Fix #29400: allow to customize HTTP headers

LEDfan · LEDfan · commit a847c8285b94 · 2023-01-02T13:21:19.000+01:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java b/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java
@@ -24,6 +24,8 @@
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
 import eu.openanalytics.containerproxy.util.AppRecoveryFilter;
+import eu.openanalytics.containerproxy.util.EnvironmentUtils;
+import eu.openanalytics.containerproxy.util.OverridingHeaderWriter;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -43,16 +45,17 @@
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
+import org.springframework.security.web.header.Header;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 import javax.inject.Inject;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.List;
 
 import static eu.openanalytics.containerproxy.ui.TemplateResolverConfig.PROP_CORS_ALLOWED_ORIGINS;
@@ -77,7 +80,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	
 	@Autowired(required=false)
 	private List<ICustomSecurityConfig> customConfigs;
-	
+
+	public static final String PROP_DISABLE_NO_SNIFF_HEADER = "proxy.api-security.disable-no-sniff-header";
+	public static final String PROP_DISABLE_HSTS_HEADER = "proxy.api-security.disable-hsts-header";
+	public static final String PROP_DISABLE_XSS_PROTECTION_HEADER = "proxy.api-security.disable-xss-protection-header";
+	public static final String PROP_CUSTOM_HEADERS = "proxy.api-security.custom-headers";
+
 	@Override
 	public void configure(WebSecurity web) {
 //		web
@@ -110,7 +118,7 @@ private void checkForIncorrectConfiguration(HttpServletRequest request) {
 
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
-		if (environment.getProperty(PROP_CORS_ALLOWED_ORIGINS + "[0]") != null) {
+		if (EnvironmentUtils.readList(environment, PROP_CORS_ALLOWED_ORIGINS) != null) {
 			// enable cors
 			http.cors();
 		}
@@ -136,8 +144,25 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 			}
 		});
 
-		// Always set header: X-Content-Type-Options=nosniff
-		http.headers().contentTypeOptions();
+		if (environment.getProperty(PROP_DISABLE_NO_SNIFF_HEADER, Boolean.class, false)) {
+			http.headers().contentTypeOptions().disable();
+		} else {
+			// set header: X-Content-Type-Options=nosniff
+			http.headers().contentTypeOptions();
+		}
+
+		if (environment.getProperty(PROP_DISABLE_XSS_PROTECTION_HEADER, Boolean.class, false)) {
+			http.headers().xssProtection().disable();
+		} else {
+			http.headers().xssProtection();
+		}
+
+		if (environment.getProperty(PROP_DISABLE_HSTS_HEADER, Boolean.class, false)) {
+			http.headers().httpStrictTransportSecurity().disable();
+		} else {
+			http.headers().httpStrictTransportSecurity();
+		}
+
 
 		String frameOptions = environment.getProperty("server.frame-options", "disable");
 		switch (frameOptions.toUpperCase()) {
@@ -157,15 +182,19 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 						.addHeaderWriter(new StaticHeadersWriter("X-Frame-Options", frameOptions));
 				}
 		}
-		
+
+		List<Header> headers = getCustomHeaders();
+		if (!headers.isEmpty()) {
+			http.headers().addHeaderWriter(new OverridingHeaderWriter(headers));
+		}
+
 		// Allow public access to health endpoint
 		http.authorizeRequests().antMatchers("/actuator/health").permitAll();
 		http.authorizeRequests().antMatchers("/actuator/health/readiness").permitAll();
 		http.authorizeRequests().antMatchers("/actuator/health/liveness").permitAll();
 		http.authorizeRequests().antMatchers("/actuator/prometheus").permitAll();
 		http.authorizeRequests().antMatchers("/actuator/recyclable").permitAll();
-
-	http.authorizeRequests().antMatchers("/saml/metadata").permitAll();
+		http.authorizeRequests().antMatchers("/saml/metadata").permitAll();
 
 		// Note: call early, before http.authorizeRequests().anyRequest().fullyAuthenticated();
 		if (customConfigs != null) {
@@ -213,4 +242,24 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
 		return super.authenticationManagerBean();
 	}
 
+	private List<Header> getCustomHeaders() {
+		List<Header> headers = new ArrayList<>();
+
+		int i = 0;
+		String headerName = environment.getProperty(String.format(PROP_CUSTOM_HEADERS + "[%d].name", i));
+		while (headerName != null) {
+			String headerValue = environment.getProperty(String.format(PROP_CUSTOM_HEADERS + "[%d].value", i));
+			if (headerValue == null) {
+				logger.warn("Missing header value for header {}", headerName);
+				i++;
+				continue;
+			}
+			headers.add(new Header(headerName, headerValue));
+			i++;
+			headerName = environment.getProperty(String.format(PROP_CUSTOM_HEADERS + "[%d].name", i));
+		}
+
+		return headers;
+	}
+
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java b/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
@@ -20,8 +20,11 @@
  */
 package eu.openanalytics.containerproxy.ui;
 
+import eu.openanalytics.containerproxy.util.EnvironmentUtils;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.PropertySource;
 import org.springframework.core.env.Environment;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
@@ -63,16 +66,8 @@ public FileTemplateResolver templateResolver() {
 
 	@Override
 	public void addCorsMappings(@Nonnull CorsRegistry registry) {
-		List<String> origins = new ArrayList<>();
-		int i = 0;
-		String origin = environment.getProperty(String.format(PROP_CORS_ALLOWED_ORIGINS + "[%d]", i));
-		while (origin != null) {
-			origins.add(origin);
-			i++;
-			origin = environment.getProperty(String.format(PROP_CORS_ALLOWED_ORIGINS + "[%d]", i));
-		}
-
-		if (origins.size() > 0) {
+		List<String> origins = EnvironmentUtils.readList(environment, PROP_CORS_ALLOWED_ORIGINS);
+		if (origins != null) {
 			registry.addMapping("/**")
 					.allowCredentials(true)
 					.allowedOrigins(origins.toArray(new String[0]));
diff --git a/src/main/java/eu/openanalytics/containerproxy/util/EnvironmentUtils.java b/src/main/java/eu/openanalytics/containerproxy/util/EnvironmentUtils.java
@@ -0,0 +1,53 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.util;
+
+import org.springframework.core.env.Environment;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class EnvironmentUtils {
+
+    public static List<String> readList(Environment environment, String propertyName) {
+        String singleValue = environment.getProperty(propertyName);
+        if (singleValue != null) {
+            return Collections.singletonList(singleValue);
+        }
+
+        List<String> result = new ArrayList<>();
+        int i = 0;
+        String value = environment.getProperty(String.format(propertyName + "[%d]", i));
+        while (value != null) {
+            result.add(value);
+            i++;
+            value = environment.getProperty(String.format(propertyName + "[%d]", i));
+        }
+
+        if (result.size() == 0) {
+            return null;
+        }
+
+        return result;
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/util/OverridingHeaderWriter.java b/src/main/java/eu/openanalytics/containerproxy/util/OverridingHeaderWriter.java
@@ -0,0 +1,52 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.util;
+
+import org.springframework.security.web.header.Header;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.util.Assert;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.List;
+
+public class OverridingHeaderWriter implements HeaderWriter {
+
+    private final List<Header> headers;
+
+    public OverridingHeaderWriter(List<Header> headers) {
+        Assert.notEmpty(headers, "headers cannot be null or empty");
+        this.headers = headers;
+    }
+
+    @Override
+    public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
+        for (Header header : this.headers) {
+            response.setHeader(header.getName(), header.getValues().get(0));
+        }
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getName() + " [headers=" + this.headers + "]";
+    }
+
+}
