Merge branch '2.1.x'

Closes gh-17079
This commit is contained in:
Andy Wilkinson
2019-06-07 11:00:44 +01:00
2799 changed files with 28402 additions and 47836 deletions

View File

@@ -41,10 +41,8 @@ import static org.assertj.core.api.Assertions.assertThat;
*
* @author Madhura Bhave
*/
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT,
properties = { "management.server.port=0" },
classes = { ManagementPortSampleSecureWebFluxTests.SecurityConfiguration.class,
SampleSecureWebFluxApplication.class })
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT, properties = { "management.server.port=0" }, classes = {
ManagementPortSampleSecureWebFluxTests.SecurityConfiguration.class, SampleSecureWebFluxApplication.class })
class ManagementPortSampleSecureWebFluxTests {
@LocalServerPort
@@ -59,35 +57,29 @@ class ManagementPortSampleSecureWebFluxTests {
@Test
void testHome() {
this.webClient.get().uri("http://localhost:" + this.port, String.class)
.header("Authorization", "basic " + getBasicAuth()).exchange()
.expectStatus().isOk().expectBody(String.class).isEqualTo("Hello user");
.header("Authorization", "basic " + getBasicAuth()).exchange().expectStatus().isOk()
.expectBody(String.class).isEqualTo("Hello user");
}
@Test
void actuatorPathOnMainPortShouldNotMatch() {
this.webClient.get()
.uri("http://localhost:" + this.port + "/actuator", String.class)
.exchange().expectStatus().isUnauthorized();
this.webClient.get()
.uri("http://localhost:" + this.port + "/actuator/health", String.class)
.exchange().expectStatus().isUnauthorized();
this.webClient.get().uri("http://localhost:" + this.port + "/actuator", String.class).exchange().expectStatus()
.isUnauthorized();
this.webClient.get().uri("http://localhost:" + this.port + "/actuator/health", String.class).exchange()
.expectStatus().isUnauthorized();
}
@Test
void testSecureActuator() {
this.webClient.get()
.uri("http://localhost:" + this.managementPort + "/actuator/env",
String.class)
.exchange().expectStatus().isUnauthorized();
this.webClient.get().uri("http://localhost:" + this.managementPort + "/actuator/env", String.class).exchange()
.expectStatus().isUnauthorized();
}
@Test
void testInsecureActuator() {
String responseBody = this.webClient.get()
.uri("http://localhost:" + this.managementPort + "/actuator/health",
String.class)
.exchange().expectStatus().isOk().expectBody(String.class).returnResult()
.getResponseBody();
.uri("http://localhost:" + this.managementPort + "/actuator/health", String.class).exchange()
.expectStatus().isOk().expectBody(String.class).returnResult().getResponseBody();
assertThat(responseBody).contains("\"status\":\"UP\"");
}
@@ -100,14 +92,10 @@ class ManagementPortSampleSecureWebFluxTests {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.authorizeExchange().matchers(EndpointRequest.to("health", "info"))
.permitAll()
.matchers(EndpointRequest.toAnyEndpoint()
.excluding(MappingsEndpoint.class))
.hasRole("ACTUATOR")
.matchers(PathRequest.toStaticResources().atCommonLocations())
.permitAll().pathMatchers("/login").permitAll().anyExchange()
.authenticated().and().httpBasic().and().build();
return http.authorizeExchange().matchers(EndpointRequest.to("health", "info")).permitAll()
.matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR")
.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll().pathMatchers("/login")
.permitAll().anyExchange().authenticated().and().httpBasic().and().build();
}
}

View File

@@ -40,40 +40,39 @@ class SampleSecureWebFluxApplicationTests {
@Test
void userDefinedMappingsSecureByDefault() {
this.webClient.get().uri("/").accept(MediaType.APPLICATION_JSON).exchange()
.expectStatus().isEqualTo(HttpStatus.UNAUTHORIZED);
this.webClient.get().uri("/").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isEqualTo(HttpStatus.UNAUTHORIZED);
}
@Test
void healthInsecureByDefault() {
this.webClient.get().uri("/actuator/health").accept(MediaType.APPLICATION_JSON)
.exchange().expectStatus().isOk();
this.webClient.get().uri("/actuator/health").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isOk();
}
@Test
void infoInsecureByDefault() {
this.webClient.get().uri("/actuator/info").accept(MediaType.APPLICATION_JSON)
.exchange().expectStatus().isOk();
this.webClient.get().uri("/actuator/info").accept(MediaType.APPLICATION_JSON).exchange().expectStatus().isOk();
}
@Test
void otherActuatorsSecureByDefault() {
this.webClient.get().uri("/actuator/env").accept(MediaType.APPLICATION_JSON)
.exchange().expectStatus().isUnauthorized();
this.webClient.get().uri("/actuator/env").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isUnauthorized();
}
@Test
void userDefinedMappingsAccessibleOnLogin() {
this.webClient.get().uri("/").accept(MediaType.APPLICATION_JSON)
.header("Authorization", "basic " + getBasicAuth()).exchange()
.expectBody(String.class).isEqualTo("Hello user");
.header("Authorization", "basic " + getBasicAuth()).exchange().expectBody(String.class)
.isEqualTo("Hello user");
}
@Test
void actuatorsAccessibleOnLogin() {
this.webClient.get().uri("/actuator/health").accept(MediaType.APPLICATION_JSON)
.header("Authorization", "basic " + getBasicAuth()).exchange()
.expectBody(String.class).isEqualTo("{\"status\":\"UP\"}");
.header("Authorization", "basic " + getBasicAuth()).exchange().expectBody(String.class)
.isEqualTo("{\"status\":\"UP\"}");
}
private String getBasicAuth() {

