[BackPort]: CVE Fixes from Upstream

distribution/bin/check-licenses.py

@@ -202,8 +202,19 @@ def set_attr(self, data):
 
     def set_license(self, data):
         if data.upper().find("GPL") < 0:
-            if self.license != 'Apache License version 2.0':
-                self.license = self.compatible_license_names[data]
+            # Check if the license assosciated with the component is acccepted
+            # set_license() will pick the first acceptable license
+            # this fixes issue where a multi-licensed component
+            # could override accepted license with not accepted one
+            # e.g., EPL / GPL for logback-core
+            if self.license not in self.compatible_license_names:
+                try:
+                    self.license = self.compatible_license_names[data]
+                except KeyError:
+                    print("Unsupported license: " + data)
+                    print("For:" +  self.group_id + " "  + self.artifact_id + " in: "+ self.druid_module_name)
+            else:
+                print(self.group_id + " "  + self.artifact_id + " in: " + self.druid_module_name + " with: " + self.license + " ignoring " + data)
 
 
 def print_log_to_stderr(string):
@@ -289,6 +300,7 @@ def build_compatible_license_names():
 
     compatible_licenses['Creative Commons CC0'] = 'Creative Commons CC0'
     compatible_licenses['CC0'] = 'Creative Commons CC0'
+    compatible_licenses['Public Domain, per Creative Commons CC0'] = 'Creative Commons CC0'
 
     compatible_licenses['The MIT License'] = 'MIT License'
     compatible_licenses['MIT License'] = 'MIT License'

docs/development/extensions-core/druid-ranger-security.md

@@ -21,24 +21,21 @@ title: "Apache Ranger Security"
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-  
+
 This Apache Druid extension adds an Authorizer which implements access control for Druid, backed by [Apache Ranger](https://ranger.apache.org/). Please see [Authentication and Authorization](../../operations/auth.md) for more information on the basic facilities this extension provides.
 
 Make sure to [include](../../configuration/extensions.md#loading-extensions) `druid-ranger-security` in the extensions load list.
 
-:::info
- The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that, it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not required.
-:::
 
 ## Configuration
 
-Support for Apache Ranger authorization consists of three elements: 
+Support for Apache Ranger authorization consists of three elements:
 * configuring the extension in Apache Druid
 * configuring the connection to Apache Ranger
 * providing the service definition for Druid to Apache Ranger
- 
+
 ### Enabling the extension
-Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you will give the authorizer, e.g. `ranger`. 
+Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you will give the authorizer, e.g. `ranger`.
 
 Then add the following and amend to your needs (in case you need to use multiple authorizers):
 

extensions-contrib/cassandra-storage/pom.xml

@@ -33,6 +33,21 @@
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- snakeyaml explicitly pinned to version 1.33 as it is
+            a transitive dependency of:
+            com.netflix.astyanax:astyanax:jar -> g.apache.cassandra:cassandra-all:jar
+            please remove this pin after the update of astyanax, see comment below
+             -->
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>1.33</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.apache.druid</groupId>

extensions-contrib/kubernetes-overlord-extensions/pom.xml

@@ -34,6 +34,18 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
+  <dependencyManagement>
+      <dependencies>
+            <!-- snakeyaml explicitly pinned to version 1.33 as it is
+             a transitive dependency of com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.7
+             please remove this pin, after updating jackson-dataform-yaml to version > 2.14.3  / 2.15.0 -->
+          <dependency>
+              <groupId>org.yaml</groupId>
+              <artifactId>snakeyaml</artifactId>
+              <version>1.33</version>
+          </dependency>
+      </dependencies>
+  </dependencyManagement>
 
   <dependencies>
     <dependency>

extensions-core/avro-extensions/pom.xml

@@ -35,7 +35,6 @@
 
   <properties>
     <schemarepo.version>0.1.3</schemarepo.version>
-    <confluent.version>5.5.12</confluent.version>
   </properties>
 
   <repositories>

extensions-core/druid-pac4j/pom.xml

@@ -34,7 +34,7 @@
   </parent>
 
   <properties>
-    <pac4j.version>3.8.3</pac4j.version>
+    <pac4j.version>4.5.7</pac4j.version>
 
