nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/ProxiedEntitiesUtils.java - nifi-registry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.nifi.registry.security.util;

 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.stream.Collectors;

 public class ProxiedEntitiesUtils {
     private static final Logger logger = LoggerFactory.getLogger(ProxiedEntitiesUtils.class);

     public static final String PROXY_ENTITIES_CHAIN = "X-ProxiedEntitiesChain";
     public static final String PROXY_ENTITIES_ACCEPTED = "X-ProxiedEntitiesAccepted";
     public static final String PROXY_ENTITIES_DETAILS = "X-ProxiedEntitiesDetails";

     private static final String GT = ">";
     private static final String ESCAPED_GT = "\\\\>";
     private static final String LT = "<";
     private static final String ESCAPED_LT = "\\\\<";

     private static final String ANONYMOUS_CHAIN = "<>";

     /**
      * Formats the specified DN to be set as a HTTP header using well known conventions.
      *
      * @param dn raw dn
      * @return the dn formatted as an HTTP header
      */
     public static String formatProxyDn(String dn) {
         return LT + sanitizeDn(dn) + GT;
     }

     /**
      * If a user provides a DN with the sequence '><', they could escape the tokenization process and impersonate another user.
      * <p>
      * Example:
      * <p>
      * Provided DN: {@code jdoe><alopresto} -> {@code <jdoe><alopresto><proxy...>} would allow the user to impersonate jdoe
      *
      * @param rawDn the unsanitized DN
      * @return the sanitized DN
      */
     private static String sanitizeDn(String rawDn) {
         if (StringUtils.isEmpty(rawDn)) {
             return rawDn;
         } else {
             String sanitizedDn = rawDn.replaceAll(GT, ESCAPED_GT).replaceAll(LT, ESCAPED_LT);
             if (!sanitizedDn.equals(rawDn)) {
                 logger.warn("The provided DN [" + rawDn + "] contained dangerous characters that were escaped to [" + sanitizedDn + "]");
             }
             return sanitizedDn;
         }
     }

     /**
      * Reconstitutes the original DN from the sanitized version passed in the proxy chain.
      * <p>
      * Example:
      * <p>
      * {@code alopresto\>\<proxy1} -> {@code alopresto><proxy1}
      *
      * @param sanitizedDn the sanitized DN
      * @return the original DN
      */
     private static String unsanitizeDn(String sanitizedDn) {
         if (StringUtils.isEmpty(sanitizedDn)) {
             return sanitizedDn;
         } else {
             String unsanitizedDn = sanitizedDn.replaceAll(ESCAPED_GT, GT).replaceAll(ESCAPED_LT, LT);
             if (!unsanitizedDn.equals(sanitizedDn)) {
                 logger.warn("The provided DN [" + sanitizedDn + "] had been escaped, and was reconstituted to the dangerous DN [" + unsanitizedDn + "]");
             }
             return unsanitizedDn;
         }
     }

     /**
      * Tokenizes the specified proxy chain.
      *
      * @param rawProxyChain raw chain
      * @return tokenized proxy chain
      */
     public static List<String> tokenizeProxiedEntitiesChain(String rawProxyChain) {
         final List<String> proxyChain = new ArrayList<>();
         if (!StringUtils.isEmpty(rawProxyChain)) {
             // Split the String on the >< token
             List<String> elements = Arrays.asList(StringUtils.splitByWholeSeparatorPreserveAllTokens(rawProxyChain, "><"));

             // Unsanitize each DN and collect back
             elements = elements.stream().map(ProxiedEntitiesUtils::unsanitizeDn).collect(Collectors.toList());

             // Remove the leading < from the first element
             elements.set(0, elements.get(0).replaceFirst(LT, ""));

