From 5961c430e9059233a20c6ccb4de344bfabec37a3 Mon Sep 17 00:00:00 2001 From: "Mateusz \"Serafin\" Gajewski" Date: Wed, 29 Mar 2023 10:18:48 +0200 Subject: [PATCH 1/3] Bring DistinguishedNameParser from okhttp3 --- .../internal/tls/DistinguishedNameParser.java | 426 ++++++++++++++++++ 1 file changed, 426 insertions(+) create mode 100644 client/trino-client/src/main/java/okhttp3/internal/tls/DistinguishedNameParser.java diff --git a/client/trino-client/src/main/java/okhttp3/internal/tls/DistinguishedNameParser.java b/client/trino-client/src/main/java/okhttp3/internal/tls/DistinguishedNameParser.java new file mode 100644 index 000000000000..b58507e616b3 --- /dev/null +++ b/client/trino-client/src/main/java/okhttp3/internal/tls/DistinguishedNameParser.java @@ -0,0 +1,426 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package okhttp3.internal.tls; + +import javax.security.auth.x500.X500Principal; + +// Formatted copy of https://raw.githubusercontent.com/square/okhttp/fc7ac8ae0b30d219cbd884b2af458f19c170c5fb/okhttp/src/main/java/okhttp3/internal/tls/DistinguishedNameParser.java +final class DistinguishedNameParser +{ + private final String dn; + private final int length; + private int pos; + private int beg; + private int end; + + /** + * Temporary variable to store positions of the currently parsed item. + */ + private int cur; + + /** + * Distinguished name characters. + */ + private char[] chars; + + DistinguishedNameParser(X500Principal principal) + { + // RFC2253 is used to ensure we get attributes in the reverse + // order of the underlying ASN.1 encoding, so that the most + // significant values of repeated attributes occur first. + this.dn = principal.getName(X500Principal.RFC2253); + this.length = this.dn.length(); + } + + // gets next attribute type: (ALPHA 1*keychar) / oid + private String nextAT() + { + for (; pos < length && chars[pos] == ' '; pos++) { + // skip preceding space chars, they can present after + // comma or semicolon (compatibility with RFC 1779) + } + if (pos == length) { + return null; // reached the end of DN + } + + // mark the beginning of attribute type + beg = pos; + + // attribute type chars + pos++; + for (; pos < length && chars[pos] != '=' && chars[pos] != ' '; pos++) { + // we don't follow exact BNF syntax here: + // accept any char except space and '=' + } + if (pos >= length) { + throw new IllegalStateException("Unexpected end of DN: " + dn); + } + + // mark the end of attribute type + end = pos; + + if (chars[pos] == ' ') { + for (; pos < length && chars[pos] != '=' && chars[pos] == ' '; pos++) { + // skip trailing space chars between attribute type and '=' + // (compatibility with RFC 1779) + } + + if (chars[pos] != '=' || pos == length) { + throw new IllegalStateException("Unexpected end of DN: " + dn); + } + } + + pos++; //skip '=' char + + for (; pos < length && chars[pos] == ' '; pos++) { + // skip space chars between '=' and attribute value + // (compatibility with RFC 1779) + } + + // in case of oid attribute type skip its prefix: "oid." or "OID." + // (compatibility with RFC 1779) + if ((end - beg > 4) && (chars[beg + 3] == '.') + && (chars[beg] == 'O' || chars[beg] == 'o') + && (chars[beg + 1] == 'I' || chars[beg + 1] == 'i') + && (chars[beg + 2] == 'D' || chars[beg + 2] == 'd')) { + beg += 4; + } + + return new String(chars, beg, end - beg); + } + + // gets quoted attribute value: QUOTATION *( quotechar / pair ) QUOTATION + private String quotedAV() + { + pos++; + beg = pos; + end = beg; + while (true) { + if (pos == length) { + throw new IllegalStateException("Unexpected end of DN: " + dn); + } + + if (chars[pos] == '"') { + // enclosing quotation was found + pos++; + break; + } + else if (chars[pos] == '\\') { + chars[end] = getEscaped(); + } + else { + // shift char: required for string with escaped chars + chars[end] = chars[pos]; + } + pos++; + end++; + } + + for (; pos < length && chars[pos] == ' '; pos++) { + // skip trailing space chars before comma or semicolon. + // (compatibility with RFC 1779) + } + + return new String(chars, beg, end - beg); + } + + // gets hex string attribute value: "#" hexstring + private String hexAV() + { + if (pos + 4 >= length) { + // encoded byte array must be not less then 4 c + throw