AMBARI-12102. Increase unit test coverage for ViewURLStreamProvider (smohanty)

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -265,6 +265,12 @@ public class Configuration {
   public static final String RECOVERY_RETRY_GAP_KEY = "recovery.retry_interval";
   public static final String RECOVERY_RETRY_GAP_DEFAULT = "5";
 
+  /**
+   * Allow proxy calls to these hosts and ports only
+   */
+  public static final String PROXY_ALLOWED_HOST_PORTS = "proxy.allowed.hostports";
+  public static final String PROXY_ALLOWED_HOST_PORTS_DEFAULT = "*:*";
+
   /**
    * This key defines whether stages of parallel requests are executed in
    * parallel or sequentally. Only stages from different requests
@@ -573,6 +579,8 @@ public class Configuration {
 
     configsMap.put(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT_KEY, properties.getProperty(
             AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT_KEY, AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT_DEFAULT));
+    configsMap.put(PROXY_ALLOWED_HOST_PORTS, properties.getProperty(
+        PROXY_ALLOWED_HOST_PORTS, PROXY_ALLOWED_HOST_PORTS_DEFAULT));
 
     File passFile = new File(configsMap.get(SRVR_KSTR_DIR_KEY) + File.separator
         + configsMap.get(SRVR_CRT_PASS_FILE_KEY));
@@ -913,7 +921,7 @@ public class Configuration {
    */
   public int getClientSSLApiPort() {
     return Integer.parseInt(properties.getProperty(CLIENT_API_SSL_PORT_KEY,
-        String.valueOf(CLIENT_API_SSL_PORT_DEFAULT)));
+                                                   String.valueOf(CLIENT_API_SSL_PORT_DEFAULT)));
   }
 
   /**
@@ -1225,23 +1233,26 @@ public class Configuration {
 
   public String getSrvrDisabledCiphers() {
     String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS,
-            properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+                                                    properties.getProperty(SRVR_DISABLED_CIPHERS,
+                                                                           SRVR_DISABLED_CIPHERS_DEFAULT));
     return disabledCiphers.trim();
   }
 
   public String getSrvrDisabledProtocols() {
     String disabledProtocols = properties.getProperty(SRVR_DISABLED_PROTOCOLS,
-            properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT));
+                                                      properties.getProperty(SRVR_DISABLED_PROTOCOLS,
+                                                                             SRVR_DISABLED_PROTOCOLS_DEFAULT));
     return disabledProtocols.trim();
   }
 
   public int getOneWayAuthPort() {
     return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY,
-        String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
+                                                   String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
   }
 
   public int getTwoWayAuthPort() {
-    return Integer.parseInt(properties.getProperty(SRVR_TWO_WAY_SSL_PORT_KEY, String.valueOf(SRVR_TWO_WAY_SSL_PORT_DEFAULT)));
+    return Integer.parseInt(properties.getProperty(SRVR_TWO_WAY_SSL_PORT_KEY,
+                                                   String.valueOf(SRVR_TWO_WAY_SSL_PORT_DEFAULT)));
   }
 
   /**
@@ -1317,13 +1328,14 @@ public class Configuration {
     return repoSuffixes.split(",");
   }
 
+
   public String isExecutionSchedulerClusterd() {
     return properties.getProperty(EXECUTION_SCHEDULER_CLUSTERED, "false");
   }
 
   public String getExecutionSchedulerThreads() {
     return properties.getProperty(EXECUTION_SCHEDULER_THREADS,
-        DEFAULT_SCHEDULER_THREAD_COUNT);
+                                  DEFAULT_SCHEDULER_THREAD_COUNT);
   }
 
   public Integer getRequestReadTimeout() {
@@ -1338,7 +1350,7 @@ public class Configuration {
 
   public String getExecutionSchedulerConnections() {
     return properties.getProperty(EXECUTION_SCHEDULER_CONNECTIONS,
-        DEFAULT_SCHEDULER_MAX_CONNECTIONS);
+                                  DEFAULT_SCHEDULER_MAX_CONNECTIONS);
   }
 
   public Long getExecutionSchedulerMisfireToleration() {
@@ -1350,7 +1362,7 @@ public class Configuration {
 
   public Integer getExecutionSchedulerStartDelay() {
     String delay = properties.getProperty(EXECUTION_SCHEDULER_START_DELAY,
-        DEFAULT_SCHEDULER_START_DELAY_SECONDS);
+                                          DEFAULT_SCHEDULER_START_DELAY_SECONDS);
     return Integer.parseInt(delay);
   }
 

ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -290,9 +290,9 @@ public class AmbariServer {
 
       //session-per-request strategy for api and agents
       root.addFilter(new FilterHolder(injector.getInstance(AmbariPersistFilter.class)), "/api/*", DISPATCHER_TYPES);
-      root.addFilter(new FilterHolder(injector.getInstance(AmbariPersistFilter.class)), "/proxy/*", DISPATCHER_TYPES);
+      // root.addFilter(new FilterHolder(injector.getInstance(AmbariPersistFilter.class)), "/proxy/*", DISPATCHER_TYPES);
       root.addFilter(new FilterHolder(new MethodOverrideFilter()), "/api/*", DISPATCHER_TYPES);
-      root.addFilter(new FilterHolder(new MethodOverrideFilter()), "/proxy/*", DISPATCHER_TYPES);
+      // root.addFilter(new FilterHolder(new MethodOverrideFilter()), "/proxy/*", DISPATCHER_TYPES);
 
       // register listener to capture request context
       root.addEventListener(new RequestContextListener());
@@ -302,7 +302,7 @@ public class AmbariServer {
 
       if (configs.getApiAuthentication()) {
         root.addFilter(new FilterHolder(springSecurityFilter), "/api/*", DISPATCHER_TYPES);
-        root.addFilter(new FilterHolder(springSecurityFilter), "/proxy/*", DISPATCHER_TYPES);
+      // root.addFilter(new FilterHolder(springSecurityFilter), "/proxy/*", DISPATCHER_TYPES);
       }
 
 
@@ -386,6 +386,7 @@ public class AmbariServer {
       agentroot.addServlet(cert, "/*");
       cert.setInitOrder(4);
 
+      /*
       ServletHolder proxy = new ServletHolder(ServletContainer.class);
       proxy.setInitParameter("com.sun.jersey.config.property.resourceConfigClass",
                              "com.sun.jersey.api.core.PackagesResourceConfig");
@@ -394,6 +395,7 @@ public class AmbariServer {
       proxy.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature", "true");
       root.addServlet(proxy, "/proxy/*");
       proxy.setInitOrder(5);
+      */
 
       ServletHolder resources = new ServletHolder(ServletContainer.class);
       resources.setInitParameter("com.sun.jersey.config.property.resourceConfigClass",
@@ -401,13 +403,13 @@ public class AmbariServer {
       resources.setInitParameter("com.sun.jersey.config.property.packages",
           "org.apache.ambari.server.resources.api.rest;");
       root.addServlet(resources, "/resources/*");
-      resources.setInitOrder(6);
+      resources.setInitOrder(5);
 
       if (configs.csrfProtectionEnabled()) {
         sh.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
                     "org.apache.ambari.server.api.AmbariCsrfProtectionFilter");
-        proxy.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
-                    "org.apache.ambari.server.api.AmbariCsrfProtectionFilter");
+        /* proxy.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
+                    "org.apache.ambari.server.api.AmbariCsrfProtectionFilter"); */
       }
 
       // Set jetty thread pool

ambari-server/src/main/java/org/apache/ambari/server/view/ViewURLStreamProvider.java

@@ -18,19 +18,26 @@
 
 package org.apache.ambari.server.view;
 
+import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.internal.URLStreamProvider;
 import org.apache.ambari.server.proxy.ProxyService;
 import org.apache.ambari.view.URLConnectionProvider;
 import org.apache.ambari.view.ViewContext;
 import org.apache.commons.io.IOUtils;
-
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.http.client.utils.URIBuilder;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 
@@ -39,6 +46,8 @@ import java.util.Map;
  */
 public class ViewURLStreamProvider implements org.apache.ambari.view.URLStreamProvider, URLConnectionProvider {
 
