ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From atk...@apache.org
Subject git commit: AMBARI-8027 Admin View: need better username validation. (atkach)
Date Wed, 29 Oct 2014 22:35:31 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-1.7.0 40da2c181 -> 7d94c8c6e


AMBARI-8027 Admin View: need better username validation. (atkach)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/7d94c8c6
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/7d94c8c6
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/7d94c8c6

Branch: refs/heads/branch-1.7.0
Commit: 7d94c8c6e134ddf614cb8a9d869be4cb9f44c237
Parents: 40da2c1
Author: atkach <atkach@hortonworks.com>
Authored: Thu Oct 30 00:35:00 2014 +0200
Committer: atkach <atkach@hortonworks.com>
Committed: Thu Oct 30 00:35:00 2014 +0200

----------------------------------------------------------------------
 .../controllers/users/UsersCreateCtrl.js        |  4 +--
 .../scripts/controllers/users/UsersListCtrl.js  |  7 ++--
 .../app/scripts/directives/editableList.js      |  2 +-
 .../ui/admin-web/app/scripts/routes.js          |  2 +-
 .../ui/admin-web/app/scripts/services/Group.js  |  2 +-
 .../ui/admin-web/app/scripts/services/User.js   |  4 +--
 .../ui/admin-web/app/views/users/list.html      |  4 +--
 .../ambari/server/api/services/BaseRequest.java | 12 +++----
 .../api/services/ResultPostProcessorImpl.java   |  8 ++++-
 .../AmbariAuthorizationFilter.java              |  8 ++++-
 .../server/api/services/BaseRequestTest.java    |  5 +--
 .../AmbariAuthorizationFilterTest.java          | 37 +++++++++++++++++++-
 ambari-web/app/router.js                        |  2 +-
 13 files changed, 74 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersCreateCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersCreateCtrl.js
b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersCreateCtrl.js
index 3fc324a..d853d6a 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersCreateCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersCreateCtrl.js
@@ -33,7 +33,7 @@ angular.module('ambariAdminConsole')
         'Users/active': !!$scope.user.active,
         'Users/admin': !!$scope.user.admin
       }).then(function() {
-        Alert.success('Created user <a href="#/users/' + $scope.user.user_name + '">'
+ $scope.user.user_name + "</a>");
+        Alert.success('Created user <a href="#/users/' + encodeURIComponent($scope.user.user_name)
+ '">' + $scope.user.user_name + "</a>");
         $scope.form.$setPristine();
         $location.path(targetUrl);
       }).catch(function(data) {
@@ -68,4 +68,4 @@ angular.module('ambariAdminConsole')
       event.preventDefault();
     }
   });
-}]);
\ No newline at end of file
+}]);

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersListCtrl.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersListCtrl.js
b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersListCtrl.js
index f34f4d5..ff09832 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersListCtrl.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersListCtrl.js
@@ -43,7 +43,10 @@ angular.module('ambariAdminConsole')
       admin: $scope.adminFilter
     }).then(function(data) {
       $scope.totalUsers = data.data.itemTotal;
-      $scope.users = data.data.items;
+      $scope.users = data.data.items.map(function (user) {
+        user.Users.encoded_name = encodeURIComponent(user.Users.user_name);
+        return user;
+      });
     });
   };
 
@@ -85,4 +88,4 @@ angular.module('ambariAdminConsole')
       $scope.loadUsers();
     }
   });
-}]);
\ No newline at end of file
+}]);

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/scripts/directives/editableList.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/directives/editableList.js
b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/directives/editableList.js
index 5f96f90..2f1d923 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/directives/editableList.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/directives/editableList.js
@@ -121,7 +121,7 @@ angular.module('ambariAdminConsole')
             
           } else {
             // Load typeahed items based on current input
-            $resource.listByName(newValue).then(function(data) {
+            $resource.listByName(encodeURIComponent(newValue)).then(function(data) {
               var items = [];
               angular.forEach(data.data.items, function(item) {
                 var name;

