Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2019/12/12 08:46:08 UTC

[GitHub] [lucene-solr] chatman commented on a change in pull request #1078: SOLR-14071: Untrusted configsets shouldn't be allowed to use

chatman commented on a change in pull request #1078: SOLR-14071: Untrusted configsets shouldn't be allowed to use <lib>
URL: https://github.com/apache/lucene-solr/pull/1078#discussion_r357018557
 
 

 ##########
 File path: solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
 ##########
 @@ -369,13 +370,55 @@ public void testUploadWithScriptUpdateProcessor() throws Exception {
 
   }
 
+  @Test
+  public void testUploadWithLibDirective() throws Exception {
+    // Authorization off
+    unprotectConfigsHandler();
+    final String untrustedSuffix = "-untrusted";
+    uploadConfigSetWithAssertions("with-lib-directive", untrustedSuffix, null, null);
+    // try to create a collection with the uploaded configset
+    Throwable thrown = expectThrows(HttpSolrClient.RemoteSolrException.class, () -> {
+      createCollection("newcollection3", "with-lib-directive" + untrustedSuffix,
+          1, 1, solrCluster.getSolrClient());
+    });
+
+    assertThat(thrown.getMessage(), containsString("Underlying core creation failed"));
+
+    // Authorization on
+    final String trustedSuffix = "-trusted";
+    protectConfigsHandler();
+    uploadConfigSetWithAssertions("with-lib-directive", trustedSuffix, "solr", "SolrRocks");
+    // try to create a collection with the uploaded configset
+    CollectionAdminResponse resp = createCollection("newcollection3", "with-lib-directive" + trustedSuffix,
+        1, 1, solrCluster.getSolrClient());
+    
+    SolrInputDocument doc = sdoc("id", "4055", "subject", "Solr");
+    solrCluster.getSolrClient().add("newcollection3", doc);
+    solrCluster.getSolrClient().commit("newcollection3");
+    assertEquals("4055", solrCluster.getSolrClient().query("newcollection3",
+        params("q", "*:*")).getResults().get(0).get("id"));
+  }
+
   protected SolrZkClient zkClient() {
     ZkStateReader reader = solrCluster.getSolrClient().getZkStateReader();
     if (reader == null)
       solrCluster.getSolrClient().connect();
     return solrCluster.getSolrClient().getZkStateReader().getZkClient();
   }
 
+  private void unprotectConfigsHandler() throws Exception {
+    HttpClient cl = null;
+    try {
+      cl = HttpClientUtil.createClient(null);
+      zkClient().setData("/security.json", "{}".getBytes(UTF_8), true);
+    } finally {
+      if (cl != null) {
+        HttpClientUtil.close(cl);
+      }
+    }
+    Thread.sleep(5000); // TODO: Without a delay, the test fails. Some problem with Authc/Authz framework?
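Review bot: In unprotectConfigsHandler() the HttpClient created by HttpClientUtil.createClient(null) is never used; the only work in the try block is zkClient().setData("/security.json", "{}".getBytes(UTF_8), true), so the client creation and its try/finally close can be dropped. The Thread.sleep(5000) that follows is the fragile part the TODO already flags: instead of a fixed delay, the test could poll until the authorization framework has picked up the empty security.json (for example by retrying an unauthenticated request against the configs handler until it is accepted), which removes both the 5s cost and the race. In testUploadWithLibDirective, the untrusted-path check containsString("Underlying core creation failed") only proves that core creation failed for some reason; if the underlying error text identifies the <lib> directive or the untrusted configset, asserting on that as well would ensure the test fails for the intended cause rather than an unrelated startup problem.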
 
 Review comment:
   Yeah, that is so irritating indeed. I remember we put that sleep of 5s in for the authentication to kick in. I'll reduce the sleep to 1s and see if it works or not. Please don't mind the potential noise on Jenkins due to this, if it fails.
