HIVE-27554: added control to JDBCBrowser client URL (#4537) (Henri Bi…

…estro) * HIVE-27554: added control to JDBCBrowser client URL * HIVE-27554: moved control in redirect strategy; - simplified check using uri properties (scheme, absolute); - cleaned up imports; Simplify code; * Update TestSSOControl.java * Update HiveJdbcSamlRedirectStrategy.java
apache · Aug 14, 2023 · 7abeb1d · 7abeb1d
1 parent c31aa5e
commit 7abeb1d
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 9 deletions.
diff --git a/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java b/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java
@@ -203,7 +203,6 @@ private Map<String, String> getQueryParams(URI ssoUri)
   @VisibleForTesting
   protected void openBrowserWindow() throws HiveJdbcBrowserException {
     URI ssoUri = clientContext.getSsoUri();
-    Preconditions.checkNotNull(ssoUri, "SSO Url is null");
     try {
       if (Desktop.isDesktopSupported() && Desktop.getDesktop()
           .isSupported(Action.BROWSE)) {
@@ -212,18 +211,19 @@ protected void openBrowserWindow() throws HiveJdbcBrowserException {
         LOG.info(
             "Desktop mode is not supported. Attempting to use OS "
                 + "commands to open the default browser");
+        String ssoUriStr = ssoUri.toString();
         //Desktop is not supported, lets try to open the browser process
         OsType os = getOperatingSystem();
         switch (os) {
           case WINDOWS:
             Runtime.getRuntime()
-                .exec("rundll32 url.dll,FileProtocolHandler " + ssoUri.toString());
+                .exec("rundll32 url.dll,FileProtocolHandler " + ssoUriStr);
             break;
           case MAC:
-            Runtime.getRuntime().exec("open " + ssoUri.toString());
+            Runtime.getRuntime().exec("open " + ssoUriStr);
             break;
           case LINUX:
-            Runtime.getRuntime().exec("xdg-open " + ssoUri.toString());
+            Runtime.getRuntime().exec("xdg-open " + ssoUriStr);
             break;
           case UNKNOWN:
             throw new HiveJdbcBrowserException(

diff --git a/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java b/jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java
@@ -62,4 +62,30 @@ public boolean isRedirected(
     }
     return super.isRedirected(request, response, context);
   }
+
+  @Override
+  public URI getLocationURI(HttpRequest request, HttpResponse response, HttpContext context) throws ProtocolException {
+    // add our own check to super-call
+    return checkSsoUri(super.getLocationURI(request, response, context));
+  }
+
+  /**
+   * Checks that the URI used to redirect SSO is valid.
+   * @param uri the uri to validate
+   * @return the uri
+   * @throws ProtocolException if uri is null or not http(s) or not absolute
+   */
+  static URI checkSsoUri(URI uri) throws ProtocolException {
+    if (uri == null) {
+      throw new ProtocolException("SSO Url is null");
+    }
+    final String scheme = uri.getScheme();
+    // require https or https and absolute
+    final boolean valid = ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme))
+                          && uri.isAbsolute();
+    if (!valid) {
+      throw new ProtocolException("SSO Url "+uri.toString()+ "is invalid");
+    }
+    return uri;
+  }
 }
diff --git a/jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java b/jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java
@@ -21,12 +21,7 @@
 import com.google.common.base.Preconditions;
 import com.google.errorprone.annotations.Immutable;
 import java.io.Closeable;
-import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
-import java.util.Map;
 import org.apache.hive.service.auth.saml.HiveSamlUtils;
 
 /**

diff --git a/jdbc/src/test/org/apache/hive/jdbc/saml/TestSSOControl.java b/jdbc/src/test/org/apache/hive/jdbc/saml/TestSSOControl.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc.saml;
+
+import java.net.URI;
+
+import org.junit.Test;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class TestSSOControl {
+
+  static boolean checkValid(String uri) {
+    try {
+      HiveJdbcSamlRedirectStrategy.checkSsoUri(new URI(uri));
+      return true;
+    } catch(Exception xany) {
+      return false;
+    }
+  }
+
+  @Test
+  public void testValidURL() {
+    assertTrue(checkValid("https://companya.okta.com"));
+    assertTrue(checkValid("https://companyb.okta.com:8080"));
+    assertTrue(checkValid("https://companyc.okta.com/testpathvalue"));
+  }
+
+  @Test
+  public void testInvalidURL() {
+    assertFalse(checkValid("-a Calculator"));
+    assertFalse(checkValid("This is random text"));
+    assertFalse(checkValid("file://randomfile"));
+  }
+}