Skip to content
Permalink
Browse files Browse the repository at this point in the history
Disable RMI endpoint by default
This endpoint can be enabled by including `gocd.agent.remoting.legacy=true` in the
`-Dgocd.agent.extra.properties` property for the server process.
  • Loading branch information
marques-work committed Jan 1, 2021
1 parent 876a8ed commit 7b88b70
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 20 deletions.
Expand Up @@ -20,6 +20,7 @@
import com.thoughtworks.go.domain.JobResult;
import com.thoughtworks.go.domain.JobState;
import com.thoughtworks.go.server.service.AgentRuntimeInfo;
import com.thoughtworks.go.util.SystemEnvironment;
import org.slf4j.LoggerFactory;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.remoting.support.RemoteInvocation;
Expand All @@ -35,9 +36,9 @@
import java.util.Objects;
import java.util.Set;

import static com.thoughtworks.go.util.SystemEnvironment.AGENT_EXTRA_PROPERTIES;
import static java.lang.String.format;
import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
import static javax.servlet.http.HttpServletResponse.*;

/**
* Custom invoker service exporter that validates UUID authorization on agent requests. This prevents compromised agents
Expand All @@ -55,8 +56,29 @@ public class AgentRemoteInvokerServiceExporter extends HttpInvokerServiceExporte
new MethodSignature("getCookie", AgentRuntimeInfo.class)
);

private final SystemEnvironment env;

public AgentRemoteInvokerServiceExporter() {
this(new SystemEnvironment());
}

public AgentRemoteInvokerServiceExporter(SystemEnvironment env) {
this.env = env;
}

@Override
public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
if (rejectRMI()) {
// yes, ideally, this should be short-circuited in the agent auth filter, but keeping this logic here has
// some advantages:
// - it keeps all deprecated RMI logic in one place so it's easier to remove (just remove this class)
// - it's 100% reliable by virtue of its proximity to the RMI invocation code and can't be thwarted by
// some clever URI encoding to circumvent the uri path test that we would need to write at the filter
// level in order to selectively apply this logic to the RMI endpoint and not the JSON API endpoint
reject(response, SC_GONE, "This RMI endpoint is disabled.");
return;
}

try {
RemoteInvocation invocation = readRemoteInvocation(request);

Expand All @@ -71,6 +93,11 @@ public void handleRequest(HttpServletRequest request, HttpServletResponse respon
}
}

private boolean rejectRMI() {
final String props = env.get(AGENT_EXTRA_PROPERTIES).toLowerCase();
return !Arrays.asList(props.split("\\s+")).contains("gocd.agent.remoting.legacy=true");
}

/**
* Verifies that the agent UUID from the deserialized payload matches the UUID permitted by the agent authentication
* filter.
Expand Down
Expand Up @@ -23,6 +23,7 @@
import com.thoughtworks.go.http.mocks.MockHttpServletResponse;
import com.thoughtworks.go.server.messaging.BuildRepositoryMessageProducer;
import com.thoughtworks.go.server.service.AgentRuntimeInfo;
import com.thoughtworks.go.util.SystemEnvironment;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mock;
Expand All @@ -33,6 +34,7 @@
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.InvocationTargetException;

import static com.thoughtworks.go.util.SystemEnvironment.AGENT_EXTRA_PROPERTIES;
import static javax.servlet.http.HttpServletResponse.*;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.fail;
Expand All @@ -46,21 +48,35 @@ public class AgentRemoteInvokerServiceExporterTest {

private MockHttpServletResponse res;

@Mock
private SystemEnvironment env;

@Mock
private BuildRepositoryMessageProducer target;

@BeforeEach
void setup() throws Exception {
openMocks(this).close();
when(env.get(AGENT_EXTRA_PROPERTIES)).thenReturn("gocd.agent.remoting.legacy=true");
req = new MockHttpServletRequest();
req.addHeader("X-Agent-GUID", AGENT_UUID);
res = new MockHttpServletResponse();
}

@Test
void rejectsWhenLegacyDisabled() throws Exception {
when(env.get(AGENT_EXTRA_PROPERTIES)).thenReturn("");
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("ping", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, never()).ping(agent);
assertEquals(SC_GONE, res.getStatus());
}

