You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2023/01/10 19:18:40 UTC
[GitHub] [solr] janhoy opened a new pull request, #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
janhoy opened a new pull request, #1284:
URL: https://github.com/apache/solr/pull/1284
https://issues.apache.org/jira/browse/SOLR-16616
A concrete use case for this is in a Kubernetes environment where a configMap exists with two `.cer` files, one for the SSL certificate of KeyCloak, and another file with SSL cert for the private CA. Currently we have been copying and concatenating the string content of those files into the `trustedCerts` configuration key. But that is cumbersome when you have several k8s clusters with different certificates for each.
With this feature, we'll supply a both files as this
```json
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] risdenk commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
risdenk commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066221224
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
Review Comment:
What is unchecked here?
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
+ Collection<X509Certificate> readSslCertsFromFileOrList(Object trustedCertsFileObj) {
+ Collection<X509Certificate> certs = new HashSet<>();
+ if (trustedCertsFileObj instanceof String) {
+ String trustedCertsFile = (String) trustedCertsFileObj;
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ try {
+ certs.addAll(parseCertsFromFile(trustedCertsFile));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + trustedCertsFile, e);
+ }
Review Comment:
Couldn't you just make this string into a List of one and use the same logic as the list? That would simplify and remove the duplications.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] janhoy commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
janhoy commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066374442
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
+ Collection<X509Certificate> readSslCertsFromFileOrList(Object trustedCertsFileObj) {
+ Collection<X509Certificate> certs = new HashSet<>();
+ if (trustedCertsFileObj instanceof String) {
+ String trustedCertsFile = (String) trustedCertsFileObj;
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ try {
+ certs.addAll(parseCertsFromFile(trustedCertsFile));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + trustedCertsFile, e);
+ }
Review Comment:
I had the same thought on the train home from work today :) Will investigate.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] janhoy commented on pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
janhoy commented on PR #1284:
URL: https://github.com/apache/solr/pull/1284#issuecomment-1378653646
Thanks for the review. I'll merge this on Friday if no other comments.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] janhoy merged pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
janhoy merged PR #1284:
URL: https://github.com/apache/solr/pull/1284
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] sonatype-lift[bot] commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
sonatype-lift[bot] commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066264046
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
+ Collection<X509Certificate> readSslCertsFromFileOrList(Object trustedCertsFileObj) {
+ Collection<X509Certificate> certs = new HashSet<>();
+ if (trustedCertsFileObj instanceof String) {
+ String trustedCertsFile = (String) trustedCertsFileObj;
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ try {
+ certs.addAll(parseCertsFromFile(trustedCertsFile));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + trustedCertsFile, e);
+ }
+ } else if (trustedCertsFileObj instanceof List) {
+ List<String> trustedCertsFileList = (List<String>) trustedCertsFileObj;
+ log.info("Reading trustedCerts from list of files {}", trustedCertsFileList);
+ trustedCertsFileList.forEach(
+ f -> {
+ try {
+ certs.addAll(parseCertsFromFile(f));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + f, e);
+ }
+ });
+ } else {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "trustedCertsFile is neither a String or List");
+ }
+ return certs;
+ }
+
+ /**
+ * Given a filename string, validate the file and then read any X509 certificates from it
+ *
+ * @return list of certificates found in file
+ */
+ Collection<? extends X509Certificate> parseCertsFromFile(String certFileName) throws IOException {
+ Path certFilePath = Paths.get(certFileName);
Review Comment:
<picture><img alt="7% of developers fix this issue" src="https://lift.sonatype.com/api/commentimage/fixrate/7/display.svg"></picture>
*[PATH_TRAVERSAL_IN](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN):* This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
---
<details><summary><b>âšī¸ Learn about @sonatype-lift commands</b></summary>
You can reply with the following commands. For example, reply with ***@sonatype-lift ignoreall*** to leave out all findings.
| **Command** | **Usage** |
| ------------- | ------------- |
| `@sonatype-lift ignore` | Leave out the above finding from this PR |
| `@sonatype-lift ignoreall` | Leave out all the existing findings from this PR |
| `@sonatype-lift exclude <file\|issue\|path\|tool>` | Exclude specified `file\|issue\|path\|tool` from Lift findings by updating your config.toml file |
**Note:** When talking to LiftBot, you need to **refresh** the page to see its response.
<sub>[Click here](https://github.com/apps/sonatype-lift/installations/new) to add LiftBot to another repo.</sub></details>
---
Was this a good recommendation?
