This is an automated email from the ASF dual-hosted git repository.

ngangam pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 7abeb1df463 HIVE-27554: added control to JDBCBrowser client URL 
(#4537) (Henri Biestro)
7abeb1df463 is described below

commit 7abeb1df463cc389f668172e7cf3bb772799858a
Author: Henrib <hbies...@gmail.com>
AuthorDate: Mon Aug 14 16:48:46 2023 +0200

    HIVE-27554: added control to JDBCBrowser client URL (#4537) (Henri Biestro)
    
    * HIVE-27554: added control to JDBCBrowser client URL
    
    * HIVE-27554: moved control in redirect strategy;
    - simplified check using uri properties (scheme, absolute);
    - cleaned up imports;
    
    Simplify code;
    * Update TestSSOControl.java
    * Update HiveJdbcSamlRedirectStrategy.java
---
 .../hive/jdbc/saml/HiveJdbcBrowserClient.java      |  8 ++--
 .../jdbc/saml/HiveJdbcSamlRedirectStrategy.java    | 26 +++++++++++
 .../apache/hive/jdbc/saml/IJdbcBrowserClient.java  |  5 ---
 .../org/apache/hive/jdbc/saml/TestSSOControl.java  | 51 ++++++++++++++++++++++
 4 files changed, 81 insertions(+), 9 deletions(-)

diff --git a/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java 
b/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java
index 146bc63a5ec..fd8ee895509 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java
@@ -203,7 +203,6 @@ public class HiveJdbcBrowserClient implements 
IJdbcBrowserClient {
   @VisibleForTesting
   protected void openBrowserWindow() throws HiveJdbcBrowserException {
     URI ssoUri = clientContext.getSsoUri();
-    Preconditions.checkNotNull(ssoUri, "SSO Url is null");
     try {
       if (Desktop.isDesktopSupported() && Desktop.getDesktop()
           .isSupported(Action.BROWSE)) {
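Review bot: Dropping `Preconditions.checkNotNull(ssoUri, "SSO Url is null")` leaves openBrowserWindow without a local guard while `ssoUri` is still dereferenced later in the method (`ssoUri.toString()` in the next hunk, and presumably the browse call inside this branch), so a null from `clientContext.getSsoUri()` now surfaces as a bare NullPointerException instead of the former message. That is acceptable only if the redirect strategy's getLocationURI is the sole path that populates the context's SSO URI, which this hunk does not let me confirm. If other paths exist, a one-line `Objects.requireNonNull(ssoUri, "SSO Url is null");` keeps the diagnostic without duplicating the scheme check. The method continues past the end of this hunk.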
@@ -212,18 +211,19 @@ public class HiveJdbcBrowserClient implements 
IJdbcBrowserClient {
         LOG.info(
             "Desktop mode is not supported. Attempting to use OS "
                 + "commands to open the default browser");
+        String ssoUriStr = ssoUri.toString();
         //Desktop is not supported, lets try to open the browser process
         OsType os = getOperatingSystem();
         switch (os) {
           case WINDOWS:
             Runtime.getRuntime()
-                .exec("rundll32 url.dll,FileProtocolHandler " + 
ssoUri.toString());
+                .exec("rundll32 url.dll,FileProtocolHandler " + ssoUriStr);
             break;
           case MAC:
-            Runtime.getRuntime().exec("open " + ssoUri.toString());
+            Runtime.getRuntime().exec("open " + ssoUriStr);
             break;
           case LINUX:
-            Runtime.getRuntime().exec("xdg-open " + ssoUri.toString());
+            Runtime.getRuntime().exec("xdg-open " + ssoUriStr);
             break;
           case UNKNOWN:
             throw new HiveJdbcBrowserException(
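Review bot: The three exec calls on the new side still hand `Runtime.exec(String)` a concatenated command that it splits on whitespace, so the only reason the URI cannot turn into extra arguments is that a parsed `java.net.URI` never contains an unencoded space. `new ProcessBuilder("xdg-open", ssoUriStr).start();` (and the same shape for `open` and `rundll32 url.dll,FileProtocolHandler`) passes the URI as a single argument by construction and does not depend on that tokenizer behaviour. The returned Process is also discarded, so only a missing binary (IOException from exec) is ever reported; a short comment saying that fire-and-forget is intentional would help the next reader. The switch statement continues past the end of this hunk.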
diff --git 
a/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java 
b/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java
index 40e057570e3..c5ce4eeea5e 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java
@@ -62,4 +62,30 @@ public class HiveJdbcSamlRedirectStrategy extends 
DefaultRedirectStrategy {
     }
     return super.isRedirected(request, response, context);
   }
+
+  @Override
+  public URI getLocationURI(HttpRequest request, HttpResponse response, 
HttpContext context) throws ProtocolException {
+    // add our own check to super-call
+    return checkSsoUri(super.getLocationURI(request, response, context));
+  }
+
+  /**
+   * Checks that the URI used to redirect SSO is valid.
+   * @param uri the uri to validate
+   * @return the uri
+   * @throws ProtocolException if uri is null or not http(s) or not absolute
+   */
+  static URI checkSsoUri(URI uri) throws ProtocolException {
+    if (uri == null) {
+      throw new ProtocolException("SSO Url is null");
+    }
+    final String scheme = uri.getScheme();
+    // require https or https and absolute
+    final boolean valid = ("http".equalsIgnoreCase(scheme) || 
"https".equalsIgnoreCase(scheme))
+                          && uri.isAbsolute();
+    if (!valid) {
+      throw new ProtocolException("SSO Url "+uri.toString()+ "is invalid");
+    }
+    return uri;
+  }
 }
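Review bot: The rejection message in checkSsoUri is missing a separator: `"SSO Url "+uri.toString()+ "is invalid"` renders as `SSO Url https://...is invalid`; `throw new ProtocolException("SSO Url " + uri + " is invalid");` fixes it. The comment above the check reads "require https or https" while the code accepts http or https; `// require an absolute http or https URI` matches what is tested. `uri.isAbsolute()` is true exactly when the scheme is non-null, so after the equalsIgnoreCase test it adds nothing — harmless, but a reader may look for the case it covers. Since the browser is sent to this URI to authenticate, accepting plain `http` lets the SSO exchange start over cleartext; if that is deliberate, one sentence in the Javadoc stating it would save the next reviewer the same question.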
diff --git a/jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java 
b/jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java
index a6125838300..c1d7b9f9ba1 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java
@@ -21,12 +21,7 @@ package org.apache.hive.jdbc.saml;
 import com.google.common.base.Preconditions;
 import com.google.errorprone.annotations.Immutable;
 import java.io.Closeable;
-import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
-import java.util.Map;
 import org.apache.hive.service.auth.saml.HiveSamlUtils;
 
 /**
diff --git a/jdbc/src/test/org/apache/hive/jdbc/saml/TestSSOControl.java 
b/jdbc/src/test/org/apache/hive/jdbc/saml/TestSSOControl.java
new file mode 100644
index 00000000000..236491e5d97
--- /dev/null
+++ b/jdbc/src/test/org/apache/hive/jdbc/saml/TestSSOControl.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc.saml;
+
+import java.net.URI;
+
+import org.junit.Test;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class TestSSOControl {
+
+  static boolean checkValid(String uri) {
+    try {
+      HiveJdbcSamlRedirectStrategy.checkSsoUri(new URI(uri));
+      return true;
+    } catch(Exception xany) {
+      return false;
+    }
+  }
+
+  @Test
+  public void testValidURL() {
+    assertTrue(checkValid("https://companya.okta.com";));
+    assertTrue(checkValid("https://companyb.okta.com:8080";));
+    assertTrue(checkValid("https://companyc.okta.com/testpathvalue";));
+  }
+
+  @Test
+  public void testInvalidURL() {
+    assertFalse(checkValid("-a Calculator"));
+    assertFalse(checkValid("This is random text"));
+    assertFalse(checkValid("file://randomfile"));
+  }
+}
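Review bot: In testInvalidURL the inputs containing spaces are rejected by `new URI(...)` inside checkValid, not by checkSsoUri, and because checkValid catches `Exception` the test cannot tell the two apart — only `file://randomfile` actually reaches the scheme check. Narrowing it to `catch (ProtocolException expected) { return false; }`, keeping the unparsable strings under a separate URISyntaxException expectation, makes the assertion meaningful, and inputs that parse but must be refused — for example `okta.com/path` (no scheme, so not absolute) and `mailto:user@example.com` — plus a direct `checkSsoUri(null)` case would cover the remaining branches. The `;` after each URL literal looks like an artifact of this mail rendering rather than the committed source.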
