Remove CORS filters from controller-server

author: Bjørn Christian Seime <bjorncs@oath.com> 2018-04-05 15:07:53 +0200
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-04-09 12:49:33 +0200
commit: 773bb8bf0f99fe1a2a7cec5aa026f0bbf43c7f7d (patch)
tree: d9fb5f274b89488cfe83da8696b3b7b4d228e31b /controller-server
parent: 467ec6be1c0f7fd20eb0a4fea065671f51809740 (diff)
6 files changed, 0 insertions, 345 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlHeaders.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlHeaders.java
deleted file mode 100644
index 8a539720a21..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlHeaders.java
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.google.common.collect.ImmutableMap;
-
-import java.time.Duration;
-import java.util.Map;
-
-/**
- * @author gv
- */
-public interface AccessControlHeaders {
-
-    String CORS_PREFLIGHT_REQUEST_CACHE_TTL =  Long.toString(Duration.ofDays(7).getSeconds());
-
-    String ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin";
-
-    Map<String, String> ACCESS_CONTROL_HEADERS = ImmutableMap.of(
-            "Access-Control-Max-Age", CORS_PREFLIGHT_REQUEST_CACHE_TTL,
-            "Access-Control-Allow-Headers", "Origin,Content-Type,Accept,Yahoo-Principal-Auth",
-            "Access-Control-Allow-Methods", "OPTIONS,GET,PUT,DELETE,POST",
-            "Access-Control-Allow-Credentials", "true"
-    );
-
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilter.java
deleted file mode 100644
index 8df4124028e..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilter.java
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.google.inject.Inject;
-import com.yahoo.jdisc.Response;
-import com.yahoo.jdisc.handler.ContentChannel;
-import com.yahoo.jdisc.handler.ResponseHandler;
-import com.yahoo.jdisc.http.HttpResponse;
-import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-import com.yahoo.yolean.chain.After;
-import com.yahoo.yolean.chain.Before;
-import com.yahoo.yolean.chain.Provides;
-
-import java.util.Collections;
-import java.util.Set;
-import java.util.stream.Collectors;
-
-import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-
-/**
- * <p>
- * This filter makes sure we respond as quickly as possible to CORS pre-flight requests
- * which browsers transmit before the Hosted Vespa dashboard code is allowed to send a "real" request.
- * </p>
- * <p>
- * An "Access-Control-Max-Age" header is added so that the browser will cache the result of this pre-flight request,
- * further improving the responsiveness of the Hosted Vespa dashboard application.
- * </p>
- * <p>
- * Runs after all standard security request filters, but before BouncerFilter, as the browser does not send
- * credentials with pre-flight requests.
- * </p>
- *
- * @author andreer
- * @author gv
- */
-@After({"InputValidationFilter","RemoteIPFilter", "DoNotTrackRequestFilter", "CookieDataRequestFilter"})
-@Before({"BouncerFilter", "ControllerAuthorizationFilter"})
-@Provides("AccessControlRequestFilter")
-public class AccessControlRequestFilter implements SecurityRequestFilter {
-    private final Set<String> allowedUrls;
-
-    @Inject
-    public AccessControlRequestFilter(HttpAccessControlConfig config) {
-        allowedUrls = Collections.unmodifiableSet(config.allowedUrls().stream().collect(Collectors.toSet()));
-    }
-
-    @Override
-    public void filter(DiscFilterRequest discFilterRequest, ResponseHandler responseHandler) {
-        String origin = discFilterRequest.getHeader("Origin");
-
-        if (!discFilterRequest.getMethod().equals(OPTIONS.name()))
-            return;
-
-        HttpResponse response = HttpResponse.newInstance(Response.Status.OK);
-
-        if (allowedUrls.contains(origin))
-            response.headers().add(ALLOW_ORIGIN_HEADER, origin);
-
-        ACCESS_CONTROL_HEADERS.forEach(
-                (name, value) -> response.headers().add(name, value));
-
-        ContentChannel cc = responseHandler.handleResponse(response);
-        cc.close(null);
-    }
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilter.java
deleted file mode 100644
index c2ad31cd925..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilter.java
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.yahoo.jdisc.AbstractResource;
-import com.yahoo.jdisc.http.filter.DiscFilterResponse;
-import com.yahoo.jdisc.http.filter.RequestView;
-import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-
-import java.util.List;
-import java.util.Optional;
-
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-
-/**
- * @author gv
- * @author Tony Vaagenes
- */
-public class AccessControlResponseFilter extends AbstractResource implements SecurityResponseFilter {
-
-    private final List<String> allowedUrls;
-
-    public AccessControlResponseFilter(HttpAccessControlConfig config) {
-        allowedUrls = config.allowedUrls();
-    }
-
-    @Override
-    public void filter(DiscFilterResponse response, RequestView request) {
-        Optional<String> requestOrigin = request.getFirstHeader("Origin");
-
-        requestOrigin.ifPresent(
-                origin -> allowedUrls.stream()
-                        .filter(allowedUrl -> matchesRequestOrigin(origin, allowedUrl))
-                        .findAny()
-                        .ifPresent(allowedOrigin -> setHeaderUnlessExists(response, ALLOW_ORIGIN_HEADER, allowedOrigin))
-        );
-        ACCESS_CONTROL_HEADERS.forEach((name, value) -> setHeaderUnlessExists(response, name, value));
-    }
-
-    private boolean matchesRequestOrigin(String requestOrigin, String allowedUrl) {
-        return allowedUrl.equals("*") || requestOrigin.startsWith(allowedUrl);
-    }
-
-    /**
-     * This is to avoid duplicating headers already set by the {@link AccessControlRequestFilter}.
