From b64f9e5722487fe583385054531c94bc068135fb Mon Sep 17 00:00:00 2001 From: David Hay Date: Mon, 18 May 2026 10:39:20 +0100 Subject: [PATCH] LUC070-252-fix-urgent-pentest-findings - all pen test fixes from dv5-demo (e55e1a52) but not vault-review-fixes or worker-sub-task-fixes or java17 upgrades. --- .gitignore | 6 +- datavault-broker/pom.xml | 9 + .../broker/config/ActuatorConfig.java | 27 ++- .../broker/config/SecurityActuatorConfig.java | 44 +++-- .../broker/config/SecurityConfig.java | 88 +++++++--- .../broker/config/TracingConfig.java | 17 ++ .../broker/config/UserMdcFilter.java | 43 +++++ .../broker/config/WebConfig.java | 2 + .../broker/controllers/TraceController.java | 82 +++++++++ .../broker/queue/RabbitUtils.java | 23 ++- .../broker/queue/Sender.java | 14 +- .../broker/actuator/ActuatorTest.java | 16 +- .../broker/actuator/OpenApiBrokerTest.java | 85 --------- .../DepositsControllerRetrieveNoAuthTest.java | 33 ---- .../broker/config/SecurityConfigTest.java | 88 ++++++++++ .../controllers/TraceControllerMvcIT.java | 166 ++++++++++++++++++ .../controllers/TraceControllerTest.java | 52 ++++++ .../broker/queue/RabbitEventListenerIT.java | 12 +- .../org.junit.jupiter.api.extension.Extension | 1 + .../resources/application-test.properties | 7 + .../test/resources/junit-platform.properties | 1 + datavault-common/pom.xml | 43 ++++- .../ActuatorHealthSecurityAdvice.java | 34 ++++ .../actuator/ActuatorInfoSecurityAdvice.java | 36 ++++ .../actuator/ActuatorSecurityAdvice.java | 52 ++++++ .../actuator/BaseActuatorSecurityAdvice.java | 55 ++++++ .../common/config/SecurityMethod.java | 57 ++++++ .../common/response/ResponseType.java | 5 + .../common/util/MdcUtils.java | 36 ++++ .../common/util/TraceInfo.java | 4 + .../common/util/TraceUtils.java | 26 +++ .../common/actuator/WithMockActuatorUser.java | 10 ++ .../common/config/SecurityMethodTest.java | 26 +++ .../common/crypto/BaseTempKeyStoreTest.java | 15 +- .../common/crypto/EncryptionTest.java | 14 +- .../common/util/LogLevelExtension.java | 70 ++++++++ .../common/util/TempFileCleaner.java | 161 +++++++++++++++++ .../common/util/TempFileCleanerExtension.java | 40 +++++ .../util/TempFileCleanerExtensionTest.java | 55 ++++++ .../common/util/TraceIdWrapper.java | 65 +++++++ .../org.junit.jupiter.api.extension.Extension | 1 + .../test/resources/junit-platform.properties | 1 + datavault-webapp/pom.xml | 15 ++ .../webapp/app/DataVaultWebApp.java | 21 ++- .../shib/ShibAuthenticationProvider.java | 7 +- .../webapp/config/ActutatorConfig.java | 35 +++- .../webapp/config/HttpSecurityUtils.java | 100 ++++++++++- .../webapp/config/RestTemplateConfig.java | 7 +- .../webapp/config/SecurityActuatorConfig.java | 37 ++-- .../webapp/config/WebConfig.java | 6 +- .../database/DatabaseWebSecurityConfig.java | 40 ++++- .../config/shib/ShibWebSecurityConfig.java | 18 +- .../standalone/StandaloneProfileConfig.java | 2 +- .../StandaloneWebSecurityConfig.java | 18 +- .../webapp/config/trace/BaseMdcFilter.java | 28 +++ .../webapp/config/trace/MdcRequestFilter.java | 55 ++++++ .../config/trace/MdcRestorationFilter.java | 35 ++++ .../config/trace/TraceLoggingFilter.java | 67 +++++++ .../config/trace/TraceLoggingInterceptor.java | 0 .../webapp/config/trace/TracingConfig.java | 58 ++++++ .../webapp/controllers/VaultsController.java | 30 ++-- .../admin/AdminUsersController.java | 26 +-- .../controllers/auth/AuthController.java | 74 ++++++-- .../auth/DataVaultAccessDeniedHandler.java | 27 +++ .../controllers/auth/ErrorController.java | 85 ++++----- .../auth/ValidationExceptionHandler.java | 16 ++ .../api/SimulateErrorController.java | 28 +-- .../standalone/api/TraceController.java | 51 ++++++ .../trace/BaseErrorController.java | 85 +++++++++ .../trace/DemoTraceController.java | 69 ++++++++ .../trace/DemoTraceControllerApi.java | 4 + .../webapp/services/RestService.java | 35 +++- .../webapp/services/TraceService.java | 32 ++++ .../application-standalone.properties | 4 + .../src/main/resources/application.properties | 11 +- .../webapp/WEB-INF/templates/auth/denied.html | 3 + .../authentication/ProtectedPathsTest.java | 9 +- .../shib/LoginUsingShibAltTest.java | 10 +- .../webapp/app/config/BaseThymeleafTest.java | 2 + .../config/ThymeleafConfigDateFormatTest.java | 6 +- .../app/config/ThymeleafConfigTest.java | 2 + .../app/config/ThymeleafTemplateTest.java | 7 +- .../app/services/RestTemplateLoggingTest.java | 39 ++-- .../webapp/app/setup/ActuatorTest.java | 45 +++-- .../webapp/app/setup/ErrorHandlingTest.java | 39 ++-- .../webapp/app/setup/OpenApiWebAppTest.java | 66 ------- .../webapp/app/setup/ProfileDatabaseTest.java | 4 +- .../webapp/app/setup/ProfileShibTest.java | 2 +- .../app/setup/ProfileStandaloneTest.java | 2 +- .../webapp/app/setup/TraceControllerTest.java | 146 +++++++++++++++ .../webapp/config/HttpSecurityUtilsTest.java | 161 +++++++++++++++++ .../controllers/DepositsControllerTest.java | 34 +++- .../webapp/controllers/SimpleRestService.java | 22 +++ .../controllers/VaultsControllerMvcTest.java | 20 +-- .../AdminPendingVaultsControllerTest.java | 20 ++- ...dminUsersControllerNonShibProfileTest.java | 9 +- .../admin/BaseAdminUsersControllerTest.java | 20 +-- .../trace/BaseTraceIdDemoControllerTest.java | 33 ++++ ...SimpleRestServiceTracePropagationTest.java | 86 +++++++++ ...erWhenOutputTraceIdOnErrorIsFalseTest.java | 38 ++++ ...lerWhenOutputTraceIdOnErrorIsTrueTest.java | 57 ++++++ .../trace/TraceIdDemoControllerTest.java | 103 +++++++++++ .../trace/TraceParentExtractionTest.java | 57 ++++++ .../trace/mvc/TraceIdDemoController.java | 90 ++++++++++ .../trace/mvc/TraceIdDemoControllerApi.java | 4 + .../mvc/TraceIdDemoControllerConfig.java | 66 +++++++ .../trace/mvc/TraceTestController.java | 22 +++ .../trace/mvc/TraceTestControllerApi.java | 4 + .../webapp/services/RestServiceTest.java | 41 ++++- .../webapp/test/MvcUtils.java | 76 ++++++++ .../org.junit.jupiter.api.extension.Extension | 1 + .../resources/application-database.properties | 6 + .../test/resources/datavault-test.properties | 8 +- .../test/resources/junit-platform.properties | 1 + .../src/test/resources/logback-test.xml | 3 +- .../test/resources/logs/expectedLogEvents.txt | 1 - .../src/test/resources/protected-paths.csv | 1 - .../stubs/restService/refreshVaultReview.json | 10 ++ ...refreshVaultReviewDepositReviewsAdded.json | 14 ++ ...reshVaultReviewDepositReviewsNotAdded.json | 14 ++ .../traceInfoTraceNotSupplied.json | 24 +++ .../restService/traceInfoTraceSupplied.json | 27 +++ .../test/webapp/WEB-INF/templates/page1.html | 11 ++ datavault-worker/pom.xml | 14 +- .../worker/config/ActuatorConfig.java | 26 ++- .../worker/config/RabbitConfig.java | 8 +- .../worker/config/SecurityActuatorConfig.java | 16 +- .../worker/config/TracingConfig.java | 15 ++ .../worker/config/WebConfig.java | 2 + .../worker/rabbit/RabbitMessageSelector.java | 67 +++++-- .../datavaultplatform/worker/tasks/Trace.java | 30 ++++ .../src/main/resources/application.properties | 13 +- .../worker/actuator/ActuatorTest.java | 14 +- .../worker/actuator/OpenApiWorkerTest.java | 82 --------- .../worker/rabbit/BaseRabbitIT.java | 88 +++++++++- .../rabbit/RabbitMessageSelectorTest.java | 45 +++-- .../worker/rabbit/RabbitTraceTest.java | 94 ++++++++++ .../worker/tasks/BaseDepositIT.java | 11 -- .../PerformDepositThenRetrieveNoChunksIT.java | 8 +- .../worker/tasks/TraceTaskIT.java | 85 +++++++++ .../org.junit.jupiter.api.extension.Extension | 1 + .../test/resources/junit-platform.properties | 1 + .../sampleMessages/sampleTraceMessage.json | 22 +++ .../scripts/runLocalByodbBroker.sh | 3 +- .../scripts/runLocalByodbWebApp.sh | 1 + .../scripts/runLocalByodbWorker.sh | 17 ++ pom.xml | 17 +- 147 files changed, 4201 insertions(+), 693 deletions(-) create mode 100644 datavault-broker/src/main/java/org/datavaultplatform/broker/config/TracingConfig.java create mode 100644 datavault-broker/src/main/java/org/datavaultplatform/broker/config/UserMdcFilter.java create mode 100644 datavault-broker/src/main/java/org/datavaultplatform/broker/controllers/TraceController.java delete mode 100644 datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/OpenApiBrokerTest.java delete mode 100644 datavault-broker/src/test/java/org/datavaultplatform/broker/authentication/DepositsControllerRetrieveNoAuthTest.java create mode 100644 datavault-broker/src/test/java/org/datavaultplatform/broker/config/SecurityConfigTest.java create mode 100644 datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerMvcIT.java create mode 100644 datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerTest.java create mode 100644 datavault-broker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension create mode 100644 datavault-broker/src/test/resources/junit-platform.properties create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorHealthSecurityAdvice.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorInfoSecurityAdvice.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorSecurityAdvice.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/actuator/BaseActuatorSecurityAdvice.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/config/SecurityMethod.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/response/ResponseType.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/util/MdcUtils.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/util/TraceInfo.java create mode 100644 datavault-common/src/main/java/org/datavaultplatform/common/util/TraceUtils.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/actuator/WithMockActuatorUser.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/config/SecurityMethodTest.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/util/LogLevelExtension.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleaner.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtension.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtensionTest.java create mode 100644 datavault-common/src/test/java/org/datavaultplatform/common/util/TraceIdWrapper.java create mode 100644 datavault-common/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension create mode 100644 datavault-common/src/test/resources/junit-platform.properties create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/BaseMdcFilter.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRequestFilter.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRestorationFilter.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingFilter.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingInterceptor.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TracingConfig.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/DataVaultAccessDeniedHandler.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/TraceController.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/BaseErrorController.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceController.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceControllerApi.java create mode 100644 datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/TraceService.java delete mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/OpenApiWebAppTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/TraceControllerTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/config/HttpSecurityUtilsTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/SimpleRestService.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/BaseTraceIdDemoControllerTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/SimpleRestServiceTracePropagationTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsFalseTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsTrueTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdDemoControllerTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceParentExtractionTest.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoController.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerApi.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerConfig.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestController.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestControllerApi.java create mode 100644 datavault-webapp/src/test/java/org/datavaultplatform/webapp/test/MvcUtils.java create mode 100644 datavault-webapp/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension create mode 100644 datavault-webapp/src/test/resources/junit-platform.properties create mode 100644 datavault-webapp/src/test/resources/stubs/restService/refreshVaultReview.json create mode 100644 datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsAdded.json create mode 100644 datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsNotAdded.json create mode 100644 datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceNotSupplied.json create mode 100644 datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceSupplied.json create mode 100644 datavault-webapp/src/test/webapp/WEB-INF/templates/page1.html create mode 100644 datavault-worker/src/main/java/org/datavaultplatform/worker/config/TracingConfig.java create mode 100644 datavault-worker/src/main/java/org/datavaultplatform/worker/tasks/Trace.java delete mode 100644 datavault-worker/src/test/java/org/datavaultplatform/worker/actuator/OpenApiWorkerTest.java create mode 100644 datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitTraceTest.java create mode 100644 datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/TraceTaskIT.java create mode 100644 datavault-worker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension create mode 100644 datavault-worker/src/test/resources/junit-platform.properties create mode 100644 datavault-worker/src/test/resources/sampleMessages/sampleTraceMessage.json diff --git a/.gitignore b/.gitignore index 415b3bf64..426b9eddd 100644 --- a/.gitignore +++ b/.gitignore @@ -18,7 +18,6 @@ dist/ nbdist/ nbactions.xml nb-configuration.xml -META-INF/ datavault-broker/src/main/webapp/WEB-INF/glassfish-web.xml datavault-webapp/src/main/webapp/WEB-INF/glassfish-web.xml ## Ignore all *.properties file in root folder, EXCEPT datavault.properties (the default) @@ -43,4 +42,7 @@ datavault-webapp/pids # ignore intellij run files .run/ TEMPLATES/* -dv5/local-db/docker/backup.D.SPEED.sql \ No newline at end of file +dv5/local-db/docker/backup.D.SPEED.sql +# this can set the java version for the Intellij IDE and will set java versions for terminals too if 'sdk config set sdkman_auto_env true' +.sdkmanrc +SWAGGER_OPENAPI/*.zip \ No newline at end of file diff --git a/datavault-broker/pom.xml b/datavault-broker/pom.xml index 7f6e6bcc3..cc0b722cc 100644 --- a/datavault-broker/pom.xml +++ b/datavault-broker/pom.xml @@ -149,6 +149,15 @@ com.fasterxml.jackson.core jackson-databind + + io.micrometer + micrometer-tracing-bridge-otel + + + io.micrometer + micrometer-tracing-test + test + diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/ActuatorConfig.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/ActuatorConfig.java index aadcab55f..64b5050d2 100644 --- a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/ActuatorConfig.java +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/ActuatorConfig.java @@ -4,14 +4,15 @@ import java.util.List; import java.util.function.Function; -import io.swagger.v3.oas.models.OpenAPI; -import io.swagger.v3.oas.models.info.Info; import org.datavaultplatform.broker.actuator.CurrentTimeEndpoint; import org.datavaultplatform.broker.actuator.LocalFileStoreEndpoint; import org.datavaultplatform.broker.actuator.MemoryInfoEndpoint; import org.datavaultplatform.broker.actuator.SftpFileStoreEndpoint; import org.datavaultplatform.broker.services.ArchiveStoreService; import org.datavaultplatform.broker.services.FileStoreService; +import org.datavaultplatform.common.actuator.ActuatorHealthSecurityAdvice; +import org.datavaultplatform.common.actuator.ActuatorInfoSecurityAdvice; +import org.datavaultplatform.common.actuator.ActuatorSecurityAdvice; import org.datavaultplatform.common.util.StorageClassNameResolver; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; @@ -21,6 +22,21 @@ public class ActuatorConfig { + @Bean + ActuatorInfoSecurityAdvice actuatorInfoSecurityAdvice() { + return new ActuatorInfoSecurityAdvice(); + } + + @Bean + ActuatorHealthSecurityAdvice actuatorHealthSecurityAdvice() { + return new ActuatorHealthSecurityAdvice(); + } + + @Bean + ActuatorSecurityAdvice actuatorSecurityAdvice() { + return new ActuatorSecurityAdvice(); + } + @Bean Clock clock() { return Clock.systemDefaultZone(); @@ -56,11 +72,4 @@ public SftpFileStoreEndpoint sftpFileStoreEndpoint(@Autowired FileStoreService public LocalFileStoreEndpoint localFileStoreEndpoint(@Autowired ArchiveStoreService archiveStoreService) { return new LocalFileStoreEndpoint(archiveStoreService); } - - @Bean - public OpenAPI openAPI() { - return new OpenAPI().info(new Info().title("DataVault Broker") - .description("broker application") - .version("v0.0.1")); - } } diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityActuatorConfig.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityActuatorConfig.java index ea4ad855f..3bee1a028 100644 --- a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityActuatorConfig.java +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityActuatorConfig.java @@ -6,6 +6,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; import org.springframework.core.annotation.Order; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; @@ -19,6 +20,8 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.config.Customizer.withDefaults; + @ConditionalOnExpression("${broker.security.enabled:true}") @Configuration @Slf4j @@ -45,26 +48,41 @@ public DaoAuthenticationProvider actuatorAuthenticationProvider(@Qualifier("actu return provider; } + @Bean + @Order(0) + @Profile("database") + public SecurityFilterChain traceApiFilterChain(HttpSecurity http, AuthenticationProvider actuatorAuthenticationProvider) throws Exception { + return http + .securityMatcher("/trace/**") + .csrf(AbstractHttpConfigurer::disable) + .