Create artifacts from URL (#2660)

* create artifacts from URL

* revert apicurio-common-app-components bump to let CI do it's job

* fix testsuite compilation error

* add rest tests

* improve tests

* minor

* fix failing tests

* bump apicurio-common-app-components.version and remove todos

* review comments

* revert unrelated changes

* Better handling for yaml files

* more strict parsable yaml

* fixing the ci

* better fixes

* more fixes

* Isolate the groupId for ProtobufSerdeTest

* review

Author: andreaTP

app/pom.xml

@@ -118,6 +118,14 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-smallrye-context-propagation</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-client-jackson</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>io.quarkus</groupId>

app/src/main/java/io/apicurio/registry/rest/RestConfig.java

@@ -0,0 +1,20 @@
+package io.apicurio.registry.rest;
+
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+import javax.inject.Singleton;
+
+@Singleton
+public class RestConfig {
+
+    @ConfigProperty(name = "registry.rest.artifact.download.maxSize", defaultValue = "1000000")
+    int downloadMaxSize;
+
+    @ConfigProperty(name = "registry.rest.artifact.download.skipSSLValidation", defaultValue = "false")
+    boolean downloadSkipSSLValidation;
+
+    public int getDownloadMaxSize() { return this.downloadMaxSize; }
+
+    public boolean getDownloadSkipSSLValidation() { return this.downloadSkipSSLValidation; }
+
+}

app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java

@@ -16,6 +16,7 @@
 
 package io.apicurio.registry.rest.v2;
 
+import com.google.common.hash.Hashing;
 import io.apicurio.registry.auth.Authorized;
 import io.apicurio.registry.auth.AuthorizedLevel;
 import io.apicurio.registry.auth.AuthorizedStyle;
@@ -27,6 +28,7 @@
 import io.apicurio.registry.rest.HeadersHack;
 import io.apicurio.registry.rest.MissingRequiredParameterException;
 import io.apicurio.registry.rest.ParametersConflictException;
+import io.apicurio.registry.rest.RestConfig;
 import io.apicurio.registry.rest.v2.beans.ArtifactMetaData;
 import io.apicurio.registry.rest.v2.beans.ArtifactReference;
 import io.apicurio.registry.rest.v2.beans.ArtifactSearchResults;
@@ -69,17 +71,27 @@
 import io.apicurio.registry.util.ContentTypeUtil;
 import io.apicurio.registry.utils.ArtifactIdValidator;
 import io.apicurio.registry.utils.IoUtil;
+import io.apicurio.registry.utils.JAXRSClientUtil;
 import org.jose4j.base64url.Base64;
 
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import javax.interceptor.Interceptors;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.BadRequestException;
+import javax.ws.rs.client.Client;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import java.io.BufferedInputStream;
 import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -94,12 +106,14 @@
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_DESCRIPTION;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_DESCRIPTION_ENCODED;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_EDITABLE_METADATA;
+import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_FROM_URL;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_GROUP_ID;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_IF_EXISTS;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_NAME;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_NAME_ENCODED;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_RULE;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_RULE_TYPE;
+import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_SHA;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_UPDATE_STATE;
 import static io.apicurio.common.apps.logging.audit.AuditingConstants.KEY_VERSION;
 
@@ -131,6 +145,9 @@ public class GroupsResourceImpl implements GroupsResource {
     @Inject
     ArtifactTypeUtilProviderFactory factory;
 
+    @Inject
+    RestConfig restConfig;
+
     /**
      * @see io.apicurio.registry.rest.v2.GroupsResource#getLatestArtifact(java.lang.String, java.lang.String, java.lang.Boolean)
      */
@@ -585,30 +602,86 @@ public void deleteArtifactsInGroup(String groupId) {
     }
 
