diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-12-02 16:46:27 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-12-02 16:46:27 +0100 |
commit | 482a30d82ab06a8f8ddfbc1d3e1222daa0b3389f (patch) | |
tree | a6729f4666159a997749dda56604157c3a9fae18 | |
parent | 7050f71b6d40c59fb68315b0c72dc3dcf84f0f0c (diff) |
Add glob pattern helper that handles multiple alternative boundaries
4 files changed, 205 insertions, 35 deletions
diff --git a/security-utils/pom.xml b/security-utils/pom.xml index b7c7c110ad8..39a52fb12db 100644 --- a/security-utils/pom.xml +++ b/security-utils/pom.xml @@ -60,6 +60,16 @@ <artifactId>mockito-core</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>org.junit.jupiter</groupId> + <artifactId>junit-jupiter</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.junit.vintage</groupId> + <artifactId>junit-vintage-engine</artifactId> + <scope>test</scope> + </dependency> </dependencies> <build> <plugins> diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java new file mode 100644 index 00000000000..30d4186f8a5 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java @@ -0,0 +1,82 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls.policy; + +import java.util.Arrays; +import java.util.Objects; +import java.util.regex.Pattern; + +/** + * Matching engine for glob patterns having where one ore more alternative characters acts a boundary for wildcard matching. + * + * @author bjorncs + */ +class GlobPattern { + private final String pattern; + private final char[] boundaries; + private final Pattern regexPattern; + + GlobPattern(String pattern, char[] boundaries) { + this.pattern = pattern; + this.boundaries = boundaries; + this.regexPattern = toRegexPattern(pattern, boundaries); + } + + boolean matches(String value) { return regexPattern.matcher(value).matches(); } + + String asString() { return pattern; } + Pattern regexPattern() { return regexPattern; } + char[] boundaries() { return boundaries; } + + private static Pattern toRegexPattern(String pattern, char[] boundaries) { + StringBuilder builder = new StringBuilder("^"); + StringBuilder precedingCharactersToQuote = new StringBuilder(); + char[] chars = pattern.toCharArray(); + for (char c : chars) { + if (c == '?' || c == '*') { + builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote)); + // Note: we explicitly stop matching at a separator boundary. + // This is to make matching less vulnerable to dirty tricks (e.g dot as boundary for hostnames). + // Same applies for single chars; they should only match _within_ a boundary. + builder.append("[^").append(Pattern.quote(new String(boundaries))).append("]"); + if (c == '*') builder.append('*'); + } else { + precedingCharactersToQuote.append(c); + } + } + return Pattern.compile(builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote)).append('$').toString()); + } + + // Combines multiple subsequent literals inside a single quote to simplify produced regex patterns + private static String quotePrecedingLiteralsAndReset(StringBuilder literals) { + if (literals.length() > 0) { + String quoted = literals.toString(); + literals.setLength(0); + return Pattern.quote(quoted); + } + return ""; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + GlobPattern that = (GlobPattern) o; + return Objects.equals(pattern, that.pattern) && Arrays.equals(boundaries, that.boundaries); + } + + @Override + public int hashCode() { + int result = Objects.hash(pattern); + result = 31 * result + Arrays.hashCode(boundaries); + return result; + } + + @Override + public String toString() { + return "GlobPattern{" + + "pattern='" + pattern + '\'' + + ", boundaries=" + Arrays.toString(boundaries) + + ", regexPattern=" + regexPattern + + '}'; + } +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java index fd9a233d609..d59052a48ef 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java @@ -2,60 +2,32 @@ package com.yahoo.security.tls.policy; import java.util.Objects; -import java.util.regex.Pattern; /** * @author bjorncs */ class HostGlobPattern implements RequiredPeerCredential.Pattern { - private final String pattern; - private final Pattern regexPattern; + private final GlobPattern globPattern; HostGlobPattern(String pattern) { - this.pattern = pattern; - this.regexPattern = toRegexPattern(pattern); + this.globPattern = new GlobPattern(pattern, new char[] {'.'}); } @Override public String asString() { - return pattern; + return globPattern.asString(); } @Override public boolean matches(String hostString) { - return regexPattern.matcher(hostString).matches(); - } - - private static Pattern toRegexPattern(String pattern) { - StringBuilder builder = new StringBuilder("^"); - for (char c : pattern.toCharArray()) { - if (c == '*') { - // Note: we explicitly stop matching at a dot separator boundary. - // This is to make host name matching less vulnerable to dirty tricks. - builder.append("[^.]