[ https://issues.apache.org/jira/browse/KNOX-3001?focusedWorklogId=900193&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-900193 ]
ASF GitHub Bot logged work on KNOX-3001:
----------------------------------------

Author: ASF GitHub Bot
Created on: 17/Jan/24 18:18
Start Date: 17/Jan/24 18:18
Worklog Time Spent: 10m

Work Description:
smolnar82 opened a new pull request, #834:
URL: https://github.com/apache/knox/pull/834

## What changes were proposed in this pull request?

As described in [KNOX-3001](https://issues.apache.org/jira/browse/KNOX-3001), if the shared provider, descriptor, service, or application originally contains XML-escaped values, Knox will persist topologies in a way such that those already escaped values become doubly-escaped. To avoid this issue the following was implemented:

- unescape the value first
- escape the unescaped result

## How was this patch tested?

I updated existing JUnit tests where a shared provider config contains both a single `&` and an escaped `&` in its .json file. The test then proves the generated XML is parsed properly and contains the desired `&` value in the SAX document.

I also ran integration tests with the following shared-provider and descriptor files:

```
$ cat conf/shared-providers/smolnar.json
{
  "providers" : [ {
    "role" : "webappsec",
    "name" : "WebAppSec",
    "enabled" : true,
    "params" : {
      "xframe.options.enabled" : "true"
    }
  }, {
    "role" : "authentication",
    "name" : "ShiroProvider",
    "enabled" : true,
    "params" : {
      "main.ldapContextFactory" : "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
      "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
      "main.ldapRealm.authenticationCachingEnabled" : "false",
      "main.ldapRealm.contextFactory" : "$ldapContextFactory",
      "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
      "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389",
      "main.ldapRealm.userDnTemplate" : "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
      "main.ldapRealm.userSearchFilter" : "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
      "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
      "restrictedCookies" : "rememberme,WWW-Authenticate",
      "sessionTimeout" : "30",
      "urls./**" : "authcBasic"
    }
  }, {
    "role" : "identity-assertion",
    "name" : "Default",
    "enabled" : true,
    "params" : { }
  } ],
  "readOnly" : true
}

$ cat conf/descriptors/smolnar.json
{
  "provider-config-ref": "smolnar",
  "services": [ {
    "name": "KNOXSSO",
    "params": {
      "knoxsso.token.ttl": "86400000",
      "knoxsso.token.sigalg": "",
      "knoxsso.redirect.whitelist.regex": "^https?:\\/\\/(.*smolnar\\.root\\.xyz\\.com)(?::[0-9]+)?(?:\\/.*)?$"
    }
  } ],
  "applications": [ {
    "name": "knoxauth"
  } ]
}
```

Then I confirmed that the generated topology is in good shape:

```
$ cat conf/topologies/smolnar.xml
<?xml version="1.0" encoding="utf-8"?>
<!--==============================================-->
<!
```

Issue Time Tracking
-------------------

    Worklog Id:         (was: 900193)
    Remaining Estimate: 0h
    Time Spent:         10m

> XML escaping should be configurable in SimpleDescriptorHandle
> -------------------------------------------------------------
>
>                 Key: KNOX-3001
>                 URL: https://issues.apache.org/jira/browse/KNOX-3001
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> KNOX-2804 added a beneficial improvement in Knox's logic when dealing with
> JSON files and turned them into XML topologies: before the generated topology
> persisted, the possible values are XML-escaped to avoid errors in SAXParser.
> However, this might cause backward-compatibility issues in deployments, where
> the data in the given shared provider config or descriptor is already given
> in an XML-friendly way.
> For instance, using the following shared provider config will result in a bad
> XML topology:
> {noformat}
> {
>   "providers" : [ {
>     "role" : "webappsec",
>     "name" : "WebAppSec",
>     "enabled" : true,
>     "params" : {
>       "xframe.options.enabled" : "true"
>     }
>   }, {
>     "role" : "authentication",
>     "name" : "ShiroProvider",
>     "enabled" : true,
>     "params" : {
>       "main.ldapContextFactory" : "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
>       "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
>       "main.ldapRealm.authenticationCachingEnabled" : "false",
>       "main.ldapRealm.contextFactory" : "$ldapContextFactory",
>       "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
>       "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389",
>       "main.ldapRealm.userDnTemplate" : "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
>       "main.ldapRealm.userSearchFilter" : "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
>       "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
>       "restrictedCookies" : "rememberme,WWW-Authenticate",
>       "sessionTimeout" : "30",
>       "urls./**" : "authcBasic"
>     }
>   }, {
>     "role" : "identity-assertion",
>     "name" : "Default",
>     "enabled" : true,
>     "params" : { }
>   } ],
>   "readOnly" : true
> }
> {noformat}
> The generated XML:
> {noformat}
> <?xml version="1.0" encoding="utf-8"?>
> <!--==============================================-->
> <!-- DO NOT EDIT. This is an auto-generated file. -->
> <!--==============================================-->
> <topology>
>   <generated>true</generated>
>   <gateway>
>     <provider>
>       <role>webappsec</role>
>       <name>WebAppSec</name>
>       <enabled>true</enabled>
>       <param>
>         <name>xframe.options.enabled</name>
>         <value>true</value>
>       </param>
>     </provider>
>     <provider>
>       <role>authentication</role>
>       <name>ShiroProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>main.ldapContextFactory</name>
>         <value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
>       </param>
>       <param>
>         <name>main.ldapRealm</name>
>         <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
>       </param>
>       <param>
>         <name>main.ldapRealm.authenticationCachingEnabled</name>
>         <value>false</value>
>       </param>
>       <param>
>         <name>main.ldapRealm.contextFactory</name>
>         <value>$ldapContextFactory</value>
>       </param>
>       <param>
>         <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>         <value>simple</value>
>       </param>
>       <param>
>         <name>main.ldapRealm.contextFactory.url</name>
>         <value>ldap://localhost:33389</value>
>       </param>
>       <param>
>         <name>main.ldapRealm.userDnTemplate</name>
>         <value>uid=0ou=people,dc=hadoop,dc=apache,dc=org</value>
>       </param>
>       <param>
>         <name>main.ldapRealm.userSearchFilter</name>
>         <value>(&amp;(&amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))</value>
>       </param>
>       <param>
>         <name>redirectToUrl</name>
>         <value>/${GATEWAY_PATH}/knoxsso/knoxauth/login.html</value>
>       </param>
>       <param>
>         <name>restrictedCookies</name>
>         <value>rememberme,WWW-Authenticate</value>
>       </param>
>       <param>
>         <name>sessionTimeout</name>
>         <value>30</value>
>       </param>
>       <param>
>         <name>urls./**</name>
>         <value>authcBasic</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>86400000</value>
>     </param>
>     <param>
>       <name>knoxsso.token.sigalg</name>
>       <value></value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^https?:\/\/(.*smolnar\.root\.xyz\.com)(?::[0-9]+)?(?:\/.*)?$</value>
>     </param>
>   </service>
>   <application>
>     <name>knoxauth</name>
>   </application>
> </topology>
> {noformat}
> As you can see, the value of {{main.ldapRealm.userSearchFilter}} is
> double-escaped, which makes the topology invalid.
> Moreover, the previously added XML escape function is meant for XML 1.1
> documents whereas this code generates XML 1.0, so this should be changed
> too.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
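The "unescape first, then escape" rule from the pull request, and the XML 1.0 versus 1.1 point raised in the issue description, as an added stand-alone Java illustration. This is not Knox code: it does not reproduce SimpleDescriptorHandler or whichever escape helper KNOX-2804 introduced, and the class name `IdempotentXmlEscape`, its helper methods and the sample LDAP filter strings are all constructed for this example. It wraps a value in a `<param>` element, parses it back with a hardened JDK DOM parser and reads the text content, which is the kind of check the PR's JUnit test performs.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

/** Hypothetical illustration of the KNOX-3001 rule; not Knox's implementation. */
public class IdempotentXmlEscape {

    // Only the five predefined XML entities and numeric character references are
    // decoded. Anything else (e.g. a bare '&foo') is left alone and therefore
    // becomes '&amp;foo' on the escape step, which is what a parser needs.
    private static final Pattern ENTITY =
        Pattern.compile("&(amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);");

    /** Decode an already XML-escaped string back to its raw form. */
    static String unescapeXml(String s) {
        Matcher m = ENTITY.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String rep;
            switch (name) {
                case "amp":  rep = "&";  break;
                case "lt":   rep = "<";  break;
                case "gt":   rep = ">";  break;
                case "quot": rep = "\""; break;
                case "apos": rep = "'";  break;
                default:
                    int cp = name.startsWith("#x")
                        ? Integer.parseInt(name.substring(2), 16)
                        : Integer.parseInt(name.substring(1));
                    rep = new String(Character.toChars(cp));
            }
            m.appendReplacement(out, Matcher.quoteReplacement(rep));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Escape a raw string for use as XML 1.0 element text. */
    static String escapeXml10(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:
                    // XML 1.0 forbids C0 control characters other than tab, LF and
                    // CR, even as numeric references, so they are dropped here. An
                    // XML 1.1 escaper would emit e.g. &#1; instead, which an XML 1.0
                    // parser rejects; that is the mismatch the issue points out.
                    if (c >= 0x20 || c == '\t' || c == '\n' || c == '\r') {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** The KNOX-3001 rule: normalise to raw text first so escaping is idempotent. */
    static String escapeOnce(String s) {
        return escapeXml10(unescapeXml(s));
    }

    /** Embed the escaped value in a <param> element, parse it, and return the decoded text. */
    static String roundTrip(String escapedValue) throws Exception {
        String xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
            + "<param><name>main.ldapRealm.userSearchFilter</name><value>"
            + escapedValue + "</value></param>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Hardened parser: no DOCTYPE, hence no external entities or entity expansion.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("value").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the same LDAP filter given raw and already escaped.
        String raw = "(&(objectclass=person)(sAMAccountName={0}))";
        String preEscaped = "(&amp;(objectclass=person)(sAMAccountName={0}))";

        // Escaping the pre-escaped form directly turns &amp; into &amp;amp;, so
        // the parser hands back a literal "&amp;" instead of "&".
        System.out.println("naive: " + roundTrip(escapeXml10(preEscaped)));
        // Unescape-then-escape gives the same XML for both inputs and parses to "&".
        System.out.println("fixed: " + roundTrip(escapeOnce(preEscaped)));
        System.out.println("same XML for raw and pre-escaped input: "
            + escapeOnce(raw).equals(escapeOnce(preEscaped)));
    }
}
```

Two caveats when applying this in a real pipeline. First, the unescape step means a configuration author can no longer persist a literal `&amp;` as the intended value; if that is ever needed, a per-field switch (the "configurable" part of the issue title) is the right tool, not a third escaping layer. Second, pick the escaper to match the declared XML version: libraries such as Apache Commons Text expose separate `escapeXml10` and `escapeXml11` methods precisely because the allowed character set differs, and an XML 1.1 escaper feeding an XML 1.0 document can emit numeric references the parser will reject.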