Add new module jdisc-security-filters

* Add new base class for security filters supporting CORS headers
* Add CORS response filter and preflight request filter

3 files changed, 250 insertions, 0 deletions

diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java
new file mode 100644
index 00000000000..cb934c32bee
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java
@@ -0,0 +1,78 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filters.cors;
+
+import com.yahoo.jdisc.HeaderFields;
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.handler.ContentChannel;
+import com.yahoo.jdisc.handler.ResponseHandler;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
+import com.yahoo.jdisc.http.filters.cors.CorsSecurityFilterConfig.Builder;
+import org.junit.Test;
+
+import java.util.Arrays;
+
+import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
+import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ACCESS_CONTROL_HEADERS;
+import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ALLOW_ORIGIN_HEADER;
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+
+/**
+ * @author gjoranv
+ * @author bjorncs
+ */
+public class CorsPreflightSecurityRequestFilterTest {
+
+    @Test
+    public void any_options_request_yields_access_control_headers_in_response() {
+        HeaderFields headers = doFilterRequest(newRequestFilter(), "http://any.origin");
+        ACCESS_CONTROL_HEADERS.keySet().forEach(
+                header -> assertFalse("Empty header: " + header, headers.getFirst(header).isEmpty()));
+    }
+
+    @Test
+    public void allowed_request_origin_yields_allow_origin_header_in_response() {
+        final String ALLOWED_ORIGIN = "http://allowed.origin";
+        HeaderFields headers = doFilterRequest(newRequestFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN);
+        assertEquals(ALLOWED_ORIGIN, headers.getFirst(ALLOW_ORIGIN_HEADER));
+    }
+
+    @Test
+    public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
+        HeaderFields headers = doFilterRequest(newRequestFilter("http://allowed.origin"), "http://disallowed.origin");
+        assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));
+    }
+
+    private static HeaderFields doFilterRequest(SecurityRequestFilter filter, String originUrl) {
+        AccessControlResponseHandler responseHandler = new AccessControlResponseHandler();
+        filter.filter(newOptionsRequest(originUrl), responseHandler);
+        return responseHandler.response.headers();
+    }
+
+    private static DiscFilterRequest newOptionsRequest(String origin) {
+        DiscFilterRequest request = mock(DiscFilterRequest.class);
+        when(request.getHeader("Origin")).thenReturn(origin);
+        when(request.getMethod()).thenReturn(OPTIONS.name());
+        return request;
+    }
+
+    private static CorsPreflightSecurityRequestFilter newRequestFilter(String... allowedOriginUrls) {
+        Builder builder = new Builder();
+        Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls);
+        return new CorsPreflightSecurityRequestFilter(new CorsSecurityFilterConfig(builder));
+    }
+
+    private static class AccessControlResponseHandler implements ResponseHandler {
+        Response response;
+
+        @Override
+        public ContentChannel handleResponse(Response response) {
+            this.response = response;
+            return mock(ContentChannel.class);
+        }
+    }
+
+}
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java
new file mode 100644
index 00000000000..65fb78cdbd6
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java
@@ -0,0 +1,60 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filters.cors;
+
+import com.yahoo.container.jdisc.RequestHandlerTestDriver.MockResponseHandler;
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import org.junit.Test;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ALLOW_ORIGIN_HEADER;
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author bjorncs
+ */
+public class CorsSecurityRequestFilterBaseTest {
+
+    @Test
+    public void adds_cors_headers_when_filter_reject_request() {
+        String origin = "http://allowed.origin";
+        Set<String> allowedOrigins = Collections.singleton(origin);
+        int statusCode = 403;
+        SimpleCorsSecurityRequestFilter filter =
+                new SimpleCorsSecurityRequestFilter(allowedOrigins, statusCode, "Forbidden");
+        DiscFilterRequest request = mock(DiscFilterRequest.class);
+        when(request.getHeader("Origin")).thenReturn(origin);
+        MockResponseHandler responseHandler = new MockResponseHandler();
+        filter.filter(request, responseHandler);
+
+        Response response = responseHandler.getResponse();
+        assertThat(response, notNullValue());
+        assertThat(response.getStatus(), equalTo(statusCode));
+        List<String> allowOriginHeader = response.headers().get(ALLOW_ORIGIN_HEADER);
