3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -2,3 +2,6 @@
*.iml
target
src/test/java/io/*
.classpath
.project
.settings
5 changes: 3 additions & 2 deletions README.adoc
Expand Up @@ -42,16 +42,17 @@ At least one must match to let the request pass, if none is set this validation
Note that a request without a principal will lead to a HTTP 401 whereas a request with a principal but not the right role will issue a HTTP 403.

The host validation will use the JAX-RS `UriInfo#getRequestUri`.
It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of roles.
It relies on the system property `geronimo.metrics.jaxrs.acceptedHosts` and it takes a comma separated list of hosts.
At least one must match to let the request pass, if none is set this validation is ignored.
If the host value ends with a dot, the match is a start with match and not an exact match.
The `<local>` value is an alias for `127.x.y.z` or `1::x` IP or `localhost`.

Configuration example:

[source]
----
-Dgeronimo.metrics.jaxrs.acceptedRoles=ops \
-Dgeronimo.metrics.jaxrs.acceptedHosts=my.remote.host
-Dgeronimo.metrics.jaxrs.acceptedHosts=my.remote.host,10.0.0.
----

IMPORTANT: the default is `geronimo.metrics.jaxrs.acceptedHosts=<local>` but you can disable the endpoints using `geronimo.metrics.jaxrs.activated=false`.
Expand Up @@ -43,13 +43,16 @@ public class SecurityValidator {
private List<String> acceptedRoles;

public void init() {
acceptedRoles = config("geronimo.metrics.jaxrs.acceptedRoles", identity()).orElse(null);
acceptedHosts = config("geronimo.metrics.jaxrs.acceptedHosts", value -> {
if ("<local>".equals(value)) {
return LOCAL_MATCHER;
}
return (Predicate<String>) value::equals;
return Optional.ofNullable(value)
.filter(v -> v.endsWith("."))
.map(v -> ((Predicate<String>) p -> p.startsWith(v)))
.orElse((Predicate<String>) value::equals);
}).orElse(singletonList(LOCAL_MATCHER));
acceptedRoles = config("geronimo.metrics.jaxrs.acceptedRoles", identity()).orElse(null);
}

public void checkSecurity(final SecurityContext securityContext, final UriInfo uriInfo) {
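Review bot: The trailing-dot rule added in the `acceptedHosts` mapper (`p.startsWith(v)`) is a plain string prefix, not a network match, so a configured `10.` also accepts any request whose host string merely begins with `10.` (a DNS name such as `10.example.test`, not only `10.x.y.z` addresses), and a fully-qualified DNS name written with its trailing dot can no longer be configured as an exact match; both consequences deserve a comment at the lambda, e.g. `// trailing dot = string prefix match, not CIDR: "10." also matches host names starting with "10."`, and a sentence in the README. The `Optional.ofNullable(value)` wrapper adds nothing: `"<local>".equals(value)` has already run on the same value, and when `value` is null the `value::equals` fallback throws a NullPointerException anyway, so a plain conditional reads better: `if (value.endsWith(".")) { return (Predicate<String>) p -> p.startsWith(value); } return (Predicate<String>) value::equals;`. The `config` helper and `checkSecurity` (where the host string handed to the predicate is derived from the request URI) lie outside the hunk, so whether that string is normalised (case, port, trailing dot) before the prefix comparison cannot be confirmed here.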
Expand Up @@ -27,7 +27,6 @@
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;


import org.junit.Test;

public class SecurityValidatorTest {
Expand Down Expand Up @@ -95,6 +94,7 @@ public String getAuthenticationScheme() {
}
};
private static final UriInfo REMOTE = uri("http://geronimo.somewhere");
private static final UriInfo REMOTE_WITH_DOT = uri("http://10.0.0.0");
private static final UriInfo LOCALHOST = uri("http://localhost");

@Test
Expand All @@ -104,6 +104,20 @@ public void localValid() {
}}.checkSecurity(ANONYMOUS, LOCALHOST);
}

@Test
public void remoteWithDotValid() {
new SecurityValidator() {
{
init();
}

@Override
protected String config(final String key) {
return key.endsWith("acceptedHosts") ? "10." : null;
}
}.checkSecurity(ANONYMOUS, REMOTE_WITH_DOT);
}

@Test(expected = WebApplicationException.class)
public void remoteInvalid() {
new SecurityValidator() {{
Expand Down Expand Up @@ -167,6 +181,34 @@ protected String config(final String key) {
}.checkSecurity(ADMIN, REMOTE);
}

@Test
public void roleAndHostThatEndsWithDotValid() {
new SecurityValidator() {
{
init();
}

@Override
protected String config(final String key) {
return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;
}
}.checkSecurity(ADMIN, REMOTE_WITH_DOT);
}

@Test(expected = WebApplicationException.class)
public void roleAnonymousAndHostThatEndsWithDotValid() {
new SecurityValidator() {
{
init();
}

@Override
protected String config(final String key) {
return key.endsWith("acceptedRoles") ? "admin" : key.endsWith("acceptedHosts") ? "10." : null;
}
}.checkSecurity(LOGGED_NO_ROLE, REMOTE_WITH_DOT);
}

private static UriInfo uri(final String request) {
return new UriInfoMock(request);
}
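Review bot: `roleAnonymousAndHostThatEndsWithDotValid` (the second new test in the last hunk) is annotated `@Test(expected = WebApplicationException.class)`, so it asserts rejection, yet its name says `Valid`; renaming it to `roleAnonymousAndHostThatEndsWithDotInvalid` keeps it consistent with the existing `remoteInvalid`. The new prefix rule also has no negative case: every test that configures `10.` sends `REMOTE_WITH_DOT`, so a regression that made the trailing-dot branch accept every host would still pass. A rejection test against the existing `REMOTE` fixture closes that gap; it follows the shape of `remoteWithDotValid` and is shown below.
```java
    @Test(expected = WebApplicationException.class)
    public void remoteWithDotInvalid() {
        new SecurityValidator() {
            {
                init();
            }

            @Override
            protected String config(final String key) {
                return key.endsWith("acceptedHosts") ? "10." : null;
            }
        }.checkSecurity(ANONYMOUS, REMOTE);
    }
```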