+  private static final Log LOG = LogFactory.getLog(ViewContextImpl.class);
+
   /**
    * The key for the "doAs" header.
    */
@@ -54,20 +63,37 @@ public class ViewURLStreamProvider implements org.apache.ambari.view.URLStreamPr
    */
   private final URLStreamProvider streamProvider;
 
+  /**
+   * Apply host port restrictions if any
+   */
+  private HostPortRestrictionHandler hostPortRestrictionHandler;
 
   // ----- Constructor -----------------------------------------------------
 
   /**
    * Construct a view URL stream provider.
    *
-   * @param viewContext     the associated view context
-   * @param streamProvider  the underlying stream provider
+   * @param viewContext    the associated view context
+   * @param streamProvider the underlying stream provider
    */
   protected ViewURLStreamProvider(ViewContext viewContext, URLStreamProvider streamProvider) {
-    this.viewContext    = viewContext;
+    this.viewContext = viewContext;
     this.streamProvider = streamProvider;
   }
 
+  /**
+   * Get an instance of HostPortRestrictionHandler
+   *
+   * @return
+   */
+  private HostPortRestrictionHandler getHostPortRestrictionHandler() {
+    if (this.hostPortRestrictionHandler == null) {
+      HostPortRestrictionHandler hostPortRestrictionHandlerTmp =
+          new HostPortRestrictionHandler(this.viewContext.getAmbariProperty(Configuration.PROXY_ALLOWED_HOST_PORTS));
+      this.hostPortRestrictionHandler = hostPortRestrictionHandlerTmp;
+    }
+    return this.hostPortRestrictionHandler;
+  }
 
   // ----- URLStreamProvider -----------------------------------------------
 
@@ -182,6 +208,11 @@ public class ViewURLStreamProvider implements org.apache.ambari.view.URLStreamPr
   // get the input stream response from the underlying stream provider
   private InputStream getInputStream(String spec, String requestMethod, Map<String, String> headers, byte[] info)
       throws IOException {
+    if (!isProxyCallAllowed(spec)) {
+      LOG.warn("Call to " + spec + " is not allowed. See ambari.properties proxy.allowed.hostports.");
+      throw new IOException("Call to " + spec + " is not allowed. See ambari.properties proxy.allowed.hostports.");
+    }
+
     HttpURLConnection connection = getHttpURLConnection(spec, requestMethod, headers, info);
 
     int responseCode = connection.getResponseCode();
@@ -194,7 +225,13 @@ public class ViewURLStreamProvider implements org.apache.ambari.view.URLStreamPr
   private HttpURLConnection getHttpURLConnection(String spec, String requestMethod,
                                                  Map<String, String> headers, byte[] info)
       throws IOException {
+    if (!isProxyCallAllowed(spec)) {
+      LOG.warn("Call to " + spec + " is not allowed. See ambari.properties proxy.allowed.hostports.");
+      throw new IOException("Call to " + spec + " is not allowed. See ambari.properties proxy.allowed.hostports.");
+    }
+
     // adapt the headers to the internal URLStreamProvider processURL signature
+
     Map<String, List<String>> headerMap = new HashMap<String, List<String>>();
     for (Map.Entry<String, String> entry : headers.entrySet()) {
       headerMap.put(entry.getKey(), Collections.singletonList(entry.getValue()));
@@ -202,4 +239,117 @@ public class ViewURLStreamProvider implements org.apache.ambari.view.URLStreamPr
     return streamProvider.processURL(spec, requestMethod, info, headerMap);
   }
 