+        assertThat(allowOriginHeader.size(), equalTo(1));
+        assertThat(allowOriginHeader.get(0), equalTo(origin));
+    }
+
+    private static class SimpleCorsSecurityRequestFilter extends CorsSecurityRequestFilterBase {
+        private final ErrorResponse errorResponse;
+
+        SimpleCorsSecurityRequestFilter(Set<String> allowedUrls, int statusCode, String message) {
+            super(allowedUrls);
+            this.errorResponse = new ErrorResponse(statusCode, message);
+        }
+
+        @Override
+        protected Optional<ErrorResponse> filter(DiscFilterRequest request) {
+            return Optional.ofNullable(this.errorResponse);
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java
new file mode 100644
index 00000000000..cadc4b217b3
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java
@@ -0,0 +1,112 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filters.cors;
+
+import com.yahoo.jdisc.http.Cookie;
+import com.yahoo.jdisc.http.filter.DiscFilterResponse;
+import com.yahoo.jdisc.http.filter.RequestView;
+import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
+import com.yahoo.jdisc.http.filters.cors.CorsSecurityFilterConfig.Builder;
+import com.yahoo.jdisc.http.servlet.ServletOrJdiscHttpResponse;
+import org.junit.Test;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ACCESS_CONTROL_HEADERS;
+import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ALLOW_ORIGIN_HEADER;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author gjoranv
+ * @author bjorncs
+ */
+public class CorsSecurityResponseFilterTest {
+
+    @Test
+    public void any_request_yields_access_control_headers_in_response() {
+        Map<String, String> headers = doFilterRequest(newResponseFilter(), "http://any.origin");
+        ACCESS_CONTROL_HEADERS.keySet().forEach(
+                header -> assertFalse("Empty header: " + header, headers.get(header).isEmpty()));
+    }
+
+    @Test
+    public void allowed_request_origin_yields_allow_origin_header_in_response() {
+        final String ALLOWED_ORIGIN = "http://allowed.origin";
+        Map<String, String> headers = doFilterRequest(newResponseFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN);
+        assertEquals(ALLOWED_ORIGIN, headers.get(ALLOW_ORIGIN_HEADER));
+    }
+
+    @Test
+    public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
+        Map<String, String> headers = doFilterRequest(newResponseFilter("http://allowed.origin"), "http://disallowed.origin");
+        assertNull(headers.get(ALLOW_ORIGIN_HEADER));
+    }
+
+    @Test
+    public void any_request_origin_yields_allow_origin_header_in_response_when_wildcard_is_allowed() {
+        Map<String, String> headers = doFilterRequest(newResponseFilter("*"), "http://any.origin");
+        assertEquals("*", headers.get(ALLOW_ORIGIN_HEADER));
+    }
+
+    private static Map<String, String> doFilterRequest(SecurityResponseFilter filter, String originUrl) {
+        TestResponse response = new TestResponse();
+        filter.filter(response, newRequestView(originUrl));
+        return Collections.unmodifiableMap(response.headers);
+    }
+
+    private static CorsSecurityResponseFilter newResponseFilter(String... allowedOriginUrls) {
+        Builder builder = new Builder();
+        Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls);
+        return new CorsSecurityResponseFilter(new CorsSecurityFilterConfig(builder));
+    }
+
+    private static RequestView newRequestView(String originUrl) {
+        RequestView request = mock(RequestView.class);
+        when(request.getFirstHeader("Origin")).thenReturn(Optional.of(originUrl));
+        return request;
+    }
+
+    private static class TestResponse extends DiscFilterResponse {
+        Map<String, String> headers = new HashMap<>();
+
+        TestResponse() {
+            super(mock(ServletOrJdiscHttpResponse.class));
+        }
+
+        @Override
+        public void setHeader(String name, String value) {
+            headers.put(name, value);
+        }
+
+        @Override
+        public String getHeader(String name) {
+            return headers.get(name);
+        }
+
+        @Override
+        public void removeHeaders(String s) { throw new UnsupportedOperationException(); }
+
+        @Override
+        public void setHeaders(String s, String s1) { throw new UnsupportedOperationException(); }
+
+        @Override
+        public void setHeaders(String s, List<String> list) { throw new UnsupportedOperationException(); }
+
+        @Override
+        public void addHeader(String s, String s1) { throw new UnsupportedOperationException(); }
+
+        @Override
+        public void setCookies(List<Cookie> list) { throw new UnsupportedOperationException(); }
+
+        @Override
+        public void setStatus(int i) { throw new UnsupportedOperationException(); }
+    }
+}