forked from spinnaker/kork
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor(spring-security): refactor spring security from 5.x to 6.x w…
…ith spring boot upgrade to 3.x
While upgrading the spring boot to 3.0.13 and spring cloud 2022.0.5, encountered the below errors during build process of kork-actuator module:
```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:26: error: cannot find symbol
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
^
symbol: class WebSecurityConfigurerAdapter
location: package org.springframework.security.config.annotation.web.configuration
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:30: error: cannot find symbol
public class ActuatorEndpointsConfiguration extends WebSecurityConfigurerAdapter {
^
symbol: class WebSecurityConfigurerAdapter
2 errors
```
With spring boot upgrade, spring security also upgrades from 5.x to 6.x. As per the migration [steps](https://www.baeldung.com/spring-security-migrate-5-to-6), `WebSecurityConfigurerAdapter` has been removed. So, it is not required to be extended, instead bean can be registered.
```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:45: error: invalid method reference
.ifPresent(sanitizer::setKeysToSanitize);
^
cannot find symbol
symbol: method setKeysToSanitize(T)
location: class Sanitizer
where T is a type-variable:
T extends Object declared in class Optional
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:56: error: incompatible types: String cannot be converted to SanitizableData
return sanitizer.sanitize(property, environment.getProperty(property));
^
Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output
2 errors
```
In spring boot 3, changes are introduced in sanitization of actuator [endpoints](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#actuator-endpoints-sanitization).
Default `Sanitizer` implementation has been removed and replaced with `SanitizingFunction`.
spring-projects/spring-boot#33448
spring-projects/spring-boot#39243
spring-projects/spring-boot#32156
So, added the `ActuatorSanitizingFunction` class to provide the default implementation of `SanitizingFunction`.- Loading branch information
Showing
8 changed files
with
184 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
135 changes: 135 additions & 0 deletions
135
...ctuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorSanitizingFunction.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| /* | ||
| * Copyright 2024 OpsMx, Inc. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package com.netflix.spinnaker.kork.actuator; | ||
|
|
||
| import java.util.ArrayList; | ||
| import java.util.Arrays; | ||
| import java.util.Collection; | ||
| import java.util.List; | ||
| import java.util.Set; | ||
| import java.util.regex.Matcher; | ||
| import java.util.regex.Pattern; | ||
| import java.util.stream.Collectors; | ||
| import org.springframework.boot.actuate.endpoint.SanitizableData; | ||
| import org.springframework.boot.actuate.endpoint.SanitizingFunction; | ||
| import org.springframework.stereotype.Component; | ||
| import org.springframework.util.StringUtils; | ||
|
|
||
| @Component | ||
| public class ActuatorSanitizingFunction implements SanitizingFunction { | ||
|
|
||
| private static final String[] REGEX_PARTS = {"*", "$", "^", "+"}; | ||
| private static final Set<String> DEFAULT_KEYS_TO_SANITIZE = | ||
| Set.of( | ||
| "password", | ||
| "secret", | ||
| "key", | ||
| "token", | ||
| ".*credentials.*", | ||
| "vcap_services", | ||
| "^vcap\\.services.*$", | ||
| "sun.java.command", | ||
| "^spring[._]application[._]json$"); | ||
| private static final Set<String> URI_USERINFO_KEYS = | ||
| Set.of("uri", "uris", "url", "urls", "address", "addresses"); | ||
| private static final Pattern URI_USERINFO_PATTERN = | ||
| Pattern.compile("^\\[?[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+:(.*)@.+$"); | ||
| private List<Pattern> keysToSanitize = new ArrayList<>(); | ||
|
|
||
| public ActuatorSanitizingFunction(List<String> additionalKeysToSanitize) { | ||
| addKeysToSanitize(DEFAULT_KEYS_TO_SANITIZE); | ||
| addKeysToSanitize(URI_USERINFO_KEYS); | ||
| addKeysToSanitize(additionalKeysToSanitize); | ||
| } | ||
|
|
||
| public ActuatorSanitizingFunction() { | ||
| addKeysToSanitize(DEFAULT_KEYS_TO_SANITIZE); | ||
| addKeysToSanitize(URI_USERINFO_KEYS); | ||
| } | ||
|
|
||
| private void addKeysToSanitize(Collection<String> keysToSanitize) { | ||
| for (String key : keysToSanitize) { | ||
| this.keysToSanitize.add(getPattern(key)); | ||
| } | ||
| } | ||
|
|
||
| private Pattern getPattern(String value) { | ||
| if (isRegex(value)) { | ||
| return Pattern.compile(value, Pattern.CASE_INSENSITIVE); | ||
| } | ||
| return Pattern.compile(".*" + value + "$", Pattern.CASE_INSENSITIVE); | ||
| } | ||
|
|
||
| private boolean isRegex(String value) { | ||
| for (String part : REGEX_PARTS) { | ||
| if (value.contains(part)) { | ||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| public void setKeysToSanitize(String... keysToSanitize) { | ||
| if (keysToSanitize != null) { | ||
| for (String key : keysToSanitize) { | ||
| this.keysToSanitize.add(getPattern(key)); // todo: clear oll existing the make the list. | ||
| } | ||
| } | ||
| } | ||
|
|
||
| @Override | ||
| public SanitizableData apply(SanitizableData data) { | ||
| if (data.getValue() == null) { | ||
| return data; | ||
| } | ||
|
|
||
| for (Pattern pattern : keysToSanitize) { | ||
| if (pattern.matcher(data.getKey()).matches()) { | ||
| if (keyIsUriWithUserInfo(pattern)) { | ||
| return data.withValue(sanitizeUris(data.getValue().toString())); | ||
| } | ||
|
|
||
| return data.withValue(SanitizableData.SANITIZED_VALUE); | ||
| } | ||
| } | ||
|
|
||
| return data; | ||
| } | ||
|
|
||
| private boolean keyIsUriWithUserInfo(Pattern pattern) { | ||
| for (String uriKey : URI_USERINFO_KEYS) { | ||
| if (pattern.matcher(uriKey).matches()) { | ||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| private Object sanitizeUris(String value) { | ||
| return Arrays.stream(value.split(",")).map(this::sanitizeUri).collect(Collectors.joining(",")); | ||
| } | ||
|
|
||
| private String sanitizeUri(String value) { | ||
| Matcher matcher = URI_USERINFO_PATTERN.matcher(value); | ||
| String password = matcher.matches() ? matcher.group(1) : null; | ||
| if (password != null) { | ||
| return StringUtils.replace( | ||
| value, ":" + password + "@", ":" + SanitizableData.SANITIZED_VALUE + "@"); | ||
| } | ||
| return value; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters