From a551c5544c9113b7e33d9dd3daf87f8eafe53c7e Mon Sep 17 00:00:00 2001
From: diuis
Date: Thu, 27 Feb 2020 02:29:35 +0100
Subject: [PATCH 1/5] add starts with predicate for accepted hosts

---
 .../common/jaxrs/SecurityValidator.java | 8 +++-
 .../common/jaxrs/SecurityValidatorTest.java | 45 ++++++++++++++++++-
 2 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java b/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
index d7d364f..683d8ba 100644
--- a/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
+++ b/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
@@ -43,13 +43,16 @@ public class SecurityValidator {
 private List acceptedRoles;
 
 public void init() {
+ acceptedRoles = config("geronimo.metrics.jaxrs.acceptedRoles", identity()).orElse(null);
 acceptedHosts = config("geronimo.metrics.jaxrs.acceptedHosts", value -> {
 if ("".equals(value)) {
 return LOCAL_MATCHER;
 }
- return (Predicate) value::equals;
+ return Optional.ofNullable(value)
+ .filter(v -> v.endsWith("."))
+ .map(v -> ((Predicate) p -> p.startsWith(v)))
+ .orElse((Predicate) value::equals);
 }).orElse(singletonList(LOCAL_MATCHER));
- acceptedRoles = config("geronimo.metrics.jaxrs.acceptedRoles", identity()).orElse(null);
 }
 
 public void checkSecurity(final SecurityContext securityContext, final UriInfo uriInfo) {
@@ -85,4 +88,5 @@ private Optional> config(final String key, final Function
 protected String config(final String key) {
 return System.getProperty(key);
 }
+
 }
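Review bot: The added `.map(v -> ((Predicate) p -> p.startsWith(v)))` branch makes a configured value ending in `.` a plain string-prefix test on whatever host string `checkSecurity` hands to the predicate (its body is outside the hunk; the README hunk in PATCH 5/5 says the host comes from `UriInfo#getRequestUri`), so `10.` accepts not only `10.x.y.z` literals but any host beginning with those characters, for example a hostname such as `10.example.org`, because nothing in the lambda limits the prefix form to dotted-decimal addresses. Either record that trade-off on the lambda, e.g. `// plain prefix match on the request host, not a CIDR/netmask check: "10." also matches hostnames such as "10.example.org"`, or only take the prefix branch when the part before the trailing dot parses as numeric octets. A smaller point: `Optional.ofNullable(value)` reads as if a null `value` were tolerated, but the `orElse((Predicate) value::equals)` argument is evaluated eagerly and would throw `NullPointerException` for a null `value` exactly as the removed `value::equals` line did, so a plain `if (value.endsWith("."))` guard returning the prefix predicate, followed by the existing `return (Predicate) value::equals;`, states the same logic without the misleading wrapper.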
diff --git a/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java b/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java
index c2e0aef..ed650b7 100644
--- a/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java
+++ b/geronimo-metrics-common/src/test/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidatorTest.java
@@ -27,8 +27,6 @@ import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 
 
-import com.sun.org.apache.regexp.internal.RE;
-
 import org.junit.Test;
 
 public class SecurityValidatorTest {
@@ -96,6 +94,7 @@ public String getAuthenticationScheme() {
 }
 };
 private static final UriInfo REMOTE = uri("http://geronimo.somewhere");
+ private static final UriInfo REMOTE_WITH_DOT = uri("http://10.0.0.0");
 private static final UriInfo LOCALHOST = uri("http://localhost");
 
 @Test
@@ -105,6 +104,20 @@ public void localValid() {
 }}.checkSecurity(ANONYMOUS, LOCALHOST);
 }
 
+ @Test
+ public void remoteWithDotValid() {
+ new SecurityValidator() {
+ {
+ init();
+ }
+
+ @Override
+ protected String config(final String key) {
+ return key.endsWith("acceptedHosts") ? "10." : null;
+ }
+ }.checkSecurity(ANONYMOUS, REMOTE_WITH_DOT);
+ }
+
 @Test(expected = WebApplicationException.class)
 public void remoteInvalid() {
 new SecurityValidator() {{
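Review bot: The new `remoteWithDotValid` test only covers the accepting side of the prefix rule; nothing in this hunk or in the later test hunk of this patch asserts that, with `acceptedHosts` set to `10.`, a host that does not start with `10.` is still rejected, or that a value without the trailing dot (`10`) remains an exact match, so a regression in `SecurityValidator.init()` that accepted every host would still pass the suite. Add the rejecting counterpart next to it, reusing the same `config` override but annotated `@Test(expected = WebApplicationException.class)` and named `public void remoteWithDotInvalid() {`, ending in `}.checkSecurity(ANONYMOUS, REMOTE);`. A second case that configures `"10"` (no trailing dot) and calls `checkSecurity(ANONYMOUS, REMOTE_WITH_DOT)` with the same expected exception would pin the exact-match fallback as well.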
@@ -168,6 +181,34 @@ protected String config(final String key) {
 }.checkSecurity(ADMIN, REMOTE);
 }
 
+ @Test
+ public void roleAndHostThatEndsWithDotValid() {
+ new SecurityValidator() {
+ {
+ init();
+ }
+
+ @Override
+ protected String config(final String key) {
+ return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;
+ }
+ }.checkSecurity(ADMIN, REMOTE_WITH_DOT);
+ }
+
+ @Test(expected = WebApplicationException.class)
+ public void roleAnonymousAndHostThatEndsWithDotValid() {
+ new SecurityValidator() {
+ {
+ init();
+ }
+
+ @Override
+ protected String config(final String key) {
+ return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;
+ }
+ }.checkSecurity(LOGGED_NO_ROLE, REMOTE_WITH_DOT);
+ }
+
 private static UriInfo uri(final String request) {
 return new UriInfoMock(request);
 }

From f1a3609f2059a2a22de70a52568a8e99183517d4 Mon Sep 17 00:00:00 2001
From: diuis
Date: Thu, 27 Feb 2020 09:02:17 +0100
Subject: [PATCH 2/5] add eclipse files and directories to gitignore

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 218afde..15b39fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 *.iml
 target
 src/test/java/io/*
+.classpath
+.project
+.settings
\ No newline at end of file

From 9f739ec6727d48a66ba863834170090d3694475f Mon Sep 17 00:00:00 2001
From: diuis
Date: Thu, 27 Feb 2020 09:06:56 +0100
Subject: [PATCH 3/5] Update SecurityValidator.java

---
 .../microprofile/metrics/common/jaxrs/SecurityValidator.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java b/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
index 683d8ba..9d033b4 100644
--- a/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
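Review bot: `roleAnonymousAndHostThatEndsWithDotValid` is declared `@Test(expected = WebApplicationException.class)` and passes `LOGGED_NO_ROLE`, so its name is wrong on both counts: the case is expected to be rejected, and the principal is a logged-in user without the role rather than `ANONYMOUS`; following the existing `remoteInvalid` naming, `public void roleMissingAndHostThatEndsWithDotInvalid()` says what is actually asserted. Both new tests also copy the same `config` override verbatim (`return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;`); a small private helper that returns the configured `SecurityValidator` would reduce each case to its differing `checkSecurity` arguments and keep the two overrides from drifting apart.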
+++ b/geronimo-metrics-common/src/main/java/org/apache/geronimo/microprofile/metrics/common/jaxrs/SecurityValidator.java
@@ -88,5 +88,4 @@ private Optional> config(final String key, final Function
 protected String config(final String key) {
 return System.getProperty(key);
 }
-
 }

From 840091aa2862a52659841d4db23eec14c7b97a9b Mon Sep 17 00:00:00 2001
From: diuis
Date: Thu, 27 Feb 2020 09:15:47 +0100
Subject: [PATCH 4/5] fix typo (hosts instead of roles)

---
 README.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.adoc b/README.adoc
index fc305ce..97b4a26 100644
--- a/README.adoc
+++ b/README.adoc
@@ -42,7 +42,7 @@ At least one must match to let the request pass, if none is set this validation
 Note that a request without a principal will lead to a HTTP 401 whereas a request with a principal but not the right role will issue a HTTP 403.
 
 The host validation will use the JAX-RS `UriInfo#getRequestUri`.
-It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of roles.
+It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of hosts.
 At least one must match to let the request pass, if none is set this validation is ignored.
 The `` value is an alias for `127.x.y.z` or `1::x` IP or `localhost`.
 

From a814d9989e6e8b07fb96bf0b202ef8065855d4b5 Mon Sep 17 00:00:00 2001
From: diuis
Date: Thu, 27 Feb 2020 09:22:01 +0100
Subject: [PATCH 5/5] add doc for the starts with match

---
 README.adoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.adoc b/README.adoc
index 97b4a26..50163d2 100644
--- a/README.adoc
+++ b/README.adoc
@@ -44,6 +44,7 @@ Note that a request without a principal will lead to a HTTP 401 whereas a reques
 The host validation will use the JAX-RS `UriInfo#getRequestUri`.
 It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of hosts.
 At least one must match to let the request pass, if none is set this validation is ignored.
+If the host value ends with a dot, the match is a start with match and not an exact match.
 The `` value is an alias for `127.x.y.z` or `1::x` IP or `localhost`.
 
 Configuration example:
@@ -51,7 +52,7 @@ Configuration example:
 [source]
 ----
 -Dgeronimo.metrics.jaxrs.acceptedRoles=ops \
--Dgeronimo.metrics.jaxrs.acceptedHosts=my.remote.host
+-Dgeronimo.metrics.jaxrs.acceptedHosts=my.remote.host,10.0.0.
 ----
 
 IMPORTANT: the default is `geronimo.metrics.jaxrs.acceptedHosts=` but you can disable the endpoints using `geronimo.metrics.jaxrs.activated=false`.