Servlet path not explicitly required for EndpointRequest

0fd873f0 · Madhura Bhave · Andy Wilkinson · 85f2db38 · 0fd873f0 · 0fd873f0
Commit 0fd873f0 authored Sep 19, 2018 by Madhura Bhave Committed by Andy Wilkinson Oct 16, 2018
4 changed files
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
@@ -35,7 +35,6 @@ import org.springframework.boot.actuate.endpoint.EndpointId;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider;
-import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletPath;
 import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
 import org.springframework.core.annotation.AnnotatedElementUtils;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -139,23 +138,13 @@ public final class EndpointRequest {

 		private RequestMatcher createDelegate(WebApplicationContext context) {
 			try {
-				String pathPrefix = getPathPrefix(context);
-				return createDelegate(context, new RequestMatcherFactory(pathPrefix));
+				return createDelegate(context, new RequestMatcherFactory());
 			}
 			catch (NoSuchBeanDefinitionException ex) {
 				return EMPTY_MATCHER;
 			}
 		}

-		private String getPathPrefix(WebApplicationContext context) {
-			try {
-				return context.getBean(DispatcherServletPath.class).getPrefix();
-			}
-			catch (NoSuchBeanDefinitionException ex) {
-				return "";
-			}
-		}
-
 		protected abstract RequestMatcher createDelegate(WebApplicationContext context,
 				RequestMatcherFactory requestMatcherFactory);

@@ -313,15 +302,9 @@ public final class EndpointRequest {
 	 */
 	private static class RequestMatcherFactory {

-		private final String prefix;
-
-		RequestMatcherFactory(String prefix) {
-			this.prefix = prefix;
-		}
-
 		public RequestMatcher antPath(RequestMatcherProvider matcherProvider,
 				String... parts) {
-			StringBuilder pattern = new StringBuilder(this.prefix);
+			StringBuilder pattern = new StringBuilder();
 			for (String part : parts) {
 				pattern.append(part);
 			}