new IllegalStateException("Unexpected end of DN: " + dn); + } + + beg = pos; // store '#' position + pos++; + while (true) { + // check for end of attribute value + // looks for space and component separators + if (pos == length || chars[pos] == '+' || chars[pos] == ',' + || chars[pos] == ';') { + end = pos; + break; + } + + if (chars[pos] == ' ') { + end = pos; + pos++; + for (; pos < length && chars[pos] == ' '; pos++) { + // skip trailing space chars before comma or semicolon. + // (compatibility with RFC 1779) + } + break; + } + else if (chars[pos] >= 'A' && chars[pos] <= 'F') { + chars[pos] += 32; //to low case + } + + pos++; + } + + // verify length of hex string + // encoded byte array must be not less then 4 and must be even number + int hexLen = end - beg; // skip first '#' char + if (hexLen < 5 || (hexLen & 1) == 0) { + throw new IllegalStateException("Unexpected end of DN: " + dn); + } + + // get byte encoding from string representation + byte[] encoded = new byte[hexLen / 2]; + for (int i = 0, p = beg + 1; i < encoded.length; p += 2, i++) { + encoded[i] = (byte) getByte(p); + } + + return new String(chars, beg, hexLen); + } + + private String escapedAV() + { + beg = pos; + end = pos; + while (true) { + if (pos >= length) { + // the end of DN has been found + return new String(chars, beg, end - beg); + } + + switch (chars[pos]) { + case '+': + case ',': + case ';': + // separator char has been found + return new String(chars, beg, end - beg); + case '\\': + // escaped char + chars[end++] = getEscaped(); + pos++; + break; + case ' ': + // need to figure out whether space defines + // the end of attribute value or not + cur = end; + + pos++; + chars[end++] = ' '; + + for (; pos < length && chars[pos] == ' '; pos++) { + chars[end++] = ' '; + } + if (pos == length || chars[pos] == ',' || chars[pos] == '+' + || chars[pos] == ';') { + // separator char or the end of DN has been found + return new String(chars, beg, cur - beg); + } + break; + default: + chars[end++] = chars[pos]; + pos++; + } + } + } + + // returns escaped char + private char getEscaped() + { + pos++; + if (pos == length) { + throw new IllegalStateException("Unexpected end of DN: " + dn); + } + + switch (chars[pos]) { + case '"': + case '\\': + case ',': + case '=': + case '+': + case '<': + case '>': + case '#': + case ';': + case ' ': + case '*': + case '%': + case '_': + //FIXME: escaping is allowed only for leading or trailing space char + return chars[pos]; + default: + // RFC doesn't explicitly say that escaped hex pair is + // interpreted as UTF-8 char. It only contains an example of such DN. + return getUTF8(); + } + } + + // decodes UTF-8 char + // see http://www.unicode.org for UTF-8 bit distribution table + private char getUTF8() + { + int res = getByte(pos); + pos++; //FIXME tmp + + if (res < 128) { // one byte: 0-7F + return (char) res; + } + else if (res >= 192 && res <= 247) { + int count; + if (res <= 223) { // two bytes: C0-DF + count = 1; + res = res & 0x1F; + } + else if (res <= 239) { // three bytes: E0-EF + count = 2; + res = res & 0x0F; + } + else { // four bytes: F0-F7 + count = 3; + res = res & 0x07; + } + + int b; + for (int i = 0; i < count; i++) { + pos++; + if (pos == length || chars[pos] != '\\') { + return 0x3F; //FIXME failed to decode UTF-8 char - return '?' + } + pos++; + + b = getByte(pos); + pos++; //FIXME tmp + if ((b & 0xC0) != 0x80) { + return 0x3F; //FIXME failed to decode UTF-8 char - return '?' + } + + res = (res << 6) + (b & 0x3F); + } + return (char) res; + } + else { + return 0x3F; //FIXME failed to decode UTF-8 char - return '?' + } + } + + // Returns byte representation of a char pair + // The char pair is composed of DN char in + // specified 'position' and the next char + // According to BNF syntax: + // hexchar = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" + // / "a" / "b" / "c" / "d" / "e" / "f" + private int getByte(int position) + { + if (position + 1 >= length) { + throw new IllegalStateException("Malformed DN: " + dn); + } + + int b1; + int b2; + + b1 = chars[position]; + if (b1 >= '0' && b1 <= '9') { + b1 = b1 - '0'; + } + else if (b1 >= 'a' && b1 <= 'f') { + b1 = b1 - 87; // 87 = 'a' - 10 + } + else if (b1 >= 'A' && b1 <= 'F') { + b1 = b1 - 55; // 55 = 'A' - 10 + } + else { + throw new IllegalStateException("Malformed DN: " + dn); + } + + b2 = chars[position + 1]; + if (b2 >= '0' && b2 <= '9') { + b2 = b2 - '0'; + } + else if (b2 >= 'a' && b2 <= 'f') { + b2 = b2 - 87; // 87 = 'a' - 10 + } + else if (b2 >= 'A' && b2 <= 'F') { + b2 = b2 - 55; // 55 = 'A' - 10 + } + else { + throw new IllegalStateException("Malformed DN: " + dn); + } + + return (b1 << 4) + b2; + } + + /** + * Parses the DN and returns the most significant attribute value for an attribute type, or null + * if none found. + * + * @param attributeType attribute type to look for (e.g. "ca") + */ + public String findMostSpecific(String attributeType) + { + // Initialize internal state. + pos = 0; + beg = 0; + end = 0; + cur = 0; + chars = dn.toCharArray(); + + String attType = nextAT(); + if (attType == null) { + return null; + } + while (true) { + String attValue = ""; + + if (pos == length) { + return null; + } + + switch (chars[pos]) { + case '"': + attValue = quotedAV(); + break; + case '#': + attValue = hexAV(); + break; + case '+': + case ',': + case ';': // compatibility with RFC 1779: semicolon can separate RDNs + //empty attribute value + break; + default: + attValue = escapedAV(); + } + + // Values are ordered from most specific to least specific + // due to the RFC2253 formatting. So take the first match + // we see. + if (attributeType.equalsIgnoreCase(attType)) { + return attValue; + } + + if (pos >= length) { + return null; + } + + if (chars[pos] == ',' || chars[pos] == ';') { + // + } + else if (chars[pos] != '+') { + throw new IllegalStateException("Malformed DN: " + dn); + } + + pos++; + attType = nextAT(); + if (attType == null) { + throw new IllegalStateException("Malformed DN: " + dn); + } + } + } +} From 874170bc34376d86ee86d23178c369a4370b006f Mon Sep 17 00:00:00 2001 From: "Mateusz \"Serafin\" Gajewski" Date: Wed, 29 Mar 2023 10:19:59 +0200 Subject: [PATCH 2/3] Inline OkHostnameVerifier and Util.verifyAsIpAddress They were removed in OkHttp 4.x and we still rely on the legacy SSL hostname verification --- .../internal/tls/LegacyHostnameVerifier.java | 142 +++++++++++++++++- 1 file changed, 138 insertions(+), 4 deletions(-) diff --git a/client/trino-client/src/main/java/okhttp3/internal/tls/LegacyHostnameVerifier.java b/client/trino-client/src/main/java/okhttp3/internal/tls/LegacyHostnameVerifier.java index 45a883f7d8b9..5ac8aca7b769 100644 --- a/client/trino-client/src/main/java/okhttp3/internal/tls/LegacyHostnameVerifier.java +++ b/client/trino-client/src/main/java/okhttp3/internal/tls/LegacyHostnameVerifier.java @@ -13,20 +13,29 @@ */ package okhttp3.internal.tls; +import com.google.common.collect.ImmutableList; + import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLException; import javax.net.ssl.SSLSession; import javax.security.auth.x500.X500Principal; import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; - -import static okhttp3.internal.Util.verifyAsIpAddress; -import static okhttp3.internal.tls.OkHostnameVerifier.allSubjectAltNames; +import java.util.Collection; +import java.util.List; +import java.util.Locale; +import java.util.regex.Pattern; public class LegacyHostnameVerifier implements HostnameVerifier { + private static final int ALT_DNS_NAME = 2; + private static final int ALT_IPA_NAME = 7; + private static final Pattern VERIFY_AS_IP_ADDRESS = Pattern.compile( + "([0-9a-fA-F]*:[0-9a-fA-F:.]*)|([\\d.]+)"); + public static final HostnameVerifier INSTANCE = new LegacyHostnameVerifier(); private LegacyHostnameVerifier() {} @@ -57,7 +66,7 @@ public boolean verify(String host, SSLSession session) // RFC 2818 advises using the most specific name for matching. String cn = new DistinguishedNameParser(principal).findMostSpecific("cn"); if (cn != null) { - return OkHostnameVerifier.INSTANCE.verifyHostname(host, cn); + return verifyHostname(host, cn); } return false; @@ -66,4 +75,129 @@ public boolean verify(String host, SSLSession session) return false; } } + + private boolean verifyAsIpAddress(String host) + { + return VERIFY_AS_IP_ADDRESS.matcher(host).matches(); + } + + private boolean verifyHostname(String hostName, String pattern) + { + // Basic sanity checks + // Check length == 0 instead of .isEmpty() to