Repository: knox
Updated Branches:
  refs/heads/master c94d9b1e6 -> 6e7266ad3


KNOX-1366 - Dispatch whitelist should clearly indicate when the default 
whitelist will be applied


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/6e7266ad
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/6e7266ad
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/6e7266ad

Branch: refs/heads/master
Commit: 6e7266ad3649e1804ee869afed04f79a71e48b7d
Parents: c94d9b1
Author: Phil Zampino <pzamp...@apache.org>
Authored: Tue Jun 26 10:28:11 2018 -0400
Committer: Phil Zampino <pzamp...@apache.org>
Committed: Tue Jun 26 10:28:11 2018 -0400

----------------------------------------------------------------------
 gateway-release/home/conf/gateway-site.xml              |  5 +++--
 gateway-release/home/conf/topologies/knoxsso.xml        |  4 ----
 .../knox/gateway/service/knoxsso/WebSSOResource.java    |  2 +-
 .../org/apache/knox/gateway/util/WhitelistUtils.java    |  4 +++-
 .../gateway/dispatch/GatewayDispatchFilterTest.java     |  2 +-
 .../apache/knox/gateway/util/WhitelistUtilsTest.java    | 12 ++++++++++++
 6 files changed, 20 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/6e7266ad/gateway-release/home/conf/gateway-site.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/gateway-site.xml 
b/gateway-release/home/conf/gateway-site.xml
index 9894cf1..1db5332 100644
--- a/gateway-release/home/conf/gateway-site.xml
+++ b/gateway-release/home/conf/gateway-site.xml
@@ -136,8 +136,9 @@ limitations under the License.
 
     <property>
         <name>gateway.dispatch.whitelist</name>
-        <value></value>
-        <description>The whitelist to be applied for dispatches associated 
with the service roles specified by 
gateway.dispatch.whitelist.services.</description>
+        <value>DEFAULT</value>
+        <description>The whitelist to be applied for dispatches associated 
with the service roles specified by gateway.dispatch.whitelist.services.
+        If the value is DEFAULT, a domain-based whitelist will be derived from 
the Knox host.</description>
     </property>
 
 </configuration>
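Review bot: The new `<description>` explains DEFAULT but does not say what an empty value now means. The WhitelistUtils change in this commit stops treating an empty string as "derive the default", and the comment added in GatewayDispatchFilterTest says nothing can match an empty whitelist. A site file that still carries the previously shipped `<value></value>` would therefore presumably reject every dispatch for the listed service roles after an upgrade. I would add a sentence to the description such as `An empty value matches nothing, so dispatches for those service roles are rejected.` and call the behaviour change out in the upgrade notes.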

http://git-wip-us.apache.org/repos/asf/knox/blob/6e7266ad/gateway-release/home/conf/topologies/knoxsso.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/topologies/knoxsso.xml 
b/gateway-release/home/conf/topologies/knoxsso.xml
index d097f42..b4ac7b1 100644
--- a/gateway-release/home/conf/topologies/knoxsso.xml
+++ b/gateway-release/home/conf/topologies/knoxsso.xml
@@ -111,10 +111,6 @@
             <name>knoxsso.token.ttl</name>
             <value>-1</value>
         </param>
-        <param>
-           <name>knoxsso.redirect.whitelist.regex</name>
-           
<value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
-        </param>
     </service>
 
 </topology>

http://git-wip-us.apache.org/repos/asf/knox/blob/6e7266ad/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git 
a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
 
b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
index 2454e41..f207432 100644
--- 
a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
+++ 
b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
@@ -182,7 +182,7 @@ public class WebSSOResource {
         throw new WebApplicationException("Original URL not found in the 
request.", Response.Status.BAD_REQUEST);
       }
 
-      boolean validRedirect = (whitelist == null) || whitelist.isEmpty() || 
RegExUtils.checkWhitelist(whitelist, original);
+      boolean validRedirect = (whitelist == null) || 
RegExUtils.checkWhitelist(whitelist, original);
       if (!validRedirect) {
         log.whiteListMatchFail(original, whitelist);
         throw new WebApplicationException("Original URL not valid according to 
the configured whitelist.",
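Review bot: The `whitelist == null` branch on the new `validRedirect` line still accepts any `original` URL, so the redirect check fails open whenever no whitelist value reaches this point. The commit closes the empty-string bypass but also drops `knoxsso.redirect.whitelist.regex` from the shipped knoxsso.xml, so it matters more that a null here is either impossible or intended; how `whitelist` is populated is outside this hunk and needs confirming. If a null is not expected, fail closed with `boolean validRedirect = (whitelist != null) && RegExUtils.checkWhitelist(whitelist, original);`. Otherwise add a comment on that line stating why an absent whitelist permits every redirect target. The enclosing method starts and ends outside the hunk.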

http://git-wip-us.apache.org/repos/asf/knox/blob/6e7266ad/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
----------------------------------------------------------------------
diff --git 
a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java 
b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
index 50795e5..42e6eb2 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
@@ -27,6 +27,8 @@ import java.util.List;
 
 public class WhitelistUtils {
 
+  static final String DEFAULT_CONFIG_VALUE = "DEFAULT";
+
   static final String LOCALHOST_REGEXP_SEGMENT = 
"(localhost|127\\.0\\.0\\.1|0:0:0:0:0:0:0:1|::1)";
 
   static final String LOCALHOST_REGEXP = "^" + LOCALHOST_REGEXP_SEGMENT + "$";
@@ -51,7 +53,7 @@ public class WhitelistUtils {
       if (whitelistedServiceRoles.contains(serviceRole)) {
         // Check the whitelist against the URL to be dispatched
         whitelist = config.getDispatchWhitelist();
-        if (whitelist == null || whitelist.isEmpty()) {
+        if (whitelist == null || 
whitelist.equalsIgnoreCase(DEFAULT_CONFIG_VALUE)) {
           whitelist = deriveDefaultDispatchWhitelist(request);
           LOG.derivedDispatchWhitelist(whitelist);
         }
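Review bot: The check `whitelist.equalsIgnoreCase(DEFAULT_CONFIG_VALUE)` runs on the raw configured string, so a value with stray whitespace or a line break around `DEFAULT` in the XML would not be recognised and would presumably be used as a literal whitelist expression instead. Unless `config.getDispatchWhitelist()` already trims (not visible here), consider `whitelist.trim().equalsIgnoreCase(DEFAULT_CONFIG_VALUE)`. The unrecognised case fails closed rather than open, but the operator gets no derived-whitelist log line and no hint why dispatches are refused. The new constant in the previous hunk would also benefit from a one-line comment, e.g. `// Configured value that requests the whitelist derived from the Knox host`. The enclosing method starts and ends outside the hunk.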

http://git-wip-us.apache.org/repos/asf/knox/blob/6e7266ad/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/GatewayDispatchFilterTest.java
----------------------------------------------------------------------
diff --git 
a/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/GatewayDispatchFilterTest.java
 
b/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/GatewayDispatchFilterTest.java
index 0408d79..69d2453 100644
--- 
a/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/GatewayDispatchFilterTest.java
+++ 
b/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/GatewayDispatchFilterTest.java
@@ -160,7 +160,7 @@ public class GatewayDispatchFilterTest {
                                    "",
                                    serviceRole,
                                    "http://www.notonmylist.org:9999";,
-                                   false);
+                                   false); // Should be disallowed because 
nothing can match an empty whitelist
   }
 
 

http://git-wip-us.apache.org/repos/asf/knox/blob/6e7266ad/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
----------------------------------------------------------------------
diff --git 
a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
 
b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
index 3094c6f..172979a 100644
--- 
a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
+++ 
b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
@@ -102,6 +102,18 @@ public class WhitelistUtilsTest {
     assertTrue(whitelist.equals(WHITELIST));
   }
 
+  @Test
+  public void testExplicitlyConfiguredDefaultWhitelist() throws Exception {
+    final String serviceRole = "TEST";
+    final String WHITELIST = "DEFAULT";
+
+    String whitelist =
+        
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
 WHITELIST),
+            serviceRole);
+    assertNotNull(whitelist);
+    assertTrue("Expected the derived localhost whitelist.",
+               RegExUtils.checkWhitelist(whitelist, "http://localhost:9099/";));
+  }
 
   private String doTestGetDispatchWhitelist(GatewayConfig config, String 
serviceRole) {
     return doTestGetDispatchWhitelist(config, "localhost", serviceRole);
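Review bot: `testExplicitlyConfiguredDefaultWhitelist` asserts only that a localhost URL matches, so it would still pass if the derived whitelist were far broader than intended. Add a negative assertion next to it, for example `assertFalse(RegExUtils.checkWhitelist(whitelist, "http://www.notonmylist.org:9999/"));` (importing `assertFalse` if the class does not already). A second case with a lowercase `"default"` value would also pin the `equalsIgnoreCase` behaviour that WhitelistUtils now relies on.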
