Repository: knox Updated Branches: refs/heads/master 0a9f33b03 -> 9c65733f0
KNOX-615 Domain Cookies cannot Wildcard IP Addresses Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/9c65733f Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/9c65733f Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/9c65733f Branch: refs/heads/master Commit: 9c65733f0fb419e88b3ffc84714155555266952b Parents: 0a9f33b Author: Larry McCay <lmc...@hortonworks.com> Authored: Tue Oct 27 12:45:14 2015 -0400 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Tue Oct 27 12:45:14 2015 -0400 ---------------------------------------------------------------------- gateway-service-knoxsso/pom.xml | 11 +++++- .../gateway/service/knoxsso/WebSSOResource.java | 15 +++++++- .../service/knoxsso/WebSSOResourceTest.java | 40 ++++++++++++++++++++ .../org/apache/hadoop/gateway/util/Urls.java | 12 ++++++ 4 files changed, 75 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/pom.xml ---------------------------------------------------------------------- diff --git a/gateway-service-knoxsso/pom.xml b/gateway-service-knoxsso/pom.xml index a138ce6..b3c2d92 100644 --- a/gateway-service-knoxsso/pom.xml +++ b/gateway-service-knoxsso/pom.xml @@ -50,5 +50,14 @@ <artifactId>junit</artifactId> <scope>test</scope> </dependency> - </dependencies> + <dependency> + <groupId>org.apache.knox</groupId> + <artifactId>gateway-test-utils</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.easymock</groupId> + <artifactId>easymock</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project> http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java ---------------------------------------------------------------------- 
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java index 644d650..475e39b 100644 --- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java +++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java @@ -40,6 +40,7 @@ import org.apache.hadoop.gateway.services.GatewayServices; import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority; import org.apache.hadoop.gateway.services.security.token.TokenServiceException; import org.apache.hadoop.gateway.services.security.token.impl.JWT; +import org.apache.hadoop.gateway.util.Urls; import static javax.ws.rs.core.MediaType.APPLICATION_JSON; import static javax.ws.rs.core.MediaType.APPLICATION_XML; @@ -184,14 +185,24 @@ public class WebSSOResource { response.addCookie(c); } - private String getDomainName(String url) throws URISyntaxException { + String getDomainName(String url) throws URISyntaxException { URI uri = new URI(url); String domain = uri.getHost(); + // if accessing via ip address do not wildcard the cookie domain + if (Urls.isIp(domain)) { + return domain; + } + if (Urls.dotOccurrences(domain) < 2) { + if (!domain.startsWith(".")) { + domain = "." + domain; + } + return domain; + } int idx = domain.indexOf('.'); if (idx == -1) { idx = 0; } - return domain.startsWith("www.") ? domain.substring(4) : domain.substring(idx); + return domain.substring(idx); } private String getCookieValue(HttpServletRequest request, String name) { http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java ---------------------------------------------------------------------- 
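Review bot: `uri.getHost()` is used in `getDomainName` without a null check, so a URL whose authority java.net.URI cannot parse as a server (for example a host name containing `_`, or a URL with no authority) now fails with a NullPointerException inside `Urls.isIp`; a guard before the IP test such as `if (domain == null) { throw new URISyntaxException(url, "no host in URL"); }` keeps the failure within the declared exception. The new IP branch is IPv4-only: for `http://[::1]` getHost() returns the bracketed literal, `isIp` is false, and the `dotOccurrences(domain) < 2` branch yields `.[::1]`, which is not a usable cookie Domain. The label-stripping rule has no notion of public suffixes either, so a gateway reached as `example.co.uk` (constructed example) would request Domain `.co.uk`, which browsers refuse, and the SSO cookie would silently not be set; a comment stating this limit, or a configurable cookie domain, would help. After the early return for fewer than two dots, `idx == -1` can no longer be true, so that `if` is dead code.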
diff --git a/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java b/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
new file mode 100644
index 0000000..769e497
--- /dev/null
+++ b/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.service.knoxsso;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class WebSSOResourceTest {
+ @Test
+ public void testDomainNameCreation() throws Exception {
+ WebSSOResource resource = new WebSSOResource();
+ // determine parent domain and wildcard the cookie domain with a dot prefix
+ Assert.assertTrue(resource.getDomainName("http://www.local.com").equals(".local.com"));
+ Assert.assertTrue(resource.getDomainName("http://ljm.local.com").equals(".local.com"));
+ Assert.assertTrue(resource.getDomainName("http://local.home").equals(".local.home"));
+ Assert.assertTrue(resource.getDomainName("http://localhost").equals(".localhost")); // chrome may not allow this
+ Assert.assertTrue(resource.getDomainName("http://local.home.test.com").equals(".home.test.com"));
+
+ // ip addresses can not be wildcarded - may be a completely different domain
+ Assert.assertTrue(resource.getDomainName("http://127.0.0.1").equals("127.0.0.1"));
+ }
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
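Review bot: The assertions in `testDomainNameCreation` are written as `Assert.assertTrue(a.equals(b))`, which reports nothing about the computed value when it fails; `Assert.assertEquals(".local.com", resource.getDomainName("http://www.local.com"));` would print the cookie domain that was actually produced. The cases pin only well-formed host names and one IPv4 address. An IPv6 literal, a URL with no host, and a host directly under a multi-label suffix are the inputs where the derived cookie scope is most likely to be wrong, and none of them is covered.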
---------------------------------------------------------------------- diff --git a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java index b30a0ef..5255e3a 100644 --- a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java +++ b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java @@ -17,6 +17,9 @@ */ package org.apache.hadoop.gateway.util; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + /** * */ @@ -54,4 +57,13 @@ public class Urls { } } + public static boolean isIp(String domain) { + Pattern p = Pattern.compile("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"); + Matcher m = p.matcher(domain); + return m.find(); + } + + public static int dotOccurrences(String domain) { + return domain.length() - domain.replace(".", "").length(); + } }
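Review bot: `isIp` tests with `m.find()` against a `^…$` pattern, and in Java `$` also matches just before a trailing line terminator, so a string such as `"127.0.0.1\n"` is accepted as an IP address; `matches()` requires the whole input to match and is the safer test for a public validator. The pattern is also recompiled on every call and a null argument throws from `p.matcher(domain)`; hoisting the expression into a `private static final Pattern` constant (say `IPV4`) and returning `domain != null && IPV4.matcher(domain).matches()` covers both. Both new methods are public and undocumented: a short Javadoc should state that `isIp` recognises dotted-quad IPv4 only, and that `dotOccurrences` counts `.` characters and expects a non-null argument.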