From 467ec6be1c0f7fd20eb0a4fea065671f51809740 Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Thu, 5 Apr 2018 13:06:20 +0200 Subject: Add new module jdisc-security-filters * Add new base class for security filters supporting CORS headers * Add CORS response filter and preflight request filter --- .../CorsPreflightSecurityRequestFilterTest.java | 78 ++++++++++++++ .../cors/CorsSecurityRequestFilterBaseTest.java | 60 +++++++++++ .../cors/CorsSecurityResponseFilterTest.java | 112 +++++++++++++++++++++ 3 files changed, 250 insertions(+) create mode 100644 jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java create mode 100644 jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java create mode 100644 jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java (limited to 'jdisc-security-filters/src/test') diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java new file mode 100644 index 00000000000..cb934c32bee --- /dev/null +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsPreflightSecurityRequestFilterTest.java @@ -0,0 +1,78 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.filters.cors; + +import com.yahoo.jdisc.HeaderFields; +import com.yahoo.jdisc.Response; +import com.yahoo.jdisc.handler.ContentChannel; +import com.yahoo.jdisc.handler.ResponseHandler; +import com.yahoo.jdisc.http.filter.DiscFilterRequest; +import com.yahoo.jdisc.http.filter.SecurityRequestFilter; +import com.yahoo.jdisc.http.filters.cors.CorsSecurityFilterConfig.Builder; +import org.junit.Test; + +import java.util.Arrays; + +import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS; +import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ACCESS_CONTROL_HEADERS; +import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ALLOW_ORIGIN_HEADER; +import static org.junit.Assert.*; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + + +/** + * @author gjoranv + * @author bjorncs + */ +public class CorsPreflightSecurityRequestFilterTest { + + @Test + public void any_options_request_yields_access_control_headers_in_response() { + HeaderFields headers = doFilterRequest(newRequestFilter(), "http://any.origin"); + ACCESS_CONTROL_HEADERS.keySet().forEach( + header -> assertFalse("Empty header: " + header, headers.getFirst(header).isEmpty())); + } + + @Test + public void allowed_request_origin_yields_allow_origin_header_in_response() { + final String ALLOWED_ORIGIN = "http://allowed.origin"; + HeaderFields headers = doFilterRequest(newRequestFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN); + assertEquals(ALLOWED_ORIGIN, headers.getFirst(ALLOW_ORIGIN_HEADER)); + } + + @Test + public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() { + HeaderFields headers = doFilterRequest(newRequestFilter("http://allowed.origin"), "http://disallowed.origin"); + assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER)); + } + + private static HeaderFields doFilterRequest(SecurityRequestFilter filter, String originUrl) { + AccessControlResponseHandler responseHandler = new AccessControlResponseHandler(); + filter.filter(newOptionsRequest(originUrl), responseHandler); + return responseHandler.response.headers(); + } + + private static DiscFilterRequest newOptionsRequest(String origin) { + DiscFilterRequest request = mock(DiscFilterRequest.class); + when(request.getHeader("Origin")).thenReturn(origin); + when(request.getMethod()).thenReturn(OPTIONS.name()); + return request; + } + + private static CorsPreflightSecurityRequestFilter newRequestFilter(String... allowedOriginUrls) { + Builder builder = new Builder(); + Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls); + return new CorsPreflightSecurityRequestFilter(new CorsSecurityFilterConfig(builder)); + } + + private static class AccessControlResponseHandler implements ResponseHandler { + Response response; + + @Override + public ContentChannel handleResponse(Response response) { + this.response = response; + return mock(ContentChannel.class); + } + } + +} diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java new file mode 100644 index 00000000000..65fb78cdbd6 --- /dev/null +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityRequestFilterBaseTest.java @@ -0,0 +1,60 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.filters.cors; + +import com.yahoo.container.jdisc.RequestHandlerTestDriver.MockResponseHandler; +import com.yahoo.jdisc.Response; +import com.yahoo.jdisc.http.filter.DiscFilterRequest; +import org.junit.Test; + +import java.util.Collections; +import java.util.List; +import java.util.Optional; +import java.util.Set; + +import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ALLOW_ORIGIN_HEADER; +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.junit.Assert.assertThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +/** + * @author bjorncs + */ +public class CorsSecurityRequestFilterBaseTest { + + @Test + public void adds_cors_headers_when_filter_reject_request() { + String origin = "http://allowed.origin"; + Set allowedOrigins = Collections.singleton(origin); + int