Skip to content

Commit

Permalink
chore(deps): upgrade play to remove CVEs (datahub-project#4864)
Browse files Browse the repository at this point in the history
  • Loading branch information
RyanHolstien authored and maggiehays committed Aug 1, 2022
1 parent 40d7dfd commit fe5fb85
Show file tree
Hide file tree
Showing 21 changed files with 176 additions and 86 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/build-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,9 @@ jobs:
- name: Install dependencies
run: ./metadata-ingestion/scripts/install_deps.sh
- name: Gradle build
run: ./gradlew build -x check -x docs-website:build -x test -x yarnTest -x lint -x yarnLint -x testQuick -x :metadata-integration:java:spark-lineage:test
run: |
./gradlew build -x check -x docs-website:build -x test -x yarnTest -x lint -x yarnLint -x testQuick -x :metadata-integration:java:spark-lineage:test
./gradlew :datahub-frontend:dist
- name: Smoke test
run: ./smoke-test/smoke.sh
env:
Expand Down
5 changes: 4 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -64,4 +64,7 @@ metadata-ingestion/generated/**
# docs
docs/generated/
tmp*
temp*
temp*

# frontend assets
datahub-frontend/public/**
15 changes: 8 additions & 7 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ buildscript {
}
classpath "io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.30.0"
classpath "com.palantir.gradle.gitversion:gradle-git-version:0.12.3"
classpath "org.gradle.playframework:gradle-playframework:0.12"
classpath "gradle.plugin.org.hidetake:gradle-swagger-generator-plugin:2.18.1"
}
}
Expand Down Expand Up @@ -110,14 +111,14 @@ project.ext.externalDependency = [
'opentracingJdbc':'io.opentracing.contrib:opentracing-jdbc:0.2.15',
'parquet': 'org.apache.parquet:parquet-avro:1.12.2',
'picocli': 'info.picocli:picocli:4.5.0',
'playCache': 'com.typesafe.play:play-cache_2.11:2.6.18',
'playWs': 'com.typesafe.play:play-ahc-ws-standalone_2.11:2.0.8',
'playDocs': 'com.typesafe.play:play-docs_2.11:2.6.18',
'playGuice': 'com.typesafe.play:play-guice_2.11:2.6.18',
'playJavaJdbc': 'com.typesafe.play:play-java-jdbc_2.11:2.6.18',
'playTest': 'com.typesafe.play:play-test_2.11:2.6.18',
'playCache': 'com.typesafe.play:play-cache_2.12:2.7.6',
'playWs': 'com.typesafe.play:play-ahc-ws-standalone_2.12:2.0.8',
'playDocs': 'com.typesafe.play:play-docs_2.12:2.7.6',
'playGuice': 'com.typesafe.play:play-guice_2.12:2.7.6',
'playJavaJdbc': 'com.typesafe.play:play-java-jdbc_2.12:2.7.6',
'playTest': 'com.typesafe.play:play-test_2.12:2.7.6',
'pac4j': 'org.pac4j:pac4j-oidc:3.6.0',
'playPac4j': 'org.pac4j:play-pac4j_2.11:7.0.1',
'playPac4j': 'org.pac4j:play-pac4j_2.12:8.0.2',
'postgresql': 'org.postgresql:postgresql:42.3.3',
'protobuf': 'com.google.protobuf:protobuf-java:3.19.3',
'reflections': 'org.reflections:reflections:0.9.9',
Expand Down
1 change: 0 additions & 1 deletion datahub-frontend/app/auth/AuthModule.java
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@
import com.linkedin.util.Configuration;
import com.datahub.authentication.Authentication;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import org.apache.commons.codec.digest.DigestUtils;
import org.pac4j.core.client.Client;
Expand Down
23 changes: 22 additions & 1 deletion datahub-frontend/app/auth/Authenticator.java
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package auth;

import com.typesafe.config.Config;
import java.util.Optional;
import javax.inject.Inject;
import play.mvc.Http;
import play.mvc.Result;
Expand All @@ -22,7 +23,8 @@ public class Authenticator extends Security.Authenticator {

@Inject
public Authenticator(@Nonnull Config config) {
this.metadataServiceAuthEnabled = config.hasPath(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH) && config.getBoolean(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH);
this.metadataServiceAuthEnabled = config.hasPath(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH)
&& config.getBoolean(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH);
}