View File

@@ -40,9 +40,8 @@ import org.springframework.test.web.reactive.server.WebTestClient;
*
* @author Madhura Bhave
*/
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
classes = { SampleSecureWebFluxCustomSecurityTests.SecurityConfiguration.class,
SampleSecureWebFluxApplication.class })
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = {
SampleSecureWebFluxCustomSecurityTests.SecurityConfiguration.class, SampleSecureWebFluxApplication.class })
class SampleSecureWebFluxCustomSecurityTests {
@Autowired
@@ -50,52 +49,47 @@ class SampleSecureWebFluxCustomSecurityTests {
@Test
void userDefinedMappingsSecure() {
this.webClient.get().uri("/").accept(MediaType.APPLICATION_JSON).exchange()
.expectStatus().isEqualTo(HttpStatus.UNAUTHORIZED);
this.webClient.get().uri("/").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isEqualTo(HttpStatus.UNAUTHORIZED);
}
@Test
void healthAndInfoDoNotRequireAuthentication() {
this.webClient.get().uri("/actuator/health").accept(MediaType.APPLICATION_JSON)
.exchange().expectStatus().isOk();
this.webClient.get().uri("/actuator/info").accept(MediaType.APPLICATION_JSON)
.exchange().expectStatus().isOk();
this.webClient.get().uri("/actuator/health").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isOk();
this.webClient.get().uri("/actuator/info").accept(MediaType.APPLICATION_JSON).exchange().expectStatus().isOk();
}
@Test
void actuatorsSecuredByRole() {
this.webClient.get().uri("/actuator/env").accept(MediaType.APPLICATION_JSON)
.header("Authorization", "basic " + getBasicAuth()).exchange()
.expectStatus().isForbidden();
.header("Authorization", "basic " + getBasicAuth()).exchange().expectStatus().isForbidden();
}
@Test
void actuatorsAccessibleOnCorrectLogin() {
this.webClient.get().uri("/actuator/env").accept(MediaType.APPLICATION_JSON)
.header("Authorization", "basic " + getBasicAuthForAdmin()).exchange()
.expectStatus().isOk();
.header("Authorization", "basic " + getBasicAuthForAdmin()).exchange().expectStatus().isOk();
}
@Test
void actuatorExcludedFromEndpointRequestMatcher() {
this.webClient.get().uri("/actuator/mappings").accept(MediaType.APPLICATION_JSON)
.header("Authorization", "basic " + getBasicAuth()).exchange()
.expectStatus().isOk();
.header("Authorization", "basic " + getBasicAuth()).exchange().expectStatus().isOk();
}
@Test
void staticResourceShouldBeAccessible() {
this.webClient.get().uri("/css/bootstrap.min.css")
.accept(MediaType.APPLICATION_JSON).exchange().expectStatus().isOk();
this.webClient.get().uri("/css/bootstrap.min.css").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isOk();
}
@Test
void actuatorLinksIsSecure() {
this.webClient.get().uri("/actuator").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()
.isUnauthorized();
this.webClient.get().uri("/actuator").accept(MediaType.APPLICATION_JSON)
.exchange().expectStatus().isUnauthorized();
this.webClient.get().uri("/actuator").accept(MediaType.APPLICATION_JSON)
.header("Authorization", "basic " + getBasicAuthForAdmin()).exchange()
.expectStatus().isOk();
.header("Authorization", "basic " + getBasicAuthForAdmin()).exchange().expectStatus().isOk();
}
private String getBasicAuth() {
@@ -113,22 +107,18 @@ class SampleSecureWebFluxCustomSecurityTests {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
return new MapReactiveUserDetailsService(
User.withDefaultPasswordEncoder().username("user")
.password("password").authorities("ROLE_USER").build(),
User.withDefaultPasswordEncoder().username("user").password("password").authorities("ROLE_USER")
.build(),
User.withDefaultPasswordEncoder().username("admin").password("admin")
.authorities("ROLE_ACTUATOR", "ROLE_USER").build());
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.authorizeExchange().matchers(EndpointRequest.to("health", "info"))
.permitAll()
.matchers(EndpointRequest.toAnyEndpoint()
.excluding(MappingsEndpoint.class))
.hasRole("ACTUATOR")
.matchers(PathRequest.toStaticResources().atCommonLocations())
.permitAll().pathMatchers("/login").permitAll().anyExchange()
.authenticated().and().httpBasic().and().build();
return http.authorizeExchange().matchers(EndpointRequest.to("health", "info")).permitAll()
.matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR")
.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll().pathMatchers("/login")
.permitAll().anyExchange().authenticated().and().httpBasic().and().build();
}
}