diff --git a/.gitignore b/.gitignore
index 218afde..15b39fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 *.iml
 target
 src/test/java/io/*
+.classpath
+.project
+.settings
\ No newline at end of file
diff --git a/README.adoc b/README.adoc
index fc305ce..50163d2 100644
--- a/README.adoc
+++ b/README.adoc
@@ -42,8 +42,9 @@ At least one must match to let the request pass, if none is set this validation
 Note that a request without a principal will lead to a HTTP 401 whereas a request with a principal but not the right role will issue a HTTP 403.
 The host validation will use the JAX-RS `UriInfo#getRequestUri`.
-It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of roles.
+It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of hosts.
 At least one must match to let the request pass, if none is set this validation is ignored.
+If the host value ends with a dot, the match is a start with match and not an exact match.
 The `` value is an alias for `127.x.y.z` or `1::x` IP or `localhost`.
 Configuration example:
@@ -51,7 +52,7 @@ Configuration example:
 [source]
 ----
 -Dgeronimo.metrics.jaxrs.acceptedRoles=ops \
--Dgeronimo.metrics.jaxrs.acceptedHosts=my.remote.host
+-Dgeronimo.metrics.jaxrs.acceptedHosts=my.remote.host,10.0.0.
 ----
 IMPORTANT: the default is `geronimo.metrics.jaxrs.acceptedHosts=` but you can disable the endpoints using `geronimo.metrics.jaxrs.activated=false`.
diff --git a/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java b/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
index d7d364f..9d033b4 100644
--- a/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
+++ b/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
@@ -43,13 +43,16 @@ public class SecurityValidator {
 private List acceptedRoles;
 public void init() {
+ acceptedRoles = config("geronimo.metrics.jaxrs.acceptedRoles", identity()).orElse(null);
 acceptedHosts = config("geronimo.metrics.jaxrs.acceptedHosts", value -> {
 if ("".equals(value)) {
 return LOCAL_MATCHER;
 }
- return (Predicate) value::equals;
+ return Optional.ofNullable(value)
+ .filter(v -> v.endsWith("."))
+ .map(v -> ((Predicate) p -> p.startsWith(v)))
+ .orElse((Predicate) value::equals);
 }).orElse(singletonList(LOCAL_MATCHER));
- acceptedRoles = config("geronimo.metrics.jaxrs.acceptedRoles", identity()).orElse(null);
 }
 public void checkSecurity(final SecurityContext securityContext, final UriInfo uriInfo) {
diff --git a/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java b/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java
index 63df1e0..ed650b7 100644
--- a/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java
+++ b/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java
@@ -27,7 +27,6 @@ import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
-
 import org.junit.Test;
 public class SecurityValidatorTest {
@@ -95,6 +94,7 @@ public String getAuthenticationScheme() {
 }
 };
 private static final UriInfo REMOTE = uri("http://geronimo.somewhere");
+ private static final UriInfo REMOTE_WITH_DOT = uri("http://10.0.0.0");
 private static final UriInfo LOCALHOST = uri("http://localhost");
 @Test
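Review bot: The trailing-dot form in the new `init()` body compiles to a plain textual prefix test, `p -> p.startsWith(v)`, so a configured `10.` accepts any request host whose string form begins with that prefix — not only addresses within 10.0.0.0/8 — and the host string is taken from the request URI, which the client supplies. If the intent is to admit IP ranges, the predicate should parse the host as an address and compare it against the configured prefix or CIDR; otherwise the contract should be stated where it is built, e.g. `// textual prefix match on the request host string, not a network/CIDR match`. Separately, `Optional.ofNullable(value)` implies `value` may be null, yet `.orElse((Predicate) value::equals)` binds the method reference eagerly and would throw NullPointerException on a null value, so the chain is either misleading or unsafe. A conditional expression, `return value.endsWith(".") ? (Predicate) p -> p.startsWith(value) : (Predicate) value::equals;`, states the same rule more directly and drops the spurious Optional.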
@@ -104,6 +104,20 @@ public void localValid() {
 }}.checkSecurity(ANONYMOUS, LOCALHOST);
 }
+ @Test
+ public void remoteWithDotValid() {
+ new SecurityValidator() {
+ {
+ init();
+ }
+
+ @Override
+ protected String config(final String key) {
+ return key.endsWith("acceptedHosts") ? "10." : null;
+ }
+ }.checkSecurity(ANONYMOUS, REMOTE_WITH_DOT);
+ }
+
 @Test(expected = WebApplicationException.class)
 public void remoteInvalid() {
 new SecurityValidator() {{
@@ -167,6 +181,34 @@ protected String config(final String key) {
 }.checkSecurity(ADMIN, REMOTE);
 }
+ @Test
+ public void roleAndHostThatEndsWithDotValid() {
+ new SecurityValidator() {
+ {
+ init();
+ }
+
+ @Override
+ protected String config(final String key) {
+ return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;
+ }
+ }.checkSecurity(ADMIN, REMOTE_WITH_DOT);
+ }
+
+ @Test(expected = WebApplicationException.class)
+ public void roleAnonymousAndHostThatEndsWithDotValid() {
+ new SecurityValidator() {
+ {
+ init();
+ }
+
+ @Override
+ protected String config(final String key) {
+ return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;
+ }
+ }.checkSecurity(LOGGED_NO_ROLE, REMOTE_WITH_DOT);
+ }
+
 private static UriInfo uri(final String request) {
 return new UriInfoMock(request);
 }
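Review bot: The new `remoteWithDotValid` test only exercises the accepting side of the prefix rule; nothing in this hunk, nor in the later one, asserts that a host which does not start with the configured `10.` prefix is rejected when the value ends with a dot, so a regression that turned the prefix match into an accept-all would pass the suite. A companion `@Test(expected = WebApplicationException.class)` using the same `"10."` configuration against the existing `REMOTE` host would pin the negative case with the same anonymous-class pattern used here.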
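Review bot: `roleAnonymousAndHostThatEndsWithDotValid` in the second hunk is annotated `@Test(expected = WebApplicationException.class)` and is run with `LOGGED_NO_ROLE`, so it verifies a rejection, not a valid request, and the principal it uses has no role rather than being anonymous; the name states the opposite of what the test asserts. Renaming it, e.g. `public void roleMissingAndHostThatEndsWithDotInvalid() {`, keeps the test list consistent with the existing `remoteInvalid` naming.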