You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by pz...@apache.org on 2018/07/03 18:53:54 UTC
knox git commit: KNOX-1373 - Default dispatch whitelist should
consider X-Forwarded-Host header
Repository: knox
Updated Branches:
refs/heads/master b2ec86f71 -> 35b65a267
KNOX-1373 - Default dispatch whitelist should consider X-Forwarded-Host header
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/35b65a26
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/35b65a26
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/35b65a26
Branch: refs/heads/master
Commit: 35b65a26727245b75420551851f78d574a6d2c0b
Parents: b2ec86f
Author: Phil Zampino <pz...@apache.org>
Authored: Tue Jul 3 14:35:57 2018 -0400
Committer: Phil Zampino <pz...@apache.org>
Committed: Tue Jul 3 14:37:19 2018 -0400
----------------------------------------------------------------------
.../knox/gateway/util/WhitelistUtils.java | 23 +++++++--
.../knox/gateway/util/WhitelistUtilsTest.java | 53 ++++++++++++++++++--
2 files changed, 68 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/35b65a26/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
index 220e448..37df2f6 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
@@ -67,10 +67,25 @@ public class WhitelistUtils {
private static String deriveDefaultDispatchWhitelist(HttpServletRequest request) {
String defaultWhitelist = null;
- try {
- defaultWhitelist = deriveDomainBasedWhitelist(InetAddress.getLocalHost().getCanonicalHostName());
- } catch (UnknownHostException e) {
- //
+ // Check first for the X-Forwarded-Host header, and use it to derive the domain-based whitelist
+ String requestedHost = request.getHeader("X-Forwarded-Host");
+ if (requestedHost != null && !requestedHost.isEmpty()) {
+ // The value may include port information, which needs to be removed
+ int portIndex = requestedHost.indexOf(":");
+ if (portIndex > 0) {
+ requestedHost = requestedHost.substring(0, portIndex);
+ }
+ defaultWhitelist = deriveDomainBasedWhitelist(requestedHost);
+ }
+
+ // If the domain-based whitelist could not be derived from the X-Forwarded-Host header value, then use the
+ // localhost FQDN
+ if (defaultWhitelist == null) {
+ try {
+ defaultWhitelist = deriveDomainBasedWhitelist(InetAddress.getLocalHost().getCanonicalHostName());
+ } catch (UnknownHostException e) {
+ //
+ }
}
// If the domain could not be determined, default to just the local/relative whitelist
http://git-wip-us.apache.org/repos/asf/knox/blob/35b65a26/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
index 1824fe6..272a35d 100644
--- a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
+++ b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
@@ -79,9 +79,36 @@ public class WhitelistUtilsTest {
}
@Test
+ public void testDefaultDomainWhitelistWithXForwardedHost() throws Exception {
+ final String serviceRole = "TEST";
+
+ String whitelist =
+ doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole), null),
+ "host0.test.org",
+ "lb.external.test.org",
+ serviceRole);
+ assertNotNull(whitelist);
+ assertTrue(whitelist.contains("\\.external\\.test\\.org"));
+ }
+
+ @Test
+ public void testDefaultDomainWhitelistWithXForwardedHostAndPort() throws Exception {
+ final String serviceRole = "TEST";
+
+ String whitelist =
+ doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole), null),
+ "host0.test.org",
+ "lb.external.test.org:9090",
+ serviceRole);
+ assertNotNull(whitelist);
+ assertTrue(whitelist.contains("\\.external\\.test\\.org"));
+ assertFalse(whitelist.contains("9090"));
+ }
+
+ @Test
public void testConfiguredWhitelist() throws Exception {
final String serviceRole = "TEST";
- final String WHITELIST = "^.*\\.my\\.domain\\.com.*$";
+ final String WHITELIST = "^.*\\.my\\.domain\\.com.*$";
String whitelist =
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole), WHITELIST),
@@ -93,11 +120,11 @@ public class WhitelistUtilsTest {
@Test
public void testExplicitlyConfiguredDefaultWhitelist() throws Exception {
final String serviceRole = "TEST";
- final String WHITELIST = "DEFAULT";
+ final String WHITELIST = "DEFAULT";
String whitelist =
doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole), WHITELIST),
- serviceRole);
+ serviceRole);
assertNotNull(whitelist);
assertTrue("Expected the derived localhost whitelist.",
RegExUtils.checkWhitelist(whitelist, "http://localhost:9099/"));
@@ -111,17 +138,27 @@ public class WhitelistUtilsTest {
private String doTestGetDispatchWhitelist(GatewayConfig config,
String serverName,
String serviceRole) {
+ return doTestGetDispatchWhitelist(config, serverName, null, serviceRole);
+ }
+
+ private String doTestGetDispatchWhitelist(GatewayConfig config,
+ String serverName,
+ String xForwardedHost,
+ String serviceRole) {
ServletContext sc = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(sc.getAttribute("org.apache.knox.gateway.config")).andReturn(config).anyTimes();
EasyMock.replay(sc);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ if (xForwardedHost != null && !xForwardedHost.isEmpty()) {
+ EasyMock.expect(request.getHeader("X-Forwarded-Host")).andReturn(xForwardedHost).anyTimes();
+ }
EasyMock.expect(request.getAttribute("targetServiceRole")).andReturn(serviceRole).anyTimes();
EasyMock.expect(request.getServletContext()).andReturn(sc).anyTimes();
EasyMock.replay(request);
String result = null;
- if (serverName != null && !serverName.isEmpty() && !serverName.equalsIgnoreCase("localhost")) {
+ if (serverName != null && !serverName.isEmpty() && !serverName.equalsIgnoreCase("localhost") && xForwardedHost == null) {
try {
Method method = WhitelistUtils.class.getDeclaredMethod("deriveDomainBasedWhitelist", String.class);
method.setAccessible(true);
@@ -129,6 +166,14 @@ public class WhitelistUtilsTest {
} catch (Exception e) {
e.printStackTrace();
}
+ } else if (xForwardedHost != null && !xForwardedHost.isEmpty()) {
+ try {
+ Method method = WhitelistUtils.class.getDeclaredMethod("deriveDefaultDispatchWhitelist", HttpServletRequest.class);
+ method.setAccessible(true);
+ result = (String) method.invoke(null, request);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
} else {
result = WhitelistUtils.getDispatchWhitelist(request);
}