     <!-- Following must be updated along with any updates to pac4j version -->
     <nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>

extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java

@@ -23,14 +23,15 @@
 import org.apache.druid.server.security.AuthConfig;
 import org.apache.druid.server.security.AuthenticationResult;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.context.J2EContext;
+import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.engine.CallbackLogic;
 import org.pac4j.core.engine.DefaultCallbackLogic;
 import org.pac4j.core.engine.DefaultSecurityLogic;
 import org.pac4j.core.engine.SecurityLogic;
+import org.pac4j.core.exception.http.HttpAction;
 import org.pac4j.core.http.adapter.HttpActionAdapter;
-import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.UserProfile;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -47,12 +48,12 @@ public class Pac4jFilter implements Filter
 {
   private static final Logger LOGGER = new Logger(Pac4jFilter.class);
 
-  private static final HttpActionAdapter<String, J2EContext> NOOP_HTTP_ACTION_ADAPTER = (int code, J2EContext ctx) -> null;
+  private static final HttpActionAdapter<String, JEEContext> NOOP_HTTP_ACTION_ADAPTER = (HttpAction code, JEEContext ctx) -> null;
 
   private final Config pac4jConfig;
-  private final SecurityLogic<String, J2EContext> securityLogic;
-  private final CallbackLogic<String, J2EContext> callbackLogic;
-  private final SessionStore<J2EContext> sessionStore;
+  private final SecurityLogic<String, JEEContext> securityLogic;
+  private final CallbackLogic<String, JEEContext> callbackLogic;
+  private final SessionStore<JEEContext> sessionStore;
 
   private final String name;
   private final String authorizerName;
@@ -88,7 +89,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
     HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
     HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-    J2EContext context = new J2EContext(httpServletRequest, httpServletResponse, sessionStore);
+    JEEContext context = new JEEContext(httpServletRequest, httpServletResponse, sessionStore);
 
     if (Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())) {
       callbackLogic.perform(
@@ -101,7 +102,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
       String uid = securityLogic.perform(
           context,
           pac4jConfig,
-          (J2EContext ctx, Collection<CommonProfile> profiles, Object... parameters) -> {
+          (JEEContext ctx, Collection<UserProfile> profiles, Object... parameters) -> {
             if (profiles.isEmpty()) {
               LOGGER.warn("No profiles found after OIDC auth.");
               return null;

extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java

@@ -25,19 +25,20 @@
 import org.apache.druid.java.util.common.logger.Logger;
 import org.pac4j.core.context.ContextHelper;
 import org.pac4j.core.context.Cookie;
-import org.pac4j.core.context.Pac4jConstants;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.profile.CommonProfile;
 import org.pac4j.core.util.JavaSerializationHelper;
+import org.pac4j.core.util.Pac4jConstants;
 
 import javax.annotation.Nullable;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.Serializable;
 import java.util.Map;
+import java.util.Optional;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 
@@ -78,15 +79,15 @@ public String getOrCreateSessionId(WebContext context)
 
   @Nullable
   @Override
-  public Object get(WebContext context, String key)
+  public Optional<Object> get(WebContext context, String key)
   {
     final Cookie cookie = ContextHelper.getCookie(context, PAC4J_SESSION_PREFIX + key);
     Object value = null;
     if (cookie != null) {
       value = uncompressDecryptBase64(cookie.getValue());
     }
     LOGGER.debug("Get from session: [%s] = [%s]", key, value);
-    return value;
+    return Optional.ofNullable(value);
   }
 
   @Override
@@ -142,7 +143,7 @@ private Serializable uncompressDecryptBase64(final String v)
     if (v != null && !v.isEmpty()) {
       byte[] bytes = StringUtils.decodeBase64String(v);
       if (bytes != null) {
-        return javaSerializationHelper.unserializeFromBytes(unCompress(cryptoService.decrypt(bytes)));
+        return javaSerializationHelper.deserializeFromBytes(unCompress(cryptoService.decrypt(bytes)));
       }
     }
     return null;
@@ -176,19 +177,19 @@ private Object clearUserProfile(final Object value)
   {
     if (value instanceof Map<?, ?>) {
       final Map<String, CommonProfile> profiles = (Map<String, CommonProfile>) value;
-      profiles.forEach((name, profile) -> profile.clearSensitiveData());
+      profiles.forEach((name, profile) -> profile.removeLoginData());
       return profiles;
     } else {
       final CommonProfile profile = (CommonProfile) value;
-      profile.clearSensitiveData();
+      profile.removeLoginData();
       return profile;
     }
   }
 
