author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-04-05 15:07:53 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-04-09 12:49:33 +0200 |
commit | 773bb8bf0f99fe1a2a7cec5aa026f0bbf43c7f7d (patch) | |
tree | d9fb5f274b89488cfe83da8696b3b7b4d228e31b /controller-server | |
parent | 467ec6be1c0f7fd20eb0a4fea065671f51809740 (diff) |
Remove CORS filters from controller-server
Diffstat (limited to 'controller-server')
6 files changed, 0 insertions, 345 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlHeaders.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlHeaders.java
deleted file mode 100644
index 8a539720a21..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlHeaders.java
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.google.common.collect.ImmutableMap;
-
-import java.time.Duration;
-import java.util.Map;
-
-/**
- * @author gv
- */
-public interface AccessControlHeaders {
-
- String CORS_PREFLIGHT_REQUEST_CACHE_TTL = Long.toString(Duration.ofDays(7).getSeconds());
-
- String ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin";
-
- Map<String, String> ACCESS_CONTROL_HEADERS = ImmutableMap.of(
- "Access-Control-Max-Age", CORS_PREFLIGHT_REQUEST_CACHE_TTL,
- "Access-Control-Allow-Headers", "Origin,Content-Type,Accept,Yahoo-Principal-Auth",
- "Access-Control-Allow-Methods", "OPTIONS,GET,PUT,DELETE,POST",
- "Access-Control-Allow-Credentials", "true"
- );
-
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilter.java
deleted file mode 100644
index 8df4124028e..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilter.java
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.google.inject.Inject;
-import com.yahoo.jdisc.Response;
-import com.yahoo.jdisc.handler.ContentChannel;
-import com.yahoo.jdisc.handler.ResponseHandler;
-import com.yahoo.jdisc.http.HttpResponse;
-import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-import com.yahoo.yolean.chain.After;
-import com.yahoo.yolean.chain.Before;
-import com.yahoo.yolean.chain.Provides;
-
-import java.util.Collections;
-import java.util.Set;
-import java.util.stream.Collectors;
-
-import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-
-/**
- * <p>
- * This filter makes sure we respond as quickly as possible to CORS pre-flight requests
- * which browsers transmit before the Hosted Vespa dashboard code is allowed to send a "real" request.
- * </p>
- * <p>
- * An "Access-Control-Max-Age" header is added so that the browser will cache the result of this pre-flight request,
- * further improving the responsiveness of the Hosted Vespa dashboard application.
- * </p>
- * <p>
- * Runs after all standard security request filters, but before BouncerFilter, as the browser does not send
- * credentials with pre-flight requests.
- * </p>
- *
- * @author andreer
- * @author gv
- */
-@After({"InputValidationFilter","RemoteIPFilter", "DoNotTrackRequestFilter", "CookieDataRequestFilter"})
-@Before({"BouncerFilter", "ControllerAuthorizationFilter"})
-@Provides("AccessControlRequestFilter")
-public class AccessControlRequestFilter implements SecurityRequestFilter {
- private final Set<String> allowedUrls;
-
- @Inject
- public AccessControlRequestFilter(HttpAccessControlConfig config) {
- allowedUrls = Collections.unmodifiableSet(config.allowedUrls().stream().collect(Collectors.toSet()));
- }
-
- @Override
- public void filter(DiscFilterRequest discFilterRequest, ResponseHandler responseHandler) {
- String origin = discFilterRequest.getHeader("Origin");
-
- if (!discFilterRequest.getMethod().equals(OPTIONS.name()))
- return;
-
- HttpResponse response = HttpResponse.newInstance(Response.Status.OK);
-
- if (allowedUrls.contains(origin))
- response.headers().add(ALLOW_ORIGIN_HEADER, origin);
-
- ACCESS_CONTROL_HEADERS.forEach(
- (name, value) -> response.headers().add(name, value));
-
- ContentChannel cc = responseHandler.handleResponse(response);
- cc.close(null);
- }
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilter.java
deleted file mode 100644
index c2ad31cd925..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilter.java
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.yahoo.jdisc.AbstractResource;
-import com.yahoo.jdisc.http.filter.DiscFilterResponse;
-import com.yahoo.jdisc.http.filter.RequestView;
-import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-
-import java.util.List;
