Merge remote-tracking branch 'origin/vlad/develop' into vlad/develop
VladSenyuta committed Apr 15, 2024
2 parents 98dbb89 + 4bae3ac commit 62e31ef
Showing 3 changed files with 21 additions and 1 deletion.
16 changes: 16 additions & 0 deletions api/src/main/java/io/kafbat/ui/config/ReadOnlyModeFilter.java
Expand Up @@ -5,6 +5,7 @@
import io.kafbat.ui.service.ClustersStorage;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;
import lombok.RequiredArgsConstructor;
import org.jetbrains.annotations.NotNull;
Expand All @@ -23,6 +24,10 @@ public class ReadOnlyModeFilter implements WebFilter {
private static final Pattern CLUSTER_NAME_REGEX =
Pattern.compile("/api/clusters/(?<clusterName>[^/]++)");

private static final Set<Pattern> SAFE_ENDPOINTS = Set.of(
Pattern.compile("/api/clusters/[^/]+/topics/[^/]+/(smartfilters)$")
);

private final ClustersStorage clustersStorage;

@NotNull
Expand All @@ -35,10 +40,12 @@ public Mono<Void> filter(ServerWebExchange exchange, @NotNull WebFilterChain cha

var path = exchange.getRequest().getPath().pathWithinApplication().value();
var decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);

var matcher = CLUSTER_NAME_REGEX.matcher(decodedPath);
if (!matcher.find()) {
return chain.filter(exchange);
}

var clusterName = matcher.group("clusterName");
var kafkaCluster = clustersStorage.getClusterByName(clusterName)
.orElseThrow(
Expand All @@ -49,6 +56,15 @@ public Mono<Void> filter(ServerWebExchange exchange, @NotNull WebFilterChain cha
return chain.filter(exchange);
}

var isSafeEndpoint = SAFE_ENDPOINTS
.stream()
.parallel()
.anyMatch(endpoint -> endpoint.matcher(decodedPath).matches());

if (isSafeEndpoint) {
return chain.filter(exchange);
}

return Mono.error(ReadOnlyModeException::new);
}
}
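Review bot: The SAFE_ENDPOINTS check near the end of filter() matches against `decodedPath`, so an encoded separator inside a path segment becomes a real `/` before the allowlist is evaluated. The string that passes the allowlist may therefore not have the segment structure the router dispatches on, which in read-only mode could exempt a write request meant for a different handler. Matching the undecoded value, `.anyMatch(endpoint -> endpoint.matcher(path).matches())`, keeps the allowlist and the router looking at the same segments. The exemption also applies to every HTTP method that reaches this point, so it is worth binding it to the one method the smartfilters endpoint needs, and `.parallel()` on a one-element set adds only scheduling overhead and can be dropped. The start of filter() lies between the hunks, so any earlier method check is not visible here.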
Expand Up @@ -30,7 +30,8 @@ class KafkaConfigSanitizer {
.add(
"basic.auth.user.info", /* For Schema Registry credentials */
"password", "secret", "token", "key", ".*credentials.*", /* General credential patterns */
"aws.access.*", "aws.secret.*", "aws.session.*" /* AWS-related credential patterns */
"aws.access.*", "aws.secret.*", "aws.session.*", /* AWS-related credential patterns */
"connection.uri" /* mongo credential patterns */
)
.build();
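Review bot: The comment on the new `"connection.uri"` entry, `/* mongo credential patterns */`, does not say why the key is sensitive; something like `/* MongoDB connection string may embed user:password */` tells the next maintainer what is being protected. Only this one exact key is added, so if other connectors in use carry credentials in a URL-valued setting they would need their own entries. How the builder matches entries (exact, suffix or regex) is outside the hunk, so whether prefixed variants of the key are covered cannot be confirmed from here.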

Expand Up @@ -34,6 +34,9 @@ void obfuscateCredentials() {
assertThat(sanitizer.sanitize("aws.secret.access.key", "secret")).isEqualTo("******");
assertThat(sanitizer.sanitize("aws.secretAccessKey", "secret")).isEqualTo("******");
assertThat(sanitizer.sanitize("aws.sessionToken", "secret")).isEqualTo("******");

//Mongo var sanitizing
assertThat(sanitizer.sanitize("connection.uri", "secret")).isEqualTo("******");
}

@Test
