knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pzamp...@apache.org
Subject knox git commit: KNOX-1373 - Default dispatch whitelist should consider X-Forwarded-Host header
Date Tue, 03 Jul 2018 18:53:54 GMT
Repository: knox
Updated Branches:
  refs/heads/master b2ec86f71 -> 35b65a267


KNOX-1373 - Default dispatch whitelist should consider X-Forwarded-Host header


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/35b65a26
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/35b65a26
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/35b65a26

Branch: refs/heads/master
Commit: 35b65a26727245b75420551851f78d574a6d2c0b
Parents: b2ec86f
Author: Phil Zampino <pzampino@apache.org>
Authored: Tue Jul 3 14:35:57 2018 -0400
Committer: Phil Zampino <pzampino@apache.org>
Committed: Tue Jul 3 14:37:19 2018 -0400

----------------------------------------------------------------------
 .../knox/gateway/util/WhitelistUtils.java       | 23 +++++++--
 .../knox/gateway/util/WhitelistUtilsTest.java   | 53 ++++++++++++++++++--
 2 files changed, 68 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/35b65a26/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
index 220e448..37df2f6 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/util/WhitelistUtils.java
@@ -67,10 +67,25 @@ public class WhitelistUtils {
   private static String deriveDefaultDispatchWhitelist(HttpServletRequest request) {
     String defaultWhitelist = null;
 
-    try {
-      defaultWhitelist = deriveDomainBasedWhitelist(InetAddress.getLocalHost().getCanonicalHostName());
-    } catch (UnknownHostException e) {
-      //
+    // Check first for the X-Forwarded-Host header, and use it to derive the domain-based
whitelist
+    String requestedHost = request.getHeader("X-Forwarded-Host");
+    if (requestedHost != null && !requestedHost.isEmpty()) {
+      // The value may include port information, which needs to be removed
+      int portIndex = requestedHost.indexOf(":");
+      if (portIndex > 0) {
+        requestedHost = requestedHost.substring(0, portIndex);
+      }
+      defaultWhitelist = deriveDomainBasedWhitelist(requestedHost);
+    }
+
+    // If the domain-based whitelist could not be derived from the X-Forwarded-Host header
value, then use the
+    // localhost FQDN
+    if (defaultWhitelist == null) {
+      try {
+          defaultWhitelist = deriveDomainBasedWhitelist(InetAddress.getLocalHost().getCanonicalHostName());
+      } catch (UnknownHostException e) {
+        //
+      }
     }
 
     // If the domain could not be determined, default to just the local/relative whitelist

http://git-wip-us.apache.org/repos/asf/knox/blob/35b65a26/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
index 1824fe6..272a35d 100644
--- a/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
+++ b/gateway-spi/src/test/java/org/apache/knox/gateway/util/WhitelistUtilsTest.java
@@ -79,9 +79,36 @@ public class WhitelistUtilsTest {
   }
 
   @Test
+  public void testDefaultDomainWhitelistWithXForwardedHost() throws Exception {
+    final String serviceRole = "TEST";
+
+    String whitelist =
+        doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
null),
+                                   "host0.test.org",
+                                   "lb.external.test.org",
+                                   serviceRole);
+    assertNotNull(whitelist);
+    assertTrue(whitelist.contains("\\.external\\.test\\.org"));
+  }
+
+  @Test
+  public void testDefaultDomainWhitelistWithXForwardedHostAndPort() throws Exception {
+    final String serviceRole = "TEST";
+
+    String whitelist =
+        doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
null),
+                                   "host0.test.org",
+                                   "lb.external.test.org:9090",
+                                   serviceRole);
+    assertNotNull(whitelist);
+    assertTrue(whitelist.contains("\\.external\\.test\\.org"));
+    assertFalse(whitelist.contains("9090"));
+  }
+
+  @Test
   public void testConfiguredWhitelist() throws Exception {
     final String serviceRole = "TEST";
-    final String WHITELIST = "^.*\\.my\\.domain\\.com.*$";
+    final String WHITELIST   = "^.*\\.my\\.domain\\.com.*$";
 
     String whitelist =
                 doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
WHITELIST),
@@ -93,11 +120,11 @@ public class WhitelistUtilsTest {
   @Test
   public void testExplicitlyConfiguredDefaultWhitelist() throws Exception {
     final String serviceRole = "TEST";
-    final String WHITELIST = "DEFAULT";
+    final String WHITELIST   = "DEFAULT";
 
     String whitelist =
         doTestGetDispatchWhitelist(createMockGatewayConfig(Collections.singletonList(serviceRole),
WHITELIST),
-            serviceRole);
+                                   serviceRole);
     assertNotNull(whitelist);
     assertTrue("Expected the derived localhost whitelist.",
                RegExUtils.checkWhitelist(whitelist, "http://localhost:9099/"));
@@ -111,17 +138,27 @@ public class WhitelistUtilsTest {
   private String doTestGetDispatchWhitelist(GatewayConfig config,
                                             String        serverName,
                                             String        serviceRole) {
+    return doTestGetDispatchWhitelist(config, serverName, null, serviceRole);
+  }
+
+  private String doTestGetDispatchWhitelist(GatewayConfig config,
+                                            String        serverName,
+                                            String        xForwardedHost,
+                                            String        serviceRole) {
     ServletContext sc = EasyMock.createNiceMock(ServletContext.class);
     EasyMock.expect(sc.getAttribute("org.apache.knox.gateway.config")).andReturn(config).anyTimes();
     EasyMock.replay(sc);
 
     HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+    if (xForwardedHost != null && !xForwardedHost.isEmpty()) {
+      EasyMock.expect(request.getHeader("X-Forwarded-Host")).andReturn(xForwardedHost).anyTimes();
+    }
     EasyMock.expect(request.getAttribute("targetServiceRole")).andReturn(serviceRole).anyTimes();
     EasyMock.expect(request.getServletContext()).andReturn(sc).anyTimes();
     EasyMock.replay(request);
 
     String result = null;
-    if (serverName != null && !serverName.isEmpty() && !serverName.equalsIgnoreCase("localhost"))
{
+    if (serverName != null && !serverName.isEmpty() && !serverName.equalsIgnoreCase("localhost")
&& xForwardedHost == null) {
       try {
         Method method = WhitelistUtils.class.getDeclaredMethod("deriveDomainBasedWhitelist",
String.class);
         method.setAccessible(true);
@@ -129,6 +166,14 @@ public class WhitelistUtilsTest {
       } catch (Exception e) {
         e.printStackTrace();
       }
+    } else if (xForwardedHost != null && !xForwardedHost.isEmpty()) {
+      try {
+        Method method = WhitelistUtils.class.getDeclaredMethod("deriveDefaultDispatchWhitelist",
HttpServletRequest.class);
+        method.setAccessible(true);
+        result = (String) method.invoke(null, request);
+      } catch (Exception e) {
+        e.printStackTrace();
+      }
     } else {
       result = WhitelistUtils.getDispatchWhitelist(request);
     }


Mime
View raw message