     /**
-     * @see io.apicurio.registry.rest.v2.GroupsResource#createArtifact(String, ArtifactType, String, String, IfExists, Boolean, String, String, String, String, InputStream)
+     * @see io.apicurio.registry.rest.v2.GroupsResource#createArtifact(String, ArtifactType, String, String, IfExists, Boolean, String, String, String, String, String, String, InputStream)
      */
     @Override
-    @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_TYPE, "2", KEY_ARTIFACT_ID, "3", KEY_VERSION, "4", KEY_IF_EXISTS, "5", KEY_CANONICAL, "6", KEY_DESCRIPTION, "7", KEY_DESCRIPTION_ENCODED, "8", KEY_NAME, "9", KEY_NAME_ENCODED})
+    @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_TYPE, "2", KEY_ARTIFACT_ID, "3", KEY_VERSION, "4", KEY_IF_EXISTS, "5", KEY_CANONICAL, "6", KEY_DESCRIPTION, "7", KEY_DESCRIPTION_ENCODED, "8", KEY_NAME, "9", KEY_NAME_ENCODED, "10", KEY_FROM_URL, "11", KEY_SHA})
     @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write)
     public ArtifactMetaData createArtifact(String groupId, ArtifactType xRegistryArtifactType, String xRegistryArtifactId,
                                            String xRegistryVersion, IfExists ifExists, Boolean canonical,
                                            String xRegistryDescription, String xRegistryDescriptionEncoded,
-                                           String xRegistryName, String xRegistryNameEncoded, InputStream data) {
-
-        return this.createArtifactWithRefs(groupId, xRegistryArtifactType, xRegistryArtifactId, xRegistryVersion, ifExists, canonical, xRegistryDescription, xRegistryDescriptionEncoded, xRegistryName, xRegistryNameEncoded, data, Collections.emptyList());
+                                           String xRegistryName, String xRegistryNameEncoded,
+                                           String xRegistryContentHash, String xRegistryHashAlgorithm, InputStream data) {
+        return this.createArtifactWithRefs(groupId, xRegistryArtifactType, xRegistryArtifactId, xRegistryVersion, ifExists, canonical, xRegistryDescription, xRegistryDescriptionEncoded, xRegistryName, xRegistryNameEncoded, xRegistryContentHash, xRegistryHashAlgorithm, data, Collections.emptyList());
     }
 
     /**
-     * @see io.apicurio.registry.rest.v2.GroupsResource#createArtifact(java.lang.String, io.apicurio.registry.types.ArtifactType, java.lang.String, java.lang.String, io.apicurio.registry.rest.v2.beans.IfExists, java.lang.Boolean, java.lang.String, java.lang.String, java.lang.String, java.lang.String, io.apicurio.registry.rest.v2.beans.ContentCreateRequest)
+     * @see io.apicurio.registry.rest.v2.GroupsResource#createArtifact(String, ArtifactType, String, String, IfExists, Boolean, String, String, String, String, String, String, ContentCreateRequest)
      */
     @Override
-    @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_TYPE, "2", KEY_ARTIFACT_ID, "3", KEY_VERSION, "4", KEY_IF_EXISTS, "5", KEY_CANONICAL, "6", KEY_DESCRIPTION, "7", KEY_DESCRIPTION_ENCODED, "8", KEY_NAME, "9", KEY_NAME_ENCODED})
+    @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_TYPE, "2", KEY_ARTIFACT_ID, "3", KEY_VERSION, "4", KEY_IF_EXISTS, "5", KEY_CANONICAL, "6", KEY_DESCRIPTION, "7", KEY_DESCRIPTION_ENCODED, "8", KEY_NAME, "9", KEY_NAME_ENCODED, "10", "from_url" /*KEY_FROM_URL*/, "11", "artifact_sha" /*KEY_SHA*/})
     @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write)
-    public ArtifactMetaData createArtifact(String groupId, ArtifactType xRegistryArtifactType,
-                                           String xRegistryArtifactId, String xRegistryVersion, IfExists ifExists, Boolean canonical,
-                                           String xRegistryDescription, String xRegistryDescriptionEncoded, String xRegistryName,
-                                           String xRegistryNameEncoded, ContentCreateRequest data) {
-        return this.createArtifactWithRefs(groupId, xRegistryArtifactType, xRegistryArtifactId, xRegistryVersion, ifExists, canonical, xRegistryDescription, xRegistryDescriptionEncoded, xRegistryName, xRegistryNameEncoded, IoUtil.toStream(data.getContent()), data.getReferences());
+    public ArtifactMetaData createArtifact(String groupId, ArtifactType xRegistryArtifactType, String xRegistryArtifactId,
+                                           String xRegistryVersion, IfExists ifExists, Boolean canonical,
+                                           String xRegistryDescription, String xRegistryDescriptionEncoded,
+                                           String xRegistryName, String xRegistryNameEncoded,
+                                           String xRegistryContentHash, String xRegistryHashAlgorithm, ContentCreateRequest data) {
+        InputStream content = null;
+        try {
+            URL url = new URL(data.getContent());
+            content = fetchContentFromURL(url.toURI());
+        } catch (MalformedURLException | URISyntaxException e) {
+            content = IoUtil.toStream(data.getContent());
+        }
+
+        return this.createArtifactWithRefs(groupId, xRegistryArtifactType, xRegistryArtifactId, xRegistryVersion, ifExists, canonical, xRegistryDescription, xRegistryDescriptionEncoded, xRegistryName, xRegistryNameEncoded, xRegistryContentHash, xRegistryHashAlgorithm, content, data.getReferences());
+    }
+
+    public enum RegistryHashAlgorithm {
+        SHA256,
+        MD5
+    }
+
+    /**
+     * Return an InputStream for the resource to be downloaded
+     * @param url
+     */
+    private InputStream fetchContentFromURL(URI url) {
+        Client client = null;
+        try {
+            client = JAXRSClientUtil.getJAXRSClient(restConfig.getDownloadSkipSSLValidation());
+        } catch (KeyManagementException kme) {
+            throw new RuntimeException(kme);
+        } catch (NoSuchAlgorithmException nsae) {
+            throw new RuntimeException(nsae);
+        }
+
+        // 1. Registry issues HTTP HEAD request to the target URL.
+        List<Object> contentLengthHeaders = client
+                .target(url)
+                .request()
+                .head()
+                .getHeaders()
+                .get("Content-Length");
+
+        if (contentLengthHeaders == null || contentLengthHeaders.size() < 1) {
+            throw new BadRequestException("Requested resource URL does not provide 'Content-Length' in the headers");
+        }
+
+        // 2. According to HTTP specification, target server must return Content-Length header.
+        int contentLength = Integer.parseInt(contentLengthHeaders.get(0).toString());
+
+        // 3. Registry analyzes value of Content-Length to check if file with declared size could be processed securely.
+        if (contentLength > restConfig.getDownloadMaxSize()) {
+            throw new BadRequestException("Requested resource is bigger than " + restConfig.getDownloadMaxSize() + " and cannot be downloaded.");
+        }
+
+        // 4. Finally, registry issues HTTP GET to the target URL and fetches only amount of bytes specified by HTTP HEAD from step 1.
+        return new BufferedInputStream(client
+                .target(url)
+                .request()
+                .get()
+                .readEntity(InputStream.class), contentLength);
     }
 
