[JENKINS-39402] Cap the number of group headers printed by AccessDeniedException2 #2727
Conversation
…ssDeniedException2.
| r.createWebClient().login("user").goTo("confgure"); | ||
| fail("should not have been allowed to access anything"); | ||
| } catch (FailingHttpStatusCodeException x) { | ||
| assertEquals(HttpURLConnection.HTTP_FORBIDDEN, x.getStatusCode()); |
There was a problem hiding this comment.
Without fix, fails here with a 500 from Jetty as reported in the field.
| } | ||
| assertThat("capped at a reasonable number", reportedGroups, Matchers.<List<String>>allOf( | ||
| Matchers.<String>hasSize(11), // 10 groups plus final warning | ||
| Matchers.<String>hasItem("<991 more>"))); // 1000 + SecurityRealm.AUTHENTICATED_AUTHORITY.getAuthority() - 10 |
| @@ -12,6 +12,9 @@ | |||
| * @author Kohsuke Kawaguchi | |||
| */ | |||
| public class AccessDeniedException2 extends AccessDeniedException { | |||
|
|
|||
| private static final int MAX_REPORTED_AUTHORITIES = 10; | |||
There was a problem hiding this comment.
Seems to be too low to be useful, especially given crazy behaviors such as https://github.com/jenkinsci/ldap-plugin/blob/4ced65b080ff3eb81ad23916ccb6133077b80185/src/main/java/hudson/security/LDAPSecurityRealm.java#L1039
There was a problem hiding this comment.
tbh I'm not sure reporting this is ever useful, given the whoAmI url
|
🐝 |
I think this is more a place to start diagnosis. You can always go to |
|
Should this not rather count both headers and individual authority name length as well? I.e. cap individual names at ~50 chars long or something? |
There was a problem hiding this comment.
I agree with @daniel-beck that the limit seems to be too small. In order to avoid negative, the limit should be modifiable via SystemProperties at least
|
These suggestions are more effort than they are worth. I would rather just delete the functionality altogether. |
| @@ -38,8 +41,14 @@ public AccessDeniedException2(Throwable t, Authentication authentication, Permis | |||
| */ | |||
| public void reportAsHeaders(HttpServletResponse rsp) { | |||
| rsp.addHeader("X-You-Are-Authenticated-As",authentication.getName()); | |||
| for (GrantedAuthority auth : authentication.getAuthorities()) { | |||
| rsp.addHeader("X-You-Are-In-Group",auth.getAuthority()); | |||
| GrantedAuthority[] authorities = authentication.getAuthorities(); | |||
There was a problem hiding this comment.
do we even need to report this given there is a whoAmI which reports this in a much nicer way (and most users won't check the headers, and most scripts can't take any action)
I do not see a use for this funcationality given there is a |
… omitting them altogether by default. Test still reproduces the original issue when flag is set on: … org.eclipse.jetty.server.HttpChannel$CommitCallback failed WARNING: Commit failed java.io.IOException: Response header too large at org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:402) at org.eclipse.jetty.server.HttpConnection$SendCallback.process(HttpConnection.java:655) at … at hudson.security.AccessDeniedHandlerImpl.handle(AccessDeniedHandlerImpl.java:57) at … Caused by: java.nio.BufferOverflowException at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:189) at java.nio.ByteBuffer.put(ByteBuffer.java:859) at org.eclipse.jetty.http.HttpGenerator.putTo(HttpGenerator.java:1087) at org.eclipse.jetty.http.HttpGenerator.generateHeaders(HttpGenerator.java:705) at org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:387) ... 66 more java.lang.AssertionError: expected:<403> but was:<500> at org.junit.Assert.fail(Assert.java:88) at org.junit.Assert.failNotEquals(Assert.java:834) at org.junit.Assert.assertEquals(Assert.java:645) at org.junit.Assert.assertEquals(Assert.java:631) at hudson.security.AccessDeniedException2Test.youAreInGroupHeaders(AccessDeniedException2Test.java:56)
|
I would rather like to see a test demonstrating the correct behavior in both modes than just removal of the test logic for the disabled logic |
If it is disabled by default, who cares? There was no test before and patch merely conditionally runs the original code. The test logic in the initial version of the patch was to verify that the more complicated capping logic worked. |
| @@ -38,8 +43,10 @@ public AccessDeniedException2(Throwable t, Authentication authentication, Permis | |||
| */ | |||
| public void reportAsHeaders(HttpServletResponse rsp) { | |||
| rsp.addHeader("X-You-Are-Authenticated-As",authentication.getName()); | |||
| for (GrantedAuthority auth : authentication.getAuthorities()) { | |||
| rsp.addHeader("X-You-Are-In-Group",auth.getAuthority()); | |||
| if (REPORT_GROUP_HEADERS) { | |||
There was a problem hiding this comment.
If false, I would rather return a message like "Disabled due to JENKINS-39402; use /whoAmI to diagnose groups. Or set the XXX system property to true" within the Header value
jglick
added
the
ready-for-merge
JENKINS-39402
@reviewbybees