+  /**
+   * Is it allowed to make calls to the supplied url
+   * @param spec the URL
+   * @return
+   */
+  protected boolean isProxyCallAllowed(String spec) {
+    if (StringUtils.isNotBlank(spec) && this.getHostPortRestrictionHandler().proxyCallRestricted()) {
+      try {
+        URL url = new URL(spec);
+        return this.getHostPortRestrictionHandler().allowProxy(url.getHost(),
+                                                               Integer.toString(url.getPort() == -1
+                                                                                    ? url.getDefaultPort()
+                                                                                    : url.getPort()));
+      } catch (MalformedURLException ex) {
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Creates a list of allowed hosts and ports
+   */
+  class HostPortRestrictionHandler {
+    private final String allowedHostPortsValue;
+    private Map<String, HashSet<String>> allowedHostPorts = null;
+    private Boolean isProxyCallRestricted = Boolean.FALSE;
+
+    public HostPortRestrictionHandler(String allowedHostPortsValue) {
+      this.allowedHostPortsValue = allowedHostPortsValue;
+      LOG.debug("Proxy restriction will be derived from " + allowedHostPortsValue);
+    }
+
+    /**
+     * Checks supplied host and port against the restriction list
+     *
+     * @param host
+     * @param port
+     *
+     * @return if the host and port combination is allowed
+     */
+    public boolean allowProxy(String host, String port) {
+      LOG.debug("Checking host " + host + " port " + port + " against allowed list.");
+      if (StringUtils.isNotBlank(host)) {
+        String hostToCompare = host.trim().toLowerCase();
+        if (this.allowedHostPorts == null) {
+          initializeAllowedHostPorts();
+        }
+
+        if (this.isProxyCallRestricted) {
+          if (this.allowedHostPorts.containsKey(hostToCompare)) {
+            if (this.allowedHostPorts.get(hostToCompare).contains("*")) {
+              return true;
+            }
+            String portToCompare = "";
+            if (StringUtils.isNotBlank(port)) {
+              portToCompare = port.trim();
+            }
+            if (this.allowedHostPorts.get(hostToCompare).contains(portToCompare)) {
+              return true;  // requested host port allowed
+            }
+            return false;
+          }
+          return false; // restricted, at least hostname need to match
+        } // no restriction
+      }
+      return true;
+    }
+
+    /**
+     * Initialize the allowed list of hosts and ports
+     */
+    private void initializeAllowedHostPorts() {
+      boolean proxyCallRestricted = false;
+      Map<String, HashSet<String>> allowed = new HashMap<String, HashSet<String>>();
+      if (StringUtils.isNotBlank(allowedHostPortsValue)) {
+        String allowedStr = allowedHostPortsValue.toLowerCase();
+        if (!allowedStr.equals(Configuration.PROXY_ALLOWED_HOST_PORTS_DEFAULT)) {
+          proxyCallRestricted = true;
+          String[] hostPorts = allowedStr.trim().split(",");
+          for (String hostPortStr : hostPorts) {
+            String[] hostAndPort = hostPortStr.trim().split(":");
+            if (hostAndPort.length == 1) {
+              if (!allowed.containsKey(hostAndPort[0])) {
+                allowed.put(hostAndPort[0], new HashSet<String>());
+              }
+              allowed.get(hostAndPort[0]).add("*");
+              LOG.debug("Allow proxy to host " + hostAndPort[0] + " and all ports.");
+            } else {
+              if (!allowed.containsKey(hostAndPort[0])) {
+                allowed.put(hostAndPort[0], new HashSet<String>());
+              }
+              allowed.get(hostAndPort[0]).add(hostAndPort[1]);
+              LOG.debug("Allow proxy to host " + hostAndPort[0] + " and port " + hostAndPort[1]);
+            }
+          }
+        }
+      }
+      this.allowedHostPorts = allowed;
+      this.isProxyCallRestricted = proxyCallRestricted;
+    }
+
+    /**
+     * Is there a restriction of which host and port the call can be made to
+     * @return
+     */
+    public Boolean proxyCallRestricted() {
+      if (this.allowedHostPorts == null) {
+        initializeAllowedHostPorts();
+      }
+      return this.isProxyCallRestricted;
+    }
+  }
 }

ambari-server/src/test/java/org/apache/ambari/server/view/ViewURLStreamProviderTest.java

@@ -18,6 +18,7 @@
 
 package org.apache.ambari.server.view;
 
+import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.internal.URLStreamProvider;
 import org.apache.ambari.view.ViewContext;
 import org.junit.Assert;
@@ -30,7 +31,9 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 
+import static org.easymock.EasyMock.anyObject;
 import static org.easymock.EasyMock.aryEq;
 import static org.easymock.EasyMock.createNiceMock;
 import static org.easymock.EasyMock.eq;
@@ -269,7 +272,10 @@ public class ViewURLStreamProviderTest {
     Map<String, List<String>> headerMap = new HashMap<String, List<String>>();
     headerMap.put("header", Collections.singletonList("headerValue"));
 
