Improve the docs about Stub Runner standalone executions in terms of security concerns; fixes gh-1806

Marcin Grzejszczak
2022-07-01 13:05:57 +02:00
parent 5b17e9c6bf
commit 8a855d9bc3
2 changed files with 14 additions and 3 deletions


@@ -619,9 +619,15 @@ by setting the following system properties or by setting the corresponding envir
Spring Cloud Contract Stub Runner Boot is a Spring Boot application that exposes REST endpoints to
trigger the messaging labels and to access WireMock servers.
One of the use cases is to run some smoke (end-to-end) tests on a deployed application.
You can check out the https://github.com/spring-cloud/spring-cloud-pipelines[Spring Cloud Pipelines]
project for more information.
[[features-stub-runner-boot-security]]
==== Stub Runner Boot Security
The Stub Runner Boot application is not secured by design - securing it would require to add security to all
stubs even if they don't actually require it. Since this is a testing utility - the server is **not intended**
to be used in production environments.
IMPORTANT: It is expected that **only a trusted client** has access to the Stub Runner Boot server. You should not
run this application as a Fat Jar or a link:docker-project.html#docker-stubrunner[Docker Image] in untrusted locations.
[[features-stub-runner-boot-server]]
==== Stub Runner Server
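Review bot: The new "Stub Runner Boot Security" section tells readers that only a trusted client should reach the server, but it never says what an untrusted client could do or how to keep one out. The context lines above already state that the application exposes REST endpoints to trigger the messaging labels and to access WireMock servers; repeating that in the IMPORTANT paragraph would make the risk concrete, and one sentence on restricting network access to the server would turn "untrusted locations" into something a reader can act on. Wording: "would require to add security" should read "would require adding security", and the two spaced hyphens used as dashes ("by design - securing", "testing utility - the server") read better as a full stop and a comma.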


@@ -389,6 +389,11 @@ This section describes how to use Docker on the consumer side to fetch and run s
We publish a `spring-cloud/spring-cloud-contract-stub-runner` Docker image
that starts the standalone version of Stub Runner.
[[docker-stubrunner-security]]
=== Security
Since the Spring Cloud Contract Stub Runner Docker Image uses the standalone version of Stub Runner the same security considerations need to be taken. You can read more about those link:project-features.html#features-stub-runner-boot-security[in this section of the documentation].
[[docker-stubrunner-env-vars]]
=== Environment Variables
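Review bot: The new "Security" paragraph only points to the other page, so a reader who lands on the Docker documentation and does not follow the link never sees the actual warning. Consider restating the key sentence here (only a trusted client is expected to have access, and the image is not intended for production) before the link. The link text "in this section of the documentation" is also not descriptive; using the target section's title, "Stub Runner Boot Security", would be clearer. Wording: "the same security considerations need to be taken" should be "the same security considerations apply", and a comma is missing after "the standalone version of Stub Runner".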