@Override
Expand All @@ -38,9 +40,28 @@ public String getUsername(@Nonnull Http.Context ctx) {
}
}

@Override
public Optional<String> getUsername(@Nonnull Http.Request request) {
Http.Context ctx = Http.Context.current();
if (this.metadataServiceAuthEnabled) {
// If Metadata Service auth is enabled, we only want to verify presence of the
// "Authorization" header OR the presence of a frontend generated session cookie.
// At this time, the actor is still considered to be unauthenicated.
return Optional.ofNullable(AuthUtils.isEligibleForForwarding(ctx) ? "urn:li:corpuser:UNKNOWN" : null);
} else {
// If Metadata Service auth is not enabled, verify the presence of a valid session cookie.
return Optional.ofNullable(AuthUtils.hasValidSessionCookie(ctx) ? ctx.session().get(ACTOR) : null);
}
}

@Override
@Nonnull
public Result onUnauthorized(@Nullable Http.Context ctx) {
return unauthorized();
}

@Override
public Result onUnauthorized(Http.Request req) {
return unauthorized();
}
}
21 changes: 12 additions & 9 deletions datahub-frontend/app/auth/sso/oidc/OidcResponseErrorHandler.java
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,11 @@


public class OidcResponseErrorHandler {

private OidcResponseErrorHandler() {

}

private static final Logger _logger = LoggerFactory.getLogger("OidcResponseErrorHandler");

private static final String ERROR_FIELD_NAME = "error";
Expand All @@ -22,20 +27,18 @@ public static Result handleError(final PlayWebContext context) {
getErrorDescription(context));

if (getError(context).equals("access_denied")) {
return unauthorized(String.format("Access denied. " +
"The OIDC service responded with 'Access denied'. " +
"It seems that you don't have access to this application yet. Please apply for access. \n\n" +
"If you already have been assigned this application, it may be so that your OIDC request is still in action. " +
"Error details: '%s':'%s'",
return unauthorized(String.format("Access denied. "
+ "The OIDC service responded with 'Access denied'. "
+ "It seems that you don't have access to this application yet. Please apply for access. \n\n"
+ "If you already have been assigned this application, it may be so that your OIDC request is still in action. "
+ "Error details: '%s':'%s'",
context.getRequestParameter("error"),
context.getRequestParameter("error_description")));
}

return internalServerError(
String.format("Internal server error. The OIDC service responded with an error: '%s'.\n" +
"Error description: '%s'",
getError(context),
getErrorDescription(context)));
String.format("Internal server error. The OIDC service responded with an error: '%s'.\n"
+ "Error description: '%s'", getError(context), getErrorDescription(context)));
}

public static boolean isError(final PlayWebContext context) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,12 @@ public CustomOidcAuthenticator(final OidcConfiguration configuration, final Oidc
chosenMethod = preferredMethod;
} else {
throw new TechnicalException(
"Preferred authentication method (" + preferredMethod + ") not supported " +
"by provider according to provider metadata (" + metadataMethods + ").");
"Preferred authentication method ("
+ preferredMethod
+ ") not supported "
+ "by provider according to provider metadata ("
+ metadataMethods
+ ").");
}
} else {
chosenMethod = firstSupportedMethod(metadataMethods);
Expand All @@ -83,13 +87,13 @@ public CustomOidcAuthenticator(final OidcConfiguration configuration, final Oidc
chosenMethod);
}

final ClientID _clientID = new ClientID(configuration.getClientId());
final ClientID clientID = new ClientID(configuration.getClientId());
if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(chosenMethod)) {
final Secret _secret = new Secret(configuration.getSecret());
clientAuthentication = new ClientSecretPost(_clientID, _secret);
final Secret secret = new Secret(configuration.getSecret());
clientAuthentication = new ClientSecretPost(clientID, secret);
} else if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(chosenMethod)) {
final Secret _secret = new Secret(configuration.getSecret());
clientAuthentication = new ClientSecretBasic(_clientID, _secret);
final Secret secret = new Secret(configuration.getSecret());
clientAuthentication = new ClientSecretBasic(clientID, secret);
} else if (ClientAuthenticationMethod.NONE.equals(chosenMethod)) {
clientAuthentication = null; // No client authentication in none mode
} else {
Expand Down Expand Up @@ -128,8 +132,8 @@ private static ClientAuthenticationMethod firstSupportedMethod(final List<Client
if (firstSupported.isPresent()) {
return firstSupported.get();
} else {
throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: " +
metadataMethods);
throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: "
+ metadataMethods);
}
}

