Configurable Origins and small configuration fixes

conf/zeppelin-site.xml.template

@@ -154,5 +154,11 @@
 </property>
 -->
 
+<property>
+  <name>zeppelin.server.allowed.origins</name>
+  <value>*</value>
+  <description>Allowed sources for REST and WebSocket requests (i.e. http://onehost:8080,http://otherhost.com). If you leave * you are vulnerable to https://issues.apache.org/jira/browse/ZEPPELIN-173</description>
+</property>
+
 </configuration>
 

zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java

@@ -17,9 +17,14 @@
 
 package org.apache.zeppelin.server;
 
+import org.apache.zeppelin.conf.ZeppelinConfiguration;
+import org.apache.zeppelin.utils.SecurityUtils;
+
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.text.DateFormat;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.Locale;
 
@@ -41,11 +46,15 @@ public class CorsFilter implements Filter {
   @Override
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
       throws IOException, ServletException {
-    String sourceHost = request.getServerName();
-    String currentHost = java.net.InetAddress.getLocalHost().getHostName();
+    String sourceHost = ((HttpServletRequest) request).getHeader("Origin");
     String origin = "";
-    if (currentHost.equals(sourceHost) || "localhost".equals(sourceHost)) {
-      origin = ((HttpServletRequest) request).getHeader("Origin");
+
+    try {
+      if (SecurityUtils.isValidOrigin(sourceHost, ZeppelinConfiguration.create())) {
+        origin = sourceHost;
+      }
+    } catch (URISyntaxException e) {
+      e.printStackTrace();
     }
 
     if (((HttpServletRequest) request).getMethod().equals("OPTIONS")) {

zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookServer.java

@@ -24,9 +24,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-
 import javax.servlet.http.HttpServletRequest;
-
 import org.apache.zeppelin.conf.ZeppelinConfiguration;
 import org.apache.zeppelin.conf.ZeppelinConfiguration.ConfVars;
 import org.apache.zeppelin.display.AngularObject;
@@ -43,12 +41,12 @@
 import org.apache.zeppelin.scheduler.JobListener;
 import org.apache.zeppelin.server.ZeppelinServer;
 import org.apache.zeppelin.socket.Message.OP;
+import org.apache.zeppelin.utils.SecurityUtils;
 import org.eclipse.jetty.websocket.WebSocket;
 import org.eclipse.jetty.websocket.WebSocketServlet;
 import org.quartz.SchedulerException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
 import com.google.common.base.Strings;
 import com.google.gson.Gson;
 /**
@@ -69,24 +67,15 @@ private Notebook notebook() {
   }
   @Override
   public boolean checkOrigin(HttpServletRequest request, String origin) {
-    URI sourceUri = null;
-    String currentHost = null;
 
     try {
-      sourceUri = new URI(origin);
-      currentHost = java.net.InetAddress.getLocalHost().getHostName();
+      return SecurityUtils.isValidOrigin(origin, ZeppelinConfiguration.create());
     } catch (UnknownHostException e) {
       e.printStackTrace();
-    }
-    catch (URISyntaxException e) {
+    } catch (URISyntaxException e) {
       e.printStackTrace();
     }
 
-    String sourceHost = sourceUri.getHost();
-    if (currentHost.equals(sourceHost) || "localhost".equals(sourceHost)) {
-      return true;
-    }
-
     return false;
   }
 
@@ -300,6 +289,7 @@ private void broadcastNoteList() {
     List<Map<String, String>> notesInfo = new LinkedList<>();
     for (Note note : notes) {
       Map<String, String> info = new HashMap<>();
+
       if (hideHomeScreenNotebookFromList && note.id().equals(homescreenNotebookId)) {
         continue;
       }

zeppelin-server/src/main/java/org/apache/zeppelin/utils/SecurityUtils.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zeppelin.utils;
+
+import org.apache.zeppelin.conf.ZeppelinConfiguration;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+
+/**
+ * Created by joelz on 8/19/15.
+ */
+public class SecurityUtils {
+  public static Boolean isValidOrigin(String sourceHost, ZeppelinConfiguration conf)
+      throws UnknownHostException, URISyntaxException {
+    if (sourceHost == null){
+      return false;
+    }
+
+    URI sourceHostUri = new URI(sourceHost);
+    String currentHost = java.net.InetAddress.getLocalHost().getHostName().toLowerCase();
+    if (currentHost.equals(sourceHostUri.getHost()) ||
+            "localhost".equals(sourceHostUri.getHost()) ||
+            conf.getAllowedOrigins().contains(sourceHost) ||
+            conf.getAllowedOrigins().contains("*")) {
+      return true;
+    }
+
+    return false;
+  }
+}

zeppelin-server/src/test/java/org/apache/zeppelin/rest/AbstractTestRestApi.java

@@ -227,7 +227,8 @@ protected static GetMethod httpGet(String path) throws IOException {
     LOG.info("Connecting to {}", url + path);
     HttpClient httpClient = new HttpClient();
     GetMethod getMethod = new GetMethod(url + path);
-    httpClient.executeMethod(getMethod);
+    getMethod.addRequestHeader("Origin", "http://localhost:8080");
+            httpClient.executeMethod(getMethod);
     LOG.info("{} - {}", getMethod.getStatusCode(), getMethod.getStatusText());
     return getMethod;
   }
@@ -236,6 +237,7 @@ protected static PostMethod httpPost(String path, String body) throws IOExceptio
     LOG.info("Connecting to {}", url + path);
     HttpClient httpClient = new HttpClient();
     PostMethod postMethod = new PostMethod(url + path);
+    postMethod.addRequestHeader("Origin", "http://localhost:8080");
     RequestEntity entity = new ByteArrayRequestEntity(body.getBytes("UTF-8"));
     postMethod.setRequestEntity(entity);
     httpClient.executeMethod(postMethod);

zeppelin-server/src/test/java/org/apache/zeppelin/rest/ZeppelinRestApiTest.java

@@ -104,9 +104,10 @@ public void testInterpreterAutoBinding() throws IOException {
     // create note
     Note note = ZeppelinServer.notebook.createNote();
 