-     * Currently (March 2016), this filter is invoked for OPTIONS requests to jdisc request handlers,
-     * even if the request filter has been invoked first. For jersey based APIs, this filter is NOT
-     * invoked in these cases.
-     */
-    private void setHeaderUnlessExists(DiscFilterResponse response, String name, String value) {
-        if (response.getHeader(name) == null)
-            response.setHeader(name, value);
-    }
-}
diff --git a/controller-server/src/main/resources/configdefinitions/http-access-control.def b/controller-server/src/main/resources/configdefinitions/http-access-control.def
deleted file mode 100644
index 4cd1532761b..00000000000
--- a/controller-server/src/main/resources/configdefinitions/http-access-control.def
+++ /dev/null
@@ -1,4 +0,0 @@
-# Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-namespace=vespa.hosted.controller.restapi.filter.config
-
-allowedUrls[] string
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilterTest.java
deleted file mode 100644
index 0c31c6e2cc5..00000000000
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilterTest.java
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.yahoo.jdisc.HeaderFields;
-import com.yahoo.jdisc.Response;
-import com.yahoo.jdisc.handler.ContentChannel;
-import com.yahoo.jdisc.handler.ResponseHandler;
-import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig.Builder;
-import org.junit.Test;
-
-import java.util.Arrays;
-
-import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-/**
- * @author gjoranv
- */
-public class AccessControlRequestFilterTest {
-
-    @Test
-    public void any_options_request_yields_access_control_headers_in_response() {
-        HeaderFields headers = doFilterRequest(newRequestFilter(), "http://any.origin");
-        ACCESS_CONTROL_HEADERS.keySet().forEach(
-                header -> assertFalse("Empty header: " + header, headers.getFirst(header).isEmpty()));
-    }
-
-    @Test
-    public void allowed_request_origin_yields_allow_origin_header_in_response() {
-        final String ALLOWED_ORIGIN = "http://allowed.origin";
-        HeaderFields headers = doFilterRequest(newRequestFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN);
-        assertEquals(ALLOWED_ORIGIN, headers.getFirst(ALLOW_ORIGIN_HEADER));
-    }
-
-    @Test
-    public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
-        HeaderFields headers = doFilterRequest(newRequestFilter("http://allowed.origin"), "http://disallowed.origin");
-        assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));
-    }
-
-    private static HeaderFields doFilterRequest(SecurityRequestFilter filter, String originUrl) {
-        AccessControlResponseHandler responseHandler = new AccessControlResponseHandler();
-        filter.filter(newOptionsRequest(originUrl), responseHandler);
-        return responseHandler.response.headers();
-    }
-
-    private static DiscFilterRequest newOptionsRequest(String origin) {
-        DiscFilterRequest request = mock(DiscFilterRequest.class);
-        when(request.getHeader("Origin")).thenReturn(origin);
-        when(request.getMethod()).thenReturn(OPTIONS.name());
-        return request;
-    }
-
-    private static AccessControlRequestFilter newRequestFilter(String... allowedOriginUrls) {
-        Builder builder = new Builder();
-        Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls);
-        return new AccessControlRequestFilter(new HttpAccessControlConfig(builder));
-    }
-
-    private static class AccessControlResponseHandler implements ResponseHandler {
-        Response response;
-
-        @Override
-        public ContentChannel handleResponse(Response response) {
-            this.response = response;
-            return mock(ContentChannel.class);
-        }
-    }
-
-}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilterTest.java
deleted file mode 100644
index 1b368d0a4b8..00000000000
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilterTest.java
+++ /dev/null
@@ -1,112 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.yahoo.jdisc.http.Cookie;
