NIFI-13622 Corrected Logout Complete Redirect for Proxies (#9143)

This closes #9143
apache · Aug 2, 2024 · 141ca71 · 141ca71
1 parent 4588449
commit 141ca71
Show file tree

Hide file tree

Showing 4 changed files with 196 additions and 15 deletions.
diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml
@@ -85,6 +85,11 @@
             <artifactId>nifi-web-security</artifactId>
             <version>2.0.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-web-servlet-shared</artifactId>
+            <version>2.0.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>

diff --git a/...i-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java b/...i-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
@@ -100,6 +100,7 @@
 import org.apache.nifi.web.UiExtensionType;
 import org.apache.nifi.web.server.connector.FrameworkServerConnectorFactory;
 import org.apache.nifi.web.server.filter.FilterParameter;
+import org.apache.nifi.web.server.filter.LogoutCompleteRedirectFilter;
 import org.apache.nifi.web.server.filter.RequestFilterProvider;
 import org.apache.nifi.web.server.filter.RestApiRequestFilterProvider;
 import org.apache.nifi.web.server.filter.StandardRequestFilterProvider;
@@ -226,21 +227,8 @@ public void init() {
         configureConnectors(server);
 
         final ContextHandlerCollection handlerCollection = new ContextHandlerCollection();
-
-        // Only restrict the host header if running in HTTPS mode
-        if (props.isHTTPSConfigured()) {
-            final HostHeaderHandler hostHeaderHandler = new HostHeaderHandler(props);
-            handlerCollection.addHandler(hostHeaderHandler);
-        }
-
-        final Handler warHandlers = loadInitialWars(bundles);
-        handlerCollection.addHandler(warHandlers);
-
-        final RewriteHandler logoutCompleteRewriteHandler = new RewriteHandler();
-        final RedirectPatternRule redirectLogoutComplete = new RedirectPatternRule("/nifi/logout-complete", "/nifi/#/logout-complete");
-        logoutCompleteRewriteHandler.addRule(redirectLogoutComplete);
-        logoutCompleteRewriteHandler.setHandler(handlerCollection);
-        server.setHandler(logoutCompleteRewriteHandler);
+        final Handler standardHandler = getStandardHandler(handlerCollection);
+        server.setHandler(standardHandler);
 
         final RewriteHandler defaultRewriteHandler = new RewriteHandler();
         final RedirectPatternRule redirectDefault = new RedirectPatternRule("/*", "/nifi");
@@ -256,6 +244,18 @@ public void init() {
         server.setRequestLog(requestLog);
     }
 
+    private Handler getStandardHandler(final ContextHandlerCollection handlerCollection) {
+        // Only restrict the host header if running in HTTPS mode
+        if (props.isHTTPSConfigured()) {
+            final HostHeaderHandler hostHeaderHandler = new HostHeaderHandler(props);
+            handlerCollection.addHandler(hostHeaderHandler);
+        }
+
+        final Handler warHandlers = loadInitialWars(bundles);
+        handlerCollection.addHandler(warHandlers);
+        return handlerCollection;
+    }
+
     private Handler loadInitialWars(final Set<Bundle> bundles) {
         final Map<File, Bundle> warToBundleLookup = findWars(bundles);
 
@@ -644,6 +644,13 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina
                 ? REST_API_REQUEST_FILTER_PROVIDER.getFilters(props)
                 : REQUEST_FILTER_PROVIDER.getFilters(props);
 
+        // Add Logout Complete Filter for web user interface integration
+        if (CONTEXT_PATH_NIFI.equals(contextPath)) {
+            final FilterHolder logoutCompleteFilterHolder = new FilterHolder(LogoutCompleteRedirectFilter.class);
+            logoutCompleteFilterHolder.setName(LogoutCompleteRedirectFilter.class.getSimpleName());
+            requestFilters.add(logoutCompleteFilterHolder);
+        }
+
         requestFilters.forEach(filter -> {
             final String pathSpecification = filter.getInitParameter(FilterParameter.PATH_SPECIFICATION.name());
             final String filterPathSpecification = pathSpecification == null ? CONTEXT_PATH_ALL : pathSpecification;

