Google Git
Sign in
apache / incubator-atlas / 35c776448cb932723e64fda6b642f65659e83879 / . / webapp / src / main / java / org / apache / atlas / web / filters / AtlasCSRFPreventionFilter.java
blob: 5294c9be9aa7d16e981d2a48d8bf88a3c39e03dd [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.atlas.web.filters;
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
import org.apache.commons.configuration.Configuration;
import org.codehaus.jackson.map.ObjectMapper;
import org.json.simple.JSONObject;
public class AtlasCSRFPreventionFilter implements Filter {
private static final Logger LOG = LoggerFactory.getLogger(AtlasCSRFPreventionFilter.class);
private static Configuration configuration;
static {
try {
configuration = ApplicationProperties.get();
LOG.info("Configuration obtained :: "+configuration);
} catch (AtlasException e) {
LOG.error(e.getMessage(), e);
}
}
public static final boolean isCSRF_ENABLED = configuration.getBoolean("atlas.rest-csrf.enabled", true);
public static final String BROWSER_USER_AGENT_PARAM = "atlas.rest-csrf.browser-useragents-regex";
public static final String BROWSER_USER_AGENTS_DEFAULT = "^Mozilla.*,^Opera.*,^Chrome";
public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "atlas.rest-csrf.methods-to-ignore";
public static final String METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
public static final String CUSTOM_HEADER_PARAM = "atlas.rest-csrf.custom-header";
public static final String HEADER_DEFAULT = "X-XSRF-HEADER";
public static final String HEADER_USER_AGENT = "User-Agent";
private String headerName = HEADER_DEFAULT;
private Set<String> methodsToIgnore = null;
private Set<Pattern> browserUserAgents;
public AtlasCSRFPreventionFilter() {
try {
if (isCSRF_ENABLED){
init(null);
}
} catch (Exception e) {
LOG.error("Error while initializing Filter ", e);
}
}
public void init(FilterConfig filterConfig) throws ServletException {
String customHeader = configuration.getString(CUSTOM_HEADER_PARAM, HEADER_DEFAULT);
if (customHeader != null) {
headerName = customHeader;
}
String customMethodsToIgnore = configuration.getString(CUSTOM_METHODS_TO_IGNORE_PARAM, METHODS_TO_IGNORE_DEFAULT);
if (customMethodsToIgnore != null) {
parseMethodsToIgnore(customMethodsToIgnore);
} else {
parseMethodsToIgnore(METHODS_TO_IGNORE_DEFAULT);
}
String agents = configuration.getString(BROWSER_USER_AGENT_PARAM, BROWSER_USER_AGENTS_DEFAULT);
if (agents == null) {
agents = BROWSER_USER_AGENTS_DEFAULT;
}
parseBrowserUserAgents(agents);
LOG.info("Adding cross-site request forgery (CSRF) protection");
}
void parseMethodsToIgnore(String mti) {
String[] methods = mti.split(",");
methodsToIgnore = new HashSet<>();
Collections.addAll(methodsToIgnore, methods);
}
void parseBrowserUserAgents(String userAgents) {
String[] agentsArray = userAgents.split(",");
browserUserAgents = new HashSet<>();
for (String patternString : agentsArray) {
browserUserAgents.add(Pattern.compile(patternString));
}
}
protected boolean isBrowser(String userAgent) {
if (userAgent == null) {
return false;
}
if (browserUserAgents != null){
for (Pattern pattern : browserUserAgents) {
Matcher matcher = pattern.matcher(userAgent);
if (matcher.matches()) {
return true;
}
}
}
return false;
}
public interface HttpInteraction {
/**
* Returns the value of a header.
*
* @param header
* name of header
* @return value of header
*/
String getHeader(String header);
/**
* Returns the method.
*
* @return method
*/
String getMethod();
/**
* Called by the filter after it decides that the request may proceed.
*
* @throws IOException
* if there is an I/O error
* @throws ServletException
* if the implementation relies on the servlet API and a
* servlet API call has failed
*/
void proceed() throws IOException, ServletException;
/**
* Called by the filter after it decides that the request is a potential
* CSRF attack and therefore must be rejected.
*
* @param code
* status code to send
* @param message
* response message
* @throws IOException
* if there is an I/O error
*/
void sendError(int code, String message) throws IOException;
}
public void handleHttpInteraction(HttpInteraction httpInteraction)
throws IOException, ServletException {
if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))
|| methodsToIgnore.contains(httpInteraction.getMethod())
|| httpInteraction.getHeader(headerName) != null) {
httpInteraction.proceed();
}else {
httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,"Missing Required Header for CSRF Vulnerability Protection");
}
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
final HttpServletRequest httpRequest = (HttpServletRequest) request;
final HttpServletResponse httpResponse = (HttpServletResponse) response;
AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
responseWrapper.setHeader("X-Frame-Options", "DENY");
if (isCSRF_ENABLED){
handleHttpInteraction(new ServletFilterHttpInteraction(httpRequest, httpResponse, chain));
}else{
chain.doFilter(request, response);
}
}
public void destroy() {
}
private static final class ServletFilterHttpInteraction implements
HttpInteraction {
private final FilterChain chain;
private final HttpServletRequest httpRequest;
private final HttpServletResponse httpResponse;
/**
* Creates a new ServletFilterHttpInteraction.
*
* @param httpRequest
* request to process
* @param httpResponse
* response to process
* @param chain
* filter chain to forward to if HTTP interaction is allowed
*/
public ServletFilterHttpInteraction(HttpServletRequest httpRequest,
HttpServletResponse httpResponse, FilterChain chain) {
this.httpRequest = httpRequest;
this.httpResponse = httpResponse;
this.chain = chain;
}
@Override
public String getHeader(String header) {
return httpRequest.getHeader(header);
}
@Override
public String getMethod() {
return httpRequest.getMethod();
}
@Override
public void proceed() throws IOException, ServletException {
chain.doFilter(httpRequest, httpResponse);
}
@Override
public void sendError(int code, String message) throws IOException {
JSONObject json = new JSONObject();
ObjectMapper mapper = new ObjectMapper();
json.put("msgDesc", message);
String jsonAsStr = mapper.writeValueAsString(json);
httpResponse.setContentType("application/json");
httpResponse.setStatus(code);
httpResponse.setCharacterEncoding("UTF-8");
httpResponse.getWriter().write(jsonAsStr);
}
}
}