Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update CXF version to 3.4.5 #1540

Merged
merged 1 commit into from
Dec 22, 2021
Merged

Update CXF version to 3.4.5 #1540

merged 1 commit into from
Dec 22, 2021

Conversation

palashhedau
Copy link
Contributor

@palashhedau palashhedau commented Dec 20, 2021
edited
Loading

opensearch-security pull request intake form

Please provide as much details as possible to get feedback/acceptance on your PR quickly

  1. Category: (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
    Bug Fix

  2. Github Issue # or road-map entry, if available:

  3. Description of changes:
    Update CXF version to 3.4.5

  4. Why these changes are required?
    To correctly parse JWT with escaped characters

  5. What is the old behavior before changes and new behavior after changes? (Please add any example/logs/screen-shot if available)

  6. Testing done: (Please provide details of testing done: Unit testing, integration testing and manual testing)

  7. TO-DOs, if any: (Please describe pending items and provide Github issues# for each of them)

  8. Is it backport from main branch? (If yes, please add backport PR # and commits #)

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@palashhedau palashhedau requested a review from a team December 20, 2021 22:20
vrozov
vrozov suggested changes Dec 21, 2021
View reviewed changes
Copy link
Contributor

@vrozov vrozov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • only handles subject claim in JWT token, there may be other claims where unescaping is necessary.
  • missing UT

@palashhedau palashhedau force-pushed the main branch 2 times, most recently from 4eedf97 to e03ad58 Compare December 21, 2021 04:15
@vrozov
Copy link
Contributor

vrozov commented Dec 21, 2021

Please upgrade CXF to 3.4.5 or above. See https://issues.apache.org/jira/browse/CXF-8555?jql=project%20%3D%20CXF%20AND%20text%20~%20%22escape%22

vrozov
vrozov reviewed Dec 21, 2021
View reviewed changes
src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java Outdated Show resolved Hide resolved
src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java
@@ -193,6 +193,48 @@ public void decryptAssertionsTest() throws Exception {
Assert.assertEquals("horst", jwt.getClaim("sub"));
}

@Test
public void unescapeSamlEntitiesTest() throws Exception {
mockSamlIdpServer.setAuthenticateUser("ABC\\User1");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add tests for more special characters (/, ").

@vrozov vrozov self-requested a review December 21, 2021 23:37
@palashhedau palashhedau force-pushed the main branch 2 times, most recently from 1e83433 to ea01ea0 Compare December 21, 2021 23:52
vrozov
vrozov previously approved these changes Dec 21, 2021
View reviewed changes
@vrozov vrozov changed the title Unescape username, required for \ for SAML IDP Update CXF version to 3.4.5 Dec 21, 2021
Update CXF version to 3.4.5
f5a8845 
Signed-off-by: Palash Hedau <[email protected]>
@palashhedau palashhedau dismissed stale reviews from hsiang9431-amzn and vrozov via f5a8845 December 22, 2021 00:05
@palashhedau palashhedau merged commit 7e002f2 into opensearch-project:main Dec 22, 2021
wuychn pushed a commit to ochprince/security that referenced this pull request Mar 16, 2023
@palashhedau
Update CXF version to 3.4.5 (opensearch-project#1540)
a534435 
Signed-off-by: Palash Hedau <[email protected]>

Co-authored-by: Palash Hedau <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hsiang9431-amzn hsiang9431-amzn hsiang9431-amzn approved these changes

@vrozov vrozov vrozov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@palashhedau @vrozov @hsiang9431-amzn