This is an automated email from the ASF dual-hosted git repository. spolavarapu pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 3ce8112e7 RANGER-3387: Added extra validation for handling PUT/POST requests coming from KNOX proxy with different CSRF header than the one set by the client 3ce8112e7 is described below commit 3ce8112e723e65c93de092f6a14a418383abc8d0 Author: Sailaja Polavarapu <spolavar...@cloudera.com> AuthorDate: Wed Jul 13 16:30:07 2022 -0700 RANGER-3387: Added extra validation for handling PUT/POST requests coming from KNOX proxy with different CSRF header than the one set by the client --- .../web/filter/RangerCSRFPreventionFilter.java | 18 ++++++++++++++---- .../web/filter/RangerKRBAuthenticationFilter.java | 8 +++++++- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java index e02813fec..7cc7f5e63 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java @@ -151,7 +151,7 @@ public class RangerCSRFPreventionFilter implements Filter { void sendError(int code, String message) throws IOException; } - public void handleHttpInteraction(HttpInteraction httpInteraction) + public void handleHttpInteraction(HttpInteraction httpInteraction, boolean spnegoEnabled, boolean trustedProxyEnabled) throws IOException, ServletException { HttpSession session = ((ServletFilterHttpInteraction) httpInteraction).getSession(); 
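Review bot: The widened public signature `handleHttpInteraction(HttpInteraction httpInteraction, boolean spnegoEnabled, boolean trustedProxyEnabled)` takes two adjacent booleans with no Javadoc, so a call such as `handleHttpInteraction(i, true, false)` gives the reader no hint which flag is which. Add a Javadoc stating that both flags are read from the `spnegoEnabled` / `trustedProxyEnabled` request attributes set by RangerKRBAuthenticationFilter and that the CSRF token check is skipped only when both are true. Any caller of the old single-argument form (tests included) must be updated, since no overload is kept. The method body continues past this hunk.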
@@ -166,20 +166,30 @@ public class RangerCSRFPreventionFilter implements Filter { } } - if (clientCsrfToken != null && clientCsrfToken.equals(actualCsrfToken) + if (LOG.isDebugEnabled()) { + LOG.debug("actualCsrfToken = " + actualCsrfToken + " clientCsrfToken = " + clientCsrfToken + + "trustedProxy = " + trustedProxyEnabled + " for " + ((ServletFilterHttpInteraction) httpInteraction).httpRequest.getRequestURI()); + } + /* When the request is from Knox, then spnegoEnabled and trustedProxyEnabled are true. + * In this case Knox inserts XSRF header with proper value for POST & PUT requests and hence proceed with authentication filter + */ + if ((spnegoEnabled && trustedProxyEnabled) || clientCsrfToken != null && clientCsrfToken.equals(actualCsrfToken) || !isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT)) || methodsToIgnore.contains(httpInteraction.getMethod())) { httpInteraction.proceed(); }else { + LOG.error("Missing header or invalid Header value for CSRF Vulnerability Protection"); httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,"Missing header or invalid Header value for CSRF Vulnerability Protection"); } } - + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (IS_CSRF_ENABLED) { final HttpServletRequest httpRequest = (HttpServletRequest)request; final HttpServletResponse httpResponse = (HttpServletResponse)response; - handleHttpInteraction(new ServletFilterHttpInteraction(httpRequest, httpResponse, chain)); + Boolean spnegoEnabled = httpRequest.getAttribute("spnegoEnabled") != null ? Boolean.valueOf(String.valueOf(httpRequest.getAttribute("spnegoEnabled"))) : false; + Boolean trustedProxyEnabled = httpRequest.getAttribute("trustedProxyEnabled") != null ? 
Boolean.valueOf(String.valueOf(httpRequest.getAttribute("trustedProxyEnabled"))) : false; + handleHttpInteraction(new ServletFilterHttpInteraction(httpRequest, httpResponse, chain), spnegoEnabled, trustedProxyEnabled); }else{ chain.doFilter(request, response); } diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java index a8b8b34a4..db55e408d 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java @@ -370,7 +370,13 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter { boolean allowTrustedProxy = PropertiesUtil.getBooleanProperty(ALLOW_TRUSTED_PROXY, false); - if (allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) && existingAuth.isAuthenticated() + if(isSpnegoEnable(authtype) && allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) + && existingAuth != null && existingAuth.isAuthenticated()) { + request.setAttribute("spnegoEnabled", true); + request.setAttribute("trustedProxyEnabled", true); + } + + if (allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) && existingAuth != null && existingAuth.isAuthenticated() && StringUtils.equals(action, RestUtil.TIMEOUT_ACTION)) { HttpServletResponse httpResponse = (HttpServletResponse) response; handleTimeoutRequest(httpRequest, httpResponse);
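Review bot: The new debug line writes the values of `actualCsrfToken` and `clientCsrfToken` to the log; the session's CSRF token is a secret and should not be persisted in log files even at debug level, so log the comparison result instead, e.g. `LOG.debug("csrfTokenMatch=" + (clientCsrfToken != null && clientCsrfToken.equals(actualCsrfToken)) + " trustedProxy=" + trustedProxyEnabled + " for " + ((ServletFilterHttpInteraction) httpInteraction).httpRequest.getRequestURI());` (the current string also lacks a space before `trustedProxy = `, so the token value runs into the label). In `doFilter`, the two boxed `Boolean` locals with null-check ternaries can each become a primitive, e.g. `boolean spnegoEnabled = Boolean.parseBoolean(String.valueOf(httpRequest.getAttribute("spnegoEnabled")));`, which yields false for an absent attribute. Since the `(spnegoEnabled && trustedProxyEnabled)` term is evaluated before the token, user-agent and method checks, the exemption's safety rests entirely on who sets those request attributes; wrapping the token comparison in its own parentheses would also make the precedence of the mixed `||`/`&&` chain explicit.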
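Review bot: The new branch marks a request as trusted-proxy traffic, and therefore exempt from the downstream CSRF token check, when trusted proxy is enabled, a `doAsUser` is present and the existing authentication is authenticated, but nothing in the hunk verifies that the authenticated principal is actually the configured proxy (Knox); if `doAsUser` originates from the request itself, an ordinary authenticated browser session that carries it would also skip CSRF validation. Consider adding the proxy-identity condition the filter uses elsewhere, e.g. `&& isProxyPrincipal(existingAuth)` (placeholder name for the existing check), before the two `setAttribute` calls, and hoisting the repeated `allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) && existingAuth != null && existingAuth.isAuthenticated()` into a local so both `if`s share it. The attribute names `"spnegoEnabled"` and `"trustedProxyEnabled"` are now string literals in two classes; a shared constant would prevent them drifting apart. The enclosing method starts and ends outside this hunk, so an earlier check may already cover the proxy identity.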