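--- a/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml
+++ b/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml
@@ -0,0 +1,7 @@
+title: PKIAuthenticationPlugin now rejects a SolrAuthV2 header with a malformed signature using a 401 response, instead of returning a 500
+type: fixed
+authors:
+- name: Jan Høydahl
+links:
+- name: PR#4553
+  url: https://github.com/apache/solr/pull/4553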
Expand Up @@ -209,7 +209,13 @@ private PKIHeaderData decipherHeaderV2(String header) {
int sigStart = header.lastIndexOf(' ');

String data = header.substring(0, sigStart);
byte[] sig = Base64.getDecoder().decode(header.substring(sigStart + 1));
byte[] sig;
try {
sig = Base64.getDecoder().decode(header.substring(sigStart + 1));
} catch (IllegalArgumentException e) {
log.warn("Could not parse signature in SolrAuthV2 header as base64");
return null;
}
PKIHeaderData rv = validateSignature(data, sig, key, false);
if (rv == null) {
log.warn("Failed to verify signature, trying after refreshing the key ");
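Review bot: A SolrAuthV2 header that contains no space still reaches `header.substring(0, sigStart)` with `sigStart == -1` and throws StringIndexOutOfBoundsException, so for that shape of malformed header the request is still answered with a 500 rather than the 401 this commit introduces for non-base64 signatures; guard it right after `lastIndexOf`, e.g. `if (sigStart < 0) { log.warn("SolrAuthV2 header has no signature separator"); return null; }`. Whether a trailing space (an empty signature, which the decoder turns into an empty array) is rejected cleanly by validateSignature cannot be seen from this hunk and is worth confirming. The warn in the new catch block drops the decoder's reason; `log.warn("Could not parse signature in SolrAuthV2 header as base64: {}", e.getMessage())` keeps it without writing the header value itself to the log. The test hunk below could get a sibling case for the missing-separator input alongside testMalformedV2HeaderSignatureRejected. decipherHeaderV2 begins and ends outside this hunk.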
Expand Up @@ -207,6 +207,23 @@ public void testLegacyV1HeaderRejected() throws Exception {
"Should not have proceeded after authentication failure", wrappedRequestByFilter.get());
}

@Test
public void testMalformedV2HeaderSignatureRejected() throws Exception {
headerValue.set(nodeName + " someuser 1234567890 not_base64!!!");

HttpServletResponse response = mock(HttpServletResponse.class);
assertFalse(
"Should have rejected request with a non-base64 signature",
mock.authenticate(mockReq, response, filterChain));

verify(response)
.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), PKIAuthenticationPlugin.HEADER_V2);
verify(response).sendError(ArgumentMatchers.eq(401), anyString());

assertNull(
"Should not have proceeded after authentication failure", wrappedRequestByFilter.get());
}

private HttpServletRequest createMockRequest(final AtomicReference<String> headerValue) {
HttpServletRequest mockReq = mock(HttpServletRequest.class);
when(mockReq.getHeader(any(String.class)))