support Java 5. + if ((hostName == null) || (hostName.length() == 0) || (hostName.startsWith(".")) || (hostName.endsWith(".."))) { + // Invalid domain name + return false; + } + if ((pattern == null) || (pattern.length() == 0) || (pattern.startsWith(".")) || (pattern.endsWith(".."))) { + // Invalid pattern/domain name + return false; + } + + // Normalize hostName and pattern by turning them into absolute domain names if they are not + // yet absolute. This is needed because server certificates do not normally contain absolute + // names or patterns, but they should be treated as absolute. At the same time, any hostName + // presented to this method should also be treated as absolute for the purposes of matching + // to the server certificate. + // www.android.com matches www.android.com + // www.android.com matches www.android.com. + // www.android.com. matches www.android.com. + // www.android.com. matches www.android.com + if (!hostName.endsWith(".")) { + hostName += '.'; + } + if (!pattern.endsWith(".")) { + pattern += '.'; + } + // hostName and pattern are now absolute domain names. + + pattern = pattern.toLowerCase(Locale.US); + // hostName and pattern are now in lower case -- domain names are case-insensitive. + + if (!pattern.contains("*")) { + // Not a wildcard pattern -- hostName and pattern must match exactly. + return hostName.equals(pattern); + } + // Wildcard pattern + + // WILDCARD PATTERN RULES: + // 1. Asterisk (*) is only permitted in the left-most domain name label and must be the + // only character in that label (i.e., must match the whole left-most label). + // For example, *.example.com is permitted, while *a.example.com, a*.example.com, + // a*b.example.com, a.*.example.com are not permitted. + // 2. Asterisk (*) cannot match across domain name labels. + // For example, *.example.com matches test.example.com but does not match + // sub.test.example.com. + // 3. Wildcard patterns for single-label domain names are not permitted. + + if ((!pattern.startsWith("*.")) || (pattern.indexOf('*', 1) != -1)) { + // Asterisk (*) is only permitted in the left-most domain name label and must be the only + // character in that label + return false; + } + + // Optimization: check whether hostName is too short to match the pattern. hostName must be at + // least as long as the pattern because asterisk must match the whole left-most label and + // hostName starts with a non-empty label. Thus, asterisk has to match one or more characters. + if (hostName.length() < pattern.length()) { + // hostName too short to match the pattern. + return false; + } + + if ("*.".equals(pattern)) { + // Wildcard pattern for single-label domain name -- not permitted. + return false; + } + + // hostName must end with the region of pattern following the asterisk. + String suffix = pattern.substring(1); + if (!hostName.endsWith(suffix)) { + // hostName does not end with the suffix + return false; + } + + // Check that asterisk did not match across domain name labels. + int suffixStartIndexInHostName = hostName.length() - suffix.length(); + // Asterisk is matching across domain name labels -- not permitted. + return (suffixStartIndexInHostName <= 0) || (hostName.lastIndexOf('.', suffixStartIndexInHostName - 1) == -1); + } + + private List allSubjectAltNames(X509Certificate certificate) + { + return ImmutableList.builder() + .addAll(allSubjectAltNames(certificate, ALT_IPA_NAME)) + .addAll(allSubjectAltNames(certificate, ALT_DNS_NAME)) + .build(); + } + + private List allSubjectAltNames(X509Certificate certificate, int type) + { + ImmutableList.Builder result = ImmutableList.builder(); + try { + Collection subjectAltNames = certificate.getSubjectAlternativeNames(); + if (subjectAltNames == null) { + return ImmutableList.of(); + } + for (Object subjectAltName : subjectAltNames) { + List entry = (List) subjectAltName; + if (entry == null || entry.size() < 2) { + continue; + } + Integer altNameType = (Integer) entry.get(0); + if (altNameType == null) { + continue; + } + if (altNameType == type) { + String altName = (String) entry.get(1); + if (altName != null) { + result.add(altName); + } + } + } + return result.build(); + } + catch (CertificateParsingException e) { + return ImmutableList.of(); + } + } } From 