             // Remove the trailing > from the last element
             int last = elements.size() - 1;
             String lastElement = elements.get(last);
             if (lastElement.endsWith(GT)) {
                 elements.set(last, lastElement.substring(0, lastElement.length() - 1));
             }

             proxyChain.addAll(elements);
         }

         return proxyChain;
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.nifi.registry.security.util;

	import org.apache.commons.lang3.StringUtils;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.util.ArrayList;
	import java.util.Arrays;
	import java.util.List;
	import java.util.stream.Collectors;

	public class ProxiedEntitiesUtils {
	private static final Logger logger = LoggerFactory.getLogger(ProxiedEntitiesUtils.class);

	public static final String PROXY_ENTITIES_CHAIN = "X-ProxiedEntitiesChain";
	public static final String PROXY_ENTITIES_ACCEPTED = "X-ProxiedEntitiesAccepted";
	public static final String PROXY_ENTITIES_DETAILS = "X-ProxiedEntitiesDetails";

	private static final String GT = ">";
	private static final String ESCAPED_GT = "\\\\>";
	private static final String LT = "<";
	private static final String ESCAPED_LT = "\\\\<";

	private static final String ANONYMOUS_CHAIN = "<>";

	/**
	* Formats the specified DN to be set as a HTTP header using well known conventions.
	*
	* @param dn raw dn
	* @return the dn formatted as an HTTP header
	*/
	public static String formatProxyDn(String dn) {
	return LT + sanitizeDn(dn) + GT;
	}

	/**
	* If a user provides a DN with the sequence '><', they could escape the tokenization process and impersonate another user.
	* <p>
	* Example:
	* <p>
	* Provided DN: {@code jdoe><alopresto} -> {@code <jdoe><alopresto><proxy...>} would allow the user to impersonate jdoe
	*
	* @param rawDn the unsanitized DN
	* @return the sanitized DN
	*/
	private static String sanitizeDn(String rawDn) {
	if (StringUtils.isEmpty(rawDn)) {
	return rawDn;
	} else {
	String sanitizedDn = rawDn.replaceAll(GT, ESCAPED_GT).replaceAll(LT, ESCAPED_LT);
	if (!sanitizedDn.equals(rawDn)) {
	logger.warn("The provided DN [" + rawDn + "] contained dangerous characters that were escaped to [" + sanitizedDn + "]");
	}
	return sanitizedDn;
	}
	}

	/**
	* Reconstitutes the original DN from the sanitized version passed in the proxy chain.
	* <p>
	* Example:
	* <p>
	* {@code alopresto\>\<proxy1} -> {@code alopresto><proxy1}
	*
	* @param sanitizedDn the sanitized DN
	* @return the original DN
	*/
	private static String unsanitizeDn(String sanitizedDn) {
	if (StringUtils.isEmpty(sanitizedDn)) {
	return sanitizedDn;
	} else {
	String unsanitizedDn = sanitizedDn.replaceAll(ESCAPED_GT, GT).replaceAll(ESCAPED_LT, LT);
	if (!unsanitizedDn.equals(sanitizedDn)) {
	logger.warn("The provided DN [" + sanitizedDn + "] had been escaped, and was reconstituted to the dangerous DN [" + unsanitizedDn + "]");
	}
	return unsanitizedDn;
	}
	}

	/**
	* Tokenizes the specified proxy chain.
	*
	* @param rawProxyChain raw chain
	* @return tokenized proxy chain
	*/
	public static List<String> tokenizeProxiedEntitiesChain(String rawProxyChain) {
	final List<String> proxyChain = new ArrayList<>();
	if (!StringUtils.isEmpty(rawProxyChain)) {
	// Split the String on the >< token
	List<String> elements = Arrays.asList(StringUtils.splitByWholeSeparatorPreserveAllTokens(rawProxyChain, "><"));

	// Unsanitize each DN and collect back
	elements = elements.stream().map(ProxiedEntitiesUtils::unsanitizeDn).collect(Collectors.toList());

	// Remove the leading < from the first element
	elements.set(0, elements.get(0).replaceFirst(LT, ""));

	// Remove the trailing > from the last element
	int last = elements.size() - 1;
	String lastElement = elements.get(last);
	if (lastElement.endsWith(GT)) {
	elements.set(last, lastElement.substring(0, lastElement.length() - 1));
	}

	proxyChain.addAll(elements);
	}

	return proxyChain;
	}

	}