This is an automated email from the ASF dual-hosted git repository.
lmccay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 85c5557f0 KNOX-3103 - Move RegEx Tests from KnoxSSO module to
RegExUtils (#998)
85c5557f0 is described below
commit 85c5557f0c2d30ef31fc60829759f11fce69e168
Author: lmccay <[email protected]>
AuthorDate: Thu Feb 27 09:43:44 2025 -0500
KNOX-3103 - Move RegEx Tests from KnoxSSO module to RegExUtils (#998)
* KNOX-3100 - RemoteAuthProvider to accept multiple group headers
---
.../service/knoxsso/WebSSOResourceTest.java | 82 ----------------
.../apache/knox/gateway/util/RegExUtilsTest.java | 106 +++++++++++++++++++++
2 files changed, 106 insertions(+), 82 deletions(-)
diff --git
a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
index de0a51940..5cee80579 100644
---
a/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
+++
b/gateway-service-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
@@ -28,7 +28,6 @@ import static org.junit.Assert.assertTrue;
import java.lang.reflect.Field;
import java.net.HttpCookie;
-import java.net.MalformedURLException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
@@ -67,7 +66,6 @@ import
org.apache.knox.gateway.services.security.token.TokenUtils;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.session.control.ConcurrentSessionVerifier;
-import org.apache.knox.gateway.util.RegExUtils;
import org.easymock.EasyMock;
import org.junit.Assert;
import org.junit.BeforeClass;
@@ -107,86 +105,6 @@ public class WebSSOResourceTest {
gatewayPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
}
- @Test
- public void testWhitelistMatching() {
- String whitelist = "^https?://.*example.com:8080/.*$;" +
- "^https?://.*example.com/.*$;" +
- "^https?://.*example2.com:\\d{0,9}/.*$;" +
- "^https://.*example3.com:\\d{0,9}/.*$;" +
- "^https?://localhost:\\d{0,9}/.*$;^/.*$";
-
- // match on explicit hostname/domain and port
- Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example.com:8080/"));
- // match on non-required port
- Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example.com/"));
- // match on required but any port
- Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example2.com:1234/"));
- // fail on missing port
- assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example2.com/"));
- // fail on invalid port
- assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example.com:8081/"));
- // fail on alphanumeric port
- assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example.com:A080/"));
- // fail on invalid hostname/domain
- assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example.net:8080/"));
- // fail on required port
- assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example2.com/"));
- // fail on required https
- assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
- "http://host.example3.com/"));
- // match on localhost and port
- Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
- "http://localhost:8080/"));
- // match on local/relative path
- Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
- "/local/resource/"));
- }
-
- @Test
- public void testWhitelistMatchingAgainstBaseURL() throws
MalformedURLException {
- Assert.assertTrue("Failed to match whitelist",
-
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
- "https://KNOX_GW_DOMAIN"));
- Assert.assertTrue("Failed to match whitelist",
-
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
- "https://KNOX_GW_DOMAIN?a=1&b=2"));
- Assert.assertTrue("Failed to match whitelist",
-
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
- "https://KNOX_GW_DOMAIN?a=1&b=2"));
- Assert.assertTrue("Failed to match whitelist",
-
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
- "https://KNOX_GW_DOMAIN/path1/path2/path/3?a=1&b=2"));
- Assert.assertFalse("Inappropriately matched whitelist",
-
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
- "https://google.com?https://KNOX_GW_DOMAIN"));
- Assert.assertFalse("Inappropriately matched whitelist",
-
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
- "https://google.com/https://KNOX_GW_DOMAIN"));
- }
-
- @Test
- public void testMaliciousOriginalUrl() throws Exception {
- String whitelist =
"^(?!.*([<>\"'`{}|\\\\^]|<script|%3cscript|javascript:|data:|alert\\(|onclick=))(^https?://.*example.com/.*)$";
-
- // make sure it is malicious and therefore does NOT match
- assertFalse(RegExUtils.checkWhitelist(whitelist,
"https://example.com/path?param=%3e%3cscript%3e"));
- // make sure it matches because it is not malicious
- assertTrue(RegExUtils.checkWhitelist(whitelist,
"https://example.com/path"));
- }
-
- @Test(expected = MalformedURLException.class)
- public void testMalformedOriginalUrl() throws MalformedURLException {
- RegExUtils.checkBaseUrlAgainstWhitelist(".*",
"https://localhost:5003gateway/homepage/home/");
- }
-
private void configureCommonExpectations(Map<String, String>
contextExpectations) throws Exception {
configureCommonExpectations(contextExpectations, false, false, true);
}
diff --git
a/gateway-util-common/src/test/java/org/apache/knox/gateway/util/RegExUtilsTest.java
b/gateway-util-common/src/test/java/org/apache/knox/gateway/util/RegExUtilsTest.java
new file mode 100644
index 000000000..57af9b015
--- /dev/null
+++
b/gateway-util-common/src/test/java/org/apache/knox/gateway/util/RegExUtilsTest.java
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.util;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.net.MalformedURLException;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class RegExUtilsTest {
+
+ @Test
+ public void testWhitelistMatching() {
+ String whitelist = "^https?://.*example.com:8080/.*$;" +
+ "^https?://.*example.com/.*$;" +
+ "^https?://.*example2.com:\\d{0,9}/.*$;" +
+ "^https://.*example3.com:\\d{0,9}/.*$;" +
+ "^https?://localhost:\\d{0,9}/.*$;^/.*$";
+
+ // match on explicit hostname/domain and port
+ Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example.com:8080/"));
+ // match on non-required port
+ Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example.com/"));
+ // match on required but any port
+ Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example2.com:1234/"));
+ // fail on missing port
+ assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example2.com/"));
+ // fail on invalid port
+ assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example.com:8081/"));
+ // fail on alphanumeric port
+ assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example.com:A080/"));
+ // fail on invalid hostname/domain
+ assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example.net:8080/"));
+ // fail on required port
+ assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example2.com/"));
+ // fail on required https
+ assertFalse("Matched whitelist inappropriately",
RegExUtils.checkWhitelist(whitelist,
+ "http://host.example3.com/"));
+ // match on localhost and port
+ Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
+ "http://localhost:8080/"));
+ // match on local/relative path
+ Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkWhitelist(whitelist,
+ "/local/resource/"));
+ }
+
+ @Test
+ public void testWhitelistMatchingAgainstBaseURL() throws
MalformedURLException {
+ Assert.assertTrue("Failed to match whitelist",
+
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
+ "https://KNOX_GW_DOMAIN"));
+ Assert.assertTrue("Failed to match whitelist",
+
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
+ "https://KNOX_GW_DOMAIN?a=1&b=2"));
+ Assert.assertTrue("Failed to match whitelist",
+
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
+ "https://KNOX_GW_DOMAIN/path1/path2/path/3?a=1&b=2"));
+ Assert.assertFalse("Inappropriately matched whitelist",
+
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
+ "https://google.com?https://KNOX_GW_DOMAIN"));
+ Assert.assertFalse("Inappropriately matched whitelist",
+
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
+ "https://google.com/https://KNOX_GW_DOMAIN"));
+ }
+
+ @Test
+ public void testMaliciousOriginalUrl() throws Exception {
+ String whitelist =
"^(?!.*([<>\"'`{}|\\\\^]|<script|%3cscript|javascript:|data:|alert\\(|onclick=))(^https?://.*example.com/.*)$";
+
+ // make sure it is malicious and therefore does NOT match
+ assertFalse(RegExUtils.checkWhitelist(whitelist,
"https://example.com/path?param=%3e%3cscript%3e"));
+ // make sure it matches because it is not malicious
+ assertTrue(RegExUtils.checkWhitelist(whitelist,
"https://example.com/path"));
+ }
+
+ @Test(expected = MalformedURLException.class)
+ public void testMalformedOriginalUrl() throws MalformedURLException {
+ RegExUtils.checkBaseUrlAgainstWhitelist(".*",
"https://localhost:5003gateway/homepage/home/");
+ }
+}
\ No newline at end of file
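Review bot: The `// fail on required https` case in `testWhitelistMatching` does not isolate the scheme check: its input `http://host.example3.com/` has no port, while the only example3 pattern requires `:\\d{0,9}/`, so the assertion would still pass if that pattern were loosened to `https?`. Using `"http://host.example3.com:1234/"` there, ideally paired with an `https://` positive on the same host and port, would pin the https requirement; the `// fail on required port` case also repeats the `// fail on missing port` input exactly and adds no coverage. Because these fixtures read as model redirect-whitelist patterns, note that the dots in `example.com` are unescaped and `.*` precedes the domain, and that no negative case covers a look-alike host or the domain appearing only in the path. A comment such as `// patterns exercise matcher mechanics only; production whitelists should escape dots and anchor the host` would keep them from being copied as-is.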