Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HBASE-26789 Automatically add default security headers to http/rest if SSL enabled #4128

Merged
merged 1 commit into from
Mar 2, 2022
Merged

HBASE-26789 Automatically add default security headers to http/rest if SSL enabled #4128

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -626,9 +626,11 @@ private void initializeWebServer(String name, String hostName,
ClickjackingPreventionFilter.class.getName(),
ClickjackingPreventionFilter.getDefaultParameters(conf));

HttpConfig httpConfig = new HttpConfig(conf);

addGlobalFilter("securityheaders",
SecurityHeadersFilter.class.getName(),
SecurityHeadersFilter.getDefaultParameters(conf));
SecurityHeadersFilter.getDefaultParameters(conf, httpConfig.isSecure()));

// But security needs to be enabled prior to adding the other servlets
if (authenticationEnabled) {
Expand Down
12 changes: 5 additions & 7 deletions hbase-http/src/main/java/org/apache/hadoop/hbase/http/SecurityHeadersFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,8 @@
public class SecurityHeadersFilter implements Filter {
private static final Logger LOG =
LoggerFactory.getLogger(SecurityHeadersFilter.class);
private static final String DEFAULT_HSTS = "";
private static final String DEFAULT_CSP = "";
private static final String DEFAULT_HSTS = "max-age=63072000;includeSubDomains;preload";
private static final String DEFAULT_CSP = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
private FilterConfig filterConfig;

@Override
Expand Down Expand Up @@ -70,12 +70,10 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
public void destroy() {
}

public static Map<String, String> getDefaultParameters(Configuration conf) {
public static Map<String, String> getDefaultParameters(Configuration conf, boolean isSecure) {
Map<String, String> params = new HashMap<>();
params.put("hsts", conf.get("hbase.http.filter.hsts.value",
DEFAULT_HSTS));
params.put("csp", conf.get("hbase.http.filter.csp.value",
DEFAULT_CSP));
params.put("hsts", conf.get("hbase.http.filter.hsts.value", isSecure ? DEFAULT_HSTS : ""));
params.put("csp", conf.get("hbase.http.filter.csp.value", isSecure ? DEFAULT_CSP : ""));
return params;
}
}
14 changes: 14 additions & 0 deletions hbase-http/src/test/java/org/apache/hadoop/hbase/http/TestSSLHttpServer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,11 @@

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import javax.net.ssl.HttpsURLConnection;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileUtil;
Expand Down Expand Up @@ -73,6 +75,7 @@ public static void setup() throws Exception {
serverConf = HTU.getConfiguration();

serverConf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);
serverConf.setBoolean(ServerConfigurationKeys.HBASE_SSL_ENABLED_KEY, true);

keystoresDir = new File(HTU.getDataTestDir("keystore").toString());
keystoresDir.mkdirs();
Expand Down Expand Up @@ -122,6 +125,17 @@ public void testEcho() throws Exception {
"/echo?a=b&c<=d&e=>")));
}

@Test
public void testSecurityHeaders() throws IOException, GeneralSecurityException {
HttpsURLConnection conn = (HttpsURLConnection) baseUrl.openConnection();
conn.setSSLSocketFactory(clientSslFactory.createSSLSocketFactory());
assertEquals(HttpsURLConnection.HTTP_OK, conn.getResponseCode());
assertEquals("max-age=63072000;includeSubDomains;preload",
conn.getHeaderField("Strict-Transport-Security"));
assertEquals("default-src https: data: 'unsafe-inline' 'unsafe-eval'",
conn.getHeaderField("Content-Security-Policy"));
}

private static String readOut(URL url) throws Exception {
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(clientSslFactory.createSSLSocketFactory());
Expand Down
9 changes: 6 additions & 3 deletions hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,11 +147,12 @@ private void addClickjackingPreventionFilter(ServletContextHandler ctxHandler,
ctxHandler.addFilter(holder, PATH_SPEC_ANY, EnumSet.allOf(DispatcherType.class));
}

private void addSecurityHeadersFilter(ServletContextHandler ctxHandler, Configuration conf) {
private void addSecurityHeadersFilter(ServletContextHandler ctxHandler,
Configuration conf, boolean isSecure) {
FilterHolder holder = new FilterHolder();
holder.setName("securityheaders");
holder.setClassName(SecurityHeadersFilter.class.getName());
holder.setInitParameters(SecurityHeadersFilter.getDefaultParameters(conf));
holder.setInitParameters(SecurityHeadersFilter.getDefaultParameters(conf, isSecure));
ctxHandler.addFilter(holder, PATH_SPEC_ANY, EnumSet.allOf(DispatcherType.class));
}

Expand Down Expand Up @@ -301,7 +302,9 @@ public synchronized void run() throws Exception {
httpConfig.setSendDateHeader(false);

ServerConnector serverConnector;
boolean isSecure = false;
if (conf.getBoolean(REST_SSL_ENABLED, false)) {
isSecure = true;
HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
httpsConfig.addCustomizer(new SecureRequestCustomizer());

Expand Down Expand Up @@ -389,7 +392,7 @@ public synchronized void run() throws Exception {
}
addCSRFFilter(ctxHandler, conf);
addClickjackingPreventionFilter(ctxHandler, conf);
addSecurityHeadersFilter(ctxHandler, conf);
addSecurityHeadersFilter(ctxHandler, conf, isSecure);
HttpServerUtil.constrainHttpMethods(ctxHandler, servlet.getConfiguration()
.getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));

Expand Down
8 changes: 6 additions & 2 deletions hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/TestRESTServerSSL.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,6 @@
package org.apache.hadoop.hbase.rest;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import java.io.File;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
Expand Down Expand Up @@ -107,6 +105,12 @@ public void testSslConnection() throws Exception {

Response response = sslClient.get("/version", Constants.MIMETYPE_TEXT);
assertEquals(200, response.getCode());

// Default security headers
assertEquals("max-age=63072000;includeSubDomains;preload",
response.getHeader("Strict-Transport-Security"));
assertEquals("default-src https: data: 'unsafe-inline' 'unsafe-eval'",
response.getHeader("Content-Security-Policy"));
}

@Test(expected = org.apache.http.client.ClientProtocolException.class)
Expand Down