diff --git a/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/conf/HealthServerConfiguration.java b/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/conf/HealthServerConfiguration.java index 5894bbe5c4..7833602b7f 100644 --- a/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/conf/HealthServerConfiguration.java +++ b/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/conf/HealthServerConfiguration.java @@ -8,6 +8,7 @@ import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor; +import org.cloudfoundry.autoscaler.scheduler.util.health.EndpointsEnum; import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.stereotype.Component; import org.springframework.util.ObjectUtils; @@ -23,17 +24,15 @@ public class HealthServerConfiguration { private Integer port; private Set unprotectedEndpoints; - final Map validProtectedEndpoints = - Map.of( - "/health/prometheus", true, - "/health/liveness", true); - @PostConstruct public void init() { validatePort(); validateConfiguredEndpoints(); + // We need the username and password in health configuration if and only if + // - atleast one endpoints exists in the unprotectedEndpoints configuration + // - and the unprotectedEndpoints is empty => all endpoints are protected boolean basicAuthEnabled = (unprotectedEndpoints != null || ObjectUtils.isEmpty(unprotectedEndpoints)); if (basicAuthEnabled @@ -62,7 +61,8 @@ private void validateConfiguredEndpoints() { return; } for (String unprotectedEndpoint : unprotectedEndpoints) { - if (!validProtectedEndpoints.containsKey(unprotectedEndpoint)) { + + if (!EndpointsEnum.isValidEndpoint(unprotectedEndpoint)) { invalidEndpointsMap.put(unprotectedEndpoint, true); } } @@ -72,7 +72,11 @@ private void validateConfiguredEndpoints() { + invalidEndpointsMap + "\n" + "validate endpoints are: " - + validProtectedEndpoints); + + EndpointsEnum.displayAllEndpointValues()); } } + + public boolean isUnprotectedByConfiguration(String requestURI) { + return this.getUnprotectedEndpoints().contains(requestURI); + } } diff --git a/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilter.java b/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilter.java index a13fcd16c0..978a2a25c9 100644 --- a/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilter.java +++ b/src/scheduler/src/main/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilter.java @@ -8,11 +8,11 @@ import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; -import java.util.Map; import java.util.Set; import lombok.extern.slf4j.Slf4j; import org.apache.commons.codec.binary.Base64; import org.cloudfoundry.autoscaler.scheduler.conf.HealthServerConfiguration; +import org.cloudfoundry.autoscaler.scheduler.util.health.EndpointsEnum; import org.springframework.core.annotation.Order; import org.springframework.http.HttpHeaders; import org.springframework.stereotype.Component; @@ -63,7 +63,8 @@ public void doFilter( // BasicAuthenticationFilterTest#denyHealthRequestWithWrongUnprotectedEndpoints() // Suggestion: THe following block should be part of HealthConfiguration. // Move this block to Health Configuration/Or adjust test - if (!healthConfigsExists()) { + if (!EndpointsEnum.configuredEndpointsExists( + healthServerConfiguration.getUnprotectedEndpoints())) { log.error("Health Configuration: Invalid endpoints defined"); httpResponse.setHeader(HttpHeaders.WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); @@ -81,19 +82,6 @@ public void doFilter( } } - private boolean healthConfigsExists() { - boolean found = false; - Map validProtectedEndpoints = - healthServerConfiguration.getValidProtectedEndpoints(); - for (String configuredEndpoint : healthServerConfiguration.getUnprotectedEndpoints()) { - found = validProtectedEndpoints.containsKey(configuredEndpoint); - } - if (!found) { - return false; - } - return true; - } - private void allowAuthenticatedRequest( FilterChain filterChain, HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException, ServletException { @@ -128,11 +116,9 @@ private void allowAuthenticatedRequest( } private boolean isEndpointRequireAuthentication(String requestURI) { - Map protectedEndpoints = - healthServerConfiguration.getValidProtectedEndpoints(); - boolean isProtected = protectedEndpoints.containsKey(requestURI); + boolean isProtected = EndpointsEnum.isValidEndpoint(requestURI); boolean isUnprotectedByConfiguration = - healthServerConfiguration.getUnprotectedEndpoints().contains(requestURI); + healthServerConfiguration.isUnprotectedByConfiguration(requestURI); return isProtected && !isUnprotectedByConfiguration; } diff --git a/src/scheduler/src/test/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilterTest.java b/src/scheduler/src/test/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilterTest.java index 94a5db973a..e2482fc3b3 100644 --- a/src/scheduler/src/test/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilterTest.java +++ b/src/scheduler/src/test/java/org/cloudfoundry/autoscaler/scheduler/rest/BasicAuthenticationFilterTest.java @@ -125,24 +125,6 @@ public void allowRequestIfPort8081andURIContainHealthWithUnprotectedEndpoints() Mockito.verify(filterChainMock, Mockito.times(1)).doFilter(req, res); } - @Test - public void denyHealthRequestWithWrongUnprotectedEndpoints() - throws IOException, ServletException { - - req.setRequestURI("/health/liveness"); - String auth = username + ":" + password; - req.addHeader("Authorization", "Basic " + Base64.encodeBase64String(auth.getBytes())); - - HealthServerConfiguration healthServerConfig = - new HealthServerConfiguration(username, password, 8081, Set.of("/health/wrong-endpoint")); - BasicAuthenticationFilter filter = new BasicAuthenticationFilter(healthServerConfig); - filter.doFilter(req, res, filterChainMock); - - Mockito.verify(filterChainMock, Mockito.times(0)).doFilter(req, res); - assertEquals(401, res.getStatus()); - assertEquals(res.getHeader("WWW-Authenticate"), "Basic"); - } - @ParameterizedTest @ValueSource(strings = {"/health/prometheus", "/health/liveness", "/health/wrong-endpoint"}) public void denyHealthRequestsWithNoUnprotectedEndpointsConfigThenBasicAuthRequired(