This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 3ce8112e7 RANGER-3387: Added extra validation for handling PUT/POST 
requests coming from KNOX proxy with different CSRF header than the one set by 
the client
3ce8112e7 is described below

commit 3ce8112e723e65c93de092f6a14a418383abc8d0
Author: Sailaja Polavarapu <spolavar...@cloudera.com>
AuthorDate: Wed Jul 13 16:30:07 2022 -0700

    RANGER-3387: Added extra validation for handling PUT/POST requests coming 
from KNOX proxy with different CSRF header than the one set by the client
---
 .../web/filter/RangerCSRFPreventionFilter.java         | 18 ++++++++++++++----
 .../web/filter/RangerKRBAuthenticationFilter.java      |  8 +++++++-
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
index e02813fec..7cc7f5e63 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
@@ -151,7 +151,7 @@ public class RangerCSRFPreventionFilter implements Filter {
                void sendError(int code, String message) throws IOException;
        }       
        
-       public void handleHttpInteraction(HttpInteraction httpInteraction)
+       public void handleHttpInteraction(HttpInteraction httpInteraction, 
boolean spnegoEnabled, boolean trustedProxyEnabled)
                        throws IOException, ServletException {
 
                HttpSession session   = ((ServletFilterHttpInteraction) 
httpInteraction).getSession();
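Review bot: The two new parameters on the public `handleHttpInteraction` signature are undocumented, and their combination skips the CSRF token comparison entirely, which a caller needs to know before passing `true`. Add a Javadoc above the signature stating that the flags are expected to mirror the request-scoped attributes set by the upstream authentication filter, e.g. `@param spnegoEnabled true when the request was authenticated via SPNEGO (request attribute "spnegoEnabled")` and `@param trustedProxyEnabled true when the request arrived through the configured trusted proxy; together with spnegoEnabled this bypasses the CSRF token check`. The method body continues past the hunk.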
@@ -166,20 +166,30 @@ public class RangerCSRFPreventionFilter implements Filter 
{
                        }
                }
 
-               if (clientCsrfToken != null && 
clientCsrfToken.equals(actualCsrfToken)
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("actualCsrfToken = " + actualCsrfToken + " 
clientCsrfToken = " + clientCsrfToken +
+                                       "trustedProxy = " + trustedProxyEnabled 
+ " for " + ((ServletFilterHttpInteraction) 
httpInteraction).httpRequest.getRequestURI());
+               }
+               /* When the request is from Knox, then spnegoEnabled and 
trustedProxyEnabled are true.
+                * In this case Knox inserts XSRF header with proper value for 
POST & PUT requests and hence proceed with authentication filter
+                */
+               if ((spnegoEnabled && trustedProxyEnabled) || clientCsrfToken 
!= null && clientCsrfToken.equals(actualCsrfToken)
                                || 
!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))
                                || 
methodsToIgnore.contains(httpInteraction.getMethod())) {
                        httpInteraction.proceed();
                }else {
+                       LOG.error("Missing header or invalid Header value for 
CSRF Vulnerability Protection");
                        
httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,"Missing header or 
invalid Header value for CSRF Vulnerability Protection");
                }
        }
-       
+
        public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws IOException, ServletException {
                if (IS_CSRF_ENABLED) {
                        final HttpServletRequest httpRequest = 
(HttpServletRequest)request;
                    final HttpServletResponse httpResponse = 
(HttpServletResponse)response;
-                   handleHttpInteraction(new 
ServletFilterHttpInteraction(httpRequest, httpResponse, chain));
+                   Boolean spnegoEnabled = 
httpRequest.getAttribute("spnegoEnabled") != null ? 
Boolean.valueOf(String.valueOf(httpRequest.getAttribute("spnegoEnabled"))) : 
false;
+                   Boolean trustedProxyEnabled = 
httpRequest.getAttribute("trustedProxyEnabled") != null ? 
Boolean.valueOf(String.valueOf(httpRequest.getAttribute("trustedProxyEnabled")))
 : false;
+                   handleHttpInteraction(new 
ServletFilterHttpInteraction(httpRequest, httpResponse, chain), spnegoEnabled, 
trustedProxyEnabled);
                }else{
                        chain.doFilter(request, response);
                }
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index a8b8b34a4..db55e408d 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -370,7 +370,13 @@ public class RangerKRBAuthenticationFilter extends 
RangerKrbFilter {
 
                        boolean allowTrustedProxy = 
PropertiesUtil.getBooleanProperty(ALLOW_TRUSTED_PROXY, false);
 
-                       if (allowTrustedProxy && 
StringUtils.isNotEmpty(doAsUser) && existingAuth.isAuthenticated()
+                       if(isSpnegoEnable(authtype) && allowTrustedProxy && 
StringUtils.isNotEmpty(doAsUser)
+                                       && existingAuth != null && 
existingAuth.isAuthenticated()) {
+                               request.setAttribute("spnegoEnabled", true);
+                               request.setAttribute("trustedProxyEnabled", 
true);
+                       }
+       
+                       if (allowTrustedProxy && 
StringUtils.isNotEmpty(doAsUser) && existingAuth != null && 
existingAuth.isAuthenticated()
                                        && StringUtils.equals(action, 
RestUtil.TIMEOUT_ACTION)) {
                                HttpServletResponse httpResponse = 
(HttpServletResponse) response;
                                handleTimeoutRequest(httpRequest, httpResponse);
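Review bot: The attribute names `"spnegoEnabled"` and `"trustedProxyEnabled"` are written as bare literals here and again in RangerCSRFPreventionFilter.doFilter; since they form a contract between two filters, declare them once as `public static final String` constants (on whichever of the two classes both can reference) so a rename cannot silently desynchronise the producer and the consumer. The predicate `allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) && existingAuth != null && existingAuth.isAuthenticated()` is now evaluated twice back to back; hoist it into a local such as `boolean trustedProxyRequest = allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) && existingAuth != null && existingAuth.isAuthenticated();` and use it in both `if` statements. Because these attributes disable CSRF checking downstream, it would help to have a comment on the first `if` noting where the authenticated principal is confirmed to be the trusted proxy itself rather than any authenticated caller supplying `doAs` — presumably in RangerKrbFilter or the SPNEGO handshake, but that is not visible in this hunk. The added blank line after the new block carries trailing whitespace, and `if(` should be `if (` to match the surrounding code; the enclosing method starts and ends outside the hunk.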
