config option to support ambiguous uris in jetty servlets (#2787)

Signed-off-by: Henry Avetisyan <[email protected]>
AthenZ · Oct 29, 2024 · adc523a · adc523a
1 parent 9773882
commit adc523a
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 6 deletions.
diff --git a/containers/jetty/conf/athenz.properties b/containers/jetty/conf/athenz.properties
@@ -178,7 +178,7 @@ athenz.jetty_home=/home/athenz
 # Enable graceful shutdown in the Jetty
 #athenz.graceful_shutdown=false
 
-# How long to wait for the Jetty server to shutdown, in milliseconds
+# How long to wait for the Jetty server to shut down, in milliseconds
 # If the athenz.graceful_shutdown is not true, this setting is invalid.
 #athenz.graceful_shutdown_timeout=30000
 
@@ -201,3 +201,11 @@ athenz.jetty_home=/home/athenz
 # configuration provider, then the athenz.config.source_paths property
 # must be set to aws-param-store://zts
 #athenz.config.source_paths=
+
+# Boolean flag to indicate whether the server should support ambiguous URIs
+# in the request. If this flag is set to true, then the server will set
+# uri compliance option to UriCompliance.LEGACY in the Jetty http configuration
+# object and set the setDecodeAmbiguousURIs to true in the servlet handler object.
+# In Athenz this is required to support AWS temporary credentials request when
+# the role name contains the / character.
+#athenz.decode_ambiguous_uris=true
diff --git a/containers/jetty/pom.xml b/containers/jetty/pom.xml
@@ -27,7 +27,7 @@
   <packaging>jar</packaging>
 
   <properties>
-    <code.coverage.min>0.8991</code.coverage.min>
+    <code.coverage.min>0.9055</code.coverage.min>
   </properties>
 
   <dependencies>

diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzConsts.java
@@ -65,6 +65,7 @@ public final class AthenzConsts {
     public static final String ATHENZ_PROP_HEALTH_CHECK_URI_LIST  = "athenz.health_check_uri_list";
     public static final String ATHENZ_PROP_HEALTH_CHECK_PATH      = "athenz.health_check_path";
     public static final String ATHENZ_PROP_LOG_FORWARDED_FOR_ADDR = "athenz.log_forwarded_for_addr";
+    public static final String ATHENZ_PROP_DECODE_AMBIGUOUS_URIS  = "athenz.decode_ambiguous_uris";
 
     public static final String ATHENZ_PROP_RATE_LIMIT_FACTORY_CLASS        = "athenz.ratelimit_factory_class";
     public static final String ATHENZ_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS = "athenz.private_keystore_factory_class";

diff --git a/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java b/containers/jetty/src/main/java/com/yahoo/athenz/container/AthenzJettyContainer.java
@@ -31,10 +31,12 @@
 import org.eclipse.jetty.deploy.DeploymentManager;
 import org.eclipse.jetty.deploy.providers.ContextProvider;
 import org.eclipse.jetty.ee10.servlet.FilterHolder;
+import org.eclipse.jetty.ee10.servlet.ServletHandler;
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.http.HttpHeaderValue;
 import org.eclipse.jetty.ee10.webapp.WebAppContext;
 import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.http.UriCompliance;
 import org.eclipse.jetty.rewrite.handler.HeaderPatternRule;
 import org.eclipse.jetty.rewrite.handler.RewriteHandler;
 import org.eclipse.jetty.server.*;
@@ -70,10 +72,19 @@ public class AthenzJettyContainer {
     private String banner = null;
     private Handler.Sequence handlers = null;
     private PrivateKeyStore privateKeyStore;
+    private final boolean decodeAmbiguousUris;
     private final AthenzConnectionListener connectionListener = new AthenzConnectionListener();
     private final JettyConnectionLoggerFactory jettyConnectionLoggerFactory = new JettyConnectionLoggerFactory();
 
     public AthenzJettyContainer() {
+
+        // check to see if we want to support ambiguous uris
+
+        decodeAmbiguousUris = Boolean.parseBoolean(
+                System.getProperty(AthenzConsts.ATHENZ_PROP_DECODE_AMBIGUOUS_URIS, "true"));
+
+        // load our service private key store
+
         loadServicePrivateKey();
     }
 