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/scripts/routes.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/routes.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/routes.js
index 0eff401..897f294 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/routes.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/routes.js
@@ -41,7 +41,7 @@ angular.module('ambariAdminConsole')
       controller: 'UsersCreateCtrl'
     },
     show: {
-      url: '/users/:id',
+      url: '/users/:id*',
       templateUrl: 'views/users/show.html',
       controller: 'UsersShowCtrl'
     }

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/Group.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/Group.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/Group.js
index cf35d4f..ce892ec 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/Group.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/Group.js
@@ -123,7 +123,7 @@ angular.module('ambariAdminConsole')
 
     $http({
       method: 'POST',
-      url: Settings.baseUrl + '/groups/' + this.group_name + '/members' + '/'+ member.user_name
+      url: Settings.baseUrl + '/groups/' + this.group_name + '/members' + '/'+ encodeURIComponent(member.user_name)
     })
     .success(function(data) {
       deferred.resolve(data)

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
index 4ea048e..9d20413 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
@@ -82,10 +82,10 @@ angular.module('ambariAdminConsole')
       return $http.get(Settings.baseUrl + '/privileges', {
         params:{
           'PrivilegeInfo/principal_type': 'USER',
-          'PrivilegeInfo/principal_name': userId,
+          'PrivilegeInfo/principal_name': encodeURIComponent(userId),
           'fields': '*'
         }
       });
     }
   };
-}]);
\ No newline at end of file
+}]);

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-admin/src/main/resources/ui/admin-web/app/views/users/list.html
----------------------------------------------------------------------
diff --git a/ambari-admin/src/main/resources/ui/admin-web/app/views/users/list.html b/ambari-admin/src/main/resources/ui/admin-web/app/views/users/list.html
index 76addd3..97ec9d1 100644
--- a/ambari-admin/src/main/resources/ui/admin-web/app/views/users/list.html
+++ b/ambari-admin/src/main/resources/ui/admin-web/app/views/users/list.html
@@ -68,7 +68,7 @@
           <span class="glyphicon" tooltip="{{user.Users.admin ? 'Ambari Admin' : ''}}"
ng-class="{'glyphicon-flash' : user.Users.admin}"></span>
         </td>
         <td>
-          <link-to route="users.show" id="{{user.Users.user_name}}">{{user.Users.user_name}}</link-to>
+           <a href="#/users/{{user.Users.encoded_name}}">{{user.Users.user_name}}</a>
         </td>
         <td>{{user.Users.ldap_user ? 'LDAP' : 'Local'}}</td>
         <td><span ng-class="user.Users.active ? 'text-success' : 'text-danger'">{{user.Users.active
? 'Active' : 'Inactive'}}</span></td>
@@ -84,4 +84,4 @@
     </div>
     
   </div>
-</div>
\ No newline at end of file
+</div>

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseRequest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseRequest.java
b/ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseRequest.java
index d4d61f7..7494491 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseRequest.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/BaseRequest.java
@@ -155,11 +155,7 @@ public abstract class BaseRequest implements Request {
 
   @Override
   public String getURI() {
-    try {
-      return URLDecoder.decode(m_uriInfo.getRequestUri().toASCIIString(), "UTF-8");
-    } catch (UnsupportedEncodingException e) {
-      throw new RuntimeException("Unable to decode URI: " + e, e);
-    }
+    return m_uriInfo.getRequestUri().toASCIIString();
   }
 
   @Override
@@ -314,7 +310,11 @@ public abstract class BaseRequest implements Request {
     }
 
     if (queryString != null) {
-      m_predicate = getPredicateCompiler().compile(queryString);
+      try {
+        m_predicate = getPredicateCompiler().compile(URLDecoder.decode(queryString, "UTF-8"));
+      } catch (UnsupportedEncodingException e) {
+        throw new RuntimeException("Unable to decode URI: " + e, e);
+      }
     }
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-server/src/main/java/org/apache/ambari/server/api/services/ResultPostProcessorImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ResultPostProcessorImpl.java
b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ResultPostProcessorImpl.java
index bfb1e57..8d17846 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ResultPostProcessorImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ResultPostProcessorImpl.java
@@ -24,6 +24,8 @@ import org.apache.ambari.server.api.resources.ResourceInstance;
 import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.api.util.TreeNode;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -79,7 +81,11 @@ public class ResultPostProcessorImpl implements ResultPostProcessor {
       href = node.getProperty("href");
       int i = href.indexOf('?');
       if (i != -1) {
-        href = href.substring(0, i);
+        try {
+          href = URLDecoder.decode(href.substring(0, i), "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+          throw new RuntimeException("Unable to decode URI: " + e, e);
+        }
       }
     } else {
       String isItemsCollection = node.getProperty("isCollection");