--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+
+import org.junit.Test;
+
+import org.springframework.boot.actuate.endpoint.ExposableEndpoint;
+import org.springframework.boot.actuate.endpoint.Operation;
+import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
+import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
+import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoint;
+import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
+import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
+import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
+import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Abstract base class for {@link EndpointRequest} tests.
+ *
+ * @author Madhura Bhave
+ */
+public abstract class AbstractEndpointRequestIntegrationTests {
+
+	protected abstract WebApplicationContextRunner getContextRunner();
+
+	@Test
+	public void toEndpointShouldMatch() {
+		getContextRunner().run((context) -> {
+			WebTestClient webTestClient = getWebTestClient(context);
+			webTestClient.get().uri("/actuator/e1").exchange().expectStatus().isOk();
+		});
+	}
+
+	@Test
+	public void toAllEndpointsShouldMatch() {
+		getContextRunner().withPropertyValues("spring.security.user.password=password")
+				.run((context) -> {
+					WebTestClient webTestClient = getWebTestClient(context);
+					webTestClient.get().uri("/actuator/e2").exchange().expectStatus()
+							.isUnauthorized();
+					webTestClient.get().uri("/actuator/e2")
+							.header("Authorization", getBasicAuth()).exchange()
+							.expectStatus().isOk();
+				});
+	}
+
+	@Test
+	public void toLinksShouldMatch() {
+		getContextRunner().run((context) -> {
+			WebTestClient webTestClient = getWebTestClient(context);
+			webTestClient.get().uri("/actuator").exchange().expectStatus().isOk();
+			webTestClient.get().uri("/actuator/").exchange().expectStatus().isOk();
+		});
+	}
+
+	protected WebTestClient getWebTestClient(AssertableWebApplicationContext context) {
+		int port = context
+				.getSourceApplicationContext(
+						AnnotationConfigServletWebServerApplicationContext.class)
+				.getWebServer().getPort();
+		return WebTestClient.bindToServer().baseUrl("http://localhost:" + port).build();
+	}
+
+	String getBasicAuth() {
+		return "Basic " + Base64.getEncoder().encodeToString("user:password".getBytes());
+	}
+
+	static class BaseConfiguration {
+
+		@Bean
+		public TestEndpoint1 endpoint1() {
+			return new TestEndpoint1();
+		}
+
+		@Bean
+		public TestEndpoint2 endpoint2() {
+			return new TestEndpoint2();
+		}
+
+		@Bean
+		public TestEndpoint3 endpoint3() {
+			return new TestEndpoint3();
+		}
+
+		@Bean
+		public PathMappedEndpoints pathMappedEndpoints() {
+			List<ExposableEndpoint<?>> endpoints = new ArrayList<>();
+			endpoints.add(mockEndpoint("e1"));
+			endpoints.add(mockEndpoint("e2"));
+			endpoints.add(mockEndpoint("e3"));
+			return new PathMappedEndpoints("/actuator", () -> endpoints);
+		}
+
+		private TestPathMappedEndpoint mockEndpoint(String id) {
+			TestPathMappedEndpoint endpoint = mock(TestPathMappedEndpoint.class);
+			given(endpoint.getId()).willReturn(id);
+			given(endpoint.getRootPath()).willReturn(id);
+			return endpoint;
+		}
+
+	}
+
+	@Endpoint(id = "e1")
+	static class TestEndpoint1 {
+
+		@ReadOperation
+		public Object getAll() {
+			return "endpoint 1";
+		}
+
+	}
+
+	@Endpoint(id = "e2")
+	static class TestEndpoint2 {
+
+		@ReadOperation
+		public Object getAll() {
+			return "endpoint 2";
+		}
+
+	}
+
+	@Endpoint(id = "e3")
+	static class TestEndpoint3 {
+
+		@ReadOperation
+		public Object getAll() {
+			return null;
+		}
+
+	}
+
+	interface TestPathMappedEndpoint
+			extends ExposableEndpoint<Operation>, PathMappedEndpoint {
+
+	}
+
+	@Configuration
+	static class SecurityConfiguration {
+
+		@Bean
+		public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() {
+			return new WebSecurityConfigurerAdapter() {
+				@Override
+				protected void configure(HttpSecurity http) throws Exception {
+					http.authorizeRequests().requestMatchers(EndpointRequest.toLinks())
+							.permitAll()
+							.requestMatchers(EndpointRequest.to(TestEndpoint1.class))
+							.permitAll().requestMatchers(EndpointRequest.toAnyEndpoint())
+							.authenticated().anyRequest().hasRole("ADMIN").and()
+							.httpBasic();
+				}
+			};
+		}
+
+	}
+
+}
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/JerseyEndpointRequestIntegrationTests.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/JerseyEndpointRequestIntegrationTests.java
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+
+import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.server.model.Resource;
+
+import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
+import org.springframework.boot.actuate.endpoint.http.ActuatorMediaType;
+import org.springframework.boot.actuate.endpoint.invoke.convert.ConversionServiceParameterValueMapper;
+import org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver;
+import org.springframework.boot.actuate.endpoint.web.EndpointMapping;
+import org.springframework.boot.actuate.endpoint.web.EndpointMediaTypes;
+import org.springframework.boot.actuate.endpoint.web.PathMapper;
+import org.springframework.boot.actuate.endpoint.web.annotation.WebEndpointDiscoverer;
+import org.springframework.boot.actuate.endpoint.web.jersey.JerseyEndpointResourceFactory;
+import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
+import org.springframework.boot.autoconfigure.jersey.JerseyAutoConfiguration;
+import org.springframework.boot.autoconfigure.jersey.ResourceConfigCustomizer;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityRequestMatcherProviderAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * Integration tests for {@link EndpointRequest} with Jersey.
+ *
+ * @author Madhura Bhave
+ */
+public class JerseyEndpointRequestIntegrationTests
+		extends AbstractEndpointRequestIntegrationTests {
+
+	@Override
+	protected WebApplicationContextRunner getContextRunner() {
+		return new WebApplicationContextRunner(
+				AnnotationConfigServletWebServerApplicationContext::new)