     /**
@@ -623,13 +696,17 @@ public ArtifactMetaData createArtifact(String groupId, ArtifactType xRegistryArt
      * @param xRegistryDescriptionEncoded
      * @param xRegistryName
      * @param xRegistryNameEncoded
+     * @param xRegistryContentHash
+     * @param xRegistryHashAlgorithm
      * @param data
      * @param references
      */
     private ArtifactMetaData createArtifactWithRefs(String groupId, ArtifactType xRegistryArtifactType, String xRegistryArtifactId,
                                                     String xRegistryVersion, IfExists ifExists, Boolean canonical,
                                                     String xRegistryDescription, String xRegistryDescriptionEncoded,
-                                                    String xRegistryName, String xRegistryNameEncoded, InputStream data, List<ArtifactReference> references) {
+                                                    String xRegistryName, String xRegistryNameEncoded,
+                                                    String xRegistryContentHash, String xRegistryHashAlgorithm,
+                                                    InputStream data, List<ArtifactReference> references) {
 
         requireParameter("groupId", groupId);
 
@@ -649,6 +726,25 @@ private ArtifactMetaData createArtifactWithRefs(String groupId, ArtifactType xRe
         if (content.bytes().length == 0) {
             throw new BadRequestException(EMPTY_CONTENT_ERROR_MESSAGE);
         }
+
+        // Mitigation for MITM attacks, verify that the artifact is the expected one
+        if (xRegistryContentHash != null) {
+            String calculatedSha = null;
+            RegistryHashAlgorithm algorithm = (xRegistryHashAlgorithm == null) ? RegistryHashAlgorithm.SHA256 : RegistryHashAlgorithm.valueOf(xRegistryHashAlgorithm);
+            switch (algorithm) {
+                case MD5:
+                    calculatedSha = Hashing.md5().hashString(content.content(), StandardCharsets.UTF_8).toString();
+                    break;
+                case SHA256:
+                    calculatedSha = Hashing.sha256().hashString(content.content(), StandardCharsets.UTF_8).toString();
+                    break;
+            }
+
+            if (!calculatedSha.equals(xRegistryContentHash.trim())) {
+                throw new BadRequestException("Provided Artifact Hash doesn't match with the content");
+            }
+        }
+
         final boolean fcanonical = canonical == null ? Boolean.FALSE : canonical;
 
