chatman commented on a change in pull request #1078: SOLR-14071: Untrusted 
configsets shouldn't be allowed to use <lib>
URL: https://github.com/apache/lucene-solr/pull/1078#discussion_r357030750
 
 

 ##########
 File path: solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
 ##########
 @@ -369,13 +370,55 @@ public void testUploadWithScriptUpdateProcessor() throws 
Exception {
 
   }
 
+  @Test
+  public void testUploadWithLibDirective() throws Exception {
+    // Authorization off
+    unprotectConfigsHandler();
+    final String untrustedSuffix = "-untrusted";
+    uploadConfigSetWithAssertions("with-lib-directive", untrustedSuffix, null, 
null);
+    // try to create a collection with the uploaded configset
+    Throwable thrown = expectThrows(HttpSolrClient.RemoteSolrException.class, 
() -> {
+      createCollection("newcollection3", "with-lib-directive" + 
untrustedSuffix,
+          1, 1, solrCluster.getSolrClient());
+    });
+
+    assertThat(thrown.getMessage(), containsString("Underlying core creation 
failed"));
+
+    // Authorization on
+    final String trustedSuffix = "-trusted";
+    protectConfigsHandler();
+    uploadConfigSetWithAssertions("with-lib-directive", trustedSuffix, "solr", 
"SolrRocks");
+    // try to create a collection with the uploaded configset
+    CollectionAdminResponse resp = createCollection("newcollection3", 
"with-lib-directive" + trustedSuffix,
+        1, 1, solrCluster.getSolrClient());
+    
+    SolrInputDocument doc = sdoc("id", "4055", "subject", "Solr");
+    solrCluster.getSolrClient().add("newcollection3", doc);
+    solrCluster.getSolrClient().commit("newcollection3");
+    assertEquals("4055", solrCluster.getSolrClient().query("newcollection3",
+        params("q", "*:*")).getResults().get(0).get("id"));
+  }
+
   protected SolrZkClient zkClient() {
     ZkStateReader reader = solrCluster.getSolrClient().getZkStateReader();
     if (reader == null)
       solrCluster.getSolrClient().connect();
     return solrCluster.getSolrClient().getZkStateReader().getZkClient();
   }
 
+  private void unprotectConfigsHandler() throws Exception {
+    HttpClient cl = null;
+    try {
+      cl = HttpClientUtil.createClient(null);
+      zkClient().setData("/security.json", "{}".getBytes(UTF_8), true);
+    } finally {
+      if (cl != null) {
+        HttpClientUtil.close(cl);
+      }
+    }
+    Thread.sleep(5000); // TODO: Without a delay, the test fails. Some problem 
with Authc/Authz framework?
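Review bot: The untrusted half of `testUploadWithLibDirective` asserts only `containsString("Underlying core creation failed")`, which any core-creation failure satisfies. The test would therefore still pass if the untrusted configset were rejected for a reason unrelated to its `<lib>` directive. As the regression test for a trust boundary, it should pin the cause: assert on the part of the message (or the wrapped cause) that names the untrusted-configset rejection, taking the exact text from the code that throws, since it is not visible in this hunk. Separately, in `unprotectConfigsHandler` the `HttpClient cl` is created and closed but never used in the visible lines, so the `zkClient().setData("/security.json", ...)` call appears to be the only effective step and the try/finally could be dropped. The quoted hunk is cut short, so the rest of that method is outside this view.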
 
 Review comment:
   > Well, we're all trying to help one way or another; lack of time is no 
excuse to add code that will make other people wonder what the heck is going on 
later.
   
   I agree. That's why I removed the new test. By the way, a 5 second sleep was 
already there in another test.
   
   > I have a strong temptation to ban Thread.sleep with forbidden APIs 
everywhere
   
   Totally agree. I want to do that myself.
   
