Posted to commits@knox.apache.org by lm...@apache.org on 2015/10/27 17:45:23 UTC

knox git commit: KNOX-615 Domain Cookies cannot Wildcard IP Addresses

Repository: knox
Updated Branches:
  refs/heads/master 0a9f33b03 -> 9c65733f0


KNOX-615 Domain Cookies cannot Wildcard IP Addresses

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/9c65733f
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/9c65733f
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/9c65733f

Branch: refs/heads/master
Commit: 9c65733f0fb419e88b3ffc84714155555266952b
Parents: 0a9f33b
Author: Larry McCay <lm...@hortonworks.com>
Authored: Tue Oct 27 12:45:14 2015 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Tue Oct 27 12:45:14 2015 -0400

----------------------------------------------------------------------
 gateway-service-knoxsso/pom.xml                 | 11 +++++-
 .../gateway/service/knoxsso/WebSSOResource.java | 15 +++++++-
 .../service/knoxsso/WebSSOResourceTest.java     | 40 ++++++++++++++++++++
 .../org/apache/hadoop/gateway/util/Urls.java    | 12 ++++++
 4 files changed, 75 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/pom.xml b/gateway-service-knoxsso/pom.xml
index a138ce6..b3c2d92 100644
--- a/gateway-service-knoxsso/pom.xml
+++ b/gateway-service-knoxsso/pom.xml
@@ -50,5 +50,14 @@
       <artifactId>junit</artifactId>
       <scope>test</scope>
     </dependency>
-  </dependencies>
+    <dependency>
+      <groupId>org.apache.knox</groupId>
+      <artifactId>gateway-test-utils</artifactId>
+      <scope>test</scope>
+    </dependency>
+      <dependency>
+          <groupId>org.easymock</groupId>
+          <artifactId>easymock</artifactId>
+          <scope>test</scope>
+      </dependency>  </dependencies>
 </project>
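Review bot: Neither `gateway-test-utils` nor `easymock` is imported by the WebSSOResourceTest added in this commit, which uses only `org.junit`, so unless a follow-up change needs them the two test-scoped dependencies can be dropped to keep the module's dependency set minimal. Both entries omit `<version>`, so they presumably resolve through the parent's dependency management; that is worth confirming. The final `</dependency>` shares a line with `</dependencies>`, and the second block is indented differently from the first; putting the closing tag on its own line matches the rest of the file.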

http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 644d650..475e39b 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
 import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
 import org.apache.hadoop.gateway.services.security.token.impl.JWT;
+import org.apache.hadoop.gateway.util.Urls;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
 import static javax.ws.rs.core.MediaType.APPLICATION_XML;
@@ -184,14 +185,24 @@ public class WebSSOResource {
     response.addCookie(c);
   }
 
-  private String getDomainName(String url) throws URISyntaxException {
+  String getDomainName(String url) throws URISyntaxException {
     URI uri = new URI(url);
     String domain = uri.getHost();
+    // if accessing via ip address do not wildcard the cookie domain
+    if (Urls.isIp(domain)) {
+      return domain;
+    }
+    if (Urls.dotOccurrences(domain) < 2) {
+      if (!domain.startsWith(".")) {
+        domain = "." + domain;
+      }
+      return domain;
+    }
     int idx = domain.indexOf('.');
     if (idx == -1) {
       idx = 0;
     }
-    return domain.startsWith("www.") ? domain.substring(4) : domain.substring(idx);
+    return domain.substring(idx);
   }
 
   private String getCookieValue(HttpServletRequest request, String name) {
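Review bot: In `getDomainName`, an IPv6 literal host is not caught by the new `Urls.isIp(domain)` guard, because the pattern added in Urls.java matches only dotted-quad IPv4 and `URI.getHost()` returns IPv6 literals in brackets. Such a host contains no dots, so the `dotOccurrences(domain) < 2` branch prefixes it with "." and returns a value that is not usable as a cookie domain. `getHost()` can also return null (for example when the URL has no authority component), and that value now reaches `p.matcher(domain)` inside `isIp`, which throws NullPointerException; a guard such as `if (domain == null) { throw new URISyntaxException(url, "URL has no host"); }` directly after `getHost()` keeps the failure inside the declared exception. For hosts with three or more labels the method returns everything after the first label, which scopes the SSO cookie to every sibling host under that parent; if that breadth is not intended for all deployments, a configured cookie domain would be safer than deriving it from the URL.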

http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java b/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
new file mode 100644
index 0000000..769e497
--- /dev/null
+++ b/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.service.knoxsso;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class WebSSOResourceTest {
+  @Test
+  public void testDomainNameCreation() throws Exception {
+    WebSSOResource resource = new WebSSOResource();
+    // determine parent domain and wildcard the cookie domain with a dot prefix
+    Assert.assertTrue(resource.getDomainName("http://www.local.com").equals(".local.com"));
+    Assert.assertTrue(resource.getDomainName("http://ljm.local.com").equals(".local.com"));
+    Assert.assertTrue(resource.getDomainName("http://local.home").equals(".local.home"));
+    Assert.assertTrue(resource.getDomainName("http://localhost").equals(".localhost")); // chrome may not allow this
+    Assert.assertTrue(resource.getDomainName("http://local.home.test.com").equals(".home.test.com"));
+    
+    // ip addresses can not be wildcarded - may be a completely different domain
+    Assert.assertTrue(resource.getDomainName("http://127.0.0.1").equals("127.0.0.1"));
+  }
+}
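Review bot: The assertions in `testDomainNameCreation` use `Assert.assertTrue(a.equals(b))`, which on failure reports neither the expected nor the actual domain; `Assert.assertEquals(".local.com", resource.getDomainName("http://www.local.com"));` gives a usable message. The cases do not cover a URL with a port or path, an IPv6 literal such as `http://[::1]`, or an input for which `URI.getHost()` returns null, which are the inputs most likely to produce a wrong cookie domain or an exception. The empty class Javadoc could state that the test pins the cookie-domain derivation rules for KnoxSSO.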

http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
----------------------------------------------------------------------
diff --git a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
index b30a0ef..5255e3a 100644
--- a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
+++ b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
@@ -17,6 +17,9 @@
  */
 package org.apache.hadoop.gateway.util;
 
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 /**
  *
  */
@@ -54,4 +57,13 @@ public class Urls {
     }
   }
 
+  public static boolean isIp(String domain) {
+    Pattern p = Pattern.compile("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
+    Matcher m = p.matcher(domain);
+    return m.find();
+  }
+
+  public static int dotOccurrences(String domain) {
+    return domain.length() - domain.replace(".", "").length();
+  }
 }
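Review bot: `isIp` compiles its regex on every call and uses `find()` with a `$` anchor, which in Java also matches just before a trailing line terminator; hoisting it to `private static final Pattern IPV4 = Pattern.compile(...)` and returning `IPV4.matcher(domain).matches()` avoids the recompilation and makes the whole-string match strict. The method name suggests any IP address, but the pattern recognizes only dotted-quad IPv4, so a Javadoc line such as `Returns true only for dotted-quad IPv4 literals; IPv6 literals and host names return false.` would prevent callers from relying on it for IPv6. `dotOccurrences` likewise has no Javadoc; one sentence saying it counts '.' characters in the given string is enough.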