[fix][sec]disable trace in web service

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/HttpSecurityProcessor.java

@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.broker.web;
+
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.util.security.Constraint;
+
+public class HttpSecurityProcessor {
+    public static void disableHttpDebugMethod(ServletContextHandler ctxHandler, String path) {
+        Constraint c = new Constraint();
+        c.setAuthenticate(true);
+        ConstraintMapping traceMapping = new ConstraintMapping();
+        traceMapping.setConstraint(c);
+        traceMapping.setMethod("TRACE");
+        traceMapping.setPathSpec(path);
+
+        ConstraintMapping trackMapping = new ConstraintMapping();
+        trackMapping.setConstraint(c);
+        trackMapping.setMethod("TRACK");
+        trackMapping.setPathSpec(path);
+        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
+        securityHandler.setConstraintMappings(new ConstraintMapping[]{traceMapping, trackMapping});
+        ctxHandler.setSecurityHandler(securityHandler);
+    }
+}

pulsar-broker/src/main/java/org/apache/pulsar/broker/web/WebService.java

@@ -226,10 +226,6 @@ private static class FilterInitializer {
                 authenticationFilterHolder = null;
             }
 
-            if (config.isDisableHttpDebugMethods()) {
-                filterHolders.add(new FilterHolder(new DisableDebugHttpMethodFilter(config)));
-            }
-
             if (config.getHttpMaxRequestSize() > 0) {
                 filterHolders.add(new FilterHolder(
                         new MaxRequestSizeFilter(
@@ -255,6 +251,9 @@ public void addServlet(String path, ServletHolder servletHolder, boolean require
         ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
         // Notice: each context path should be unique, but there's nothing here to verify that
         context.setContextPath(path);
+        if (this.pulsar.getConfiguration().isDisableHttpDebugMethods()) {
+            HttpSecurityProcessor.disableHttpDebugMethod(context, MATCH_ALL);
+        }
         context.addServlet(servletHolder, MATCH_ALL);
         if (attributeMap != null) {
             attributeMap.forEach((key, value) -> {

pulsar-broker/src/test/java/org/apache/pulsar/broker/web/WebServiceTest.java

@@ -281,14 +281,14 @@ public void testDisableHttpTraceAndTrackMethods() throws Exception {
         Response res = builder.execute().get();
 
         // This should have failed
-        assertEquals(res.getStatusCode(), 405);
+        assertEquals(res.getStatusCode(), 403);
 
         builder = client.prepare("TRACK", url);
 
         res = builder.execute().get();
 
         // This should have failed
-        assertEquals(res.getStatusCode(), 405);
+        assertEquals(res.getStatusCode(), 403);
     }
 
     @Test

pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java

@@ -163,6 +163,15 @@ public class WorkerConfig implements Serializable, PulsarConfiguration {
             + "(0 to disable limiting)")
     private int maxHttpServerConnections = 2048;
 
+    @FieldContext(
+            category = CATEGORY_WORKER,
+            doc = "If true, the broker will reject all HTTP requests using the TRACE and TRACK verbs.\n"
+                    + " This setting may be necessary if the broker is deployed into an environment that uses http "
+                    + "port\n"
+                    + " scanning and flags web servers allowing the TRACE method as insecure."
+    )
+    private boolean disableHttpDebugMethods = false;
+
     @FieldContext(
             category = CATEGORY_WORKER,
             required = false,

pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/WorkerServer.java

@@ -27,6 +27,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.apache.pulsar.broker.authentication.AuthenticationService;
 import org.apache.pulsar.broker.web.AuthenticationFilter;
+import org.apache.pulsar.broker.web.HttpSecurityProcessor;
 import org.apache.pulsar.broker.web.JettyRequestLogFactory;
 import org.apache.pulsar.broker.web.RateLimitingFilter;
 import org.apache.pulsar.broker.web.WebExecutorThreadPool;
@@ -208,18 +209,18 @@ public void addFilters(ServletContextHandler context, boolean requiresAuthentica
         }
     }
 
-    static ServletContextHandler newServletContextHandler(String contextPath,
+    ServletContextHandler newServletContextHandler(String contextPath,
                                                                  ResourceConfig config,
                                                                  WorkerService workerService,
                                                                  FilterInitializer filterInitializer) {
         return newServletContextHandler(contextPath, config, workerService, true, filterInitializer);
     }
 
-    static ServletContextHandler newServletContextHandler(String contextPath,
-                                                                 ResourceConfig config,
-                                                                 WorkerService workerService,
-                                                                 boolean requireAuthentication,
-                                                                 FilterInitializer filterInitializer) {
+    ServletContextHandler newServletContextHandler(String contextPath,
+                                                   ResourceConfig config,
+                                                   WorkerService workerService,
+                                                   boolean requireAuthentication,
+                                                   FilterInitializer filterInitializer) {
         final ServletContextHandler contextHandler =
                 new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
 
@@ -230,6 +231,11 @@ static ServletContextHandler newServletContextHandler(String contextPath,
 
         final ServletHolder apiServlet =
                 new ServletHolder(new ServletContainer(config));
+
+        if (workerConfig.isDisableHttpDebugMethods()) {
+            HttpSecurityProcessor.disableHttpDebugMethod(contextHandler, MATCH_ALL);
+        }
+
         contextHandler.addServlet(apiServlet, MATCH_ALL);
 
         filterInitializer.addFilters(contextHandler, requireAuthentication);

pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java

@@ -746,6 +746,16 @@ public class ProxyConfiguration implements PulsarConfiguration {
     )
     private double httpRequestsMaxPerSecond = 100.0;
 
+
+    @FieldContext(
+            category = CATEGORY_HTTP,
+            doc = "If true, the broker will reject all HTTP requests using the TRACE and TRACK verbs.\n"
+                    + " This setting may be necessary if the broker is deployed into an environment that uses http "
+                    + "port\n"
+                    + " scanning and flags web servers allowing the TRACE method as insecure."
+    )
+    private boolean disableHttpDebugMethods = false;
+
     @PropertiesContext(
         properties = {
             @PropertyContext(

pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/WebServer.java

@@ -31,6 +31,7 @@
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.pulsar.broker.authentication.AuthenticationService;
 import org.apache.pulsar.broker.web.AuthenticationFilter;
+import org.apache.pulsar.broker.web.HttpSecurityProcessor;
 import org.apache.pulsar.broker.web.JettyRequestLogFactory;
 import org.apache.pulsar.broker.web.JsonMapperProvider;
 import org.apache.pulsar.broker.web.RateLimitingFilter;
@@ -204,6 +205,11 @@ public void addServlet(String basePath, ServletHolder servletHolder,
 
         ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
         context.setContextPath(basePath);
+
+        if (config.isDisableHttpDebugMethods()) {
+            HttpSecurityProcessor.disableHttpDebugMethod(context, MATCH_ALL);
+        }
+
         context.addServlet(servletHolder, MATCH_ALL);
         for (Pair<String, Object> attribute : attributes) {
             context.setAttribute(attribute.getLeft(), attribute.getRight());