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) + .authenticationProvider(actuatorAuthenticationProvider) + .httpBasic(withDefaults()) + .build(); + } + @Bean @Order(1) public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http, @Qualifier("actuatorAuthenticationProvider") AuthenticationProvider authenticationProvider) throws Exception { - http.securityMatcher("/actuator/**","/v3/**","/swagger-ui/**") - .authenticationProvider( authenticationProvider ) + http.securityMatcher("/actuator/**") + .authenticationProvider(authenticationProvider) .csrf(AbstractHttpConfigurer::disable) .httpBasic(Customizer.withDefaults()) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .authorizeHttpRequests( authz -> { - authz.requestMatchers( - "/v3/**", - "/swagger-ui/**", - "/actuator/info", - "/actuator/health", - "/actuator/metrics", - "/actuator/mappings", - "/actuator/memoryinfo").permitAll(); - authz.anyRequest().fullyAuthenticated(); - }); + .authorizeHttpRequests(authz -> authz + // 1. Allow these specific endpoints without login + .requestMatchers( + "/actuator", + "/actuator/info", + "/actuator/health" + ).permitAll() + + // 2. Require authentication for everything else covered by the securityMatcher + // (This includes Swagger, V3 docs, and the rest of the actuator endpoints) + .anyRequest().authenticated() + ); return http.build(); } diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityConfig.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityConfig.java index 5e9b3ef92..245a7836c 100644 --- a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityConfig.java +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/SecurityConfig.java @@ -1,22 +1,16 @@ package org.datavaultplatform.broker.config; -import static org.datavaultplatform.common.util.Constants.HEADER_USER_ID; - -import java.io.IOException; import jakarta.servlet.FilterChain; import jakarta.servlet.ServletException; import jakarta.servlet.ServletRequest; import jakarta.servlet.ServletResponse; import lombok.extern.slf4j.Slf4j; -import org.datavaultplatform.broker.authentication.RestAuthenticationFailureHandler; -import org.datavaultplatform.broker.authentication.RestAuthenticationFilter; -import org.datavaultplatform.broker.authentication.RestAuthenticationProvider; -import org.datavaultplatform.broker.authentication.RestAuthenticationSuccessHandler; -import org.datavaultplatform.broker.authentication.RestWebAuthenticationDetailsSource; +import org.datavaultplatform.broker.authentication.*; import org.datavaultplatform.broker.services.AdminService; import org.datavaultplatform.broker.services.ClientsService; import org.datavaultplatform.broker.services.RolesAndPermissionsService; import org.datavaultplatform.broker.services.UsersService; +import org.datavaultplatform.common.config.SecurityMethod; import org.datavaultplatform.common.util.Constants; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; @@ -28,6 +22,7 @@ import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.ProviderManager; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; @@ -45,6 +40,12 @@ import org.springframework.web.filter.CommonsRequestLoggingFilter; import org.springframework.web.filter.GenericFilterBean; +import java.io.IOException; +import java.util.LinkedHashMap; +import java.util.Map; + +import static org.datavaultplatform.common.util.Constants.HEADER_USER_ID; + @SuppressWarnings("DefaultAnnotationParam") @ConditionalOnExpression("${broker.security.enabled:true}") @Configuration @@ -60,7 +61,6 @@ public class SecurityConfig { WebSecurityCustomizer webSecurityCustomizer() { return web -> { web.debug(securityDebug); - web.ignoring().requestMatchers("/retrieve/**"); }; } @@ -78,24 +78,66 @@ public SecurityFilterChain securityFilterChain( .addFilterAt(restFilter(authenticationManager), AbstractPreAuthenticatedProcessingFilter.class) .sessionManagement(cust -> cust.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(ex -> ex.authenticationEntryPoint(http403EntryPoint())) - .authorizeHttpRequests(authz -> authz - .requestMatchers("/admin/users/**").hasAuthority("ROLE_ADMIN") - .requestMatchers("/admin/archivestores/**").hasAuthority("ROLE_ADMIN_ARCHIVESTORES") - .requestMatchers("/admin/deposits/**").hasAuthority("ROLE_ADMIN_DEPOSITS") - .requestMatchers("/admin/retrieves/**").hasAuthority("ROLE_ADMIN_RETRIEVES") - .requestMatchers("/admin/vaults/**").hasAuthority("ROLE_ADMIN_VAULTS") - .requestMatchers("/admin/pendingVaults/**").hasAuthority("ROLE_ADMIN_PENDING_VAULTS") - .requestMatchers("/admin/events/**").hasAuthority("ROLE_ADMIN_EVENTS") - .requestMatchers("/admin/billing/**").hasAuthority("ROLE_ADMIN_BILLING") - /* TODO : DavidHay : no controller mapped to /admin/reviews ! */ - .requestMatchers("/admin/reviews/**").hasAuthority("ROLE_ADMIN_REVIEWS") - .requestMatchers("/admin/paused/deposit/toggle/**").hasAuthority("ROLE_ADMIN") - .requestMatchers("/admin/paused/retrieve/toggle/**").hasAuthority("ROLE_ADMIN") - .anyRequest().authenticated()); + .authorizeHttpRequests(getAuthZCustomizer()); return http.build(); } + public static final Map SECURITY_PATH_MAP = new LinkedHashMap<>(); + + static { + SECURITY_PATH_MAP.put("/admin/users/**", "hasAuthority('ROLE_ADMIN')"); + SECURITY_PATH_MAP.put("/admin/archivestores/**", "hasAuthority('ROLE_ADMIN_ARCHIVESTORES')"); + SECURITY_PATH_MAP.put("/admin/deposits/**", "hasAuthority('ROLE_ADMIN_DEPOSITS')"); + SECURITY_PATH_MAP.put("/admin/retrieves/**", "hasAuthority('ROLE_ADMIN_RETRIEVES')"); + SECURITY_PATH_MAP.put("/admin/vaults/**", "hasAuthority('ROLE_ADMIN_VAULTS')"); + SECURITY_PATH_MAP.put("/admin/pendingVaults/**", "hasAuthority('ROLE_ADMIN_PENDING_VAULTS')"); + SECURITY_PATH_MAP.put("/admin/events/**", "hasAuthority('ROLE_ADMIN_EVENTS')"); + SECURITY_PATH_MAP.put("/admin/billing/**", "hasAuthority('ROLE_ADMIN_BILLING')"); + /* TODO : DavidHay : no controller mapped to /admin/reviews ! */ + SECURITY_PATH_MAP.put("/admin/reviews/**", "hasAuthority('ROLE_ADMIN_REVIEWS')"); + SECURITY_PATH_MAP.put("/admin/paused/deposit/toggle/**", "hasAuthority('ROLE_ADMIN')"); + SECURITY_PATH_MAP.put("/admin/paused/retrieve/toggle/**", "hasAuthority('ROLE_ADMIN')"); + } + + public Customizer.AuthorizationManagerRequestMatcherRegistry> getAuthZCustomizer() { + return authz -> { + + for(Map.Entry entry : SECURITY_PATH_MAP.entrySet()) { + var matchers = authz.requestMatchers(entry.getKey()); + SecurityMethod sm = SecurityMethod.from(entry.getValue()); + if (sm.isPermitAll()) { + matchers.permitAll(); + + } else if (sm.isHasRole()) { + matchers.hasRole(sm.arg()); + + } else if (sm.isHasAuthority()) { + matchers.hasAuthority(sm.arg()); + + } else { + throw new RuntimeException("Unknown security method: " + sm.method()); + } + } + authz.anyRequest().authenticated(); + +// authz +// .requestMatchers("/admin/users/**").hasAuthority("ROLE_ADMIN") +// .requestMatchers("/admin/archivestores/**").hasAuthority("ROLE_ADMIN_ARCHIVESTORES") +// .requestMatchers("/admin/deposits/**").hasAuthority("ROLE_ADMIN_DEPOSITS") +// .requestMatchers("/admin/retrieves/**").hasAuthority("ROLE_ADMIN_RETRIEVES") +// .requestMatchers("/admin/vaults/**").hasAuthority("ROLE_ADMIN_VAULTS") +// .requestMatchers("/admin/pendingVaults/**").hasAuthority("ROLE_ADMIN_PENDING_VAULTS") +// .requestMatchers("/admin/events/**").hasAuthority("ROLE_ADMIN_EVENTS") +// .requestMatchers("/admin/billing/**").hasAuthority("ROLE_ADMIN_BILLING") +// /* TODO : DavidHay : no controller mapped to /admin/reviews ! */ +// .requestMatchers("/admin/reviews/**").hasAuthority("ROLE_ADMIN_REVIEWS") +// .requestMatchers("/admin/paused/deposit/toggle/**").hasAuthority("ROLE_ADMIN") +// .requestMatchers("/admin/paused/retrieve/toggle/**").hasAuthority("ROLE_ADMIN") +// .anyRequest().authenticated(); + }; + } + /** diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/TracingConfig.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/TracingConfig.java new file mode 100644 index 000000000..9532ce1d7 --- /dev/null +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/TracingConfig.java @@ -0,0 +1,17 @@ +package org.datavaultplatform.broker.config; + +import io.opentelemetry.api.trace.propagation.W3CTraceContextPropagator; +import io.opentelemetry.context.propagation.ContextPropagators; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; + +@Configuration +@Import(UserMdcFilter.class) +public class TracingConfig { + + @Bean + ContextPropagators otelContextPropagators() { + return ContextPropagators.create(W3CTraceContextPropagator.getInstance()); + } +} diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/UserMdcFilter.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/UserMdcFilter.java new file mode 100644 index 000000000..42345a6a9 --- /dev/null +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/UserMdcFilter.java @@ -0,0 +1,43 @@ +package org.datavaultplatform.broker.config; + +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.datavaultplatform.common.util.MdcUtils; +import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; +import org.springframework.core.annotation.Order; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.OncePerRequestFilter; + +import java.io.IOException; + +@Component +@ConditionalOnClass(Authentication.class) +@Order(101) // Ensure it runs after Spring Security Filter (default 100) +public class UserMdcFilter extends OncePerRequestFilter { + + @Override + protected void doFilterInternal(HttpServletRequest request, + HttpServletResponse response, + FilterChain filterChain) + throws ServletException, IOException { + + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + + String username = null; + if (auth != null && auth.isAuthenticated()) { + username = auth.getName(); + } + username = MdcUtils.getMdcUserName(username); + MdcUtils.addUserNameToMdc(username); + + try { + filterChain.doFilter(request, response); + } finally { + MdcUtils.removeMdcUserName(); + } + } +} diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/WebConfig.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/WebConfig.java index efea99613..6f596d6f3 100644 --- a/datavault-broker/src/main/java/org/datavaultplatform/broker/config/WebConfig.java +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/config/WebConfig.java @@ -1,10 +1,12 @@ package org.datavaultplatform.broker.config; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; import org.springframework.web.servlet.config.annotation.PathMatchConfigurer; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration +@Import(TracingConfig.class) public class WebConfig implements WebMvcConfigurer { @Override diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/controllers/TraceController.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/controllers/TraceController.java new file mode 100644 index 000000000..3c54fea56 --- /dev/null +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/controllers/TraceController.java @@ -0,0 +1,82 @@ +package org.datavaultplatform.broker.controllers; + +import com.fasterxml.jackson.databind.ObjectMapper; +import io.micrometer.tracing.Tracer; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.broker.queue.Sender; +import org.datavaultplatform.common.event.Event; +import org.datavaultplatform.common.model.ArchiveStore; +import org.datavaultplatform.common.model.Job; +import org.datavaultplatform.common.task.Task; +import org.datavaultplatform.common.util.TraceInfo; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Profile; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +@RestController +@Profile("database") +@RequestMapping("/trace") +@Slf4j +public class TraceController { + + private final Tracer tracer; + private final Sender sender; + private final ObjectMapper mapper; + @Autowired + public TraceController(Tracer tracer, Sender sender, ObjectMapper mapper) { + this.tracer = tracer; + this.sender = sender; + this.mapper = mapper; + } + + @GetMapping("/info") + public TraceInfo getTraceInfo() { + String traceId = tracer.currentSpan().context().traceId(); + log.info("TraceId: {}", traceId); + return new TraceInfo(traceId); + } + + @SneakyThrows + @GetMapping("/worker") + public TraceInfo sendTraceTaskToWorker() { + TraceInfo traceInfo = getTraceInfo(); + Map properties = new HashMap<>(); + properties.put("brokerTraceId", traceInfo.traceId()); + List archiveStores = List.of(); + Map> userFileStoreProperties = Map.of(); + Map userFileStoreClasses = Map.of(); + Map chunkFilesDigest = Map.of(); + byte[] tarIVs = new byte[0]; + Map chunksIVs = Map.of(); + String encTarDigest = ""; + Map encChunksDigests = Map.of(); + Event lastEvent = null; + Job job = new Job(){ + @Override + public String getID() { + return "1234567890"; + } + }; + job.setState(0); + job.setTaskClass("org.datavaultplatform.worker.tasks.Trace"); + Task retrieveTask = new Task( + job, properties, archiveStores, + userFileStoreProperties, userFileStoreClasses, + null, null, + chunkFilesDigest, + tarIVs, chunksIVs, + encTarDigest, encChunksDigests, lastEvent); + String jsonRetrieve = mapper.writeValueAsString(retrieveTask); + + boolean isRestart = false; + sender.send(jsonRetrieve, isRestart); + return traceInfo; + } +} diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/RabbitUtils.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/RabbitUtils.java index f93c97b56..0c0073877 100644 --- a/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/RabbitUtils.java +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/RabbitUtils.java @@ -2,6 +2,10 @@ import java.nio.charset.StandardCharsets; import java.util.UUID; + +import io.micrometer.tracing.Span; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; import lombok.extern.slf4j.Slf4j; import org.springframework.amqp.core.Message; import org.springframework.amqp.core.MessageProperties; @@ -12,22 +16,31 @@ public abstract class RabbitUtils { public static final String DEFAULT_EXCHANGE = ""; + private RabbitUtils() { + } public static String sendDirectToQueue(RabbitTemplate template, String queueName, - String messageText) { - return sendToRoutingKey(template, DEFAULT_EXCHANGE, queueName, messageText); + String messageText, Tracer tracer, Propagator propagator) { + return sendToRoutingKey(template, DEFAULT_EXCHANGE, queueName, messageText, tracer, propagator); } public static String sendToExchange(RabbitTemplate template, String exchangeName, - String messageText) { - return sendToRoutingKey(template, exchangeName, null, messageText); + String messageText, Tracer tracer, Propagator propagator) { + return sendToRoutingKey(template, exchangeName, null, messageText, tracer, propagator); } public static String sendToRoutingKey(RabbitTemplate template, String exchange, String routingKey, - String messageText) { + String messageText, Tracer tracer, Propagator propagator) { MessageProperties props = new MessageProperties(); props.setContentType(MessageProperties.CONTENT_TYPE_TEXT_PLAIN); String messageId = UUID.randomUUID().toString(); props.setMessageId(messageId); + // propagate w3c tracing headers + Span currentSpan = tracer.currentSpan(); + if (currentSpan != null) { + propagator.inject(currentSpan.context(), props, (carrier, key, value) -> { + carrier.setHeader(key, value); + }); + } Message message = new Message(messageText.getBytes(StandardCharsets.UTF_8), props); template.send(exchange, routingKey, message); log.info("Sent [{}] to [{}/{}]", message, exchange, routingKey); diff --git a/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/Sender.java b/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/Sender.java index acd93359d..95d2c1537 100644 --- a/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/Sender.java +++ b/datavault-broker/src/main/java/org/datavaultplatform/broker/queue/Sender.java @@ -1,5 +1,7 @@ package org.datavaultplatform.broker.queue; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; import lombok.extern.slf4j.Slf4j; import org.datavaultplatform.common.config.BaseQueueConfig; import org.springframework.amqp.rabbit.core.RabbitTemplate; @@ -14,21 +16,25 @@ public class Sender { private final RabbitTemplate template; private final String workerQueueName; private final String restartExchangeName; - + private final Tracer tracer; + private final Propagator propagator; + @Autowired public Sender(@Value(BaseQueueConfig.WORKER_QUEUE_NAME) String workerQueueName, @Value(BaseQueueConfig.RESTART_EXCHANGE_NAME) String restartExchangeName, - RabbitTemplate template) { + RabbitTemplate template, Tracer tracer, Propagator propagator) { this.template = template; this.workerQueueName = workerQueueName; this.restartExchangeName = restartExchangeName; + this.tracer = tracer; + this.propagator = propagator; } public String send(String messageText, boolean restart) { if (restart) { - return RabbitUtils.sendToExchange(template, restartExchangeName, messageText); + return RabbitUtils.sendToExchange(template, restartExchangeName, messageText, tracer, propagator); } else { - return RabbitUtils.sendDirectToQueue(template, workerQueueName, messageText); + return RabbitUtils.sendDirectToQueue(template, workerQueueName, messageText, tracer, propagator); } } diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/ActuatorTest.