From 0198b08154c1ea10cbe852247035ebaf2c9ff59d Mon Sep 17 00:00:00 2001
From: Robert Varga <robert.varga@pantheon.tech>
Date: Sat, 16 Sep 2023 08:31:31 +0200
Subject: [PATCH] Disable invalidRequest.blockTraversal

Shiro's traversal filtering disallows escaped slashes, which are part of
RESTCONF spec. Disable traversal filtering by default.

JIRA: AAA-265
Change-Id: I17fce53bf9e8f34a81796fa476508f5dd5a5b7e1
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
(cherry picked from commit 3abb8fff9677c0f4c52302926eac89eeb87161dc)
---
 .../main/resources/initial/aaa-app-config.xml   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/aaa-shiro/impl/src/main/resources/initial/aaa-app-config.xml b/aaa-shiro/impl/src/main/resources/initial/aaa-app-config.xml
index 03cfaf355..1fc146e22 100644
--- a/aaa-shiro/impl/src/main/resources/initial/aaa-app-config.xml
+++ b/aaa-shiro/impl/src/main/resources/initial/aaa-app-config.xml
@@ -280,6 +280,23 @@
         <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
     </main>
 
+    <!--
+        Disable parts of invalidRequest filter, as these are blocking valid RESTCONF requests.
+
+        RESTCONF routinely transmits data in URLs. The encoding requires that all reserved URI
+        characters, as defined in https://www.rfc-editor.org/rfc/rfc3986#section-2.2, be
+        percent-encoded. See https://jira.opendaylight.org/browse/AAA-265.
+     -->
+    <main>
+        <!-- ';' is a RFC3986 reserved character -->
+        <pair-key>invalidRequest.blockSemicolon</pair-key>
+        <pair-value>false</pair-value>
+    </main>
+    <main>
+        <!-- '/' is a RFC3986 reserved character -->
+        <pair-key>invalidRequest.blockTraversal</pair-key>
+        <pair-value>false</pair-value>
+    </main>
 
     <!--
       ===================================================================================
-- 
2.36.6