Posted to commits@knox.apache.org by kr...@apache.org on 2019/08/25 16:55:54 UTC

[knox] branch master updated: KNOX-1934 - Setting the default value of knoxsso.cookie.secure.only based on ssl.enabled flag in gateway-site.xml (#134)

This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 9ae8d4e  KNOX-1934 - Setting the default value of knoxsso.cookie.secure.only based on ssl.enabled flag in gateway-site.xml (#134)
9ae8d4e is described below

commit 9ae8d4e85c84ab6167a9c92d25006c46111babb3
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Sun Aug 25 18:55:50 2019 +0200

    KNOX-1934 - Setting the default value of knoxsso.cookie.secure.only based on ssl.enabled flag in gateway-site.xml (#134)
---
 gateway-release/home/conf/topologies/knoxsso.xml   |  2 +
 gateway-service-knoxsso/pom.xml                    |  5 +-
 .../gateway/service/knoxsso/WebSSOResource.java    | 11 ++-
 .../service/knoxsso/WebSSOResourceTest.java        | 88 +++++++++++++++++++---
 4 files changed, 91 insertions(+), 15 deletions(-)

diff --git a/gateway-release/home/conf/topologies/knoxsso.xml b/gateway-release/home/conf/topologies/knoxsso.xml
index a679600..d669827 100644
--- a/gateway-release/home/conf/topologies/knoxsso.xml
+++ b/gateway-release/home/conf/topologies/knoxsso.xml
@@ -103,10 +103,12 @@
 
     <service>
         <role>KNOXSSO</role>
+        <!--
         <param>
             <name>knoxsso.cookie.secure.only</name>
             <value>true</value>
         </param>
+         -->
         <param>
             <name>knoxsso.token.ttl</name>
             <value>-1</value>
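Review bot: The commented-out `knoxsso.cookie.secure.only` block carries no explanation, so an operator reading this topology cannot tell that the effective value now follows `ssl.enabled` in gateway-site.xml. I would put a short comment above it, e.g. `<!-- When unset, defaults to the value of ssl.enabled in gateway-site.xml; uncomment to force the Secure flag on the SSO cookie. -->`. This matters most where TLS is terminated in front of the gateway and `ssl.enabled` is false: judging by the WebSSOResource change in this commit, such a deployment would now get an SSO cookie without the Secure flag from the shipped default topology. The enclosing `<service>` element continues outside this hunk.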
diff --git a/gateway-service-knoxsso/pom.xml b/gateway-service-knoxsso/pom.xml
index 90c510b..11d0905 100644
--- a/gateway-service-knoxsso/pom.xml
+++ b/gateway-service-knoxsso/pom.xml
@@ -72,7 +72,10 @@
             <groupId>javax.servlet</groupId>
             <artifactId>javax.servlet-api</artifactId>
         </dependency>
-
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.knox</groupId>
             <artifactId>gateway-test-utils</artifactId>
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
index 7d4dabf..54a315f 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
@@ -44,7 +44,9 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.WebApplicationException;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.audit.log4j.audit.Log4jAuditor;
+import org.apache.knox.gateway.config.GatewayConfig;
 import org.apache.knox.gateway.i18n.messages.MessagesFactory;
 import org.apache.knox.gateway.services.ServiceType;
 import org.apache.knox.gateway.services.GatewayServices;
@@ -133,8 +135,13 @@ public class WebSSOResource {
       cookieName = DEFAULT_SSO_COOKIE_NAME;
     }
 
-    String secure = context.getInitParameter(SSO_COOKIE_SECURE_ONLY_INIT_PARAM);
-    secureOnly = Boolean.parseBoolean(secure);
+    final String secure = context.getInitParameter(SSO_COOKIE_SECURE_ONLY_INIT_PARAM);
+    if (StringUtils.isBlank(secure)) {
+      final GatewayConfig config = (GatewayConfig) request.getServletContext().getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
+      secureOnly = config.isSSLEnabled();
+    } else {
+      secureOnly = Boolean.parseBoolean(secure);
+    }
     if (!secureOnly) {
       log.cookieSecureOnly(secureOnly);
     }
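Review bot: The fallback branch dereferences `config` without a null check, so if the `GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE` attribute is missing from the servlet context this method fails with a NullPointerException. Because this value decides whether the SSO cookie carries the Secure flag, the safer default when the config cannot be read is true: `secureOnly = config == null || config.isSSLEnabled();`. The lookup also goes through `request.getServletContext()` while the line above reads the init parameter from `context`; `context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)` would keep the two consistent, assuming both refer to the same servlet context. A non-blank value that is not "true" (a typo, or "yes") still goes through `Boolean.parseBoolean` and silently turns the Secure flag off, which is worth at least a log line. The enclosing method starts and ends outside this hunk.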
diff --git a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
index 40d268f..b7f143e 100644
--- a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
+++ b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
@@ -136,6 +136,7 @@ public class WebSSOResourceTest {
   public void testGetToken() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -188,6 +189,7 @@ public class WebSSOResourceTest {
   public void testAudiences() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -246,6 +248,7 @@ public class WebSSOResourceTest {
   public void testAudiencesWhitespace() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -304,6 +307,7 @@ public class WebSSOResourceTest {
   public void testSignatureAlgorithm() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -358,6 +362,7 @@ public class WebSSOResourceTest {
   public void testDefaultTTL() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -414,6 +419,7 @@ public class WebSSOResourceTest {
   @Test
   public void testCustomTTL() throws Exception {
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -472,6 +478,7 @@ public class WebSSOResourceTest {
   public void testNegativeTTL() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -526,9 +533,61 @@ public class WebSSOResourceTest {
   }
 
   @Test
+  public void shouldMatchKnoxSsoSecureOnlyWithSslEnabledInCaseKnoxSsoSecureOnlyIsNotSet() throws Exception {
+    testSecureOnly(false, null, false);
+    testSecureOnly(true, null, true);
+  }
+
+  @Test
+  public void shouldUseKnoxSsoSecureOnlyInCaseKnoxSsoSecureOnlyIsSet() throws Exception {
+    testSecureOnly(false, Boolean.TRUE, true);
+    testSecureOnly(true, Boolean.FALSE, false);
+  }
+
+  private void testSecureOnly(boolean sslEnabled, Boolean knoxSsoCookieSecureOnly, boolean expectedknoxSsoSecureOnly) throws Exception {
+    final ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig(sslEnabled)).anyTimes();
+    EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(knoxSsoCookieSecureOnly == null ? null : knoxSsoCookieSecureOnly.toString());
+
+    final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+    EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
+    EasyMock.expect(request.getParameterMap()).andReturn(Collections.emptyMap());
+    EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
+
+    final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+    ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
+    CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
+
+    final Principal principal = EasyMock.createNiceMock(Principal.class);
+    EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
+    EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
+
+    final GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
+    EasyMock.expect(services.getService(ServiceType.TOKEN_SERVICE)).andReturn(new TestJWTokenAuthority(gatewayPublicKey, gatewayPrivateKey));
+    EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
+
+    EasyMock.replay(context, request, services);
+
+    final WebSSOResource webSSOResponse = new WebSSOResource();
+    webSSOResponse.request = request;
+    webSSOResponse.response = responseWrapper;
+    webSSOResponse.context = context;
+    webSSOResponse.init();
+
+    // Issue a token
+    webSSOResponse.doGet();
+
+    // Check the cookie
+    final Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
+    assertNotNull(cookie);
+    assertEquals(expectedknoxSsoSecureOnly, cookie.getSecure());
+  }
+
+  @Test
   public void testOverflowTTL() throws Exception {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
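Review bot: In `testSecureOnly` the `principal` mock is never passed to `EasyMock.replay`, so it stays in record state and `getName()` will most likely return null rather than "alice"; `EasyMock.replay(principal, context, request, services);` fixes that. The helper also takes a `Boolean`, so the new `StringUtils.isBlank` branch is only exercised with null: an empty or whitespace-only init parameter, and a non-boolean value such as "yes" (which `Boolean.parseBoolean` maps to false and so drops the Secure flag), are not covered. Passing the raw `String` parameter value instead would let the test pin those cases. The hunk ends inside `testOverflowTTL`, whose body continues outside it.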
@@ -584,13 +643,8 @@ public class WebSSOResourceTest {
 
   @Test
   public void testWhitelistValidationWithEncodedOriginalURL() throws Exception {
-    GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
-    EasyMock.expect(config.getDispatchWhitelistServices()).andReturn(Collections.emptyList()).anyTimes();
-    EasyMock.expect(config.getDispatchWhitelist()).andReturn(null).anyTimes();
-    EasyMock.replay(config);
-
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
-    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(config).anyTimes();
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -639,16 +693,25 @@ public class WebSSOResourceTest {
     }
   }
 
-  @Test
-  public void testTopologyDefinedWhitelist() throws Exception {
-    final String testServiceRole = "TEST";
+  private GatewayConfig expectGatewayConfig() {
+    return expectGatewayConfig(true);
+  }
 
-    GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
-    EasyMock.expect(config.getDispatchWhitelistServices()).andReturn(Collections.singletonList(testServiceRole)).anyTimes();
+  private GatewayConfig expectGatewayConfig(boolean sslEnabled) {
+    final GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
+    EasyMock.expect(config.getDispatchWhitelistServices()).andReturn(Collections.emptyList()).anyTimes();
     EasyMock.expect(config.getDispatchWhitelist()).andReturn(null).anyTimes();
+    EasyMock.expect(config.isSSLEnabled()).andReturn(sslEnabled).anyTimes();
     EasyMock.replay(config);
+    return config;
+  }
+
+  @Test
+  public void testTopologyDefinedWhitelist() throws Exception {
+    final String testServiceRole = "TEST";
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
@@ -657,7 +720,6 @@ public class WebSSOResourceTest {
     EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn("60000");
     EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
-    EasyMock.expect(context.getAttribute("org.apache.knox.gateway.config")).andReturn(config).anyTimes();
 
     HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
     EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
@@ -710,6 +772,7 @@ public class WebSSOResourceTest {
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
     EasyMock.expect(context.getInitParameter("knoxsso.expected.params")).andReturn("knoxtoken,originalUrl");
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
 
     ServletContext contextNoParam = EasyMock.createNiceMock(ServletContext.class);
 
@@ -807,6 +870,7 @@ public class WebSSOResourceTest {
     RSAPrivateKey customPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
 
     ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+    EasyMock.expect(context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE)).andReturn(expectGatewayConfig()).anyTimes();
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
     EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);