From dee84caf9bb26b9b41c98e28f632929573836f73 Mon Sep 17 00:00:00 2001 From: Eduard Schander <66794307+EddeCCC@users.noreply.github.com> Date: Mon, 28 Aug 2023 16:51:43 +0200 Subject: [PATCH] update SecurityConfig (#46) * update security-config * update cors-test * remove unused imports --- .../eum/server/security/SecurityConfig.java | 10 +-- .../eum/server/security/cors/CorsTest.java | 75 +++++++++++++++++++ 2 files changed, 80 insertions(+), 5 deletions(-) create mode 100644 src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java diff --git a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java index e80a082..91ef62b 100644 --- a/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java +++ b/src/main/java/rocks/inspectit/oce/eum/server/security/SecurityConfig.java @@ -9,6 +9,7 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; @@ -20,10 +21,9 @@ @Slf4j @Configuration +@EnableWebSecurity public class SecurityConfig { - @Autowired - private AuthenticationManager authenticationManager; @Autowired private EumServerConfiguration configuration; @Autowired(required = false) 
@@ -53,8 +53,8 @@ protected void configure(AuthenticationManagerBuilder auth) {
      * @throws Exception In case of any error
      */
     @Bean
-    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.cors(AbstractHttpConfigurer::disable).csrf(AbstractHttpConfigurer::disable);
+    protected SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
+        http.cors(Customizer.withDefaults()).csrf(AbstractHttpConfigurer::disable);
         if (configuration.getSecurity().isEnabled()) {
             http.authorizeHttpRequests(
                     authz -> authz
@@ -74,4 +74,4 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         }
         return http.build();
     }
-}
\ No newline at end of file
+}
diff --git a/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java
new file mode 100644
index 0000000..051ba6b
--- /dev/null
+++ b/src/test/java/rocks/inspectit/oce/eum/server/security/cors/CorsTest.java
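Review bot: The Javadoc directly above the changed `filterChain` signature (context line `* @throws Exception In case of any error`) is not updated for the new `authenticationManager` parameter; add `@param authenticationManager the manager handed to the authentication filter` alongside the existing tags (where the parameter is consumed is below the hunk, so adjust the wording to the actual use). Replacing `AbstractHttpConfigurer::disable` with `Customizer.withDefaults()` makes the effective origin allow-list depend on whichever `CorsConfigurationSource` bean or Spring MVC CORS mapping the context supplies, and none of that is visible here; a comment such as `// CORS policy is supplied by [CorsConfigurationSource bean / MVC CORS mapping — fill in]` would let a reviewer locate and verify it. When checking that source, the thing to confirm is that it does not pair a wildcard origin with allowed credentials, since this filter chain is the only place the change is visible. The method body and the `if (configuration.getSecurity().isEnabled())` branch continue past the hunk.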
@@ -0,0 +1,75 @@
+package rocks.inspectit.oce.eum.server.security.cors;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.util.TestPropertyValues;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.context.ApplicationContextInitializer;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.http.*;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ContextConfiguration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ContextConfiguration(initializers = CorsTest.Initializer.class)
+@DirtiesContext
+public class CorsTest {
+
+    @Autowired
+    private TestRestTemplate restTemplate;
+
+    static class Initializer implements ApplicationContextInitializer {
+
+        @Override
+        public void initialize(ConfigurableApplicationContext applicationContext) {
+            String tokenDir = getClass().getClassLoader().getResource("security/simple-auth-provider").getFile();
+            TestPropertyValues.of("inspectit-eum-server.security.enabled=true", "inspectit-eum-server.security.auth-provider.simple.enabled=true", "inspectit-eum-server.security.auth-provider.simple.token-directory=" + tokenDir, "inspectit-eum-server.security.auth-provider.simple.default-file-name=")
+                    .applyTo(applicationContext);
+        }
+    }
+
+    @Test
+    public void successfulCorsForGetBeacons() {
+        String endpoint = "/beacon";
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setOrigin("https://www.example.com");
+        headers.setAccessControlRequestMethod(HttpMethod.GET);
+        HttpEntity requestEntity = new HttpEntity<>(headers);
+        ResponseEntity response = restTemplate.exchange(
+                endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void successfulCorsForPostBeacons() {
+        String endpoint = "/beacon";
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setOrigin("https://www.example.com");
+        headers.setAccessControlRequestMethod(HttpMethod.POST);
+        HttpEntity requestEntity = new HttpEntity<>(headers);
+        ResponseEntity response = restTemplate.exchange(
+                endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void successfulCorsForSpans() {
+        String endpoint = "/spans";
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.setOrigin("https://www.example.com");
+        headers.setAccessControlRequestMethod(HttpMethod.POST);
+        HttpEntity requestEntity = new HttpEntity<>(headers);
+        ResponseEntity response = restTemplate.exchange(
+                endpoint, HttpMethod.OPTIONS, requestEntity, String.class);
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+}
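Review bot: All three tests assert only `HttpStatus.OK` on the preflight, which cannot tell a deliberately scoped origin allow-list apart from a wildcard policy and never shows that a foreign origin is refused; each test should also check `response.getHeaders().getAccessControlAllowOrigin()`, and one test should send an origin outside the policy and expect the rejection status. The 200 is informative only because Spring's CORS processing rejects a preflight whose origin is not allowed, which is behaviour of the framework, not of this hunk, so it is worth stating in a comment on the class. The three methods are byte-for-byte copies apart from endpoint and method; a small helper removes the duplication and gives one place to add the header assertion, sketched below. `getResource(...).getFile()` yields a URL path rather than a filesystem path, so the `token-directory` property may break when the test resources live under a path with encoded characters; `Paths.get(url.toURI())` is the usual replacement, if the surrounding build allows it.
```java
    private ResponseEntity<String> preflight(String endpoint, HttpMethod method) {
        HttpHeaders headers = new HttpHeaders();
        headers.setOrigin("https://www.example.com");
        headers.setAccessControlRequestMethod(method);
        return restTemplate.exchange(endpoint, HttpMethod.OPTIONS, new HttpEntity<>(headers), String.class);
    }

    @Test
    public void successfulCorsForGetBeacons() {
        ResponseEntity<String> response = preflight("/beacon", HttpMethod.GET);

        assertEquals(HttpStatus.OK, response.getStatusCode());
        // EXPECTED_ALLOW_ORIGIN is a placeholder: the value depends on the configured CorsConfigurationSource
        assertEquals(EXPECTED_ALLOW_ORIGIN, response.getHeaders().getAccessControlAllowOrigin());
    }
    // … unchanged: successfulCorsForPostBeacons and successfulCorsForSpans, reduced to preflight(...) the same way …
```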