Line 0
|
|
|
1 |
/* |
2 |
* Licensed to the Apache Software Foundation (ASF) under one or more |
3 |
* contributor license agreements. See the NOTICE file distributed with |
4 |
* this work for additional information regarding copyright ownership. |
5 |
* The ASF licenses this file to You under the Apache License, Version 2.0 |
6 |
* (the "License"); you may not use this file except in compliance with |
7 |
* the License. You may obtain a copy of the License at |
8 |
* |
9 |
* http://www.apache.org/licenses/LICENSE-2.0 |
10 |
* |
11 |
* Unless required by applicable law or agreed to in writing, software |
12 |
* distributed under the License is distributed on an "AS IS" BASIS, |
13 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 |
* See the License for the specific language governing permissions and |
15 |
* limitations under the License. |
16 |
*/ |
17 |
|
18 |
package org.apache.catalina.connector; |
19 |
|
20 |
import static org.junit.Assert.*; |
21 |
|
22 |
import java.io.IOException; |
23 |
import java.util.ArrayList; |
24 |
import java.util.Arrays; |
25 |
import java.util.List; |
26 |
|
27 |
import javax.servlet.ServletException; |
28 |
|
29 |
import org.apache.catalina.valves.ValveBase; |
30 |
import org.junit.Test; |
31 |
|
32 |
/** |
33 |
* {@link RemoteIpValve} Tests |
34 |
*/ |
35 |
public class RemoteIpValveTest { |
36 |
|
37 |
static class RemoteAddrAndHostTrackerValve extends ValveBase { |
38 |
private String remoteAddr; |
39 |
private String remoteHost; |
40 |
|
41 |
public String getRemoteAddr() { |
42 |
return remoteAddr; |
43 |
} |
44 |
|
45 |
public String getRemoteHost() { |
46 |
return remoteHost; |
47 |
} |
48 |
|
49 |
@Override |
50 |
public void invoke(Request request, Response response) throws IOException, ServletException { |
51 |
this.remoteHost = request.getRemoteHost(); |
52 |
this.remoteAddr = request.getRemoteAddr(); |
53 |
} |
54 |
} |
55 |
|
56 |
@Test |
57 |
public void testCommaDelimitedListToStringArray() { |
58 |
List<String> elements = Arrays.asList("element1", "element2", "element3"); |
59 |
String actual = RemoteIpValve.listToCommaDelimitedString(elements); |
60 |
assertEquals("element1, element2, element3", actual); |
61 |
} |
62 |
|
63 |
@Test |
64 |
public void testCommaDelimitedListToStringArrayEmptyList() { |
65 |
List<String> elements = new ArrayList<String>(); |
66 |
String actual = RemoteIpValve.listToCommaDelimitedString(elements); |
67 |
assertEquals("", actual); |
68 |
} |
69 |
|
70 |
@Test |
71 |
public void testCommaDelimitedListToStringArrayNullList() { |
72 |
String actual = RemoteIpValve.listToCommaDelimitedString(null); |
73 |
assertEquals("", actual); |
74 |
} |
75 |
|
76 |
@Test |
77 |
public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception { |
78 |
// PREPARE |
79 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
80 |
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); |
81 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
82 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
83 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
84 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
85 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
86 |
|
87 |
Request request = new Request(); |
88 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
89 |
request.remoteAddr = "192.168.0.10"; |
90 |
request.remoteHost = "remote-host-original-value"; |
91 |
|
92 |
// TEST |
93 |
remoteIpValve.invoke(request, null); |
94 |
|
95 |
// VERIFY |
96 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
97 |
assertNull("x-forwarded-for must be null", actualXForwardedFor); |
98 |
|
99 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
100 |
assertNull("x-forwarded-by must be null", actualXForwardedBy); |
101 |
|
102 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
103 |
assertEquals("remoteAddr", "192.168.0.10", actualRemoteAddr); |
104 |
|
105 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
106 |
assertEquals("remoteHost", "remote-host-original-value", actualRemoteHost); |
107 |
|
108 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
109 |
assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); |
110 |
|
111 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
112 |
assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); |
113 |
|
114 |
} |
115 |
|
116 |
@Test |
117 |
public void testInvokeAllProxiesAreTrusted() throws Exception { |
118 |
|
119 |
// PREPARE |
120 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
121 |
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); |
122 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
123 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
124 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
125 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
126 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
127 |
|
128 |
Request request = new Request(); |
129 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
130 |
request.remoteAddr = "192.168.0.10"; |
131 |
request.remoteHost = "remote-host-original-value"; |
132 |
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); |
133 |
|
134 |
// TEST |
135 |
remoteIpValve.invoke(request, null); |
136 |
|
137 |
// VERIFY |
138 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
139 |
assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); |
140 |
|
141 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
142 |
assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); |
143 |
|
144 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
145 |
assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); |
146 |
|
147 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
148 |
assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); |
149 |
|
150 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
151 |
assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); |
152 |
|
153 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
154 |
assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); |
155 |
} |
156 |
|
157 |
@Test |
158 |
public void testInvokeAllProxiesAreTrustedOrInternal() throws Exception { |
159 |
|
160 |
// PREPARE |
161 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
162 |
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); |
163 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
164 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
165 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
166 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
167 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
168 |
|
169 |
Request request = new Request(); |
170 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
171 |
request.remoteAddr = "192.168.0.10"; |
172 |
request.remoteHost = "remote-host-original-value"; |
173 |
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for") |
174 |
.setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11"); |
175 |
|
176 |
// TEST |
177 |
remoteIpValve.invoke(request, null); |
178 |
|
179 |
// VERIFY |
180 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
181 |
assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); |
182 |
|
183 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
184 |
assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); |
185 |
|
186 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
187 |
assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); |
188 |
|
189 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
190 |
assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); |
191 |
|
192 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
193 |
assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); |
194 |
|
195 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
196 |
assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); |
197 |
} |
198 |
|
199 |
@Test |
200 |
public void testInvokeAllProxiesAreInternal() throws Exception { |
201 |
|
202 |
// PREPARE |
203 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
204 |
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); |
205 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
206 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
207 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
208 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
209 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
210 |
|
211 |
Request request = new Request(); |
212 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
213 |
request.remoteAddr = "192.168.0.10"; |
214 |
request.remoteHost = "remote-host-original-value"; |
215 |
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, 192.168.0.10, 192.168.0.11"); |
216 |
|
217 |
// TEST |
218 |
remoteIpValve.invoke(request, null); |
219 |
|
220 |
// VERIFY |
221 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
222 |
assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor); |
223 |
|
224 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
225 |
assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy); |
226 |
|
227 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
228 |
assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); |
229 |
|
230 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
231 |
assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); |
232 |
|
233 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
234 |
assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); |
235 |
|
236 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
237 |
assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); |
238 |
} |
239 |
|
240 |
@Test |
241 |
public void testInvokeAllProxiesAreTrustedAndRemoteAddrMatchRegexp() throws Exception { |
242 |
|
243 |
// PREPARE |
244 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
245 |
remoteIpValve.setInternalProxies("127\\.0\\.0\\.1, 192\\.168\\..*, another-internal-proxy"); |
246 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
247 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
248 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
249 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
250 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
251 |
|
252 |
Request request = new Request(); |
253 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
254 |
request.remoteAddr = "192.168.0.10"; |
255 |
request.remoteHost = "remote-host-original-value"; |
256 |
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); |
257 |
|
258 |
// TEST |
259 |
remoteIpValve.invoke(request, null); |
260 |
|
261 |
// VERIFY |
262 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
263 |
assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); |
264 |
|
265 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
266 |
assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); |
267 |
|
268 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
269 |
assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); |
270 |
|
271 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
272 |
assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); |
273 |
|
274 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
275 |
assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); |
276 |
|
277 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
278 |
assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); |
279 |
} |
280 |
|
281 |
@Test |
282 |
public void testInvokeNotAllowedRemoteAddr() throws Exception { |
283 |
// PREPARE |
284 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
285 |
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); |
286 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
287 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
288 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
289 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
290 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
291 |
|
292 |
Request request = new Request(); |
293 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
294 |
request.remoteAddr = "not-allowed-internal-proxy"; |
295 |
request.remoteHost = "not-allowed-internal-proxy-host"; |
296 |
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); |
297 |
|
298 |
// TEST |
299 |
remoteIpValve.invoke(request, null); |
300 |
|
301 |
// VERIFY |
302 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
303 |
assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor); |
304 |
|
305 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
306 |
assertNull("x-forwarded-by must be null", actualXForwardedBy); |
307 |
|
308 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
309 |
assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr); |
310 |
|
311 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
312 |
assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost); |
313 |
|
314 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
315 |
assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy", actualPostInvokeRemoteAddr); |
316 |
|
317 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
318 |
assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy-host", actualPostInvokeRemoteHost); |
319 |
} |
320 |
|
321 |
@Test |
322 |
public void testInvokeUntrustedProxyInTheChain() throws Exception { |
323 |
// PREPARE |
324 |
RemoteIpValve remoteIpValve = new RemoteIpValve(); |
325 |
remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); |
326 |
remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); |
327 |
remoteIpValve.setRemoteIPHeader("x-forwarded-for"); |
328 |
remoteIpValve.setProxiesHeader("x-forwarded-by"); |
329 |
RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); |
330 |
remoteIpValve.setNext(remoteAddrAndHostTrackerValve); |
331 |
|
332 |
Request request = new Request(); |
333 |
request.setCoyoteRequest(new org.apache.coyote.Request()); |
334 |
request.remoteAddr = "192.168.0.10"; |
335 |
request.remoteHost = "remote-host-original-value"; |
336 |
request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for") |
337 |
.setString("140.211.11.130, proxy1, untrusted-proxy, proxy2"); |
338 |
|
339 |
// TEST |
340 |
remoteIpValve.invoke(request, null); |
341 |
|
342 |
// VERIFY |
343 |
String actualXForwardedFor = request.getHeader("x-forwarded-for"); |
344 |
assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130, proxy1", actualXForwardedFor); |
345 |
|
346 |
String actualXForwardedBy = request.getHeader("x-forwarded-by"); |
347 |
assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2", actualXForwardedBy); |
348 |
|
349 |
String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); |
350 |
assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr); |
351 |
|
352 |
String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); |
353 |
assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost); |
354 |
|
355 |
String actualPostInvokeRemoteAddr = request.getRemoteAddr(); |
356 |
assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); |
357 |
|
358 |
String actualPostInvokeRemoteHost = request.getRemoteHost(); |
359 |
assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); |
360 |
} |
361 |
|
362 |
@Test |
363 |
public void testListToCommaDelimitedString() { |
364 |
String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1, element2, element3"); |
365 |
String[] expected = new String[] { |
366 |
"element1", "element2", "element3" |
367 |
}; |
368 |
assertArrayEquals(expected, actual); |
369 |
} |
370 |
|
371 |
@Test |
372 |
public void testListToCommaDelimitedStringMixedSpaceChars() { |
373 |
String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1 , element2,\t element3"); |
374 |
String[] expected = new String[] { |
375 |
"element1", "element2", "element3" |
376 |
}; |
377 |
assertArrayEquals(expected, actual); |
378 |
} |
379 |
} |
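Review bot: The only negative case for the internal-proxy check, testInvokeNotAllowedRemoteAddr, uses the remote address `not-allowed-internal-proxy`, which shares nothing with the configured patterns, so the suite would still pass if RemoteIpValve matched `192\\.168\\.0\\.10` as a prefix or substring rather than against the whole address. A peer accepted as an internal proxy gets the x-forwarded-for value installed as the remote address that the next valve sees (the tracker valve in these tests records exactly that), so the boundary of that match is the part most worth pinning. I would add a near-miss case like the one below, where the address is a constructed sample; this assumes whole-address matching is the intended contract, which I cannot confirm because RemoteIpValve itself is not part of this section. Separately, the helper tests are named the wrong way round (the testCommaDelimitedListToStringArray* methods call listToCommaDelimitedString and the testListToCommaDelimitedString* methods call commaDelimitedListToStringArray), and the remoteHost assertions reuse the message `postInvoke remoteAddr`.

```java
@Test
public void testInvokeRemoteAddrNearMissOfInternalProxy() throws Exception {
    // PREPARE
    RemoteIpValve remoteIpValve = new RemoteIpValve();
    remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
    remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
    remoteIpValve.setRemoteIPHeader("x-forwarded-for");
    remoteIpValve.setProxiesHeader("x-forwarded-by");
    RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
    remoteIpValve.setNext(remoteAddrAndHostTrackerValve);

    Request request = new Request();
    request.setCoyoteRequest(new org.apache.coyote.Request());
    // constructed sample: "192.168.0.10" plus one digit, must not count as an internal proxy
    request.remoteAddr = "192.168.0.100";
    request.remoteHost = "remote-host-original-value";
    request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");

    // TEST
    remoteIpValve.invoke(request, null);

    // VERIFY
    assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", request.getHeader("x-forwarded-for"));
    assertNull("x-forwarded-by must be null", request.getHeader("x-forwarded-by"));
    assertEquals("remoteAddr", "192.168.0.100", remoteAddrAndHostTrackerValve.getRemoteAddr());
}
```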