fix: code review comments

Onlineberatung · Apr 5, 2024 · 5285392 · 5285392
1 parent 7ed222b
commit 5285392
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 30 deletions.
diff --git a/src/main/java/de/caritas/cob/videoservice/config/security/WebSecurityConfig.java b/src/main/java/de/caritas/cob/videoservice/config/security/WebSecurityConfig.java
@@ -4,6 +4,7 @@
 import de.caritas.cob.videoservice.filter.HttpTenantFilter;
 import de.caritas.cob.videoservice.filter.StatelessCsrfFilter;
 import jakarta.annotation.Nullable;
+import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -29,36 +30,45 @@ public class WebSecurityConfig implements WebMvcConfigurer {
   private static final String UUID_PATTERN =
       "\\b[0-9a-f]{8}\\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\\b[0-9a-f]{12}\\b";
 
-  public static final String[] WHITE_LIST =
-      new String[] {
-        "/videocalls/docs",
-        "/videocalls/docs/**",
-        "/videocalls/event/stop",
-        "/v2/api-docs",
-        "/configuration/ui",
-        "/swagger-resources/**",
-        "/configuration/security",
-        "/swagger-ui",
-        "/swagger-ui/**",
-        "/webjars/**",
-        "/actuator/health",
-        "/actuator/health/**"
-      };
-
-  @Autowired AuthorisationService authorisationService;
-  @Autowired JwtAuthConverterProperties jwtAuthConverterProperties;
-
-  @Autowired(required = false)
-  @Nullable
-  private HttpTenantFilter httpTenantFilter;
-
-  @Value("${csrf.cookie.property}")
+  public static final List<String> WHITE_LIST =
+      List.of(
+          "/videocalls/docs",
+          "/videocalls/docs/**",
+          "/videocalls/event/stop",
+          "/v2/api-docs",
+          "/configuration/ui",
+          "/swagger-resources/**",
+          "/configuration/security",
+          "/swagger-ui",
+          "/swagger-ui/**",
+          "/webjars/**",
+          "/actuator/health",
+          "/actuator/health/**");
+
+  public WebSecurityConfig(
+      AuthorisationService authorisationService,
+      JwtAuthConverterProperties jwtAuthConverterProperties,
+      @Value("${multitenancy.enabled}") boolean multitenancy,
+      @Value("${csrf.cookie.property}") String csrfCookieProperty,
+      @Value("${csrf.header.property}") String csrfHeaderProperty,
+      @Autowired(required = false) HttpTenantFilter httpTenantFilter) {
+    this.authorisationService = authorisationService;
+    this.jwtAuthConverterProperties = jwtAuthConverterProperties;
+    this.multitenancy = multitenancy;
+    this.httpTenantFilter = httpTenantFilter;
+    this.csrfCookieProperty = csrfCookieProperty;
+    this.csrfHeaderProperty = csrfHeaderProperty;
+  }
+
+  AuthorisationService authorisationService;
+  JwtAuthConverterProperties jwtAuthConverterProperties;
+
+  @Nullable private HttpTenantFilter httpTenantFilter;
+
   private String csrfCookieProperty;
 
-  @Value("${csrf.header.property}")
   private String csrfHeaderProperty;
 
-  @Value("${multitenancy.enabled}")
   private boolean multitenancy;
 
   /**
@@ -84,7 +94,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
         .and()
         .authorizeRequests()
-        .requestMatchers(WHITE_LIST)
+        .requestMatchers(WHITE_LIST.toArray(String[]::new))
         .permitAll()
         .requestMatchers("/videocalls/new")
         .hasAuthority(AuthorityValue.CONSULTANT)

diff --git a/src/main/java/de/caritas/cob/videoservice/filter/StatelessCsrfFilter.java b/src/main/java/de/caritas/cob/videoservice/filter/StatelessCsrfFilter.java
@@ -1,9 +1,9 @@
 package de.caritas.cob.videoservice.filter;
 
+import static de.caritas.cob.videoservice.config.security.WebSecurityConfig.WHITE_LIST;
 import static java.util.Objects.isNull;
 import static java.util.Objects.nonNull;
 
-import de.caritas.cob.videoservice.config.security.WebSecurityConfig;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.Cookie;
@@ -73,8 +73,7 @@ public static final class DefaultRequiresCsrfMatcher implements RequestMatcher {
      */
     @Override
     public boolean matches(HttpServletRequest request) {
-
-      if (Arrays.stream(WebSecurityConfig.WHITE_LIST)
+      if (Arrays.stream(WHITE_LIST.toArray(String[]::new))
           .parallel()
           .anyMatch(request.getRequestURI().toLowerCase()::contains)) {
         return false;