Manual Backport: adding hostname support for notifications deny list
Signed-off-by: Riya Saxena <[email protected]>
toepkerd authored and riysaxen-amzn committed Aug 26, 2024
1 parent e008360 commit a4328da
Showing 14 changed files with 120 additions and 31 deletions.
Expand Up @@ -5,10 +5,12 @@

package org.opensearch.notifications.core.utils

import inet.ipaddr.HostName
import inet.ipaddr.IPAddressString
import org.apache.http.client.methods.HttpPatch
import org.apache.http.client.methods.HttpPost
import org.apache.http.client.methods.HttpPut
import org.apache.logging.log4j.LogManager
import org.opensearch.core.common.Strings
import java.net.URL

Expand Down Expand Up @@ -37,9 +39,12 @@ fun isHostInDenylist(urlString: String, hostDenyList: List<String>): Boolean {
val url = URL(urlString)
if (url.host != null) {
val ipStr = IPAddressString(url.host)
val hostStr = HostName(url.host)
for (network in hostDenyList) {
val netStr = IPAddressString(network)
if (netStr.contains(ipStr)) {
val denyIpStr = IPAddressString(network)
val denyHostStr = HostName(network)
if (denyIpStr.contains(ipStr) || denyHostStr.equals(hostStr)) {
LogManager.getLogger().error("${url.host} is denied")
return true
}
}
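Review bot: The new hostname branch in `denyIpStr.contains(ipStr) || denyHostStr.equals(hostStr)` compares only the literal host taken from the URL, and that matching rule should be documented next to the check. As written, an entry such as `www.amazon.com` does not cover subdomains, and a host name that resolves to an address inside a denied CIDR range is not caught here, because no resolution happens in the visible lines. I would add above the loop `// Host names are matched exactly against deny-list entries; no DNS resolution or subdomain matching is done here.` In Kotlin the comparison also reads more naturally as `denyHostStr == hostStr`. The body of `isHostInDenylist` starts and ends outside this hunk.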
Expand Up @@ -10,7 +10,8 @@ import org.junit.jupiter.api.Test

internal class ValidationHelpersTests {

private val hostDentyList = listOf(
private val hostDenyList = listOf(
"www.amazon.com",
"127.0.0.0/8",
"10.0.0.0/8",
"172.16.0.0/12",
Expand All @@ -20,8 +21,9 @@ internal class ValidationHelpersTests {
)

@Test
fun `test ips in denylist`() {
fun `test hosts in denylist`() {
val ips = listOf(
"www.amazon.com",
"127.0.0.1", // 127.0.0.0/8
"10.0.0.1", // 10.0.0.0/8
"10.11.12.13", // 10.0.0.0/8
Expand All @@ -31,15 +33,15 @@ internal class ValidationHelpersTests {
"9.9.9.9"
)
for (ip in ips) {
assertEquals(true, isHostInDenylist("https://$ip", hostDentyList))
assertEquals(true, isHostInDenylist("https://$ip", hostDenyList), "address $ip was supposed to be identified as in the deny list, but was not")
}
}

@Test
fun `test url in denylist`() {
val urls = listOf("https://www.amazon.com", "https://mytest.com", "https://mytest.com")
fun `test hosts not in denylist`() {
val urls = listOf("156.4.77.1", "www.something.com")
for (url in urls) {
assertEquals(false, isHostInDenylist(url, hostDentyList))
assertEquals(false, isHostInDenylist("https://$url", hostDenyList), "address $url was not supposed to be identified as in the deny list, but was")
}
}
}
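Review bot: `test hosts not in denylist` has no near-miss case for the new hostname entry, so the exact-match behaviour of the deny list is not pinned by any test. Adding hosts that differ only slightly from `www.amazon.com`, for example `"amazon.com"` and `"sub.www.amazon.com"`, to whichever of the two lists reflects the intended outcome would record whether parent domains and subdomains are meant to pass. The list in `test hosts in denylist` is still named `ips` although it now holds a host name; `hosts` would match the renamed test.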
Expand Up @@ -56,7 +56,9 @@ object ConfigIndexingActions {

@Suppress("UnusedPrivateMember")
private fun validateSlackConfig(slack: Slack, user: User?) {
// TODO: URL validation with rules
require(slack.url.contains(Regex("https://hooks\\.(?:gov-)?slack\\.com/services"))) {
"Wrong Slack url. Should contain \"hooks.slack.com/services/\" or \"hooks.gov-slack.com/services/\""
}
}

@Suppress("UnusedPrivateMember")
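Review bot: The check in `validateSlackConfig` uses `contains` with an unanchored pattern, so it accepts any string that has `https://hooks.slack.com/services` somewhere inside it, including in the path or query of a URL on a different host. Matching the whole value closes that gap: `require(Regex("https://hooks\\.(?:gov-)?slack\\.com/services/.+").matches(slack.url))`, which also enforces the trailing slash that the error message already promises. The new cases in `test validate slack` and `test create config with wrong Slack url and get error text` reject only wrong schemes, hosts and paths, so none of them would catch this; a case with the Slack prefix embedded in another URL should be added. The `Regex` is also rebuilt on every call and could be a private constant.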
Expand Up @@ -116,7 +116,7 @@ fun getCreateNotificationRequestJsonString(
.joinToString("")
val configObjectString = when (configType) {
ConfigType.SLACK -> """
"slack":{"url":"https://slack.domain.com/sample_slack_url#$randomString"}
"slack":{"url":"https://hooks.slack.com/services/sample_slack_url#$randomString"}
""".trimIndent()
ConfigType.CHIME -> """
"chime":{"url":"https://chime.domain.com/sample_chime_url#$randomString"}
Expand Up @@ -53,7 +53,7 @@ class SecurityNotificationIT : PluginRestTestCase() {
createUserWithCustomRole(user, password, NOTIFICATION_CREATE_CONFIG_ACCESS, "", ROLE_TO_PERMISSION_MAPPING[NOTIFICATION_CREATE_CONFIG_ACCESS])

// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -96,7 +96,7 @@ class SecurityNotificationIT : PluginRestTestCase() {
createUserWithCustomRole(user, password, NOTIFICATION_NO_ACCESS_ROLE, "", ROLE_TO_PERMISSION_MAPPING[NOTIFICATION_NO_ACCESS_ROLE])

// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -132,7 +132,7 @@ class SecurityNotificationIT : PluginRestTestCase() {
createUserWithCustomRole(user, password, NOTIFICATION_UPDATE_CONFIG_ACCESS, "", ROLE_TO_PERMISSION_MAPPING[NOTIFICATION_UPDATE_CONFIG_ACCESS])

// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -209,7 +209,7 @@ class SecurityNotificationIT : PluginRestTestCase() {
createUserWithCustomRole(user, password, NOTIFICATION_NO_ACCESS_ROLE, "", ROLE_TO_PERMISSION_MAPPING[NOTIFICATION_NO_ACCESS_ROLE])

// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -245,7 +245,7 @@ class SecurityNotificationIT : PluginRestTestCase() {
createUserWithCustomRole(user, password, NOTIFICATION_GET_CONFIG_ACCESS, "", ROLE_TO_PERMISSION_MAPPING[NOTIFICATION_GET_CONFIG_ACCESS])

// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -301,7 +301,7 @@ class SecurityNotificationIT : PluginRestTestCase() {
createUserWithCustomRole(user, password, NOTIFICATION_DELETE_CONFIG_ACCESS, "", ROLE_TO_PERMISSION_MAPPING[NOTIFICATION_DELETE_CONFIG_ACCESS])

// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Up @@ -103,7 +103,7 @@ class NotificationsBackwardsCompatibilityIT : PluginRestTestCase() {
"description": "This is a sample config description $configId",
"config_type": "slack",
"is_enabled": true,
"slack": { "url": "https://slack.domain.com/sample_slack_url#$configId" }
"slack": { "url": "https://hooks.slack.com/services/sample_slack_url#$configId" }
}
}
""".trimIndent()
Expand Up @@ -142,7 +142,7 @@ class ChimeNotificationConfigCrudIT : PluginRestTestCase() {
"description":"${referenceObject.description}",
"config_type":"chime",
"is_enabled":${referenceObject.isEnabled},
"slack":{"url":"https://dummy.com"}
"slack":{"url":"https://hooks.slack.com/services/sample_slack_url"}
"chime":{"url":"${(referenceObject.configData as Chime).url}"}
}
}
Expand Down Expand Up @@ -190,7 +190,7 @@ class ChimeNotificationConfigCrudIT : PluginRestTestCase() {
"description":"this is a updated config description",
"config_type":"slack",
"is_enabled":"true",
"slack":{"url":"https://updated.domain.com/updated_slack_url#0987654321"}
"slack":{"url":"https://hooks.slack.com/services/sample_slack_url"}
}
}
""".trimIndent()
Expand Up @@ -27,7 +27,7 @@ class CreateNotificationConfigIT : PluginRestTestCase() {

fun `test Create slack notification config`() {
// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Up @@ -908,7 +908,7 @@ class EmailNotificationConfigCrudIT : PluginRestTestCase() {
"description":"${smtpAccountConfig.description}",
"config_type":"smtp_account",
"is_enabled":${smtpAccountConfig.isEnabled},
"slack": {"url": "https://dummy.com"},
"slack": {"url": "https://hooks.slack.com/services/sample_slack_url"},
"smtp_account":{
"host":"${sampleSmtpAccount.host}",
"port":"${sampleSmtpAccount.port}",
Expand Down Expand Up @@ -949,7 +949,7 @@ class EmailNotificationConfigCrudIT : PluginRestTestCase() {
"description":"${emailConfig.description}",
"config_type":"email",
"is_enabled":${emailConfig.isEnabled},
"slack":{"url": "https://dummy.com"},
"slack":{"url": "https://hooks.slack.com/services/sample_slack_url"},
"email":{
"email_account_id":"${sampleEmail.emailAccountID}",
"default_recipients":[
Expand Up @@ -627,7 +627,7 @@ class QueryNotificationConfigIT : PluginRestTestCase() {
val urlIds = setOf(slackId, chimeId, microsoftTeamsId, webhookId)
val recipientIds = setOf(emailGroupId)
val fromIds = setOf(emailGroupId, smtpAccountId)
val domainIds = setOf(slackId, chimeId, microsoftTeamsId, webhookId, smtpAccountId)
val domainIds = setOf(chimeId, microsoftTeamsId, webhookId, smtpAccountId)
Thread.sleep(1000)

// Get notification configs using query=slack
Expand Down Expand Up @@ -702,7 +702,7 @@ class QueryNotificationConfigIT : PluginRestTestCase() {
val urlIds = setOf(slackId, chimeId, microsoftTeamsId, webhookId)
val recipientIds = setOf(emailGroupId)
val fromIds = setOf(emailGroupId, smtpAccountId)
val domainIds = setOf(slackId, chimeId, microsoftTeamsId, webhookId, smtpAccountId)
val domainIds = setOf(chimeId, microsoftTeamsId, webhookId, smtpAccountId)
Thread.sleep(1000)

// Get notification configs using text_query=slack should not return any item
Expand Up @@ -6,11 +6,16 @@
package org.opensearch.integtest.config

import org.junit.Assert
import org.opensearch.client.Request
import org.opensearch.client.RequestOptions
import org.opensearch.client.ResponseException
import org.opensearch.commons.notifications.model.ConfigType
import org.opensearch.commons.notifications.model.NotificationConfig
import org.opensearch.commons.notifications.model.Slack
import org.opensearch.core.rest.RestStatus
import org.opensearch.integtest.PluginRestTestCase
import org.opensearch.integtest.getResponseBody
import org.opensearch.integtest.jsonify
import org.opensearch.notifications.NotificationPlugin.Companion.PLUGIN_BASE_URI
import org.opensearch.notifications.verifySingleConfigEquals
import org.opensearch.rest.RestRequest
Expand All @@ -19,7 +24,7 @@ class SlackNotificationConfigCrudIT : PluginRestTestCase() {

fun `test Create, Get, Update, Delete slack notification config using REST client`() {
// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -67,7 +72,7 @@ class SlackNotificationConfigCrudIT : PluginRestTestCase() {
Thread.sleep(100)

// Updated notification config object
val updatedSlack = Slack("https://updated.domain.com/updated_slack_url#0987654321")
val updatedSlack = Slack("https://hooks.slack.com/services/updated_slack_url")
val updatedObject = NotificationConfig(
"this is a updated config name",
"this is a updated config description",
Expand Down Expand Up @@ -126,7 +131,7 @@ class SlackNotificationConfigCrudIT : PluginRestTestCase() {

fun `test Bad Request for multiple config data for Slack using REST Client`() {
// Create sample config request reference
val sampleSlack = Slack("https://domain.com/sample_slack_url#1234567890")
val sampleSlack = Slack("https://hooks.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
Expand Down Expand Up @@ -155,4 +160,40 @@ class SlackNotificationConfigCrudIT : PluginRestTestCase() {
RestStatus.BAD_REQUEST.status
)
}

fun `test create config with wrong Slack url and get error text`() {
val sampleSlack = Slack("https://webhook.slack.com/services/sample_slack_url")
val referenceObject = NotificationConfig(
"this is a sample config name",
"this is a sample config description",
ConfigType.SLACK,
isEnabled = true,
configData = sampleSlack
)
val createRequestJsonString = """
{
"config":{
"name":"${referenceObject.name}",
"description":"${referenceObject.description}",
"config_type":"slack",
"is_enabled":${referenceObject.isEnabled},
"slack":{"url":"${(referenceObject.configData as Slack).url}"}
}
}
""".trimIndent()
val response = try {
val request = Request(RestRequest.Method.POST.name, "$PLUGIN_BASE_URI/configs")
request.setJsonEntity(createRequestJsonString)
val restOptionsBuilder = RequestOptions.DEFAULT.toBuilder()
restOptionsBuilder.addHeader("Content-Type", "application/json")
request.setOptions(restOptionsBuilder)
client().performRequest(request)
fail("Expected wrong Slack URL.")
} catch (exception: ResponseException) {
Assert.assertEquals(
"Wrong Slack url. Should contain \"hooks.slack.com/services/\" or \"hooks.gov-slack.com/services/\"",
jsonify(getResponseBody(exception.response))["error"].asJsonObject["reason"].asString
)
}
}
}
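Review bot: The new test `test create config with wrong Slack url and get error text` asserts only the error reason, not the HTTP status, so a change that returned the same text with a different status would still pass. Inside the `catch` block I would add `Assert.assertEquals(RestStatus.BAD_REQUEST.status, exception.response.statusLine.statusCode)`, assuming the rejection is meant to surface as a 400 like in the preceding test; `RestStatus` is already imported in this file. The `val response =` binding in front of `try` is never read and can be dropped.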
Expand Up @@ -159,7 +159,7 @@ class WebhookNotificationConfigCrudIT : PluginRestTestCase() {
"description":"${referenceObject.description}",
"config_type":"webhook",
"is_enabled":${referenceObject.isEnabled},
"slack":{"url":"https://dummy.com"}
"slack":{"url":"https://hooks.slack.com/services/sample_slack_url"}
"webhook":{"url":"${(referenceObject.configData as Webhook).url}"}
}
}
Expand Up @@ -8,6 +8,7 @@ import org.junit.jupiter.api.BeforeAll
import org.junit.jupiter.api.Test
import org.opensearch.commons.authuser.User
import org.opensearch.commons.notifications.model.MicrosoftTeams
import org.opensearch.commons.notifications.model.Slack
import java.lang.reflect.Method
import kotlin.test.assertFails

Expand All @@ -28,8 +29,42 @@ class ConfigIndexingActionsTests {
assertFails { validateMicrosoftTeamsConfig.invoke(ConfigIndexingActions, microsoftTeams, user) }
}

@Test
fun `test validate slack`() {
val user = User()
var slack = Slack("https://hooks.slack.com/services/123456789/123456789/123456789")
validateSlackConfig.invoke(ConfigIndexingActions, slack, user)
slack = Slack("https://hooks.gov-slack.com/services/123456789/123456789/123456789")
validateSlackConfig.invoke(ConfigIndexingActions, slack, user)
slack = Slack("https://hooks.slack.com/services/samplesamplesamplesamplesamplesamplesamplesamplesample")
validateSlackConfig.invoke(ConfigIndexingActions, slack, user)
slack = Slack("https://hooks.gov-slack.com/services/samplesamplesamplesamplesamplesamplesamplesamplesample")
validateSlackConfig.invoke(ConfigIndexingActions, slack, user)
slack = Slack("http://hooks.slack.com/services/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("http://hooks.gov-slack.com/services/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://slack.com/services/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://gov-slack.com/services/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://hooks.slack.com/123456789/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://hooks.gov-slack.com/123456789/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://hook.slack.com/services/123456789/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://hook.gov-slack.com/services/123456789/123456789/123456789/123456789/123456789")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://hooks.slack.com/")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
slack = Slack("https://hooks.gov-slack.com/")
assertFails { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }
}

companion object {
private lateinit var validateMicrosoftTeamsConfig: Method
private lateinit var validateSlackConfig: Method

@BeforeAll
@JvmStatic
Expand All @@ -38,8 +73,12 @@ class ConfigIndexingActionsTests {
validateMicrosoftTeamsConfig = ConfigIndexingActions::class.java.getDeclaredMethod(
"validateMicrosoftTeamsConfig", MicrosoftTeams::class.java, User::class.java
)
validateSlackConfig = ConfigIndexingActions::class.java.getDeclaredMethod(
"validateSlackConfig", Slack::class.java, User::class.java
)

validateMicrosoftTeamsConfig.isAccessible = true
validateSlackConfig.isAccessible = true
}
}
}
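Review bot: The rejected cases in `test validate slack` wrap a reflective `invoke` in `assertFails`, which passes on any throwable, including a reflection error unrelated to the URL check. Since `Method.invoke` wraps the callee's exception, the assertions can be tightened to `val e = assertFailsWith<InvocationTargetException> { validateSlackConfig.invoke(ConfigIndexingActions, slack, user) }` followed by `assertTrue(e.cause is IllegalArgumentException)`; both need imports that are not among the visible lines. Putting the accepted and rejected URLs in two lists and looping over them would also remove the repeated reassignment of `var slack`.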