Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JDK-8243376: java.net.SocketPermission.implies(Permission p) spec is mismatching with implementation #1916

Closed
wants to merge 15 commits into from

Conversation

jaysk1
Copy link
Contributor

@jaysk1 jaysk1 commented Jan 2, 2021

Issue

https://bugs.openjdk.java.net/browse/JDK-8243376

Problem

The scenario is:

  • Some specified target hostname resolves to two IP addresses (always the same address pair).
  • The DNS resolved order of the two ip addresses changes (a usual LoadBalancer type behavior).
  • The CNAME of the two ip addresses differ.

In SocketPermission class(void getIP() method), it internally resolves and saves only the first IP address resolved, not all the IP addresses resolved.

  • Depending on when the implier/implied SocketPermission hostname is resolved, the resolved addresses order differs, and the internally saved IP address mismatches, resulting on SocketPermission#implies() false.

Michael McMahon kindly reviewed and suggested changes: https://mail.openjdk.java.net/pipermail/net-dev/2020-May/014001.html


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8243376: java.net.SocketPermission.implies(Permission p) spec is mismatching with implementation

Download

$ git fetch https://git.openjdk.java.net/jdk pull/1916/head:pull/1916
$ git checkout pull/1916

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Jan 2, 2021

👋 Welcome back jaysk1! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

@openjdk openjdk bot commented Jan 2, 2021

@jaysk1 The following label will be automatically applied to this pull request:

  • net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the net label Jan 2, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Jan 5, 2021

⚠️ @jaysk1 This pull request contains merges that bring in commits not present in the target repository. Since this is not a "merge style" pull request, these changes will be squashed when this pull request in integrated. If this is your intention, then please ignore this message. If you want to preserve the commit structure, you must change the title of this pull request to Merge <project>:<branch> where <project> is the name of another project in the OpenJDK organization (for example Merge jdk:master).

@openjdk openjdk bot added the rfr label Jan 5, 2021
@mlbridge
Copy link

@mlbridge mlbridge bot commented Jan 5, 2021

@jaysk1
Copy link
Contributor Author

@jaysk1 jaysk1 commented Jan 5, 2021

Apologies for the various (noise) commits for the Jcheck Whitespace error.
Will be more mindful and invest time in setting up local pre-commit check here-on.

The actual commits being:
Changes to file: src/java.base/share/classes/java/net/SocketPermission.java
A new test case: test/jdk/java/net/SocketPermission/SocketPermissionIm.java
A new host file: test/jdk/java/net/SocketPermission/Host.txt

Thanks!

@vyommani
Copy link
Contributor

@vyommani vyommani commented Jan 5, 2021

Please find below minor comments.
1-> Please use File.separator,
String hostsFileName = System.getProperty("test.src", ".") + File.separator + "Host.txt";
we don't need "System.exit(0);" break will work instead.

Copy link
Member

@Michael-Mc-Mahon Michael-Mc-Mahon left a comment

Hi Jay,
Looking back to my original comment, I think I suggested that the fix should account for multiple cname values (one for each IP address in the addresses array). That is still my view. In other words, cname needs to be an array, the same length as addresses (except in the case where the permission was constructed using a wildcard - in that case it can continue as a single value, ie the array would have length 1).

Your solution here drops the caching aspect, and every time getCanonName() is called it will do the DNS reverse lookup which could slow things down a lot. Assuming that DNS always returns the same values but just in a different order, then it should be possible to cache all the canonical names and do a comparison across them all, without having to go back to DNS each time.

  • Michael.

@jaysk1
Copy link
Contributor Author

@jaysk1 jaysk1 commented Feb 5, 2021

@Michael-Mc-Mahon: Please take a look at the above patch. Thanks!

@jaysk1
Copy link
Contributor Author

@jaysk1 jaysk1 commented Feb 9, 2021

@Michael-Mc-Mahon and @dfuch: I have addressed the review comments. Please take a look. Thanks!

@vyommani
Copy link
Contributor

@vyommani vyommani commented Mar 5, 2021

As you change equal & hashCode method, if possible can you please add some additional tests in "jdk/java/net/SocketPermission/Equals.java" just to make sure we test every corner case.

@jaysk1
Copy link
Contributor Author

@jaysk1 jaysk1 commented Mar 10, 2021

I have addressed the changes mentioned by @Michael-Mc-Mahon and now working on Vyom's suggestions, will send the new patch for review soon. Thanks!

@openjdk openjdk bot removed the rfr label Mar 10, 2021
@openjdk openjdk bot added the rfr label Mar 10, 2021
@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Apr 21, 2021

@jaysk1 This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented May 19, 2021

@jaysk1 This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

@bridgekeeper bridgekeeper bot closed this May 19, 2021
@jaysk1
Copy link
Contributor Author

@jaysk1 jaysk1 commented Dec 16, 2021

/open

@openjdk openjdk bot reopened this Dec 16, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Dec 16, 2021

@jaysk1 This pull request is now open

@vyommani
Copy link
Contributor

@vyommani vyommani commented Dec 20, 2021

Hi Jay, overall changes look ok to me, please do let me know if you need any help.

@jaysk1
Copy link
Contributor Author

@jaysk1 jaysk1 commented Dec 20, 2021

Hi Vyom, Thanks a lot for reaching out.
We have reopened to try and write the additional tests in "jdk/java/net/SocketPermission/Equals.java" for equal & hashCode method.

Copy link

@pushkarnk pushkarnk left a comment

@jaysk1 Thanks for this PR! I've left some questions inline.

that.getCanonName();
}

return (this.cname.equalsIgnoreCase(that.cname));
return this.cnames[0].equalsIgnoreCase(that.cnames[0]);
Copy link

@pushkarnk pushkarnk Jan 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jaysk1 On the event of us reaching here, won't this and that have multiple canonical names each, in different orders? Do you think we need to compare the arrays here?

if (this.cname != null) {
return this.cname.equalsIgnoreCase(that.cname);
if (this.cnames != null) {
return this.cnames[0].equalsIgnoreCase(that.cnames[0]);
Copy link

@pushkarnk pushkarnk Jan 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jaysk1 Can this comparison fail for SocketPermission objects that have multiple cname entries in different orders?

return this.getName().hashCode();
else
return this.cname.hashCode();
return this.cnames[0].hashCode();
Copy link

@pushkarnk pushkarnk Jan 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jaysk1 Can this cause "equal" SocketPermission objects with the identical, multiple cname entries, but in a different order, to have unequal hash codes?

System.out.println("Expected true, returned false");
break;
}
addIpToHostsFile(hostname, "1.2.3."+testPass, hostsFileName);
Copy link

@pushkarnk pushkarnk Jan 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Looks like these needs an indentation correction.


private static void addIpToHostsFile(String host, String addr, String hostsFileName)
throws Exception {
String mapping = addr + " " + host;
Copy link

@pushkarnk pushkarnk Jan 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: indentation?

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Feb 7, 2022

@jaysk1 This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Mar 7, 2022

@jaysk1 This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

@bridgekeeper bridgekeeper bot closed this Mar 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
net rfr
5 participants