*"); - } else if (c == '?') { - // Same applies for single chars; they should only match _within_ a dot boundary. - builder.append("[^.]"); - } else if (isRegexMetaCharacter(c)){ - builder.append("\\"); - builder.append(c); - } else { - builder.append(c); - } - } - builder.append('$'); - return Pattern.compile(builder.toString()); - } - - private static boolean isRegexMetaCharacter(char c) { - return "<([{\\^-=$!|]})?*+.>".indexOf(c) != -1; // note: includes '?' and '*' + return globPattern.matches(hostString); } @Override public String toString() { return "HostGlobPattern{" + - "pattern='" + pattern + '\'' + + "pattern='" + globPattern + '\'' + '}'; } @@ -64,11 +36,11 @@ class HostGlobPattern implements RequiredPeerCredential.Pattern { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; HostGlobPattern that = (HostGlobPattern) o; - return Objects.equals(pattern, that.pattern); + return Objects.equals(globPattern, that.globPattern); } @Override public int hashCode() { - return Objects.hash(pattern); + return Objects.hash(globPattern); } } diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java new file mode 100644 index 00000000000..bd51799980c --- /dev/null +++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java @@ -0,0 +1,106 @@ +// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls.policy; + +import org.junit.jupiter.api.Test; + +import java.util.Arrays; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +/** + * @author bjorncs + */ +class GlobPatternTest { + + @Test + public void glob_without_wildcards_matches_entire_string() { + assertMatches("foo", ".", "foo"); + assertNotMatches("foo", ".", "fooo"); + assertNotMatches("foo", ".", "ffoo"); + assertPatternHasRegex("foo", ".", "^\\Qfoo\\E$"); + } + + @Test + public void wildcard_glob_can_match_prefix() { + assertMatches("foo*", ".", "foo"); + assertMatches("foo*", ".", "foobar"); + assertNotMatches("foo*", ".", "ffoo"); + } + + @Test + public void wildcard_glob_can_match_suffix() { + assertMatches("*foo", ".", "foo"); + assertMatches("*foo", ".", "ffoo"); + assertNotMatches("*foo", ".", "fooo"); + } + + @Test + public void wildcard_glob_can_match_substring() { + assertMatches("f*o", ".", "fo"); + assertMatches("f*o", ".", "foo"); + assertMatches("f*o", ".", "ffoo"); + assertNotMatches("f*o", ".", "boo"); + } + + @Test + public void wildcard_glob_does_not_cross_multiple_dot_delimiter_boundaries() { + assertMatches("*.bar.baz", ".", "foo.bar.baz"); + assertMatches("*.bar.baz", ".", ".bar.baz"); + assertNotMatches("*.bar.baz", ".", "zoid.foo.bar.baz"); + assertMatches("foo.*.baz", ".", "foo.bar.baz"); + assertNotMatches("foo.*.baz", ".", "foo.bar.zoid.baz"); + + assertPatternHasRegex("*.bar.baz", ".", "^[^\\Q.\\E]*\\Q.bar.baz\\E$"); + } + + @Test + public void single_char_glob_matches_non_dot_characters() { + assertMatches("f?o", ".", "foo"); + assertNotMatches("f?o", ".", "fooo"); + assertNotMatches("f?o", ".", "ffoo"); + assertNotMatches("f?o", ".", "f.o"); + } + + @Test + public void other_regex_meta_characters_are_matched_as_literal_characters() { + String literals = "<([{\\^-=$!|]})+.>"; + assertMatches(literals, ".", literals); + assertPatternHasRegex(literals, ".", "^\\Q<([{\\^-=$!|]})+.>\\E$"); + } + + @Test + public void handles_patterns_with_multiple_alternative_boundaries() { + assertMatches("https://*.vespa.ai/", "./", "https://docs.vespa.ai/"); + assertMatches("https://vespa.ai/*.world", "./", "https://vespa.ai/hello.world"); + assertNotMatches("https://vespa.ai/*/", "./", "https://vespa.ai/hello.world/"); + assertMatches("https://vespa.ai/*/index.html", "./", "https://vespa.ai/path/index.html"); + } + + private void assertMatches(String pattern, String boundaries, String value) { + GlobPattern p = globPattern(pattern, boundaries); + assertTrue( + p.matches(value), + () -> String.format("Expected '%s' with boundaries '%s' to match '%s'", + pattern, Arrays.toString(p.boundaries()), value)); + } + + private void assertNotMatches(String pattern, String boundaries, String value) { + GlobPattern p = globPattern(pattern, boundaries); + assertFalse( + p.matches(value), + () -> String.format("Expected '%s' with boundaries '%s' to not match '%s'", + pattern, Arrays.toString(p.boundaries()), value)); + } + + private void assertPatternHasRegex(String pattern, String boundaries, String expectedPattern) { + GlobPattern p = globPattern(pattern, boundaries); + assertEquals(expectedPattern, p.regexPattern().pattern()); + } + + private static GlobPattern globPattern(String pattern, String boundaries) { + return new GlobPattern(pattern, boundaries.toCharArray()); + } + +}
\ No newline at end of file |