Posted to commits@knox.apache.org by lm...@apache.org on 2013/11/27 21:37:22 UTC
git commit: KNOX-198 - fixed and enabled functional tests for PUT and
GET behavior
Updated Branches:
refs/heads/master 6fac4afab -> c9b2e5514
KNOX-198 - fixed and enabled functional tests for PUT and GET behavior
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/c9b2e551
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/c9b2e551
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/c9b2e551
Branch: refs/heads/master
Commit: c9b2e5514c36e7540080ae47b4c9d1e1cecfd645
Parents: 6fac4af
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Nov 27 15:37:08 2013 -0500
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Nov 27 15:37:08 2013 -0500
----------------------------------------------------------------------
.../webappsec/filter/CSRFPreventionFilter.java | 13 ++++--
.../hadoop/gateway/GatewayBasicFuncTest.java | 45 ++++++++++++++------
2 files changed, 41 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/c9b2e551/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
index eb98b8c..6d40252 100644
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
@@ -48,16 +48,23 @@ public class CSRFPreventionFilter implements Filter {
if (customMTI != null) {
mti = customMTI;
}
- methodsToIgnore = new HashSet<String>(Arrays.asList(mti));
+ String[] methods = mti.split(",");
+ methodsToIgnore = new HashSet<String>();
+ for (int i = 0; i < methods.length; i++) {
+ methodsToIgnore.add(methods[i]);
+ }
+
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
- if (!methodsToIgnore.contains(((HttpServletRequest) request).getMethod()) && !(((HttpServletRequest) request).getHeader(headerName) != null)) {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ if ( methodsToIgnore.contains( httpRequest.getMethod() ) || httpRequest.getHeader(headerName) != null ) {
+ chain.doFilter(request, response);
+ } else {
((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for Vulnerability Protection");
}
- chain.doFilter(request, response);
}
/* (non-Javadoc)
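Review bot: The `mti.split(",")` on the new line 35 keeps surrounding whitespace, so a configured value such as `GET, OPTIONS` yields the token ` OPTIONS`, which never equals `getMethod()` and silently makes that method require the header; that fails closed, but it is a confusing misconfiguration, so trim each token with `methodsToIgnore.add(methods[i].trim());`. The `init` method whose tail this hunk shows starts outside the hunk, so the default value of `mti` is not visible; whatever it is, every method listed there bypasses the check entirely, so it should only ever hold safe, idempotent methods. The condition on line 47 deliberately tests header presence, not its value, and nothing in the hunk supplies a token to compare against; a comment such as `// presence of the custom header is enough: a browser cannot attach it cross-origin without a CORS preflight` would stop a future maintainer from either "hardening" it into a value comparison the gateway cannot satisfy or weakening it to also accept a missing header on listed methods plus others. Note also that an empty-valued header (`X-XSRF-Header:`) still passes because `getHeader` returns `""`, which is acceptable for this defence but worth stating in that same comment.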
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/c9b2e551/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
index 130e479..0c7c486 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
@@ -1934,31 +1934,48 @@ public class GatewayBasicFuncTest {
driver.assertComplete();
}
- @Ignore
- public void testCrossSiteRequestForgeryPrevention() throws IOException {
+ @Test
+ public void testCrossSiteRequestForgeryPreventionPUT() throws IOException {
String root = "/tmp/GatewayWebHdfsFuncTest/testCrossSiteRequestForgeryPrevention";
String username = "hdfs";
String password = "hdfs-password";
-// driver.getMock( "WEBHDFS" )
-// .expect()
-// .method( "PUT" )
-// .pathInfo( "/v1" + root + "/dir" )
-// .queryParam( "op", "MKDIRS" )
-// .queryParam( "user.name", username )
-// .respond()
-// .status( HttpStatus.SC_BAD_REQUEST );
given()
- .log().all()
+// .log().all()
.auth().preemptive().basic( username, password )
// .header("X-XSRF-Header", "jksdhfkhdsf")
.queryParam( "op", "MKDIRS" )
.expect()
- .log().all()
+// .log().all()
.statusCode( HttpStatus.SC_BAD_REQUEST )
.when().put( driver.getUrl( "WEBHDFS" ) + "/v1" + root + "/dir" );
-// driver.reset();
-// driver.assertComplete();
+ driver.assertComplete();
}
+ @Test
+ public void testCrossSiteRequestForgeryPreventionGET() throws IOException {
+ String root = "/tmp/GatewayWebHdfsFuncTest/testCrossSiteRequestForgeryPrevention";
+ String username = "hdfs";
+ String password = "hdfs-password";
+
+ driver.getMock( "WEBHDFS" )
+ .expect()
+ .method( "GET" )
+ .pathInfo( "/v1" + root + "/dir" )
+ .queryParam( "op", "LISTSTATUS" )
+ .queryParam( "user.name", username )
+ .respond()
+ .status( HttpStatus.SC_OK );
+ given()
+// .log().all()
+ .auth().preemptive().basic( username, password )
+// .header("X-XSRF-Header", "jksdhfkhdsf")
+ .queryParam( "op", "LISTSTATUS" )
+ .expect()
+// .log().all()
+ .statusCode( HttpStatus.SC_OK )
+ .when().get( driver.getUrl( "WEBHDFS" ) + "/v1" + root + "/dir" );
+// driver.reset();
+ driver.assertComplete();
+ }
}
\ No newline at end of file
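Review bot: The PUT test proves the gateway answers 400 but not that the request was dropped before reaching WebHDFS, which was the actual defect being fixed (the previous filter sent the error and then still continued the chain). Whether `driver.assertComplete()` on line 92 fails when the mock receives a request it had no expectation for is not visible here; if it does not, the test should additionally assert that the `WEBHDFS` mock saw zero requests, otherwise a regression to the old fall-through would still pass. The header-present path is also untested, so a legitimate client being locked out would go unnoticed; a third test that uncomments the `.header("X-XSRF-Header", "jksdhfkhdsf")` line against a PUT mock expecting MKDIRS would pin that, assuming the topology configures that header name as the commented-out line suggests. The two tests duplicate `root`, `username` and `password`; hoisting them to `private static final` constants is a small cleanup.
```java
@Test
public void testCrossSiteRequestForgeryPreventionPUTWithHeader() throws IOException {
  String root = "/tmp/GatewayWebHdfsFuncTest/testCrossSiteRequestForgeryPrevention";
  String username = "hdfs";
  String password = "hdfs-password";
  driver.getMock( "WEBHDFS" )
      .expect()
      .method( "PUT" )
      .pathInfo( "/v1" + root + "/dir" )
      .queryParam( "op", "MKDIRS" )
      .queryParam( "user.name", username )
      .respond()
      .status( HttpStatus.SC_OK );
  given()
      .auth().preemptive().basic( username, password )
      .header( "X-XSRF-Header", "jksdhfkhdsf" ) // header name must match the topology's CSRF provider config
      .queryParam( "op", "MKDIRS" )
      .expect()
      .statusCode( HttpStatus.SC_OK )
      .when().put( driver.getUrl( "WEBHDFS" ) + "/v1" + root + "/dir" );
  driver.assertComplete();
}
```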