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index b184a59..bedffbb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -19,6 +19,8 @@
 package org.apache.ambari.server.security.authorization;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -222,7 +224,11 @@ public class AmbariAuthorizationFilter implements Filter {
     if (!matcher.matches()) {
       return null;
     } else {
-      return matcher.group(1);
+      try {
+        return URLDecoder.decode(matcher.group(1), "UTF-8");
+      } catch (UnsupportedEncodingException e) {
+        throw new RuntimeException("Unable to decode URI: " + e, e);
+      }
     }
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-server/src/test/java/org/apache/ambari/server/api/services/BaseRequestTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/api/services/BaseRequestTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/api/services/BaseRequestTest.java
index 9cfd8c6..27fc077 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/api/services/BaseRequestTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/api/services/BaseRequestTest.java
@@ -171,8 +171,9 @@ public abstract class BaseRequestTest {
   @Test
   public void testProcess_QueryInURI() throws Exception {
     HttpHeaders headers = createNiceMock(HttpHeaders.class);
-    String uriString = "http://localhost.com:8080/api/v1/clusters/c1?foo=foo-value&bar=bar-value";
-    URI uri = new URI(URLEncoder.encode(uriString, "UTF-8"));
+    String path = URLEncoder.encode("http://localhost.com:8080/api/v1/clusters/c1", "UTF-8");
+    String query = URLEncoder.encode("foo=foo-value&bar=bar-value", "UTF-8");
+    URI uri = new URI(path + "?" + query);
     PredicateCompiler compiler = createStrictMock(PredicateCompiler.class);
     Predicate predicate = createNiceMock(Predicate.class);
     UriInfo uriInfo = createMock(UriInfo.class);

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 116b6ec..f3c6400 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -356,6 +356,41 @@ public class AmbariAuthorizationFilterTest {
   }
 
   @Test
+  public void testParseUserNameSpecial() throws Exception {
+    String contextPath = "/api/v1/users/user%3F";
+    String username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("user?", username);
+
+    contextPath = "/api/v1/users/a%20b";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("a b", username);
+
+    contextPath = "/api/v1/users/a%2Bb";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("a+b", username);
+
+    contextPath = "/api/v1/users/a%21";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("a!", username);
+
+    contextPath = "/api/v1/users/a%3D";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("a=", username);
+
+    contextPath = "/api/v1/users/a%2Fb";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("a/b", username);
+
+    contextPath = "/api/v1/users/a%23";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("a#", username);
+
+    contextPath = "/api/v1/users/%3F%3F";
+    username = AmbariAuthorizationFilter.parseUserName(contextPath);
+    Assert.assertEquals("??", username);
+  }
+
+  @Test
   public void testParseViewContextPath() throws Exception {
     final String[] pathesToTest = {
         AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1",
@@ -369,4 +404,4 @@ public class AmbariAuthorizationFilterTest {
       Assert.assertEquals("1.0.0", dto.getVersion());
     }
   }
-}
\ No newline at end of file
+}

http://git-wip-us.apache.org/repos/asf/ambari/blob/7d94c8c6/ambari-web/app/router.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/router.js b/ambari-web/app/router.js
index 25a142a..97fc560 100644
--- a/ambari-web/app/router.js
+++ b/ambari-web/app/router.js
@@ -204,7 +204,7 @@ App.Router = Em.Router.extend({
       data: {
         auth: "Basic " + hash,
         usr: usr,
-        loginName: loginName
+        loginName: encodeURIComponent(loginName)
       },
       beforeSend: 'authBeforeSend',
       success: 'loginSuccessCallback',


Mime
View raw message