/nifi-sql-reporting-bundle/nifi-sql-reporting-tasks/pom.xml index 01726ef2b8..373b9fa4df 100644 --- a/nifi-nar-bundles/nifi-sql-reporting-bundle/nifi-sql-reporting-tasks/pom.xml +++ b/nifi-nar-bundles/nifi-sql-reporting-bundle/nifi-sql-reporting-tasks/pom.xml @@ -62,7 +62,7 @@ org.apache.calcite calcite-core -1.21.0 +1.31.0 commons-logging diff --git a/nifi-nar-bundles/nifi-standard-bundle/pom.xml b/nifi-nar-bundles/nifi-standard-bundle/pom.xml index 9251c5b466..c4f7bfd810 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-standard-bundle/pom.xml @@ -272,7 +272,7 @@ org.apache.calcite calcite-core -1.28.0 +1.31.0 log4j
[nifi] branch main updated: NIFI-10301 Aligned fluent-hc with httpclient version
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 589136ac11 NIFI-10301 Aligned fluent-hc with httpclient version 589136ac11 is described below commit 589136ac11288a1d0c0a267c08ce102e45279cfc Author: exceptionfactory AuthorDate: Fri Jul 29 14:21:06 2022 -0500 NIFI-10301 Aligned fluent-hc with httpclient version Signed-off-by: Nathan Gough This closes #6259. --- pom.xml | 11 +++ 1 file changed, 11 insertions(+) diff --git a/pom.xml b/pom.xml index 607413949e..4a09df5d86 100644 --- a/pom.xml +++ b/pom.xml @@ -249,6 +249,17 @@ httpcore ${org.apache.httpcomponents.httpcore.version} + +org.apache.httpcomponents +fluent-hc + ${org.apache.httpcomponents.httpclient.version} + + +commons-logging +commons-logging + + +
[nifi] branch main updated: NIFI-10259 Improved HTTP error handling for authentication failures
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new a661b035e8 NIFI-10259 Improved HTTP error handling for authentication failures a661b035e8 is described below commit a661b035e8903c69d63f8427d4f2f7bdaf309d89 Author: exceptionfactory AuthorDate: Thu Jul 21 17:06:41 2022 -0500 NIFI-10259 Improved HTTP error handling for authentication failures - Added Standard AuthenticationEntryPoint - Configured AuthenticationEntryPoint for SecurityFilterChain and BearerTokenAuthenticationFilter Signed-off-by: Nathan Gough This closes #6233. --- .../nifi/web/NiFiWebApiSecurityConfiguration.java | 6 +- .../security/StandardAuthenticationEntryPoint.java | 98 ++ .../JwtAuthenticationSecurityConfiguration.java| 9 ++ .../StandardAuthenticationEntryPointTest.java | 112 + 4 files changed, 222 insertions(+), 3 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java index a1b366c091..d43824d122 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java 
@@ -17,6 +17,7 @@ package org.apache.nifi.web; import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.StandardAuthenticationEntryPoint; import org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationFilter; import org.apache.nifi.web.security.csrf.CsrfCookieRequestMatcher; import org.apache.nifi.web.security.csrf.StandardCookieCsrfTokenRepository; @@ -28,7 +29,6 @@ import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2SingleL import org.apache.nifi.web.security.x509.X509AuthenticationFilter; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.http.HttpStatus; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.ProviderManager; @@ -44,7 +44,6 @@ import org.springframework.security.saml2.provider.service.web.authentication.lo import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.ExceptionTranslationFilter; import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; -import org.springframework.security.web.authentication.HttpStatusEntryPoint; import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.util.matcher.AndRequestMatcher; @@ -72,6 +71,7 @@ public class NiFiWebApiSecurityConfiguration { public SecurityFilterChain securityFilterChain( final HttpSecurity http, final NiFiProperties properties, +final StandardAuthenticationEntryPoint authenticationEntryPoint, final X509AuthenticationFilter x509AuthenticationFilter, final BearerTokenAuthenticationFilter bearerTokenAuthenticationFilter, final KnoxAuthenticationFilter knoxAuthenticationFilter, 
@@ -118,7 +118,7 @@ public class NiFiWebApiSecurityConfiguration { ) ) .exceptionHandling(exceptionHandling -> exceptionHandling -.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) +.authenticationEntryPoint(authenticationEntryPoint) ) .addFilterBefore(x509AuthenticationFilter, AnonymousAuthenticationFilter.class) .addFilterBefore(bearerTokenAuthenticationFilter, AnonymousAuthenticationFilter.class) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java new file mode 100644 index 00..dbe7eea195 --- /dev/null +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java @@ -0,0 +1,98 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under
[nifi] branch main updated: NIFI-10233 Corrected Anonymous Authentication for HTTP Access
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 047b3611bf NIFI-10233 Corrected Anonymous Authentication for HTTP Access 047b3611bf is described below commit 047b3611bf411fb0398591df73f1798020c4efab Author: exceptionfactory AuthorDate: Thu Jul 14 16:17:28 2022 -0500 NIFI-10233 Corrected Anonymous Authentication for HTTP Access - Enabled Standard Anonymous Authentication Filter when unencrypted HTTP is enabled Signed-off-by: Nathan Gough This closes #6209. --- .../src/main/java/org/apache/nifi/util/NiFiProperties.java | 9 + .../org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java index e620475c79..ec6385fe6c 100644 --- a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java +++ b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java @@ -696,6 +696,15 @@ public class NiFiProperties extends ApplicationProperties { return sslPort; } +/** + * Is HTTP without TLS enabled based on configuring nifi.web.http.port property + * + * @return HTTP enabled status + */ +public boolean isHttpEnabled() { +return getPort() != null; +} + public boolean isHTTPSConfigured() { return getSslPort() != null; } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java index 53f7be935c..a1b366c091 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@@ -128,7 +128,7 @@ public class NiFiWebApiSecurityConfiguration {
 http.addFilterBefore(knoxAuthenticationFilter, AnonymousAuthenticationFilter.class);
 }
-if (properties.isAnonymousAuthenticationAllowed()) {
+if (properties.isAnonymousAuthenticationAllowed() || properties.isHttpEnabled()) {
 http.addFilterAfter(anonymousAuthenticationFilter, AnonymousAuthenticationFilter.class);
 }
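Review bot: The new condition `properties.isAnonymousAuthenticationAllowed() || properties.isHttpEnabled()` registers the anonymous filter whenever the HTTP port property is set, without checking whether HTTPS is configured as well. If a configuration with both ports set can reach this code (any validation that rules it out is not visible here), requests arriving over TLS would also receive anonymous authentication even though `isAnonymousAuthenticationAllowed()` is false. Making the intent explicit with `if (properties.isAnonymousAuthenticationAllowed() || (properties.isHttpEnabled() && !properties.isHTTPSConfigured())) {`, or with a comment stating that HTTP and HTTPS are mutually exclusive, would close that gap. The enclosing securityFilterChain method starts and ends outside the hunk.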
[nifi] branch main updated: NIFI-10216 Refactored NiFi Web API Security Configuration
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new a9b5bebb15 NIFI-10216 Refactored NiFi Web API Security Configuration a9b5bebb15 is described below commit a9b5bebb1545bfd555abaac43421309fa3d5f0be Author: exceptionfactory AuthorDate: Wed Apr 20 10:11:52 2022 -0500 NIFI-10216 Refactored NiFi Web API Security Configuration - Removed extension of deprecated WebSecurityConfigurerAdapter - Moved Filter bean configuration associated configuration classes - Set default Spring Security log level to INFO - Adjusted CSRF Token Repository to leverage simplified RequestUriBuilder for retrieving allowed context paths Signed-off-by: Nathan Gough This closes #6195 --- .../java/org/apache/nifi/web/util/WebUtils.java| 2 +- .../src/main/resources/conf/logback.xml| 4 +- .../nifi/web/NiFiWebApiSecurityConfiguration.java | 302 ++--- .../web/security/NiFiAuthenticationProvider.java | 12 +- .../NiFiAnonymousAuthenticationFilter.java | 5 - .../AuthenticationSecurityConfiguration.java | 10 + .../JwtAuthenticationSecurityConfiguration.java| 17 ++ .../KnoxAuthenticationSecurityConfiguration.java | 10 + .../X509AuthenticationSecurityConfiguration.java | 12 + .../csrf/StandardCookieCsrfTokenRepository.java| 15 +- .../StandardCookieCsrfTokenRepositoryTest.java | 19 +- 11 files changed, 147 insertions(+), 261 deletions(-) diff --git a/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/WebUtils.java b/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/WebUtils.java index fc1fc08487..024570b140 100644 --- a/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/WebUtils.java +++ b/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/WebUtils.java 
@@ -128,7 +128,7 @@ public final class WebUtils { // Check it against the allowed list if (!allowedContextPaths.contains(determinedContextPath)) { -final String msg = "The provided context path [" + determinedContextPath + "] was not registered as allowed [" + allowedContextPaths + "]"; +final String msg = "The provided context path [" + determinedContextPath + "] was not registered as allowed " + allowedContextPaths; throw new UriBuilderException(msg); } } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/logback.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/logback.xml index fe60fbf6e7..507bbdd38f 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/logback.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/logback.xml @@ -128,6 +128,7 @@ + @@ -173,9 +174,6 @@ - - - diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java index 129435dce8..53f7be935c 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java 
@@ -18,115 +18,119 @@ package org.apache.nifi.web; import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationFilter; -import org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationProvider; import org.apache.nifi.web.security.csrf.CsrfCookieRequestMatcher; import org.apache.nifi.web.security.csrf.StandardCookieCsrfTokenRepository; -import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider; -import org.apache.nifi.web.security.jwt.resolver.StandardBearerTokenResolver; import org.apache.nifi.web.security.knox.KnoxAuthenticationFilter; -import org.apache.nifi.web.security.knox.KnoxAuthenticationProvider; import org.apache.nifi.web.security.log.AuthenticationUserFilter; import org.apache.nifi.web.security.oidc.OIDCEndpoints; import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2LocalLogoutFilter; import org.apache.nifi.web.security.saml2.web.authentication.logout.Saml2SingleLogoutFilter; import org.apache.nifi.web.security.x509.X509Authenticatio
[nifi] branch main updated: NIFI-10163 - Corrected StandardProcessSession.exportTo() byte counting - Removed bytesWritten incrementing from exportTo methods
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 943197c18b NIFI-10163 - Corrected StandardProcessSession.exportTo() byte counting - Removed bytesWritten incrementing from exportTo methods 943197c18b is described below commit 943197c18b3b0ae3f3eb6c2dcf396a95c2389506 Author: exceptionfactory AuthorDate: Thu Jun 23 15:26:07 2022 -0500 NIFI-10163 - Corrected StandardProcessSession.exportTo() byte counting - Removed bytesWritten incrementing from exportTo methods Signed-off-by: Nathan Gough This closes #6153. --- .../repository/StandardProcessSession.java | 3 +- .../repository/StandardProcessSessionTest.java | 167 + 2 files changed, 169 insertions(+), 1 deletion(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/controller/repository/StandardProcessSession.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/controller/repository/StandardProcessSession.java index e969d029e1..5c99617e7d 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/controller/repository/StandardProcessSession.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/controller/repository/StandardProcessSession.java 
@@ -3611,7 +3611,6 @@ public class StandardProcessSession implements ProcessSession, ProvenanceEventEn
 claimCache.flush(record.getCurrentClaim());
 final long copyCount = context.getContentRepository().exportTo(record.getCurrentClaim(), destination, append, record.getCurrentClaimOffset(), source.getSize());
 bytesRead += copyCount;
-bytesWritten += copyCount;
 } catch (final ContentNotFoundException nfe) {
 handleContentNotFound(nfe, record);
 } catch (final Throwable t) {
@@ -3657,6 +3656,8 @@ public class StandardProcessSession implements ProcessSession, ProvenanceEventEn
 throw cnfe;
 } finally {
 decrementReadCount(source);
+final long streamBytesRead = countingStream.getBytesRead();
+bytesRead += streamBytesRead;
 // if cnfeThrown is true, we don't need to re-throw the Exception; it will propagate.
 if (!cnfeThrown && ffais.getContentNotFoundException() != null) {
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/controller/repository/StandardProcessSessionTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/controller/repository/StandardProcessSessionTest.java
new file mode 100644
index 00..a7c6b921d3
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/controller/repository/StandardProcessSessionTest.java
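Review bot: The added `bytesRead += streamBytesRead;` sits in the `finally` block of the second hunk, so it also runs when the export throws, and nothing in the code says that counting a partial read is intended. A short comment such as `// count bytes consumed from the content stream even when the export fails part-way` would keep a later change from moving it back into the try body. The temporary is only used once and could be folded into `bytesRead += countingStream.getBytesRead();`. The enclosing method starts and ends outside the hunk, so where `countingStream` is assigned is not visible; if that happens inside the `try`, the `finally` block needs a null guard.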
@@ -0,0 +1,167 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.controller.repository; + +import org.apache.nifi.connectable.Connectable; +import org.apache.nifi.controller.lifecycle.TaskTermination; +import org.apache.nifi.controller.repository.claim.ContentClaim; +import org.apache.nifi.controller.repository.claim.ContentClaimWriteCache; +import org.apache.nifi.flowfile.FlowFile; +import org.apache.nifi.processor.ProcessSession; +import org.apache.nifi.provenance.InternalProvenanceReporter; +import org.apache.nifi.provenance.ProvenanceRepository; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; + +import
[nifi] branch main updated (7a47c8cfbd -> 0458b6432d)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git from 7a47c8cfbd NIFI-10162 Reorganized InvokeHTTP Properties add 0458b6432d NIFI-10158 Corrected ListFTP expression support for Hostname and Port No new revisions were added by this update. Summary of changes: .../standard/ftp/StandardFTPClientProvider.java| 13 +++-- .../apache/nifi/processors/standard/TestFTP.java | 55 -- 2 files changed, 50 insertions(+), 18 deletions(-)
[nifi] branch main updated: NIFI-10100 Upgraded Jersey to 2.35
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new bd45eb4995 NIFI-10100 Upgraded Jersey to 2.35 bd45eb4995 is described below commit bd45eb4995ad661f5b524e08bb0f6785cf0cdfb0 Author: exceptionfactory AuthorDate: Tue Jun 7 12:30:31 2022 -0500 NIFI-10100 Upgraded Jersey to 2.35 - Replaced individual version references with Jersey BOM dependency Signed-off-by: Nathan Gough This closes #6106. --- minifi/minifi-c2/minifi-c2-assembly/pom.xml| 6 +-- minifi/minifi-c2/minifi-c2-jetty/pom.xml | 2 +- minifi/minifi-c2/minifi-c2-service/pom.xml | 1 - minifi/minifi-c2/pom.xml | 12 -- minifi/pom.xml | 16 nifi-commons/nifi-web-utils/pom.xml| 16 nifi-nar-bundles/nifi-ambari-bundle/pom.xml| 10 - .../nifi-confluent-schema-registry-service/pom.xml | 2 - nifi-nar-bundles/nifi-datadog-bundle/pom.xml | 5 --- .../nifi-framework-nar/pom.xml | 1 - .../nifi-framework/nifi-web/nifi-jetty/pom.xml | 4 +- .../nifi-framework/nifi-web/nifi-web-api/pom.xml | 2 +- nifi-nar-bundles/nifi-framework-bundle/pom.xml | 44 -- .../nifi-yandex-processors/pom.xml | 3 -- .../nifi-site-to-site-reporting-bundle/pom.xml | 5 --- nifi-nar-bundles/nifi-standard-bundle/pom.xml | 21 --- .../nifi-hwx-schema-registry-service/pom.xml | 4 -- .../nifi-update-attribute-ui/pom.xml | 17 - .../nifi-registry-client/pom.xml | 5 --- nifi-registry/nifi-registry-core/pom.xml | 5 --- .../nifi-stateless-engine/pom.xml | 1 - nifi-stateless/pom.xml | 5 --- nifi-system-tests/nifi-system-test-suite/pom.xml | 1 - nifi-toolkit/nifi-toolkit-admin/pom.xml| 3 -- nifi-toolkit/nifi-toolkit-cli/pom.xml | 2 - nifi-toolkit/nifi-toolkit-tls/pom.xml | 2 - pom.xml| 16 +++- 27 files changed, 19 insertions(+), 192 deletions(-) diff --git a/minifi/minifi-c2/minifi-c2-assembly/pom.xml b/minifi/minifi-c2/minifi-c2-assembly/pom.xml index 148a6efe7b..957fa9146b 100644 
--- a/minifi/minifi-c2/minifi-c2-assembly/pom.xml +++ b/minifi/minifi-c2/minifi-c2-assembly/pom.xml @@ -139,23 +139,19 @@ limitations under the License. org.glassfish.jersey.ext -jersey-spring4 -${jersey.version} +jersey-spring5 org.glassfish.jersey.containers jersey-container-jetty-http -${jersey.version} org.glassfish.jersey.containers jersey-container-servlet -${jersey.version} org.glassfish.jersey.core jersey-client -${jersey.version} org.slf4j diff --git a/minifi/minifi-c2/minifi-c2-jetty/pom.xml b/minifi/minifi-c2/minifi-c2-jetty/pom.xml index d5cbf8ff03..acf1fd5ca3 100644 --- a/minifi/minifi-c2/minifi-c2-jetty/pom.xml +++ b/minifi/minifi-c2/minifi-c2-jetty/pom.xml @@ -33,7 +33,7 @@ limitations under the License. org.glassfish.jersey.ext -jersey-spring4 +jersey-spring5 org.glassfish.jersey.containers diff --git a/minifi/minifi-c2/minifi-c2-service/pom.xml b/minifi/minifi-c2/minifi-c2-service/pom.xml index 97de3fb79e..a8e4a4bae1 100644 --- a/minifi/minifi-c2/minifi-c2-service/pom.xml +++ b/minifi/minifi-c2/minifi-c2-service/pom.xml @@ -111,7 +111,6 @@ limitations under the License. org.glassfish.jersey.core jersey-server -${jersey.version} provided diff --git a/minifi/minifi-c2/pom.xml b/minifi/minifi-c2/pom.xml index 416d0cece4..a92ab7351c 100644 --- a/minifi/minifi-c2/pom.xml +++ b/minifi/minifi-c2/pom.xml @@ -35,16 +35,4 @@ limitations under the License. minifi-c2-docker minifi-c2-integration-tests - - - - -org.glassfish.jersey -jersey-bom -${jersey.version} -pom -import - - - diff --git a/minifi/pom.xml b/minifi/pom.xml index 796d4003a7..583fc40f4f 100644 --- a/minifi/pom.xml +++ b/minifi/pom.xml @@ -40,7 +40,6 @@ limitations under the License. minifi-integration-tests -2.29 1.19.0 1.11.172 2.2.0 @@ -764,21 +763,6 @@ limitations under the License. org.apache.avro avro
svn commit: r1901946 - /nifi/site/trunk/security.html
Author: thenatog Date: Wed Jun 15 16:04:25 2022 New Revision: 1901946 URL: http://svn.apache.org/viewvc?rev=1901946=rev Log: NIFI-10113 - Fixed mitigation on NiFi security page. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901946=1901945=1901946=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Jun 15 16:04:25 2022 
@@ -174,15 +174,20 @@ CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider Severity: High -Products Affected: Apache NiFi, Apache NiFi Registry +Products Affected: + +Apache NiFi +Apache NiFi Registry + Versions Affected: -This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command. -Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments. Credit: This issue was discovered by an anonymous reporter CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114
[nifi-site] branch main updated: NIFI-10113 - Fixed mitigation on NiFi security page.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 9452fa7 NIFI-10113 - Fixed mitigation on NiFi security page. 9452fa7 is described below commit 9452fa75f6247b1283fe70083442ff7f3538d8a8 Author: Nathan Gough AuthorDate: Wed Jun 15 11:40:40 2022 -0400 NIFI-10113 - Fixed mitigation on NiFi security page. --- src/pages/html/security.hbs | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 5c3293c..fc419a6 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -68,15 +68,20 @@ title: Apache NiFi Security Reports CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider Severity: High -Products Affected: Apache NiFi, Apache NiFi Registry +Products Affected: + +Apache NiFi +Apache NiFi Registry + Versions Affected: -This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user gr [...] -Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments. Credit: This issue was discovered by an anonymous reporter CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114
svn commit: r1901943 - in /nifi/site/trunk: people.html security.html
Author: thenatog Date: Wed Jun 15 15:20:48 2022 New Revision: 1901943 URL: http://svn.apache.org/viewvc?rev=1901943=rev Log: NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140 Modified: nifi/site/trunk/people.html nifi/site/trunk/security.html Modified: nifi/site/trunk/people.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/people.html?rev=1901943=1901942=1901943=diff == --- nifi/site/trunk/people.html (original) +++ nifi/site/trunk/people.html Wed Jun 15 15:20:48 2022 @@ -435,6 +435,11 @@ Martin Zink + +bsimon +Bence Simon + + Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901943=1901942=1901943=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Jun 15 15:20:48 2022 
@@ -161,6 +161,38 @@ +Fixed in Apache NiFi 1.16.3 + + + + + +Vulnerabilities + + + + +CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider +Severity: High +Products Affected: Apache NiFi, Apache NiFi Registry +Versions Affected: + +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. + + +Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. +The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command. +Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Credit: This issue was discovered by an anonymous reporter +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114 +NiFi PR: https://github.com/apache/nifi/pull/6122; target="_blank">PR 6122 +Released: June 15, 2022 + + + + + Fixed in Apache NiFi 1.16.1
[nifi-site] branch main updated: NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 7293db3 NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140 7293db3 is described below commit 7293db3394e7c9f8f7604ce16c35f72558aa7c1f Author: Nathan Gough AuthorDate: Wed Jun 15 11:17:30 2022 -0400 NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140 --- src/pages/html/security.hbs | 32 1 file changed, 32 insertions(+) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index c0d1ae3..5c3293c 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -53,6 +53,38 @@ title: Apache NiFi Security Reports + + +Fixed in Apache NiFi 1.16.3 + + + + + +Vulnerabilities + + + + +CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider +Severity: High +Products Affected: Apache NiFi, Apache NiFi Registry +Versions Affected: + +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. + + +Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. +The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user gr [...] +Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Credit: This issue was discovered by an anonymous reporter +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114 +NiFi PR: https://github.com/apache/nifi/pull/6122; target="_blank">PR 6122 +Released: June 15, 2022 + + + Fixed in Apache NiFi 1.16.1
svn commit: r1901791 - /nifi/site/trunk/registry-security.html
Author: thenatog Date: Thu Jun 9 21:05:34 2022 New Revision: 1901791 URL: http://svn.apache.org/viewvc?rev=1901791=rev Log: Corrected error on NiFi Registry security page Modified: nifi/site/trunk/registry-security.html Modified: nifi/site/trunk/registry-security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/registry-security.html?rev=1901791=1901790=1901791=diff == --- nifi/site/trunk/registry-security.html (original) +++ nifi/site/trunk/registry-security.html Thu Jun 9 21:05:34 2022 @@ -171,8 +171,8 @@ Description: If NiFi Registry uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. Mitigation: The fix to invalidate the server-side authentication token immediately after the user clicks 'Log Out' was applied in the Apache NiFi Registry 0.6.0 release. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9482; target="_blank">Mitre Database: CVE-2020-9482 -NiFi Registry Jira: https://issues.apache.org/jira/browse/NIFIREG-387; target="_blank">NIFIREG-387 -NiFi Registry PR: https://github.com/apache/nifi-registry/pull/277; target="_blank">PR 277 +NiFi Registry Jira: https://issues.apache.org/jira/browse/NIFIREG-361; target="_blank">NIFIREG-361 +NiFi Registry PR: https://github.com/apache/nifi-registry/pull/259; target="_blank">PR 259 Released: April 7, 2020
[nifi-site] branch main updated: NIFIREG-361 - Fixed error on registry security page.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new c113b6b NIFIREG-361 - Fixed error on registry security page. c113b6b is described below commit c113b6b2738c524a9dde72a61c26a164e6b0262f Author: Nathan Gough AuthorDate: Thu Jun 9 17:00:58 2022 -0400 NIFIREG-361 - Fixed error on registry security page. --- src/pages/html/registry-security.hbs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/html/registry-security.hbs b/src/pages/html/registry-security.hbs index ed4db49..449012c 100644 --- a/src/pages/html/registry-security.hbs +++ b/src/pages/html/registry-security.hbs @@ -65,8 +65,8 @@ title: Apache NiFi Registry Security Reports Description: If NiFi Registry uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. Mitigation: The fix to invalidate the server-side authentication token immediately after the user clicks 'Log Out' was applied in the Apache NiFi Registry 0.6.0 release. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9482; target="_blank">Mitre Database: CVE-2020-9482 -NiFi Registry Jira: https://issues.apache.org/jira/browse/NIFIREG-387; target="_blank">NIFIREG-387 -NiFi Registry PR: https://github.com/apache/nifi-registry/pull/277; target="_blank">PR 277 +NiFi Registry Jira: https://issues.apache.org/jira/browse/NIFIREG-361; target="_blank">NIFIREG-361 +NiFi Registry PR: https://github.com/apache/nifi-registry/pull/259; target="_blank">PR 259 Released: April 7, 2020
[nifi] branch main updated: NIFI-10088 Set SSH Transport Timeout using SFTP Data Timeout property
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 4aa0d31d9f NIFI-10088 Set SSH Transport Timeout using SFTP Data Timeout property 4aa0d31d9f is described below commit 4aa0d31d9f43848714463eda2c4d3539825b73d6 Author: exceptionfactory AuthorDate: Fri Jun 3 10:50:42 2022 -0500 NIFI-10088 Set SSH Transport Timeout using SFTP Data Timeout property Signed-off-by: Nathan Gough This closes #6097. --- .../nifi/processors/standard/ssh/StandardSSHClientProvider.java| 7 +++ 1 file changed, 7 insertions(+) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHClientProvider.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHClientProvider.java index 2924934a4a..1a612c9292 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHClientProvider.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ssh/StandardSSHClientProvider.java @@ -20,6 +20,7 @@ import net.schmizz.keepalive.KeepAlive; import net.schmizz.sshj.Config; import net.schmizz.sshj.SSHClient; import net.schmizz.sshj.connection.Connection; +import net.schmizz.sshj.transport.Transport; import net.schmizz.sshj.transport.TransportException; import net.schmizz.sshj.transport.verification.PromiscuousVerifier; import net.schmizz.sshj.userauth.keyprovider.KeyFormat; 
@@ -146,6 +147,12 @@ public class StandardSSHClientProvider implements SSHClientProvider { final int dataTimeout = context.getProperty(DATA_TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS).intValue(); client.setTimeout(dataTimeout); +// Set Transport and Connection timeouts using Socket Data Timeout property +final Transport transport = client.getTransport(); +transport.setTimeoutMs(dataTimeout); +final Connection connection = client.getConnection(); +connection.setTimeoutMs(dataTimeout); + final boolean strictHostKeyChecking = context.getProperty(STRICT_HOST_KEY_CHECKING).asBoolean(); final String hostKeyFilePath = context.getProperty(HOST_KEY_FILE).getValue(); if (StringUtils.isNotBlank(hostKeyFilePath)) {
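Review bot: The transport and connection timeouts added here reuse `dataTimeout`, which the context line above narrows with `asTimePeriod(TimeUnit.MILLISECONDS).intValue()`, so a Data Timeout above roughly 24.8 days would wrap silently and the wrapped value now reaches three setters instead of one. Unless the property validator already bounds the value (not visible in this hunk), `final int dataTimeout = Math.toIntExact(context.getProperty(DATA_TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS));` would make a misconfiguration fail loudly rather than leave SSH reads with an unintended limit. The new comment refers to the "Socket Data Timeout property" while the commit title calls it the SFTP Data Timeout property; `// Apply Data Timeout to the SSH Transport and Connection layers in addition to the socket` would state what the lines add. The enclosing method starts and ends outside the hunk.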
[nifi] branch main updated: NIFI-10079 Upgraded ZooKeeper from 3.5.9 to 3.8.0
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 1342ea7025 NIFI-10079 Upgraded ZooKeeper from 3.5.9 to 3.8.0 1342ea7025 is described below commit 1342ea70250840f1543d11a8e0d62c58590f049d Author: exceptionfactory AuthorDate: Thu Jun 2 16:43:01 2022 -0500 NIFI-10079 Upgraded ZooKeeper from 3.5.9 to 3.8.0 Signed-off-by: Nathan Gough This closes #6096. --- nifi-external/nifi-spark-receiver/pom.xml | 3 --- .../nifi-framework/nifi-framework-core/pom.xml | 10 ++ .../nifi/controller/state/server/ZooKeeperStateServer.java | 6 -- .../nifi/leader/election/ITSecureClientZooKeeperFactory.java | 2 +- nifi-nar-bundles/nifi-framework-bundle/pom.xml | 7 ++- nifi-nar-bundles/nifi-hive-bundle/pom.xml | 1 - nifi-nar-bundles/nifi-ranger-bundle/pom.xml| 4 nifi-nar-bundles/nifi-spark-bundle/pom.xml | 4 .../nifi-hbase_1_1_2-client-service-bundle/pom.xml | 1 - .../nifi-hbase_2-client-service-bundle/pom.xml | 1 - .../nifi-registry-extensions/nifi-registry-ranger/pom.xml | 4 nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml | 1 - pom.xml| 1 + 13 files changed, 22 insertions(+), 23 deletions(-) diff --git a/nifi-external/nifi-spark-receiver/pom.xml b/nifi-external/nifi-spark-receiver/pom.xml index ddf3cf008c..531fa13582 100644 --- a/nifi-external/nifi-spark-receiver/pom.xml +++ b/nifi-external/nifi-spark-receiver/pom.xml @@ -22,9 +22,6 @@ org.apache.nifi nifi-spark-receiver - -3.5.9 - diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml index d06bfeb8f6..a3aaa8cf27 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml 
@@ -175,6 +175,16 @@ nifi-flowfile-repo-serialization 1.17.0-SNAPSHOT + + +io.dropwizard.metrics +metrics-core + + + +org.xerial.snappy +snappy-java + org.apache.zookeeper zookeeper diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java index 4caf58d213..f19e12ef5d 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/server/ZooKeeperStateServer.java @@ -118,7 +118,8 @@ public class ZooKeeperStateServer extends ZooKeeperServerMain { embeddedZkServer.setMaxSessionTimeout(config.getMaxSessionTimeout()); connectionFactory = ServerCnxnFactory.createFactory(); -connectionFactory.configure(getAvailableSocketAddress(config), config.getMaxClientCnxns(), quorumPeerConfig.isSslQuorum()); +final int listenBacklog = quorumPeerConfig.getClientPortListenBacklog(); +connectionFactory.configure(getAvailableSocketAddress(config), config.getMaxClientCnxns(), listenBacklog, quorumPeerConfig.isSslQuorum()); connectionFactory.startup(embeddedZkServer); } catch (InterruptedException e) { Thread.currentThread().interrupt(); 
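Review bot: In the ZooKeeperStateServer hunk at new line 118 the listen backlog is read from `quorumPeerConfig`, while the address and `getMaxClientCnxns()` on the same `configure` call come from `config`. ZooKeeper's `ServerConfig` also exposes the backlog, so `final int listenBacklog = config.getClientPortListenBacklog();` would keep that call on a single source of settings, assuming `config` is the ServerConfig populated from `quorumPeerConfig` (its construction is outside the hunk). The same two lines recur in the hunk at new line 137 for the quorum path, where reading from `quorumPeerConfig` is consistent. Both new calls still pass `quorumPeerConfig.isSslQuorum()` as the final argument, which as far as I can tell selects a secure client listener in `ServerCnxnFactory.configure`; a comment such as `// client listener uses TLS whenever quorum TLS is enabled` would record that this coupling is intended. Both enclosing methods start and end outside the hunks.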
@@ -136,7 +137,8 @@ public class ZooKeeperStateServer extends ZooKeeperServerMain { try { transactionLog = new FileTxnSnapLog(quorumPeerConfig.getDataLogDir(), quorumPeerConfig.getDataDir()); connectionFactory = ServerCnxnFactory.createFactory(); - connectionFactory.configure(getAvailableSocketAddress(quorumPeerConfig), quorumPeerConfig.getMaxClientCnxns(), quorumPeerConfig.isSslQuorum()); +final int listenBacklog = quorumPeerConfig.getClientPortListenBacklog(); + connectionFactory.configure(getAvailableSocketAddress(quorumPeerConfig), quorumPeerConfig.getMaxClientCnxns(), listenBacklog, quorumPeerConfig.isSslQuorum()); quorumPeer = new QuorumPeer(); diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test
[nifi] branch main updated: NIFI-3869 Added HTTP/2 support to ListenHTTP and HandleHttpRequest
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new e0976f42d3 NIFI-3869 Added HTTP/2 support to ListenHTTP and HandleHttpRequest e0976f42d3 is described below commit e0976f42d33d151035d7bd8207342afb53d12745 Author: exceptionfactory AuthorDate: Fri May 13 13:27:05 2022 -0500 NIFI-3869 Added HTTP/2 support to ListenHTTP and HandleHttpRequest Signed-off-by: Nathan Gough This closes #6048. --- nifi-commons/nifi-jetty-configuration/pom.xml | 39 + .../connector/ApplicationLayerProtocol.java| 36 .../connector/ServerConnectorFactory.java | 31 .../connector/StandardServerConnectorFactory.java | 193 + .../alpn/ALPNServerConnectionFactory.java | 64 +++ .../connector/alpn/StandardALPNProcessor.java | 123 + .../StandardServerConnectorFactoryTest.java| 172 ++ nifi-commons/pom.xml | 1 + nifi-nar-bundles/nifi-jetty-bundle/pom.xml | 10 ++ .../nifi-standard-processors/pom.xml | 13 ++ .../processors/standard/HandleHttpRequest.java | 99 +++ .../processors/standard/HandleHttpResponse.java| 1 - .../nifi/processors/standard/ListenHTTP.java | 86 - .../standard/http/HttpProtocolStrategy.java| 68 .../nifi/processors/standard/TestListenHTTP.java | 10 +- pom.xml| 13 ++ 16 files changed, 835 insertions(+), 124 deletions(-) diff --git a/nifi-commons/nifi-jetty-configuration/pom.xml b/nifi-commons/nifi-jetty-configuration/pom.xml new file mode 100644 index 00..8d8e2e7390 --- /dev/null +++ b/nifi-commons/nifi-jetty-configuration/pom.xml 
@@ -0,0 +1,39 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd;> +4.0.0 + +org.apache.nifi +nifi-commons +1.17.0-SNAPSHOT + +nifi-jetty-configuration +jar + + +org.eclipse.jetty +jetty-server + + +org.eclipse.jetty.http2 +http2-server + + +org.eclipse.jetty +jetty-alpn-server + + + diff --git a/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/ApplicationLayerProtocol.java b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/ApplicationLayerProtocol.java new file mode 100644 index 00..9561d75471 --- /dev/null +++ b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/ApplicationLayerProtocol.java 
@@ -0,0 +1,36 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.jetty.configuration.connector; + +/** + * Application Layer Protocols supported for Server Connectors + */ +public enum ApplicationLayerProtocol { +HTTP_1_1("http/1.1"), + +H2("h2"); + +private String protocol; + +ApplicationLayerProtocol(final String protocol) { +this.protocol = protocol; +} + +public String getProtocol() { +return protocol; +} +} diff --git a/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/ServerConnectorFactory.java b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/ServerConnectorFactory.java new file mode 100644 index 00..20440d2055 --- /dev/null +++ b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/ServerConnectorFactory.java @@ -0,0 +1,31 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for
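Review bot: The `protocol` field of the new `ApplicationLayerProtocol` enum is declared `private String protocol;` although it is only assigned in the constructor. Enum constants are shared across all threads that build server connectors, so the field should be `private final String protocol;` to make the immutability explicit. The constants would also benefit from a one-line Javadoc each, for example `/** HTTP/1.1 identifier used in TLS Application-Layer Protocol Negotiation */` on `HTTP_1_1` and the equivalent on `H2`, since the class comment does not say that the strings are ALPN identifiers.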
[nifi] branch main updated: NIFI-9995 Replaced Custom Filters with Spring Security HeaderWriter
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new ea75a0a996 NIFI-9995 Replaced Custom Filters with Spring Security HeaderWriter ea75a0a996 is described below commit ea75a0a996ad937dcf501ab1dda8411b93d2f093 Author: exceptionfactory AuthorDate: Fri May 6 08:18:52 2022 -0500 NIFI-9995 Replaced Custom Filters with Spring Security HeaderWriter Signed-off-by: Nathan Gough This closes #6020. --- .../filter/StandardRequestFilterProvider.java | 38 +++-- .../filter/RestApiRequestFilterProviderTest.java | 10 +- .../filter/StandardRequestFilterProviderTest.java | 12 +- .../headers/ContentSecurityPolicyFilter.java | 57 .../headers/StrictTransportSecurityFilter.java | 58 .../headers/XContentTypeOptionsFilter.java | 58 .../web/security/headers/XFrameOptionsFilter.java | 58 .../web/security/headers/XSSProtectionFilter.java | 58 .../security/headers/HTTPHeaderFiltersTest.java| 160 - 9 files changed, 31 insertions(+), 478 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java index eab2f70815..f8f8aaea59 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java 
@@ -20,18 +20,21 @@ import org.apache.commons.lang3.StringUtils; import org.apache.nifi.processor.DataUnit; import org.apache.nifi.util.FormatUtils; import org.apache.nifi.util.NiFiProperties; -import org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter; -import org.apache.nifi.web.security.headers.StrictTransportSecurityFilter; -import org.apache.nifi.web.security.headers.XContentTypeOptionsFilter; -import org.apache.nifi.web.security.headers.XFrameOptionsFilter; -import org.apache.nifi.web.security.headers.XSSProtectionFilter; import org.apache.nifi.web.security.requests.ContentLengthFilter; import org.apache.nifi.web.server.log.RequestAuthenticationFilter; import org.eclipse.jetty.servlet.FilterHolder; import org.eclipse.jetty.servlets.DoSFilter; +import org.springframework.security.web.header.HeaderWriter; +import org.springframework.security.web.header.HeaderWriterFilter; +import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter; +import org.springframework.security.web.header.writers.HstsHeaderWriter; +import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter; +import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter; +import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter; import javax.servlet.Filter; import java.util.ArrayList; +import java.util.Arrays; import java.util.List; import java.util.Objects; import java.util.concurrent.TimeUnit; @@ -42,6 +45,8 @@ import java.util.concurrent.TimeUnit; public class StandardRequestFilterProvider implements RequestFilterProvider { private static final int MAX_CONTENT_SIZE_DISABLED = 0; +private static final String STANDARD_CONTENT_POLICY = "frame-ancestors 'self'"; + /** * Get Filters using provided NiFi Properties * 
@@ -54,13 +59,9 @@ public class StandardRequestFilterProvider implements RequestFilterProvider { final List filters = new ArrayList<>(); -filters.add(getFilterHolder(XFrameOptionsFilter.class)); -filters.add(getFilterHolder(ContentSecurityPolicyFilter.class)); -filters.add(getFilterHolder(XSSProtectionFilter.class)); -filters.add(getFilterHolder(XContentTypeOptionsFilter.class)); +filters.add(getHeaderWriterFilter()); if (properties.isHTTPSConfigured()) { -filters.add(getFilterHolder(StrictTransportSecurityFilter.class)); filters.add(getFilterHolder(RequestAuthenticationFilter.class)); } @@ -92,6 +93,21 @@ public class StandardRequestFilterProvider implements RequestFilterProvider { return filter; } +private FilterHolder getHeaderWriterFilter() { +final List headerWriters = Arrays.asList( +new ContentSecurityPolicyHeaderWriter(STANDARD_CONTENT_POLICY), +new HstsHeaderWriter(), +new XContentTypeOptionsHeaderWriter(), +
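Review bot: The hunk at new line 59 removes the `properties.isHTTPSConfigured()` guard that used to control the Strict-Transport-Security filter, and the replacement list in the following hunk (cut off in this view) constructs `new HstsHeaderWriter()` unconditionally. HSTS therefore now depends on that writer's default request matcher, which to my knowledge writes the header only when the request is secure. A comment next to the list, such as `// HstsHeaderWriter default matcher limits Strict-Transport-Security to secure requests`, would record why the explicit HTTPS check could go. The diffstat also shows HTTPHeaderFiltersTest deleted with only small changes to the provider tests; if those check filter registration only, the emitted header names and values (including the HSTS max-age and includeSubDomains defaults, which may differ from the removed filter) are no longer asserted anywhere.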
[nifi] branch main updated: NIFI-9988 Corrected Property Decryption for Authorizers and Providers
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 272325cb4e NIFI-9988 Corrected Property Decryption for Authorizers and Providers 272325cb4e is described below commit 272325cb4ed00682d4d1471ccda8e670f3ef504e Author: exceptionfactory AuthorDate: Wed May 4 12:48:34 2022 -0500 NIFI-9988 Corrected Property Decryption for Authorizers and Providers - Updated Protection Scheme Resolver to support both Name matching and Path matching Signed-off-by: Nathan Gough This closes #6017. --- .../nifi/properties/scheme/StandardProtectionSchemeResolver.java | 4 +++- .../properties/scheme/StandardProtectionSchemeResolverTest.java | 9 + 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/nifi-commons/nifi-property-protection-factory/src/main/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolver.java b/nifi-commons/nifi-property-protection-factory/src/main/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolver.java index 0c797b3b93..44557963e4 100644 --- a/nifi-commons/nifi-property-protection-factory/src/main/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolver.java +++ b/nifi-commons/nifi-property-protection-factory/src/main/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolver.java 
@@ -37,7 +37,9 @@ public class StandardProtectionSchemeResolver implements ProtectionSchemeResolve public ProtectionScheme getProtectionScheme(final String scheme) { Objects.requireNonNull(scheme, "Scheme required"); return Arrays.stream(PropertyProtectionScheme.values()) -.filter(propertyProtectionScheme -> propertyProtectionScheme.name().equals(scheme)) +.filter(propertyProtectionScheme -> +propertyProtectionScheme.name().equals(scheme) || scheme.startsWith(propertyProtectionScheme.getPath()) +) .findFirst() .orElseThrow(() -> new SensitivePropertyProtectionException(String.format("Protection Scheme [%s] not supported", scheme))); } diff --git a/nifi-commons/nifi-property-protection-factory/src/test/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolverTest.java b/nifi-commons/nifi-property-protection-factory/src/test/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolverTest.java index 9cfc4994f7..c8893b2231 100644 --- a/nifi-commons/nifi-property-protection-factory/src/test/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolverTest.java +++ b/nifi-commons/nifi-property-protection-factory/src/test/java/org/apache/nifi/properties/scheme/StandardProtectionSchemeResolverTest.java @@ -30,6 +30,8 @@ public class StandardProtectionSchemeResolverTest { private static final String AES_GCM_PATH = "aes/gcm"; +private static final String AES_GCM_256_PATH = "aes/gcm/256"; + private static final String UNKNOWN = "UNKNOWN"; private StandardProtectionSchemeResolver resolver; 
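Review bot: The new `scheme.startsWith(propertyProtectionScheme.getPath())` test in `getProtectionScheme` accepts any identifier that merely begins with a scheme path, so a value such as `aes/gcmx` (constructed example) would resolve to the AES-GCM scheme instead of raising SensitivePropertyProtectionException. If one scheme's path is ever a prefix of another's, `findFirst()` would also pick by enum order (the enum values are not visible here). Matching on a path boundary keeps the `aes/gcm/256` case working while rejecting near-misses: `propertyProtectionScheme.name().equals(scheme) || scheme.equals(propertyProtectionScheme.getPath()) || scheme.startsWith(propertyProtectionScheme.getPath() + "/")`. The test file would then merit a negative case next to `getProtectionSchemeAesGcm256Found` asserting that a near-miss identifier is rejected, and the method Javadoc should state that both the enum name and a path with a key-length suffix are accepted.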
@@ -46,6 +48,13 @@ public class StandardProtectionSchemeResolverTest { assertEquals(AES_GCM_PATH, protectionScheme.getPath()); } +@Test +public void getProtectionSchemeAesGcm256Found() { +final ProtectionScheme protectionScheme = resolver.getProtectionScheme(AES_GCM_256_PATH); +assertNotNull(protectionScheme); +assertEquals(AES_GCM_PATH, protectionScheme.getPath()); +} + @Test public void getProtectionSchemeUnknownNotFound() { final SensitivePropertyProtectionException exception = assertThrows(SensitivePropertyProtectionException.class, () -> resolver.getProtectionScheme(UNKNOWN));
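Review bot: `getProtectionSchemeAesGcm256Found` exercises only the accepting side of the new path matching, so nothing pins what the resolver does with a value that shares the `aes/gcm` prefix but is not a path segment of it. A companion case such as `assertThrows(SensitivePropertyProtectionException.class, () -> resolver.getProtectionScheme("aes/gcmX"));` (constructed value) would document the intended boundary. As committed, the `startsWith` filter in `StandardProtectionSchemeResolver` would make that assertion fail, which is the behaviour worth deciding on explicitly for code that selects how sensitive properties are decrypted.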
svn commit: r1900396 - /nifi/site/trunk/security.html
Author: thenatog Date: Fri Apr 29 20:21:54 2022 New Revision: 1900396 URL: http://svn.apache.org/viewvc?rev=1900396=rev Log: NIFI-9868 - Added CVE release information for NiFi 1.16.1 to security.html Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1900396=1900395=1900396=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Fri Apr 29 20:21:54 2022 
@@ -158,7 +158,74 @@ Thank you for helping keep Apache NiFi and our users safe! - + + + +Fixed in Apache NiFi 1.16.1 + + + + + +Vulnerabilities + + + + +CVE-2022-29265: Apache NiFi Improper Restriction of XML External Entity References in Multiple Components +Severity: Moderate +Versions Affected: + +Apache NiFi 0.0.1 - 1.16.0 + + +Description: Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. +The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. +The following Processors attempt to resolve XML External Entity references when configured with default property values: + + +EvaluateXPath +EvaluateXQuery +ValidateXml + + + +Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. + +Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. 
+Credit: This issue was discovered by David Handermann (exceptionfactory.com) +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29265; target="_blank">Mitre Database CVE-2022-29265 + +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9901; target="_blank">NIFI-9901, https://issues.apache.org/jira/browse/NIFI-9943; target="_blank">NIFI-9943 + + +NiFi PR: https://github.com/apache/nifi/pull/5962; target="_blank">PR 5962, https://github.com/apache/nifi/pull/5986; target="_blank">PR 5986, https://github.com/apache/nifi/pull/5994; target="_blank">PR 5994 + +Released: April 29, 2022 + + + + + +Dependency Vulnerabilities + + + + +CVE-2020-36518: Apache NiFi's use of jackson-databind +Severity: Moderate +Versions Affected: + +Apache NiFi 0.0.1 - 1.16.0 + + +Description: The vulnerable jackson-databind dependency allows a Java stack overflow exception and denial of service via a large depth of nested objects. +Mitigation: We have upgraded the jackson-databind version that NiFi uses from 2.13.2 to 2.13.2.20220328. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518; target="_blank">Mitre Database CVE-2020-36518 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9952; target="_blank">NIFI-9952 +Released: April 29, 2022 + +
[nifi-site] branch main updated: NIFI-9868 - Added CVE release information for NiFi 1.16.1 to security.html
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 6e970b0 NIFI-9868 - Added CVE release information for NiFi 1.16.1 to security.html 6e970b0 is described below commit 6e970b02f6c323c6dd5d7b59741d64af96a995e9 Author: Nathan Gough AuthorDate: Fri Apr 29 16:18:50 2022 -0400 NIFI-9868 - Added CVE release information for NiFi 1.16.1 to security.html --- src/pages/html/security.hbs | 69 - 1 file changed, 68 insertions(+), 1 deletion(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index c07d08a..c0d1ae3 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -52,7 +52,74 @@ title: Apache NiFi Security Reports Thank you for helping keep Apache NiFi and our users safe! - + + + +Fixed in Apache NiFi 1.16.1 + + + + + +Vulnerabilities + + + + +CVE-2022-29265: Apache NiFi Improper Restriction of XML External Entity References in Multiple Components +Severity: Moderate +Versions Affected: + +Apache NiFi 0.0.1 - 1.16.0 + + +Description: Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. +The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. +The following Processors attempt to resolve XML External Entity references when configured with default property values: + + +EvaluateXPath +EvaluateXQuery +ValidateXml + + + +Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. + +Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. 
+Credit: This issue was discovered by David Handermann (exceptionfactory.com) +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29265; target="_blank">Mitre Database CVE-2022-29265 + +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9901; target="_blank">NIFI-9901, https://issues.apache.org/jira/browse/NIFI-9943; target="_blank">NIFI-9943 + + +NiFi PR: https://github.com/apache/nifi/pull/5962; target="_blank">PR 5962, https://github.com/apache/nifi/pull/5986; target="_blank">PR 5986, https://github.com/apache/nifi/pull/5994; target="_blank">PR 5994 + +Released: April 29, 2022 + + + + + +Dependency Vulnerabilities + + + + +CVE-2020-36518: Apache NiFi's use of jackson-databind +Severity: Moderate +Versions Affected: + +Apache NiFi 0.0.1 - 1.16.0 + + +Description: The vulnerable jackson-databind dependency allows a Java stack overflow exception and denial of service via a large depth of nested objects. +Mitigation: We have upgraded the jackson-databind version that NiFi uses from 2.13.2 to 2.13.2.20220328. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518; target="_blank">Mitre Database CVE-2020-36518 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9952; target="_blank">NIFI-9952 +Released: April 29, 2022 + +
[nifi] branch main updated: NIFI-9918: 'Parse XML Attributes' property added to XMLReader NIFI-9918: Fixed review findings NIFI-9918: Example added to XMLReader's additionalDetails.html on the new pro
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 6ee3d32ca3 NIFI-9918: 'Parse XML Attributes' property added to XMLReader NIFI-9918: Fixed review findings NIFI-9918: Example added to XMLReader's additionalDetails.html on the new property. Minor documentation fixes. 6ee3d32ca3 is described below commit 6ee3d32ca3e5a901c65d05d1ec3b9fb186dce659 Author: Peter Gyori AuthorDate: Thu Mar 31 15:16:55 2022 +0200 NIFI-9918: 'Parse XML Attributes' property added to XMLReader NIFI-9918: Fixed review findings NIFI-9918: Example added to XMLReader's additionalDetails.html on the new property. Minor documentation fixes. Signed-off-by: Nathan Gough This closes #5964. --- .../main/java/org/apache/nifi/xml/XMLReader.java | 21 +- .../java/org/apache/nifi/xml/XMLRecordReader.java | 120 +- .../apache/nifi/xml/inference/XmlRecordSource.java | 20 +- .../additionalDetails.html | 196 +++- .../org/apache/nifi/xml/TestInferXmlSchema.java| 25 ++- .../java/org/apache/nifi/xml/TestXMLReader.java| 21 +- .../org/apache/nifi/xml/TestXMLRecordReader.java | 247 +++-- 7 files changed, 461 insertions(+), 189 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/xml/XMLReader.java b/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/xml/XMLReader.java index 20ee5195c6..7a5efd49c5 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/xml/XMLReader.java 
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/xml/XMLReader.java @@ -29,6 +29,7 @@ import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.schema.access.SchemaAccessStrategy; +import org.apache.nifi.schema.access.SchemaAccessUtils; import org.apache.nifi.schema.access.SchemaNotFoundException; import org.apache.nifi.schema.inference.SchemaInferenceEngine; import org.apache.nifi.schema.inference.RecordSourceFactory; @@ -106,12 +107,27 @@ public class XMLReader extends SchemaRegistryService implements RecordReaderFact .required(false) .build(); +public static final PropertyDescriptor PARSE_XML_ATTRIBUTES = new PropertyDescriptor.Builder() +.name("parse_xml_attributes") +.displayName("Parse XML Attributes") +.description("When 'Schema Access Strategy' is 'Infer Schema' and this property is 'true' then XML attributes are parsed and " + +"added to the record as new fields. When the schema is inferred but this property is 'false', " + +"XML attributes and their values are ignored.") +.expressionLanguageSupported(ExpressionLanguageScope.NONE) +.allowableValues("true", "false") +.defaultValue("true") +.required(false) +.dependsOn(SchemaAccessUtils.SCHEMA_ACCESS_STRATEGY, INFER_SCHEMA) +.build(); + +private volatile boolean parseXmlAttributes; private volatile String dateFormat; private volatile String timeFormat; private volatile String timestampFormat; @OnEnabled public void onEnabled(final ConfigurationContext context) { +this.parseXmlAttributes = context.getProperty(PARSE_XML_ATTRIBUTES).asBoolean(); this.dateFormat = context.getProperty(DateTimeUtils.DATE_FORMAT).getValue(); this.timeFormat = context.getProperty(DateTimeUtils.TIME_FORMAT).getValue(); this.timestampFormat = context.getProperty(DateTimeUtils.TIMESTAMP_FORMAT).getValue(); 
@@ -120,6 +136,7 @@ public class XMLReader extends SchemaRegistryService implements RecordReaderFact @Override protected List getSupportedPropertyDescriptors() { final List properties = new ArrayList<>(super.getSupportedPropertyDescriptors()); +properties.add(PARSE_XML_ATTRIBUTES); properties.add(SchemaInferenceUtil.SCHEMA_CACHE); properties.add(RECORD_FORMAT); properties.add(ATTRIBUTE_PREFIX); @@ -143,7 +160,7 @@ public class XMLReader extends SchemaRegistryService implements RecordReaderFact final RecordSourceFactory sourceFactory = (variables, contentStream) -> { String cont
[nifi] branch main updated: NIFI-9950 Identify MariaDB database type and use MySQL migration scripts
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 3a15d4fbe5 NIFI-9950 Identify MariaDB database type and use MySQL migration scripts 3a15d4fbe5 is described below commit 3a15d4fbe5c35a4c5adcf1e1046a37cfd8c12b89 Author: Bryan Bende AuthorDate: Thu Apr 21 15:35:48 2022 -0400 NIFI-9950 Identify MariaDB database type and use MySQL migration scripts Signed-off-by: Nathan Gough This closes 5989. --- .../registry/db/CustomFlywayConfiguration.java | 3 ++- nifi-registry/nifi-registry-core/pom.xml | 26 ++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/db/CustomFlywayConfiguration.java b/nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/db/CustomFlywayConfiguration.java index 4fc2694c2d..42e2946b70 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/db/CustomFlywayConfiguration.java +++ b/nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/db/CustomFlywayConfiguration.java @@ -23,6 +23,7 @@ import org.flywaydb.core.internal.database.DatabaseTypeRegister; import org.flywaydb.core.internal.database.postgresql.PostgreSQLDatabaseType; import org.flywaydb.core.internal.jdbc.JdbcUtils; import org.flywaydb.database.mysql.MySQLDatabaseType; +import org.flywaydb.database.mysql.mariadb.MariaDBDatabaseType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.boot.autoconfigure.flyway.FlywayConfigurationCustomizer; 
@@ -58,7 +59,7 @@ public class CustomFlywayConfiguration implements FlywayConfigurationCustomizer final DatabaseType databaseType = getDatabaseType(configuration.getDataSource()); LOGGER.info("Determined database type is {}", databaseType.getName()); -if (databaseType instanceof MySQLDatabaseType) { +if (databaseType instanceof MySQLDatabaseType || databaseType instanceof MariaDBDatabaseType) { LOGGER.info("Setting migration locations to {}", Arrays.asList(LOCATIONS_MYSQL)); configuration.locations(LOCATIONS_MYSQL); } else if (databaseType instanceof PostgreSQLDatabaseType) { diff --git a/nifi-registry/nifi-registry-core/pom.xml b/nifi-registry/nifi-registry-core/pom.xml index 6a18176ae0..76eb5cf949 100644 --- a/nifi-registry/nifi-registry-core/pom.xml +++ b/nifi-registry/nifi-registry-core/pom.xml @@ -182,6 +182,32 @@ + +mariadb-10_2-test +verify + +integration-test +verify + + + + mariadb-10-2 + + + + +mariadb-10_3-test +verify + +integration-test +verify + + + + mariadb-10-3 + + + postgres10-test verify
svn commit: r1899628 - /nifi/site/trunk/security.html
Author: thenatog Date: Wed Apr 6 20:31:30 2022 New Revision: 1899628 URL: http://svn.apache.org/viewvc?rev=1899628=rev Log: NIFI-9780 - Updated CVE-2022-26850 with bcrypt finding and downgraded to Low severity. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1899628=1899627=1899628=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Apr 6 20:31:30 2022 
@@ -174,13 +174,14 @@ CVE-2022-26850: Apache NiFi insufficiently protected credentials -Severity: Medium +Severity: Low Versions Affected: Apache NiFi 1.14.0 - 1.15.3 -Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. +Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. +Bcrypt is a password-hashing algorithm that incorporates a random salt and a specified cost factor, designed to maintain resistance to brute-force attacks. Use of the bcrypt algorithm minimizes the impact of disclosing the single-user credentials stored in Login Identity Providers. Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). Report available here: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq; target="_blank">JLLeitschuh Github CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850; target="_blank">Mitre Database: CVE-2022-26850
[nifi-site] branch main updated: NIFI-9780 - Updated CVE-2022-26850 with bcrypt finding and downgraded to Low severity.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new d18679e NIFI-9780 - Updated CVE-2022-26850 with bcrypt finding and downgraded to Low severity. d18679e is described below commit d18679e276742e687946bc89010bf25bcd2b225b Author: Nathan Gough AuthorDate: Wed Apr 6 16:25:19 2022 -0400 NIFI-9780 - Updated CVE-2022-26850 with bcrypt finding and downgraded to Low severity. --- src/pages/html/security.hbs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 0f5ee58..c07d08a 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -68,13 +68,14 @@ title: Apache NiFi Security Reports CVE-2022-26850: Apache NiFi insufficiently protected credentials -Severity: Medium +Severity: Low Versions Affected: Apache NiFi 1.14.0 - 1.15.3 -Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. +Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which [...] +Bcrypt is a password-hashing algorithm that incorporates a random salt and a specified cost factor, designed to maintain resistance to brute-force attacks. Use of the bcrypt algorithm minimizes the impact of disclosing the single-user credentials stored in Login Identity Providers. Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). Report available here: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq; target="_blank">JLLeitschuh Github CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850; target="_blank">Mitre Database: CVE-2022-26850
svn commit: r1899626 - /nifi/site/trunk/security.html
Author: thenatog Date: Wed Apr 6 18:11:49 2022 New Revision: 1899626 URL: http://svn.apache.org/viewvc?rev=1899626=rev Log: NIFI-9780 - Updated security.html with version correction and reporter github. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1899626=1899625=1899626=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Apr 6 18:11:49 2022 @@ -177,12 +177,12 @@ Severity: Medium Versions Affected: -Apache NiFi 1.14.0 - 1.15.1 +Apache NiFi 1.14.0 - 1.15.3 Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. -Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). +Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). Report available here: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq; target="_blank">JLLeitschuh Github CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850; target="_blank">Mitre Database: CVE-2022-26850 NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9785; target="_blank">NIFI-9785 NiFi PR: https://github.com/apache/nifi/pull/5856; target="_blank">PR 5856
[nifi-site] branch main updated: NIFI-9780 - Updated security.html with version correction and reporter github.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 04479c3 NIFI-9780 - Updated security.html with version correction and reporter github. 04479c3 is described below commit 04479c3faa63fb0c56fa98377c868fd0403224fd Author: Nathan Gough AuthorDate: Wed Apr 6 13:55:47 2022 -0400 NIFI-9780 - Updated security.html with version correction and reporter github. --- src/pages/html/security.hbs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index bcacf0d..0f5ee58 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -71,12 +71,12 @@ title: Apache NiFi Security Reports Severity: Medium Versions Affected: -Apache NiFi 1.14.0 - 1.15.1 +Apache NiFi 1.14.0 - 1.15.3 Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. -Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). +Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). Report available here: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq; target="_blank">JLLeitschuh Github CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850; target="_blank">Mitre Database: CVE-2022-26850 NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9785; target="_blank">NIFI-9785 NiFi PR: https://github.com/apache/nifi/pull/5856; target="_blank">PR 5856
svn commit: r1899619 - /nifi/site/trunk/people.html
Author: thenatog Date: Wed Apr 6 14:52:11 2022 New Revision: 1899619 URL: http://svn.apache.org/viewvc?rev=1899619=rev Log: Added amarkovics to people.html Modified: nifi/site/trunk/people.html Modified: nifi/site/trunk/people.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/people.html?rev=1899619=1899618=1899619=diff == --- nifi/site/trunk/people.html (original) +++ nifi/site/trunk/people.html Wed Apr 6 14:52:11 2022 @@ -425,6 +425,11 @@ Denes Arvay + +amarkovics +Ãdám Markovics + +
[nifi-site] branch main updated: NIFI-9780 - Updated security.html page for 1.16.0 release.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new e99974e NIFI-9780 - Updated security.html page for 1.16.0 release. e99974e is described below commit e99974e2b0beb50e89da00912555e0fb18a145ef Author: Nathan Gough AuthorDate: Tue Apr 5 22:58:46 2022 -0400 NIFI-9780 - Updated security.html page for 1.16.0 release. --- src/pages/html/security.hbs | 52 + 1 file changed, 52 insertions(+) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 8483a10..bcacf0d 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -53,6 +53,58 @@ title: Apache NiFi Security Reports + + + +Fixed in Apache NiFi 1.16.0 + + + + + +Vulnerabilities + + + + +CVE-2022-26850: Apache NiFi insufficiently protected credentials +Severity: Medium +Versions Affected: + +Apache NiFi 1.14.0 - 1.15.1 + + +Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. +Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. +Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850; target="_blank">Mitre Database: CVE-2022-26850 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9785; target="_blank">NIFI-9785 +NiFi PR: https://github.com/apache/nifi/pull/5856; target="_blank">PR 5856 +Released: March 27, 2022 + + + + + +Dependency Vulnerabilities + + + + +CVE-2021-42392: Apache NiFi's use of H2 database +Severity: Important +Versions Affected: + +Apache NiFi 0.0.1 - 1.15.3 + + +Description: Apache NiFi uses H2 database for storing various NiFi runtime details. H2 database had a critical vulnerability similar to Log4Shell which potentially allows JNDI remote codebase loading. In NiFi, by default, console access to the database is restricted to local machine access only and remote access is disabled which limited the severity of this vulnerability. More detailed information on the H2 vulnerability can be found in https://thesecmaster.com/how-t [...] +Mitigation: We have upgraded the H2 version that NiFi uses from 1.4.199 to 2.1.210. 
The vulnerability is also mitigated with more recent versions of Java (6u211 , 7u201, 8u191, 11.0.1 onwards). +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392; target="_blank">Mitre Database: CVE-2021-42392 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9585; target="_blank">NIFI-9585 +Released: March 27, 2022 + +
svn commit: r1899600 - /nifi/site/trunk/security.html
Author: thenatog Date: Wed Apr 6 03:52:36 2022 New Revision: 1899600 URL: http://svn.apache.org/viewvc?rev=1899600=rev Log: NIFI-9780 - Updated security.html page for 1.16.0 release. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1899600=1899599=1899600=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Apr 6 03:52:36 2022 
@@ -162,6 +162,58 @@ +Fixed in Apache NiFi 1.16.0 + + + + + +Vulnerabilities + + + + +CVE-2022-26850: Apache NiFi insufficiently protected credentials +Severity: Medium +Versions Affected: + +Apache NiFi 1.14.0 - 1.15.1 + + +Description: When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. +Mitigation: NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. +Credit: This issue was discovered by Jonathan Leitschuh (https://twitter.com/jlleitschuh). +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850; target="_blank">Mitre Database: CVE-2022-26850 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9785; target="_blank">NIFI-9785 +NiFi PR: https://github.com/apache/nifi/pull/5856; target="_blank">PR 5856 +Released: March 27, 2022 + + + + + +Dependency Vulnerabilities + + + + +CVE-2021-42392: Apache NiFi's use of H2 database +Severity: Important +Versions Affected: + +Apache NiFi 0.0.1 - 1.15.3 + + +Description: Apache NiFi uses H2 database for storing various NiFi runtime details. H2 database had a critical vulnerability similar to Log4Shell which potentially allows JNDI remote codebase loading. In NiFi, by default, console access to the database is restricted to local machine access only and remote access is disabled which limited the severity of this vulnerability. More detailed information on the H2 vulnerability can be found in https://thesecmaster.com/how-to-fix-cve-2021-42392-a-critical-unauthenticated-rce-in-h2-database-console/;>this blog post. 
+Mitigation: We have upgraded the H2 version that NiFi uses from 1.4.199 to 2.1.210. The vulnerability is also mitigated with more recent versions of Java (6u211 , 7u201, 8u191, 11.0.1 onwards). +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392; target="_blank">Mitre Database: CVE-2021-42392 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9585; target="_blank">NIFI-9585 +Released: March 27, 2022 + + + + + Fixed in Apache NiFi 1.15.1
[nifi] branch main updated: NIFI-9859 Upgraded Apache Curator from 5.2.0 to 5.2.1
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new c9dee4d NIFI-9859 Upgraded Apache Curator from 5.2.0 to 5.2.1 c9dee4d is described below commit c9dee4ddba006bd8ae407cf893b0760ba5070b3a Author: exceptionfactory AuthorDate: Fri Apr 1 09:23:23 2022 -0500 NIFI-9859 Upgraded Apache Curator from 5.2.0 to 5.2.1 Signed-off-by: Nathan Gough This closes #5923. --- nifi-nar-bundles/nifi-framework-bundle/pom.xml | 2 +- nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/pom.xml index 1eb5062..4082e55 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/pom.xml @@ -23,7 +23,7 @@ pom NiFi: Framework Bundle -5.2.0 +5.2.1 3.5.9 diff --git a/nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml b/nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml index a0a8070..9f3e9e7 100644 --- a/nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml +++ b/nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml @@ -24,7 +24,7 @@ 1.16.0-SNAPSHOT -5.2.0 +5.2.1
[nifi] branch main updated: NIFI-9852 Upgraded Spring Framework from 5.3.16 to 5.3.18
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 7fde2bb NIFI-9852 Upgraded Spring Framework from 5.3.16 to 5.3.18 7fde2bb is described below commit 7fde2bbfd1afdd6037765340eca9fc675542323e Author: exceptionfactory AuthorDate: Thu Mar 31 11:48:00 2022 -0500 NIFI-9852 Upgraded Spring Framework from 5.3.16 to 5.3.18 - Upgraded Spring Boot from 2.6.4 to 2.6.6 Signed-off-by: Nathan Gough This closes #5921. --- nifi-registry/pom.xml | 2 +- pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nifi-registry/pom.xml b/nifi-registry/pom.xml index e6fc25e..c36fe06 100644 --- a/nifi-registry/pom.xml +++ b/nifi-registry/pom.xml @@ -37,7 +37,7 @@ 2.1 -2.6.4 +2.6.6 8.4.2 7.0.0 3.12.0 diff --git a/pom.xml b/pom.xml index c734f1d..51360cc 100644 --- a/pom.xml +++ b/pom.xml @@ -123,7 +123,7 @@ 3.11.2 3.10.6.Final 4.1.74.Final -5.3.16 +5.3.18 5.6.2 2.1.210
[nifi] branch main updated: NIFI-9844 Refactored Encryptor tests using JUnit 5
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new cf21bc4 NIFI-9844 Refactored Encryptor tests using JUnit 5 cf21bc4 is described below commit cf21bc47cd63e316eaa4a899f8b3373a6ca1b1fc Author: exceptionfactory AuthorDate: Mon Mar 28 23:05:09 2022 -0500 NIFI-9844 Refactored Encryptor tests using JUnit 5 - Refactored Keyed and Password Based Encryptor tests from Groovy to Java Signed-off-by: Nathan Gough This closes #5913. --- .../util/crypto/KeyedEncryptorGroovyTest.groovy| 254 .../crypto/PasswordBasedEncryptorGroovyTest.groovy | 699 - .../security/util/crypto/KeyedEncryptorTest.java | 117 .../util/crypto/OpenPGPKeyBasedEncryptorTest.java | 130 +--- .../crypto/OpenPGPPasswordBasedEncryptorTest.java | 125 +--- .../util/crypto/PasswordBasedEncryptorTest.java| 240 +++ 6 files changed, 402 insertions(+), 1163 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/security/util/crypto/KeyedEncryptorGroovyTest.groovy b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/security/util/crypto/KeyedEncryptorGroovyTest.groovy deleted file mode 100644 index ab2d0f7..000 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/security/util/crypto/KeyedEncryptorGroovyTest.groovy +++ /dev/null 
@@ -1,254 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License") you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.security.util.crypto - -import org.apache.commons.codec.binary.Hex -import org.apache.nifi.processor.exception.ProcessException -import org.apache.nifi.processor.io.StreamCallback -import org.apache.nifi.security.util.EncryptionMethod -import org.apache.nifi.security.util.KeyDerivationFunction -import org.apache.nifi.stream.io.exception.BytePatternNotFoundException -import org.bouncycastle.jce.provider.BouncyCastleProvider -import org.junit.BeforeClass -import org.junit.Test -import org.junit.Assert -import org.slf4j.Logger -import org.slf4j.LoggerFactory - -import javax.crypto.SecretKey -import javax.crypto.spec.SecretKeySpec -import java.nio.charset.StandardCharsets -import java.security.Security - -class KeyedEncryptorGroovyTest { -private static final Logger logger = LoggerFactory.getLogger(KeyedEncryptorGroovyTest.class) - -private static final String TEST_RESOURCES_PREFIX = "src/test/resources/TestEncryptContent/" - -private static final String KEY_HEX = "0123456789ABCDEFFEDCBA9876543210" -private static final SecretKey KEY = new SecretKeySpec(Hex.decodeHex(KEY_HEX as char[]), "AES") - -@BeforeClass -static void 
setUpOnce() throws Exception { -Security.addProvider(new BouncyCastleProvider()) - -logger.metaClass.methodMissing = { String name, args -> -logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}") -} -} - -@Test -void testShouldEncryptAndDecrypt() throws Exception { -// Arrange -final String PLAINTEXT = "This is a plaintext message." -logger.info("Plaintext: {}", PLAINTEXT) -InputStream plainStream = new ByteArrayInputStream(PLAINTEXT.getBytes("UTF-8")) - -OutputStream cipherStream = new ByteArrayOutputStream() -OutputStream recoveredStream = new ByteArrayOutputStream() - -EncryptionMethod encryptionMethod = EncryptionMethod.AES_CBC -logger.info("Using ${encryptionMethod.name()}") - -// Act -KeyedEncryptor encryptor = new KeyedEncryptor(encryptionMethod, KEY) - -StreamCallback encryptionCallback = encryptor.getEncryptionCallback() -StreamCallback decryptionCallback = encryptor.getDecryptionCallback() - -encryptionCallback.process(plainStream, cipherStream) - -final byte[] cipherBytes = ((ByteArrayOutputStream) cipherS
[nifi] branch main updated: NIFI-9797 Corrected AccessToken.isExpired() margin calculation
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 77c45ca NIFI-9797 Corrected AccessToken.isExpired() margin calculation 77c45ca is described below commit 77c45cabc5c236b9b3cb563b143e53abafbd1921 Author: exceptionfactory AuthorDate: Mon Mar 14 16:39:47 2022 -0500 NIFI-9797 Corrected AccessToken.isExpired() margin calculation Signed-off-by: Nathan Gough This closes #5867. --- .../java/org/apache/nifi/oauth2/AccessToken.java | 10 ++-- .../org/apache/nifi/oauth2/AccessTokenTest.java| 69 ++ .../StandardOauth2AccessTokenProviderTest.java | 57 -- 3 files changed, 86 insertions(+), 50 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/main/java/org/apache/nifi/oauth2/AccessToken.java b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/main/java/org/apache/nifi/oauth2/AccessToken.java index 622c9b0..d0a6dff 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/main/java/org/apache/nifi/oauth2/AccessToken.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/main/java/org/apache/nifi/oauth2/AccessToken.java @@ -17,10 +17,11 @@ package org.apache.nifi.oauth2; -import java.time.Duration; import java.time.Instant; public class AccessToken { +private static final int EXPIRY_MARGIN_SECONDS = 5; + private String accessToken; private String refreshToken; private String tokenType; @@ -29,8 +30,6 @@ public class AccessToken { private final Instant fetchTime; -public static final int EXPIRY_MARGIN = 5000; - public AccessToken() { this.fetchTime = Instant.now(); } 
@@ -89,8 +88,7 @@ public class AccessToken { } public boolean isExpired() { -boolean expired = Duration.between(Instant.now(), fetchTime.plusSeconds(expiresIn - EXPIRY_MARGIN)).isNegative(); - -return expired; +final Instant expirationTime = fetchTime.plusSeconds(expiresIn).plusSeconds(EXPIRY_MARGIN_SECONDS); +return Instant.now().isAfter(expirationTime); } } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/test/java/org/apache/nifi/oauth2/AccessTokenTest.java b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/test/java/org/apache/nifi/oauth2/AccessTokenTest.java new file mode 100644 index 000..6f77e62 --- /dev/null +++ b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-api/src/test/java/org/apache/nifi/oauth2/AccessTokenTest.java 
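Review bot: In `isExpired()` the margin is added to the expiration time, so the token is reported as valid for five seconds after the lifetime the authorization server granted (`fetchTime + expiresIn`). An expiry margin is normally subtracted, so the caller refreshes shortly before the token lapses rather than presenting one the server may already reject. If the addition is deliberate clock-skew tolerance, a comment on `EXPIRY_MARGIN_SECONDS` should say so; otherwise the line would read `final Instant expirationTime = fetchTime.plusSeconds(expiresIn).minusSeconds(EXPIRY_MARGIN_SECONDS);`. The new `testIsExpiredTwoSecondsAgo` case in AccessTokenTest asserts the current behaviour and would have to change with it.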
@@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.oauth2; + +import org.junit.jupiter.api.Test; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class AccessTokenTest { +private static final String ACCESS_TOKEN = "ACCESS"; + +private static final String REFRESH_TOKEN = "REFRESH"; + +private static final String TOKEN_TYPE = "Bearer"; + +private static final String SCOPES = "default"; + +private static final long TWO_SECONDS_AGO = -2; + +private static final long TEN_SECONDS_AGO = -10; + +private static final long IN_SIXTY_SECONDS = 60; + +@Test +public void testIsExpiredTenSecondsAgo() { +final AccessToken accessToken = getAccessToken(TEN_SECONDS_AGO); + +assertTrue(accessToken.isExpired()); +} + +@Test +public void testIsExpiredTwoSecondsAgo() { +final AccessToken accessToken = getAccessToken(TWO_SECONDS_AGO); + +assertFalse(accessToken.isExpired()); +} + +@Test +public void testIsExpiredInSixtySeconds() { +final AccessToken accessToken = getAccessToken(IN_SIXTY_SECONDS); + +assertFalse(accessToken.isExpired()); +} + +private AccessToken getAccessToken(final long expiresInSeconds) { +return new 
AccessToken( +
[nifi] branch main updated: NIFI-9795 - checkstyle, rat issues in nifi-system-test-suite module
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new a7abe6d NIFI-9795 - checkstyle, rat issues in nifi-system-test-suite module a7abe6d is described below commit a7abe6d722067a4f4a38372916f32051b79ea72b Author: Paul Grey AuthorDate: Mon Mar 14 12:35:22 2022 -0400 NIFI-9795 - checkstyle, rat issues in nifi-system-test-suite module Signed-off-by: Nathan Gough This closes #5864. --- .../apache/nifi/tests/system/clustering/OffloadIT.java| 1 - .../src/test/resources/simplelogger.properties| 15 +++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/nifi-system-tests/nifi-system-test-suite/src/test/java/org/apache/nifi/tests/system/clustering/OffloadIT.java b/nifi-system-tests/nifi-system-test-suite/src/test/java/org/apache/nifi/tests/system/clustering/OffloadIT.java index 9f81d66..e806cef 100644 --- a/nifi-system-tests/nifi-system-test-suite/src/test/java/org/apache/nifi/tests/system/clustering/OffloadIT.java +++ b/nifi-system-tests/nifi-system-test-suite/src/test/java/org/apache/nifi/tests/system/clustering/OffloadIT.java @@ -31,7 +31,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.IOException; -import java.util.Collection; import java.util.Collections; public class OffloadIT extends NiFiSystemIT { diff --git a/nifi-system-tests/nifi-system-test-suite/src/test/resources/simplelogger.properties b/nifi-system-tests/nifi-system-test-suite/src/test/resources/simplelogger.properties index fc7646b..f2fcde2 100644 --- a/nifi-system-tests/nifi-system-test-suite/src/test/resources/simplelogger.properties +++ b/nifi-system-tests/nifi-system-test-suite/src/test/resources/simplelogger.properties 
@@ -1,2 +1,17 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + org.slf4j.simpleLogger.showDateTime=true org.slf4j.simpleLogger.dateTimeFormat=-MM-dd HH:mm:ss:SSS Z
[nifi] branch main updated (546f986 -> 859d5fe)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 546f986 NIFI-9775 Create RuntimeManifestService add 859d5fe NIFI-9785 Improved Login Credentials Writer File Handling No new revisions were added by this update. Summary of changes: .../writer/StandardLoginCredentialsWriter.java | 37 +++--- .../writer/StandardLoginCredentialsWriterTest.java | 17 ++ 2 files changed, 35 insertions(+), 19 deletions(-)
[nifi] branch main updated (4719f78 -> d17fcf6)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 4719f78 NIFI-9580: UI work for framework-level retry in Processors (#5666) add d17fcf6 NIFI-9735 Corrected Jetty Duplicate Mapping Warning No new revisions were added by this update. Summary of changes: .../src/main/java/org/apache/nifi/web/server/JettyServer.java| 9 + 1 file changed, 1 insertion(+), 8 deletions(-)
[nifi] branch main updated: NIFI-9607: Honor Update Keys when Quoting Identifiers in PutDatabaseRecord
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 03165ad NIFI-9607: Honor Update Keys when Quoting Identifiers in PutDatabaseRecord 03165ad is described below commit 03165ad817bae0c981f82e92c5b916324da5a5bf Author: Matthew Burgess AuthorDate: Fri Jan 21 16:52:11 2022 -0500 NIFI-9607: Honor Update Keys when Quoting Identifiers in PutDatabaseRecord NIFI-9607: Fixed wrong column name in WHERE clause for generateUpdate Signed-off-by: Nathan Gough This closes #5701. --- .../processors/standard/PutDatabaseRecord.java | 30 ++ .../standard/TestPutDatabaseRecord.groovy | 47 ++ 2 files changed, 60 insertions(+), 17 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java index bc8a1f0..4756d80 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutDatabaseRecord.java 
@@ -603,14 +603,10 @@ public class PutDatabaseRecord extends AbstractProcessor { throw new IllegalArgumentException(format("Cannot process %s because Table Name is null or empty", flowFile)); } -// Always get the primary keys if Update Keys is empty. Otherwise if we have an Insert statement first, the table will be -// cached but the primary keys will not be retrieved, causing future UPDATE statements to not have primary keys available -final boolean includePrimaryKeys = updateKeys == null; - final SchemaKey schemaKey = new PutDatabaseRecord.SchemaKey(catalog, schemaName, tableName); final TableSchema tableSchema = schemaCache.get(schemaKey, key -> { try { -final TableSchema schema = TableSchema.from(con, catalog, schemaName, tableName, settings.translateFieldNames, includePrimaryKeys, log); +final TableSchema schema = TableSchema.from(con, catalog, schemaName, tableName, settings.translateFieldNames, updateKeys, log); getLogger().debug("Fetched Table Schema {} for table name {}", schema, tableName); return schema; } catch (SQLException e) { @@ -1189,12 +1185,8 @@ public class PutDatabaseRecord extends AbstractProcessor { } } -// Set the WHERE clause based on the Update Key values -sqlBuilder.append(" WHERE "); AtomicInteger whereFieldCount = new AtomicInteger(0); - for (int i = 0; i < fieldCount; i++) { - RecordField field = recordSchema.getField(i); String fieldName = field.getFieldName(); 
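Review bot: The `schemaCache` lookup is still keyed by `SchemaKey(catalog, schemaName, tableName)` alone, while the loader now passes `updateKeys` into `TableSchema.from(...)`, so the cached schema is computed from a value the key does not carry. If `updateKeys` can differ between flow files for the same table (not visible in this hunk), the first caller's value decides what later callers get, which is the kind of stale-cache case the removed comment warned about. Either make the relevant part of `updateKeys` part of the cache key, or document the limitation at the call, for example `// NOTE: cached per table; the schema loaded here reflects the Update Keys of the first flow file only`. The enclosing method starts and ends outside the hunk.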
@@ -1207,14 +1199,17 @@ public class PutDatabaseRecord extends AbstractProcessor { if (whereFieldCount.getAndIncrement() > 0) { sqlBuilder.append(" AND "); +} else if (i == 0) { +// Set the WHERE clause based on the Update Key values +sqlBuilder.append(" WHERE "); } if (settings.escapeColumnNames) { sqlBuilder.append(tableSchema.getQuotedIdentifierString()) -.append(normalizedColName) +.append(desc.getColumnName()) .append(tableSchema.getQuotedIdentifierString()); } else { -sqlBuilder.append(normalizedColName); +sqlBuilder.append(desc.getColumnName()); } sqlBuilder.append(" = ?"); includedColumns.add(i); @@ -1363,10 +1358,6 @@ public class PutDatabaseRecord extends AbstractProcessor { getLogger().warn(missingColMessage); } } -// Optionally quote the name before returning -if (settings.escapeColumnNames) { -normalizedKeyColumnName = quoteString + normalizedKeyColumnName + quoteString; -} normalizedKeyColumnNames.add(normalizedKeyColumnName); } @@ -1419,7 +1410,7 @@ public class PutDatabaseRecord extends AbstractProcessor { } public static TableSchema from(fin
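Review bot: The new `else if (i == 0)` branch appends `" WHERE "` only when the first matching column is also the first field of the record schema. For a key column at any later index, `whereFieldCount.getAndIncrement()` still returns 0, neither branch runs, and the `name = ?` predicate is appended with no `WHERE` in front of it, which yields a malformed UPDATE statement. The keyword should depend on the predicate count only: `} else {` in place of `} else if (i == 0) {`. The condition that selects key columns sits above this hunk, so this assumes the block is entered only for update-key fields. A test with the key as a non-first record field would cover it.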
[nifi] branch main updated: [NIFI-9623] - Attempt to look up messages locale file without country designation if it fails to find it with the country designation
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 8d143e8 [NIFI-9623] - Attempt to look up messages locale file without country designation if it fails to find it with the country designation 8d143e8 is described below commit 8d143e83677c6a40ac13bc9f98404dcc6817cc36 Author: Rob Fellows AuthorDate: Mon Jan 24 13:43:23 2022 -0500 [NIFI-9623] - Attempt to look up messages locale file without country designation if it fails to find it with the country designation Signed-off-by: Nathan Gough This closes #5707. --- .../src/main/webapp/nf-registry-bootstrap.js | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/nf-registry-bootstrap.js b/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/nf-registry-bootstrap.js index 4ad63a8..62648eb 100644 --- a/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/nf-registry-bootstrap.js +++ b/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/webapp/nf-registry-bootstrap.js 
@@ -60,7 +60,27 @@ if (!locale || locale === 'en-us') { } bootstrapModule(); }).fail(function () { -bootstrapModule(); +// was this a country specific locale? if so, try to get the generic version of the language +const localeTokens = locale.split('-'); +if (localeTokens.length === 2) { +translationFile = 'locale/messages.' + localeTokens[0] + '.xlf'; +$.ajax({ +url: translationFile, +dataType: 'text' +}).done(function (translations) { +// add providers if translation file for locale is loaded +if (translations) { +providers.push({provide: TRANSLATIONS, useValue: translations}); +providers.push({provide: TRANSLATIONS_FORMAT, useValue: 'xlf'}); +providers.push({provide: LOCALE_ID, useValue: localeTokens[0]}); +} +bootstrapModule(); +}).fail(function () { +bootstrapModule(); +}); +} else { +bootstrapModule(); +} }); }
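Review bot: The fallback in the `.fail` handler runs only when `localeTokens.length === 2`, so a locale with a script or variant subtag (three or more parts) skips the language-only lookup and boots untranslated. `if (localeTokens.length > 1) {` would cover those as well. The inner `$.ajax` call also appears to repeat the outer request's `.done` handler apart from the locale id; a small helper taking the locale id and a failure callback would keep the two provider lists from drifting apart. The enclosing function starts above the hunk.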
[nifi] branch main updated: NIFI-9631 - Enable cli.sh to be used with a symbolic link
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 11bad7b NIFI-9631 - Enable cli.sh to be used with a symbolic link 11bad7b is described below commit 11bad7b4edb9da66b88f0ddedba68703294a84c7 Author: David Stewart AuthorDate: Wed Jan 26 10:03:11 2022 + NIFI-9631 - Enable cli.sh to be used with a symbolic link Signed-off-by: Nathan Gough This closes #5717. --- .../nifi-toolkit-assembly/src/main/resources/bin/cli.sh| 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/bin/cli.sh b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/bin/cli.sh index 9ba36d5..9a30dde 100644 --- a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/bin/cli.sh +++ b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/bin/cli.sh @@ -19,8 +19,14 @@ # Script structure inspired from Apache Karaf and other Apache projects with similar startup approaches -SCRIPT_DIR=$(dirname "$0") -SCRIPT_NAME=$(basename "$0") +SCRIPT_LINK=$(readlink $0 2> /dev/null) +if test -z "$SCRIPT_LINK"; then +SCRIPT_DIR=$(dirname "$0") +SCRIPT_NAME=$(basename "$0") +else +SCRIPT_DIR=$(dirname "$SCRIPT_LINK") +SCRIPT_NAME=$(basename "$SCRIPT_LINK") +fi NIFI_TOOLKIT_HOME=$(cd "${SCRIPT_DIR}" && cd .. && pwd) PROGNAME=$(basename "$0")
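Review bot: `readlink $0` is unquoted, so an install path containing spaces or glob characters is split before `readlink` sees it; `SCRIPT_LINK` then likely comes back empty and the script falls back to the unresolved path with no message. Write `SCRIPT_LINK=$(readlink "$0" 2> /dev/null)`. `readlink` also returns a relative link target as stored, so `dirname "$SCRIPT_LINK"` is resolved against the caller's working directory rather than the directory holding the link, and `NIFI_TOOLKIT_HOME` can point at an unintended location. Resolving a relative target against `$(dirname "$0")` first, and noting in a comment that only one level of link is followed, would close both gaps.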
[nifi] branch main updated: NIFI-9610 Refactored nifi-processor-utils to separate modules
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new dc7d951 NIFI-9610 Refactored nifi-processor-utils to separate modules dc7d951 is described below commit dc7d9510cd5e63dfe3888d6c9f5464fe6eb843f8 Author: exceptionfactory AuthorDate: Mon Jan 31 15:06:13 2022 -0600 NIFI-9610 Refactored nifi-processor-utils to separate modules - Added nifi-bin-manager - Added nifi-event-listen - Added nifi-event-put - Added nifi-listed-entity - Added nifi-put-pattern - Removed nifi-processor-utils 
Signed-off-by: Nathan Gough This closes #5729. --- .../nifi-aws-bundle/nifi-aws-processors/pom.xml| 10 +- .../nifi-azure-processors/pom.xml | 7 +- .../nifi-beats-processors/pom.xml | 2 +- .../nifi-extension-utils/nifi-bin-manager}/pom.xml | 27 +- .../org/apache/nifi/processor/util/bin/Bin.java| 0 .../apache/nifi/processor/util/bin/BinFiles.java | 0 .../apache/nifi/processor/util/bin/BinManager.java | 0 .../processor/util/bin/BinProcessingResult.java| 0 .../nifi/processor/util/bin/EvictionReason.java| 0 .../nifi-event-listen}/pom.xml | 40 +- .../AbstractListenEventBatchingProcessor.java | 0 .../util/listen/AbstractListenEventProcessor.java | 0 .../nifi/processor/util/listen/EventBatcher.java | 0 .../processor/util/listen/FlowFileEventBatch.java | 0 .../processor/util/listen/ListenerProperties.java | 0 .../listen/dispatcher/AsyncChannelDispatcher.java | 0 .../util/listen/dispatcher/ByteBufferFactory.java | 0 .../util/listen/dispatcher/ByteBufferPool.java | 0 .../util/listen/dispatcher/ByteBufferSource.java | 0 .../util/listen/dispatcher/ChannelDispatcher.java | 0 .../dispatcher/DatagramChannelDispatcher.java | 0 .../nifi/processor/util/listen/event/Event.java| 0 .../processor/util/listen/event/EventFactory.java | 0 .../util/listen/event/EventFactoryUtil.java| 0 .../processor/util/listen/event/EventQueue.java| 0 .../util/listen/event/NetworkEventFactory.java | 0 .../processor/util/listen/event/StandardEvent.java | 0 .../util/listen/event/StandardEventFactory.java| 0 .../listen/event/StandardNetworkEventFactory.java | 0 .../util/listen/response/ChannelResponder.java | 0 .../util/listen/response/ChannelResponse.java | 0 .../processor/util/listen/EventBatcherTest.java| 0 .../nifi-extension-utils/nifi-event-put}/pom.xml | 25 +- .../util/put/AbstractPutEventProcessor.java| 0 .../pom.xml| 68 +-- .../processor/util/list/AbstractListProcessor.java | 0 .../nifi/processor/util/list/EntityListing.java| 0 .../util/list/ListProcessorTestWatcher.java| 0 
.../nifi/processor/util/list/ListableEntity.java | 0 .../processor/util/list/ListableEntityWrapper.java | 0 .../nifi/processor/util/list/ListedEntity.java | 0 .../processor/util/list/ListedEntityTracker.java | 0 .../util/list/TestAbstractListProcessor.java | 3 +- .../listen/dispatcher/SocketChannelAttachment.java | 44 -- .../util/listen/handler/ChannelHandler.java| 55 --- .../util/list/ITAbstractListProcessor.java | 471 - .../nifi-extension-utils/nifi-put-pattern}/pom.xml | 26 +- .../util/pattern/DiscontinuedException.java| 0 .../nifi/processor/util/pattern/ErrorTypes.java| 0 .../processor/util/pattern/ExceptionHandler.java | 0 .../processor/util/pattern/PartialFunctions.java | 0 .../apache/nifi/processor/util/pattern/Put.java| 0 .../nifi/processor/util/pattern/PutGroup.java | 0 .../processor/util/pattern/RollbackOnFailure.java | 0 .../nifi/processor/util/pattern/RoutingResult.java | 0 .../util/pattern/TestExceptionHandler.java | 0 .../util/pattern/TestRollbackOnFailure.java| 0 nifi-nar-bundles/nifi-extension-utils/pom.xml | 21 +- .../nifi-gcp-bundle/nifi-gcp-processors/pom.xml| 7 +- .../nifi-hive-bundle/nifi-hive-processors/pom.xml | 15 +- .../nifi-hive-bundle/nifi-hive3-processors/pom.xml | 7 +- .../nifi-hive_1_1-processors/pom.xml | 15 +- .../nifi-splunk-processors/pom.xml | 22 +- .../nifi-standard-processors/pom.xml | 22 +- .../nifi-system-test-extensions/pom.xml| 2 +- 65 files changed, 165 insertions(+), 724 deletions(-) diff --git a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/pom.xml b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/pom.xml index 1c8b255..3c2eb74 100644 --- a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/pom.xml +++ b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/pom.xml
[nifi] branch main updated: NIFI-9634 Upgraded Spring Framework to 5.3.15
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new c8fe514 NIFI-9634 Upgraded Spring Framework to 5.3.15 c8fe514 is described below commit c8fe5149a5ca3afcb955cd4d572d1081595b564d Author: exceptionfactory AuthorDate: Thu Jan 27 15:15:40 2022 -0600 NIFI-9634 Upgraded Spring Framework to 5.3.15 - Upgraded Spring Framework from 5.3.14 to 5.3.15 - Upgraded Spring Boot from 2.5.8 to 2.6.3 in Registry - Upgraded Jersey from 2.33 to 2.35 - Upgraded Jackson from 2.12.5 to 2.13.1 Signed-off-by: Nathan Gough This closes #5723. --- nifi-registry/pom.xml | 2 +- pom.xml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nifi-registry/pom.xml b/nifi-registry/pom.xml index 2398e0e..3a4c9dd 100644 --- a/nifi-registry/pom.xml +++ b/nifi-registry/pom.xml @@ -37,7 +37,7 @@ 2.1 -2.5.8 +2.6.3 6.5.7 6.4.0 3.12.0 diff --git a/pom.xml b/pom.xml index 5311e49..39ff28f 100644 --- a/pom.xml +++ b/pom.xml @@ -103,7 +103,7 @@ 1.7.32 2.1.0 9.4.44.v20210927 -2.12.5 +2.13.1 2.3.5 2.3.3 3.0.8 @@ -114,12 +114,12 @@ 1.2.1 2.1.5 1.9.6 -2.33 +2.35 1.2.10 3.11.2 3.10.6.Final 4.1.72.Final -5.3.14 +5.3.15 5.6.1
[nifi] branch main updated (8f2a9f9 -> 95abc35)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 8f2a9f9 NIFI-9632 - Removed nifi-lumberjack-bundle add 95abc35 NIFI-6266 Corrected proxy FTP connect handling No new revisions were added by this update. Summary of changes: .../FTPClientProvider.java}| 14 +- .../processors/standard/ftp/ProxyFTPClient.java| 55 .../standard/ftp/StandardFTPClientProvider.java| 179 .../ClientAuthenticationException.java | 8 +- .../ClientConfigurationException.java | 8 +- .../{ssh => socket}/ClientConnectException.java| 4 +- .../standard/ssh/StandardSSHClientProvider.java| 3 + .../nifi/processors/standard/util/FTPTransfer.java | 132 ++--- .../nifi/processors/standard/util/FTPUtils.java| 301 - .../standard/util/SocksProxySocketFactory.java | 69 - .../nifi/processors/standard/TestFetchFTP.java | 18 +- .../standard/ftp/ProxyFTPClientTest.java | 82 ++ .../StandardFTPClientProviderTest.java}| 44 +-- .../ssh/StandardSSHClientProviderTest.java | 2 + 14 files changed, 384 insertions(+), 535 deletions(-) copy nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/{ssh/SSHClientProvider.java => ftp/FTPClientProvider.java} (72%) create mode 100644 nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ftp/ProxyFTPClient.java create mode 100644 nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ftp/StandardFTPClientProvider.java rename nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/{ssh => socket}/ClientAuthenticationException.java (86%) rename nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/{ssh => socket}/ClientConfigurationException.java (82%) rename 
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/{ssh => socket}/ClientConnectException.java (88%) delete mode 100644 nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/FTPUtils.java delete mode 100644 nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/SocksProxySocketFactory.java create mode 100644 nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ftp/ProxyFTPClientTest.java copy nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/{ssh/StandardSSHClientProviderTest.java => ftp/StandardFTPClientProviderTest.java} (67%)
svn commit: r1897010 - /nifi/site/trunk/security.html
Author: thenatog Date: Thu Jan 13 17:32:24 2022 New Revision: 1897010 URL: http://svn.apache.org/viewvc?rev=1897010=rev Log: Updated security page to include some details about the latest h2 database vulnerability which does not appear to affect NiFi and its usage Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1897010=1897009=1897010=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Thu Jan 13 17:32:24 2022 @@ -218,6 +218,22 @@ Released: December 15, 2021 + + +CVE-2021-23463: Apache NiFi's use of H2 database +Severity: None +Versions Affected: + +Apache NiFi 1.13.0 - 1.15.x + + +Description: For posterity we will note here that Apache NiFi uses H2 database v1.4.199 which was announced to contain CVE-2021-23463. Upon investigation, we have found that NiFi's usage of H2 is +limited in scope, generally to authentication mechanisms which have clearly defined usages that do not include usages of the vulnerable org.h2.jdbc.JdbcResultSet.getSQLXML() method. For more information on this H2 vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2021-23463; target="_blank">NIST NVD CVE-2021-23463. +Mitigation: We are working to develop an upgrade path for NiFi to a fixed version of the H2 dependency, which will resolve flagging this issue on CVE scans. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463; target="_blank">Mitre Database: CVE-2021-23463 +Released: December 15, 2021 + +
[nifi] branch main updated: NIFI-9539 Upgraded Netty from 4.1.69 to 4.1.72
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 12ba579 NIFI-9539 Upgraded Netty from 4.1.69 to 4.1.72 12ba579 is described below commit 12ba579b8f6c506288458fb6cd2191ea26da2cb3 Author: exceptionfactory AuthorDate: Wed Jan 5 15:39:49 2022 -0600 NIFI-9539 Upgraded Netty from 4.1.69 to 4.1.72 - Added Netty 4 BOM to root Maven configuration - Removed individual Netty 4 dependency overrides - Removed commented dependencies and unnecessary declarations from MiNiFi Signed-off-by: Nathan Gough This closes #5635. --- .../minifi-server-nar/pom.xml | 36 --- minifi/pom.xml | 5 --- nifi-commons/nifi-security-socket-ssl/pom.xml | 1 - nifi-nar-bundles/nifi-atlas-bundle/pom.xml | 11 -- nifi-nar-bundles/nifi-druid-bundle/pom.xml | 11 -- .../nifi-elasticsearch-5-processors/pom.xml| 16 - .../nifi-event-transport/pom.xml | 1 - nifi-nar-bundles/nifi-flume-bundle/pom.xml | 6 .../nifi-graph-test-clients/pom.xml| 6 .../nifi-other-graph-services/pom.xml | 6 nifi-nar-bundles/nifi-hadoop-bundle/pom.xml| 6 nifi-nar-bundles/nifi-hive-bundle/pom.xml | 16 - nifi-nar-bundles/nifi-solr-bundle/pom.xml | 41 -- .../nifi-distributed-cache-client-service/pom.xml | 1 - .../nifi-registry-aws-extensions/pom.xml | 11 -- pom.xml| 9 - 16 files changed, 8 insertions(+), 175 deletions(-) diff --git a/minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-server-nar/pom.xml b/minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-server-nar/pom.xml index 8689071..9348a9c 100644 --- a/minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-server-nar/pom.xml +++ b/minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-server-nar/pom.xml @@ -43,42 +43,6 @@ nifi-headless-server 1.16.0-SNAPSHOT - - org.apache.nifi diff --git a/minifi/pom.xml b/minifi/pom.xml index e288dad..a73c3a0 100644 --- a/minifi/pom.xml 
+++ b/minifi/pom.xml @@ -856,11 +856,6 @@ limitations under the License. 1.6.0 -org.apache.zookeeper -zookeeper -3.5.5 - - org.testng testng 6.8.8 diff --git a/nifi-commons/nifi-security-socket-ssl/pom.xml b/nifi-commons/nifi-security-socket-ssl/pom.xml index 2e11473..996f07a 100644 --- a/nifi-commons/nifi-security-socket-ssl/pom.xml +++ b/nifi-commons/nifi-security-socket-ssl/pom.xml @@ -40,7 +40,6 @@ io.netty netty-handler -${netty.4.version} test diff --git a/nifi-nar-bundles/nifi-atlas-bundle/pom.xml b/nifi-nar-bundles/nifi-atlas-bundle/pom.xml index f583927..987a3fb 100644 --- a/nifi-nar-bundles/nifi-atlas-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-atlas-bundle/pom.xml @@ -86,17 +86,6 @@ commons-compress 1.21 - - -io.netty -netty-handler -${netty.4.version} - - -io.netty -netty-transport-native-epoll -${netty.4.version} - diff --git a/nifi-nar-bundles/nifi-druid-bundle/pom.xml b/nifi-nar-bundles/nifi-druid-bundle/pom.xml index 6d3922e..fcc34be 100644 --- a/nifi-nar-bundles/nifi-druid-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-druid-bundle/pom.xml @@ -168,17 +168,6 @@ netty ${netty.3.version} - - -io.netty -netty-transport -${netty.4.version} - - -io.netty -netty-transport-native-epoll -${netty.4.version} - diff --git a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml index d98b33d..6f48720 100644 --- a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml +++ b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml @@ -91,22 +91,6 @@ language governing permissions and limitations under the License. --> nifi-ssl-context-service test - - -io.netty -ne
[nifi-site] branch main updated: NIFI-9480 - Updated security.html page for 1.15.1 release.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 8cbadd0 NIFI-9480 - Updated security.html page for 1.15.1 release. 8cbadd0 is described below commit 8cbadd01bc0d5b55829f10e0c686dee6aa39acf3 Author: Nathan Gough AuthorDate: Thu Dec 16 18:46:09 2021 -0500 NIFI-9480 - Updated security.html page for 1.15.1 release. --- src/pages/html/security.hbs | 64 ++--- 1 file changed, 61 insertions(+), 3 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 88c5bdb..d591b6d 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -51,6 +51,67 @@ title: Apache NiFi Security Reports Thank you for helping keep Apache NiFi and our users safe! + + + + +Fixed in Apache NiFi 1.15.1 + + + + + +Vulnerabilities + + + + +CVE-2021-44145: Apache NiFi information disclosure by XXE in TransformXML +Severity: Low +Versions Affected: + +Apache NiFi 0.1.0 - 1.15.0 + + +Description: In the TransformXML processor, an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. +Mitigation: The 'Secure processing' property will now apply to the configured XSLT file as well as flow files being transformed. Users running any previous NiFi release should upgrade to the latest release. +Credit: This issue was discovered by DangKhai at Viettel Cyber Security. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44145; target="_blank">Mitre Database: CVE-2021-44145 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9399; target="_blank">NIFI-9399 +NiFi PR: https://github.com/apache/nifi/pull/5542; target="_blank">PR 5542 +Released: December 15, 2021 + + + + + +Dependency Vulnerabilities + + + + +CVE-2021-44228: Apache NiFi's use of log4j +Severity: None +Versions Affected: + +Apache NiFi 0.1.0 - 1.15.0 + + +Description: For posterity we will note here that Apache NiFi uses SLF4J for logging with Logback as the runtime +implementation since the project's inception. One of our PMC members has written an analysis of NiFi's vulnerability (or lack thereof) here: https://exceptionfactory.com/posts/2021/12/14/evaluating-log4shell-and-apache-nifi;>https://exceptionfactory.com/posts/2021/12/14/evaluating-log4shell-and-apache-nifi. For more information on the log4j vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2021-44228; target="_blank">NIST NVD CVE-2021-44228. +Mitigation: We have taken measures to ensure that any potential instances of log4j brought in by dependencies are overriden to log4j 2.16.0. 
+CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228; target="_blank">Mitre Database: CVE-2021-44228 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9474; target="_blank">NIFI-9474 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-9482; target="_blank">NIFI-9482 + +NiFi PR: https://github.com/apache/nifi/pull/5592; target="_blank">PR 5592 +NiFi PR: https://github.com/apache/nifi/pull/5595; target="_blank">PR 5595 +NiFi PR: https://github.com/apache/nifi/pull/5598; target="_blank">PR 5598 +NiFi PR: https://github.com/apache/nifi/pull/5600; target="_blank">PR 5600 + +Released: December 15, 2021 + + @@ -97,9 +158,6 @@ title: Apache NiFi Security Reports Released: February 16, 2021 - - -
svn commit: r1896081 - in /nifi/site/trunk: download.html minifi/download.html registry.html
Author: thenatog Date: Thu Dec 16 23:44:26 2021 New Revision: 1896081 URL: http://svn.apache.org/viewvc?rev=1896081=rev Log: Reverted page changes Modified: nifi/site/trunk/download.html nifi/site/trunk/minifi/download.html nifi/site/trunk/registry.html Modified: nifi/site/trunk/download.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/download.html?rev=1896081=1896080=1896081=diff == --- nifi/site/trunk/download.html (original) +++ nifi/site/trunk/download.html Thu Dec 16 23:44:26 2021 
@@ -129,30 +129,30 @@ Releases -1.15.0 +1.15.1 -Released November 7th, 2021 +Released December 15th, 2021 Sources: -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-1.15.0-source-release.zip;>nifi-1.15.0-source-release.zip ( https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-source-release.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-source-release.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-source-release.zip.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-1.15.1-source-release.zip;>nifi-1.15.1-source-release.zip ( https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-source-release.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-source-release.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-source-release.zip.sha512;>sha512 ) Binaries -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-1.15.0-bin.tar.gz;>nifi-1.15.0-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.tar.gz.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-1.15.1-bin.tar.gz;>nifi-1.15.1-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.tar.gz.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-1.15.0-bin.zip;>nifi-1.15.0-bin.zip ( https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.zip.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-1.15.1-bin.zip;>nifi-1.15.1-bin.zip ( 
https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.zip.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz;>nifi-toolkit-1.15.0-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz;>nifi-toolkit-1.15.1-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-toolkit-1.15.0-bin.zip;>nifi-toolkit-1.15.0-bin.zip ( https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.zip.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-stateless-1.15.0-bin.tar.gz;>nifi-stateless-1.15.0-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.0/nifi-stateless-1.15.0-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-stateless-1.15.0-bin.tar.gz.sha256;>sha256, https://d
svn commit: r1896080 - in /nifi/site/trunk: download.html minifi/download.html registry.html security.html
Author: thenatog Date: Thu Dec 16 23:40:37 2021 New Revision: 1896080 URL: http://svn.apache.org/viewvc?rev=1896080=rev Log: Updated NiFi Security page for 1.15.1 Modified: nifi/site/trunk/download.html nifi/site/trunk/minifi/download.html nifi/site/trunk/registry.html nifi/site/trunk/security.html Modified: nifi/site/trunk/download.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/download.html?rev=1896080=1896079=1896080=diff == --- nifi/site/trunk/download.html (original) +++ nifi/site/trunk/download.html Thu Dec 16 23:40:37 2021 
@@ -129,30 +129,30 @@ Releases -1.15.1 +1.15.0 -Released December 15th, 2021 +Released November 7th, 2021 Sources: -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-1.15.1-source-release.zip;>nifi-1.15.1-source-release.zip ( https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-source-release.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-source-release.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-source-release.zip.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-1.15.0-source-release.zip;>nifi-1.15.0-source-release.zip ( https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-source-release.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-source-release.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-source-release.zip.sha512;>sha512 ) Binaries -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-1.15.1-bin.tar.gz;>nifi-1.15.1-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.tar.gz.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-1.15.0-bin.tar.gz;>nifi-1.15.0-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.tar.gz.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-1.15.1-bin.zip;>nifi-1.15.1-bin.zip ( https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-1.15.1-bin.zip.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-1.15.0-bin.zip;>nifi-1.15.0-bin.zip ( 
https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-1.15.0-bin.zip.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz;>nifi-toolkit-1.15.1-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.tar.gz.sha512;>sha512 ) +https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz;>nifi-toolkit-1.15.0-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz.sha256;>sha256, https://downloads.apache.org/nifi/1.15.0/nifi-toolkit-1.15.0-bin.tar.gz.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-toolkit-1.15.1-bin.zip;>nifi-toolkit-1.15.1-bin.zip ( https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.zip.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.zip.sha256;>sha256, https://downloads.apache.org/nifi/1.15.1/nifi-toolkit-1.15.1-bin.zip.sha512;>sha512 ) -https://www.apache.org/dyn/closer.lua?path=/nifi/1.15.1/nifi-stateless-1.15.1-bin.tar.gz;>nifi-stateless-1.15.1-bin.tar.gz ( https://downloads.apache.org/nifi/1.15.1/nifi-stateless-1.15.1-bin.tar.gz.asc;>asc, https://downloads.apache.org/nifi/1.15.1/nifi-stateless-1
[nifi] branch main updated (97198e3 -> f5dccb5)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 97198e3 NIFI-9382: This closes #5584. Added system test that replicates issue in which a closed shared classloader causes issues when used again NIFI-9382: Fixed issue with SharedInstanceClassLoader where the classloader may get closed but then get used again. When the SharedInstanceClassLoader is closed, we will now ensure that we don't use anymore and instead create a new one. add f5dccb5 NIFI-9444: Added reconnect property to JettyWebsocketClient. No new revisions were added by this update. Summary of changes: .../nifi/websocket/jetty/JettyWebSocketClient.java | 38 ++-- .../websocket/jetty/ITJettyWebsocketReconnect.java | 105 + 2 files changed, 136 insertions(+), 7 deletions(-) create mode 100644 nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/test/java/org/apache/nifi/websocket/jetty/ITJettyWebsocketReconnect.java
[nifi] branch main updated (0e09750 -> c1e5427)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 0e09750 NIFI-9393 Set Port Scheduled State for Flow Definitions add c1e5427 NIFI-9355 Upgraded Apache Curator from 4.2.0 to 5.2.0 No new revisions were added by this update. Summary of changes: minifi/pom.xml | 18 -- nifi-nar-bundles/nifi-framework-bundle/pom.xml | 10 ++ nifi-toolkit/nifi-toolkit-zookeeper-migrator/pom.xml | 8 +--- 3 files changed, 11 insertions(+), 25 deletions(-)
[nifi] branch main updated (839fbf7 -> 0e09750)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 839fbf7 NIFI-9382: Created a new ClassloaderIsolationKey mechanism by which H… (#5533) add 0e09750 NIFI-9393 Set Port Scheduled State for Flow Definitions No new revisions were added by this update. Summary of changes: .../java/org/apache/nifi/groups/StandardProcessGroup.java | 7 +++ .../nifi/registry/flow/mapping/NiFiRegistryFlowMapper.java| 11 +-- .../registry/flow/mapping/NiFiRegistryFlowMapperTest.java | 6 ++ 3 files changed, 22 insertions(+), 2 deletions(-)
[nifi] branch main updated: NIFI-9384 Corrected usage and generics in ListenTCP
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 0cf515c NIFI-9384 Corrected usage and generics in ListenTCP 0cf515c is described below commit 0cf515c9c0d58ae41218135a331ca09fe3bb4fec Author: exceptionfactory AuthorDate: Tue Nov 16 15:22:09 2021 -0600 NIFI-9384 Corrected usage and generics in ListenTCP - Addressed compiler warnings in ListenTCP and EventBatcher - Adjusted ListenTCP property order to match previous version Signed-off-by: Nathan Gough This closes #5526. --- .../nifi/processor/util/listen/EventBatcher.java | 32 .../apache/nifi/processors/standard/ListenTCP.java | 35 ++ 2 files changed, 29 insertions(+), 38 deletions(-) diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/EventBatcher.java b/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/EventBatcher.java index bcdb598..7a8fff2 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/EventBatcher.java +++ b/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/EventBatcher.java @@ -20,10 +20,7 @@ import org.apache.nifi.event.transport.message.ByteArrayMessage; import org.apache.nifi.flowfile.FlowFile; import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.processor.ProcessSession; -import org.apache.nifi.processor.io.OutputStreamCallback; -import java.io.IOException; -import java.io.OutputStream; import java.util.ArrayList; import java.util.HashMap; import java.util.Map; 
@@ -34,11 +31,11 @@ public abstract class EventBatcher { public static final int POLL_TIMEOUT_MS = 20; -private volatile BlockingQueue events; -private volatile BlockingQueue errorEvents; +private final BlockingQueue events; +private final BlockingQueue errorEvents; private final ComponentLog logger; -public EventBatcher(final ComponentLog logger, final BlockingQueue events, final BlockingQueue errorEvents) { +public EventBatcher(final ComponentLog logger, final BlockingQueue events, final BlockingQueue errorEvents) { this.logger = logger; this.events = events; this.errorEvents = errorEvents; @@ -56,10 +53,10 @@ public abstract class EventBatcher { * @return a Map from the batch key to the FlowFile and events for that batch, the size of events in all * the batches will be <= batchSize */ -public Map getBatches(final ProcessSession session, final int totalBatchSize, +public Map> getBatches(final ProcessSession session, final int totalBatchSize, final byte[] messageDemarcatorBytes) { -final Map batches = new HashMap(); +final Map> batches = new HashMap<>(); for (int i = 0; i < totalBatchSize; i++) { final E event = getMessage(true, true, session); if (event == null) { @@ -67,11 +64,11 @@ public abstract class EventBatcher { } final String batchKey = getBatchKey(event); -FlowFileEventBatch batch = batches.get(batchKey); +FlowFileEventBatch batch = batches.get(batchKey); // if we don't have a batch for this key then create a new one if (batch == null) { -batch = new FlowFileEventBatch(session.create(), new ArrayList()); +batch = new FlowFileEventBatch<>(session.create(), new ArrayList<>()); batches.put(batchKey, batch); } 
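Review bot: The `@return` Javadoc kept as context in the `getBatches` hunk (`@@ -56,10 +53,10 @@`) bounds the result by `batchSize`, but the parameter on the changed signature is `totalBatchSize`, so the documented limit names something the method does not have. I would reword it to `the total number of events across all batches will be <= totalBatchSize` while the signature is being touched. The rest of the Javadoc and the method body lie outside the hunk, so the `@param` tags could not be checked from here.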
@@ -82,15 +79,12 @@ public abstract class EventBatcher { final boolean writeDemarcator = (i > 0); try { final byte[] rawMessage = event.getMessage(); -FlowFile appendedFlowFile = session.append(batch.getFlowFile(), new OutputStreamCallback() { -@Override -public void process(final OutputStream out) throws IOException { -if (writeDemarcator) { -out.write(messageDemarcatorBytes); -} - -out.write(rawMessage); +FlowFile appendedFlowFile = session.append(batch.getFlowFile(), out -> { +if (writeDemarcator) { +out.write(messageDemarcatorBytes); } + +out.write(rawMessage); }); // update the FlowFile reference in the batch object @@ -99,7 +93,7 @@ public abstract class EventBatcher {
[nifi] branch main updated: NIFI-9346 Added closing of EventSender to TestListenRELP
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 16e6045 NIFI-9346 Added closing of EventSender to TestListenRELP 16e6045 is described below commit 16e6045d13452cbff7da9685f0da4e2278a06434 Author: exceptionfactory AuthorDate: Thu Oct 28 11:54:14 2021 -0500 NIFI-9346 Added closing of EventSender to TestListenRELP Signed-off-by: Nathan Gough This closes #5492. --- .../nifi/processors/standard/TestListenRELP.java | 27 +++--- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java index efdac3a..a15ef07 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java @@ -20,6 +20,8 @@ import org.apache.commons.lang3.StringUtils; import org.apache.ftpserver.ssl.ClientAuth; import org.apache.nifi.annotation.lifecycle.OnScheduled; import org.apache.nifi.event.transport.EventSender; +import org.apache.nifi.event.transport.configuration.ShutdownQuietPeriod; +import org.apache.nifi.event.transport.configuration.ShutdownTimeout; import org.apache.nifi.event.transport.configuration.TransportProtocol; import org.apache.nifi.event.transport.netty.ByteArrayNettyEventSenderFactory; import org.apache.nifi.processor.ProcessContext; 
@@ -31,8 +33,6 @@ import org.apache.nifi.processors.standard.relp.frame.RELPFrame; import org.apache.nifi.provenance.ProvenanceEventRecord; import org.apache.nifi.provenance.ProvenanceEventType; import org.apache.nifi.remote.io.socket.NetworkUtils; -import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.TlsException; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.util.MockFlowFile; @@ -109,7 +109,7 @@ public class TestListenRELP { } @Test -public void testRELPFramesAreReceivedSuccessfully() throws IOException { +public void testRELPFramesAreReceivedSuccessfully() throws Exception { final int relpFrames = 5; final List frames = getFrames(relpFrames); @@ -135,7 +135,7 @@ public class TestListenRELP { } @Test -public void testRELPFramesAreReceivedSuccessfullyWhenBatched() throws IOException { +public void testRELPFramesAreReceivedSuccessfullyWhenBatched() throws Exception { runner.setProperty(ListenerProperties.MAX_BATCH_SIZE, "5"); @@ -164,9 +164,7 @@ public class TestListenRELP { } @Test -public void testRunMutualTls() throws IOException, TlsException, InitializationException { - - +public void testRunMutualTls() throws Exception { final String serviceIdentifier = SSLContextService.class.getName(); when(sslContextService.getIdentifier()).thenReturn(serviceIdentifier); final SSLContext sslContext = SslContextUtils.createKeyStoreSslContext(); @@ -206,9 +204,7 @@ public class TestListenRELP { runner.shutdown(); } -private void run(final List frames, final int flowFiles, final SSLContext sslContext) -throws IOException { - +private void run(final List frames, final int flowFiles, final SSLContext sslContext) throws Exception { final int port = NetworkUtils.availablePort(); runner.setProperty(AbstractListenEventBatchingProcessor.PORT, Integer.toString(port)); // Run Processor and start Dispatcher without shutting down 
@@ -243,18 +239,21 @@ public class TestListenRELP { return frames; } -private void sendMessages(final int port, final byte[] relpMessages, final SSLContext sslContext) { +private void sendMessages(final int port, final byte[] relpMessages, final SSLContext sslContext) throws Exception { final ByteArrayNettyEventSenderFactory eventSenderFactory = new ByteArrayNettyEventSenderFactory(runner.getLogger(), LOCALHOST, port, TransportProtocol.TCP); + eventSenderFactory.setShutdownQuietPeriod(ShutdownQuietPeriod.QUICK.getDuration()); + eventSenderFactory.setShutdownTimeout(ShutdownTimeout.QUICK.getDuration()); if (sslContext != null) { eventSenderFactory.setSslContext(sslContext); } eventSenderFactory.setTimeout(SENDER_TIMEOUT); -EventSender eventSender = eventSenderFactory.getEventSender(); -eventSender.sendEvent(re
[nifi] branch main updated (28cd5d1 -> 9865ea2)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 28cd5d1 NIFI-9345: Resolving NPE in ProcessorEntityMerger (#5491) add 9865ea2 NIFI-9322 Refactored OIDC and SAML Access Resources No new revisions were added by this update. Summary of changes: .../org/apache/nifi/web/api/AccessResource.java| 34 ++-- .../apache/nifi/web/api/OIDCAccessResource.java| 10 +-- .../apache/nifi/web/api/SAMLAccessResource.java| 48 --- .../jwt/provider/StandardBearerTokenProvider.java | 26 +- .../security/token/LoginAuthenticationToken.java | 17 ++-- .../provider/StandardBearerTokenProviderTest.java | 99 +- 6 files changed, 156 insertions(+), 78 deletions(-)
[nifi] branch main updated (30efcd3 -> 0eee70c)
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git. from 30efcd3 NIFI-8208: Upgrade MongoDB driver to 4.3 series add 0eee70c NIFI-9339: Fixed headers to include appropriate Reqest-Token header for all requests to the server for JoltTransformJSON UI No new revisions were added by this update. Summary of changes: .../nifi-jolt-transform-json-ui/src/main/webapp/app/app.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
[nifi] branch main updated: NIFI-9263: Using secret-per-context model for Stateless Vault PVP
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 207da40 NIFI-9263: Using secret-per-context model for Stateless Vault PVP 207da40 is described below commit 207da405eeb47ea5848c0951b3108c7742752d25 Author: Joe Gresock AuthorDate: Fri Oct 1 10:29:37 2021 -0400 NIFI-9263: Using secret-per-context model for Stateless Vault PVP Rebasing after PVP refactor Signed-off-by: Nathan Gough This closes #5427. --- .../HashiCorpVaultCommunicationService.java| 32 +--- ...StandardHashiCorpVaultCommunicationService.java | 47 + ...andardHashiCorpVaultCommunicationServiceIT.java | 26 + .../HashiCorpVaultParameterValueProvider.java | 35 - .../TestHashiCorpVaultParameterValueProvider.java | 61 +++--- nifi-stateless/nifi-stateless-assembly/README.md | 5 +- 6 files changed, 156 insertions(+), 50 deletions(-) diff --git a/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/HashiCorpVaultCommunicationService.java b/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/HashiCorpVaultCommunicationService.java index bf43268..8e9f8c5 100644 --- a/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/HashiCorpVaultCommunicationService.java +++ b/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/HashiCorpVaultCommunicationService.java @@ -16,6 +16,7 @@ */ package org.apache.nifi.vault.hashicorp; +import java.util.Map; import java.util.Optional; /** 
@@ -45,22 +46,41 @@ public interface HashiCorpVaultCommunicationService {
byte[] decrypt(String transitPath, String cipherText);
/**
- * Writes a secret using Vault's unversioned Key/Value Secrets Engine.
+ * Writes a single secret value using Vault's unversioned Key/Value Secrets Engine.
*
* @see https://www.vaultproject.io/api-docs/secret/kv/kv-v1;>https://www.vaultproject.io/api-docs/secret/kv/kv-v1
* @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine
- * @param key The secret key
+ * @param secretKey The secret key
* @param value The secret value
*/
-void writeKeyValueSecret(String keyValuePath, String key, String value);
+void writeKeyValueSecret(String keyValuePath, String secretKey, String value);
/**
- * Reads a secret from Vault's unversioned Key/Value Secrets Engine.
+ * Reads a single secret value from Vault's unversioned Key/Value Secrets Engine.
*
* @see https://www.vaultproject.io/api-docs/secret/kv/kv-v1;>https://www.vaultproject.io/api-docs/secret/kv/kv-v1
* @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine
- * @param key The secret key
+ * @param secretKey The secret key
* @return The secret value, or empty if not found
*/
-Optional readKeyValueSecret(String keyValuePath, String key);
+Optional readKeyValueSecret(String keyValuePath, String secretKey);
+
+/**
+ * Writes a secret with multiple key/value pairs using Vault's unversioned Key/Value Secrets Engine.
+ *
+ * @see https://www.vaultproject.io/api-docs/secret/kv/kv-v1;>https://www.vaultproject.io/api-docs/secret/kv/kv-v1
+ * @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine
+ * @param keyValues A map from key to value for keys/values that should be stored in the secret
+ */
+void writeKeyValueSecretMap(String keyValuePath, String secretKey, Map keyValues);
+
+/**
+ * Reads a secret with multiple key/value pairs from Vault's unversioned Key/Value Secrets Engine.
+ *
+ * @see https://www.vaultproject.io/api-docs/secret/kv/kv-v1;>https://www.vaultproject.io/api-docs/secret/kv/kv-v1
+ * @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine
+ * @param secretKey The secret key
+ * @return A map from key to value from the secret key/values, or an empty map if not found
+ */
+Map readKeyValueSecretMap(String keyValuePath, String secretKey);
}
diff --git a/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java b/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
index 21c9213..3450843 100644
--- a/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
+++ b/nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
@@ -31,8
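Review bot: The Javadoc added for `writeKeyValueSecretMap` in `HashiCorpVaultCommunicationService` documents `keyValuePath` and `keyValues` but not the `secretKey` parameter that the signature declares, while the sibling `readKeyValueSecretMap` does document it; add `* @param secretKey The secret key` between the two existing tags. The comment also does not say whether a write replaces the key/value pairs already stored at that location or merges into them, and since the implementation is outside this hunk that is worth stating explicitly so a caller does not unintentionally discard stored secrets. The interface declaration itself starts above the hunk.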
[nifi] branch main updated: NIFI-9241 Refactored CSRF mitigation using random Request-Token
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new e16a6c2 NIFI-9241 Refactored CSRF mitigation using random Request-Token e16a6c2 is described below commit e16a6c2b89879034be65cca56b33724914b54033 Author: exceptionfactory AuthorDate: Tue Sep 28 01:00:47 2021 -0500 NIFI-9241 Refactored CSRF mitigation using random Request-Token - Replaced use of Authorization header with custom Request-Token header for CSRF mitigation - Added Request-Token cookie for CSRF mitigation - Replaced session storage of JWT with expiration in seconds - Removed and disabled CORS configuration - Disabled HTTP OPTIONS method - Refactored HTTP Proxy URI construction using RequestUriBuilder 
Signed-off-by: Nathan Gough This closes #5417. --- .../nifi/web/filter/SanitizeContextPathFilter.java | 13 +- .../apache/nifi/web/util/RequestUriBuilder.java| 88 .../java/org/apache/nifi/web/util/WebUtils.java| 60 +++- .../nifi/web/util/RequestUriBuilderTest.java | 100 + .../apache/nifi/web/util/WebUtilsGroovyTest.groovy | 156 +--- .../replication/ThreadPoolRequestReplicator.java | 1 + .../resources/org/apache/nifi/web/webdefault.xml | 6 +- .../apache/nifi/web/NiFiCsrfTokenRepository.java | 91 .../nifi/web/NiFiWebApiSecurityConfiguration.java | 28 +--- .../org/apache/nifi/web/api/AccessResource.java| 26 +--- .../apache/nifi/web/api/ApplicationResource.java | 39 + .../nifi/web/api/ApplicationResourceTest.groovy| 123 +++- .../nifi/web/api/TestDataTransferResource.java | 10 +- .../security/csrf}/CsrfCookieRequestMatcher.java | 2 +- .../csrf/StandardCookieCsrfTokenRepository.java| 126 .../nifi/web/security/http/SecurityCookieName.java | 2 + .../nifi/web/security/http/SecurityHeader.java | 4 + .../StandardCookieCsrfTokenRepositoryTest.java | 160 + .../src/main/webapp/js/nf/canvas/nf-canvas.js | 23 +-- .../src/main/webapp/js/nf/login/nf-login.js| 5 +- .../src/main/webapp/js/nf/nf-ajax-setup.js | 16 +-- .../main/webapp/js/nf/nf-authorization-storage.js | 18 ++- .../nifi-web-ui/src/main/webapp/js/nf/nf-common.js | 34 - 23 files changed, 631 insertions(+), 500 deletions(-)
diff --git a/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java b/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java
index 02d8bc3..7079e9d 100644
--- a/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java
+++ b/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java
@@ -17,6 +17,9 @@
package org.apache.nifi.web.filter;
import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
@@ -26,25 +29,23 @@
import javax.servlet.ServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.web.util.WebUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
/**
* This filter intercepts a request and populates the {@code contextPath} attribute on the request with a sanitized value (originally) retrieved from {@code nifi.properties}.
*/
public class SanitizeContextPathFilter implements Filter {
-private static final Logger logger = LoggerFactory.getLogger(SanitizeContextPathFilter.class);
private static final String ALLOWED_CONTEXT_PATHS_PARAMETER_NAME = "allowedContextPaths";
private String allowedContextPaths = "";
+private List parsedAllowedContextPaths = Collections.emptyList();
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String providedAllowedList = filterConfig.getServletContext().getInitParameter(ALLOWED_CONTEXT_PATHS_PARAMETER_NAME);
-logger.debug("SanitizeContextPathFilter received provided allowed context paths from NiFi properties: " + providedAllowedList);
if (StringUtils.isNotBlank(providedAllowedList)) {
allowedContextPaths = providedAllowedList;
+parsedAllowedContextPaths = Arrays.asList(StringUtils.split(providedAllowedList, ','));
}
}
@@ -64,10 +65,8 @@ public class SanitizeContextPathFilter implements Filter {
*/
protected void injectContextPathAttribute(ServletRequest request) {
// Capture the provided context path headers and sanitize them before using in the response
-String contextPath = WebUtils.sanitizeContextPath
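Review bot: In `init` of `SanitizeContextPathFilter`, the new `parsedAllowedContextPaths` list is built with `StringUtils.split(providedAllowedList, ',')`, which keeps surrounding whitespace, so a configured value such as `/a, /b` (constructed example) yields the entry ` /b` with a leading space. If the list is later compared against a proxy-supplied context path by exact match (the consuming code is in the next hunk, which is cut off here), that entry would never match and a legitimate path would be rejected without any obvious cause. Stripping each entry closes the gap: `parsedAllowedContextPaths = Arrays.asList(StringUtils.stripAll(StringUtils.split(providedAllowedList, ',')));`. The raw `allowedContextPaths` string is still assigned alongside the parsed list, so a short comment on which of the two fields is authoritative would help readers.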