From 90b2a2e85cd456abf70f9551211f35663def9256 Mon Sep 17 00:00:00 2001 From: Miroslav Blasko Date: Wed, 22 Nov 2023 23:55:15 +0100 Subject: [PATCH 1/2] [#13] Throw error when allowed origins are not configured --- .../cz/cvut/kbss/study/config/SecurityConfig.java | 2 +- .../cvut/kbss/study/config/SecurityConfigTest.java | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java index 15ff8ac4..0d1f6e7b 100644 --- a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java +++ b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java @@ -113,7 +113,7 @@ private static void configureAllowedOrigins(CorsConfiguration corsConfig, Config final List allowedOrigins = new ArrayList<>(); appUrlOrigin.ifPresent(allowedOrigins::add); final String allowedOriginsConfig = config.getConfig(ConfigParam.CORS_ALLOWED_ORIGINS); - allowedOrigins.addAll(Arrays.asList(allowedOriginsConfig.split(","))); + Arrays.stream(allowedOriginsConfig.split(",")).filter(s -> !s.isBlank()).forEach(allowedOrigins::add); if (!allowedOrigins.isEmpty()) { corsConfig.setAllowedOrigins(allowedOrigins); corsConfig.setAllowCredentials(true); diff --git a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java index 795da311..be91719a 100644 --- a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java +++ b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java @@ -1,5 +1,6 @@ package cz.cvut.kbss.study.config; +import cz.cvut.kbss.study.exception.RecordManagerException; import cz.cvut.kbss.study.service.ConfigReader; import cz.cvut.kbss.study.util.ConfigParam; import org.junit.jupiter.api.Test; @@ -11,6 +12,7 @@ import static org.hamcrest.Matchers.hasItem; import static org.hamcrest.Matchers.hasItems; import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; class SecurityConfigTest { @@ -55,4 +57,14 @@ void createCorsConfigurationSupportsMultipleConfiguredAllowedOrigins() { assertThat(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins(), hasItems(originOne, originTwo, originThree)); } + + @Test + void createCorsConfigurationThrowsRecordManagerExceptionWhenAppContextAndAllowedOriginsAreNotSet() { + environment.setProperty(ConfigParam.APP_CONTEXT.toString(), ""); + environment.setProperty(ConfigParam.CORS_ALLOWED_ORIGINS.toString(),""); + + assertThrows(RecordManagerException.class, () -> { + SecurityConfig.createCorsConfiguration(config); + }); + } } \ No newline at end of file From 57b4dac94f20cd55e1f5591f2d687089bd5d7a73 Mon Sep 17 00:00:00 2001 From: Miroslav Blasko Date: Tue, 28 Nov 2023 22:30:52 +0100 Subject: [PATCH 2/2] [#13] Empty origins should not result in * --- .../java/cz/cvut/kbss/study/config/SecurityConfig.java | 10 ++++++---- .../cz/cvut/kbss/study/config/SecurityConfigTest.java | 9 +++++---- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java index 0d1f6e7b..a46bf110 100644 --- a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java +++ b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java @@ -117,11 +117,13 @@ private static void configureAllowedOrigins(CorsConfiguration corsConfig, Config if (!allowedOrigins.isEmpty()) { corsConfig.setAllowedOrigins(allowedOrigins); corsConfig.setAllowCredentials(true); - LOG.debug( - "Using response header Access-Control-Allow-Origin with value {}.", - corsConfig.getAllowedOrigins() - ); + } else { + corsConfig.setAllowedOrigins(null); } + LOG.debug( + "Using response header Access-Control-Allow-Origin with value {}.", + corsConfig.getAllowedOrigins() + ); } private static Optional getApplicationUrlOrigin(ConfigReader configReader) { diff --git a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java index be91719a..6ea26851 100644 --- a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java +++ b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java @@ -12,6 +12,7 @@ import static org.hamcrest.Matchers.hasItem; import static org.hamcrest.Matchers.hasItems; import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertThrows; class SecurityConfigTest { @@ -59,12 +60,12 @@ void createCorsConfigurationSupportsMultipleConfiguredAllowedOrigins() { } @Test - void createCorsConfigurationThrowsRecordManagerExceptionWhenAppContextAndAllowedOriginsAreNotSet() { + void createCorsConfigurationDoNotSetAllowedOriginsWhenAppContextAndAllowedOriginsAreNotSet() { environment.setProperty(ConfigParam.APP_CONTEXT.toString(), ""); environment.setProperty(ConfigParam.CORS_ALLOWED_ORIGINS.toString(),""); - assertThrows(RecordManagerException.class, () -> { - SecurityConfig.createCorsConfiguration(config); - }); + final CorsConfigurationSource result = SecurityConfig.createCorsConfiguration(config); + assertNotNull(result.getCorsConfiguration(new MockHttpServletRequest())); + assertNull(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins()); } } \ No newline at end of file