-    expect(streamProvider.processURL(eq("spec"), eq("requestMethod"), aryEq("params".getBytes()), eq(headerMap))).andReturn(urlConnection);
+    expect(streamProvider.processURL(eq("spec"),
+                                     eq("requestMethod"),
+                                     aryEq("params".getBytes()),
+                                     eq(headerMap))).andReturn(urlConnection);
 
     replay(streamProvider, urlConnection);
 
@@ -299,7 +305,11 @@ public class ViewURLStreamProviderTest {
 
     ViewURLStreamProvider viewURLStreamProvider = new ViewURLStreamProvider(viewContext, streamProvider);
 
-    Assert.assertEquals(urlConnection, viewURLStreamProvider.getConnectionAs("spec", "requestMethod", "params", headers, "joe"));
+    Assert.assertEquals(urlConnection, viewURLStreamProvider.getConnectionAs("spec",
+                                                                             "requestMethod",
+                                                                             "params",
+                                                                             headers,
+                                                                             "joe"));
 
     verify(streamProvider, urlConnection);
   }
@@ -324,8 +334,110 @@ public class ViewURLStreamProviderTest {
 
     ViewURLStreamProvider viewURLStreamProvider = new ViewURLStreamProvider(viewContext, streamProvider);
 
-    Assert.assertEquals(urlConnection, viewURLStreamProvider.getConnectionAsCurrent("spec", "requestMethod", "params", headers));
+    Assert.assertEquals(urlConnection, viewURLStreamProvider.getConnectionAsCurrent("spec",
+                                                                                    "requestMethod",
+                                                                                    "params",
+                                                                                    headers));
 