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/ActuatorTest.java index 22a46c39b..93ed8fee4 100644 --- a/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/ActuatorTest.java +++ b/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/ActuatorTest.java @@ -9,6 +9,7 @@ import org.datavaultplatform.broker.test.AddTestProperties; import org.datavaultplatform.broker.test.BaseDatabaseTest; import org.datavaultplatform.broker.test.TestClockConfig; +import org.datavaultplatform.common.actuator.WithMockActuatorUser; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; @@ -65,23 +66,27 @@ void setup() { } @ParameterizedTest - @ValueSource(strings = {"/actuator/info", "/actuator/health", - "/actuator/metrics", "/actuator/memoryinfo", "/actuator/mappings"}) + @ValueSource(strings = {"/actuator", "/actuator/", "/actuator/info", "/actuator/health"}) @SneakyThrows void testActuatorPublicAccess(String url) { checkPublic(url); } @ParameterizedTest - @ValueSource(strings={"/actuator", "/actuator/", "/actuator/env", "/users", "/actuator/loggers"}) + @ValueSource(strings = {"/actuator/env", "/actuator/customtime", + "/actuator/sftpfilestores", "/actuator/localfilestores", + "/actuator/env", "/actuator/loggers", + "/actuator/metrics", "/actuator/memoryinfo", "/actuator/mappings"}) @SneakyThrows void testActuatorUnauthorized(String url) { checkUnauthorized(url); } @ParameterizedTest - @ValueSource(strings = {"/actuator", "/actuator/", "/actuator/env", "/actuator/customtime", - "/actuator/sftpfilestores", "/actuator/localfilestores"}) + @ValueSource(strings = {"/actuator/env", "/actuator/customtime", + "/actuator/sftpfilestores", "/actuator/localfilestores", + "/actuator/env", "/actuator/loggers", + "/actuator/metrics", "/actuator/memoryinfo", "/actuator/mappings"}) @SneakyThrows void testActuatorAuthorized(String url) { checkAuthorized(url, "bactor", "bactorpass"); @@ -123,6 +128,7 @@ void testCurrentTime() throws Exception { } @Test + @WithMockActuatorUser void testMemoryInfo() throws Exception { MvcResult mvcResult = mvc.perform( get("/actuator/memoryinfo")) diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/OpenApiBrokerTest.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/OpenApiBrokerTest.java deleted file mode 100644 index d98f5c73f..000000000 --- a/datavault-broker/src/test/java/org/datavaultplatform/broker/actuator/OpenApiBrokerTest.java +++ /dev/null @@ -1,85 +0,0 @@ -package org.datavaultplatform.broker.actuator; - -import io.swagger.v3.oas.models.OpenAPI; -import lombok.extern.slf4j.Slf4j; -import org.datavaultplatform.broker.app.DataVaultBrokerApp; -import org.datavaultplatform.broker.queue.Sender; -import org.datavaultplatform.broker.services.FileStoreService; -import org.datavaultplatform.broker.test.AddTestProperties; -import org.datavaultplatform.broker.test.BaseDatabaseTest; -import org.datavaultplatform.broker.test.TestClockConfig; -import org.junit.jupiter.api.Test; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; -import org.springframework.boot.test.context.SpringBootTest; -import org.springframework.boot.test.mock.mockito.MockBean; -import org.springframework.context.annotation.Import; -import org.springframework.test.context.TestPropertySource; -import org.springframework.test.web.servlet.MockMvc; -import org.springframework.test.web.servlet.MvcResult; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; -import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; - -@SpringBootTest(classes = DataVaultBrokerApp.class) -@Import(TestClockConfig.class) -@AddTestProperties -@Slf4j -@TestPropertySource(properties = { - "broker.email.enabled=true", - "broker.controllers.enabled=true", - "broker.initialise.enabled=true", - "broker.rabbit.enabled=false", - "broker.scheduled.enabled=false", - "management.endpoints.web.exposure.include=*", - "management.health.rabbit.enabled=false"}) -@AutoConfigureMockMvc -public class OpenApiBrokerTest extends BaseDatabaseTest { - - @Autowired - MockMvc mvc; - - @MockBean - Sender sender; - - @MockBean - FileStoreService mFileStoreService; - - @Autowired - OpenAPI openApi; - - @Test - void testOpenApi() { - assertThat(openApi.getInfo().getTitle()).isEqualTo("DataVault Broker"); - assertThat(openApi.getInfo().getDescription()).isEqualTo("broker application"); - } - - @Test - void testOpenApiAsJson() throws Exception { - MvcResult mvcResult = mvc.perform( - get("http://localhost:8080/v3/api-docs")) - .andExpect(content().contentTypeCompatibleWith("application/json")) - .andExpect(status().is2xxSuccessful()) - .andExpect(jsonPath("$.openapi").value("3.1.0")) - .andExpect(jsonPath("$.info.title").value("DataVault Broker")) - .andExpect(jsonPath("$.info.description").value("broker application")) - .andExpect(jsonPath("$.info.version").value("v0.0.1")) - .andExpect(jsonPath("$.paths['/permissions/role']").exists()) - .andDo(print()) - .andReturn(); - } - - @Test - void testOpenApiAsSwaggerUI() throws Exception { - MvcResult mvcResult = mvc.perform( - get("http://localhost:8080/swagger-ui/index.html")) - .andExpect(content().contentTypeCompatibleWith("text/html")) - .andExpect(status().is2xxSuccessful()) - .andDo(print()) - .andReturn(); - } - - -} diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/authentication/DepositsControllerRetrieveNoAuthTest.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/authentication/DepositsControllerRetrieveNoAuthTest.java deleted file mode 100644 index a08f9e73c..000000000 --- a/datavault-broker/src/test/java/org/datavaultplatform/broker/authentication/DepositsControllerRetrieveNoAuthTest.java +++ /dev/null @@ -1,33 +0,0 @@ -package org.datavaultplatform.broker.authentication; - -import org.datavaultplatform.broker.controllers.DepositsController; -import org.junit.jupiter.api.Test; -import org.springframework.boot.test.mock.mockito.MockBean; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; -import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; - -public class DepositsControllerRetrieveNoAuthTest extends BaseControllerAuthTest { - - @MockBean - DepositsController controller; - - @Test - void testRestartRetrieveNoSecurity() throws Exception { - when(controller.retrieveRestart("retrieve-id-1")).thenReturn(true); - - mvc.perform( - post("/retrieve/{retrieveId}/restart", "retrieve-id-1")).andDo(print()) - .andExpect(status().isOk()) - .andExpect(content().contentTypeCompatibleWith("application/json")) - .andExpect(content().string("true")); - - verify(controller).retrieveRestart("retrieve-id-1"); - } -} diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/config/SecurityConfigTest.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/config/SecurityConfigTest.java new file mode 100644 index 000000000..0b98bf783 --- /dev/null +++ b/datavault-broker/src/test/java/org/datavaultplatform/broker/config/SecurityConfigTest.java @@ -0,0 +1,88 @@ +package org.datavaultplatform.broker.config; + +import org.junit.jupiter.api.Test; +import org.mockito.Mockito; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer; + +import java.util.Arrays; +import java.util.concurrent.atomic.AtomicInteger; + +import static org.mockito.Mockito.*; + +class SecurityConfigTest { + + public static final Logger LOG = LoggerFactory.getLogger(SecurityConfigTest.class); + + @Test + void testCustomUserDetailsService(){ + + SecurityConfig securityConfig = new SecurityConfig(); + var customizer = securityConfig.getAuthZCustomizer(); + + var mAuthz = Mockito.mock(AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.class); + + AuthorizeHttpRequestsConfigurer.AuthorizedUrl mAuthURL = mock(AuthorizeHttpRequestsConfigurer.AuthorizedUrl.class); + AtomicInteger counter = new AtomicInteger(0); + doAnswer(invocation -> { + LOG.info("requestMatchers {} {}", counter.incrementAndGet(), Arrays.toString(invocation.getArguments())); + return mAuthURL; + }).when(mAuthz).requestMatchers(any(String[].class)); + + when(mAuthz.anyRequest()).thenReturn(mAuthURL); + customizer.customize(mAuthz); + + var inOrder = inOrder(mAuthz, mAuthURL); + + //1 + inOrder.verify(mAuthz).requestMatchers("/admin/users/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN"); + + //2 + inOrder.verify(mAuthz).requestMatchers("/admin/archivestores/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_ARCHIVESTORES"); + + //3 + inOrder.verify(mAuthz).requestMatchers("/admin/deposits/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_DEPOSITS"); + + //4 + inOrder.verify(mAuthz).requestMatchers("/admin/retrieves/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_RETRIEVES"); + + //5 + inOrder.verify(mAuthz).requestMatchers("/admin/vaults/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_VAULTS"); + + //6 + inOrder.verify(mAuthz).requestMatchers("/admin/pendingVaults/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_PENDING_VAULTS"); + + //7 + inOrder.verify(mAuthz).requestMatchers("/admin/events/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_EVENTS"); + + //8 + inOrder.verify(mAuthz).requestMatchers("/admin/billing/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_BILLING"); + + //9 + inOrder.verify(mAuthz).requestMatchers("/admin/reviews/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_REVIEWS"); + + //10 + inOrder.verify(mAuthz).requestMatchers("/admin/paused/deposit/toggle/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN"); + + //11 + inOrder.verify(mAuthz).requestMatchers("/admin/paused/retrieve/toggle/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN"); + + //12 + inOrder.verify(mAuthz).anyRequest(); + inOrder.verify(mAuthURL).authenticated(); + + inOrder.verifyNoMoreInteractions(); + } +} \ No newline at end of file diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerMvcIT.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerMvcIT.java new file mode 100644 index 000000000..6b3f432f7 --- /dev/null +++ b/datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerMvcIT.java @@ -0,0 +1,166 @@ +package org.datavaultplatform.broker.controllers; + +import io.micrometer.tracing.propagation.Propagator; +import io.opentelemetry.api.trace.TraceId; +import io.opentelemetry.api.trace.Tracer; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.broker.app.DataVaultBrokerApp; +import org.datavaultplatform.broker.config.MockRabbitConfig; +import org.datavaultplatform.broker.config.MockServicesConfig; +import org.datavaultplatform.broker.test.AddTestProperties; +import org.datavaultplatform.broker.test.BaseDatabaseTest; +import org.datavaultplatform.common.util.TraceInfo; +import org.datavaultplatform.common.util.TraceUtils; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability; +import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.server.LocalServerPort; +import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.context.annotation.Import; +import org.springframework.http.*; +import org.springframework.http.client.ClientHttpRequestExecution; +import org.springframework.http.client.ClientHttpRequestInterceptor; +import org.springframework.http.client.ClientHttpResponse; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.test.context.ActiveProfiles; +import org.springframework.test.context.TestPropertySource; +import org.springframework.web.client.RestTemplate; + +import java.io.IOException; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; + +@SpringBootTest(classes = DataVaultBrokerApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@AddTestProperties +@Slf4j +@TestPropertySource(properties = { + "logging.level.org.springframework.security=TRACE", + "broker.security.enabled=true", + "broker.scheduled.enabled=false", + "broker.controllers.enabled=true", + "broker.services.enabled=true", + "broker.rabbit.enabled=false", + "broker.ldap.enabled=false", + "broker.initialise.enabled=false", + "broker.email.enabled=false", + "broker.database.enabled=true", + "logging.level.org.springframework.security=TRACE", + "logging.level.org.springframework.web.filter=DEBUG", + "logging.level.io.micrometer.tracing=DEBUG", + "management.tracing.sampling.probability=1.0", + "management.tracing.propagation.type=w3c"}) +@Import({MockServicesConfig.class, MockRabbitConfig.class}) //cos spring security requires some services so we have to mock them +@AutoConfigureMockMvc +@AutoConfigureObservability +@ActiveProfiles("database") +class TraceControllerMvcIT extends BaseDatabaseTest { + + public static final String TRACE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + public static final String SPAN_ID = "bbbbbbbbbbbbbbbb"; + public static final String TRACE_PARENT_VALUE = "00-" + TRACE_ID + "-" + SPAN_ID + "-01"; + + @Autowired + Tracer tracer; + + @Autowired + Propagator propagator; + + RestTemplate restTemplate; + + @Autowired + AuthenticationManager authManager; + + @LocalServerPort + int serverPort; + + @BeforeEach + void setup() { + assertThat(tracer).isNotNull(); + assertThat(propagator).isNotNull(); + restTemplate = new RestTemplateBuilder() + .rootUri("http://localhost:" + serverPort) + .basicAuthentication("bactor", "bactorpass") + .build(); + restTemplate.setInterceptors(List.of(new RequestLoggingInterceptor())); + } + + @Test + void testHardcodedLogin() { + log.info("authManager class : {}", authManager.getClass().getName()); + // 1. Create the "Unauthenticated" token + UsernamePasswordAuthenticationToken authRequest = + new UsernamePasswordAuthenticationToken("bactor", "bactorpass"); + + // 2. Pass it to the Manager + Authentication result = authManager.authenticate(authRequest); + + // 3. Assert the result + assertThat(result).isNotNull(); + assertThat(result.isAuthenticated()).isTrue(); + assertThat(result.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList()).containsExactlyInAnyOrder("ROLE_ACTUATOR"); + } + + private ResponseEntity getTraceInfo(boolean addTraceParentHeader) { + HttpHeaders headers = new HttpHeaders(); + if (addTraceParentHeader) { + headers.add(TraceUtils.TRACE_PARENT, TRACE_PARENT_VALUE); + } + // Perform the GET request + ResponseEntity response = restTemplate.exchange( + "/trace/info", + HttpMethod.GET, + new HttpEntity<>(headers), + TraceInfo.class + ); + return response; + } + + @Test + void testTimeControllerNoTraceIdSupplied() { + + ResponseEntity response = getTraceInfo(false); + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + assertThat(response.getBody()).isNotNull(); + + TraceInfo traceInfo = response.getBody(); + assertThat(traceInfo.traceId()).isNotNull(); + assertThat(traceInfo.traceId()).isNotEqualTo(TRACE_ID); + assertThat(TraceId.isValid(traceInfo.traceId())).isTrue(); + } + + @Test + void testTimeControllerWithTraceIdSupplied() { + + ResponseEntity response = getTraceInfo(true); + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + assertThat(response.getBody()).isNotNull(); + + TraceInfo traceInfo = response.getBody(); + assertThat(traceInfo.traceId()).isNotNull(); + assertThat(traceInfo.traceId()).isEqualTo(TRACE_ID); + assertThat(TraceId.isValid(traceInfo.traceId())).isTrue(); + } + + public static class RequestLoggingInterceptor implements ClientHttpRequestInterceptor { + + @Override + public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { + log.info("=== Request Start ==="); + log.info("URI : {}", request.getURI()); + log.info("Method : {}", request.getMethod()); + log.info("Headers: {}", request.getHeaders()); + log.info("=== Request End ==="); + + return execution.execute(request, body); + } + } +} diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerTest.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerTest.java new file mode 100644 index 000000000..164978cf2 --- /dev/null +++ b/datavault-broker/src/test/java/org/datavaultplatform/broker/controllers/TraceControllerTest.java @@ -0,0 +1,52 @@ +package org.datavaultplatform.broker.controllers; + +import com.fasterxml.jackson.databind.ObjectMapper; +import io.micrometer.tracing.Tracer; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.broker.queue.Sender; +import org.datavaultplatform.common.util.TraceInfo; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.