-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java)19
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/NoopFilter.java (renamed from node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NoopFilter.java)2
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java60
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java37
4 files changed, 72 insertions, 46 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilter.java
index f9900f9b0ec..1623128fac2 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilter.java
@@ -1,30 +1,33 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
+package com.yahoo.jdisc.http.filter.security.misc;
import com.google.common.net.InetAddresses;
-import com.yahoo.jdisc.handler.ResponseHandler;
+import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
-import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
+import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
import java.net.InetAddress;
+import java.util.Optional;
/**
* A security filter that only allows self-originating requests.
*
* @author mpolden
+ * @author bjorncs
*/
@SuppressWarnings("unused") // Injected
-public class LocalhostFilter implements SecurityRequestFilter {
+public class LocalhostFilter extends JsonSecurityRequestFilterBase {
@Override
- public void filter(DiscFilterRequest request, ResponseHandler handler) {
+ protected Optional<ErrorResponse> filter(DiscFilterRequest request) {
InetAddress remoteAddr = InetAddresses.forString(request.getRemoteAddr());
if (!remoteAddr.isLoopbackAddress() && !request.getRemoteAddr().equals(request.getLocalAddr())) {
- FilterUtils.write(ErrorResponse.unauthorized(
+ return Optional.of(new ErrorResponse(
+ Response.Status.UNAUTHORIZED,
String.format("%s %s denied for %s: Unauthorized host", request.getMethod(),
- request.getUri().getPath(), request.getRemoteAddr())), handler);
+ request.getUri().getPath(), request.getRemoteAddr())));
}
+ return Optional.empty();
}
}
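Review bot: The class Javadoc at the top of this hunk still says only "A security filter that only allows self-originating requests"; now that the filter sits in the shared jdisc-security-filters module, it should spell out the two conditions `filter` accepts: a loopback remote address, or a remote address string equal to the local address. I would add something like `Allows a request when its remote address is a loopback address or equals the request's local address; the remote address is used as reported by the request, so a proxy on the same host would make every proxied request pass.` The proxy clause is an assumption about deployment that this hunk cannot confirm. Separately, `InetAddresses.forString(request.getRemoteAddr())` throws IllegalArgumentException for a value that is not an IP literal, so a malformed address would surface as an exception rather than the 401 `ErrorResponse`. Catching it and returning the same `Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, ...))` would keep the denial path uniform.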
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NoopFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/NoopFilter.java
index 084095fa93c..cb1130e8825 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NoopFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/NoopFilter.java
@@ -1,5 +1,5 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
+package com.yahoo.jdisc.http.filter.security.misc;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java
new file mode 100644
index 00000000000..39c3783caec
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/misc/LocalhostFilterTest.java
@@ -0,0 +1,60 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filter.security.misc;
+
+import com.yahoo.container.jdisc.RequestHandlerTestDriver;
+import com.yahoo.jdisc.Response;
+import com.yahoo.jdisc.http.filter.DiscFilterRequest;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import java.net.URI;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author mpolden
+ * @author bjorncs
+ */
+public class LocalhostFilterTest {
+
+ @Test
+ public void filter() {
+ // Reject from non-loopback
+ assertUnauthorized(createRequest("1.2.3.4", null));
+
+ // Allow requests from loopback addresses
+ assertSuccess(createRequest("127.0.0.1", null));
+ assertSuccess(createRequest("127.127.0.1", null));
+ assertSuccess(createRequest("0:0:0:0:0:0:0:1", null));
+
+ // Allow requests originating from self
+ assertSuccess(createRequest("1.3.3.7", "1.3.3.7"));
+ }
+
+ private static DiscFilterRequest createRequest(String remoteAddr, String localAddr) {
+ DiscFilterRequest request = Mockito.mock(DiscFilterRequest.class);
+ when(request.getRemoteAddr()).thenReturn(remoteAddr);
+ when(request.getLocalAddr()).thenReturn(localAddr);
+ when(request.getMethod()).thenReturn("GET");
+ when(request.getUri()).thenReturn(URI.create("http://localhost:8080/"));
+ return request;
+ }
+
+ private static void assertUnauthorized(DiscFilterRequest request) {
+ LocalhostFilter filter = new LocalhostFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertEquals(Response.Status.UNAUTHORIZED, handler.getStatus());
+ }
+
+
+ private static void assertSuccess(DiscFilterRequest request) {
+ LocalhostFilter filter = new LocalhostFilter();
+ RequestHandlerTestDriver.MockResponseHandler handler = new RequestHandlerTestDriver.MockResponseHandler();
+ filter.filter(request, handler);
+ assertNull(handler.getResponse());
+ }
+
+}
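Review bot: The reject case under `// Reject from non-loopback` only uses a null local address, so the filter's `!request.getRemoteAddr().equals(request.getLocalAddr())` check is never exercised with two different non-null addresses; add `assertUnauthorized(createRequest("1.2.3.4", "1.3.3.7"));`. The deleted node-repository test also asserted the JSON body (`error-code` and the "denied for ... Unauthorized host" message), whereas `assertUnauthorized` here checks only `handler.getStatus()`. A regression in the body written for a denied request would therefore go unnoticed. If the mock response handler exposes the written body, asserting the message text would restore that coverage.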
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
deleted file mode 100644
index cb1ac2ade72..00000000000
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/LocalhostFilterTest.java
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
-
-import com.yahoo.application.container.handler.Request.Method;
-import com.yahoo.vespa.hosted.provision.restapi.v2.filter.FilterTester.Request;
-import org.junit.Before;
-import org.junit.Test;
-
-/**
- * @author mpolden
- */
-public class LocalhostFilterTest {
-
- private FilterTester tester;
-
- @Before
- public void before() {
- tester = new FilterTester(new LocalhostFilter());
- }
-
- @Test
- public void filter() {
- // Reject from non-loopback
- tester.assertRequest(new Request(Method.GET, "/").remoteAddr("1.2.3.4"), 401,
- "{\"error-code\":\"UNAUTHORIZED\",\"message\":\"GET / denied for " +
- "1.2.3.4: Unauthorized host\"}");
-
- // Allow requests from loopback addresses
- tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("127.0.0.1"));
- tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("127.127.0.1"));
- tester.assertSuccess(new Request(Method.GET, "/").remoteAddr("0:0:0:0:0:0:0:1"));
-
- // Allow requests originating from self
- tester.assertSuccess(new Request(Method.GET, "/").localAddr("1.3.3.7").remoteAddr("1.3.3.7"));
- }
-
-}