[BACKLOG-31895] CSFR - /data-access/api/connection/add (#128)

* [BACKLOG-31895] Adding platform-extensions dependency and minor cleanup to pom * [BACKLOG-31895] Passing csrf token to 'data-access/api/connection/add'
pentaho · Nov 11, 2019 · 8f34431 · 8f34431
1 parent 2003b36
commit 8f34431
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 34 deletions.
diff --git a/pom.xml b/pom.xml
@@ -7,59 +7,62 @@
     <artifactId>pentaho-ce-jar-parent-pom</artifactId>
     <version>9.0.0.0-SNAPSHOT</version>
   </parent>
+
   <groupId>pentaho</groupId>
   <artifactId>data-refinery-pdi-plugin</artifactId>
   <version>9.0.0.0-SNAPSHOT</version>
   <packaging>bundle</packaging>
+
   <name>Pentaho Community Edition Project: ${project.artifactId}</name>
-  <description>Provides PDI job enteries for building and publishing analytic data models.
+  <description>
+    Provides PDI job enteries for building and publishing analytic data models.
     Job steps include Build Model and Publish Model.
-    Transformation steps include  Annotate Stream and Shared Dimension.</description>
+    Transformation steps include  Annotate Stream and Shared Dimension.
+  </description>
+
   <url>http://www.pentaho.com</url>
   <scm>
     <connection>scm:git:[email protected]:pentaho/${project.artifactId}.git</connection>
     <developerConnection>scm:git:[email protected]:pentaho/${project.artifactId}.git</developerConnection>
     <url>scm:git:[email protected]:pentaho/${project.artifactId}.git</url>
   </scm>
+
   <properties>
     <pdi-dataservice-plugin.version>9.0.0.0-SNAPSHOT</pdi-dataservice-plugin.version>
+    <pentaho-metadata.version>9.0.0.0-SNAPSHOT</pentaho-metadata.version>
+    <pentaho-modeler.version>9.0.0.0-SNAPSHOT</pentaho-modeler.version>
+    <pentaho-osgi-bundles.version>9.0.0.0-SNAPSHOT</pentaho-osgi-bundles.version>
+    <pentaho-data-access.version>9.0.0.0-SNAPSHOT</pentaho-data-access.version>
+    <commons-xul.version>9.0.0.0-SNAPSHOT</commons-xul.version>
+    <pdi.version>9.0.0.0-SNAPSHOT</pdi.version>
+    <platform.version>9.0.0.0-SNAPSHOT</platform.version>
+
+    <dependency.jersey.revision>1.19.1</dependency.jersey.revision>
     <dependency.jersey-apache-client.revision>1.19.1</dependency.jersey-apache-client.revision>
     <dependency.apache-xmlgraphics.revision>1.8</dependency.apache-xmlgraphics.revision>
-    <pentaho-metadata.version>9.0.0.0-SNAPSHOT</pentaho-metadata.version>
     <dependency.commons.collections.revision>3.2.2</dependency.commons.collections.revision>
     <dependency.jaxrs.revision>1.1.1</dependency.jaxrs.revision>
     <maven-bundle-plugin.version>2.4.0</maven-bundle-plugin.version>
     <dependency.junit.revision>4.7</dependency.junit.revision>
-    <pentaho-modeler.version>9.0.0.0-SNAPSHOT</pentaho-modeler.version>
     <dependency.mockito.revision>1.8.4</dependency.mockito.revision>
-    <pentaho-osgi-bundles.version>9.0.0.0-SNAPSHOT</pentaho-osgi-bundles.version>
     <dependency.commons.io.revision>1.4</dependency.commons.io.revision>
-    <dependency.jersey.revision>1.19.1</dependency.jersey.revision>
-    <pentaho-data-access.version>9.0.0.0-SNAPSHOT</pentaho-data-access.version>
-    <commons-xul.version>9.0.0.0-SNAPSHOT</commons-xul.version>
-    <pdi.version>9.0.0.0-SNAPSHOT</pdi.version>