*; + +@Slf4j +@ExtendWith(MockitoExtension.class) +class TraceControllerTest { + + TraceController controller; + + @Mock + Sender mSender; + + @Mock + Tracer mTracer; + + final ObjectMapper mapper = new ObjectMapper(); + + @BeforeEach + void setup() { + controller = spy(new TraceController(mTracer, mSender, mapper)); + } + + + @Captor + ArgumentCaptor argMessage; + + @Test + void testBroker() { + TraceInfo traceInfo = new TraceInfo("1234"); + doReturn(traceInfo).when(controller).getTraceInfo(); + TraceInfo result = controller.sendTraceTaskToWorker(); + verify(mSender).send(argMessage.capture(), eq(false)); + assertThat(result).isEqualTo(traceInfo); + + log.info(argMessage.getValue()); + } +} \ No newline at end of file diff --git a/datavault-broker/src/test/java/org/datavaultplatform/broker/queue/RabbitEventListenerIT.java b/datavault-broker/src/test/java/org/datavaultplatform/broker/queue/RabbitEventListenerIT.java index 94daed5f4..a530fc31d 100644 --- a/datavault-broker/src/test/java/org/datavaultplatform/broker/queue/RabbitEventListenerIT.java +++ b/datavault-broker/src/test/java/org/datavaultplatform/broker/queue/RabbitEventListenerIT.java @@ -8,6 +8,8 @@ import java.time.Duration; import java.util.UUID; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; import org.datavaultplatform.common.util.TestUtils; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -23,7 +25,7 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.test.mock.mockito.SpyBean; -public class RabbitEventListenerIT extends BaseRabbitTCIT { +class RabbitEventListenerIT extends BaseRabbitTCIT { @SpyBean EventListener eventListener; @@ -44,6 +46,12 @@ public class RabbitEventListenerIT extends BaseRabbitTCIT { @Autowired RabbitAdmin admin; + @Autowired + Tracer tracer; + + @Autowired + Propagator propagator; + @BeforeEach void checkRecvQueueIsEmptyBeforeTest() { QueueInformation info = admin.getQueueInfo(expectedQueueName); @@ -57,7 +65,7 @@ void testRecvFromWorker() { String rand = UUID.randomUUID().toString(); //send message direct to 'events queue' and check that we can receive it via Listener - RabbitUtils.sendDirectToQueue(template, eventQueue.getActualName(), rand); + RabbitUtils.sendDirectToQueue(template, eventQueue.getActualName(), rand, tracer, propagator); TestUtils.waitUntil( Duration.ofSeconds(10), diff --git a/datavault-broker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension b/datavault-broker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension new file mode 100644 index 000000000..16c8c8ce0 --- /dev/null +++ b/datavault-broker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension @@ -0,0 +1 @@ +org.datavaultplatform.common.util.TempFileCleanerExtension diff --git a/datavault-broker/src/test/resources/application-test.properties b/datavault-broker/src/test/resources/application-test.properties index 486801f13..6e982af6c 100644 --- a/datavault-broker/src/test/resources/application-test.properties +++ b/datavault-broker/src/test/resources/application-test.properties @@ -39,3 +39,10 @@ keystore.path=test-keystore-path rabbitmq.define.queue.worker=true rabbitmq.define.queue.broker=true rabbitmq.define.queue.restarts=true + +# see org.datavaultplatform.broker.queue.TaskSender +workers.executor.proper.shutdown.enabled=true +workers.executor.pre.shutdown.now.duration=5m +workers.process.max.duration=1h +workers.process.sigterm.timeout.duration=30s +workers.process.post.sigkill.timeout.duration=5s diff --git a/datavault-broker/src/test/resources/junit-platform.properties b/datavault-broker/src/test/resources/junit-platform.properties new file mode 100644 index 000000000..3c550cd32 --- /dev/null +++ b/datavault-broker/src/test/resources/junit-platform.properties @@ -0,0 +1 @@ +junit.jupiter.extensions.autodBaseetection.enabled = true \ No newline at end of file diff --git a/datavault-common/pom.xml b/datavault-common/pom.xml index 273192685..de2e2f4ca 100644 --- a/datavault-common/pom.xml +++ b/datavault-common/pom.xml @@ -12,7 +12,6 @@ datavault-common datavault-common - 0.0.1-SNAPSHOT @@ -66,6 +65,11 @@ jackson-annotations + + com.google.guava + guava + + org.jsondoc jsondoc-core @@ -167,8 +171,38 @@ net.i2p.crypto eddsa --> + + io.micrometer + micrometer-tracing-bridge-otel + + + io.micrometer + micrometer-tracing-test + test + + + org.springframework.boot + spring-boot-actuator + + + org.springframework.security + spring-security-core + + + org.springframework.security + spring-security-test + test + + + jakarta.servlet + jakarta.servlet-api + + + org.springframework + spring-webmvc + provided + - @@ -192,6 +226,10 @@ **/EventTest* **/TestUtils* **/UsesTestContainers* + **/TempFileCleaner* + **/TempFileCleanerExtension* + **/TraceIdWrapper* + **/WithMockActuatorUser* @@ -200,6 +238,7 @@ org.jacoco jacoco-maven-plugin + ${jacoco.plugin.version} prepare-agent-integration diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorHealthSecurityAdvice.java b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorHealthSecurityAdvice.java new file mode 100644 index 000000000..95e0c86e0 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorHealthSecurityAdvice.java @@ -0,0 +1,34 @@ +package org.datavaultplatform.common.actuator; + +import jakarta.servlet.http.HttpServletRequest; +import org.springframework.boot.actuate.health.SystemHealth; +import org.springframework.web.bind.annotation.ControllerAdvice; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.function.Predicate; + +@ControllerAdvice +public class ActuatorHealthSecurityAdvice extends BaseActuatorSecurityAdvice { + + @Override + public Predicate getAcuatorUrlMatcher() { + return req -> req.getRequestURI().startsWith("/actuator/health"); + } + + @Override + public List getKeysToKeep(){ + return List.of("status"); + } + + @Override + public Object filter(Object fullInfo) { + if( !(fullInfo instanceof SystemHealth systemHealth)){ + return fullInfo; + } + Map result = new HashMap<>(); + result.put("status", systemHealth.getStatus().getCode()); + return result; + } +} \ No newline at end of file diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorInfoSecurityAdvice.java b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorInfoSecurityAdvice.java new file mode 100644 index 000000000..1ebbd7c76 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorInfoSecurityAdvice.java @@ -0,0 +1,36 @@ +package org.datavaultplatform.common.actuator; + +import jakarta.servlet.http.HttpServletRequest; +import org.springframework.web.bind.annotation.ControllerAdvice; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.function.Predicate; + +@ControllerAdvice +public class ActuatorInfoSecurityAdvice extends BaseActuatorSecurityAdvice { + + @Override + public Predicate getAcuatorUrlMatcher() { + return req -> req.getRequestURI().startsWith("/actuator/info"); + } + + @Override + public List getKeysToKeep(){ + return List.of("app"); + } + + @Override + public Object filter(Object fullInfo) { + if (!(fullInfo instanceof Map fullInfoAsMap)) { + return fullInfo; + } + // Create a "Safe" copy with only the bare minimum + Map filteredInfo = new HashMap<>(); + for (String key : getKeysToKeep()) { + filteredInfo.put(key, fullInfoAsMap.get(key)); + } + return filteredInfo; + } +} \ No newline at end of file diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorSecurityAdvice.java b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorSecurityAdvice.java new file mode 100644 index 000000000..b1aed5615 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/ActuatorSecurityAdvice.java @@ -0,0 +1,52 @@ +package org.datavaultplatform.common.actuator; + +import jakarta.servlet.http.HttpServletRequest; +import lombok.extern.slf4j.Slf4j; +import org.springframework.boot.actuate.endpoint.web.Link; +import org.springframework.web.bind.annotation.ControllerAdvice; + +import java.util.HashMap; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; +import java.util.function.Predicate; + +@Slf4j +@ControllerAdvice +public class ActuatorSecurityAdvice extends BaseActuatorSecurityAdvice { + + public static final List ALLOWED = List.of("/actuator", "/actuator/"); + public static final String LINKS = "_links"; + + @Override + public Predicate getAcuatorUrlMatcher() { + return request -> { + boolean allowed = ALLOWED.contains(request.getRequestURI()); + return allowed; + }; + } + + @Override + public List getKeysToKeep(){ + return List.of("self", "heath", "info"); + } + + @Override + public Object filter(Object fullInfo) { + if (!(fullInfo instanceof Map fullInfoAsMap)) { + return fullInfo; + } + Map links = (Map) fullInfoAsMap.get(LINKS); + + LinkedHashMap filteredLinks = new LinkedHashMap<>(); + for (String key : getKeysToKeep()) { + Link link = links.get(key); + if (link != null) { + filteredLinks.put(key, link); + } + } + Map filteredInfo = new HashMap<>(); + filteredInfo.put(LINKS, filteredLinks); + return filteredInfo; + } +} \ No newline at end of file diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/actuator/BaseActuatorSecurityAdvice.java b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/BaseActuatorSecurityAdvice.java new file mode 100644 index 000000000..6afdb2f28 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/actuator/BaseActuatorSecurityAdvice.java @@ -0,0 +1,55 @@ +package org.datavaultplatform.common.actuator; + +import jakarta.servlet.http.HttpServletRequest; +import lombok.extern.slf4j.Slf4j; +import org.springframework.core.MethodParameter; +import org.springframework.http.MediaType; +import org.springframework.http.server.ServerHttpRequest; +import org.springframework.http.server.ServerHttpResponse; +import org.springframework.http.server.ServletServerHttpRequest; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.web.bind.annotation.ControllerAdvice; +import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice; + +import java.util.List; +import java.util.function.Predicate; + +@ControllerAdvice +@Slf4j +public abstract class BaseActuatorSecurityAdvice implements ResponseBodyAdvice { + + @Override + public boolean supports(MethodParameter returnType, Class converterType) { + return true; + } + + @Override + public Object beforeBodyWrite(Object body, MethodParameter returnType, + MediaType selectedContentType, Class selectedConverterType, + ServerHttpRequest request, ServerHttpResponse response) { + + HttpServletRequest req = ((ServletServerHttpRequest) request).getServletRequest(); + if (!getAcuatorUrlMatcher().test(req)) { + return body; + } + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + boolean isActuatorUser = auth != null && + auth.isAuthenticated() && + auth.getAuthorities().stream().anyMatch(ga -> ga.getAuthority().equals("ROLE_ACTUATOR")); + + if (!isActuatorUser) { + log.info("CLASS [{}]", this.getClass().getName()); + Object filtered = this.filter(body); + return filtered; + } else { + return body; + } + } + + public abstract Predicate getAcuatorUrlMatcher(); + + public abstract List getKeysToKeep(); + + public abstract Object filter(Object fullInfo); +} \ No newline at end of file diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/config/SecurityMethod.java b/datavault-common/src/main/java/org/datavaultplatform/common/config/SecurityMethod.java new file mode 100644 index 000000000..cd73a44e6 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/config/SecurityMethod.java @@ -0,0 +1,57 @@ +package org.datavaultplatform.common.config; + +import org.springframework.util.Assert; + +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +public record SecurityMethod(String method, String arg) { + + public static final String METHOD_PERMIT_ALL = "permitAll"; + public static final String METHOD_HAS_ROLE = "hasRole"; + public static final String METHOD_HAS_AUTHORITY = "hasAuthority"; + + public static final Pattern EXPRESSION_PATTERN = Pattern.compile("^(\\w+)\\s*\\('(.*)'\\)$|^(\\w+)\\s*\\((.*)\\)$"); + + public SecurityMethod { + switch (method){ + case METHOD_PERMIT_ALL: + Assert.isTrue("".equals(arg), "permitAll() method does not accept any arguments"); + break; + case METHOD_HAS_ROLE: + Assert.isTrue(!arg.startsWith("ROLE_"), "Role names must NOT start with ROLE_"); + break; + case METHOD_HAS_AUTHORITY: + Assert.isTrue(arg.startsWith("ROLE_"), "Authority names must start with ROLE_"); + break; + default: + throw new RuntimeException("Unknown security method: " + method()); + } + } + + public static SecurityMethod from(String expression) { + if (expression == null || expression.isBlank()) { + return null; + } + + Matcher matcher = EXPRESSION_PATTERN.matcher(expression.trim()); + + if (!matcher.find()) { + throw new IllegalArgumentException("Invalid security expression: " + expression); + } + // Group 1 & 2 handle the quoted version: hasRole('ADMIN') + // Group 3 & 4 handle the unquoted version: hasRole(123) + String method = matcher.group(1) != null ? matcher.group(1) : matcher.group(3); + String arg = matcher.group(2) != null ? matcher.group(2) : matcher.group(4); + return new SecurityMethod(method, arg); + } + public boolean isPermitAll() { + return METHOD_PERMIT_ALL.equals(method); + } + public boolean isHasRole() { + return METHOD_HAS_ROLE.equals(method); + } + public boolean isHasAuthority() { + return METHOD_HAS_AUTHORITY.equals(method); + } +} \ No newline at end of file diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/response/ResponseType.java b/datavault-common/src/main/java/org/datavaultplatform/common/response/ResponseType.java new file mode 100644 index 000000000..56df62beb --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/response/ResponseType.java @@ -0,0 +1,5 @@ +package org.datavaultplatform.common.response; + +public interface ResponseType { + String TEXT_CSV_VALUE = "text/csv"; +} diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/util/MdcUtils.java b/datavault-common/src/main/java/org/datavaultplatform/common/util/MdcUtils.java new file mode 100644 index 000000000..2e2aa4d46 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/util/MdcUtils.java @@ -0,0 +1,36 @@ +package org.datavaultplatform.common.util; + +import lombok.extern.slf4j.Slf4j; +import org.slf4j.MDC; +import org.springframework.util.StringUtils; + +@Slf4j +public final class MdcUtils { + + public static final String ANONYMOUS = "anonymous"; + public static final String MDC_USER = "user"; + + private MdcUtils() { + } + + public static String getMdcUserName(String username) { + if (StringUtils.hasText(username)) { + return username; + } else { + return ANONYMOUS; + } + } + + public static void addUserNameToMdc(String username) { + MDC.put(MDC_USER, getMdcUserName(username)); + log.info("MDC[user] now [{}]", username); + } + + public static String getMdcUserName() { + return MDC.get(MDC_USER); + } + + public static void removeMdcUserName() { + MDC.remove(MDC_USER); + } +} diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/util/TraceInfo.java b/datavault-common/src/main/java/org/datavaultplatform/common/util/TraceInfo.java new file mode 100644 index 000000000..eadaf613a --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/util/TraceInfo.java @@ -0,0 +1,4 @@ +package org.datavaultplatform.common.util; + +public record TraceInfo(String traceId) { +} diff --git a/datavault-common/src/main/java/org/datavaultplatform/common/util/TraceUtils.java b/datavault-common/src/main/java/org/datavaultplatform/common/util/TraceUtils.java new file mode 100644 index 000000000..72781c643 --- /dev/null +++ b/datavault-common/src/main/java/org/datavaultplatform/common/util/TraceUtils.java @@ -0,0 +1,26 @@ +package org.datavaultplatform.common.util; + +import org.springframework.util.StringUtils; + +/** + * These are the property names that are used to pass w3c trace information via http headers and rabbit headers. + * They are in "io.opentelemetry.api.trace.propagation.W3CTraceContextPropagator" but not public. + * @see w3c trace context standard that OTEL uses + */ +public final class TraceUtils { + + public static final String TRACE_PARENT = "traceparent"; + public static final String TRACE_STATE = "tracestate"; + public static final String ANONYMOUS = "anonymous"; + + private TraceUtils() { + } + + public static String getMdcUserName(String username) { + if (StringUtils.hasText(username)) { + return username; + } else { + return ANONYMOUS; + } + } +} diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/actuator/WithMockActuatorUser.java b/datavault-common/src/test/java/org/datavaultplatform/common/actuator/WithMockActuatorUser.java new file mode 100644 index 000000000..2564ee2cf --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/actuator/WithMockActuatorUser.java @@ -0,0 +1,10 @@ +package org.datavaultplatform.common.actuator; + +import org.springframework.security.test.context.support.WithMockUser; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + +@Retention(RetentionPolicy.RUNTIME) +@WithMockUser(username = "actuator-user", roles = "ACTUATOR") +public @interface WithMockActuatorUser { +} \ No newline at end of file diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/config/SecurityMethodTest.java b/datavault-common/src/test/java/org/datavaultplatform/common/config/SecurityMethodTest.java new file mode 100644 index 000000000..1bb5f38bc --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/config/SecurityMethodTest.java @@ -0,0 +1,26 @@ +package org.datavaultplatform.common.config; + +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +class SecurityMethodTest { + + @Test + void testHasPermission() { + var hasAuthorityResult = SecurityMethod.from("hasAuthority('ROLE_ADMIN_ARCHIVESTORES')"); + assertThat(hasAuthorityResult).isEqualTo(new SecurityMethod("hasAuthority", "ROLE_ADMIN_ARCHIVESTORES")); + } + + @Test + void testHasRole() { + var hasRoleResult = SecurityMethod.from("hasRole('IS_ADMIN')"); + assertThat(hasRoleResult).isEqualTo(new SecurityMethod("hasRole", "IS_ADMIN")); + } + + @Test + void testPermitAll() { + var permitAllResult = SecurityMethod.from("permitAll()"); + assertThat(permitAllResult).isEqualTo(new SecurityMethod("permitAll","")); + } +} \ No newline at end of file diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/crypto/BaseTempKeyStoreTest.java b/datavault-common/src/test/java/org/datavaultplatform/common/crypto/BaseTempKeyStoreTest.java index da8433fb9..d9e0e4df6 100644 --- a/datavault-common/src/test/java/org/datavaultplatform/common/crypto/BaseTempKeyStoreTest.java +++ b/datavault-common/src/test/java/org/datavaultplatform/common/crypto/BaseTempKeyStoreTest.java @@ -7,8 +7,8 @@ import javax.crypto.SecretKey; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; -import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.io.TempDir; @Slf4j @@ -48,9 +48,20 @@ void setupKeyStore() { keyForSSH); Encryption.saveSecretKeyToKeyStore(Encryption.getVaultDataEncryptionKeyName(), keyForData); - Assertions.assertTrue(new File(keyStorePath).exists()); assertTrue(new File(keyStorePath).exists()); } + + @AfterEach + void tearDown() { + // JUnit @TempDir takes care of deleting the 'temp' directory + // but clearing the Encryption settings is good practice since they seem to be static + Encryption enc = new Encryption(); + enc.setKeystoreEnable(false); + enc.setKeystorePath(null); + enc.setKeystorePassword(null); + enc.setVaultPrivateKeyEncryptionKeyName(null); + enc.setVaultDataEncryptionKeyName(null); + } } diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/crypto/EncryptionTest.java b/datavault-common/src/test/java/org/datavaultplatform/common/crypto/EncryptionTest.java index e486154f4..e8b5bfe9a 100644 --- a/datavault-common/src/test/java/org/datavaultplatform/common/crypto/EncryptionTest.java +++ b/datavault-common/src/test/java/org/datavaultplatform/common/crypto/EncryptionTest.java @@ -29,13 +29,14 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.encoders.Base64; import org.datavaultplatform.test.SlowTest; +import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; @Slf4j -public class EncryptionTest { +class EncryptionTest { private static File bigdataResourcesDir; private