diff --git a/...i-jetty/src/main/java/org/apache/nifi/web/server/filter/LogoutCompleteRedirectFilter.java b/...i-jetty/src/main/java/org/apache/nifi/web/server/filter/LogoutCompleteRedirectFilter.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.server.filter;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.nifi.web.servlet.shared.RequestUriBuilder;
+
+import java.io.IOException;
+import java.net.URI;
+
+/**
+ * Logout Complete Redirect Filter for web user interface integration with fragment-based routing
+ */
+public class LogoutCompleteRedirectFilter implements Filter {
+    private static final String LOGOUT_COMPLETE_PATH = "/nifi/logout-complete";
+
+    private static final String USER_INTERFACE_PATH = "/nifi/";
+
+    private static final String FRAGMENT_PATH = "/logout-complete";
+
+    @Override
+    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
+        if (servletRequest instanceof HttpServletRequest httpServletRequest) {
+            final String requestUri = httpServletRequest.getRequestURI();
+            if (requestUri.endsWith(LOGOUT_COMPLETE_PATH)) {
+                final HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+                doRedirect(httpServletRequest, httpServletResponse);
+            } else {
+                filterChain.doFilter(servletRequest, servletResponse);
+            }
+        } else {
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+    }
+
+    private void doRedirect(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException {
+        final URI redirectUri = RequestUriBuilder.fromHttpServletRequest(httpServletRequest)
+                .path(USER_INTERFACE_PATH)
+                .fragment(FRAGMENT_PATH)
+                .build();
+        final String redirectLocation = redirectUri.toString();
+        httpServletResponse.sendRedirect(redirectLocation);
+    }
+}
diff --git a/...tty/src/test/java/org/apache/nifi/web/server/filter/LogoutCompleteRedirectFilterTest.java b/...tty/src/test/java/org/apache/nifi/web/server/filter/LogoutCompleteRedirectFilterTest.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.server.filter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Captor;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+public class LogoutCompleteRedirectFilterTest {
+    private static final String LOGOUT_COMPLETE_URI = "/nifi/logout-complete";
+
+    private static final String ROOT_URI = "/nifi/";
+
+    private static final String ALLOWED_CONTEXT_PATHS_PARAMETER = "allowedContextPaths";
+
+    private static final String FORWARDED_PATH = "/forwarded";
+
+    private static final String LOGOUT_COMPLETE_EXPECTED = "/forwarded/nifi/#/logout-complete";
+
+    private static final String CONTEXT_PATH_HEADER = "X-ProxyContextPath";
+
+    @Mock
+    private ServletContext servletContext;
+
+    @Mock
+    private FilterConfig filterConfig;
+
+    @Mock
+    private FilterChain filterChain;
+
+    @Mock(strictness = Mock.Strictness.LENIENT)
+    private HttpServletRequest request;
+
+    @Mock
+    private HttpServletResponse response;
+
+    @Captor
+    private ArgumentCaptor<String> redirectCaptor;
+
+    private LogoutCompleteRedirectFilter filter;
+
+    @BeforeEach
+    public void setFilter() throws ServletException {
+        filter = new LogoutCompleteRedirectFilter();
+        filter.init(filterConfig);
+    }
+
+    @Test
+    public void testDoFilter() throws ServletException, IOException {
+        when(request.getRequestURI()).thenReturn(ROOT_URI);
+
+        filter.doFilter(request, response, filterChain);
+
+        verify(response, never()).sendRedirect(anyString());
+    }
+
+    @Test
+    public void testDoFilterLogoutComplete() throws ServletException, IOException {
+        when(request.getRequestURI()).thenReturn(LOGOUT_COMPLETE_URI);
+        when(request.getServletContext()).thenReturn(servletContext);
+        when(servletContext.getInitParameter(eq(ALLOWED_CONTEXT_PATHS_PARAMETER))).thenReturn(FORWARDED_PATH);
+        when(request.getHeader(eq(CONTEXT_PATH_HEADER))).thenReturn(FORWARDED_PATH);
+
+        filter.doFilter(request, response, filterChain);
+
+        verify(response).sendRedirect(redirectCaptor.capture());
+
+        final String redirect = redirectCaptor.getValue();
+        assertEquals(LOGOUT_COMPLETE_EXPECTED, redirect);
+    }
+}