update SecurityConfig (#46)

* update security-config * update cors-test * remove unused imports
inspectIT · Aug 28, 2023 · dee84ca · dee84ca
1 parent c616184
commit dee84ca
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 5 deletions.
diff --git a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java
@@ -9,6 +9,7 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -20,10 +21,9 @@
 
 @Slf4j
 @Configuration
+@EnableWebSecurity
 public class SecurityConfig {
 
-    @Autowired
-    private AuthenticationManager authenticationManager;
     @Autowired
     private EumServerConfiguration configuration;
     @Autowired(required = false)
@@ -53,8 +53,8 @@ protected void configure(AuthenticationManagerBuilder auth) {
      * @throws Exception In case of any error
      */
     @Bean
-    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.cors(AbstractHttpConfigurer::disable).csrf(AbstractHttpConfigurer::disable);
+    protected SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
+        http.cors(Customizer.withDefaults()).csrf(AbstractHttpConfigurer::disable);
         if (configuration.getSecurity().isEnabled()) {
             http.authorizeHttpRequests(
                     authz -> authz
@@ -74,4 +74,4 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         }
         return http.build();
     }
-}
+}
diff --git a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java
@@ -0,0 +1,75 @@
+package rocks.inspectit.oce.eum.server.security.cors;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.util.TestPropertyValues;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.context.ApplicationContextInitializer;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.http.*;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ContextConfiguration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ContextConfiguration(initializers = CorsTest.Initializer.class)
+@DirtiesContext
+public class CorsTest {
+
+    @Autowired
+    private TestRestTemplate restTemplate;
+
+    static class Initializer implements ApplicationContextInitializer<ConfigurableApplicationContext> {
+
+        @Override
+        public void initialize(ConfigurableApplicationContext applicationContext) {
+            String tokenDir = getClass().getClassLoader().getResource("security/simple-auth-provider").getFile();
+            TestPropertyValues.of("inspectit-eum-server.security.enabled=true", "inspectit-eum-server.security.auth-provider.simple.enabled=true", "inspectit-eum-server.security.auth-provider.simple.token-directory=" + tokenDir, "inspectit-eum-server.security.auth-provider.simple.default-file-name=")
+                    .applyTo(applicationContext);
+        }
+    }
+
+    @Test
+    public void successfulCorsForGetBeacons() {
+        String endpoint = "/beacon";
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setOrigin("https://www.example.com");
+        headers.setAccessControlRequestMethod(HttpMethod.GET);
+        HttpEntity<Void> requestEntity = new HttpEntity<>(headers);
+        ResponseEntity<String> response = restTemplate.exchange(
+                endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void successfulCorsForPostBeacons() {
+        String endpoint = "/beacon";
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setOrigin("https://www.example.com");
+        headers.setAccessControlRequestMethod(HttpMethod.POST);
+        HttpEntity<Void> requestEntity = new HttpEntity<>(headers);
+        ResponseEntity<String> response = restTemplate.exchange(
+                endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void successfulCorsForSpans() {
+        String endpoint = "/spans";
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setOrigin("https://www.example.com");
+        headers.setAccessControlRequestMethod(HttpMethod.POST);
+        HttpEntity<Void> requestEntity = new HttpEntity<>(headers);
+        ResponseEntity<String> response = restTemplate.exchange(
+                endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+}