Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2022/01/12 09:47:53 UTC

[GitHub] [solr] janhoy opened a new pull request #518: SOLR-15907 Move JWT auth plugin to contrib

janhoy opened a new pull request #518:
URL: https://github.com/apache/solr/pull/518


   https://issues.apache.org/jira/browse/SOLR-15907
   
   Ripping out JWT-related stuff from solr-core into a new contrib. This is a stepping stone for a 1st-party package, whenever we figure out how to do that.
   
   It was not too hard; I had to move some Jwt-specific logic from a common test class. I'll consider changing the package name into `org.apache.security.jwt` in a follow-up, since split-package is not ideal. Precommit passes. JWT tests pass. Currently running the entire test suite.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org


[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783150980



##########
File path: solr/contrib/jwt-auth/build.gradle
##########
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+apply plugin: 'java-library'
+
+description = 'Language Identifier contrib for extracting language from a document being indexed'
+
+configurations.all {
+  exclude group: 'log4j', module: 'log4j'
+  exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+  exclude group: 'org.apache.yetus', module: 'audience-annotations'
+  // be conservative on what's added here.  Affects *all* configs, including internal ones.
+}
+
+dependencies {
+  implementation project(':solr:core')
+
+  implementation 'org.bitbucket.b_c:jose4j'
+  implementation 'org.apache.zookeeper:zookeeper'
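
Review bot: the `description = 'Language Identifier contrib for extracting language from a document being indexed'` line was copied from another contrib's build file and does not describe this module; replace it with a description of the JWT authentication plugin before this lands, since it is the text that identifies the module wherever the build reports on it.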

Review comment:
       Solr is not vulnerable, only server side






[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r782900495



##########
File path: solr/solr-ref-guide/src/jwt-authentication-plugin.adoc
##########
@@ -21,6 +21,11 @@ Solr can support https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token] (J
 This allows Solr to assert that a user is already authenticated with an external https://en.wikipedia.org/wiki/Identity_provider[Identity Provider] by validating that the JWT formatted https://en.wikipedia.org/wiki/Access_token[access token] is digitally signed by the Identity Provider.
 The typical use case is to integrate Solr with an https://en.wikipedia.org/wiki/OpenID_Connect[OpenID Connect] enabled IdP.
 
+== Contrib package
+
+This is provided via a Solr Contrib package that needs to be added to the classpah before use. Since this is a node-level
+plugin it must go in `sharedLib`, see <<configuring-solr-xml.adoc#,Configuring solr.xml>> for details.
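
Review bot: typo on the added line, `classpah` should read `classpath`. The same paragraph would also help readers more if it named what has to be present in the `sharedLib` directory (the contrib jar and its jose4j dependency), since `sharedLib` takes a directory and the reader otherwise has to guess which jars belong there.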

Review comment:
       I tested this manually with 
   ```bash
   bin/solr start -c -Dsolr.sharedLib=/Users/janhoy/git/solr/solr/packaging/build/dev/dist/,/Users/janhoy/git/solr/solr/packaging/build/dev/contrib/jwt-auth/lib/
   ```
   and it then worked.
   
   I first tried adding the two jars in sharedLib, but sharedLib only accepts folders. Would be useful if it also accepted a jar or a wildcard, like the `<lib>` in solrconfig.






[GitHub] [solr] HoustonPutman commented on pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
HoustonPutman commented on pull request #518:
URL: https://github.com/apache/solr/pull/518#issuecomment-1015601813


   You could do a first-commit adding an exclusion for the spotless rule: https://github.com/apache/solr/blob/main/gradle/validation/spotless.gradle#L46
   
   Then revert the spotless exclusion and do the reformatting in another commit.




[GitHub] [solr] dsmiley commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
dsmiley commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783453312



##########
File path: solr/core/build.gradle
##########
@@ -115,9 +115,6 @@ dependencies {
 
   testImplementation 'org.slf4j:jcl-over-slf4j'
 
-  // JWT Auth plugin
-  api 'org.bitbucket.b_c:jose4j'
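
Review bot: removing `api 'org.bitbucket.b_c:jose4j'` narrows solr-core's exported compile classpath, so any module that compiled against a type reached only through this `api` edge will break, and that breakage is invisible in core's own build. Before merging, build every contrib rather than only the JWT tests, and declare in the contrib each library it uses directly instead of relying on what used to leak from core.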

Review comment:
       +1 to what Dawid says -- definitely an "api" dependency.  Feel free to ping me Jan on dependency matters; I'm glad Dawid is still here to help.






[GitHub] [solr] janhoy commented on pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on pull request #518:
URL: https://github.com/apache/solr/pull/518#issuecomment-1032107261


   Closing, please see #606 instead.




[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r782898576



##########
File path: solr/core/build.gradle
##########
@@ -115,9 +115,6 @@ dependencies {
 
   testImplementation 'org.slf4j:jcl-over-slf4j'
 
-  // JWT Auth plugin
-  api 'org.bitbucket.b_c:jose4j'

Review comment:
       The jose lib was defined as `api` in solr-core. When I moved it into the contrib (as implementation), suddenly all contribs complained they could not find `slf4j`. I considered changing `org.slf4j:slf4j-api` to `api` scope in solr-core, to give all contribs depending on solr-core access to the logger. But then I instead added `slf4j-api` to all of them explicitly. Any preference?






[GitHub] [solr] madrob commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
madrob commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783272786



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTAuthPlugin.java
##########
@@ -104,15 +102,31 @@
   @Deprecated(since = "9.0") // Remove in 10.0
   private static final String PARAM_ALG_WHITELIST = "algWhitelist";
 
-  private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
-      PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_ALLOWLIST,
-      PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
-      PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
-      PARAM_TRUSTED_CERTS_FILE, PARAM_TRUSTED_CERTS,
-      // These keys are supported for now to enable PRIMARY issuer config through top-level keys
-      JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER,
-      JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL, JWTIssuerConfig.PARAM_AUDIENCE,
-      JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT);
+  private static final ImmutableSet<String> PROPS =
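
Review bot: declaring `PROPS` as `ImmutableSet<String>` leaks a Guava type into the field signature where the previous declaration exposed only `Set<String>`. Since the set is a fixed list of constants, `Set.of(...)` gives the same immutability without needing Guava in the contrib at all; note that `Set.of` rejects duplicate and `null` elements at construction time, which is exactly what you want from a constant allow-list of property names.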

Review comment:
       Ah, interesting. That check actually went away and became the better named and better described https://errorprone.info/bugpattern/PreferredInterfaceType
   
   I've generally been trying to move us away from the guava types and onto jdk types using Set.of where reasonable.






[GitHub] [solr] janhoy commented on pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on pull request #518:
URL: https://github.com/apache/solr/pull/518#issuecomment-1010944111


   If we change package name, we could also consider adding `org.apache.solr.security.jwt` to the list of packages ResourceLoader scans when resolving a `class="solr.*"` alias.




[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783540085



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTAuthPlugin.java
##########
@@ -104,15 +102,31 @@
   @Deprecated(since = "9.0") // Remove in 10.0
   private static final String PARAM_ALG_WHITELIST = "algWhitelist";
 
-  private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
-      PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_ALLOWLIST,
-      PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
-      PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
-      PARAM_TRUSTED_CERTS_FILE, PARAM_TRUSTED_CERTS,
-      // These keys are supported for now to enable PRIMARY issuer config through top-level keys
-      JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER,
-      JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL, JWTIssuerConfig.PARAM_AUDIENCE,
-      JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT);
+  private static final ImmutableSet<String> PROPS =

Review comment:
       I moved this to `Set.of()` which is also immutable. Good catch.
   
   We have more than 100 dependencies. Would be cool to make a list of them in a spreadsheet, with columns for number-of-uses, version, release-date, known CVEs, test or runtime etc. Then we could sort by fewest uses and perhaps move to JDK APIs for a lot and get rid of some weight.
   We should also look at shadowed classes in Solr which are likely very old, and see if we find alternatives.






[GitHub] [solr] janhoy commented on pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on pull request #518:
URL: https://github.com/apache/solr/pull/518#issuecomment-1012061486


   Any more comments? I'd like to merge this to main only and let it bake.




[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783150407



##########
File path: solr/contrib/jwt-auth/build.gradle
##########
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+apply plugin: 'java-library'
+
+description = 'Language Identifier contrib for extracting language from a document being indexed'
+
+configurations.all {
+  exclude group: 'log4j', module: 'log4j'
+  exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+  exclude group: 'org.apache.yetus', module: 'audience-annotations'
+  // be conservative on what's added here.  Affects *all* configs, including internal ones.
+}
+
+dependencies {
+  implementation project(':solr:core')
+
+  implementation 'org.bitbucket.b_c:jose4j'
+  implementation 'org.apache.zookeeper:zookeeper'
+
+  implementation 'commons-io:commons-io'
+  implementation 'org.apache.commons:commons-lang3'
+  implementation 'org.eclipse.jetty:jetty-client'
+  implementation ('com.google.guava:guava') { transitive = false }
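
Review bot: `implementation ('com.google.guava:guava') { transitive = false }` appears to be needed only for the `ImmutableSet` in `JWTAuthPlugin`; with `PROPS` expressed as `Set.of(...)` this line can go, which also removes the guava 25.1-jre finding from the dependency scan. If Guava has to stay, confirm that nothing in the plugin calls `com.google.common.io.Files.createTempDir()`, the only API the flagged advisory concerns.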

Review comment:
       Done in #520 






[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783538516



##########
File path: solr/core/build.gradle
##########
@@ -115,9 +115,6 @@ dependencies {
 
   testImplementation 'org.slf4j:jcl-over-slf4j'
 
-  // JWT Auth plugin
-  api 'org.bitbucket.b_c:jose4j'

Review comment:
       Done.






[GitHub] [solr] sonatype-lift[bot] commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
sonatype-lift[bot] commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783013500



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTAuthPlugin.java
##########
@@ -104,15 +102,31 @@
   @Deprecated(since = "9.0") // Remove in 10.0
   private static final String PARAM_ALG_WHITELIST = "algWhitelist";
 
-  private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
-      PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_ALLOWLIST,
-      PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
-      PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
-      PARAM_TRUSTED_CERTS_FILE, PARAM_TRUSTED_CERTS,
-      // These keys are supported for now to enable PRIMARY issuer config through top-level keys
-      JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER,
-      JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL, JWTIssuerConfig.PARAM_AUDIENCE,
-      JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT);
+  private static final Set<String> PROPS =
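
Review bot: the `MutableConstantField` complaint is about the declared type only; a `Set<String>` initialised from `Set.of(...)` is already unmodifiable, so keep the interface type and ignore the finding rather than reintroducing `ImmutableSet` and the Guava dependency that comes with it.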

Review comment:
       *MutableConstantField:*  Constant field declarations should use the immutable type (such as ImmutableList) instead of the general collection interface type (such as List) [(details)](https://errorprone.info/bugpattern/MutableConstantField)
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTIssuerConfig.java
##########
@@ -46,10 +34,19 @@
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
+import org.apache.commons.io.IOUtils;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.Utils;
+import org.jose4j.http.Get;
+import org.jose4j.http.SimpleResponse;
+import org.jose4j.jwk.HttpsJwks;
+import org.jose4j.jwk.JsonWebKey;
+import org.jose4j.jwk.JsonWebKeySet;
+import org.jose4j.lang.JoseException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-/**
- * Holds information about an IdP (issuer), such as issuer ID, JWK url(s), keys etc
- */
+/** Holds information about an IdP (issuer), such as issuer ID, JWK url(s), keys etc */
 public class JWTIssuerConfig {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

Review comment:
       *UnusedVariable:*  The field 'log' is never read. [(details)](https://errorprone.info/bugpattern/UnusedVariable)
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: solr/contrib/jwt-auth/build.gradle
##########
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+apply plugin: 'java-library'
+
+description = 'Language Identifier contrib for extracting language from a document being indexed'
+
+configurations.all {
+  exclude group: 'log4j', module: 'log4j'
+  exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+  exclude group: 'org.apache.yetus', module: 'audience-annotations'
+  // be conservative on what's added here.  Affects *all* configs, including internal ones.
+}
+
+dependencies {
+  implementation project(':solr:core')
+
+  implementation 'org.bitbucket.b_c:jose4j'
+  implementation 'org.apache.zookeeper:zookeeper'
+
+  implementation 'commons-io:commons-io'
+  implementation 'org.apache.commons:commons-lang3'
+  implementation 'org.eclipse.jetty:jetty-client'
+  implementation ('com.google.guava:guava') { transitive = false }

Review comment:
       *Moderate OSS Vulnerability:*
   ### pkg:maven/com.google.guava/guava@25.1-jre
   0 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
   
   Components: pkg:maven/com.google.guava/guava@25.1-jre
   MODERATE Vulnerabilities (1)
   
   > #### [CVE-2020-8908] A temp directory creation vulnerability exists in all versions of Guava, allowin...
   > A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
   >
   > **CVSS Score:** 3.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
   
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: solr/contrib/jwt-auth/build.gradle
##########
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+apply plugin: 'java-library'
+
+description = 'Language Identifier contrib for extracting language from a document being indexed'
+
+configurations.all {
+  exclude group: 'log4j', module: 'log4j'
+  exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+  exclude group: 'org.apache.yetus', module: 'audience-annotations'
+  // be conservative on what's added here.  Affects *all* configs, including internal ones.
+}
+
+dependencies {
+  implementation project(':solr:core')
+
+  implementation 'org.bitbucket.b_c:jose4j'
+  implementation 'org.apache.zookeeper:zookeeper'
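
Review bot: both advisories attached to `org.apache.zookeeper:zookeeper` here (CVE-2021-28164, CVE-2021-34429) describe Eclipse Jetty, reached through ZooKeeper's transitive Jetty dependency, not ZooKeeper's client code. Check with `gradlew dependencies` which Jetty version actually resolves for this module once Solr's own version constraints apply; if it is outside the affected ranges the finding is moot, and if the plugin only reaches ZooKeeper through types already available via `project(':solr:core')`, the direct dependency line is not needed at all.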

Review comment:
       *Severe OSS Vulnerability:*
   ### pkg:maven/org.apache.zookeeper/zookeeper@3.7.0
   0 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
   
   Components: pkg:maven/org.apache.zookeeper/zookeeper@3.7.0
   SEVERE Vulnerabilities (2)
   
   CVE-2021-28164
   
   > #### [CVE-2021-28164] In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mo...
   > In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   CVE-2021-34429
   
   > #### [CVE-2021-34429] For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs ca...
   > For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)




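The advisory quoted in the scanner comment above contrasts Guava's deprecated `com.google.common.io.Files.createTempDir()` with `java.nio.file.Files.createTempDirectory()`. The following Java program is an added example, not Solr, Guava or Sonatype code: it reproduces the legacy mkdir-based idiom next to the hardened JDK call and adds a permission check that flags a directory readable by other local users. It assumes a POSIX filesystem; `TempDirPermissions` and its method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (not Solr, Guava or Sonatype code): the two temp-directory idioms named in the
 * CVE-2020-8908 advisory side by side, plus a permission check. Assumes a POSIX filesystem;
 * the class and method names are this example's own.
 */
public class TempDirPermissions {

  /**
   * Legacy idiom, equivalent to what Guava's deprecated Files.createTempDir() does: a plain
   * File.mkdir() under java.io.tmpdir. The mode comes from the process umask, which on most
   * systems is 022 and therefore yields 0755, so other local users can list the directory.
   */
  static Path legacyStyleTempDir(String prefix) throws IOException {
    File base = new File(System.getProperty("java.io.tmpdir"));
    File dir = new File(base, prefix + "-" + System.nanoTime());
    if (!dir.mkdir()) {
      throw new IOException("could not create " + dir);
    }
    return dir.toPath();
  }

  /** Recommended replacement: the JDK creates the directory with mode 0700 regardless of umask. */
  static Path hardenedTempDir(String prefix) throws IOException {
    return Files.createTempDirectory(prefix);
  }

  /** Same thing with the owner-only mode spelled out explicitly. */
  static Path hardenedTempDirExplicit(String prefix) throws IOException {
    Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
    return Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(ownerOnly));
  }

  /** Detection check: true if any group or other permission bit is set on the directory. */
  static boolean isAccessibleToOthers(Path dir) throws IOException {
    for (PosixFilePermission p : Files.getPosixFilePermissions(dir)) {
      if (p != PosixFilePermission.OWNER_READ
          && p != PosixFilePermission.OWNER_WRITE
          && p != PosixFilePermission.OWNER_EXECUTE) {
        return true;
      }
    }
    return false;
  }

  /** Prints the rwx string of the directory and whether the check above flags it. */
  private static void report(String label, Path dir) throws IOException {
    String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
    System.out.printf("%-9s %s exposed=%b%n", label, mode, isAccessibleToOthers(dir));
  }

  public static void main(String[] args) throws IOException {
    Path legacy = legacyStyleTempDir("legacy");
    Path hardened = hardenedTempDir("hardened");
    Path explicit = hardenedTempDirExplicit("explicit");
    try {
      report("legacy", legacy);
      report("hardened", hardened);
      report("explicit", explicit);
    } finally {
      // Clean up so the demonstration leaves nothing behind in java.io.tmpdir.
      Files.deleteIfExists(legacy);
      Files.deleteIfExists(hardened);
      Files.deleteIfExists(explicit);
    }
  }
}
```

With a umask of 022 the legacy directory is reported as exposed while both hardened variants are not; on a system whose umask already strips group and other bits, all three come out owner-only, which is exactly why the advisory recommends not depending on the umask.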


[GitHub] [solr] madrob commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
madrob commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783218761



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTAuthPlugin.java
##########
@@ -104,15 +102,31 @@
   @Deprecated(since = "9.0") // Remove in 10.0
   private static final String PARAM_ALG_WHITELIST = "algWhitelist";
 
-  private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
-      PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_ALLOWLIST,
-      PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
-      PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
-      PARAM_TRUSTED_CERTS_FILE, PARAM_TRUSTED_CERTS,
-      // These keys are supported for now to enable PRIMARY issuer config through top-level keys
-      JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER,
-      JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL, JWTIssuerConfig.PARAM_AUDIENCE,
-      JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT);
+  private static final ImmutableSet<String> PROPS =

Review comment:
       Why did this type change from Set?

##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTIssuerConfig.java
##########
@@ -408,8 +428,8 @@ private HttpsJwks create(String url) {
   }
 
   /**
-   * Config object for a OpenId Connect well-known config
-   * Typically exposed through /.well-known/openid-configuration endpoint
+   * Config object for a OpenId Connect well-known config Typically exposed through

Review comment:
       Include an explicit `<p>`






[GitHub] [solr] janhoy commented on pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on pull request #518:
URL: https://github.com/apache/solr/pull/518#issuecomment-1014917760


   > I would have preferred to see the reformatting done as a separate PR/commit, though
   
   I know. I believe the spotless requirements are only enforced for contribs right now. I made an attempt to rebase this to achieve this, but there are so many commits with an occasional reformat in between, so I don't know how. I could make sure that the move from core to contrib gets its own commit in main, and then do the rest including reformatting as one squash commit though. Would that help?




[GitHub] [solr] janhoy closed pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy closed pull request #518:
URL: https://github.com/apache/solr/pull/518


   




[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783226802



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTAuthPlugin.java
##########
@@ -104,15 +102,31 @@
   @Deprecated(since = "9.0") // Remove in 10.0
   private static final String PARAM_ALG_WHITELIST = "algWhitelist";
 
-  private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
-      PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_ALLOWLIST,
-      PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
-      PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
-      PARAM_TRUSTED_CERTS_FILE, PARAM_TRUSTED_CERTS,
-      // These keys are supported for now to enable PRIMARY issuer config through top-level keys
-      JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER,
-      JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL, JWTIssuerConfig.PARAM_AUDIENCE,
-      JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT);
+  private static final ImmutableSet<String> PROPS =

Review comment:
       Because of https://github.com/apache/solr/pull/518#discussion_r783013500
   IntelliJ does NOT warn about the same, so probably not important.






[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783231303



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTIssuerConfig.java
##########
@@ -408,8 +428,8 @@ private HttpsJwks create(String url) {
   }
 
   /**
-   * Config object for a OpenId Connect well-known config
-   * Typically exposed through /.well-known/openid-configuration endpoint
+   * Config object for a OpenId Connect well-known config Typically exposed through

Review comment:
       Thanks, fixed. Also added a <code> block around the url path.
   
   I think we have enabled some spotless enforcement on contribs now, so I did `./gradlew :solr:contrib:jwt-auth:spotlessApply`.






[GitHub] [solr] dweiss commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r802356561



##########
File path: solr/core/build.gradle
##########
@@ -115,9 +115,6 @@ dependencies {
 
   testImplementation 'org.slf4j:jcl-over-slf4j'
 
-  // JWT Auth plugin
-  api 'org.bitbucket.b_c:jose4j'
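Review bot: Dropping `api 'org.bitbucket.b_c:jose4j'` from solr-core removes jose4j from the compile classpath of every module that consumed it transitively through core's `api` configuration, not just from core itself; confirm that the new `solr/contrib/jwt-auth` module declares jose4j directly and that no remaining core source or test class still imports `org.jose4j` classes, otherwise the break shows up only in downstream modules. If the contrib declares jose4j, weigh `implementation` over `api` there so the token-parsing library does not leak into the public classpath of consumers that merely enable the plugin.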

Review comment:
       > I'm glad Dawid is still here to help.
   
   Yeah, kind of. I'm a bit terrified at the size of unread messages in dev/solr when I wake up each morning. Seems like 800 guys are working on it full time! Or just Jan, but has an 800-hour day on the planet where he lives... :)
   
   Also, more seriously and interestingly, I don't get e-mails about review requests from github... I'll check the settings but if you have something important, use a mention (these I do get) or just call out via e-mail explicitly. Odd.
   






[GitHub] [solr] janhoy commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783237654



##########
File path: solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTIssuerConfig.java
##########
@@ -408,8 +428,8 @@ private HttpsJwks create(String url) {
   }
 
   /**
-   * Config object for a OpenId Connect well-known config
-   * Typically exposed through /.well-known/openid-configuration endpoint
+   * Config object for a OpenId Connect well-known config Typically exposed through

Review comment:
       Hmm, spotless is angry with me today, https://github.com/apache/solr/runs/4792054141?check_suite_focus=true
   ```
   * What went wrong:
   Execution failed for task ':solr:contrib:jwt-auth:spotlessJavaCheck'.
   > The following files had format violations:
         solr/contrib/jwt-auth/src/java/org/apache/solr/security/JWTIssuerConfig.java
             @@ -429,7 +429,8 @@
              
              ··/**
              ···*·Config·object·for·a·OpenId·Connect·well-known·config.
             -···*·<p>Typically·exposed·through·<code>/.well-known/openid-configuration·endpoint</code></p>
             +···*
             +···*·<p>Typically·exposed·through·<code>/.well-known/openid-configuration·endpoint</code>
              ···*/
              ··public·static·class·WellKnownDiscoveryConfig·{
              ····private·final·Map<String,·Object>·securityConf;
     Run './gradlew :solr:contrib:jwt-auth:spotlessApply' to fix these violations.
   ```






[GitHub] [solr] dweiss commented on a change in pull request #518: SOLR-15907 Move JWT auth plugin to contrib

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #518:
URL: https://github.com/apache/solr/pull/518#discussion_r783281998



##########
File path: solr/core/build.gradle
##########
@@ -115,9 +115,6 @@ dependencies {
 
   testImplementation 'org.slf4j:jcl-over-slf4j'
 
-  // JWT Auth plugin
-  api 'org.bitbucket.b_c:jose4j'

Review comment:
       My opinion is that if Solr core is using slf4j for logging and it's something encouraged for contribs then I think it's fine to put it in the api configuration (as a transitive, exported dependency).