-    // check interpreter is bindded
+    // check interpreter is binded
     GetMethod get = httpGet("/notebook/interpreter/bind/"+note.id());
     assertThat(get, isAllowed());
+    get.addRequestHeader("Origin", "http://localhost");
     Map<String, Object> resp = gson.fromJson(get.getResponseBodyAsString(), new TypeToken<Map<String, Object>>(){}.getType());
     List<Map<String, String>> body = (List<Map<String, String>>) resp.get("body");
     assertTrue(0 < body.size());

zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTest.java

@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zeppelin.security;
+
+import junit.framework.Assert;
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.zeppelin.conf.ZeppelinConfiguration;
+import org.apache.zeppelin.utils.SecurityUtils;
+import org.junit.Test;
+
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+
+/**
+ * Created by joelz on 8/19/15.
+ */
+public class SecurityUtilsTest {
+    @Test
+    public void isInvalid() throws URISyntaxException, UnknownHostException {
+        Assert.assertFalse(SecurityUtils.isValidOrigin("http://127.0.1.1", ZeppelinConfiguration.create()));
+    }
+
+    @Test
+    public void isInvalidFromConfig() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertFalse(
+                SecurityUtils.isValidOrigin("http://otherinvalidhost.com",
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+    }
+
+    @Test
+    public void isLocalhost() throws URISyntaxException, UnknownHostException {
+        Assert.assertTrue(SecurityUtils.isValidOrigin("http://localhost", ZeppelinConfiguration.create()));
+    }
+
+    @Test
+    public void isLocalMachine() throws URISyntaxException, UnknownHostException {
+        Assert.assertTrue(SecurityUtils.isValidOrigin(
+                "http://" + java.net.InetAddress.getLocalHost().getHostName(),
+                ZeppelinConfiguration.create()));
+    }
+
+    @Test
+    public void isValidFromConfig() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertTrue(
+                SecurityUtils.isValidOrigin("http://otherhost.com",
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+    }
+
+    @Test
+    public void isValidFromStar() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertTrue(
+                SecurityUtils.isValidOrigin("http://anyhost.com",
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site-star.xml"))));
+    }
+
+    @Test
+    public void nullOrigin() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertFalse(
+                SecurityUtils.isValidOrigin(null,
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+    }
+
+    @Test
+    public void emptyOrigin() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertFalse(
+                SecurityUtils.isValidOrigin("",
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+    }
+
+    @Test
+    public void notAURIOrigin() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertFalse(
+                SecurityUtils.isValidOrigin("test123",
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+    }
+}

zeppelin-server/src/test/java/org/apache/zeppelin/server/CorsFilterTests.java → zeppelin-server/src/test/java/org/apache/zeppelin/server/CorsFilterTest.java

@@ -40,7 +40,7 @@
  * @author joelz
  *
  */
-public class CorsFilterTests {
+public class CorsFilterTest {
 
     public static String[] headers = new String[8];
     public static Integer count = 0;
@@ -54,7 +54,7 @@ public void ValidCorsFilterTest() throws IOException, ServletException {
         when(mockRequest.getHeader("Origin")).thenReturn("http://localhost:8080");
         when(mockRequest.getMethod()).thenReturn("Empty");
         when(mockRequest.getServerName()).thenReturn("localhost");
-
+        count = 0;
 
         doAnswer(new Answer() {
             @Override
@@ -79,7 +79,6 @@ public void InvalidCorsFilterTest() throws IOException, ServletException {
         when(mockRequest.getMethod()).thenReturn("Empty");
         when(mockRequest.getServerName()).thenReturn("evillocalhost");
 
-
         doAnswer(new Answer() {
             @Override
             public Object answer(InvocationOnMock invocationOnMock) throws Throwable {

zeppelin-server/src/test/java/org/apache/zeppelin/socket/NotebookServerTests.java → zeppelin-server/src/test/java/org/apache/zeppelin/socket/NotebookServerTest.java

@@ -22,6 +22,10 @@
 import org.junit.Assert;
 import org.junit.Test;
 
+import java.io.IOException;
+import org.junit.Assert;
+import org.junit.Test;
+
 import java.net.UnknownHostException;
 
 /**
@@ -31,7 +35,7 @@
  * @author joelz
  *
  */
-    public class NotebookServerTests {
+    public class NotebookServerTest {
 
     @Test
     public void CheckOrigin() throws UnknownHostException {
@@ -45,6 +49,4 @@ public void CheckInvalidOrigin(){
         NotebookServer server = new NotebookServer();
         Assert.assertFalse(server.checkOrigin(new TestHttpServletRequest(), "http://evillocalhost:8080"));
     }
-
-
-}
+}