knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-965 - SecureQueryDecryptProcessor decode call could return null thus it would get a NPE (Jeffrey E Rodriguez via lmccay)
Date Wed, 28 Jun 2017 16:58:08 GMT
Repository: knox
Updated Branches:
  refs/heads/master 315a0ba9b -> 3004ba8b9


KNOX-965 - SecureQueryDecryptProcessor decode call could return null thus it would get a NPE
(Jeffrey E Rodriguez via lmccay)

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/3004ba8b
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/3004ba8b
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/3004ba8b

Branch: refs/heads/master
Commit: 3004ba8b9b78d603e04d8c6f2313b0b527fdd252
Parents: 315a0ba
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Wed Jun 28 12:57:58 2017 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Wed Jun 28 12:57:58 2017 -0400

----------------------------------------------------------------------
 .../SecureQueryDecryptProcessor.java            | 57 +++++++++-------
 .../SecureQueryEncryptDecryptProcessorTest.java | 68 ++++++++++++++++++++
 2 files changed, 103 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/3004ba8b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDecryptProcessor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDecryptProcessor.java
b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDecryptProcessor.java
index 1e20ad1..0687cb4 100644
--- a/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDecryptProcessor.java
+++ b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDecryptProcessor.java
@@ -30,7 +30,6 @@ import org.apache.hadoop.gateway.util.urltemplate.Query;
 import org.apache.hadoop.gateway.util.urltemplate.Template;
 
 import java.io.UnsupportedEncodingException;
-import java.util.List;
 import java.util.Map;
 import java.util.StringTokenizer;
 
@@ -60,37 +59,51 @@ public class SecureQueryDecryptProcessor implements UrlRewriteStepProcessor<Secu
     Builder newUrl = new Builder( currUrl );
     Map<String,Query> map = newUrl.getQuery();
     Query query = map.remove( ENCRYPTED_PARAMETER_NAME );
+    UrlRewriteStepStatus status = UrlRewriteStepStatus.FAILURE;
+    status = getUrlRewriteStepStatus(context, newUrl, map, query, status);
+    return status;
+  }
+
+  private UrlRewriteStepStatus getUrlRewriteStepStatus(UrlRewriteContext context, Builder
newUrl, Map<String, Query> map, Query query, UrlRewriteStepStatus status) throws UnsupportedEncodingException
{
     if( query != null ) {
       String value = query.getFirstValue().getPattern();
       value = decode( value );
-      StringTokenizer outerParser = new StringTokenizer( value, "&" );
-      while( outerParser.hasMoreTokens() ) {
-        String pair = outerParser.nextToken();
-        StringTokenizer innerParser = new StringTokenizer( pair, "=" );
-        if( innerParser.hasMoreTokens() ) {
-          String paramName = innerParser.nextToken();
-          if( innerParser.hasMoreTokens() ) {
-            String paramValue = innerParser.nextToken();
-            // Need to remove from the clear parameters any param name in the encoded params.
-            // If we don't then someone could override something in the encoded param.
-            map.remove( paramName );
-            newUrl.addQuery( paramName, "", paramValue, true );
-          } else {
-            newUrl.addQuery( paramName, "", null, true );
-          }
-        }
-      }
-      context.setCurrentUrl( newUrl.build() );
-      context.getParameters().resolve( "gateway.name" );
+      status = getUrlRewriteStepStatus(context, newUrl, map, status, value);
+    }
+    return status;
+  }
+
+  private UrlRewriteStepStatus getUrlRewriteStepStatus(UrlRewriteContext context, Builder
newUrl, Map<String, Query> map, UrlRewriteStepStatus status, String value) {
+    if( value != null ) {
+       StringTokenizer outerParser = new StringTokenizer( value, "&" );
+       while( outerParser.hasMoreTokens() ) {
+         String pair = outerParser.nextToken();
+         StringTokenizer innerParser = new StringTokenizer( pair, "=" );
+         if( innerParser.hasMoreTokens() ) {
+           String paramName = innerParser.nextToken();
+           if( innerParser.hasMoreTokens() ) {
+             String paramValue = innerParser.nextToken();
+             // Need to remove from the clear parameters any param name in the encoded params.
+             // If we don't then someone could override something in the encoded param.
+             map.remove( paramName );
+             newUrl.addQuery( paramName, "", paramValue, true );
+           } else {
+             newUrl.addQuery( paramName, "", null, true );
+           }
+         }
+       }
+       context.setCurrentUrl( newUrl.build() );
+       context.getParameters().resolve( "gateway.name" );
+       status = UrlRewriteStepStatus.SUCCESS;
     }
-    return UrlRewriteStepStatus.SUCCESS;
+    return status;
   }
 