@Test
void isIgnored_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("isIgnored", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class}, new Object[]{agent, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("isIgnored", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class}, new Object[]{agent, null}));
invoker.handleRequest(req, res);
verify(target, only()).isIgnored(agent, null);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -69,7 +85,7 @@ void isIgnored_allowedForSameUUID() throws Exception {
@Test
void isIgnored_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("isIgnored", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class}, new Object[]{agent, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("isIgnored", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class}, new Object[]{agent, null}));
invoker.handleRequest(req, res);
verify(target, never()).isIgnored(any(AgentRuntimeInfo.class), any(JobIdentifier.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -78,7 +94,7 @@ void isIgnored_rejectedForDifferentUUID() throws Exception {
@Test
void ping_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("ping", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("ping", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, only()).ping(agent);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -87,7 +103,7 @@ void ping_allowedForSameUUID() throws Exception {
@Test
void ping_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("ping", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("ping", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, never()).ping(any(AgentRuntimeInfo.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -96,7 +112,7 @@ void ping_rejectedForDifferentUUID() throws Exception {
@Test
void getWork_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getWork", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getWork", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, only()).getWork(agent);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -105,7 +121,7 @@ void getWork_allowedForSameUUID() throws Exception {
@Test
void getWork_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getWork", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getWork", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, never()).getWork(any(AgentRuntimeInfo.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -114,7 +130,7 @@ void getWork_rejectedForDifferentUUID() throws Exception {
@Test
void getCookie_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getCookie", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getCookie", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, only()).getCookie(agent);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -123,7 +139,7 @@ void getCookie_allowedForSameUUID() throws Exception {
@Test
void getCookie_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getCookie", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("getCookie", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verify(target, never()).getCookie(any(AgentRuntimeInfo.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -132,7 +148,7 @@ void getCookie_rejectedForDifferentUUID() throws Exception {
@Test
void reportCurrentStatus_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCurrentStatus", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobState.class}, new Object[]{agent, null, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCurrentStatus", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobState.class}, new Object[]{agent, null, null}));
invoker.handleRequest(req, res);
verify(target, only()).reportCurrentStatus(agent, null, null);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -141,7 +157,7 @@ void reportCurrentStatus_allowedForSameUUID() throws Exception {
@Test
void reportCurrentStatus_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCurrentStatus", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobState.class}, new Object[]{agent, null, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCurrentStatus", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobState.class}, new Object[]{agent, null, null}));
invoker.handleRequest(req, res);
verify(target, never()).reportCurrentStatus(any(AgentRuntimeInfo.class), any(JobIdentifier.class), any(JobState.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -150,7 +166,7 @@ void reportCurrentStatus_rejectedForDifferentUUID() throws Exception {
@Test
void reportCompleting_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleting", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleting", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}));
invoker.handleRequest(req, res);
verify(target, only()).reportCompleting(agent, null, null);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -159,7 +175,7 @@ void reportCompleting_allowedForSameUUID() throws Exception {
@Test
void reportCompleting_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleting", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleting", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}));
invoker.handleRequest(req, res);
verify(target, never()).reportCompleting(any(AgentRuntimeInfo.class), any(JobIdentifier.class), any(JobResult.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -168,7 +184,7 @@ void reportCompleting_rejectedForDifferentUUID() throws Exception {
@Test
void reportCompleted_allowedForSameUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleted", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleted", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}));
invoker.handleRequest(req, res);
verify(target, only()).reportCompleted(agent, null, null);
assertEquals(SC_OK, res.getStatus());
Expand All @@ -177,7 +193,7 @@ void reportCompleted_allowedForSameUUID() throws Exception {
@Test
void reportCompleted_rejectedForDifferentUUID() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo("other");
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleted", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("reportCompleted", new Class[]{AgentRuntimeInfo.class, JobIdentifier.class, JobResult.class}, new Object[]{agent, null, null}));
invoker.handleRequest(req, res);
verify(target, never()).reportCompleted(any(AgentRuntimeInfo.class), any(JobIdentifier.class), any(JobResult.class));
assertEquals(SC_FORBIDDEN, res.getStatus());
Expand All @@ -186,7 +202,7 @@ void reportCompleted_rejectedForDifferentUUID() throws Exception {
@Test
void rejectsUnknownMethod() throws Exception {
final AgentRuntimeInfo agent = runtimeInfo(AGENT_UUID);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("nonexistent", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}), target);
final AgentRemoteInvokerServiceExporter invoker = deserializingWith(new RemoteInvocation("nonexistent", new Class[]{AgentRuntimeInfo.class}, new Object[]{agent}));
invoker.handleRequest(req, res);
verifyNoInteractions(target);
assertEquals(SC_BAD_REQUEST, res.getStatus());
Expand All @@ -200,11 +216,11 @@ private AgentIdentifier identifier(String uuid) {
return new AgentIdentifier(null, null, uuid);
}

private static AgentRemoteInvokerServiceExporter deserializingWith(final RemoteInvocation invocation, final BuildRepositoryMessageProducer proxy) {
final AgentRemoteInvokerServiceExporter invoker = new AgentRemoteInvokerServiceExporter() {
private AgentRemoteInvokerServiceExporter deserializingWith(final RemoteInvocation invocation) {
final AgentRemoteInvokerServiceExporter invoker = new AgentRemoteInvokerServiceExporter(env) {
@Override
protected Object getProxyForService() {
return proxy;
return target;
}

@Override
Expand Down

0 comments on commit 7b88b70

Please sign in to comment.