HBASE-22467 UI fixes to enable Knox proxying

Closes #261

Signed-off-by: Sean Busbey <busbey@apache.org>

hbase-http/src/main/java/org/apache/hadoop/hbase/http/ProfileOutputServlet.java

@@ -19,6 +19,7 @@ package org.apache.hadoop.hbase.http;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.regex.Pattern;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -37,6 +38,8 @@ public class ProfileOutputServlet extends DefaultServlet {
   private static final long serialVersionUID = 1L;
   private static final Logger LOG = LoggerFactory.getLogger(ProfileOutputServlet.class);
   private static final int REFRESH_PERIOD = 2;
+  // Alphanumeric characters, plus percent (url-encoding), equals, and ampersand
+  private static final Pattern ALPHA_NUMERIC = Pattern.compile("[a-zA-Z0-9\\%\\=\\&]*");
 
   @Override
   protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
@@ -48,11 +51,26 @@ public class ProfileOutputServlet extends DefaultServlet {
     // will be <100 bytes (in all modes).
     if (requestedFile.length() < 100) {
       LOG.info(requestedFile  + " is incomplete. Sending auto-refresh header.");
-      resp.setHeader("Refresh", REFRESH_PERIOD + "," + req.getRequestURI());
+      String refreshUrl = req.getRequestURI();
+      // Rebuild the query string (if we have one)
+      if (req.getQueryString() != null) {
+        refreshUrl += "?" + sanitize(req.getQueryString());
+      }
+      ProfileServlet.setResponseHeader(resp);
+      resp.setHeader("Refresh", REFRESH_PERIOD + ";" + refreshUrl);
       resp.getWriter().write("This page will be auto-refreshed every " + REFRESH_PERIOD +
-        " seconds until the output file is ready.");
+        " seconds until the output file is ready. Redirecting to " + refreshUrl);
     } else {
       super.doGet(req, resp);
     }
   }
+
+  static String sanitize(String input) {
+    // Basic test to try to avoid any XSS attacks or HTML content showing up.
+    // Duplicates HtmlQuoting a little, but avoid destroying ampersand.
+    if (ALPHA_NUMERIC.matcher(input).matches()) {
+      return input;
+    }
+    throw new RuntimeException("Non-alphanumeric data found in input, aborting.");
+  }
 }

hbase-http/src/main/java/org/apache/hadoop/hbase/http/ProfileServlet.java

@@ -359,7 +359,7 @@ public class ProfileServlet extends HttpServlet {
     return Output.SVG;
   }
 
-  private static void setResponseHeader(final HttpServletResponse response) {
+  static void setResponseHeader(final HttpServletResponse response) {
     response.setHeader(ACCESS_CONTROL_ALLOW_METHODS, ALLOWED_METHODS);
     response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
     response.setContentType(CONTENT_TYPE_TEXT);

hbase-http/src/test/java/org/apache/hadoop/hbase/http/TestProfileOutputServlet.java

@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.http;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.hadoop.hbase.HBaseClassTestRule;
+import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+@Category({SmallTests.class})
+public class TestProfileOutputServlet {
+  @ClassRule
+  public static final HBaseClassTestRule CLASS_RULE =
+      HBaseClassTestRule.forClass(TestProfileOutputServlet.class);
+
+  @Test
+  public void testSanitization() {
+    List<String> good = Arrays.asList("abcd", "key=value", "key1=value&key2=value2", "");
+    for (String input : good) {
+      assertEquals(input, ProfileOutputServlet.sanitize(input));
+    }
+    List<String> bad = Arrays.asList("function(){console.log(\"oops\")}", "<strong>uhoh</strong>");
+    for (String input : bad) {
+      try {
+        ProfileOutputServlet.sanitize(input);
+        fail("Expected sanitization of \"" + input + "\" to fail");
+      } catch (RuntimeException e) {
+        // Pass
+      }
+    }
+  }
+
+}

hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/common/TaskMonitorTmpl.jamon

@@ -25,6 +25,7 @@ org.apache.hadoop.util.StringUtils;
 TaskMonitor taskMonitor = TaskMonitor.get();
 String filter = "general";
 String format = "html";
+String parent = "";
 </%args>
 
 <%if format.equals("json")%>
@@ -79,7 +80,7 @@ String format = "html";
     <%args>
         String filter;
     </%args>
-    <a href="?format=json&filter=<% filter %>">View as JSON</a>
+    <a href="<% parent %>?format=json&filter=<% filter %>">View as JSON</a>
 </%def>
 
 <%def renderTasks>

hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/master/MasterStatusTmpl.jamon

@@ -146,7 +146,7 @@ AssignmentManager assignmentManager = master.getAssignmentManager();
             </div>
             <div class="collapse navbar-collapse">
                 <ul class="nav navbar-nav">
-                <li class="active"><a href="/">Home</a></li>
+                <li class="active"><a href="/master-status">Home</a></li>
                 <li><a href="/tablesDetailed.jsp">Table Details</a></li>
                 <%if master.isActiveMaster() %>
                 <li><a href="/procedures.jsp">Procedures &amp; Locks</a></li>
@@ -279,7 +279,7 @@ AssignmentManager assignmentManager = master.getAssignmentManager();
 
 
         <section>
-            <& ../common/TaskMonitorTmpl; filter = filter &>
+            <& ../common/TaskMonitorTmpl; filter = filter; parent = "/master-status" &>
         </section>
 
         <section>

hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/regionserver/RSStatusTmpl.jamon

@@ -78,7 +78,7 @@ org.apache.hadoop.hbase.zookeeper.MasterAddressTracker;
             </div>
             <div class="collapse navbar-collapse">
                 <ul class="nav navbar-nav">
-                <li class="active"><a href="/">Home</a></li>
+                <li class="active"><a href="/rs-status">Home</a></li>
                 <li><a href="/processRS.jsp">Process Metrics</a></li>
                 <li><a href="/logs/">Local Logs</a></li>
                 <li><a href="/logLevel">Log Level</a></li>
@@ -114,7 +114,7 @@ org.apache.hadoop.hbase.zookeeper.MasterAddressTracker;
     </section>
 
     <section>
-    <& ../common/TaskMonitorTmpl; filter = filter &>
+    <& ../common/TaskMonitorTmpl; filter = filter; parent = "/rs-status" &>
     </section>
 
     <section>

hbase-server/src/main/resources/hbase-webapps/master/table.jsp

@@ -228,7 +228,7 @@ if ( fqtn != null ) {
 %>
 <tr>
   <td><%= escapeXml(meta.getRegionNameAsString()) %></td>
-    <td><a href="http://<%= hostAndPort %>/"><%= StringEscapeUtils.escapeHtml4(hostAndPort) %></a></td>
+    <td><a href="http://<%= hostAndPort %>/rs-status/"><%= StringEscapeUtils.escapeHtml4(hostAndPort) %></a></td>
     <td><%= readReq%></td>
     <td><%= writeReq%></td>
     <td><%= fileSize%></td>