-    <platform.version>9.0.0.0-SNAPSHOT</platform.version>
     <dependency.commons.lang.revision>2.6</dependency.commons.lang.revision>
     <dependency.h2.revision>1.0.78</dependency.h2.revision>
   </properties>
+
   <dependencies>
     <dependency>
       <groupId>pentaho</groupId>
       <artifactId>pdi-dataservice-server-plugin</artifactId>
       <version>${pdi-dataservice-plugin.version}</version>
       <scope>provided</scope>
     </dependency>
-    <dependency>
-      <groupId>pentaho</groupId>
-      <artifactId>pentaho-cache-manager-api</artifactId>
-      <version>${pentaho-osgi-bundles.version}</version>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>pentaho</groupId>
       <artifactId>pdi-dataservice-client-plugin</artifactId>
       <version>${pdi-dataservice-plugin.version}</version>
     </dependency>
+
     <dependency>
       <groupId>pentaho-kettle</groupId>
       <artifactId>kettle-core</artifactId>
@@ -81,6 +84,7 @@
       <artifactId>kettle-ui-swt</artifactId>
       <version>${pdi.version}</version>
     </dependency>
+
     <dependency>
       <groupId>org.pentaho</groupId>
       <artifactId>commons-xul-core</artifactId>
@@ -96,6 +100,18 @@
       <artifactId>pentaho-platform-core</artifactId>
       <version>${platform.version}</version>
     </dependency>
+    <dependency>
+      <groupId>pentaho</groupId>
+      <artifactId>pentaho-platform-extensions</artifactId>
+      <version>${platform.version}</version>
+      <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>*</groupId>
+        </exclusion>
+      </exclusions>
+    </dependency>
     <dependency>
       <groupId>org.pentaho</groupId>
       <artifactId>pentaho-metadata</artifactId>
@@ -122,6 +138,7 @@
         </exclusion>
       </exclusions>
     </dependency>
+
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
@@ -143,6 +160,7 @@
         </exclusion>
       </exclusions>
     </dependency>
+
     <dependency>
       <groupId>com.sun.jersey.contribs</groupId>
       <artifactId>jersey-multipart</artifactId>
@@ -180,6 +198,7 @@
       <artifactId>jersey-client</artifactId>
       <version>${dependency.jersey.revision}</version>
     </dependency>
+
     <dependency>
       <groupId>javax.ws.rs</groupId>
       <artifactId>jsr311-api</artifactId>
@@ -207,6 +226,21 @@
       <version>3.3.0-I20070605-0010</version>
       <scope>compile</scope>
     </dependency>
+
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>4.5.3</version>
+    </dependency>
+
+    <!-- Test Dependencies -->
+
+    <dependency>
+      <groupId>pentaho</groupId>
+      <artifactId>pentaho-cache-manager-api</artifactId>
+      <version>${pentaho-osgi-bundles.version}</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-all</artifactId>
@@ -249,18 +283,14 @@
       <artifactId>xercesImpl</artifactId>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.apache.httpcomponents</groupId>
-      <artifactId>httpclient</artifactId>
-      <version>4.5.3</version>
-    </dependency>
     <dependency>
       <groupId>org.pentaho.di.plugins</groupId>
       <artifactId>meta-inject-plugin</artifactId>
       <version>${pdi.version}</version>
       <scope>test</scope>
     </dependency>
   </dependencies>
+
   <build>
     <plugins>
       <plugin>
@@ -290,7 +320,6 @@
     </plugins>
   </build>
 
