chatman commented on a change in pull request #1078: SOLR-14071: Untrusted
configsets shouldn't be allowed to use <lib>
URL: https://github.com/apache/lucene-solr/pull/1078#discussion_r357022530
##########
File path: solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
##########
@@ -369,13 +370,55 @@ public void testUploadWithScriptUpdateProcessor() throws
Exception {
}
+ @Test
+ public void testUploadWithLibDirective() throws Exception {
+ // Authorization off
+ unprotectConfigsHandler();
+ final String untrustedSuffix = "-untrusted";
+ uploadConfigSetWithAssertions("with-lib-directive", untrustedSuffix, null,
null);
+ // try to create a collection with the uploaded configset
+ Throwable thrown = expectThrows(HttpSolrClient.RemoteSolrException.class,
() -> {
+ createCollection("newcollection3", "with-lib-directive" +
untrustedSuffix,
+ 1, 1, solrCluster.getSolrClient());
+ });
+
+ assertThat(thrown.getMessage(), containsString("Underlying core creation
failed"));
+
+ // Authorization on
+ final String trustedSuffix = "-trusted";
+ protectConfigsHandler();
+ uploadConfigSetWithAssertions("with-lib-directive", trustedSuffix, "solr",
"SolrRocks");
+ // try to create a collection with the uploaded configset
+ CollectionAdminResponse resp = createCollection("newcollection3",
"with-lib-directive" + trustedSuffix,
+ 1, 1, solrCluster.getSolrClient());
+
+ SolrInputDocument doc = sdoc("id", "4055", "subject", "Solr");
+ solrCluster.getSolrClient().add("newcollection3", doc);
+ solrCluster.getSolrClient().commit("newcollection3");
+ assertEquals("4055", solrCluster.getSolrClient().query("newcollection3",
+ params("q", "*:*")).getResults().get(0).get("id"));
+ }
+
protected SolrZkClient zkClient() {
ZkStateReader reader = solrCluster.getSolrClient().getZkStateReader();
if (reader == null)
solrCluster.getSolrClient().connect();
return solrCluster.getSolrClient().getZkStateReader().getZkClient();
}
+ private void unprotectConfigsHandler() throws Exception {
+ HttpClient cl = null;
+ try {
+ cl = HttpClientUtil.createClient(null);
+ zkClient().setData("/security.json", "{}".getBytes(UTF_8), true);
+ } finally {
+ if (cl != null) {
+ HttpClientUtil.close(cl);
+ }
+ }
+ Thread.sleep(5000); // TODO: Without a delay, the test fails. Some problem
with Authc/Authz framework?
Review comment:
Okay, I'll dig in to figure out. Maybe there is some way. All the
authentication/authorization details are way past my memory.
But anyway, I have limited time today, and lots of issues to get to (before
8.4), please see SOLR-13442). There will be a compromise somewhere or the other
unless someone can please help me.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