statusCode = 403; + SimpleCorsSecurityRequestFilter filter = + new SimpleCorsSecurityRequestFilter(allowedOrigins, statusCode, "Forbidden"); + DiscFilterRequest request = mock(DiscFilterRequest.class); + when(request.getHeader("Origin")).thenReturn(origin); + MockResponseHandler responseHandler = new MockResponseHandler(); + filter.filter(request, responseHandler); + + Response response = responseHandler.getResponse(); + assertThat(response, notNullValue()); + assertThat(response.getStatus(), equalTo(statusCode)); + List allowOriginHeader = response.headers().get(ALLOW_ORIGIN_HEADER); + assertThat(allowOriginHeader.size(), equalTo(1)); + assertThat(allowOriginHeader.get(0), equalTo(origin)); + } + + private static class SimpleCorsSecurityRequestFilter extends CorsSecurityRequestFilterBase { + private final ErrorResponse errorResponse; + + SimpleCorsSecurityRequestFilter(Set allowedUrls, int statusCode, String message) { + super(allowedUrls); + this.errorResponse = new ErrorResponse(statusCode, message); + } + + @Override + protected Optional filter(DiscFilterRequest request) { + return Optional.ofNullable(this.errorResponse); + } + } + +} \ No newline at end of file diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java new file mode 100644 index 00000000000..cadc4b217b3 --- /dev/null +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filters/cors/CorsSecurityResponseFilterTest.java @@ -0,0 +1,112 @@ +// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.filters.cors; + +import com.yahoo.jdisc.http.Cookie; +import com.yahoo.jdisc.http.filter.DiscFilterResponse; +import com.yahoo.jdisc.http.filter.RequestView; +import com.yahoo.jdisc.http.filter.SecurityResponseFilter; +import com.yahoo.jdisc.http.filters.cors.CorsSecurityFilterConfig.Builder; +import com.yahoo.jdisc.http.servlet.ServletOrJdiscHttpResponse; +import org.junit.Test; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ACCESS_CONTROL_HEADERS; +import static com.yahoo.jdisc.http.filters.cors.CorsLogic.ALLOW_ORIGIN_HEADER; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNull; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +/** + * @author gjoranv + * @author bjorncs + */ +public class CorsSecurityResponseFilterTest { + + @Test + public void any_request_yields_access_control_headers_in_response() { + Map headers = doFilterRequest(newResponseFilter(), "http://any.origin"); + ACCESS_CONTROL_HEADERS.keySet().forEach( + header -> assertFalse("Empty header: " + header, headers.get(header).isEmpty())); + } + + @Test + public void allowed_request_origin_yields_allow_origin_header_in_response() { + final String ALLOWED_ORIGIN = "http://allowed.origin"; + Map headers = doFilterRequest(newResponseFilter(ALLOWED_ORIGIN), ALLOWED_ORIGIN); + assertEquals(ALLOWED_ORIGIN, headers.get(ALLOW_ORIGIN_HEADER)); + } + + @Test + public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() { + Map headers = doFilterRequest(newResponseFilter("http://allowed.origin"), "http://disallowed.origin"); + assertNull(headers.get(ALLOW_ORIGIN_HEADER)); + } + + @Test + public void any_request_origin_yields_allow_origin_header_in_response_when_wildcard_is_allowed() { + Map headers = doFilterRequest(newResponseFilter("*"), "http://any.origin"); + assertEquals("*", headers.get(ALLOW_ORIGIN_HEADER)); + } + + private static Map doFilterRequest(SecurityResponseFilter filter, String originUrl) { + TestResponse response = new TestResponse(); + filter.filter(response, newRequestView(originUrl)); + return Collections.unmodifiableMap(response.headers); + } + + private static CorsSecurityResponseFilter newResponseFilter(String... allowedOriginUrls) { + Builder builder = new Builder(); + Arrays.asList(allowedOriginUrls).forEach(builder::allowedUrls); + return new CorsSecurityResponseFilter(new CorsSecurityFilterConfig(builder)); + } + + private static RequestView newRequestView(String originUrl) { + RequestView request = mock(RequestView.class); + when(request.getFirstHeader("Origin")).thenReturn(Optional.of(originUrl)); + return request; + } + + private static class TestResponse extends DiscFilterResponse { + Map headers = new HashMap<>(); + + TestResponse() { + super(mock(ServletOrJdiscHttpResponse.class)); + } + + @Override + public void setHeader(String name, String value) { + headers.put(name, value); + } + + @Override + public String getHeader(String name) { + return headers.get(name); + } + + @Override + public void removeHeaders(String s) { throw new UnsupportedOperationException(); } + + @Override + public void setHeaders(String s, String s1) { throw new UnsupportedOperationException(); } + + @Override + public void setHeaders(String s, List list) { throw new UnsupportedOperationException(); } + + @Override + public void addHeader(String s, String s1) { throw new UnsupportedOperationException(); } + + @Override + public void setCookies(List list) { throw new UnsupportedOperationException(); } + + @Override + public void setStatus(int i) { throw new UnsupportedOperationException(); } + } +} -- cgit v1.2.3