[ [đ Not relevant](https://www.sonatype.com/lift-comment-rating?comment=367180506&lift_comment_rating=1) ] - [ [đ Won't fix](https://www.sonatype.com/lift-comment-rating?comment=367180506&lift_comment_rating=2) ] - [ [đ Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=367180506&lift_comment_rating=3) ] - [ [đ Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=367180506&lift_comment_rating=4) ] - [ [đ Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=367180506&lift_comment_rating=5) ]
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] sonatype-lift[bot] commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
sonatype-lift[bot] commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066388488
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
+ Collection<X509Certificate> readSslCertsFromFileOrList(Object trustedCertsFileObj) {
+ Collection<X509Certificate> certs = new HashSet<>();
+ if (trustedCertsFileObj instanceof String) {
+ String trustedCertsFile = (String) trustedCertsFileObj;
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ try {
+ certs.addAll(parseCertsFromFile(trustedCertsFile));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + trustedCertsFile, e);
+ }
+ } else if (trustedCertsFileObj instanceof List) {
+ List<String> trustedCertsFileList = (List<String>) trustedCertsFileObj;
+ log.info("Reading trustedCerts from list of files {}", trustedCertsFileList);
+ trustedCertsFileList.forEach(
+ f -> {
+ try {
+ certs.addAll(parseCertsFromFile(f));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + f, e);
+ }
+ });
+ } else {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "trustedCertsFile is neither a String or List");
+ }
+ return certs;
+ }
+
+ /**
+ * Given a filename string, validate the file and then read any X509 certificates from it
+ *
+ * @return list of certificates found in file
+ */
+ Collection<? extends X509Certificate> parseCertsFromFile(String certFileName) throws IOException {
+ Path certFilePath = Paths.get(certFileName);
Review Comment:
I've recorded this as ignored for this pull request.
If you change your mind, just comment `@sonatype-lift unignore`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] janhoy commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
janhoy commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066376018
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
+ Collection<X509Certificate> readSslCertsFromFileOrList(Object trustedCertsFileObj) {
+ Collection<X509Certificate> certs = new HashSet<>();
+ if (trustedCertsFileObj instanceof String) {
+ String trustedCertsFile = (String) trustedCertsFileObj;
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ try {
+ certs.addAll(parseCertsFromFile(trustedCertsFile));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + trustedCertsFile, e);
+ }
+ } else if (trustedCertsFileObj instanceof List) {
+ List<String> trustedCertsFileList = (List<String>) trustedCertsFileObj;
+ log.info("Reading trustedCerts from list of files {}", trustedCertsFileList);
+ trustedCertsFileList.forEach(
+ f -> {
+ try {
+ certs.addAll(parseCertsFromFile(f));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + f, e);
+ }
+ });
+ } else {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "trustedCertsFile is neither a String or List");
+ }
+ return certs;
+ }
+
+ /**
+ * Given a filename string, validate the file and then read any X509 certificates from it
+ *
+ * @return list of certificates found in file
+ */
+ Collection<? extends X509Certificate> parseCertsFromFile(String certFileName) throws IOException {
+ Path certFilePath = Paths.get(certFileName);
Review Comment:
@sonatype-lift ignore
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] janhoy commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
janhoy commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066376018
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
+ Collection<X509Certificate> readSslCertsFromFileOrList(Object trustedCertsFileObj) {
+ Collection<X509Certificate> certs = new HashSet<>();
+ if (trustedCertsFileObj instanceof String) {
+ String trustedCertsFile = (String) trustedCertsFileObj;
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ try {
+ certs.addAll(parseCertsFromFile(trustedCertsFile));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + trustedCertsFile, e);
+ }
+ } else if (trustedCertsFileObj instanceof List) {
+ List<String> trustedCertsFileList = (List<String>) trustedCertsFileObj;
+ log.info("Reading trustedCerts from list of files {}", trustedCertsFileList);
+ trustedCertsFileList.forEach(
+ f -> {
+ try {
+ certs.addAll(parseCertsFromFile(f));
+ } catch (IOException e) {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + f, e);
+ }
+ });
+ } else {
+ throw new SolrException(
+ SolrException.ErrorCode.SERVER_ERROR, "trustedCertsFile is neither a String or List");
+ }
+ return certs;
+ }
+
+ /**
+ * Given a filename string, validate the file and then read any X509 certificates from it
+ *
+ * @return list of certificates found in file
+ */
+ Collection<? extends X509Certificate> parseCertsFromFile(String certFileName) throws IOException {
+ Path certFilePath = Paths.get(certFileName);
Review Comment:
@sonatype-lift ignore
We check in the line below that this path is safe.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr] janhoy commented on a diff in pull request #1284: SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multi files
Posted by GitBox <gi...@apache.org>.
janhoy commented on code in PR #1284:
URL: https://github.com/apache/solr/pull/1284#discussion_r1066373770
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -297,6 +283,54 @@ public void init(Map<String, Object> pluginConfig) {
lastInitTime = Instant.now();
}
+ /**
+ * Given a configuration object of a file name or list of file names, read X509 certificates from
+ * each file
+ */
+ @SuppressWarnings("unchecked")
Review Comment:
Unchecked cast from `Object` to `List<String>`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org