Skip to content

Commit

Permalink
change valid endpoints to Enum types
Browse files Browse the repository at this point in the history
  • Loading branch information
asalan316 committed Jun 14, 2023
1 parent 87416bc commit 145d426
Show file tree
Hide file tree
Showing 4 changed files with 17 additions and 45 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ MAKEFLAGS = -s
go_modules:= $(shell find . -maxdepth 3 -name "*.mod" -exec dirname {} \; | sed 's|\./src/||' | sort)
all_modules:= $(go_modules) db scheduler
.SHELLFLAGS := -eu -o pipefail -c ${SHELLFLAGS}
MVN_OPTS="-Dmaven.test.skip=true"
MVN_OPTS="-Dmaven.test.skip=true -Dmaven.plugin.validation=VERBOSE"
OS:=$(shell . /etc/lsb-release &>/dev/null && echo $${DISTRIB_ID} || uname )
db_type:=postgres
DB_HOST:=localhost
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.cloudfoundry.autoscaler.scheduler.util.health.EndpointsEnum;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils;
Expand All @@ -23,17 +24,15 @@ public class HealthServerConfiguration {
private Integer port;
private Set<String> unprotectedEndpoints;

final Map<String, Boolean> validProtectedEndpoints =
Map.of(
"/health/prometheus", true,
"/health/liveness", true);

@PostConstruct
public void init() {

validatePort();
validateConfiguredEndpoints();

// We need the username and password in health configuration if and only if
// - atleast one endpoints exists in the unprotectedEndpoints configuration
// - and the unprotectedEndpoints is empty => all endpoints are protected
boolean basicAuthEnabled =
(unprotectedEndpoints != null || ObjectUtils.isEmpty(unprotectedEndpoints));
if (basicAuthEnabled
Expand Down Expand Up @@ -62,7 +61,8 @@ private void validateConfiguredEndpoints() {
return;
}
for (String unprotectedEndpoint : unprotectedEndpoints) {
if (!validProtectedEndpoints.containsKey(unprotectedEndpoint)) {

if (!EndpointsEnum.isValidEndpoint(unprotectedEndpoint)) {
invalidEndpointsMap.put(unprotectedEndpoint, true);
}
}
Expand All @@ -72,7 +72,11 @@ private void validateConfiguredEndpoints() {
+ invalidEndpointsMap
+ "\n"
+ "validate endpoints are: "
+ validProtectedEndpoints);
+ EndpointsEnum.displayAllEndpointValues());
}
}

public boolean isUnprotectedByConfiguration(String requestURI) {
return this.getUnprotectedEndpoints().contains(requestURI);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,11 @@
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.codec.binary.Base64;
import org.cloudfoundry.autoscaler.scheduler.conf.HealthServerConfiguration;
import org.cloudfoundry.autoscaler.scheduler.util.health.EndpointsEnum;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
Expand Down Expand Up @@ -63,7 +63,8 @@ public void doFilter(
// BasicAuthenticationFilterTest#denyHealthRequestWithWrongUnprotectedEndpoints()
// Suggestion: THe following block should be part of HealthConfiguration.
// Move this block to Health Configuration/Or adjust test
if (!healthConfigsExists()) {
if (!EndpointsEnum.configuredEndpointsExists(
healthServerConfiguration.getUnprotectedEndpoints())) {
log.error("Health Configuration: Invalid endpoints defined");
httpResponse.setHeader(HttpHeaders.WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
Expand All @@ -81,19 +82,6 @@ public void doFilter(
}
}

private boolean healthConfigsExists() {
boolean found = false;
Map<String, Boolean> validProtectedEndpoints =
healthServerConfiguration.getValidProtectedEndpoints();
for (String configuredEndpoint : healthServerConfiguration.getUnprotectedEndpoints()) {
found = validProtectedEndpoints.containsKey(configuredEndpoint);
}
if (!found) {
return false;
}
return true;
}

private void allowAuthenticatedRequest(
FilterChain filterChain, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
throws IOException, ServletException {
Expand Down Expand Up @@ -128,11 +116,9 @@ private void allowAuthenticatedRequest(
}

private boolean isEndpointRequireAuthentication(String requestURI) {
Map<String, Boolean> protectedEndpoints =
healthServerConfiguration.getValidProtectedEndpoints();
boolean isProtected = protectedEndpoints.containsKey(requestURI);
boolean isProtected = EndpointsEnum.isValidEndpoint(requestURI);
boolean isUnprotectedByConfiguration =
healthServerConfiguration.getUnprotectedEndpoints().contains(requestURI);
healthServerConfiguration.isUnprotectedByConfiguration(requestURI);

return isProtected && !isUnprotectedByConfiguration;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -125,24 +125,6 @@ public void allowRequestIfPort8081andURIContainHealthWithUnprotectedEndpoints()
Mockito.verify(filterChainMock, Mockito.times(1)).doFilter(req, res);
}

@Test
public void denyHealthRequestWithWrongUnprotectedEndpoints()
throws IOException, ServletException {

req.setRequestURI("/health/liveness");
String auth = username + ":" + password;
req.addHeader("Authorization", "Basic " + Base64.encodeBase64String(auth.getBytes()));

HealthServerConfiguration healthServerConfig =
new HealthServerConfiguration(username, password, 8081, Set.of("/health/wrong-endpoint"));
BasicAuthenticationFilter filter = new BasicAuthenticationFilter(healthServerConfig);
filter.doFilter(req, res, filterChainMock);

Mockito.verify(filterChainMock, Mockito.times(0)).doFilter(req, res);
assertEquals(401, res.getStatus());
assertEquals(res.getHeader("WWW-Authenticate"), "Basic");
}

@ParameterizedTest
@ValueSource(strings = {"/health/prometheus", "/health/liveness", "/health/wrong-endpoint"})
public void denyHealthRequestsWithNoUnprotectedEndpointsConfigThenBasicAuthRequired(
Expand Down

0 comments on commit 145d426

Please sign in to comment.