         String ct = getContentType();
@@ -660,7 +756,8 @@ private ArtifactMetaData createArtifactWithRefs(String groupId, ArtifactType xRe
             } else if (!ArtifactIdValidator.isArtifactIdAllowed(artifactId)) {
                 throw new InvalidArtifactIdException(ArtifactIdValidator.ARTIFACT_ID_ERROR_MESSAGE);
             }
-            if (ContentTypeUtil.isApplicationYaml(ct)) {
+            if (ContentTypeUtil.isApplicationYaml(ct) ||
+                    (ContentTypeUtil.isApplicationCreateExtended(ct) && ContentTypeUtil.isParsableYaml(content))) {
                 content = ContentTypeUtil.yamlToJson(content);
             }
 

app/src/main/java/io/apicurio/registry/util/ArtifactTypeUtil.java

@@ -64,7 +64,7 @@ private ArtifactTypeUtil() {
      *
      * @param content       the content
      * @param xArtifactType the artifact type
-     * @param ct            content type from request API
+     * @param contentType   content type from request API
      */
     //FIXME:references artifact must be dereferenced here otherwise this will fail to discover the type
     public static ArtifactType determineArtifactType(ContentHandle content, ArtifactType xArtifactType, String contentType) {

app/src/main/java/io/apicurio/registry/util/ContentTypeUtil.java

@@ -27,6 +27,7 @@
 public final class ContentTypeUtil {
 
     public static final String CT_APPLICATION_JSON = "application/json";
+    public static final String CT_APPLICATION_CREATE_EXTENDED = "application/create.extended+json";
     public static final String CT_APPLICATION_YAML = "application/x-yaml";
     public static final String CT_APPLICATION_XML = "application/xml";
 
@@ -57,6 +58,36 @@ public static boolean isApplicationYaml(String ct) {
         return ct.contains(CT_APPLICATION_YAML);
     }
 
+    /**
+     * Returns true if the Content-Type of the inbound request is "application/create.extended+json".
+     *
+     * @param ct content type
+     */
+    public static boolean isApplicationCreateExtended(String ct) {
+        if (ct == null) {
+            return false;
+        }
+        return ct.contains(CT_APPLICATION_CREATE_EXTENDED);
+    }
+
+    /**
+     * Returns true if the content can be parsed as yaml.
+     *
+     */
+    public static boolean isParsableYaml(ContentHandle yaml) {
+        try {
+            String content = yaml.content().trim();
+            // it's Json or Xml
+            if (content.startsWith("{") || content.startsWith("<")) {
+                return false;
+            }
+            JsonNode root = yamlMapper.readTree(yaml.stream());
+            return root != null && root.elements().hasNext();
+        } catch (Throwable t) {
+            return false;
+        }
+    }
+
     public static ContentHandle yamlToJson(ContentHandle yaml) {
         try {
             JsonNode root = yamlMapper.readTree(yaml.stream());

app/src/main/resources/application.properties

@@ -137,7 +137,7 @@ registry.api.errors.include-stack-in-response=${REGISTRY_API_ERRORS_INCLUDE_STAC
 quarkus.http.cors=true
 quarkus.http.cors.origins=${CORS_ALLOWED_ORIGINS:}
 quarkus.http.cors.methods=${CORS_ALLOWED_METHODS:GET,PUT,POST,PATCH,DELETE,OPTIONS}
-quarkus.http.cors.headers=${CORS_ALLOWED_HEADERS:x-registry-name,x-registry-name-encoded,x-registry-description,x-registry-description-encoded,x-registry-version,x-registry-artifactid,x-registry-artifacttype,access-control-request-method,access-control-allow-credentials,access-control-allow-origin,access-control-allow-headers,authorization,content-type}
+quarkus.http.cors.headers=${CORS_ALLOWED_HEADERS:x-registry-name,x-registry-name-encoded,x-registry-description,x-registry-description-encoded,x-registry-version,x-registry-artifactid,x-registry-artifacttype,x-registry-hash-algorithm,x-registry-content-hash,access-control-request-method,access-control-allow-credentials,access-control-allow-origin,access-control-allow-headers,authorization,content-type}
 
 ## Disable OpenAPI class scanning
 mp.openapi.scan.disable=true
@@ -160,4 +160,8 @@ registry.storage.metrics.cache.check-period=30000
 registry.limits.config.cache.check-period=30000
 registry.downloads.reaper.every=60s
 
-quarkus.native.additional-build-args=--initialize-at-run-time=org.apache.kafka.common.security.authenticator.SaslClientAuthenticator
+quarkus.native.additional-build-args=--initialize-at-run-time=org.apache.kafka.common.security.authenticator.SaslClientAuthenticator
+
+# Artifact download
+registry.rest.artifact.download.maxSize=1000000
+registry.rest.artifact.download.skipSSLValidation=false