   @Override
   public void destroy() {
   }
 
-  private String decode( String string ) throws UnsupportedEncodingException {
+  String decode( String string ) throws UnsupportedEncodingException {
     byte[] bytes = Base64.decodeBase64( string );
     EncryptionResult result = EncryptionResult.fromByteArray(bytes);
     byte[] clear = cryptoService.decryptForCluster(clusterName, 

http://git-wip-us.apache.org/repos/asf/knox/blob/3004ba8b/gateway-provider-rewrite-step-secure-query/src/test/java/org/apache/hadoop/gateway/securequery/SecureQueryEncryptDecryptProcessorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-rewrite-step-secure-query/src/test/java/org/apache/hadoop/gateway/securequery/SecureQueryEncryptDecryptProcessorTest.java
b/gateway-provider-rewrite-step-secure-query/src/test/java/org/apache/hadoop/gateway/securequery/SecureQueryEncryptDecryptProcessorTest.java
index ddc2782..453aeb9 100644
--- a/gateway-provider-rewrite-step-secure-query/src/test/java/org/apache/hadoop/gateway/securequery/SecureQueryEncryptDecryptProcessorTest.java
+++ b/gateway-provider-rewrite-step-secure-query/src/test/java/org/apache/hadoop/gateway/securequery/SecureQueryEncryptDecryptProcessorTest.java
@@ -27,9 +27,11 @@ import org.apache.hadoop.gateway.util.urltemplate.Params;
 import org.apache.hadoop.gateway.util.urltemplate.Parser;
 import org.apache.hadoop.gateway.util.urltemplate.Query;
 import org.apache.hadoop.gateway.util.urltemplate.Template;
+import org.apache.hadoop.gateway.filter.rewrite.spi.UrlRewriteStepStatus;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
 import org.junit.Test;
+import org.junit.Assert;
 
 import java.util.Arrays;
 
@@ -108,4 +110,70 @@ public class SecureQueryEncryptDecryptProcessorTest {
     assertThat( query, nullValue() );
   }
 
