author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-09 11:29:36 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-09 11:29:36 +0200 |
commit | 5b23cba3f2bc7cda5c6eced3267c75198da9904a (patch) | |
tree | e75a59f02e1ddfb0e7aa941a53bfc95f32905bbb | |
parent | c3667718a63a8703bf62833dcb92b7ad5422d0cc (diff) |
Move LocalhostFilter and NoopFilter to jdisc-security-filters
-rw-r--r-- | jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java) | 19 | ||||
-rw-r--r-- | jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/NoopFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NoopFilter.java) | 2 | ||||
-rw-r--r-- | jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java | 60 | ||||
-rw-r--r-- | node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java | 37 |
4 files changed, 72 insertions, 46 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilter.java
index f9900f9b0ec..1623128fac2 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilter.java
@@ -1,30 +1,33 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.provision.restapi.v2.filter; +package com.yahoo.jdisc.http.filter.security.misc; import com.google.common.net.InetAddresses; -import com.yahoo.jdisc.handler.ResponseHandler; +import com.yahoo.jdisc.Response; import com.yahoo.jdisc.http.filter.DiscFilterRequest; -import com.yahoo.jdisc.http.filter.SecurityRequestFilter; -import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse; +import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase; import java.net.InetAddress; +import java.util.Optional; /** * A security filter that only allows self-originating requests. * * @author mpolden + * @author bjorncs */ @SuppressWarnings("unused") // Injected -public class LocalhostFilter implements SecurityRequestFilter { +public class LocalhostFilter extends JsonSecurityRequestFilterBase { @Override - public void filter(DiscFilterRequest request, ResponseHandler handler) { + protected Optional<ErrorResponse> filter(DiscFilterRequest request) { InetAddress remoteAddr = InetAddresses.forString(request.getRemoteAddr()); if (!remoteAddr.isLoopbackAddress() && !request.getRemoteAddr().equals(request.getLocalAddr())) { - FilterUtils.write(ErrorResponse.unauthorized( + return Optional.of(new ErrorResponse( + Response.Status.UNAUTHORIZED, String.format("%s %s denied for %s: Unauthorized host", request.getMethod(), - request.getUri().getPath(), request.getRemoteAddr())), handler); + request.getUri().getPath(), request.getRemoteAddr()))); } + return Optional.empty(); } } diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NoopFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/NoopFilter.java index 084095fa93c..cb1130e8825 100644 
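Review bot: The allow decision in `filter` rests entirely on `request.getRemoteAddr()`, and now that the class sits in the shared jdisc-security-filters module its Javadoc should state that assumption, for example `Only safe when the container sees the client's socket address directly; behind a same-host proxy every request appears to come from loopback and is allowed.` Separately, `InetAddresses.forString(...)` throws `IllegalArgumentException` for a value that is not an IP literal (a null address would also throw), so a malformed address surfaces as an exception rather than the `ErrorResponse` this method otherwise returns; catching it and returning the same 401 would keep the denial path uniform. The self-origin test compares the two address strings, so two textual forms of one IPv6 address would not match; that fails closed, but comparing parsed `InetAddress` values would be more robust.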
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NoopFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/NoopFilter.java @@ -1,5 +1,5 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.provision.restapi.v2.filter; +package com.yahoo.jdisc.http.filter.security.misc; import com.yahoo.jdisc.handler.ResponseHandler; import com.yahoo.jdisc.http.filter.DiscFilterRequest; diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java new file mode 100644 index 00000000000..39c3783caec --- /dev/null +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java 
@@ -0,0 +1,60 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filter.security.misc;
+
+import com.yahoo.container.jdisc.RequestHandlerTestDriver;
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import java.net.URI;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author mpolden
+ * @author bjorncs
+ */
+public class LocalhostFilterTest {
+
+ @Test
+ public void filter() {
+ // Reject from non-loopback
+ assertUnauthorized(createRequest("1.2.3.4", null));
+
+ // Allow requests from loopback addresses
+ assertSuccess(createRequest("127.0.0.1", null));
+ assertSuccess(createRequest("127.127.0.1", null));
+ assertSuccess(createRequest("0:0:0:0:0:0:0:1", null));
+
+ // Allow requests originating from self
+ assertSuccess(createRequest("1.3.3.7", "1.3.3.7"));
+ }
+
+ private static DiscFilterRequest createRequest(String remoteAddr, String localAddr) {
+ DiscFilterRequest request = Mockito.mock(DiscFilterRequest.class);
+ when(request.getRemoteAddr()).thenReturn(remoteAddr);
+ when(request.getLocalAddr()).thenReturn(localAddr);
+ when(request.getMethod()).thenReturn("GET");
+ when(request.getUri()).thenReturn(URI.create("http://localhost:8080/"));
+ return request;
+ }
+
+ private static void assertUnauthorized(DiscFilterRequest request) {
+ LocalhostFilter filter = new LocalhostFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertEquals(Response.Status.UNAUTHORIZED, handler.getStatus());
+ }
+
+
+ private static void assertSuccess(DiscFilterRequest request) {
+ LocalhostFilter filter = new LocalhostFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertNull(handler.getResponse());
+ }
+
+}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
deleted file mode 100644
index cb1ac2ade72..00000000000
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
-
-import com.yahoo.application.container.handler.Request.Method;
-import com.yahoo.vespa.hosted.provision.restapi.v2.filter.FilterTester.Request;
-import org.junit.Before;
-import org.junit.Test;
-
-/**
- * @author mpolden
- */
-public class LocalhostFilterTest {
-
- private FilterTester tester;
-
- @Before
- public void before() {
- tester = new FilterTester(new LocalhostFilter());
- }
-
- @Test
- public void filter() {
- // Reject from non-loopback
- tester.assertRequest(new Request(Method.GET, "/").remoteAddr("1.2.3.4"), 401,
- "{\"error-code\":\"UNAUTHORIZED\",\"message\":\"GET / denied for " +
- "1.2.3.4: Unauthorized host\"}");
-
- // Allow requests from loopback addresses
- tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("127.0.0.1"));
- tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("127.127.0.1"));
- tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("0:0:0:0:0:0:0:1"));
-
- // Allow requests originating from self
- tester.assertSuccess(new Request(Method.GET, "/").localAddr("1.3.3.7").remoteAddr("1.3.3.7"));
- }
-
-}
|
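Review bot: The only rejection case in the new jdisc-security-filters `LocalhostFilterTest.filter()` passes `null` as the local address, so a non-loopback remote address that differs from a non-null local address is never exercised; adding `assertUnauthorized(createRequest("1.2.3.4", "1.3.3.7"));` would pin that branch. The deleted node-repository test also asserted the error body (the `error-code` field and the "denied for" message), whereas `assertUnauthorized` here checks only the status, so a change in the message format would go unnoticed. A case with a remote address that is not an IP literal would also document how the filter behaves when `InetAddresses.forString` rejects its input.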