From 5037f7317c3056a3c03a345341186ff077029924 Mon Sep 17 00:00:00 2001
From: EddeCCC
Date: Mon, 28 Aug 2023 15:25:57 +0200
Subject: [PATCH 1/3] update security-config

---
 .../eum/server/security/SecurityConfig.java | 17 ++++--
 .../eum/server/security/cors/CorsTest.java | 57 +++++++++++++++++++
 2 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java

diff --git a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
index e80a082..9dbe911 100644
--- a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
+++ b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
@@ -9,21 +9,26 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.cors.CorsConfigurationSource; +import org.springframework.web.cors.CorsUtils; +import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import rocks.inspectit.oce.eum.server.configuration.model.EumServerConfiguration; import rocks.inspectit.oce.eum.server.configuration.model.security.SecuritySettings; +import java.util.Arrays; import java.util.Collections; import java.util.List; @Slf4j @Configuration +@EnableWebSecurity public class SecurityConfig { - @Autowired - private AuthenticationManager authenticationManager; @Autowired private EumServerConfiguration configuration; @Autowired(required = false) 
@@ -53,8 +58,10 @@ protected void configure(AuthenticationManagerBuilder auth) { * @throws Exception In case of any error */ @Bean - protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.cors(AbstractHttpConfigurer::disable).csrf(AbstractHttpConfigurer::disable); + protected SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception { + //http.cors().and().csrf(); //GEHT + http.cors(Customizer.withDefaults()).csrf(AbstractHttpConfigurer::disable); //GEHT + //http.cors(AbstractHttpConfigurer::disable).csrf(AbstractHttpConfigurer::disable); //GEHT NICHT if (configuration.getSecurity().isEnabled()) { http.authorizeHttpRequests( authz -> authz @@ -74,4 +81,4 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception { } return http.build(); } -} \ No newline at end of file +} diff --git a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java new file mode 100644 index 0000000..b16de18 --- /dev/null +++ b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java 
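Review bot: `http.cors(Customizer.withDefaults())` in filterChain delegates the actual policy to a `CorsConfigurationSource` bean (or, failing that, to the Spring MVC CORS registrations), and this hunk defines neither, so a reader of SecurityConfig cannot tell which origins, methods and headers `/beacon` now accepts cross-origin; the `CorsConfiguration`/`UrlBasedCorsConfigurationSource` imports added in the first hunk suggest such a bean was intended but never written. Add a comment on that line naming where the policy lives, e.g. `// CORS policy (allowed origins/methods/headers) comes from the CorsConfigurationSource bean / MVC CORS registrations, not from this chain`, and if a wildcard origin is intended say so explicitly, since the new test expects an arbitrary origin to pass preflight and a wildcard must not be combined with allowCredentials. The same line reappears in the second patch's SecurityConfig hunk (`@@ -59,9 +59,7 @@`), so the comment belongs there as well. filterChain's body continues outside the hunk.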
@@ -0,0 +1,57 @@ +package rocks.inspectit.oce.eum.server.security.cors; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.context.junit4.SpringRunner; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; + +@RunWith(SpringRunner.class) +@SpringBootTest +public class CorsTest { + + @Autowired + private WebApplicationContext wac; + + public MockMvc mockMvc; + + @BeforeEach + public void setUp() { + DefaultMockMvcBuilder builder = MockMvcBuilders + .webAppContextSetup(wac) + .dispatchOptions(true); + this.mockMvc = builder.build(); + } + + @Test + public void testSuccessfulCors() throws Exception { + this.mockMvc + .perform(options("/beacon") + .header("Origin", "www.example.com") + .header("Access-Control-Request-Method", "GET") + ) + .andDo(print()) + .andExpect(status().isOk()); + } + + @Test + public void testFailingCors() throws Exception { + this.mockMvc + .perform(options("/beacon") + .header("Access-Control-Request-Method", "DUMMY") + .header("Origin", "www.example.com") + ) + .andDo(print()) + .andExpect(status().isForbidden()); + } +} From c90d9d99e705568c03bdb1abed68af8f42df6a8e Mon Sep 17 00:00:00 2001 
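Review bot: `testFailingCors` is the only negative case and it rejects a bogus `Access-Control-Request-Method: DUMMY`, which proves nothing about origin restrictions; the case that shows CORS actually limits anything is a preflight from an origin outside the allow list expecting 403, and neither this file nor the rewritten test in the second patch of this series (hunk `@@ -1,57 +1,78 @@`) has one. Both `Origin` values also lack a scheme (`www.example.com` is not a valid origin); use `https://www.example.com`. The class mixes JUnit 4 `@RunWith(SpringRunner.class)` with Jupiter's `@BeforeEach`/`@Test`: under Jupiter the runner is ignored, under JUnit 4 `@BeforeEach` never runs and `mockMvc` stays null, so drop `@RunWith` (`@SpringBootTest` already registers the SpringExtension in current Boot versions).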
From: EddeCCC Date: Mon, 28 Aug 2023 16:42:29 +0200 Subject: [PATCH 2/3] update cors-test --- .../eum/server/security/SecurityConfig.java | 4 +- .../eum/server/security/cors/CorsTest.java | 99 +++++++++++-------- 2 files changed, 61 insertions(+), 42 deletions(-) diff --git a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java index 9dbe911..5cd8015 100644 --- a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java +++ b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java @@ -59,9 +59,7 @@ protected void configure(AuthenticationManagerBuilder auth) { */ @Bean protected SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception { - //http.cors().and().csrf(); //GEHT - http.cors(Customizer.withDefaults()).csrf(AbstractHttpConfigurer::disable); //GEHT - //http.cors(AbstractHttpConfigurer::disable).csrf(AbstractHttpConfigurer::disable); //GEHT NICHT + http.cors(Customizer.withDefaults()).csrf(AbstractHttpConfigurer::disable); if (configuration.getSecurity().isEnabled()) { http.authorizeHttpRequests( authz -> authz diff --git a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java index b16de18..694bf72 100644 --- a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java +++ b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java 
@@ -1,57 +1,78 @@ package rocks.inspectit.oce.eum.server.security.cors; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; -import org.springframework.test.context.junit4.SpringRunner; -import org.springframework.test.web.servlet.MockMvc; -import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder; -import org.springframework.test.web.servlet.setup.MockMvcBuilders; -import org.springframework.web.context.WebApplicationContext; - -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options; -import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; - -@RunWith(SpringRunner.class) -@SpringBootTest +import org.springframework.boot.test.util.TestPropertyValues; +import org.springframework.boot.test.web.client.TestRestTemplate; +import org.springframework.context.ApplicationContextInitializer; +import org.springframework.context.ConfigurableApplicationContext; +import org.springframework.http.*; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.context.ContextConfiguration; + +import java.util.List; + +import static org.junit.jupiter.api.Assertions.assertEquals; + + +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@ContextConfiguration(initializers = CorsTest.Initializer.class) +@DirtiesContext public class CorsTest { @Autowired - private WebApplicationContext wac; + private TestRestTemplate restTemplate; - public MockMvc mockMvc; + static class Initializer implements ApplicationContextInitializer { - @BeforeEach - public void setUp() { - DefaultMockMvcBuilder builder = 
MockMvcBuilders - .webAppContextSetup(wac) - .dispatchOptions(true); - this.mockMvc = builder.build(); + @Override + public void initialize(ConfigurableApplicationContext applicationContext) { + String tokenDir = getClass().getClassLoader().getResource("security/simple-auth-provider").getFile(); + TestPropertyValues.of("inspectit-eum-server.security.enabled=true", "inspectit-eum-server.security.auth-provider.simple.enabled=true", "inspectit-eum-server.security.auth-provider.simple.token-directory=" + tokenDir, "inspectit-eum-server.security.auth-provider.simple.default-file-name=") + .applyTo(applicationContext); + } } @Test - public void testSuccessfulCors() throws Exception { - this.mockMvc - .perform(options("/beacon") - .header("Origin", "www.example.com") - .header("Access-Control-Request-Method", "GET") - ) - .andDo(print()) - .andExpect(status().isOk()); + public void successfulCorsForGetBeacons() { + String endpoint = "/beacon"; + + HttpHeaders headers = new HttpHeaders(); + headers.setOrigin("https://www.example.com"); + headers.setAccessControlRequestMethod(HttpMethod.GET); + HttpEntity requestEntity = new HttpEntity<>(headers); + ResponseEntity response = restTemplate.exchange( + endpoint, HttpMethod.OPTIONS, requestEntity, String.class); + + assertEquals(HttpStatus.OK, response.getStatusCode()); } @Test - public void testFailingCors() throws Exception { - this.mockMvc - .perform(options("/beacon") - .header("Access-Control-Request-Method", "DUMMY") - .header("Origin", "www.example.com") - ) - .andDo(print()) - .andExpect(status().isForbidden()); + public void successfulCorsForPostBeacons() { + String endpoint = "/beacon"; + + HttpHeaders headers = new HttpHeaders(); + headers.setOrigin("https://www.example.com"); + headers.setAccessControlRequestMethod(HttpMethod.POST); + HttpEntity requestEntity = new HttpEntity<>(headers); + ResponseEntity response = restTemplate.exchange( + endpoint, HttpMethod.OPTIONS, requestEntity, String.class); + + 
assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ public void successfulCorsForSpans() {
+ String endpoint = "/spans";
+
+ HttpHeaders headers = new HttpHeaders();
+ headers.setOrigin("https://www.example.com");
+ headers.setAccessControlRequestMethod(HttpMethod.POST);
+ HttpEntity requestEntity = new HttpEntity<>(headers);
+ ResponseEntity response = restTemplate.exchange(
+ endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+ assertEquals(HttpStatus.OK, response.getStatusCode());
 }
 }

From d0e9313ad1ea748ffbb591199101d2e6837f8ca5 Mon Sep 17 00:00:00 2001
From: EddeCCC
Date: Mon, 28 Aug 2023 16:47:15 +0200
Subject: [PATCH 3/3] remove unused imports

---
 .../inspectit/oce/eum/server/security/SecurityConfig.java | 5 -----
 .../inspectit/oce/eum/server/security/cors/CorsTest.java | 3 ---
 2 files changed, 8 deletions(-)

diff --git a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
index 5cd8015..91ef62b 100644
--- a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
+++ b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
@@ -13,14 +13,9 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.CorsUtils;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import rocks.inspectit.oce.eum.server.configuration.model.EumServerConfiguration;
 import rocks.inspectit.oce.eum.server.configuration.model.security.SecuritySettings;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
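Review bot: All three tests assert only `HttpStatus.OK` on the OPTIONS response, which does not by itself show that the CORS filter accepted the origin (a 200 to a preflight can come back without any CORS headers at all); add `assertEquals("https://www.example.com", response.getHeaders().getAccessControlAllowOrigin())` so a missing or misconfigured policy fails the test. In `Initializer.initialize`, `getResource(...).getFile()` returns the URL path with percent-encoding intact and is unusable when test resources are packaged in a jar; resolving through `toURI()` and `Paths.get` is the robust form, and `ApplicationContextInitializer` should be parameterised with `ConfigurableApplicationContext` rather than used raw. The three test bodies are one preflight with a different endpoint and method, so a small helper removes the duplication together with the raw `HttpEntity`/`ResponseEntity` types:
```java
    private ResponseEntity<String> preflight(String endpoint, HttpMethod requestedMethod) {
        HttpHeaders headers = new HttpHeaders();
        headers.setOrigin("https://www.example.com");
        headers.setAccessControlRequestMethod(requestedMethod);
        return restTemplate.exchange(endpoint, HttpMethod.OPTIONS, new HttpEntity<>(headers), String.class);
    }

    @Test
    public void successfulCorsForGetBeacons() {
        ResponseEntity<String> response = preflight("/beacon", HttpMethod.GET);
        assertEquals(HttpStatus.OK, response.getStatusCode());
        assertEquals("https://www.example.com", response.getHeaders().getAccessControlAllowOrigin());
    }
    // … successfulCorsForPostBeacons / successfulCorsForSpans: same shape with "/beacon" or "/spans" and HttpMethod.POST …
```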
diff --git a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java
index 694bf72..051ba6b 100644
--- a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java
+++ b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java
@@ -11,11 +11,8 @@ import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ContextConfiguration;
-import java.util.List;
-
 import static org.junit.jupiter.api.Assertions.assertEquals;
-
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
 @ContextConfiguration(initializers = CorsTest.Initializer.class)
 @DirtiesContext