-
   <repositories>
     <repository>
       <id>pentaho-public</id>

diff --git a/src/main/java/org/pentaho/di/core/refinery/publish/agilebi/ModelServerPublish.java b/src/main/java/org/pentaho/di/core/refinery/publish/agilebi/ModelServerPublish.java
@@ -2,7 +2,7 @@
  *
  * Pentaho Community Edition Project: data-refinery-pdi-plugin
  *
- * Copyright (C) 2002-2017 by Hitachi Vantara : http://www.pentaho.com
+ * Copyright (C) 2002 - 2019 by Hitachi Vantara : http://www.pentaho.com
  *
  * *******************************************************************************
  *
@@ -19,11 +19,10 @@
  * limitations under the License.
  *
  ********************************************************************************/
-
-
 package org.pentaho.di.core.refinery.publish.agilebi;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.sun.jersey.api.client.Client;
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.WebResource;
 import com.sun.jersey.api.client.WebResource.Builder;
@@ -40,7 +39,10 @@
 import org.pentaho.di.core.refinery.publish.model.DataSourceAclModel;
 import org.pentaho.di.core.refinery.publish.util.JAXBUtils;
 import org.pentaho.di.job.entries.publish.exception.DuplicateDataSourceException;
+import org.pentaho.platform.web.http.security.CsrfToken;
+import org.pentaho.platform.web.http.security.CsrfUtil;
 
+import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.MediaType;
 
 import java.io.InputStream;
@@ -109,22 +111,31 @@ public boolean publishDataSource( boolean update, String connectionId ) throws K
    * @return
    */
   protected boolean updateConnection( DatabaseConnection connection, boolean update ) throws KettleException {
-    String storeDomainUrl;
     try {
-      if ( update ) {
-        storeDomainUrl = biServerConnection.getUrl() + PLUGIN_DATA_ACCESS_API_CONNECTION_UPDATE;
-      } else {
-        storeDomainUrl = biServerConnection.getUrl() + PLUGIN_DATA_ACCESS_API_CONNECTION_ADD;
-      }
-      WebResource resource = getClient().resource( storeDomainUrl );
+      final Client client = getClient();
+
+      final String contextUrl = biServerConnection.getUrl();
+      final  String storeDomainUrl = contextUrl + ( update
+        ? PLUGIN_DATA_ACCESS_API_CONNECTION_UPDATE : PLUGIN_DATA_ACCESS_API_CONNECTION_ADD );
+
+      WebResource resource = client.resource( storeDomainUrl );
       Builder builder = resource
-          .type( MediaType.APPLICATION_JSON )
-          .entity( connection );
+        .type( MediaType.APPLICATION_JSON )
+        .entity( connection );
+
+      final CsrfToken csrfToken = getCsrfToken( client, contextUrl, storeDomainUrl );
+      if ( csrfToken != null ) {
+        builder.header( csrfToken.getHeader(), csrfToken.getToken() );
+
+        csrfToken.getCookies().forEach( cookie -> builder.cookie( Cookie.valueOf( cookie ) ) );
+      }
 
       ClientResponse resp = httpPost( builder );
+
       if ( resp == null ) {
         return false;
       }
+
       if ( resp.getStatus() == 409 ) {
         throw new DuplicateDataSourceException();
       } else if ( resp.getStatus() != 200 ) {
@@ -133,6 +144,7 @@ protected boolean updateConnection( DatabaseConnection connection, boolean updat
     } catch ( Exception ex ) {
       throw new KettleException( ex );
     }
+
     return true;
   }
 
@@ -378,4 +390,9 @@ String constructAbsoluteUrl( String connectionName ) {
     String url = biServerConnection.getUrl() + DATA_ACCESS_API_CONNECTION_GET + REST_NAME_PARM + connectionName;
     return url.replace( " ", "%20" );
   }
+
+  @VisibleForTesting
+  CsrfToken getCsrfToken( Client client, String contextUrl, String storeDomainUrl ) {
+    return CsrfUtil.getCsrfToken( client, contextUrl.replaceAll( "^(.+)/$", "$1" ), storeDomainUrl );
+  }
 }
diff --git a/src/test/java/org/pentaho/di/core/refinery/publish/agilebi/ModelServerPublishTest.java b/src/test/java/org/pentaho/di/core/refinery/publish/agilebi/ModelServerPublishTest.java
@@ -288,6 +288,7 @@ public void testHttpPost() throws Exception {
   public void testUpdateConnection() throws Exception {
 
     doCallRealMethod().when( modelServerPublishSpy ).getClient();
+    doReturn( null ).when( modelServerPublishSpy ).getCsrfToken( any(), any(), any() );
 
     // check null response
     doReturn( null ).when( modelServerPublishSpy ).httpPost( any( WebResource.Builder.class ) );