+						.withUserConfiguration(JerseyEndpointConfiguration.class,
+								SecurityConfiguration.class, BaseConfiguration.class)
+						.withConfiguration(AutoConfigurations.of(
+								SecurityAutoConfiguration.class,
+								UserDetailsServiceAutoConfiguration.class,
+								SecurityRequestMatcherProviderAutoConfiguration.class,
+								JacksonAutoConfiguration.class,
+								JerseyAutoConfiguration.class));
+	}
+
+	@Configuration
+	@EnableConfigurationProperties(WebEndpointProperties.class)
+	static class JerseyEndpointConfiguration {
+
+		private final ApplicationContext applicationContext;
+
+		JerseyEndpointConfiguration(ApplicationContext applicationContext) {
+			this.applicationContext = applicationContext;
+		}
+
+		@Bean
+		public TomcatServletWebServerFactory tomcat() {
+			return new TomcatServletWebServerFactory(0);
+		}
+
+		@Bean
+		public ResourceConfig resourceConfig() {
+			return new ResourceConfig();
+		}
+
+		@Bean
+		public ResourceConfigCustomizer webEndpointRegistrar() {
+			return this::customize;
+		}
+
+		private void customize(ResourceConfig config) {
+			List<String> mediaTypes = Arrays.asList(
+					javax.ws.rs.core.MediaType.APPLICATION_JSON,
+					ActuatorMediaType.V2_JSON);
+			EndpointMediaTypes endpointMediaTypes = new EndpointMediaTypes(mediaTypes,
+					mediaTypes);
+			WebEndpointDiscoverer discoverer = new WebEndpointDiscoverer(
+					this.applicationContext, new ConversionServiceParameterValueMapper(),
+					endpointMediaTypes, PathMapper.useEndpointId(),
+					Collections.emptyList(), Collections.emptyList());
+			Collection<Resource> resources = new JerseyEndpointResourceFactory()
+					.createEndpointResources(new EndpointMapping("/actuator"),
+							discoverer.getEndpoints(), endpointMediaTypes,
+							new EndpointLinksResolver(discoverer.getEndpoints()));
+			config.registerResources(new HashSet<>(resources));
+		}
+
+	}
+
+}
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/MvcEndpointRequestIntegrationTests.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/MvcEndpointRequestIntegrationTests.java
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import org.junit.Test;
+
+import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
+import org.springframework.boot.actuate.endpoint.http.ActuatorMediaType;
+import org.springframework.boot.actuate.endpoint.invoke.convert.ConversionServiceParameterValueMapper;
+import org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver;
+import org.springframework.boot.actuate.endpoint.web.EndpointMapping;
+import org.springframework.boot.actuate.endpoint.web.EndpointMediaTypes;
+import org.springframework.boot.actuate.endpoint.web.PathMapper;
+import org.springframework.boot.actuate.endpoint.web.annotation.WebEndpointDiscoverer;
+import org.springframework.boot.actuate.endpoint.web.servlet.WebMvcEndpointHandlerMapping;
+import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration;
+import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityRequestMatcherProviderAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.cors.CorsConfiguration;
+
+/**
+ * Integration tests for {@link EndpointRequest} with Spring MVC.
+ *
+ * @author Madhura Bhave
+ */
+public class MvcEndpointRequestIntegrationTests
+		extends AbstractEndpointRequestIntegrationTests {
+
+	@Test
+	public void toEndpointWhenServletPathSetShouldMatch() {
+		getContextRunner().withPropertyValues("server.servlet.path=/admin")
+				.run((context) -> {
+					WebTestClient webTestClient = getWebTestClient(context);
+					webTestClient.get().uri("/admin/actuator/e1").exchange()
+							.expectStatus().isOk();
+				});
+	}
+
+	@Test
+	public void toAnyEndpointWhenServletPathSetShouldMatch() {
+		getContextRunner().withPropertyValues("server.servlet.path=/admin",
+				"spring.security.user.password=password").run((context) -> {
+					WebTestClient webTestClient = getWebTestClient(context);
+					webTestClient.get().uri("/admin/actuator/e2").exchange()
+							.expectStatus().isUnauthorized();
+					webTestClient.get().uri("/admin/actuator/e2")
+							.header("Authorization", getBasicAuth()).exchange()
+							.expectStatus().isOk();
+				});
+	}
+
+	@Override
+	protected WebApplicationContextRunner getContextRunner() {
+		return new WebApplicationContextRunner(
+				AnnotationConfigServletWebServerApplicationContext::new)
+						.withUserConfiguration(WebMvcEndpointConfiguration.class,
+								SecurityConfiguration.class, BaseConfiguration.class)
+						.withConfiguration(AutoConfigurations.of(
+								SecurityAutoConfiguration.class,
+								UserDetailsServiceAutoConfiguration.class,
+								WebMvcAutoConfiguration.class,
+								SecurityRequestMatcherProviderAutoConfiguration.class,
+								JacksonAutoConfiguration.class,
+								HttpMessageConvertersAutoConfiguration.class,
+								DispatcherServletAutoConfiguration.class));
+	}
+
+	@Configuration
+	@EnableConfigurationProperties(WebEndpointProperties.class)
+	static class WebMvcEndpointConfiguration {
+
+		private final ApplicationContext applicationContext;
+
+		WebMvcEndpointConfiguration(ApplicationContext applicationContext) {
+			this.applicationContext = applicationContext;
+		}
+
+		@Bean
+		public TomcatServletWebServerFactory tomcat() {
+			return new TomcatServletWebServerFactory(0);
+		}
+
+		@Bean
+		public WebMvcEndpointHandlerMapping webEndpointServletHandlerMapping() {
+			List<String> mediaTypes = Arrays.asList(MediaType.APPLICATION_JSON_VALUE,
+					ActuatorMediaType.V2_JSON);
+			EndpointMediaTypes endpointMediaTypes = new EndpointMediaTypes(mediaTypes,
+					mediaTypes);
+			WebEndpointDiscoverer discoverer = new WebEndpointDiscoverer(
+					this.applicationContext, new ConversionServiceParameterValueMapper(),
+					endpointMediaTypes, PathMapper.useEndpointId(),
+					Collections.emptyList(), Collections.emptyList());
+			return new WebMvcEndpointHandlerMapping(new EndpointMapping("/actuator"),
+					discoverer.getEndpoints(), endpointMediaTypes,
+					new CorsConfiguration(),
+					new EndpointLinksResolver(discoverer.getEndpoints()));
+		}
+
+	}
+
+}