-import com.yahoo.jdisc.http.filter.DiscFilterResponse;
-import com.yahoo.jdisc.http.filter.RequestView;
-import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
-import com.yahoo.jdisc.http.servlet.ServletOrJdiscHttpResponse;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig.Builder;
-import org.junit.Test;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-/**
- * @author gjoranv
- */
-public class AccessControlResponseFilterTest {
-
-    @Test
-    public void any_request_yields_access_control_headers_in_response() {
-        Map<String, String> headers = doFilterRequest(newResponseFilter(), "http://any.origin");
-        ACCESS_CONTROL_HEADERS.keySet().forEach(
-                header -> assertFalse("Empty header: " + header, headers.get(header).isEmpty()));
-    }
-
-    @Test
-    public void allowed_request_origin_yields_allow_origin_header_in_response() {
-        final String ALLOWED_ORIGIN = "http://allowed.origin";
-        Map<String, String> headers = doFilterRequest(newResponseFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN);
-        assertEquals(ALLOWED_ORIGIN, headers.get(ALLOW_ORIGIN_HEADER));
-    }
-
-    @Test
-    public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
-        Map<String, String> headers = doFilterRequest(newResponseFilter("http://allowed.origin"), "http://disallowed.origin");
-        assertNull(headers.get(ALLOW_ORIGIN_HEADER));
-    }
-
-    @Test
-    public void any_request_origin_yields_allow_origin_header_in_response_when_wildcard_is_allowed() {
-        Map<String, String> headers = doFilterRequest(newResponseFilter("*"), "http://any.origin");
-        assertEquals("*", headers.get(ALLOW_ORIGIN_HEADER));
-    }
-
-    private static Map<String, String> doFilterRequest(SecurityResponseFilter filter, String originUrl) {
-        TestResponse response = new TestResponse();
-        filter.filter(response, newRequestView(originUrl));
-        return Collections.unmodifiableMap(response.headers);
-    }
-
-    private static AccessControlResponseFilter newResponseFilter(String... allowedOriginUrls) {
-        Builder builder = new Builder();
-        Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls);
-        return new AccessControlResponseFilter(new HttpAccessControlConfig(builder));
-    }
-
-    private static RequestView newRequestView(String originUrl) {
-        RequestView request = mock(RequestView.class);
-        when(request.getFirstHeader("Origin")).thenReturn(Optional.of(originUrl));
-        return request;
-    }
-
-    private static class TestResponse extends DiscFilterResponse {
-        Map<String, String> headers = new HashMap<>();
-
-        TestResponse() {
-            super(mock(ServletOrJdiscHttpResponse.class));
-        }
-
-        @Override
-        public void setHeader(String name, String value) {
-            headers.put(name, value);
-        }
-
-        @Override
-        public String getHeader(String name) {
-            return headers.get(name);
-        }
-
-        @Override
-        public void removeHeaders(String s) { throw new UnsupportedOperationException(); }
-
-        @Override
-        public void setHeaders(String s, String s1) { throw new UnsupportedOperationException(); }
-
-        @Override
-        public void setHeaders(String s, List<String> list) { throw new UnsupportedOperationException(); }
-
-        @Override
-        public void addHeader(String s, String s1) { throw new UnsupportedOperationException(); }
-
-        @Override
-        public void setCookies(List<Cookie> list) { throw new UnsupportedOperationException(); }
-
-        @Override
-        public void setStatus(int i) { throw new UnsupportedOperationException(); }
-    }
-}
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-04-05 15:07:53 +0200
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-04-09 12:49:33 +0200
commit	773bb8bf0f99fe1a2a7cec5aa026f0bbf43c7f7d (patch)
tree	d9fb5f274b89488cfe83da8696b3b7b4d228e31b /controller-server
parent	467ec6be1c0f7fd20eb0a4fea065671f51809740 (diff)