-import java.util.Optional;
-
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-
-/**
- * @author gv
- * @author Tony Vaagenes
- */
-public class AccessControlResponseFilter extends AbstractResource implements SecurityResponseFilter {
-
- private final List<String> allowedUrls;
-
- public AccessControlResponseFilter(HttpAccessControlConfig config) {
- allowedUrls = config.allowedUrls();
- }
-
- @Override
- public void filter(DiscFilterResponse response, RequestView request) {
- Optional<String> requestOrigin = request.getFirstHeader("Origin");
-
- requestOrigin.ifPresent(
- origin -> allowedUrls.stream()
- .filter(allowedUrl -> matchesRequestOrigin(origin, allowedUrl))
- .findAny()
- .ifPresent(allowedOrigin -> setHeaderUnlessExists(response, ALLOW_ORIGIN_HEADER, allowedOrigin))
- );
- ACCESS_CONTROL_HEADERS.forEach((name, value) -> setHeaderUnlessExists(response, name, value));
- }
-
- private boolean matchesRequestOrigin(String requestOrigin, String allowedUrl) {
- return allowedUrl.equals("*") || requestOrigin.startsWith(allowedUrl);
- }
-
- /**
- * This is to avoid duplicating headers already set by the {@link AccessControlRequestFilter}.
- * Currently (March 2016), this filter is invoked for OPTIONS requests to jdisc request handlers,
- * even if the request filter has been invoked first. For jersey based APIs, this filter is NOT
- * invoked in these cases.
- */
- private void setHeaderUnlessExists(DiscFilterResponse response, String name, String value) {
- if (response.getHeader(name) == null)
- response.setHeader(name, value);
- }
-}
diff --git a/controller-server/src/main/resources/configdefinitions/http-access-control.def b/controller-server/src/main/resources/configdefinitions/http-access-control.def
deleted file mode 100644
index 4cd1532761b..00000000000
--- a/controller-server/src/main/resources/configdefinitions/http-access-control.def
+++ /dev/null
@@ -1,4 +0,0 @@
-# Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-namespace=vespa.hosted.controller.restapi.filter.config
-
-allowedUrls[] string
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilterTest.java
deleted file mode 100644
index 0c31c6e2cc5..00000000000
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlRequestFilterTest.java
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.yahoo.jdisc.HeaderFields;
-import com.yahoo.jdisc.Response;
-import com.yahoo.jdisc.handler.ContentChannel;
-import com.yahoo.jdisc.handler.ResponseHandler;
-import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig.Builder;
-import org.junit.Test;
-
-import java.util.Arrays;
-
-import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-/**
- * @author gjoranv
- */
-public class AccessControlRequestFilterTest {
-
- @Test
- public void any_options_request_yields_access_control_headers_in_response() {
- HeaderFields headers = doFilterRequest(newRequestFilter(), "http://any.origin");
- ACCESS_CONTROL_HEADERS.keySet().forEach(
- header -> assertFalse("Empty header: " + header, headers.getFirst(header).isEmpty()));
- }
-
- @Test
- public void allowed_request_origin_yields_allow_origin_header_in_response() {
- final String ALLOWED_ORIGIN = "http://allowed.origin";
- HeaderFields headers = doFilterRequest(newRequestFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN);
- assertEquals(ALLOWED_ORIGIN, headers.getFirst(ALLOW_ORIGIN_HEADER));
- }
-
- @Test
- public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
- HeaderFields headers = doFilterRequest(newRequestFilter("http://allowed.origin"), "http://disallowed.origin");
- assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));
- }
-
- private static HeaderFields doFilterRequest(SecurityRequestFilter filter, String originUrl) {
- AccessControlResponseHandler responseHandler = new AccessControlResponseHandler();
- filter.filter(newOptionsRequest(originUrl), responseHandler);
- return responseHandler.response.headers();
- }
-
- private static DiscFilterRequest newOptionsRequest(String origin) {
- DiscFilterRequest request = mock(DiscFilterRequest.class);
- when(request.getHeader("Origin")).thenReturn(origin);
- when(request.getMethod()).thenReturn(OPTIONS.name());
- return request;
- }
-
- private static AccessControlRequestFilter newRequestFilter(String... allowedOriginUrls) {
- Builder builder = new Builder();
- Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls);
- return new AccessControlRequestFilter(new HttpAccessControlConfig(builder));
- }
-
- private static class AccessControlResponseHandler implements ResponseHandler {
- Response response;
-
- @Override
- public ContentChannel handleResponse(Response response) {
- this.response = response;
- return mock(ContentChannel.class);
- }
- }
-
-}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilterTest.java
deleted file mode 100644
index 1b368d0a4b8..00000000000
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AccessControlResponseFilterTest.java
+++ /dev/null
@@ -1,112 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.restapi.filter;
-
-import com.yahoo.jdisc.http.Cookie;
-import com.yahoo.jdisc.http.filter.DiscFilterResponse;
-import com.yahoo.jdisc.http.filter.RequestView;
-import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
-import com.yahoo.jdisc.http.servlet.ServletOrJdiscHttpResponse;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig;
-import com.yahoo.vespa.hosted.controller.restapi.filter.config.HttpAccessControlConfig.Builder;
-import org.junit.Test;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ACCESS_CONTROL_HEADERS;
-import static com.yahoo.vespa.hosted.controller.restapi.filter.AccessControlHeaders.ALLOW_ORIGIN_HEADER;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-/**
- * @author gjoranv
- */
-public class AccessControlResponseFilterTest {
-
- @Test
- public void any_request_yields_access_control_headers_in_response() {
- Map<String, String> headers = doFilterRequest(newResponseFilter(), "http://any.origin");
- ACCESS_CONTROL_HEADERS.keySet().forEach(
- header -> assertFalse("Empty header: " + header, headers.get(header).isEmpty()));
- }
-
- @Test
- public void allowed_request_origin_yields_allow_origin_header_in_response() {
- final String ALLOWED_ORIGIN = "http://allowed.origin";
- Map<String, String> headers = doFilterRequest(newResponseFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN);
- assertEquals(ALLOWED_ORIGIN, headers.get(ALLOW_ORIGIN_HEADER));
- }
-
- @Test
- public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
- Map<String, String> headers = doFilterRequest(newResponseFilter("http://allowed.origin"), "http://disallowed.origin");
- assertNull(headers.get(ALLOW_ORIGIN_HEADER));
- }
-
- @Test
- public void any_request_origin_yields_allow_origin_header_in_response_when_wildcard_is_allowed() {
- Map<String, String> headers = doFilterRequest(newResponseFilter("*"), "http://any.origin");
- assertEquals("*", headers.get(ALLOW_ORIGIN_HEADER));
- }
-
- private static Map<String, String> doFilterRequest(SecurityResponseFilter filter, String originUrl) {
- TestResponse response = new TestResponse();
- filter.filter(response, newRequestView(originUrl));
- return Collections.unmodifiableMap(response.headers);
- }
-
- private static AccessControlResponseFilter newResponseFilter(String... allowedOriginUrls) {
- Builder builder = new Builder();
- Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls);
- return new AccessControlResponseFilter(new HttpAccessControlConfig(builder));
- }
-
- private static RequestView newRequestView(String originUrl) {
- RequestView request = mock(RequestView.class);
- when(request.getFirstHeader("Origin")).thenReturn(Optional.of(originUrl));
- return request;
- }
-
- private static class TestResponse extends DiscFilterResponse {
- Map<String, String> headers = new HashMap<>();
-
- TestResponse() {
- super(mock(ServletOrJdiscHttpResponse.class));
- }
-
- @Override
- public void setHeader(String name, String value) {
- headers.put(name, value);
- }
-
- @Override
- public String getHeader(String name) {
- return headers.get(name);
- }
-
- @Override
- public void removeHeaders(String s) { throw new UnsupportedOperationException(); }
-
- @Override
- public void setHeaders(String s, String s1) { throw new UnsupportedOperationException(); }
-
- @Override
- public void setHeaders(String s, List<String> list) { throw new UnsupportedOperationException(); }
-
- @Override
- public void addHeader(String s, String s1) { throw new UnsupportedOperationException(); }
-
- @Override
- public void setCookies(List<Cookie> list) { throw new UnsupportedOperationException(); }
-
- @Override
- public void setStatus(int i) { throw new UnsupportedOperationException(); }
- }
-} |