+  @Test
+  public void testEncryptBadDecrypt() throws Exception {
+    Query query;
+    Template origTemplate = Parser.parseLiteral( "http://host:0/path/file?query-param-name=query-param-value"
);
+
+    // Test encryption.  Results are left in encTemplate
+
+    AliasService as = EasyMock.createNiceMock( AliasService.class );
+    String secret = "sdkjfhsdkjfhsdfs";
+    EasyMock.expect( as.getPasswordFromAliasForCluster("test-cluster-name", "encryptQueryString")).andReturn(
secret.toCharArray() ).anyTimes();
+    CryptoService cryptoService = new DefaultCryptoService();
+    ((DefaultCryptoService)cryptoService).setAliasService(as);
+    GatewayServices gatewayServices = EasyMock.createNiceMock( GatewayServices.class );
+    EasyMock.expect( gatewayServices.getService( GatewayServices.CRYPTO_SERVICE ) ).andReturn(
cryptoService );
+
+    UrlRewriteEnvironment encEnvironment = EasyMock.createNiceMock( UrlRewriteEnvironment.class
);
+    EasyMock.expect( encEnvironment.getAttribute( GatewayServices.GATEWAY_SERVICES_ATTRIBUTE
) ).andReturn( gatewayServices ).anyTimes();
+    EasyMock.expect( encEnvironment.getAttribute( GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE
) ).andReturn( "test-cluster-name" ).anyTimes();
+    UrlRewriteContext encContext = EasyMock.createNiceMock( UrlRewriteContext.class );
+    EasyMock.expect( encContext.getCurrentUrl() ).andReturn( origTemplate );
+    Capture<Template> encTemplate = new Capture<Template>();
+    encContext.setCurrentUrl( EasyMock.capture( encTemplate ) );
+    EasyMock.replay( gatewayServices, as, encEnvironment, encContext );
+
+    SecureQueryEncryptDescriptor descriptor = new SecureQueryEncryptDescriptor();
+    SecureQueryEncryptProcessor processor = new SecureQueryEncryptProcessor();
+    processor.initialize( encEnvironment, descriptor );
+    processor.process( encContext );
+
+    assertThat( encTemplate, notNullValue() );
+    query = encTemplate.getValue().getQuery().get( "_" );
+    assertThat( query.getFirstValue().getPattern().length(), greaterThan( 1 ) );
+    query = encTemplate.getValue().getQuery().get( "query-param-name" );
+    assertThat( query, nullValue() );
+
+    // Test decryption with decode returning null
+
+    gatewayServices = EasyMock.createNiceMock( GatewayServices.class );
+    EasyMock.expect( gatewayServices.getService( GatewayServices.CRYPTO_SERVICE ) ).andReturn(
cryptoService );
+    as = EasyMock.createNiceMock( AliasService.class );
+    EasyMock.expect( as.getPasswordFromAliasForCluster("test-cluster-name", "encryptQueryString")).andReturn(
secret.toCharArray() ).anyTimes();
+
+    UrlRewriteEnvironment decEnvironment = EasyMock.createNiceMock( UrlRewriteEnvironment.class
);
+    EasyMock.expect( decEnvironment.getAttribute( GatewayServices.GATEWAY_SERVICES_ATTRIBUTE
) ).andReturn( gatewayServices ).anyTimes();
+    EasyMock.expect( decEnvironment.getAttribute( GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE
) ).andReturn( "test-cluster-name" ).anyTimes();
+    Params decParams = EasyMock.createNiceMock( Params.class );
+    EasyMock.expect( decParams.resolve( GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE ) ).andReturn(
Arrays.asList("test-cluster-name") ).anyTimes();
+    UrlRewriteContext decContext = EasyMock.createNiceMock( UrlRewriteContext.class );
+    EasyMock.expect( decContext.getCurrentUrl() ).andReturn( encTemplate.getValue() );
+    EasyMock.expect( decContext.getParameters() ).andReturn( decParams );
+    Capture<Template> decTemplate = new Capture<Template>();
+    decContext.setCurrentUrl( EasyMock.capture( decTemplate ) );
+    SecureQueryDecryptDescriptor descriptor1 = new SecureQueryDecryptDescriptor();
+    SecureQueryDecryptProcessor decProcessor =
+       EasyMock.createMockBuilder(
+          SecureQueryDecryptProcessor.class ).addMockedMethod( SecureQueryDecryptProcessor.class.getDeclaredMethod("decode",
String.class )).createMock();
+    EasyMock.expect( decProcessor.decode(EasyMock.anyObject(String.class))).andReturn( null
);
+    EasyMock.replay( gatewayServices, as, decEnvironment, decParams, decContext, decProcessor
);
+
+    decProcessor.initialize( decEnvironment, descriptor1 );
+    UrlRewriteStepStatus status = decProcessor.process( decContext );
+
+    Assert.assertTrue((status == UrlRewriteStepStatus.FAILURE));
+  }
+
+
 }


Mime
View raw message