You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by gi...@apache.org on 2023/05/19 01:16:52 UTC
[druid] branch master updated: Revert PreResponseAuthorizationCheckFilter (#13813)
This is an automated email from the ASF dual-hosted git repository.
gian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new e9fed1445f Revert PreResponseAuthorizationCheckFilter (#13813)
e9fed1445f is described below
commit e9fed1445f2124b94fdba5976a90b7b52cd5baff
Author: imply-cheddar <86...@users.noreply.github.com>
AuthorDate: Fri May 19 10:16:43 2023 +0900
Revert PreResponseAuthorizationCheckFilter (#13813)
Make it permissive like it used to be again so that we
ensure that validation errors make it out.
---
.../PreResponseAuthorizationCheckFilter.java | 19 ++++-----------
.../PreResponseAuthorizationCheckFilterTest.java | 28 ++++++++++++++++++++++
2 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/server/src/main/java/org/apache/druid/server/security/PreResponseAuthorizationCheckFilter.java b/server/src/main/java/org/apache/druid/server/security/PreResponseAuthorizationCheckFilter.java
index d0f543a06d..97d3e05a5f 100644
--- a/server/src/main/java/org/apache/druid/server/security/PreResponseAuthorizationCheckFilter.java
+++ b/server/src/main/java/org/apache/druid/server/security/PreResponseAuthorizationCheckFilter.java
@@ -179,21 +179,10 @@ public class PreResponseAuthorizationCheckFilter implements Filter
private static boolean statusShouldBeHidden(int status)
{
- // We allow 404s (not found) to not be rewritten to forbidden because consistently returning 404s is a way to leak
- // less information when something wasn't able to be done anyway. I.e. if we pretend that the thing didn't exist
- // when the authorization fails, then there is no information about whether the thing existed. If we return
- // a 403 when authorization fails and a 404 when authorization succeeds, but it doesn't exist, then we have
- // leaked that it could maybe exist, if the authentication credentials were good.
- //
- // We also allow 307s (temporary redirect) to not be hidden as they are used to redirect to the leader.
- switch (status) {
- case HttpServletResponse.SC_FORBIDDEN:
- case HttpServletResponse.SC_NOT_FOUND:
- case HttpServletResponse.SC_TEMPORARY_REDIRECT:
- return false;
- default:
- return true;
- }
+ // Hide any 200s because a 200 response could contain stuff that we don't want seen, so we hide that. It's also
+ // possible that errors can leak information, but that's something we cannot truly fix here. We choose to let
+ // those error messages through because this filter values giving the user good feedback instead.
+ return status / 100 == 2;
}
public static void sendJsonError(HttpServletResponse resp, int error, String errorJson, OutputStream outputStream)
diff --git a/server/src/test/java/org/apache/druid/server/http/security/PreResponseAuthorizationCheckFilterTest.java b/server/src/test/java/org/apache/druid/server/http/security/PreResponseAuthorizationCheckFilterTest.java
index b8b2f21fc4..2cb4361bc2 100644
--- a/server/src/test/java/org/apache/druid/server/http/security/PreResponseAuthorizationCheckFilterTest.java
+++ b/server/src/test/java/org/apache/druid/server/http/security/PreResponseAuthorizationCheckFilterTest.java
@@ -106,6 +106,34 @@ public class PreResponseAuthorizationCheckFilterTest
Assert.assertEquals(403, resp.getStatus());
}
+ @Test
+ public void testMissingAuthorizationCheck401ResponseAndNotCommitted() throws ServletException, IOException
+ {
+ EmittingLogger.registerEmitter(new NoopServiceEmitter());
+
+ AuthenticationResult authenticationResult = new AuthenticationResult("so-very-valid", "so-very-valid", null, null);
+
+ MockHttpServletRequest req = new MockHttpServletRequest();
+ req.requestUri = "uri";
+ req.method = "GET";
+ req.remoteAddr = "1.2.3.4";
+ req.remoteHost = "aHost";
+
+ MockHttpServletResponse resp = new MockHttpServletResponse();
+ resp.setStatus(401);
+
+ req.attributes.put(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
+
+ PreResponseAuthorizationCheckFilter filter = new PreResponseAuthorizationCheckFilter(
+ authenticators,
+ new DefaultObjectMapper()
+ );
+ filter.doFilter(req, resp, (request, response) -> {
+ });
+
+ Assert.assertEquals(401, resp.getStatus());
+ }
+
@Test
public void testMissingAuthorizationCheckWithForbidden() throws Exception
{
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org