static File testDir; @@ -65,6 +66,17 @@ public void setUp() { } } + @AfterEach + public void tearDown() { + try { + if (testDir != null && testDir.exists()) { + FileUtils.deleteDirectory(testDir); + } + } catch (IOException e) { + log.warn("Could not delete temporary test directory: " + testDir.getAbsolutePath(), e); + } + } + @Test public void testEncryptDecryptSecret() { System.out.println("Start testEncryptDecryptSecret..."); diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/util/LogLevelExtension.java b/datavault-common/src/test/java/org/datavaultplatform/common/util/LogLevelExtension.java new file mode 100644 index 000000000..422daece6 --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/util/LogLevelExtension.java @@ -0,0 +1,70 @@ +package org.datavaultplatform.common.util; + +import ch.qos.logback.classic.Level; +import ch.qos.logback.classic.Logger; +import ch.qos.logback.classic.LoggerContext; +import org.junit.jupiter.api.extension.BeforeAllCallback; +import org.junit.jupiter.api.extension.ExtensionContext; +import org.slf4j.LoggerFactory; + +import java.util.HashMap; +import java.util.Map; + +/** + * A JUnit 5 extension to temporarily change the logging level of specific loggers for a test class. + * It restores the original logging levels after all tests in the class have run. + */ +public class LogLevelExtension implements BeforeAllCallback, ExtensionContext.Store.CloseableResource { + + private static final String LOG_LEVEL_STORE_KEY = "logLevels"; + private final Map loggersToChange; // Loggers whose levels we want to change + private Map originalLevels; // Store original levels here + + /** + * Constructor to specify which loggers to modify and their desired temporary levels. + * + * @param loggerName The name of the logger to modify (e.g., "org.datavaultplatform.worker"). + * @param newLevel The temporary logging level (e.g., Level.OFF, Level.DEBUG). + */ + public LogLevelExtension(String loggerName, Level newLevel) { + this.loggersToChange = new HashMap<>(); + this.loggersToChange.put(loggerName, newLevel); + } + + /** + * Constructor to specify multiple loggers to modify. + * + * @param loggersToChange A map where keys are logger names and values are their desired temporary levels. + */ + public LogLevelExtension(Map loggersToChange) { + this.loggersToChange = new HashMap<>(loggersToChange); + } + + @Override + public void beforeAll(ExtensionContext context) { + // Initialize the map to store original levels for this instance + this.originalLevels = new HashMap<>(); + + LoggerContext loggerContext = (LoggerContext) LoggerFactory.getILoggerFactory(); + + for (Map.Entry entry : loggersToChange.entrySet()) { + Logger logger = loggerContext.getLogger(entry.getKey()); + this.originalLevels.put(entry.getKey(), logger.getLevel()); // Store original level in the instance field + logger.setLevel(entry.getValue()); // Set new level + } + // Store 'this' instance in the global store, so its close() method is called later by JUnit. + // The unique ID of the context is a good key to ensure uniqueness per test class. + context.getStore(ExtensionContext.Namespace.GLOBAL).put(context.getUniqueId(), this); + } + + @Override + public void close() { + LoggerContext loggerContext = (LoggerContext) LoggerFactory.getILoggerFactory(); + + // Access originalLevels directly from the instance field + for (Map.Entry entry : this.originalLevels.entrySet()) { + Logger logger = loggerContext.getLogger(entry.getKey()); + logger.setLevel(entry.getValue()); // Restore original level + } + } +} \ No newline at end of file diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleaner.java b/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleaner.java new file mode 100644 index 000000000..63cdee85d --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleaner.java @@ -0,0 +1,161 @@ +package org.datavaultplatform.common.util; + +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.FileUtils; + +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.attribute.BasicFileAttributes; +import java.nio.file.attribute.FileTime; +import java.nio.file.attribute.UserPrincipal; +import java.time.Instant; +import java.util.List; +import java.util.stream.Stream; + +@Slf4j +public class TempFileCleaner { + + public static final File SLASH_TEMP = new File("/tmp"); + public static final File OS_TEMP = new File(System.getProperty("java.io.tmpdir")); + private static final String CURRENT_USER_NAME = System.getProperty("user.name"); + + public static void cleanTempTestFiles(Instant startTime) { + cleanSlashTemp(startTime); + cleanOsTemp(startTime); + } + + public static void cleanSlashTemp(Instant startTime) { + cleanTempFilesAndDirectories(SLASH_TEMP, startTime); + } + + public static boolean isSlashTempSameAsOsTemp() { + return SLASH_TEMP.equals(OS_TEMP); + } + + public static void cleanOsTemp(Instant startTime) { + if (isSlashTempSameAsOsTemp()) { + log.warn("OS temp directory {} is the same as /tmp, skipping", OS_TEMP); + } else { + cleanTempFilesAndDirectories(OS_TEMP, startTime); + } + } + + public static void cleanTempFilesAndDirectories(File baseTemp, Instant startTime) { + cleanTempDirectories(baseTemp, startTime); + cleanTempFiles(baseTemp, startTime); + } + + public static void cleanTempDirectories(File baseTemp, Instant startTime) { + List dirs = findDirectories(baseTemp, startTime); + for (File dir : dirs) { + if (!Files.isWritable(dir.toPath())) { + log.warn("Skipping directory deletion, no write permission: {}", dir.getAbsolutePath()); + continue; + } + try { + FileUtils.deleteDirectory(dir); + log.debug("Deleted temp test directory: {}", dir.getAbsolutePath()); + } catch (Exception ex) { + log.warn("Failed to delete directory: " + dir.getAbsolutePath(), ex); + } + } + } + + public static void cleanTempFiles(File baseTemp, Instant startTime) { + List files = findFiles(baseTemp, startTime); + for (File file : files) { + if (!Files.isWritable(file.toPath())) { + log.warn("Skipping file deletion, no write permission: {}", file.getAbsolutePath()); + continue; + } + try { + var deleted = Files.deleteIfExists(file.toPath()); + log.debug("Deleted temp test file?: {} / {}", file.getAbsolutePath(), deleted); + } catch (Exception ex) { + log.warn("Failed to delete file: {}", file.getAbsolutePath(), ex); + } + } + } + + @SneakyThrows + public static List findDirectories(File baseTemp, Instant startTime) { + if (baseTemp == null || !baseTemp.exists() || !baseTemp.isDirectory()) { + return List.of(); + } + + List dirsToDelete; + try (Stream stream = Files.list(baseTemp.toPath())) { + dirsToDelete = stream.filter(Files::isDirectory) + .filter(path -> isEligibleForDeletion(path, startTime)) + .map(Path::toFile) + .toList(); + } + + dirsToDelete.forEach(path -> { + log.debug("XX Deleting directory: {}", path); + }); + return dirsToDelete; + } + + @SneakyThrows + public static List findFiles(File baseTemp, Instant startTime) { + if (baseTemp == null || !baseTemp.exists() || !baseTemp.isDirectory()) { + return List.of(); + } + + List filesToDelete; + try (Stream stream = Files.list(baseTemp.toPath())) { + filesToDelete = stream.filter(Files::isRegularFile) + .filter(path -> isEligibleForDeletion(path, startTime)) + .map(Path::toFile) + .toList(); + } + + filesToDelete.forEach(path -> { + log.debug("XX Deleting file: {}", path); + }); + + return filesToDelete; + } + + private static boolean isEligibleForDeletion(Path path, Instant testStartTime) { + try { + // 1. Check ownership + UserPrincipal owner = Files.getOwner(path); + if (owner == null || !CURRENT_USER_NAME.equals(owner.getName())) { + // In Unix/Docker environments, user.name might be '?' or 'root' while owner is a numeric UID. + // Uncomment the line below to debug ownership mismatches in CI: + // log.debug("Owner mismatch: Expected {}, but got {}", CURRENT_USER_NAME, owner.getName()); + return false; + } + + // 2. Check creation/modification time + // Using BasicFileAttributes is much safer and more robust across Linux/Mac than string lookups + BasicFileAttributes attr = Files.readAttributes(path, BasicFileAttributes.class); + FileTime creationTime = attr.creationTime(); + FileTime lastModifiedTime = attr.lastModifiedTime(); + + Instant created = creationTime.toInstant(); + Instant modified = lastModifiedTime.toInstant(); + + // Account for filesystem timestamp truncation (e.g., macOS HFS+/APFS or older Linux filesystems) + // by giving a small tolerance window. + Instant threshold = testStartTime.minusSeconds(2); + + // Only delete if the file was created OR modified AFTER the test started + // (We include 'modified' because some temporary files might be reused or + // touched during the test rather than freshly created) + boolean result = !created.isBefore(threshold) || !modified.isBefore(threshold); + if(result) { + log.debug("XX {} isEligibleForDeletion? {}", path, result); + } + return result; + } catch (IOException e) { + log.debug("Could not read attributes for {}. Assuming not eligible.", path, e); + return false; + } + } +} \ No newline at end of file diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtension.java b/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtension.java new file mode 100644 index 000000000..695173163 --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtension.java @@ -0,0 +1,40 @@ +package org.datavaultplatform.common.util; + +import lombok.extern.slf4j.Slf4j; +import org.junit.jupiter.api.Order; +import org.junit.jupiter.api.extension.AfterAllCallback; +import org.junit.jupiter.api.extension.BeforeAllCallback; +import org.junit.jupiter.api.extension.ExtensionContext; + +import java.time.Instant; + +@Slf4j +@Order(1) // High priority: ensures it runs first in beforeAll and last in afterAll +public class TempFileCleanerExtension implements BeforeAllCallback, AfterAllCallback { + + @Override + public void beforeAll(ExtensionContext context) { + // Only record the time for top-level test classes + if (context.getRequiredTestClass().getEnclosingClass() == null) { + // Record the time right before the test class starts + // We use the specific test class context + // to prevent collisions when running test classes in parallel + context.getStore(ExtensionContext.Namespace.create(getClass(), context.getRequiredTestClass())) + .put("testStartTime", Instant.now()); + } + } + + @Override + public void afterAll(ExtensionContext context) { + // Only perform cleanup for top-level test classes + if (context.getRequiredTestClass().getEnclosingClass() == null) { + Instant startTime = context.getStore(ExtensionContext.Namespace.create(getClass(), context.getRequiredTestClass())) + .get("testStartTime", Instant.class); + if (startTime != null) { + TempFileCleaner.cleanTempTestFiles(startTime); + } else { + log.error("No test start time found for test class {}", context.getRequiredTestClass().getName()); + } + } + } +} diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtensionTest.java b/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtensionTest.java new file mode 100644 index 000000000..d3c9b84f0 --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/util/TempFileCleanerExtensionTest.java @@ -0,0 +1,55 @@ +package org.datavaultplatform.common.util; + +import ch.qos.logback.classic.Level; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; + +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.Map; + +@Slf4j +@ExtendWith({TempFileCleanerExtensionTest.MyLogLevelExtension.class, TempFileCleanerExtension.class}) +class TempFileCleanerExtensionTest { + + // Define the logger levels you want to change for this test class + static class MyLogLevelExtension extends LogLevelExtension { + MyLogLevelExtension() { + super(Map.of( + "org.datavaultplatform.common.util", Level.DEBUG + )); + } + } + + @Test + @SneakyThrows + void testJavaTmpDirDelete() { + log.debug("testJavaTmpDirDelete"); + Path tempDir = Paths.get(System.getProperty("java.io.tmpdir")); + Files.writeString(tempDir.resolve("testNonSlash102.txt"), "Hello world!\n"); + + Path path2 = tempDir.resolve("deleteNonSlash/testNonSlash103.txt"); + Files.createDirectories(path2.getParent()); + Files.writeString(path2, "Hello world!\n"); + } + + @Test + @SneakyThrows + void testSlashTmpDirDelete() { + log.debug("testSlashTmpDirDelete"); + Path path = Paths.get("/tmp/deleteSlash/test100.txt"); + + // Create parent directories if they don't exist + Files.createDirectories(path.getParent()); + + // Write text to the file + Files.writeString(path, "Hello world!\n"); + + Files.writeString(Paths.get("/tmp/testSlash101.txt"), "Hello world!\n"); + } + + +} \ No newline at end of file diff --git a/datavault-common/src/test/java/org/datavaultplatform/common/util/TraceIdWrapper.java b/datavault-common/src/test/java/org/datavaultplatform/common/util/TraceIdWrapper.java new file mode 100644 index 000000000..8b30310e3 --- /dev/null +++ b/datavault-common/src/test/java/org/datavaultplatform/common/util/TraceIdWrapper.java @@ -0,0 +1,65 @@ +package org.datavaultplatform.common.util; + +import io.micrometer.tracing.Span; +import io.micrometer.tracing.TraceContext; +import io.micrometer.tracing.Tracer; +import io.opentelemetry.api.trace.TraceId; + +import java.util.concurrent.Callable; + +import static org.assertj.core.api.Assertions.assertThat; + +public class TraceIdWrapper { + private final String traceId; + private final Tracer tracer; + private Span testSpan; + private Tracer.SpanInScope testScope; + + public TraceIdWrapper(String traceId, Tracer tracer) { + this.traceId = traceId; + this.tracer = tracer; + } + + public void runWithinWrapper(Runnable runnable) { + setupTestTraceId(traceId); + try (Tracer.SpanInScope ignored = tracer.withSpan(testSpan)) { + runnable.run(); + } finally { + tearDownTestSpan(); + } + } + public T runWithinWrapper(Callable callable) throws Exception { + setupTestTraceId(traceId); + try (Tracer.SpanInScope ignored = tracer.withSpan(testSpan)) { + return callable.call(); + } finally { + tearDownTestSpan(); + } + } + + final void tearDownTestSpan() { + if (this.testScope != null) { + this.testScope.close(); + } + if (this.testSpan != null) { + this.testSpan.end(); + } + } + + private void setupTestTraceId(String testTraceId) { + if (testTraceId == null) { + return; + } + String spanId = "00f067aa0ba902b7"; + + assertThat(TraceId.isValid(testTraceId)).isTrue(); + TraceContext context = tracer.traceContextBuilder() + .traceId(testTraceId) + .spanId(spanId) + .sampled(true) + .build(); + testSpan = tracer.spanBuilder().setParent(context).start(); + testScope = tracer.withSpan(testSpan); + } + +} diff --git a/datavault-common/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension b/datavault-common/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension new file mode 100644 index 000000000..16c8c8ce0 --- /dev/null +++ b/datavault-common/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension @@ -0,0 +1 @@ +org.datavaultplatform.common.util.TempFileCleanerExtension diff --git a/datavault-common/src/test/resources/junit-platform.properties b/datavault-common/src/test/resources/junit-platform.properties new file mode 100644 index 000000000..1cebb76d5 --- /dev/null +++ b/datavault-common/src/test/resources/junit-platform.properties @@ -0,0 +1 @@ +junit.jupiter.extensions.autodetection.enabled = true \ No newline at end of file diff --git a/datavault-webapp/pom.xml b/datavault-webapp/pom.xml index 2eabb73b5..16c21b8e4 100644 --- a/datavault-webapp/pom.xml +++ b/datavault-webapp/pom.xml @@ -75,6 +75,12 @@ + + org.springframework.security + spring-security-test + test + + org.awaitility awaitility @@ -143,6 +149,15 @@ jackson-databind + + io.micrometer + micrometer-tracing-bridge-otel + + + io.micrometer + micrometer-tracing-test + test + diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/app/DataVaultWebApp.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/app/DataVaultWebApp.java index 14716003c..df44b4780 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/app/DataVaultWebApp.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/app/DataVaultWebApp.java @@ -6,16 +6,7 @@ import lombok.extern.slf4j.Slf4j; import org.datavaultplatform.common.monitor.MemoryStats; import org.datavaultplatform.common.services.LDAPService; -import org.datavaultplatform.webapp.config.ActutatorConfig; -import org.datavaultplatform.webapp.config.LdapConfig; -import org.datavaultplatform.webapp.config.MailConfig; -import org.datavaultplatform.webapp.config.MvcConfig; -import org.datavaultplatform.webapp.config.PropertiesConfig; -import org.datavaultplatform.webapp.config.RestTemplateConfig; -import org.datavaultplatform.webapp.config.SecurityActuatorConfig; -import org.datavaultplatform.webapp.config.SecurityConfig; -import org.datavaultplatform.webapp.config.TomcatAjpConfig; -import org.datavaultplatform.webapp.config.WebConfig; +import org.datavaultplatform.webapp.config.*; import org.datavaultplatform.webapp.config.database.DatabaseProfileConfig; import org.datavaultplatform.webapp.config.shib.ShibProfileConfig; import org.datavaultplatform.webapp.config.standalone.StandaloneProfileConfig; @@ -37,7 +28,7 @@ @ComponentScan({ "org.datavaultplatform.webapp.controllers", "org.datavaultplatform.webapp.services"}) -@Import({PropertiesConfig.class, WebConfig.class, MvcConfig.class, ActutatorConfig.class, +@Import({PropertiesConfig.class, ActutatorConfig.class, WebConfig.class, MvcConfig.class, SecurityActuatorConfig.class, SecurityConfig.class, MailConfig.class, LdapConfig.class, StandaloneProfileConfig.class, DatabaseProfileConfig.class, ShibProfileConfig.class, RestTemplateConfig.class, TomcatAjpConfig.class}) @@ -47,6 +38,12 @@ public class DataVaultWebApp implements CommandLineRunner { @Value("${spring.application.name}") String applicationName; + @Value("${management.tracing.sampling.probability}") + String tracingSamplingProbability; + + @Value("${management.tracing.propagation.type}") + String tracingPropagationType; + @Autowired Environment env; @@ -92,6 +89,8 @@ void onEvent(ApplicationReadyEvent readyEvent) { log.info("WebApp [{}] ready [{}]", applicationName, readyEvent); LDAPService.testLdapConnection(readyEvent.getApplicationContext()); log.info("{}", MemoryStats.getCurrent().toPretty()); + log.info("Tracing Sampling Probability [{}]", tracingSamplingProbability); + log.info("Tracing Propagation Type [{}]", tracingPropagationType); } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/authentication/shib/ShibAuthenticationProvider.