From 7ac95abaa4d8500ea531f8033884a9262518800b Mon Sep 17 00:00:00 2001
From: Mike Drob
Date: Fri, 9 Apr 2021 10:19:57 -0500
Subject: [PATCH] SOLR-15317 Handle spaces in principal names (#64)
---
 solr/CHANGES.txt | 2 ++
 .../solr/security/PKIAuthenticationPlugin.java | 8 ++++----
 .../solr/security/TestPKIAuthenticationPlugin.java | 14 ++++++++------
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 2791f1f3a988..f83b9fd6be26 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -258,6 +258,8 @@ Bug Fixes
 * SOLR-15233: Set doAs param in ConfigurableInternodeAuthHadoopPlugin (Geza Nagy, Jason Gerlowski, Mike Drob)
+* SOLR-15317: Correctly handle user principals with whitespace in PKIAuthPlugin (Dominik Dresel, Mike Drob)
+
 ================== 8.9.0 ==================
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index bdf298f9acc1..a07be1321575 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -167,15 +167,15 @@ private static PKIHeaderData parseCipher(String cipher, PublicKey key) {
 return null;
 }
 String s = new String(bytes, UTF_8).trim();
- String[] ss = s.split(" ");
- if (ss.length < 2) {
+ int splitPoint = s.lastIndexOf(' ');
+ if (splitPoint == -1) {
 log.warn("Invalid cipher {} deciphered data {}", cipher, s);
 return null;
 }
 PKIHeaderData headerData = new PKIHeaderData();
 try {
- headerData.timestamp = Long.parseLong(ss[1]);
- headerData.userName = ss[0];
+ headerData.timestamp = Long.parseLong(s.substring(splitPoint + 1));
+ headerData.userName = s.substring(0, splitPoint);
 log.debug("Successfully decrypted header {} {}", headerData.userName, headerData.timestamp);
 return headerData;
 } catch (NumberFormatException e) {
diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
index 9cb9bb1a462c..76498e494db2 100644
--- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
@@ -67,6 +67,10 @@ boolean isSolrThread() {
 }
 }
+ final AtomicReference
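Review bot: A principal with leading whitespace still does not round-trip through `parseCipher`: the unchanged `String s = new String(bytes, UTF_8).trim();` strips it before the new `s.lastIndexOf(' ')` split, so a signed name such as `" admin"` (constructed example) comes out of `s.substring(0, splitPoint)` as `admin`, a different identity from the one the sending node asserted. Assuming the sender writes the payload as name, one space, timestamp (not visible in this hunk), either strip only the trailing side of the decrypted text or reject a name that differs from its trimmed form. The format also deserves a comment above the split, e.g. `// payload is "<principal> <timestamp>"; the timestamp is the last space-separated token`. Separately, the unchanged `log.warn("Invalid cipher {} deciphered data {}", cipher, s)` writes the decrypted payload to the log; dropping `s` from that message would keep principal data and any embedded control characters out of it. The function starts and ends outside the hunk.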
header = new AtomicReference<>();
+ final AtomicReference wrappedRequestByFilter = new AtomicReference<>();
+ final FilterChain filterChain = (servletRequest, servletResponse) -> wrappedRequestByFilter.set(servletRequest);
+
 public void test() throws Exception {
 assumeWorkingMockito();
@@ -83,22 +87,20 @@ public Principal getUserPrincipal() {
 PublicKey correctKey = CryptoKeys.deserializeX509PublicKey(mock.getPublicKey());
 mock.remoteKeys.put(nodeName, correctKey);
- principal.set(new BasicUserPrincipal("solr"));
+ String username = "solr user"; // with spaces
+ principal.set(new BasicUserPrincipal(username));
 mock.solrRequestInfo = new SolrRequestInfo(localSolrQueryRequest, new SolrQueryResponse());
 BasicHttpRequest request = new BasicHttpRequest("GET", "http://localhost:56565");
 mock.setHeader(request);
- final AtomicReference
header = new AtomicReference<>();
 header.set(request.getFirstHeader(PKIAuthenticationPlugin.HEADER));
 assertNotNull(header.get());
 assertTrue(header.get().getValue().startsWith(nodeName));
- final AtomicReference wrappedRequestByFilter = new AtomicReference<>();
 HttpServletRequest mockReq = createMockRequest(header);
- FilterChain filterChain = (servletRequest, servletResponse) -> wrappedRequestByFilter.set(servletRequest);
 mock.authenticate(mockReq, null, filterChain);
- assertNotNull(((HttpServletRequest) wrappedRequestByFilter.get()).getUserPrincipal());
 assertNotNull(wrappedRequestByFilter.get());
- assertEquals("solr", ((HttpServletRequest) wrappedRequestByFilter.get()).getUserPrincipal().getName());
+ assertNotNull(((HttpServletRequest) wrappedRequestByFilter.get()).getUserPrincipal());
+ assertEquals(username, ((HttpServletRequest) wrappedRequestByFilter.get()).getUserPrincipal().getName());
 //test 2
 principal.set(null); // no user
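Review bot: The new `"solr user"` value does not cover the riskier shape, a principal whose second token is numeric. Under the removed `ss[0]`/`ss[1]` code, `"solr user"` would presumably be rejected through the `NumberFormatException` path, since `user` is not a number. A constructed name such as `"solr 42"` would instead have been parsed as user `solr` with timestamp 42, that is, silently as another identity. Adding that case, e.g. `principal.set(new BasicUserPrincipal("solr 42"));` followed by the same `assertEquals(username, ...)` check, plus one name with a leading space, would test identity preservation directly. The test method continues past the end of this hunk.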