You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by am...@apache.org on 2022/03/23 11:56:08 UTC

[knox] branch master updated: KNOX-2342 - CommonIdentityAssertionFilter calling mapGroupPrincipals Twice (#546)

This is an automated email from the ASF dual-hosted git repository.

amagyar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 17130f4  KNOX-2342 - CommonIdentityAssertionFilter calling mapGroupPrincipals Twice (#546)
17130f4 is described below

commit 17130f451a7165d1e3b1d767c09c1bbf23451f94
Author: Attila Magyar <m....@gmail.com>
AuthorDate: Wed Mar 23 12:56:02 2022 +0100

    KNOX-2342 - CommonIdentityAssertionFilter calling mapGroupPrincipals Twice (#546)
---
 .../common/filter/CommonIdentityAssertionFilter.java         |  8 +++++++-
 .../filter/CommonIdentityAssertionFilterTest.java            | 12 +++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
index adf349d..4c34291 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
@@ -20,8 +20,10 @@ package org.apache.knox.gateway.identityasserter.common.filter;
 import java.io.IOException;
 import java.security.AccessController;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -157,7 +159,11 @@ public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilt
     HttpServletRequestWrapper wrapper = wrapHttpServletRequest(
         request, mappedPrincipalName);
 
-    continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, groups);
+    continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, unique(groups));
+  }
+
+  private static String[] unique(String[] groups) {
+    return new HashSet<>(Arrays.asList(groups)).toArray(new String[0]);
   }
 
   protected String[] combineGroupMappings(String[] mappedGroups, String[] groups) {
diff --git a/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java b/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java
index c659a02..5795726 100644
--- a/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java
+++ b/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/filter/CommonIdentityAssertionFilterTest.java
@@ -34,7 +34,9 @@ import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter;
@@ -75,6 +77,14 @@ public class CommonIdentityAssertionFilterTest {
         calculatedGroups.addAll(Arrays.asList(super.combineGroupMappings(mappedGroups, groups)));
         return super.combineGroupMappings(mappedGroups, groups);
       }
+
+      @Override
+      protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response, FilterChain chain, String mappedPrincipalName, String[] groups) throws IOException, ServletException {
+        assertEquals("Groups should not have duplicates: " + Arrays.toString(groups),
+                new HashSet<>(Arrays.asList(groups)).size(),
+                groups.length);
+        super.continueChainAsPrincipal(request, response, chain, mappedPrincipalName, groups);
+      }
     };
     ThreadContext.put(MDC_AUDIT_CONTEXT_KEY, "dummy");
   }
@@ -83,7 +93,7 @@ public class CommonIdentityAssertionFilterTest {
   public void testSimpleFilter() throws ServletException, IOException {
     FilterConfig config = EasyMock.createNiceMock( FilterConfig.class );
     EasyMock.expect(config.getInitParameter(CommonIdentityAssertionFilter.GROUP_PRINCIPAL_MAPPING)).
-        andReturn("*=everyone;").once();
+        andReturn("*=everyone;lmccay=test-virtual-group").once();
     EasyMock.expect(config.getInitParameter(CommonIdentityAssertionFilter.PRINCIPAL_MAPPING)).
         andReturn("ljm=lmccay;").once();
     EasyMock.expect(config.getInitParameterNames()).