You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by ja...@apache.org on 2023/11/07 20:25:22 UTC
(solr) branch branch_9x updated: SOLR-16907: Fail when parsing an invalid custom permission definition from security.json (#2040)
This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new ce1935ff8bc SOLR-16907: Fail when parsing an invalid custom permission definition from security.json (#2040)
ce1935ff8bc is described below
commit ce1935ff8bc9024327f40ecfe48f39d7b249f39b
Author: Jan Høydahl <ja...@apache.org>
AuthorDate: Tue Nov 7 17:27:13 2023 +0100
SOLR-16907: Fail when parsing an invalid custom permission definition from security.json (#2040)
(cherry picked from commit 2062d057c003e4113b09b8e6aab49caa134b4a7c)
---
solr/CHANGES.txt | 4 +-
.../java/org/apache/solr/security/Permission.java | 23 ++++++----
.../org/apache/solr/security/PermissionTest.java | 49 ++++++++++++++++++++++
3 files changed, 68 insertions(+), 8 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index ba59b59bcd5..42e53988f3c 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -18,6 +18,8 @@ Improvements
* SOLR-16924: RESTORECORE now sets the UpdateLog to ACTIVE state instead of requiring a separate
REQUESTAPPLYUPDATES call in Collection restore. (Julia Lamoine, David Smiley)
+* SOLR-16907: Fail when parsing an invalid custom permission definition from security.json (janhoy, Uwe Schindler)
+
* SOLR-17046: SchemaCodecFactory is now the implicit default codec factory. (hossman)
* SOLR-16943: Extend Solr client tracing coverage to both Jetty Client and Apache HttpClient (Alex Deparvu, David Smiley)
@@ -35,7 +37,7 @@ Bug Fixes
* SOLR-17039: Entropy calculation in bin/solr script fails in Docker due to missing 'bc' cmd (janhoy)
-* SOLR-17045: DenseVectorField w/ vectorDimension > 1024 now work automatically with _default configset, due to
+* SOLR-17045: DenseVectorField w/ vectorDimension > 1024 now work automatically with _default configset, due to
implicit use of SchemaCodecFactory. (hossman)
Dependency Upgrades
diff --git a/solr/core/src/java/org/apache/solr/security/Permission.java b/solr/core/src/java/org/apache/solr/security/Permission.java
index 95e83f0d5e4..a93020b7bf6 100644
--- a/solr/core/src/java/org/apache/solr/security/Permission.java
+++ b/solr/core/src/java/org/apache/solr/security/Permission.java
@@ -31,7 +31,9 @@ import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
+import java.util.stream.Stream;
import org.apache.solr.common.SolrException;
+import org.apache.solr.common.params.CommonParams;
import org.apache.solr.common.util.Utils;
class Permission {
@@ -52,18 +54,20 @@ class Permission {
p.role = readValueAsSet(m, "role");
if (PermissionNameProvider.Name.get(name) != null) {
p.wellknownName = PermissionNameProvider.Name.get(name);
- HashSet<String> disAllowed = new HashSet<>(knownKeys);
- disAllowed.remove("role"); // these are the only
- disAllowed.remove(NAME); // allowed keys for well-known permissions
- disAllowed.remove("collection"); // allowed keys for well-known permissions
- disAllowed.remove("index");
- for (String s : disAllowed) {
+ for (String s : customPermissionAdditionalKeys) {
if (m.containsKey(s))
throw new SolrException(
SolrException.ErrorCode.BAD_REQUEST,
s + " is not a valid key for the permission : " + name);
}
+ } else if (!m.containsKey(CommonParams.PATH)) {
+ throw new SolrException(
+ SolrException.ErrorCode.BAD_REQUEST,
+ "Permission with name "
+ + name
+ + " is neither a pre-defined permission nor qualifies as a custom permission");
}
+
p.name = name;
p.path = readSetSmart(name, m, "path");
p.collections = readSetSmart(name, m, "collection");
@@ -160,7 +164,12 @@ class Permission {
return Utils.toJSONString(originalConfig);
}
+ static final Set<String> predefinedPermissionAllowedKeys =
+ Set.of("collection", "role", NAME, "index");
+ static final Set<String> customPermissionAdditionalKeys = Set.of("method", "path", "params");
static final Set<String> knownKeys =
- Set.of("collection", "role", "params", "path", "method", NAME, "index");
+ Stream.concat(
+ predefinedPermissionAllowedKeys.stream(), customPermissionAdditionalKeys.stream())
+ .collect(Collectors.toUnmodifiableSet());
public static final Set<String> HTTP_METHODS = Set.of("GET", "POST", "DELETE", "PUT", "HEAD");
}
diff --git a/solr/core/src/test/org/apache/solr/security/PermissionTest.java b/solr/core/src/test/org/apache/solr/security/PermissionTest.java
new file mode 100644
index 00000000000..4d44cb30dfb
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/security/PermissionTest.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security;
+
+import java.util.Map;
+import java.util.Set;
+import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.common.SolrException;
+
+public class PermissionTest extends SolrTestCaseJ4 {
+
+ public void testLoad() {
+ // Valid, currently predefined permissions
+ for (String name : Set.of("read", "zk-read")) {
+ Permission.load(Map.of("name", name, "role", "admin"));
+ }
+ // Invalid custom permissions (some of which were old valid predefined)
+ for (String name :
+ Set.of("metrics-history-read", "autoscaling-read", "autoscaling-write", "invalid-custom")) {
+ SolrException e =
+ assertThrows(
+ SolrException.class, () -> Permission.load(Map.of("name", name, "role", "admin")));
+ assertTrue(
+ e.getMessage()
+ .contains(
+ "Permission with name "
+ + name
+ + " is neither a pre-defined permission nor qualifies as a custom permission"));
+ }
+ // Valid custom permissions
+ for (String name : Set.of("valid-custom")) {
+ Permission.load(Map.of("name", name, "role", "admin", "path", "/foo"));
+ }
+ }
+}