From f4edfe3692ad1f81c30d1f502cdfd2199362784e Mon Sep 17 00:00:00 2001 From: vaughn Date: Sat, 9 Mar 2024 21:04:30 +0800 Subject: [PATCH] fix(auth): enhance the URL check (#2422) Co-authored-by: imbajin --- .github/PULL_REQUEST_TEMPLATE.md | 5 +++-- .github/workflows/ci.yml | 1 + hugegraph-server/hugegraph-api/pom.xml | 6 +++++ .../api/filter/AuthenticationFilter.java | 7 +++--- .../scripts/dependency/known-dependencies.txt | 22 ++++++++++++++----- .../regenerate_known_dependencies.sh | 4 ++-- 6 files changed, 32 insertions(+), 13 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 356c8341d9..c71e5e4a6a 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -51,11 +51,12 @@ For example: -- [ ] Nope -- [ ] Dependencies (add/update license info) +- [ ] Dependencies ([add/update license](https://hugegraph.apache.org/docs/contribution-guidelines/contribute/#321-check-licenses) info & [regenerate_dependencies](../hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh)) - [ ] Modify configurations - [ ] The public API - [ ] Other affects (typed here) +- [ ] Nope + ## Documentation Status diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bae3434171..ece52b8577 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,7 @@ on: jobs: build: + # TODO: we need test & replace it to ubuntu-24.04 or ubuntu-latest runs-on: ubuntu-20.04 env: USE_STAGE: 'false' # Whether to include the stage repository. diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index ce18f8d35c..e13849d93a 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml @@ -164,6 +164,12 @@ arthas-packaging ${arthas.version} + + org.gridkit.jvmtool + sjk-core + 0.22 + compile + 
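Review bot: Pulling `org.gridkit.jvmtool:sjk-core:0.22` into hugegraph-api at `compile` scope just to reach a path matcher puts a JVM diagnostics toolkit on the server's classpath, and the known-dependencies hunk in this same patch shows the cost: the distribution now carries both `sjk-core-0.14.jar` and `sjk-core-0.22.jar` (likewise sjk-cli/json/stacktrace), plus `sjk-agent`, `sjk-hflame`, `sjk-jfr*` and `sjk-nps` that the server has no use for. The class being imported sits in that tool's CLI command package (`org.gridkit.jvmtool.cmd`), which carries no API-stability promise for something that now gates authentication. The XML tags of this hunk appear stripped in this rendering, so I am judging only from the visible coordinates. Prefer a project-local matcher (a precompiled `java.util.regex.Pattern` or a per-segment compare) and drop the dependency; if it must stay, align it with the sjk version the project already ships through a shared `${sjk.version}` property and exclude the transitive jars the server does not need.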
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java
index fffe5ef9e5..8505d435dd 100644
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java
+++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java
@@ -41,6 +41,7 @@
 import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
 import org.glassfish.grizzly.http.server.Request;
 import org.glassfish.grizzly.utils.Charsets;
+import org.gridkit.jvmtool.cmd.AntPathMatcher;
 import org.slf4j.Logger;
 
 import com.alipay.remoting.util.StringUtils;
@@ -71,10 +72,11 @@ public class AuthenticationFilter implements ContainerRequestFilter {
     private static final Logger LOG = Log.logger(AuthenticationFilter.class);
 
     private static final List WHITE_API_LIST = ImmutableList.of(
-            "auth/login",
+            "graphs/*/auth/login",
             "versions",
             "openapi.json"
     );
+    private static final AntPathMatcher MATCHER = new AntPathMatcher();
 
     private static String whiteIpStatus;
 
@@ -314,9 +316,8 @@ public boolean equals(Object obj) {
 
     public static boolean isWhiteAPI(ContainerRequestContext context) {
         String path = context.getUriInfo().getPath();
-
         for (String whiteApi : WHITE_API_LIST) {
-            if (path.endsWith(whiteApi)) {
+            if (MATCHER.match(whiteApi, path)) {
                 return true;
             }
         }
diff --git a/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt b/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt
index 7cf6d2404e..f593d8d96f 100644
--- a/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt
+++ b/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt
@@ -1,5 +1,3 @@
-HdrHistogram-2.1.9.jar
-ST4-4.0.8.jar
 accessors-smart-1.2.jar
 airline-0.8.jar
 animal-sniffer-annotations-1.19.jar
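Review bot: The new `"graphs/*/auth/login"` entry silently changes what the list means — these are now Ant-style patterns matched against the whole of `UriInfo.getPath()` (relative, no leading slash), and `"versions"` / `"openapi.json"` become exact matches where they used to be suffix matches — but nothing on `WHITE_API_LIST` says so, and `MATCHER` is declared a few lines away with no hint that it is part of the authentication boundary. Add a comment above the list such as `// Ant-style patterns matched against the full request path (UriInfo.getPath(), no leading "/"); "*" covers exactly one path segment. Any path that merely ends in one of these must NOT be whitelisted.`, and a one-liner on `MATCHER` noting it is the authentication allow-list matcher. If any client relied on the old suffix semantics for `versions` or `openapi.json`, that is a behaviour change worth stating in the PR description.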
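Review bot: `if (MATCHER.match(whiteApi, path))` makes the login allow-list depend on two properties of the third-party `AntPathMatcher` that the hunk neither states nor tests: that `*` stops at `/` and that the match is anchored at both ends. If either does not hold for this implementation, any request whose path ends in `auth/login` is unauthenticated again, which is exactly the `endsWith` hole this commit closes. Add a unit test asserting that `graphs/hugegraph/auth/login` is whitelisted while `graphs/a/b/auth/login`, `graphs/hugegraph/auth/login/x`, `xversions` and `graphs/hugegraph/versions` are not; because `UriInfo.getPath()` returns the decoded path, include a graph segment containing a percent-encoded `/` as well. A dependency-free equivalent is a `static final Pattern` such as `^graphs/[^/]+/auth/login$` checked with `matches()` plus `equals` for the two fixed entries. The method's `return false` and closing brace lie outside the hunk.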
@@ -112,6 +110,7 @@ hamcrest-2.2.jar
 hamcrest-core-1.3.jar
 hanlp-portable-1.8.3.jar
 hbase-shaded-endpoint-2.0.6.jar
+HdrHistogram-2.1.9.jar
 hessian-3.3.6.jar
 hg-pd-client-1.5.0.1.jar
 hg-pd-common-1.5.0.1.jar
@@ -192,8 +191,8 @@ jersey-test-framework-core-3.0.3.jar
 jersey-test-framework-provider-grizzly2-3.0.3.jar
 jetcd-common-0.5.9.jar
 jetcd-core-0.5.9.jar
-jffi-1.2.16-native.jar
 jffi-1.2.16.jar
+jffi-1.2.16-native.jar
 jflex-1.8.2.jar
 jieba-analysis-1.0.2.jar
 jjwt-api-0.11.5.jar
@@ -257,8 +256,8 @@ netty-all-4.1.44.Final.jar
 netty-all-4.1.61.Final.jar
 netty-buffer-4.1.72.Final.jar
 netty-codec-4.1.72.Final.jar
-netty-codec-http-4.1.72.Final.jar
 netty-codec-http2-4.1.72.Final.jar
+netty-codec-http-4.1.72.Final.jar
 netty-codec-socks-4.1.72.Final.jar
 netty-common-4.1.72.Final.jar
 netty-handler-4.1.72.Final.jar
@@ -286,22 +285,32 @@ parser-9.0-9.0.20190305.jar
 perfmark-api-0.25.0.jar
 picocli-4.3.2.jar
 postgresql-42.4.3.jar
-proto-google-common-protos-2.0.1.jar
 protobuf-java-3.21.7.jar
 protobuf-java-util-3.17.2.jar
+proto-google-common-protos-2.0.1.jar
 psjava-0.1.19.jar
-reporter-config-base-3.0.3.jar
 reporter-config3-3.0.3.jar
+reporter-config-base-3.0.3.jar
 rewriting-9.0-9.0.20190305.jar
 rocksdbjni-7.2.2.jar
 scala-java8-compat_2.12-0.8.0.jar
 scala-library-2.12.7.jar
 scala-reflect-2.12.7.jar
 sigar-1.6.4.jar
+sjk-agent-0.22.jar
 sjk-cli-0.14.jar
+sjk-cli-0.22.jar
 sjk-core-0.14.jar
+sjk-core-0.22.jar
+sjk-hflame-0.22.jar
+sjk-jfr5-0.5.jar
+sjk-jfr6-0.7.jar
+sjk-jfr-standalone-0.7.jar
 sjk-json-0.14.jar
+sjk-json-0.22.jar
+sjk-nps-0.9.jar
 sjk-stacktrace-0.14.jar
+sjk-stacktrace-0.22.jar
 slf4j-api-1.7.25.jar
 snakeyaml-1.26.jar
 snakeyaml-1.27.jar
@@ -311,6 +320,7 @@ snowball-stemmer-1.3.0.581.1.jar
 sofa-common-tools-1.0.12.jar
 sofa-rpc-all-5.7.6.jar
 sourcecode_2.12-0.1.4.jar
+ST4-4.0.8.jar
 stream-2.5.2.jar
 swagger-annotations-1.5.18.jar
 swagger-annotations-jakarta-2.2.18.jar
diff --git a/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh b/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh
index b555bd6470..64bb5718fa 100644
--- a/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh
+++ b/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh
@@ -16,7 +16,7 @@
 # limitations under the License.
 #
 
-BASE_PATH=$(cd $(dirname $0); pwd)
+BASE_PATH=$(cd "$(dirname $0)" || exit; pwd)
 DEP_PATH=$BASE_PATH/all_dependencies
 FILE_NAME=${1:-known-dependencies.txt}
 
@@ -25,7 +25,7 @@ if [[ -d $DEP_PATH ]];then
     rm -r -f $DEP_PATH
 fi
 
-cd $BASE_PATH/../../../
+cd "$BASE_PATH"/../../../ || exit
 
 mvn dependency:copy-dependencies -DincludeScope=runtime -DoutputDirectory=$DEP_PATH
 
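Review bot: The `|| exit` added inside `BASE_PATH=$(cd "$(dirname $0)" || exit; pwd)` only terminates the command substitution's subshell, so when the `cd` fails `BASE_PATH` is assigned an empty string and the script carries on, deriving `DEP_PATH=/all_dependencies` and later running `rm -r -f $DEP_PATH` against it. Check the assignment itself instead: `BASE_PATH=$(cd "$(dirname "$0")" && pwd) || exit 1`, which also quotes `$0`. The second hunk's `cd "$BASE_PATH"/../../../ || exit` does stop the script on failure (a bare `exit` reuses the failed `cd` status), but `rm -r -f $DEP_PATH` and `-DoutputDirectory=$DEP_PATH` on the surrounding lines remain unquoted; the script continues past the hunk.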