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/authentication/shib/ShibAuthenticationProvider.java index 9c0c69ddb..c061288d8 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/authentication/shib/ShibAuthenticationProvider.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/authentication/shib/ShibAuthenticationProvider.java @@ -19,6 +19,7 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; +import java.util.Map; /** * In truth this class does not do any true authentication as the user was pre-authenticated by Shib, it just @@ -76,7 +77,7 @@ public Authentication authenticate(Authentication authentication) throws Authent user.setEmail(swad.getEmail()); if (ldapEnabled) { - user.setProperties(getLDAPAttributes(name)); + user.setProperties(new HashMap<>(getLDAPAttributes(name))); } try{ @@ -103,10 +104,10 @@ public boolean supports(Class authentication) { return PreAuthenticatedAuthenticationToken.class.equals(authentication); } - private HashMap getLDAPAttributes(String name) { + private Map getLDAPAttributes(String name) { try { return ldapService.getLDAPAttributes(name); - }catch (Exception e) { + } catch (Exception e) { throw new AuthenticationServiceException("LDAP Exception", e); } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/ActutatorConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/ActutatorConfig.java index 294cee709..1da6e81f2 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/ActutatorConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/ActutatorConfig.java @@ -2,8 +2,11 @@ import java.time.Clock; -import io.swagger.v3.oas.models.OpenAPI; -import io.swagger.v3.oas.models.info.Info; +//import io.swagger.v3.oas.models.OpenAPI; +//import io.swagger.v3.oas.models.info.Info; +import org.datavaultplatform.common.actuator.ActuatorHealthSecurityAdvice; +import org.datavaultplatform.common.actuator.ActuatorInfoSecurityAdvice; +import org.datavaultplatform.common.actuator.ActuatorSecurityAdvice; import org.datavaultplatform.webapp.actuator.CurrentTimeEndpoint; import org.datavaultplatform.webapp.actuator.MemoryInfoEndpoint; import org.springframework.boot.SpringBootVersion; @@ -14,6 +17,21 @@ @Configuration public class ActutatorConfig { + @Bean + ActuatorInfoSecurityAdvice actuatorInfoSecurityAdvice() { + return new ActuatorInfoSecurityAdvice(); + } + + @Bean + ActuatorHealthSecurityAdvice actuatorHealthSecurityAdvice() { + return new ActuatorHealthSecurityAdvice(); + } + + @Bean + ActuatorSecurityAdvice actuatorSecurityAdvice() { + return new ActuatorSecurityAdvice(); + } + @Bean Clock clock() { return Clock.systemDefaultZone(); @@ -34,11 +52,10 @@ public InfoContributor springBootVersionInfoContributor() { return builder -> builder.withDetail("spring-boot.version", SpringBootVersion.getVersion()); } - @Bean - public OpenAPI openAPI() { - return new OpenAPI().info(new Info().title("DataVault WebApp") - .description("webapp application") - .version("v0.0.1")); - } - +// @Bean +// public OpenAPI openAPI() { +// return new OpenAPI().info(new Info().title("DataVault WebApp") +// .description("webapp application") +// .version("v0.0.1")); +// } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/HttpSecurityUtils.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/HttpSecurityUtils.java index fd284c13a..0294f25e8 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/HttpSecurityUtils.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/HttpSecurityUtils.java @@ -1,26 +1,102 @@ package org.datavaultplatform.webapp.config; +import org.datavaultplatform.common.config.SecurityMethod; import org.datavaultplatform.webapp.authentication.AuthenticationSuccess; +import org.datavaultplatform.webapp.config.trace.TraceLoggingFilter; +import org.datavaultplatform.webapp.config.trace.MdcRequestFilter; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.session.SessionRegistry; +import org.springframework.security.web.access.AccessDeniedHandler; +import org.springframework.security.web.context.SecurityContextHolderFilter; +import org.springframework.security.web.context.SecurityContextPersistenceFilter; + +import java.util.LinkedHashMap; +import java.util.Map; public class HttpSecurityUtils { public static void authorizeRequests( - HttpSecurity http) throws Exception { - authorizeRequests(http, false); + HttpSecurity http, + TraceLoggingFilter traceLoggingFilter, + MdcRequestFilter userMdcFilter) throws Exception { + authorizeRequests(http, false, traceLoggingFilter, userMdcFilter); + } + + // Map to store URL patterns and their corresponding HttpSecurity rules + // Order matters: more specific paths should come before more general paths. + public static final Map SECURITY_PATH_MAP = new LinkedHashMap<>(); + + static { + // Populate this map based on HttpSecurityUtils.authorizeRequests + // Example entries based on your HttpSecurityUtils.java: + SECURITY_PATH_MAP.put("/favicon.ico", "permitAll()"); + SECURITY_PATH_MAP.put("/resources/**", "permitAll()"); + SECURITY_PATH_MAP.put("/error", "permitAll()"); + SECURITY_PATH_MAP.put("/auth/**", "permitAll()"); + + // Specific admin paths + SECURITY_PATH_MAP.put("/admin/paused/deposit/toggle", "hasRole('IS_ADMIN')"); + SECURITY_PATH_MAP.put("/admin/paused/retrieve/toggle", "hasRole('IS_ADMIN')"); + + SECURITY_PATH_MAP.put("/admin/paused/deposit/history", "hasRole('USER')"); + SECURITY_PATH_MAP.put("/admin/paused/retrieve/history", "hasRole('USER')"); + + SECURITY_PATH_MAP.put("/admin/archivestores/**", "hasAuthority('ROLE_ADMIN_ARCHIVESTORES')"); + SECURITY_PATH_MAP.put("/admin/billing/**", "hasAuthority('ROLE_ADMIN_BILLING')"); + + SECURITY_PATH_MAP.put("/admin/deposits/**", "hasAuthority('ROLE_ADMIN_DEPOSITS')"); + SECURITY_PATH_MAP.put("/admin/events/**", "hasAuthority('ROLE_ADMIN_EVENTS')"); + SECURITY_PATH_MAP.put("/admin/retentionpolicies/**", "hasAuthority('ROLE_ADMIN_RETENTIONPOLICIES')"); + SECURITY_PATH_MAP.put("/admin/retrieves/**", "hasAuthority('ROLE_ADMIN_RETRIEVES')"); + SECURITY_PATH_MAP.put("/admin/roles/**", "hasAuthority('ROLE_ADMIN_ROLES')"); + + SECURITY_PATH_MAP.put("/admin/schools/**", "hasAuthority('ROLE_ADMIN_SCHOOLS')"); + SECURITY_PATH_MAP.put("/admin/vaults/**", "hasAuthority('ROLE_ADMIN_VAULTS')"); + SECURITY_PATH_MAP.put("/admin/reviews/**", "hasAuthority('ROLE_ADMIN_REVIEWS')"); + SECURITY_PATH_MAP.put("/admin/pendingVaults/**", "hasRole('IS_ADMIN')"); + + // General admin paths (more specific than /**) + SECURITY_PATH_MAP.put("/admin/", "hasAuthority('ROLE_ADMIN')"); + SECURITY_PATH_MAP.put("/admin", "hasRole('ADMIN')"); + + // Most general matcher - must be last + SECURITY_PATH_MAP.put("/**", "hasAuthority('ROLE_USER')"); } public static void authorizeRequests( - HttpSecurity http, boolean includeStandaloneOnly) throws Exception { + HttpSecurity http, + boolean includeStandaloneOnly, + TraceLoggingFilter tracingFilter, + MdcRequestFilter userMdcFilter) throws Exception { + + http.addFilterBefore(tracingFilter, SecurityContextPersistenceFilter.class); + http.addFilterAfter(userMdcFilter, SecurityContextHolderFilter.class); + http.authorizeHttpRequests(authz -> { - authz.requestMatchers("/favicon.ico").permitAll(); //OKAY - if (includeStandaloneOnly) { authz.requestMatchers("/test/**", "/index").permitAll(); } + for(Map.Entry entry : SECURITY_PATH_MAP.entrySet()) { + var matchers = authz.requestMatchers(entry.getKey()); + SecurityMethod sm = SecurityMethod.from(entry.getValue()); + if (sm.isPermitAll()) { + matchers.permitAll(); + + } else if (sm.isHasRole()) { + matchers.hasRole(sm.arg()); + + } else if (sm.isHasAuthority()) { + matchers.hasAuthority(sm.arg()); + + } else { + throw new RuntimeException("Unknown security method: " + sm.method()); + } + } + + /* + authz.requestMatchers("/resources/**").permitAll(); //OKAY authz.requestMatchers("/error").permitAll(); //OKAY authz.requestMatchers("/auth/**").permitAll(); //OKAY @@ -30,10 +106,10 @@ public static void authorizeRequests( authz.requestMatchers("/admin/paused/deposit/history").hasRole("USER"); authz.requestMatchers("/admin/paused/deposit/toggle").hasRole("IS_ADMIN"); - authz.requestMatchers("/admin/pendingVaults/**").hasRole("IS_ADMIN"); authz.requestMatchers("/admin/paused/retrieve/history").hasRole("USER"); authz.requestMatchers("/admin/paused/retrieve/toggle").hasRole("IS_ADMIN"); + authz.requestMatchers("/admin/pendingVaults/**").hasRole("IS_ADMIN"); authz.requestMatchers("/admin/archivestores/**").hasAuthority("ROLE_ADMIN_ARCHIVESTORES"); authz.requestMatchers("/admin/billing/**").hasAuthority("ROLE_ADMIN_BILLING"); @@ -48,19 +124,21 @@ public static void authorizeRequests( // most general matcher - has to go last authz.requestMatchers("/**").hasAuthority("ROLE_USER"); //OKAY + */ }); } public static void sessionManagement(HttpSecurity http, SessionRegistry sessionRegistry) throws Exception { http.sessionManagement(sm -> { - sm.maximumSessions(1) + sm.maximumSessions(1) .expiredUrl("/auth/login?security") .sessionRegistry(sessionRegistry); }); } - public static void formLogin(HttpSecurity http, AuthenticationSuccess authenticationSuccess) throws Exception { + public static void formLogin(HttpSecurity http, AuthenticationSuccess authenticationSuccess, + AccessDeniedHandler accessDeniedHandler ) throws Exception { http.formLogin(fmLogin -> { fmLogin.loginPage("/auth/login") .loginProcessingUrl("/auth/security_check") @@ -74,6 +152,10 @@ public static void formLogin(HttpSecurity http, AuthenticationSuccess authentica .logoutSuccessUrl("/auth/login?logout"); }); - http.exceptionHandling(exh -> exh.accessDeniedPage("/auth/denied")); + if (accessDeniedHandler != null) { + http.exceptionHandling(exh -> exh.accessDeniedHandler(accessDeniedHandler)); + } else { + http.exceptionHandling(exh -> exh.accessDeniedPage("/auth/denied")); + } } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/RestTemplateConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/RestTemplateConfig.java index 3282b0363..e0056e01e 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/RestTemplateConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/RestTemplateConfig.java @@ -39,7 +39,7 @@ public class RestTemplateConfig { */ @Bean @SneakyThrows - RestTemplate restTemplate(@Value("${broker.timeout.ms:1000}") int brokerTimeoutMs) { + RestTemplate restTemplate(@Value("${broker.timeout.ms:1000}") int brokerTimeoutMs, RestTemplateBuilder restTemplateBuilder) { log.info("broker.timeout.ms [{}]", brokerTimeoutMs); Builder builder = SocketConfig.custom(); @@ -66,11 +66,10 @@ RestTemplate restTemplate(@Value("${broker.timeout.ms:1000}") int brokerTimeoutM HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory( httpclient); - RestTemplateBuilder tBuilder = new RestTemplateBuilder(); if (brokerTimeoutMs > 0) { - tBuilder = tBuilder.setConnectTimeout(Duration.ofMillis(brokerTimeoutMs)); + restTemplateBuilder = restTemplateBuilder.connectTimeout(Duration.ofMillis(brokerTimeoutMs)); } - RestTemplate restTemplate = tBuilder + RestTemplate restTemplate = restTemplateBuilder .requestFactory(() -> factory) //.setBufferRequestBody(true) .interceptors(List.of(new LoggingInterceptor())) diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/SecurityActuatorConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/SecurityActuatorConfig.java index 0245f5e5e..39a57519e 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/SecurityActuatorConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/SecurityActuatorConfig.java @@ -47,28 +47,25 @@ public DaoAuthenticationProvider actuatorAuthenticationProvider(@Qualifier("actu @Bean @Order(1) public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http, - @Qualifier("actuatorAuthenticationProvider") AuthenticationProvider authenticationProvider) throws Exception { + @Qualifier("actuatorAuthenticationProvider") AuthenticationProvider authenticationProvider) throws Exception { + http.securityMatcher("/actuator/**") + .authenticationProvider(authenticationProvider) + .csrf(AbstractHttpConfigurer::disable) + .httpBasic(Customizer.withDefaults()) + .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .authorizeHttpRequests(authz -> authz + // 1. Allow these specific endpoints without login + .requestMatchers( + "/actuator", + "/actuator/info", + "/actuator/health" + ).permitAll() - http.securityMatcher("/actuator/**","/v3/**","/swagger-ui/**") - .authenticationProvider(authenticationProvider) - .csrf(AbstractHttpConfigurer::disable) - .httpBasic(Customizer.withDefaults()) - .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .authorizeHttpRequests(authz -> authz.requestMatchers( - "/v3/**", - "/swagger-ui/**", - "/actuator", - "/actuator/info", - "/actuator/health", - "/actuator/brokerstatus", - "/actuator/customtime", - "/actuator/metrics", - "/actuator/mappings", - "/actuator/metrics/*", - "/actuator/memoryinfo").permitAll() - .anyRequest().authenticated()); + // 2. Require authentication for everything else covered by the securityMatcher + // (This includes Swagger, V3 docs, and the rest of the actuator endpoints) + .anyRequest().authenticated() + ); return http.build(); } - } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/WebConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/WebConfig.java index da0a116de..8a728d74e 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/WebConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/WebConfig.java @@ -3,13 +3,17 @@ import lombok.extern.slf4j.Slf4j; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; import org.springframework.core.annotation.Order; import org.springframework.security.web.session.HttpSessionEventPublisher; import org.springframework.web.filter.CommonsRequestLoggingFilter; +import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; +import org.datavaultplatform.webapp.config.trace.TracingConfig; @Configuration @Slf4j -public class WebConfig { +@Import(TracingConfig.class) +public class WebConfig implements WebMvcConfigurer { @Bean public HttpSessionEventPublisher httpSessionEventPublisher() { diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/database/DatabaseWebSecurityConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/database/DatabaseWebSecurityConfig.java index a3d5de31b..6db3201b2 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/database/DatabaseWebSecurityConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/database/DatabaseWebSecurityConfig.java @@ -4,10 +4,14 @@ import org.datavaultplatform.webapp.authentication.AuthenticationSuccess; import org.datavaultplatform.webapp.authentication.database.DatabaseAuthenticationProvider; import org.datavaultplatform.webapp.config.HttpSecurityUtils; +import org.datavaultplatform.webapp.config.trace.TraceLoggingFilter; +import org.datavaultplatform.webapp.config.trace.MdcRequestFilter; +import org.datavaultplatform.webapp.controllers.auth.DataVaultAccessDeniedHandler; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; import org.springframework.core.annotation.Order; import org.springframework.security.authentication.AuthenticationEventPublisher; import org.springframework.security.authentication.AuthenticationManager; @@ -16,8 +20,13 @@ import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.access.AccessDeniedHandler; + +import static org.springframework.security.config.Customizer.withDefaults; @EnableWebSecurity @Slf4j @@ -34,12 +43,37 @@ public class DatabaseWebSecurityConfig { @Autowired DatabaseAuthenticationProvider databaseAuthenticationProvider; + @Bean + @Order(0) + @Profile("database") + public SecurityFilterChain traceApiFilterChain(HttpSecurity http, AuthenticationProvider actuatorAuthenticationProvider) throws Exception { + return http + .securityMatcher("/trace/**") + .csrf(AbstractHttpConfigurer::disable) + .