Expand Down
3 changes: 2 additions & 1 deletion datahub-frontend/app/client/AuthServiceClient.java
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,8 @@ public String generateSessionTokenForUser(@Nonnull final String userId) {
try {

final String protocol = this.metadataServiceUseSsl ? "https" : "http";
final HttpPost request = new HttpPost(String.format("%s://%s:%s/%s", protocol, this.metadataServiceHost, this.metadataServicePort, GENERATE_SESSION_TOKEN_ENDPOINT));
final HttpPost request = new HttpPost(String.format("%s://%s:%s/%s", protocol, this.metadataServiceHost,
this.metadataServicePort, GENERATE_SESSION_TOKEN_ENDPOINT));

// Build JSON request to generate a token on behalf of a user.
String json = String.format("{ \"%s\":\"%s\" }", USER_ID_FIELD, userId);
Expand Down
7 changes: 4 additions & 3 deletions datahub-frontend/app/controllers/Application.java
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
import play.Play;
import play.api.Play;
import play.http.HttpEntity;
import play.libs.ws.InMemoryBodyWritable;
import play.libs.ws.StandaloneWSClient;
Expand Down Expand Up @@ -59,7 +59,7 @@ public Application(@Nonnull Config config) {
*/
@Nonnull
private Result serveAsset(@Nullable String path) {
InputStream indexHtml = Play.application().classloader().getResourceAsStream("public/index.html");
InputStream indexHtml = Play.current().classloader().getResourceAsStream("public/index.html");
response().setHeader("Cache-Control", "no-cache");
return ok(indexHtml).as("text/html");
}
Expand Down Expand Up @@ -114,7 +114,8 @@ public CompletableFuture<Result> proxy(String path) throws ExecutionException, I
.toMap()
.entrySet()
.stream()
.filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equals(entry.getKey())) // Remove X-DataHub-Actor to prevent malicious delegation.
// Remove X-DataHub-Actor to prevent malicious delegation.
.filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equals(entry.getKey()))
.filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equals(entry.getKey()))
.filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equals(entry.getKey()))
.filter(entry -> !Http.HeaderNames.AUTHORIZATION.equals(entry.getKey()))
Expand Down
6 changes: 3 additions & 3 deletions datahub-frontend/app/controllers/CentralLogoutController.java
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,14 @@ public class CentralLogoutController extends LogoutController {
@Inject
public CentralLogoutController(Config config) {

String _authBaseUrl = config.hasPath(AUTH_BASE_URL_CONFIG_PATH)
String authBaseUrl = config.hasPath(AUTH_BASE_URL_CONFIG_PATH)
? config.getString(AUTH_BASE_URL_CONFIG_PATH)
: DEFAULT_BASE_URL_PATH;

_isOidcEnabled = config.hasPath("auth.oidc.enabled") && config.getBoolean("auth.oidc.enabled");

setDefaultUrl(_authBaseUrl);
setLogoutUrlPattern(_authBaseUrl + ".*");
setDefaultUrl(authBaseUrl);
setLogoutUrlPattern(authBaseUrl + ".*");
setLocalLogout(true);
setCentralLogout(true);

Expand Down
3 changes: 2 additions & 1 deletion datahub-frontend/app/controllers/SsoCallbackController.java
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,8 @@ public class SsoCallbackLogic implements CallbackLogic<Result, PlayWebContext> {

private final OidcCallbackLogic _oidcCallbackLogic;

SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication, final EntityClient entityClient, final AuthServiceClient authClient) {
SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication,
final EntityClient entityClient, final AuthServiceClient authClient) {
_oidcCallbackLogic = new OidcCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient);
}

