Changed allowlist config to denylist ip config for datasource uri hosts
Signed-off-by: Vamsi Manohar <[email protected]>
Showing
17 changed files
with
190 additions
and
125 deletions.
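--- a/common/src/main/java/org/opensearch/sql/common/interceptors/URIValidatorInterceptor.java
+++ b/common/src/main/java/org/opensearch/sql/common/interceptors/URIValidatorInterceptor.java
@@ -0,0 +1,43 @@
+/*
+*
+* * Copyright OpenSearch Contributors
+* * SPDX-License-Identifier: Apache-2.0
+*
+*/
+
+package org.opensearch.sql.common.interceptors;
+
+import java.io.IOException;
+import java.util.List;
+import lombok.NonNull;
+import okhttp3.Interceptor;
+import okhttp3.Request;
+import okhttp3.Response;
+import org.jetbrains.annotations.NotNull;
+import org.opensearch.sql.common.setting.Settings;
+import org.opensearch.sql.common.utils.URIValidationUtils;
+
+public class URIValidatorInterceptor implements Interceptor {
+
+private final List<String> denyHostList;
+
+public URIValidatorInterceptor(@NonNull List<String> denyHostList) {
+this.denyHostList = denyHostList;
+}
+
+@NotNull
+@Override
+public Response intercept(Interceptor.Chain chain) throws IOException {
+Request request = chain.request();
+String host = request.url().host();
+boolean isValidHost = URIValidationUtils.validateURIHost(host, denyHostList);
+if (isValidHost) {
+return chain.proceed(request);
+} else {
+throw new IllegalArgumentException(
+String.format(
+"Disallowed hostname in the uri. Validate with %s config",
+Settings.Key.DATASOURCES_URI_HOSTS_DENY_LIST.getKeyValue()));
+}
+}
+}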
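Review bot: `intercept` checks the host through a DNS lookup of its own inside `URIValidationUtils.validateURIHost`, and `chain.proceed(request)` then resolves the name again to connect, so the address that passed the deny list is not necessarily the address the request reaches. Enforcing the list in a custom `okhttp3.Dns` set on the client (filter the result of `lookup` and throw `UnknownHostException` when a denied address comes back) makes the checked address and the connected address the same. How the interceptor is registered is not visible in this section; as an application interceptor it would run once per call and would not see hosts reached through followed redirects, so it should either be added with `addNetworkInterceptor` or be paired with redirects disabled. The rejection is also thrown as an unchecked `IllegalArgumentException`; `throw new IOException(String.format("Disallowed hostname in the uri. Validate with %s config", ...))` would keep it on the failure path OkHttp callers already handle.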
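--- a/common/src/main/java/org/opensearch/sql/common/utils/URIValidationUtils.java
+++ b/common/src/main/java/org/opensearch/sql/common/utils/URIValidationUtils.java
@@ -0,0 +1,22 @@
+package org.opensearch.sql.common.utils;
+
+import inet.ipaddr.IPAddressString;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.List;
+
+/** Utility Class for URI host validation. */
+public class URIValidationUtils {
+
+public static boolean validateURIHost(String host, List<String> denyHostList)
+throws UnknownHostException {
+IPAddressString ipStr = new IPAddressString(InetAddress.getByName(host).getHostAddress());
+for (String denyHost : denyHostList) {
+IPAddressString denyHostStr = new IPAddressString(denyHost);
+if (denyHostStr.contains(ipStr)) {
+return false;
+}
+}
+return true;
+}
+}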
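Review bot: `validateURIHost` checks only the single address returned by `InetAddress.getByName(host)`, so a name that resolves to several addresses passes as long as the first one is outside the deny list. Iterating over `InetAddress.getAllByName(host)` and rejecting when any resolved address falls inside a denied range closes that gap. `InetAddress.getByName` also returns the loopback address for a null or empty host, so that input should be rejected up front instead of being resolved. A deny-list entry that `IPAddressString` cannot parse will presumably never match, so entries are better validated when the setting is loaded than silently skipped here. A Javadoc stating that `true` means "host is allowed" would help too, since the method name does not say which way the boolean goes.

```java
public static boolean validateURIHost(String host, List<String> denyHostList)
    throws UnknownHostException {
  // A null or empty host would resolve to loopback; treat it as not allowed.
  if (host == null || host.isEmpty()) {
    return false;
  }
  // Check every address the name resolves to, not only the first one.
  for (InetAddress resolved : InetAddress.getAllByName(host)) {
    IPAddressString ipStr = new IPAddressString(resolved.getHostAddress());
    for (String denyHost : denyHostList) {
      if (new IPAddressString(denyHost).contains(ipStr)) {
        return false;
      }
    }
  }
  return true;
}
```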
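--- a/...sources/src/main/java/org/opensearch/sql/datasources/utils/DatasourceValidationUtils.java
+++ b/...sources/src/main/java/org/opensearch/sql/datasources/utils/DatasourceValidationUtils.java
@@ -0,0 +1,59 @@
+package org.opensearch.sql.datasources.utils;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.apache.commons.validator.routines.DomainValidator;
+import org.opensearch.sql.common.utils.URIValidationUtils;
+
+public class DatasourceValidationUtils {
+
+public static final int MAX_LENGTH_FOR_CONFIG_PROPERTY = 1000;
+
+public static void validateHost(String uriString, List<String> denyHostList)
+throws URISyntaxException, UnknownHostException {
+validateDomain(uriString);
+URIValidationUtils.validateURIHost(new URI(uriString)
+.getHost(), denyHostList);
+}
+
+public static void validateMissingFields(Map<String, String> config, Set<String> fields) {
+Set<String> missingFields = new HashSet<>();
+Set<String> invalidLengthFields = new HashSet<>();
+for (String field : fields) {
+if (!config.containsKey(field)) {
+missingFields.add(field);
+} else if (config.get(field).length() > MAX_LENGTH_FOR_CONFIG_PROPERTY) {
+invalidLengthFields.add(field);
+}
+}
+StringBuilder errorStringBuilder = new StringBuilder();
+if (missingFields.size() > 0) {
+errorStringBuilder.append(
+String.format(
+"Missing %s fields in the Prometheus connector properties.", missingFields));
+}
+
+if (invalidLengthFields.size() > 0) {
+errorStringBuilder.append(
+String.format("Fields %s exceeds more than 1000 characters.", invalidLengthFields));
+}
+if (errorStringBuilder.length() > 0) {
+throw new IllegalArgumentException(errorStringBuilder.toString());
+}
+}
+
+private static void validateDomain(String uriString) throws URISyntaxException {
+URI uri = new URI(uriString);
+String host = uri.getHost();
+if (host == null
+|| (!(DomainValidator.getInstance().isValid(host)
+|| DomainValidator.getInstance().isValidLocalTld(host)))) {
+throw new IllegalArgumentException(String.format("Invalid hostname in the uri: %s", uriString));
+}
+}
+}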
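Review bot: `validateHost` discards the boolean returned by `URIValidationUtils.validateURIHost(...)`, so on this path a host inside the deny list is never rejected and only `validateDomain` can fail. The result should be checked, for example `if (!URIValidationUtils.validateURIHost(uri.getHost(), denyHostList)) { throw new IllegalArgumentException("Disallowed hostname in the uri: " + uriString); }`, with the URI parsed once and reused for both checks. In `validateMissingFields`, `config.get(field).length()` throws a `NullPointerException` when a key is present with a null value. Its error message also names Prometheus, although the class appears to be meant for datasources in general.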