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) + .authenticationProvider(actuatorAuthenticationProvider) + .httpBasic(withDefaults()) + .build(); + } + + @Bean + AccessDeniedHandler accessDeniedHandler() { + return new DataVaultAccessDeniedHandler(); + + } + @Bean @Order(2) - public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - HttpSecurityUtils.formLogin(http, authenticationSuccess); + public SecurityFilterChain filterChain( + HttpSecurity http, + AccessDeniedHandler accessDeniedHandler, + TraceLoggingFilter traceLoggingFilter, + MdcRequestFilter userMdcFilter) throws Exception { + + HttpSecurityUtils.formLogin(http, authenticationSuccess, accessDeniedHandler); - HttpSecurityUtils.authorizeRequests(http); + HttpSecurityUtils.authorizeRequests(http, traceLoggingFilter, userMdcFilter); HttpSecurityUtils.sessionManagement(http, sessionRegistry); diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/shib/ShibWebSecurityConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/shib/ShibWebSecurityConfig.java index ae82ee7df..6787aeb13 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/shib/ShibWebSecurityConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/shib/ShibWebSecurityConfig.java @@ -5,6 +5,9 @@ import org.datavaultplatform.webapp.authentication.shib.ShibAuthenticationProvider; import org.datavaultplatform.webapp.authentication.shib.ShibWebAuthenticationDetailsSource; import org.datavaultplatform.webapp.config.HttpSecurityUtils; +import org.datavaultplatform.webapp.config.trace.TraceLoggingFilter; +import org.datavaultplatform.webapp.config.trace.MdcRequestFilter; +import org.datavaultplatform.webapp.controllers.auth.DataVaultAccessDeniedHandler; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; @@ -20,6 +23,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint; import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; @@ -60,18 +64,25 @@ protected void configure(HttpSecurity http) throws Exception { http.exceptionHandling(ex -> ex.authenticationEntryPoint(http403EntryPoint)); } */ + + @Bean + AccessDeniedHandler accessDeniedHandler() { + return new DataVaultAccessDeniedHandler(); + } @Bean @Order(2) public SecurityFilterChain filterChain( HttpSecurity http, - AuthenticationManager authManager - ) throws Exception { + AuthenticationManager authManager, + AccessDeniedHandler accessDeniedHandler, + TraceLoggingFilter traceLoggingFilter, + MdcRequestFilter userMdcFilter) throws Exception { // no form login for 'shib' http.authenticationProvider(shibAuthenticationProvider); - HttpSecurityUtils.authorizeRequests(http); + HttpSecurityUtils.authorizeRequests(http, traceLoggingFilter, userMdcFilter); HttpSecurityUtils.sessionManagement(http, sessionRegistry); @@ -84,6 +95,7 @@ public SecurityFilterChain filterChain( http.addFilterAt(shibFilter, AbstractPreAuthenticatedProcessingFilter.class); http.exceptionHandling(ex -> ex.authenticationEntryPoint(http403EntryPoint)); + http.exceptionHandling(exh -> exh.accessDeniedHandler(accessDeniedHandler)); return http.build(); } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneProfileConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneProfileConfig.java index 8a3c65c80..cd137d12f 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneProfileConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneProfileConfig.java @@ -9,7 +9,7 @@ @Profile("standalone") @ComponentScan({"org.datavaultplatform.webapp.controllers.standalone"}) -@Import(StandaloneWebSecurityConfig.class) +@Import({StandaloneWebSecurityConfig.class}) public class StandaloneProfileConfig { @Bean diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneWebSecurityConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneWebSecurityConfig.java index 1a6c2c52a..8d40c8443 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneWebSecurityConfig.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/standalone/StandaloneWebSecurityConfig.java @@ -3,6 +3,9 @@ import lombok.extern.slf4j.Slf4j; import org.datavaultplatform.webapp.authentication.AuthenticationSuccess; import org.datavaultplatform.webapp.config.HttpSecurityUtils; +import org.datavaultplatform.webapp.config.trace.TraceLoggingFilter; +import org.datavaultplatform.webapp.config.trace.MdcRequestFilter; +import org.datavaultplatform.webapp.controllers.auth.DataVaultAccessDeniedHandler; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; @@ -24,6 +27,7 @@ import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.access.AccessDeniedHandler; @EnableWebSecurity @Slf4j @@ -40,14 +44,22 @@ public class StandaloneWebSecurityConfig { @Autowired AuthenticationSuccess authenticationSuccess; + @Bean + DataVaultAccessDeniedHandler accessDeniedHandler() { + return new DataVaultAccessDeniedHandler(); + } + @Bean @Order(2) public SecurityFilterChain filterChain(HttpSecurity http, - @Qualifier("standaloneAuthenticationProvider") AuthenticationProvider authenticationProvider) throws Exception { + @Qualifier("standaloneAuthenticationProvider") AuthenticationProvider authenticationProvider, + AccessDeniedHandler accessDeniedHandler, + TraceLoggingFilter traceLoggingFilter, + MdcRequestFilter userMdcFilter) throws Exception { - HttpSecurityUtils.formLogin(http, authenticationSuccess); + HttpSecurityUtils.formLogin(http, authenticationSuccess, null); - HttpSecurityUtils.authorizeRequests(http, true); + HttpSecurityUtils.authorizeRequests(http, true, traceLoggingFilter, userMdcFilter); HttpSecurityUtils.sessionManagement(http, sessionRegistry); diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/BaseMdcFilter.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/BaseMdcFilter.java new file mode 100644 index 000000000..226b382bc --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/BaseMdcFilter.java @@ -0,0 +1,28 @@ +package org.datavaultplatform.webapp.config.trace; + +import jakarta.servlet.*; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + +import java.io.IOException; + +public abstract class BaseMdcFilter implements Filter { + public static final String REQUEST_USER = "req-user"; + + @Override + public void doFilter(ServletRequest req, + ServletResponse res, + FilterChain filterChain) + throws ServletException, IOException { + + HttpServletRequest request = (HttpServletRequest) req; + HttpServletResponse response = (HttpServletResponse) res; + if (request.getRequestURI().startsWith("/resources")) { + filterChain.doFilter(request, response); + return; + } + processFilterInternal(request, response, filterChain); + } + + protected abstract void processFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException; +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRequestFilter.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRequestFilter.java new file mode 100644 index 000000000..3393da322 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRequestFilter.java @@ -0,0 +1,55 @@ +package org.datavaultplatform.webapp.config.trace; + +import jakarta.servlet.DispatcherType; +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.MdcUtils; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; + +import java.io.IOException; + +/** + * This class takes the username of the logged-in user from spring-security Authentication object and places in the logback MDC so that it can be used in the log format under %X{user:-} + *
+ * e.g. %clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %clr([trace=%X{traceId:-} span=%X{spanId:-} user=%X{user:-}]){yellow} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%rEx} + * It also puts the username into the request so that when there is either an ERROR Dispatch or FORWARD Dispatch ( spring-security filters can be by-passed) - that the ErrorController or AutheConrtoller can get the username from the request. + * @see MdcRestorationFilter + */ +@Slf4j +public class MdcRequestFilter extends BaseMdcFilter { + @Override + protected void processFilterInternal(HttpServletRequest request, + HttpServletResponse response, + FilterChain filterChain) + throws ServletException, IOException { + + log.info("dispatch type [{}]", request.getDispatcherType().name()); + + // Only populate MDC on the original REQUEST + if (request.getDispatcherType() == DispatcherType.REQUEST) { + + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + + String username = null; + if (auth != null && auth.isAuthenticated()) { + username = auth.getName(); + } + username = MdcUtils.getMdcUserName(username); + MdcUtils.addUserNameToMdc(username); + + // Store in request so it survives ERROR dispatch + request.setAttribute(REQUEST_USER, username); + log.info("request[req-user] now [{}]", username); + } + + try { + filterChain.doFilter(request, response); + } finally { + MdcUtils.removeMdcUserName(); + } + } +} \ No newline at end of file diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRestorationFilter.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRestorationFilter.java new file mode 100644 index 000000000..85af4100a --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/MdcRestorationFilter.java @@ -0,0 +1,35 @@ +package org.datavaultplatform.webapp.config.trace; + +import jakarta.servlet.DispatcherType; +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.datavaultplatform.common.util.MdcUtils; + +import java.io.IOException; + +/** + * Restores the username in MDC context after the REQUEST dispatch has been processed, and we are dealing with ERROR or FORWARD dispatch (which can bypass SpringSecurityFilters). + * @see MdcRequestFilter + */ +public class MdcRestorationFilter extends BaseMdcFilter { + + @Override + protected void processFilterInternal(HttpServletRequest request, + HttpServletResponse response, + FilterChain filterChain) throws ServletException, IOException { + + if (request.getDispatcherType() != DispatcherType.REQUEST) { + String user = (String) request.getAttribute(REQUEST_USER); + String username = MdcUtils.getMdcUserName(user); + MdcUtils.addUserNameToMdc(username); + } + + try { + filterChain.doFilter(request, response); + } finally { + MdcUtils.removeMdcUserName(); + } + } +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingFilter.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingFilter.java new file mode 100644 index 000000000..1729587e6 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingFilter.java @@ -0,0 +1,67 @@ +package org.datavaultplatform.webapp.config.trace; + +import io.micrometer.tracing.Span; +import io.micrometer.tracing.TraceContext; +import io.micrometer.tracing.Tracer; +import jakarta.servlet.DispatcherType; +import jakarta.servlet.Filter; +import jakarta.servlet.FilterChain; +import jakarta.servlet.FilterConfig; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.util.Assert; + +import java.io.IOException; + +public class TraceLoggingFilter implements Filter { + + public static final String TRACE_CONTEXT = "traceContext"; + private static final Logger LOGGER = LoggerFactory.getLogger(TraceLoggingFilter.class); + + private final Tracer tracer; + + public TraceLoggingFilter(Tracer tracer) { + this.tracer = tracer; + Assert.notNull(tracer, "Tracer must not be null"); + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + // No-op + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest httpRequest = (HttpServletRequest) request; + HttpServletResponse httpResponse = (HttpServletResponse) response; + + // Only process for initial REQUEST dispatches. + // For ERROR/FORWARD dispatches, the trace context should already be in the ThreadLocal + // from the initial REQUEST, or we don't want to interfere. + if (httpRequest.getDispatcherType() != DispatcherType.REQUEST) { + chain.doFilter(request, response); + return; + } + + // Skip static resources to keep logs cleaner, similar to the original interceptor + if (httpRequest.getRequestURI().startsWith("/resources")) { + chain.doFilter(request, response); + return; + } + Span currentSpan = tracer.currentSpan(); + TraceContext traceContext = currentSpan == null ? TraceContext.NOOP : currentSpan.context(); + request.setAttribute(TRACE_CONTEXT, traceContext); + LOGGER.info("XXX in filter, TraceId [{}] for URI: {}", traceContext.traceId(), httpRequest.getRequestURI()); + + chain.doFilter(request, response); + } + + public static TraceContext getTraceContext(ServletRequest request) { + return (TraceContext) request.getAttribute(TRACE_CONTEXT); + } +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingInterceptor.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TraceLoggingInterceptor.java new file mode 100644 index 000000000..e69de29bb diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TracingConfig.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TracingConfig.java new file mode 100644 index 000000000..ec837947f --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/config/trace/TracingConfig.java @@ -0,0 +1,58 @@ +package org.datavaultplatform.webapp.config.trace; + +import io.micrometer.tracing.Tracer; +import io.opentelemetry.api.trace.propagation.W3CTraceContextPropagator; +import io.opentelemetry.context.propagation.ContextPropagators; +import jakarta.servlet.DispatcherType; +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; +import org.springframework.core.Ordered; + +@Configuration +@Import(MdcRequestFilter.class) +public class TracingConfig { + + @Bean + ContextPropagators otelContextPropagators() { + return ContextPropagators.create(W3CTraceContextPropagator.getInstance()); + } + + @Bean + TraceLoggingFilter traceLoggingFilter(Tracer tracer) { + return new TraceLoggingFilter(tracer); + } + + @Bean + MdcRequestFilter userMdcFilter() { + return new MdcRequestFilter(); + } + + @Bean + MdcRestorationFilter mdcRestorationFilter() { + return new MdcRestorationFilter(); + } + + @Bean + public FilterRegistrationBean mdcRestorationFilterRegistration(MdcRestorationFilter filter) { + FilterRegistrationBean registration = new FilterRegistrationBean<>(); + + registration.setFilter(filter); + registration.addUrlPatterns("/*"); + + // This is the "magic" that makes it work for Error/Forward dispatches + registration.setDispatcherTypes( + DispatcherType.REQUEST, + DispatcherType.FORWARD, + DispatcherType.ERROR, + DispatcherType.ASYNC + ); + + // Ensure this runs BEFORE the FilterChainProxy (Spring Security) + // Spring Security usually sits at -100 + registration.setOrder(Ordered.HIGHEST_PRECEDENCE); + + return registration; + } +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/VaultsController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/VaultsController.java index 203e44a7f..7e07b3dcd 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/VaultsController.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/VaultsController.java @@ -76,9 +76,9 @@ public VaultsController(RestService restService, } @PreAuthorize("hasPermission(#vaultId, 'VAULT', 'CAN_TRANSFER_VAULT_OWNERSHIP') or hasPermission(#vaultId, 'GROUP_VAULT', 'TRANSFER_SCHOOL_VAULT_OWNERSHIP')") - @PostMapping(value = "/vaults/{vaultid}/data-owner/update") + @PostMapping(value = "/vaults/{vaultId}/data-owner/update", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) public ResponseEntity transferOwnership( - @PathVariable("vaultid") String vaultId, + @PathVariable String vaultId, @Valid VaultTransferRequest request) { VaultInfo vault = restService.getVault(vaultId); @@ -287,7 +287,7 @@ public String getVault(ModelMap model, @PathVariable("vaultid") String vaultID, return "vaults/vault"; } - private boolean canAccessVault(VaultInfo vault, Principal principal) { + protected boolean canAccessVault(VaultInfo vault, Principal principal) { return canAccessVault(vault, principal, false); } @@ -295,7 +295,7 @@ private boolean canAccessPendingVault(VaultInfo vault, Principal principal) { return canAccessVault(vault, principal, true); } - private boolean canAccessVault(VaultInfo vault, Principal principal, Boolean pending) { + protected boolean canAccessVault(VaultInfo vault, Principal principal, Boolean pending) { List roleAssignmentsForUser = restService.getRoleAssignmentsForUser(principal.getName()); if (pending) { return roleAssignmentsForUser.stream().anyMatch(roleAssignment -> @@ -312,7 +312,10 @@ private boolean canAccessVault(VaultInfo vault, Principal principal, Boolean pen @PreAuthorize("hasRole('IS_ADMIN') or #userId == authentication.name") @GetMapping(value = "/vaults/{vaultId}/{userId}", produces = MediaType.TEXT_HTML_VALUE) - public String getVault(ModelMap model, @PathVariable String vaultId, @PathVariable String userId, Principal principal) { + public String getUserVaults(ModelMap model, + @PathVariable String vaultId, + @PathVariable String userId, + Principal principal) { VaultInfo vault = restService.getVault(vaultId); if (vault == null) { throw new EntityNotFoundException(Vault.class, vaultId); @@ -321,6 +324,7 @@ public String getVault(ModelMap model, @PathVariable String vaultId, @PathVariab throw new ForbiddenException(); } model.addAttribute("vaults", restService.getVaultsListingAll(userId)); + return "vaults/userVaults"; } @@ -534,19 +538,19 @@ public String updateVaultName(ModelMap model, return "redirect:" + vaultUrl; } - @PreAuthorize("hasRole('IS_ADMIN')") - @RequestMapping(value = "/vaults/autocompleteuun/{term}", method = RequestMethod.GET) - @ResponseBody - public String autocompleteUUN(@PathVariable("term") String term) { + //@PreAuthorize("hasRole('IS_ADMIN')") + @GetMapping(value = "/vaults/autocompleteuun/{term}", produces = MediaType.APPLICATION_JSON_VALUE) + @ResponseBody //note - this value returns a JSON array - no curly brackets + public String autocompleteUUN(@PathVariable String term) { List result = userLookupService.getSuggestedUuns(term); Gson gson = new Gson(); return gson.toJson(result); } - @PreAuthorize("hasRole('IS_ADMIN')") - @RequestMapping(value = "/vaults/isuun/{uun}", method = RequestMethod.GET) - @ResponseBody - public String isUUN(@PathVariable("uun") String uun) { + //@PreAuthorize("hasRole('IS_ADMIN')") + @GetMapping(value = "/vaults/isuun/{uun}", produces = MediaType.APPLICATION_JSON_VALUE) + @ResponseBody // note - this function returns simple true/false value as JSON - no curly brackets + public String isUUN(@PathVariable String uun) { boolean result = userLookupService.isUUN(uun); Gson gson = new Gson(); return gson.toJson(result); diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersController.java index b7e60c813..e3ab1fc4a 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersController.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersController.java @@ -28,7 +28,7 @@ public AdminUsersController(RestService restService) { } @PreAuthorize("hasRole('IS_ADMIN')") - @RequestMapping(value = "/admin/users", method = RequestMethod.GET) + @GetMapping(value = "/admin/users", produces = MediaType.TEXT_HTML_VALUE) public String getUsersListing(ModelMap model, @RequestParam(value = "query", required = false) String query) throws Exception { if ((query == null) || (query.isEmpty())) { @@ -43,9 +43,10 @@ public String getUsersListing(ModelMap model, } // Return an empty 'create new user' page + @PreAuthorize("hasRole('IS_ADMIN') and !