Expand Down
4 changes: 2 additions & 2 deletions datahub-frontend/app/controllers/TrackingController.java
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class TrackingController extends Controller {
private final Logger _logger = LoggerFactory.getLogger(TrackingController.class.getName());

private static final List<String> KAFKA_SSL_PROTOCOLS = Collections.unmodifiableList(
Arrays.asList(SecurityProtocol.SSL.name(),SecurityProtocol.SASL_SSL.name(),
Arrays.asList(SecurityProtocol.SSL.name(), SecurityProtocol.SASL_SSL.name(),
SecurityProtocol.SASL_PLAINTEXT.name()));

private final Boolean _isEnabled;
Expand Down Expand Up @@ -81,7 +81,7 @@ public Result track() throws Exception {
_producer.send(record);
_producer.flush();
return ok();
} catch(Exception e) {
} catch (Exception e) {
_logger.error(String.format("Failed to emit product analytics event. actor: %s, event: %s", actor, event));
return internalServerError(e.getMessage());
}
Expand Down
1 change: 1 addition & 0 deletions datahub-frontend/app/security/AuthenticationManager.java
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ public void handle(@Nonnull Callback[] callbacks) {
NameCallback nc = null;
PasswordCallback pc = null;
for (Callback callback : callbacks) {
Logger.error("The submitted callback is of type: " + callback.getClass() + " : " + callback);
if (callback instanceof NameCallback) {
nc = (NameCallback) callback;
nc.setName(this.username);
Expand Down
4 changes: 4 additions & 0 deletions datahub-frontend/app/utils/ConfigUtil.java
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@

public class ConfigUtil {

private ConfigUtil() {

}

// New configurations, provided via application.conf file.
public static final String METADATA_SERVICE_HOST_CONFIG_PATH = "metadataService.host";
public static final String METADATA_SERVICE_PORT_CONFIG_PATH = "metadataService.port";
Expand Down
17 changes: 17 additions & 0 deletions datahub-frontend/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -46,4 +46,21 @@ graphqlCodegen {

tasks.withType(Checkstyle) {
exclude "**/generated/**"
}

checkstyleMain.source = "app/"


/*
PLAY UPGRADE NOTE
Generates the distribution jars under the expected names. The playFramework plugin only accepts certain name values
for the resulting folders and files, so some changes were made to accommodate. Default distribution is main if these are excluded
*/
distributions {
create("datahub-frontend") {
distributionBaseName = project.ext.playBinaryBaseName
}
playBinary {
distributionBaseName = project.ext.playBinaryBaseName
}
}
4 changes: 4 additions & 0 deletions datahub-frontend/conf/application.conf
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,10 @@ play.modules.disabled += "play.api.mvc.CookiesModule"
play.modules.enabled += "play.api.mvc.LegacyCookiesModule"
play.modules.enabled += "auth.AuthModule"

# Legacy Configuration to avoid code changes, update to modern approaches eventually
play.allowHttpContext = true
play.allowGlobalApplication = true

# Database configuration
# ~~~~~
# You can declare as many datasources as you want.
Expand Down
22 changes: 11 additions & 11 deletions datahub-frontend/conf/routes
Original file line number Diff line number Diff line change
Expand Up @@ -19,22 +19,22 @@ POST /callback/:protocol co
GET /logOut controllers.CentralLogoutController.executeLogout()

# Proxies API requests to the metadata service api
GET /api/*path controllers.Application.proxy(path)
POST /api/*path controllers.Application.proxy(path)
DELETE /api/*path controllers.Application.proxy(path)
PUT /api/*path controllers.Application.proxy(path)
GET /api/*path controllers.Application.proxy(path)
POST /api/*path controllers.Application.proxy(path)
DELETE /api/*path controllers.Application.proxy(path)
PUT /api/*path controllers.Application.proxy(path)

# Proxies API requests to the metadata service api
GET /openapi/*path controllers.Application.proxy(path)
POST /openapi/*path controllers.Application.proxy(path)
DELETE /openapi/*path controllers.Application.proxy(path)
PUT /openapi/*path controllers.Application.proxy(path)
GET /openapi/*path controllers.Application.proxy(path)
POST /openapi/*path controllers.Application.proxy(path)
DELETE /openapi/*path controllers.Application.proxy(path)
PUT /openapi/*path controllers.Application.proxy(path)

# Map static resources from the /public folder to the /assets URL path
GET /assets/*file controllers.Assets.at(path="/public", file)
GET /assets/*file controllers.Assets.at(path="/public", file)

# Analytics route
POST /track controllers.TrackingController.track()
POST /track controllers.TrackingController.track()

# Wildcard route accepts any routes and delegates to serveAsset which in turn serves the React Bundle
GET /*path controllers.Application.index(path)
GET /*path controllers.Application.index(path)
Loading

0 comments on commit fe5fb85

Please sign in to comment.