   @Override
-  public SessionStore buildFromTrackableSession(WebContext arg0, Object arg1)
+  public Optional<SessionStore<T>> buildFromTrackableSession(WebContext arg0, Object arg1)
   {
-    return null;
+    return Optional.empty();
   }
 
   @Override
@@ -198,9 +199,9 @@ public boolean destroySession(WebContext arg0)
   }
 
   @Override
-  public Object getTrackableSession(WebContext arg0)
+  public Optional getTrackableSession(WebContext arg0)
   {
-    return null;
+    return Optional.empty();
   }
 
   @Override

extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java

@@ -25,15 +25,23 @@
 import org.junit.Test;
 import org.pac4j.core.context.Cookie;
 import org.pac4j.core.context.WebContext;
+import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.definition.CommonProfileDefinition;
 
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
 
 public class Pac4jSessionStoreTest
 {
+  private static final String COOKIE_PASSPHRASE = "test-cookie-passphrase";
+
   @Test
   public void testSetAndGet()
   {
-    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore("test-cookie-passphrase");
+    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE);
 
     WebContext webContext1 = EasyMock.mock(WebContext.class);
     EasyMock.expect(webContext1.getScheme()).andReturn("https");
@@ -54,7 +62,73 @@ public void testSetAndGet()
     WebContext webContext2 = EasyMock.mock(WebContext.class);
     EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie));
     EasyMock.replay(webContext2);
+    Assert.assertEquals("value", Objects.requireNonNull(sessionStore.get(webContext2, "key")).orElse(null));
+  }
+
+  @Test
+  public void testSetAndGetClearUserProfile()
+  {
+    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE);
+
+    WebContext webContext1 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext1.getScheme()).andReturn("https");
+    Capture<Cookie> cookieCapture = EasyMock.newCapture();
+
+    webContext1.addResponseCookie(EasyMock.capture(cookieCapture));
+    EasyMock.replay(webContext1);
+
+    CommonProfile profile = new CommonProfile();
+    profile.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name");
+    sessionStore.set(webContext1, "pac4jUserProfiles", profile);
+
+    Cookie cookie = cookieCapture.getValue();
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertTrue(cookie.isHttpOnly());
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertEquals(900, cookie.getMaxAge());
+
+
+    WebContext webContext2 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie));
+    EasyMock.replay(webContext2);
+    Optional<Object> value = sessionStore.get(webContext2, "pac4jUserProfiles");
+    Assert.assertTrue(Objects.requireNonNull(value).isPresent());
+    Assert.assertEquals("name", ((CommonProfile) value.get()).getAttribute(CommonProfileDefinition.DISPLAY_NAME));
+  }
+
+  @Test
+  public void testSetAndGetClearUserMultipleProfile()
+  {
+    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE);
+
+    WebContext webContext1 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext1.getScheme()).andReturn("https");
+    Capture<Cookie> cookieCapture = EasyMock.newCapture();
+
+    webContext1.addResponseCookie(EasyMock.capture(cookieCapture));
+    EasyMock.replay(webContext1);
 
-    Assert.assertEquals("value", sessionStore.get(webContext2, "key"));
+    CommonProfile profile1 = new CommonProfile();
+    profile1.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name1");
+    CommonProfile profile2 = new CommonProfile();
+    profile2.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name2");
+    Map<String, CommonProfile> profiles = new HashMap<>();
+    profiles.put("profile1", profile1);
+    profiles.put("profile2", profile2);
+    sessionStore.set(webContext1, "pac4jUserProfiles", profiles);
+
+    Cookie cookie = cookieCapture.getValue();
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertTrue(cookie.isHttpOnly());
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertEquals(900, cookie.getMaxAge());
+
+
+    WebContext webContext2 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie));
+    EasyMock.replay(webContext2);
+    Optional<Object> value = sessionStore.get(webContext2, "pac4jUserProfiles");
+    Assert.assertTrue(Objects.requireNonNull(value).isPresent());
+    Assert.assertEquals(2, ((Map<String, CommonProfile>) value.get()).size());
   }
 }