     verify(streamProvider, urlConnection, viewContext);
   }
+
+  @Test
+  public void testProxyRestriction() throws Exception {
+    ViewURLStreamProvider viewURLStreamProvider = new ViewURLStreamProvider(null, null);
+    Properties ambariProperties = new Properties();
+    Configuration configuration = new Configuration(ambariProperties);
+    Assert.assertEquals(
+        Configuration.PROXY_ALLOWED_HOST_PORTS_DEFAULT,
+        configuration.getConfigsMap().get(Configuration.PROXY_ALLOWED_HOST_PORTS));
+    ViewURLStreamProvider.HostPortRestrictionHandler hprh =
+        viewURLStreamProvider.new HostPortRestrictionHandler(
+            configuration.getProperty(Configuration.PROXY_ALLOWED_HOST_PORTS));
+    Assert.assertFalse(hprh.proxyCallRestricted());
+    Assert.assertTrue(hprh.allowProxy("host1.com", null));
+    Assert.assertTrue(hprh.allowProxy(null, null));
+    Assert.assertTrue(hprh.allowProxy("host1.com", " "));
+    Assert.assertTrue(hprh.allowProxy("host1.com ", " "));
+    Assert.assertTrue(hprh.allowProxy(" host1.com ", "8080"));
+
+    ambariProperties = new Properties();
+    ambariProperties.setProperty(Configuration.PROXY_ALLOWED_HOST_PORTS, "");
+    configuration = new Configuration(ambariProperties);
+    hprh =
+        viewURLStreamProvider.new HostPortRestrictionHandler(
+            configuration.getProperty(Configuration.PROXY_ALLOWED_HOST_PORTS));
+    Assert.assertFalse(hprh.proxyCallRestricted());
+    Assert.assertTrue(hprh.allowProxy("host1.com", null));
+    Assert.assertTrue(hprh.allowProxy(null, null));
+    Assert.assertTrue(hprh.allowProxy("host1.com", " "));
+    Assert.assertTrue(hprh.allowProxy("host1.com ", " "));
+    Assert.assertTrue(hprh.allowProxy(" host1.com ", "8080"));
+
+    ambariProperties = new Properties();
+    ambariProperties.setProperty(Configuration.PROXY_ALLOWED_HOST_PORTS, "host1.com:*");
+    configuration = new Configuration(ambariProperties);
+    hprh =
+        viewURLStreamProvider.new HostPortRestrictionHandler(
+            configuration.getProperty(Configuration.PROXY_ALLOWED_HOST_PORTS));
+    Assert.assertTrue(hprh.proxyCallRestricted());
+    Assert.assertTrue(hprh.allowProxy("host1.com", null));
+    Assert.assertTrue(hprh.allowProxy(null, null));
+    Assert.assertTrue(hprh.allowProxy("host1.com", "20"));
+    Assert.assertFalse(hprh.allowProxy("host2.com ", " "));
+    Assert.assertFalse(hprh.allowProxy(" host2.com ", "8080"));
+
+    ambariProperties = new Properties();
+    ambariProperties.setProperty(Configuration.PROXY_ALLOWED_HOST_PORTS, " host1.com:80 ,host2.org:443, host2.org:22");
+    configuration = new Configuration(ambariProperties);
+    hprh =
+        viewURLStreamProvider.new HostPortRestrictionHandler(
+            configuration.getProperty(Configuration.PROXY_ALLOWED_HOST_PORTS));
+    Assert.assertTrue(hprh.proxyCallRestricted());
+    Assert.assertTrue(hprh.allowProxy("host1.com", "80"));
+    Assert.assertFalse(hprh.allowProxy("host1.com", "20"));
+    Assert.assertFalse(hprh.allowProxy("host2.org", "404"));
+    Assert.assertFalse(hprh.allowProxy("host2.com", "22"));
+
+    ViewContext viewContext = createNiceMock(ViewContext.class);
+    expect(viewContext.getAmbariProperty(anyObject(String.class))).andReturn(
+        " host1.com:80 ,host2.org:443, host2.org:22");
+    replay(viewContext);
+    viewURLStreamProvider = new ViewURLStreamProvider(viewContext, null);
+
+
+    Assert.assertTrue(viewURLStreamProvider.isProxyCallAllowed("http://host1.com/tt"));
+    Assert.assertTrue(viewURLStreamProvider.isProxyCallAllowed("https://host2.org/tt"));
+    Assert.assertFalse(viewURLStreamProvider.isProxyCallAllowed("https://host2.org:444/tt"));
+
+    viewContext = createNiceMock(ViewContext.class);
+    expect(viewContext.getAmbariProperty(anyObject(String.class))).andReturn("c6401.ambari.apache.org:8088");
+    replay(viewContext);
+    viewURLStreamProvider = new ViewURLStreamProvider(viewContext, null);
+    Assert.assertTrue(viewURLStreamProvider.isProxyCallAllowed(
+        "http://c6401.ambari.apache.org:8088/ws/v1/cluster/get-node-labels"));
+
+    viewContext = createNiceMock(ViewContext.class);
+    expect(viewContext.getAmbariProperty(anyObject(String.class))).andReturn("*:8088");
+    replay(viewContext);
+    viewURLStreamProvider = new ViewURLStreamProvider(viewContext, null);
+    Assert.assertFalse(viewURLStreamProvider.isProxyCallAllowed(
+        "http://c6401.ambari.apache.org:8088/ws/v1/cluster/get-node-labels"));
+
+    viewContext = createNiceMock(ViewContext.class);
+    expect(viewContext.getAmbariProperty(anyObject(String.class))).andReturn("c6401.ambari.apache.org:*");
+    replay(viewContext);
+    viewURLStreamProvider = new ViewURLStreamProvider(viewContext, null);
+    Assert.assertTrue(viewURLStreamProvider.isProxyCallAllowed(
+        "http://c6401.ambari.apache.org:8088/ws/v1/cluster/get-node-labels"));
+
+    viewContext = createNiceMock(ViewContext.class);
+    expect(viewContext.getAmbariProperty(anyObject(String.class))).andReturn(
+        "c6401.ambari.apache.org:80,c6401.ambari.apache.org:443");
+    replay(viewContext);
+    viewURLStreamProvider = new ViewURLStreamProvider(viewContext, null);
+    Assert.assertTrue(viewURLStreamProvider.isProxyCallAllowed(
+        "http://c6401.ambari.apache.org/ws/v1/cluster/get-node-labels"));
+    Assert.assertTrue(viewURLStreamProvider.isProxyCallAllowed(
+        "https://c6401.ambari.apache.org/ws/v1/cluster/get-node-labels"));
+  }
 }