Posted to commits@knox.apache.org by am...@apache.org on 2022/03/23 11:56:08 UTC
[knox] branch master updated: KNOX-2342 - CommonIdentityAssertionFilter calling mapGroupPrincipals Twice (#546)
This is an automated email from the ASF dual-hosted git repository.
amagyar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 17130f4 KNOX-2342 - CommonIdentityAssertionFilter calling mapGroupPrincipals Twice (#546)
17130f4 is described below
commit 17130f451a7165d1e3b1d767c09c1bbf23451f94
Author: Attila Magyar <m....@gmail.com>
AuthorDate: Wed Mar 23 12:56:02 2022 +0100
KNOX-2342 - CommonIdentityAssertionFilter calling mapGroupPrincipals Twice (#546)
---
.../common/filter/CommonIdentityAssertionFilter.java | 8 +++++++-
.../filter/CommonIdentityAssertionFilterTest.java | 12 +++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
index adf349d..4c34291 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
@@ -20,8 +20,10 @@ package org.apache.knox.gateway.identityasserter.common.filter;
import java.io.IOException;
import java.security.AccessController;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -157,7 +159,11 @@ public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilt
HttpServletRequestWrapper wrapper = wrapHttpServletRequest(
request, mappedPrincipalName);
- continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, groups);
+ continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, unique(groups));
+ }
+
+ private static String[] unique(String[] groups) {
+ return new HashSet<>(Arrays.asList(groups)).toArray(new String[0]);
}
protected String[] combineGroupMappings(String[] mappedGroups, String[] groups) {
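Review bot: `unique` routes the asserted groups through a `HashSet`, so the array handed to `continueChainAsPrincipal` no longer keeps the order the mappings produced, and a null `groups` would now throw inside `Arrays.asList` where the old call handed it on as-is. Whether null can reach this point is not visible here, because the calling method starts above the hunk. An order-preserving form such as `return groups == null ? null : Arrays.stream(groups).distinct().toArray(String[]::new);` keeps the asserted identity deterministic and makes the new `HashSet` import unnecessary. The helper also deserves a one-line comment stating that it removes exact, case-sensitive duplicates, which going by the commit title arise from the group mapping being applied twice, since downstream authorization consumes this list.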
diff --git a/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java b/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java
index c659a02..5795726 100644
--- a/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java
+++ b/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java
@@ -34,7 +34,9 @@ import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
+import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter;
@@ -75,6 +77,14 @@ public class CommonIdentityAssertionFilterTest {
calculatedGroups.addAll(Arrays.asList(super.combineGroupMappings(mappedGroups, groups)));
return super.combineGroupMappings(mappedGroups, groups);
}
+
+ @Override
+ protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response, FilterChain chain, String mappedPrincipalName, String[] groups) throws IOException, ServletException {
+ assertEquals("Groups should not have duplicates: " + Arrays.toString(groups),
+ new HashSet<>(Arrays.asList(groups)).size(),
+ groups.length);
+ super.continueChainAsPrincipal(request, response, chain, mappedPrincipalName, groups);
+ }
};
ThreadContext.put(MDC_AUDIT_CONTEXT_KEY, "dummy");
}
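Review bot: The duplicate check in the overridden `continueChainAsPrincipal` only runs if the filter actually reaches that method, so a test in which the chain is never continued would pass without asserting anything. Recording the call, for example `continueChainCalled = true;` in the override with `assertTrue(continueChainCalled);` at the end of the tests that expect the chain to proceed, would close that gap. The override also checks only that duplicates are absent; asserting the expected group set as well (here or in the test bodies, which are outside this hunk) would catch a regression that drops a group while de-duplicating.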
@@ -83,7 +93,7 @@ public class CommonIdentityAssertionFilterTest {
public void testSimpleFilter() throws ServletException, IOException {
FilterConfig config = EasyMock.createNiceMock( FilterConfig.class );
EasyMock.expect(config.getInitParameter(CommonIdentityAssertionFilter.GROUP_PRINCIPAL_MAPPING)).
- andReturn("*=everyone;").once();
+ andReturn("*=everyone;lmccay=test-virtual-group").once();
EasyMock.expect(config.getInitParameter(CommonIdentityAssertionFilter.PRINCIPAL_MAPPING)).
andReturn("ljm=lmccay;").once();
EasyMock.expect(config.getInitParameterNames()).