1369b848c7651e840483ba665c8e0cf459bd137f Mon Sep 17 00:00:00 2001 From: "Mateusz \"Serafin\" Gajewski" Date: Wed, 29 Mar 2023 10:24:00 +0200 Subject: [PATCH 3/3] Update okhttp to 4.10.0 --- .../java/io/trino/client/JsonResponse.java | 10 ------ .../external/TestExternalAuthenticator.java | 3 +- plugin/trino-http-event-listener/pom.xml | 3 +- plugin/trino-pinot/pom.xml | 12 +++---- pom.xml | 33 +++---------------- testing/trino-product-tests/pom.xml | 5 --- 6 files changed, 13 insertions(+), 53 deletions(-) diff --git a/client/trino-client/src/main/java/io/trino/client/JsonResponse.java b/client/trino-client/src/main/java/io/trino/client/JsonResponse.java index 1b6e2f54b92c..c5f1aee3a3a3 100644 --- a/client/trino-client/src/main/java/io/trino/client/JsonResponse.java +++ b/client/trino-client/src/main/java/io/trino/client/JsonResponse.java @@ -29,7 +29,6 @@ import java.util.OptionalLong; import static com.google.common.base.MoreObjects.toStringHelper; -import static com.google.common.net.HttpHeaders.LOCATION; import static java.lang.String.format; import static java.util.Objects.requireNonNull; @@ -113,15 +112,6 @@ public String toString() public static JsonResponse execute(JsonCodec codec, OkHttpClient client, Request request, OptionalLong materializedJsonSizeLimit) { try (Response response = client.newCall(request).execute()) { - // TODO: fix in OkHttp: https://github.com/square/okhttp/issues/3111 - if ((response.code() == 307) || (response.code() == 308)) { - String location = response.header(LOCATION); - if (location != null) { - request = request.newBuilder().url(location).build(); - return execute(codec, client, request, materializedJsonSizeLimit); - } - } - ResponseBody responseBody = requireNonNull(response.body()); if (isJson(responseBody.contentType())) { String body = null; diff --git a/client/trino-client/src/test/java/io/trino/client/auth/external/TestExternalAuthenticator.java b/client/trino-client/src/test/java/io/trino/client/auth/external/TestExternalAuthenticator.java index f82ba3af0b82..99be93901378 100644 --- a/client/trino-client/src/test/java/io/trino/client/auth/external/TestExternalAuthenticator.java +++ b/client/trino-client/src/test/java/io/trino/client/auth/external/TestExternalAuthenticator.java @@ -139,8 +139,7 @@ public void testAuthentication() Request authenticated = authenticator.authenticate(null, getUnauthorizedResponse("Bearer x_token_server=\"http://token.uri\"")); - assertThat(authenticated.headers()) - .extracting(headers -> headers.get(AUTHORIZATION)) + assertThat(authenticated.headers().get(AUTHORIZATION)) .isEqualTo("Bearer valid-token"); } diff --git a/plugin/trino-http-event-listener/pom.xml b/plugin/trino-http-event-listener/pom.xml index b4632e89bb58..dd136be0b7e0 100644 --- a/plugin/trino-http-event-listener/pom.xml +++ b/plugin/trino-http-event-listener/pom.xml @@ -130,8 +130,7 @@ com.squareup.okio - okio - 1.17.2 + okio-jvm test diff --git a/plugin/trino-pinot/pom.xml b/plugin/trino-pinot/pom.xml index 4bf58219c16d..4ba8b460b842 100755 --- a/plugin/trino-pinot/pom.xml +++ b/plugin/trino-pinot/pom.xml @@ -510,6 +510,12 @@ runtime + + org.jetbrains + annotations + runtime + + io.trino @@ -628,12 +634,6 @@ test - - org.jetbrains - annotations - test - - org.testcontainers kafka diff --git a/pom.xml b/pom.xml index 3881ec57a203..5125d39caedb 100644 --- a/pom.xml +++ b/pom.xml @@ -53,7 +53,6 @@ 9.0.0 ${dep.airlift.version} 1.12.261 - 3.14.9 0.11.5 21.9.0.0 1.14 @@ -66,7 +65,7 @@ 7.3.1 3.3.2 4.14.0 - 7.1.4 + 8.4.5 1.1.0 4.7.2 3.21.6 @@ -1372,32 +1371,10 @@ com.squareup.okhttp3 - logging-interceptor - ${dep.okhttp.version} - - - - com.squareup.okhttp3 - mockwebserver - ${dep.okhttp.version} - - - - com.squareup.okhttp3 - okhttp - ${dep.okhttp.version} - - - - com.squareup.okhttp3 - okhttp-tls - ${dep.okhttp.version} - - - - com.squareup.okhttp3 - okhttp-urlconnection - ${dep.okhttp.version} + okhttp-bom + pom + 4.10.0 + import diff --git a/testing/trino-product-tests/pom.xml b/testing/trino-product-tests/pom.xml index 68a1cb86e53b..38cedd57f7e3 100644 --- a/testing/trino-product-tests/pom.xml +++ b/testing/trino-product-tests/pom.xml @@ -229,11 +229,6 @@ assertj-core - - org.jetbrains - annotations - - org.testng testng