@@ -499,6 +510,9 @@ HttpConfiguration getHttpsConfig(HttpConfiguration httpConfig, int httpsPort, bo
         httpsConfig.setSecureScheme("https");
         httpsConfig.setSecurePort(httpsPort);
         httpsConfig.addCustomizer(new SecureRequestCustomizer(sniRequired, sniHostCheck, -1L, false));
+        if (decodeAmbiguousUris) {
+            httpsConfig.setUriCompliance(UriCompliance.LEGACY);
+        }
         return httpsConfig;
     }
 
@@ -646,6 +660,12 @@ public void run() {
             server.setDumpAfterStart(true);
 
             server.start();
+
+            // we're going to set the decodeAmbiguousURIs flag for all our servlet
+            // handlers if the decodeAmbiguousUris flag is set to true.
+
+            server.getContainedBeans(ServletHandler.class).forEach(handler -> handler.setDecodeAmbiguousURIs(decodeAmbiguousUris));
+
             System.out.println("Jetty server running at " + banner);
             server.join();
         } catch (Exception e) {

diff --git a/containers/jetty/src/test/java/com/yahoo/athenz/container/AthenzJettyContainerTest.java b/containers/jetty/src/test/java/com/yahoo/athenz/container/AthenzJettyContainerTest.java
@@ -776,6 +776,19 @@ public void testHttpResponseHeadersInvalidJson() {
         System.clearProperty(AthenzConsts.ATHENZ_PROP_RESPONSE_HEADERS_JSON);
     }
 
+    @Test
+    public void testContainerRunMaxThreadsFailure() {
+        AthenzJettyContainer container = new AthenzJettyContainer();
+        container.createServer(1);
+
+        try {
+            container.run();
+            fail();
+        } catch (Exception ex) {
+            assertTrue(ex.getMessage().contains("Insufficient configured threads"));
+        }
+    }
+
     @Test
     public void testInitConfigManager() {
         System.setProperty(AthenzConsts.ATHENZ_PROP_CONFIG_SOURCE_PATHS, "prop-file://./src/test/resources/athenz.properties");

diff --git a/pom.xml b/pom.xml
@@ -72,10 +72,10 @@
 
   <properties>
     <angus.mail.version>2.0.3</angus.mail.version>
-    <apache.httpclient.version>5.4</apache.httpclient.version>
+    <apache.httpclient.version>5.4.1</apache.httpclient.version>
     <apache.httpclient4.version>4.5.14</apache.httpclient4.version>
     <aws.version>1.12.777</aws.version>
-    <aws2.version>2.29.1</aws2.version>
+    <aws2.version>2.29.2</aws2.version>
     <aws.dynamodb.local.version>2.5.2</aws.dynamodb.local.version>
     <aws.secretmanager.version>2.0.2</aws.secretmanager.version>
     <bouncycastle.version>1.78.1</bouncycastle.version>
@@ -91,8 +91,8 @@
     <guava.version>33.3.1-jre</guava.version>
     <hamcrest.version>3.0</hamcrest.version>
     <hamcrest.json.version>0.3</hamcrest.json.version>
-    <jackson-core.version>2.18.0</jackson-core.version>
-    <jackson-databind.version>2.18.0</jackson-databind.version>
+    <jackson-core.version>2.18.1</jackson-core.version>
+    <jackson-databind.version>2.18.1</jackson-databind.version>
     <jakarta.activation.version>2.1.3</jakarta.activation.version>
     <jakarta.annotation.version>2.1.1</jakarta.annotation.version>
     <jakarta.mail.version>2.1.3</jakarta.mail.version>