RANGER-5534: added validation logic for username and groupname for usersync process

ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java

@@ -200,6 +200,16 @@ public class UserGroupSyncConfig {
     private static final String SSL_KEYSTORE_PATH_PASSWORD_ALIAS   = "usersync.ssl.key.password";
     private static final String SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.truststore.password";
 
+    private static final String UGSYNC_USERNAME_VALIDATION_REGEX_PROPERTY_NAME = "ranger.usersync.username.validation.regEx";
+    private static final String UGSYNC_GROUPNAME_VALIDATION_REGEX_PROPERTY_NAME = "ranger.usersync.groupname.validation.regEx";
+    private static final String UGSYNC_USERNAME_VALIDATE_PROPERTY_NAME = "ranger.usersync.username.validation.enabled";
+    private static final String UGSYNC_GROUPNAME_VALIDATE_PROPERTY_NAME = "ranger.usersync.groupname.validation.enabled";
+
+    private static final String DEFAULT_REGEX_USERNAME_VALIDATOR = "^[\\p{L}\\p{Mn}\\p{Nd}\\._-]{3,64}$" ;
+    private static final String DEFAULT_REGEX_GROUPNAME_VALIDATOR = "^[\\p{L}\\p{N}._\\-\\s]{1,256}$"    ;
+    private static final boolean DEFAULT_USERNAME_VALIDATE_ENABLED = true ;
+    private static final boolean DEFAULT_GROUPNAME_VALIDATE_ENABLED = true ;
+
     private static volatile UserGroupSyncConfig me;
     private final           Properties          prop = new Properties();
     private                 Configuration       userGroupConfig;
@@ -1438,4 +1448,29 @@ private int getIntProperty(Properties prop, String key, int defaultValue) {
 
         return ret;
     }
+
+    public boolean isUserNameValidateEnabled() {
+        boolean ret = DEFAULT_USERNAME_VALIDATE_ENABLED ;
+         String validate = prop.getProperty(UGSYNC_USERNAME_VALIDATE_PROPERTY_NAME) ;
+         if (validate != null) {
+             ret = Boolean.parseBoolean(validate);
+         }
+         return ret;
+    }
+    public boolean isGroupNameValidateEnabled() {
+        boolean ret = DEFAULT_GROUPNAME_VALIDATE_ENABLED ;
+         String validate = prop.getProperty(UGSYNC_GROUPNAME_VALIDATE_PROPERTY_NAME) ;
+         if (validate != null) {
+             ret = Boolean.parseBoolean(validate);
+         }
+         return ret;
+    }
+
+    public String getUserNameValidateRegEx() {
+        return prop.getProperty(UGSYNC_USERNAME_VALIDATION_REGEX_PROPERTY_NAME,DEFAULT_REGEX_USERNAME_VALIDATOR) ;
+    }
+
+    public String getGroupNameValidateRegEx() {
+        return prop.getProperty(UGSYNC_GROUPNAME_VALIDATION_REGEX_PROPERTY_NAME,DEFAULT_REGEX_GROUPNAME_VALIDATOR) ;
+    }
 }

ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java

@@ -85,6 +85,10 @@ public class UnixUserGroupBuilder implements UserGroupSource {
     private UnixSyncSourceInfo               unixSyncSourceInfo;
     private boolean                          isStartupFlag;
     private boolean                          computeDeletes;
+    private String                           regExUserNameValidator;
+    private String                           regExGroupNameValidator;
+    private boolean                          validateUserName;
+    private boolean                          validateGroupName;
 
     Set<String> allGroups = new HashSet<>();
 
@@ -96,6 +100,11 @@ public UnixUserGroupBuilder() {
         unixGroupFile         = config.getUnixGroupFile();
         timeout               = config.getUpdateMillisMin();
         enumerateGroupMembers = config.isGroupEnumerateEnabled();
+        validateUserName        = config.isUserNameValidateEnabled(); ;
+        validateGroupName       = config.isGroupNameValidateEnabled() ;
+        regExUserNameValidator  = config.getUserNameValidateRegEx() ;
+        regExGroupNameValidator = config.getGroupNameValidateRegEx(); ;
+
 
         LOG.debug("Minimum UserId: {}, minimum GroupId: {}", minimumUserId, minimumGroupId);
     }
@@ -330,6 +339,13 @@ private void buildUnixUserList(String command) throws Throwable {
                     continue;
                 }
 
+                if (validateUserName) {
+                    if (!isValidUserName(userName)) {
+                        LOG.warn("Ignoring Unix Username: [{}]: failed to confirm to validation-pattern: [{}]", userName, regExUserNameValidator);
+                        continue;
+                    }
+                }
+
                 int numUserId;
 
                 try {
@@ -459,6 +475,13 @@ private void parseMembers(String line) {
             return;
         }
 
+        if (validateGroupName) {
+            if (!isValidGroupName(groupName)) {
+                LOG.warn("Ignoring Unix GroupName: [{}]: failed to confirm to validation-pattern: [{}]", groupName, regExGroupNameValidator);
+                return;
+            }
+        }
+
         groupId2groupNameMap.put(groupId, groupName);
 
         Map<String, String> groupAttrMap = new HashMap<>();
@@ -528,13 +551,13 @@ private void buildUnixGroupList(String allGroupsCmd, String groupCmd, boolean us
 
                 String command;
 
-                if (useGid) {
+                if (useGid) { //Linux will use this section of code
                     command = String.format(groupCmd, group.getKey());
-                } else {
+                } else { // Mac will use this section of code
                     command = String.format(groupCmd, group.getValue());
                 }
 
-                String[] cmd = new String[] {"bash", "-c", command + " " + group.getKey()};
+                String[] cmd = new String[] {"bash", "-c", command };
 
                 if (LOG.isDebugEnabled()) {
                     LOG.debug("Executing: {}", Arrays.toString(cmd));
@@ -592,4 +615,11 @@ private void buildUnixGroupList(String allGroupsCmd, String groupCmd, boolean us
             LOG.debug("Done adding extra groups");
         }
     }
+    private boolean isValidUserName(String aUserName) {
+        return (aUserName != null && aUserName.matches(regExUserNameValidator)) ;
+    }
+
+    private boolean isValidGroupName(String aGroupName) {
+        return (aGroupName != null && aGroupName.matches(regExGroupNameValidator)) ;
+    }
 }

unixauthservice/conf.dist/ranger-ugsync-default.xml

@@ -73,4 +73,22 @@
 		<name>ranger.usersync.dest.ranger.session.cookie.name</name>
 		<value>RANGERADMINSESSIONID</value>
 	</property>
+	<property>
+		<name>ranger.usersync.username.validation.enabled</name>
+		<value>true</value>
+	</property>
+	<property>
+		<name>ranger.usersync.username.validation.regEx</name>
+		<!-- <value>^[a-z_][a-z0-9_-]{0,31}$</value> -->
+		<values>^[\p{L}\p{Mn}\p{Nd}\._-]{3,64}$</values>
+	</property>
+	<property>
+		<name>ranger.usersync.groupname.validation.enabled</name>
+		<value>true</value>
+	</property>
+	<property>
+		<name>ranger.usersync.groupname.validation.regEx</name>
+		<!-- <value>^[a-z][a-z0-9-]{0,30}$</value> -->
+		<value>^[\p{L}\p{N}._\-\s]{1,256}$</value>
+	</property>
 </configuration>