[GitHub] [nifi] exceptionfactory commented on a change in pull request #4972: NIFI-7912 - Added a Denial of Service filter wrapper called NiFiDoSFi…

GitBox Tue, 06 Apr 2021 11:10:25 -0700


exceptionfactory commented on a change in pull request #4972:
URL: https://github.com/apache/nifi/pull/4972#discussion_r608067336




##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
##########
@@ -256,5 +256,10 @@
             <version>${nifi.groovy.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlets</artifactId>

Review comment:
       Is this dependency addition necessary given that the most recent commit 
does not include a new filter class?

##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##########
@@ -715,20 +717,40 @@ private static int 
determineMaxWebRequestsPerSecond(NiFiProperties props) {
         return configuredMaxRequestsPerSecond > 0 ? 
configuredMaxRequestsPerSecond : defaultMaxRequestsPerSecond;
     }
 
+    private static long determineRequestTimeoutInMilliseconds(NiFiProperties 
props) {
+        long defaultRequestTimeout = 
Math.round(FormatUtils.getPreciseTimeDuration(NiFiProperties.DEFAULT_WEB_REQUEST_TIMEOUT,
 TimeUnit.MILLISECONDS));
+        long configuredRequestTimeout = 0L;
+        try {
+            configuredRequestTimeout = 
Math.round(FormatUtils.getPreciseTimeDuration(props.getWebRequestTimeout(), 
TimeUnit.MILLISECONDS));
+        } catch (final NumberFormatException e) {
+            logger.warn("Exception parsing property " + 
NiFiProperties.WEB_REQUEST_TIMEOUT + "; using default value: " + 
defaultRequestTimeout);

Review comment:
       Recommend adjusting the log statement to use placeholders:
   ```suggestion
               logger.warn("Exception parsing property [{}]: using default 
value [{}] ", NiFiProperties.WEB_REQUEST_TIMEOUT, defaultRequestTimeout);
   ```

##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##########
@@ -715,20 +717,40 @@ private static int 
determineMaxWebRequestsPerSecond(NiFiProperties props) {
         return configuredMaxRequestsPerSecond > 0 ? 
configuredMaxRequestsPerSecond : defaultMaxRequestsPerSecond;
     }
 
+    private static long determineRequestTimeoutInMilliseconds(NiFiProperties 
props) {

Review comment:
       Recommend adding `final` modifier:
   ```suggestion
       private static long determineRequestTimeoutInMilliseconds(final 
NiFiProperties props) {
   ```

##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##########
@@ -715,20 +717,40 @@ private static int 
determineMaxWebRequestsPerSecond(NiFiProperties props) {
         return configuredMaxRequestsPerSecond > 0 ? 
configuredMaxRequestsPerSecond : defaultMaxRequestsPerSecond;
     }
 
+    private static long determineRequestTimeoutInMilliseconds(NiFiProperties 
props) {
+        long defaultRequestTimeout = 
Math.round(FormatUtils.getPreciseTimeDuration(NiFiProperties.DEFAULT_WEB_REQUEST_TIMEOUT,
 TimeUnit.MILLISECONDS));
+        long configuredRequestTimeout = 0L;
+        try {
+            configuredRequestTimeout = 
Math.round(FormatUtils.getPreciseTimeDuration(props.getWebRequestTimeout(), 
TimeUnit.MILLISECONDS));
+        } catch (final NumberFormatException e) {
+            logger.warn("Exception parsing property " + 
NiFiProperties.WEB_REQUEST_TIMEOUT + "; using default value: " + 
defaultRequestTimeout);
+        }
+
+        return configuredRequestTimeout > 0 ? configuredRequestTimeout : 
defaultRequestTimeout;
+    }
+
     /**
      * Adds the {@link org.eclipse.jetty.servlets.DoSFilter} to the specified 
context and path. Limits incoming web requests to {@code 
maxWebRequestsPerSecond} per second.
      *
      * @param path the path to apply this filter
      * @param webAppContext the context to apply this filter
      * @param maxWebRequestsPerSecond the maximum number of allowed requests 
per second
      */
-    private static void addWebRequestRateLimitingFilter(String path, 
WebAppContext webAppContext, int maxWebRequestsPerSecond) {
+    private static void addWebRequestRateLimitingFilter(String path, 
WebAppContext webAppContext, int maxWebRequestsPerSecond, long 
requestTimeoutInMilliseconds, final String ipWhitelist) {
         FilterHolder holder = new FilterHolder(DoSFilter.class);
         holder.setInitParameters(new HashMap<String, String>() {{
             put("maxRequestsPerSec", String.valueOf(maxWebRequestsPerSecond));
+            put("maxRequestMs", String.valueOf(requestTimeoutInMilliseconds));
+            put("ipWhitelist", String.valueOf(ipWhitelist));
         }});
         holder.setName(DoSFilter.class.getSimpleName());
-        logger.debug("Adding DoSFilter to context at path: " + path + " with 
max req/sec: " + maxWebRequestsPerSecond);
+
+        String ipWhitelistLoggable = ipWhitelist;
+        if(ipWhitelist == null) {
+            ipWhitelistLoggable = "none";
+        }
+        logger.info("Adding DoSFilter to context at path: {} with max req/sec: 
{}, request timeout: {} ms. Whitelisted IPs not subject to filter: {}",
+                path, maxWebRequestsPerSecond, requestTimeoutInMilliseconds, 
ipWhitelistLoggable);

Review comment:
       The loggable representation could be handled using 
`StringUtils.defaultIfEmpty()`
   ```suggestion
           logger.info("Adding DoSFilter Path [{}] Max Requests per Second [{}] 
Timeout [{} ms] Excluded Addresses [{}]",
                   path, maxWebRequestsPerSecond, requestTimeoutInMilliseconds, 
StringUtils.defaultIfEmpty(ipWhitelist, "none"));
   ```

##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy
##########
@@ -540,6 +540,21 @@ class JettyServerGroovyTest extends GroovyTestCase {
         assert filterNames.contains("DoSFilter")
         assert !filterNames.contains("ContentLengthFilter")
     }
+
+    @Test
+    void testDetermineRequestTimeoutInMilliseconds() {
+        // Arrange
+        Map badProps = [
+                (NiFiProperties.WEB_REQUEST_TIMEOUT): "50 sec",
+        ]
+
+        NiFiProperties mockProps = new StandardNiFiProperties(new 
Properties(badProps))
+
+        // Act
+        long requestTimeout = 
JettyServer.determineRequestTimeoutInMilliseconds(mockProps)

Review comment:
       Recommend avoiding calls to private methods even though Groovy allows it 
to work.  Instead, is it possible to retrieve the configured DoSFilter and 
evaluate the configuration?  Otherwise, it seems acceptable to remove this test 
method.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on a change in pull request #4972: NIFI-7912 - Added a Denial of Service filter wrapper called NiFiDoSFi…

Reply via email to