@environment.acceptsProfiles('shib')") @GetMapping(value = "/admin/users/create", produces = MediaType.TEXT_HTML_VALUE) - public String createUser(ModelMap model) throws Exception { + public String createUserPage(ModelMap model) throws Exception { // pass the view an empty User since the form expects it model.addAttribute("user", new User()); @@ -53,8 +54,9 @@ public String createUser(ModelMap model) throws Exception { } // Process the completed 'create new user' page + @PreAuthorize("hasRole('IS_ADMIN') and !@environment.acceptsProfiles('shib')") - @PostMapping(value = "/admin/users/create", produces = MediaType.TEXT_HTML_VALUE) + @PostMapping(value = "/admin/users/create", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) public String addUser(@ModelAttribute User user, ModelMap model, @RequestParam String action) throws Exception { // Was the cancel button pressed? if ("cancel".equals(action)) { @@ -73,18 +75,20 @@ public String addUser(@ModelAttribute User user, ModelMap model, @RequestParam S } // Return an 'edit user' page - @PreAuthorize("hasRole('IS_ADMIN') or #userID == authentication.name") - @RequestMapping(value = "/admin/users/edit/{userid}", method = RequestMethod.GET) - public String editUser(ModelMap model, @PathVariable("userid") String userID) throws Exception { - model.addAttribute("user", restService.getUser(userID)); + @PreAuthorize("hasRole('IS_ADMIN') or #userId == authentication.name") + @GetMapping(value = "/admin/users/edit/{userId}", produces = MediaType.TEXT_HTML_VALUE) + public String editUser(ModelMap model, @PathVariable String userId) throws Exception { + + model.addAttribute("user", restService.getUser(userId)); return "admin/users/edit"; } // Process the completed 'edit user' page - @PreAuthorize("hasRole('IS_ADMIN') or #userID == authentication.name") - @RequestMapping(value = "/admin/users/edit/{userid}", method = RequestMethod.POST) - public String editUser(@ModelAttribute User user, ModelMap model, @PathVariable("userid") String userID, @RequestParam String action) throws Exception { + + @PreAuthorize("hasRole('IS_ADMIN') or #userId == authentication.name") + @PostMapping(value = "/admin/users/edit/{userId}", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) + public String editUser(@ModelAttribute User user, ModelMap model, @PathVariable String userId, @RequestParam String action) throws Exception { // Was the cancel button pressed? if ("cancel".equals(action)) { return "redirect:/"; @@ -93,7 +97,7 @@ public String editUser(@ModelAttribute User user, ModelMap model, @PathVariable( // todo : Is using the userID sensible? Should we use an alternative editUserRequest model? etc // todo: This should be considered hacky test code, no more. - User existingUser = restService.getUser(userID); + User existingUser = restService.getUser(userId); //existingUser.setName(user.getName()); restService.editUser(existingUser); diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/AuthController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/AuthController.java index 055f0870c..b7114acc4 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/AuthController.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/AuthController.java @@ -1,39 +1,55 @@ package org.datavaultplatform.webapp.controllers.auth; +import jakarta.servlet.RequestDispatcher; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.webapp.controllers.trace.BaseErrorController; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; +import org.springframework.http.MediaType; +import org.springframework.http.HttpStatus; +import org.springframework.security.authorization.AuthorizationDeniedException; import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; import org.springframework.ui.ModelMap; +import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import jakarta.servlet.http.HttpSession; +import java.text.MessageFormat; + +@Slf4j @Controller @RequestMapping("/auth") -public class AuthController { +public class AuthController extends BaseErrorController { private final static String DEFAULT_LOGOUT_URL = "/auth/login?logout"; private final String welcome; private final String logoutUrl; + private final boolean outputTraceIdOnError; + @Autowired public AuthController( @Value("${webapp.welcome}") String welcome, - @Value("${webapp.logout.url}") String logoutUrl) { + @Value("${webapp.logout.url}") String logoutUrl, + @Value("${output.traceid.on.error:false}") boolean outputTraceIdOnError) { if (logoutUrl == null || logoutUrl.isEmpty()) { logoutUrl = AuthController.DEFAULT_LOGOUT_URL; } this.welcome = welcome; this.logoutUrl = logoutUrl; + this.outputTraceIdOnError = outputTraceIdOnError; } - - @RequestMapping(value = "/login", method = RequestMethod.GET) - public String getLoginPage(@RequestParam(value="error", required=false) boolean error, - @RequestParam(value="logout", required=false) String logout, - @RequestParam(value="security", required=false) String security, + + @GetMapping(value = "/login", produces = MediaType.TEXT_HTML_VALUE) + public String getLoginPage(@RequestParam(value = "error", required = false) boolean error, + @RequestParam(value = "logout", required = false) String logout, + @RequestParam(value = "security", required = false) String security, ModelMap model) { model.put("success", ""); @@ -55,24 +71,54 @@ public String getLoginPage(@RequestParam(value="error", required=false) boolean return "auth/login"; } - @RequestMapping(value = "/logout", method = RequestMethod.GET) - public String getDeniedPage(ModelMap model, HttpSession session) { + @GetMapping(value = "/logout") + public String redirectToLogout(ModelMap model, HttpSession session) { session.invalidate(); return "redirect:"+logoutUrl; } - @RequestMapping(value = "/denied", method = RequestMethod.GET) - public String getDeniedPage() { + @GetMapping(value = "/denied") + public String getDeniedPage(HttpServletRequest request, HttpServletResponse response, Model model) { + + // Retrieve some useful information from the request + Throwable throwable = (Exception) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION); + Integer statusCode = (Integer) request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE); + String requestUri = (String) request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI); + + HttpStatus httpStatus = getHttpStatus(statusCode, HttpStatus.OK); + response.setStatus(httpStatus.value()); + + return withinTraceContext(request, (traceId, spanId) -> { + log.info("IN:traceId: {}, spanId: {}", traceId, spanId, throwable); + extraDebug(request); - return "auth/denied"; + String exceptionMessage = getExceptionMessage(throwable, httpStatus); + + if (throwable instanceof AuthorizationDeniedException adEx) { + String authDeniedMessage = MessageFormat.format("Access Denied: {0}", adEx.getAuthorizationResult()); + log.error(authDeniedMessage); + } + + String message = getMessage(requestUri, httpStatus, exceptionMessage, traceId, outputTraceIdOnError); + model.addAttribute("message", message); + + log.info("OUT:traceId: {}, spanId: {}", traceId, spanId); + + return "auth/denied"; + }); } - @RequestMapping(value = "/confirmation", method = RequestMethod.GET) + @GetMapping(value = "/confirmation", produces = MediaType.TEXT_HTML_VALUE) public String getConfirmationPage(ModelMap model) { model.put("logout", ""); return "auth/confirmation"; } + + @Override + protected boolean showFullErrorMessageWhenNotDisplayingTraceId(){ + return false; + } } \ No newline at end of file diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/DataVaultAccessDeniedHandler.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/DataVaultAccessDeniedHandler.java new file mode 100644 index 000000000..2ae392fb2 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/DataVaultAccessDeniedHandler.java @@ -0,0 +1,27 @@ +package org.datavaultplatform.webapp.controllers.auth; + +import jakarta.servlet.RequestDispatcher; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.util.Assert; + +import java.io.IOException; + +public class DataVaultAccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler { + + @Override + public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException { + Assert.isTrue(accessDeniedException != null, "An AccessDeniedException must be provided"); + request.setAttribute(RequestDispatcher.ERROR_STATUS_CODE, HttpServletResponse.SC_FORBIDDEN); + request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, accessDeniedException); + request.setAttribute(RequestDispatcher.ERROR_MESSAGE, accessDeniedException.getMessage()); + + String requestURI = request.getRequestURI(); + Assert.hasText(requestURI, "Request URI must not be null or empty"); + request.setAttribute(RequestDispatcher.ERROR_REQUEST_URI, requestURI); + response.setStatus(HttpServletResponse.SC_FORBIDDEN); + request.getRequestDispatcher("/auth/denied").forward(request, response); + } +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ErrorController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ErrorController.java index 8df69925c..ca4995698 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ErrorController.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ErrorController.java @@ -1,78 +1,67 @@ package org.datavaultplatform.webapp.controllers.auth; -import java.util.Collections; -import java.util.Objects; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import jakarta.servlet.RequestDispatcher; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.webapp.controllers.trace.BaseErrorController; +import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpStatus; +import org.springframework.http.MediaType; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; -import java.io.PrintWriter; -import java.io.StringWriter; -import java.text.MessageFormat; /** * Created by stuartlewis on 02/10/15. */ @Controller -class ErrorController implements org.springframework.boot.web.servlet.error.ErrorController { +@Slf4j +public class ErrorController extends BaseErrorController implements org.springframework.boot.web.servlet.error.ErrorController { - private static final Logger logger = LoggerFactory.getLogger(ErrorController.class); + private final boolean outputTraceIdOnError; - @RequestMapping("/error") + public ErrorController(@Value("${output.traceid.on.error:false}") boolean outputTraceIdOnError) { + this.outputTraceIdOnError = outputTraceIdOnError; + } + + @RequestMapping(value = "/error", produces = MediaType.TEXT_HTML_VALUE) public String customError(HttpServletRequest request, HttpServletResponse response, Model model) { + // Retrieve some useful information from the request - Integer statusCode = (Integer) request.getAttribute("jakarta.servlet.error.status_code"); - Throwable throwable = (Throwable) request.getAttribute("jakarta.servlet.error.exception"); - String exceptionMessage = getExceptionMessage(throwable, statusCode, response); + Throwable throwable = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION); + Integer statusCode = (Integer) request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE); + String requestUri = (String) request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI); - logger.error("----------"); - logger.error("An error occurred: {}", exceptionMessage, throwable); - extraDebug(request); + HttpStatus httpStatus = getHttpStatus(statusCode, HttpStatus.INTERNAL_SERVER_ERROR); + response.setStatus(httpStatus.value()); - if (statusCode != null && statusCode == HttpStatus.FORBIDDEN.value()) { - return "auth/denied"; + if (httpStatus == HttpStatus.NOT_FOUND && requestUri.startsWith("/resources/")) { + return null; //this bypasses templating and returns a 404 with no-content to the browser. } - String requestUri = (String) request.getAttribute("jakarta.servlet.error.request_uri"); - if (requestUri == null) { - requestUri = "Unknown"; + // this handles the case where a SpringMVC controller threw AccessDeniedException directly + if (httpStatus == HttpStatus.FORBIDDEN) { + return "forward:auth/denied"; } - String message = MessageFormat.format("Error code {0} returned for {1} with message:
{2}", - statusCode, requestUri, exceptionMessage); + return withinTraceContext(request, (traceId, spanId) -> { + log.info("IN:traceId: {}, spanId: {}", traceId, spanId, throwable); + extraDebug(request); - model.addAttribute("message", message); - return "error/error"; - } + String exceptionMessage = getExceptionMessage(throwable, httpStatus); - private void extraDebug(HttpServletRequest request) { - Collections - .list(request.getAttributeNames()) - .stream() - .filter(Objects::nonNull) - .filter(aName -> aName.startsWith("jakarta.servlet.error.")) - .forEach(aName -> logger.error("error attr [{}] -> [{}]", aName, request.getAttribute(aName))); + String message = getMessage(requestUri, httpStatus, exceptionMessage, traceId, outputTraceIdOnError); + model.addAttribute("message", message); + + log.info("OUT:traceId: {}, spanId: {}", traceId, spanId); + return "error/error"; + }); } - private String getExceptionMessage(Throwable throwable, Integer statusCode, HttpServletResponse response) { - if (throwable != null) { - StringWriter reason = new StringWriter(); - throwable.printStackTrace(new PrintWriter(reason)); - response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value()); - if (reason != null) { - return reason.toString(); - } - } - if(statusCode == null){ - statusCode = HttpStatus.INTERNAL_SERVER_ERROR.value(); - } - HttpStatus httpStatus = HttpStatus.valueOf(statusCode); - response.setStatus(statusCode); - return httpStatus.getReasonPhrase(); + @Override + protected boolean showFullErrorMessageWhenNotDisplayingTraceId(){ + return true; } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ValidationExceptionHandler.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ValidationExceptionHandler.java index 52bbaa715..8eb86142d 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ValidationExceptionHandler.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/auth/ValidationExceptionHandler.java @@ -1,11 +1,14 @@ package org.datavaultplatform.webapp.controllers.auth; +import jakarta.validation.ConstraintViolation; +import jakarta.validation.ConstraintViolationException; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.validation.BindException; import org.springframework.validation.FieldError; import org.springframework.web.bind.annotation.ControllerAdvice; import org.springframework.web.bind.annotation.ExceptionHandler; +import org.springframework.web.bind.annotation.ResponseBody; import java.util.stream.Collectors; @@ -21,4 +24,17 @@ public ResponseEntity handle(BindException ex) { return ResponseEntity.status(HttpStatus.UNPROCESSABLE_ENTITY).body(errorMessage); } + + // 2. New specific handler for @RequestParam/@PathVariable (@Validated) + @ExceptionHandler(ConstraintViolationException.class) + @ResponseBody + public ResponseEntity handleConstraintViolation(ConstraintViolationException ex) { + // ConstraintViolationException uses a Set of Violations, not FieldErrors + String errorMessage = ex.getConstraintViolations() + .stream() + .map(ConstraintViolation::getMessage) + .collect(Collectors.joining("\n")); + + return ResponseEntity.status(HttpStatus.UNPROCESSABLE_ENTITY).body(errorMessage); + } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/SimulateErrorController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/SimulateErrorController.java index 4eed8b258..04727819f 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/SimulateErrorController.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/SimulateErrorController.java @@ -1,5 +1,6 @@ package org.datavaultplatform.webapp.controllers.standalone.api; +import io.micrometer.tracing.Tracer; import jakarta.validation.Valid; import lombok.extern.slf4j.Slf4j; import org.datavaultplatform.webapp.controllers.auth.ValidationExceptionHandler; @@ -8,33 +9,40 @@ import org.datavaultplatform.webapp.exception.InvalidUunException; import org.datavaultplatform.webapp.model.test.EmailInfo; import org.springframework.context.annotation.Profile; -import org.springframework.web.bind.annotation.PostMapping; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RestController; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.*; @RestController @Slf4j @RequestMapping("/test") @Profile("standalone") public class SimulateErrorController { + + private final Tracer tracer; - @RequestMapping("/oops") + public SimulateErrorController(Tracer tracer) { + this.tracer = tracer; + } + + @GetMapping("/oops") public String throwError(){ - throw new RuntimeException("SimulatedError"); + String traceId = tracer.currentSpan().context().traceId(); + String msg = "SimulatedError - traceId: [%s]".formatted(traceId); + log.error(msg); + throw new RuntimeException(msg); } - @RequestMapping("/forbidden") + @GetMapping("/forbidden") public String forbidden() { throw new ForbiddenException(); } - @RequestMapping("/entity-not-found") + @GetMapping("/entity-not-found") public String entityNotFound() { throw new EntityNotFoundException(String.class, "id-101"); } - @RequestMapping(value = "/invalid-uun") + @GetMapping(value = "/invalid-uun") public String invalidUUN() throws InvalidUunException { throw new InvalidUunException("blah"); } @@ -43,7 +51,7 @@ public String invalidUUN() throws InvalidUunException { * an invalid email address will cause a BindException to be handled by ValidationExceptionHandler * @see ValidationExceptionHandler */ - @PostMapping("/email") + @PostMapping(value = "/email", consumes = MediaType.APPLICATION_JSON_VALUE) public EmailInfo email(@RequestBody @Valid EmailInfo info) { return info; } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/TraceController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/TraceController.java new file mode 100644 index 000000000..8bce0980d --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/standalone/api/TraceController.java @@ -0,0 +1,51 @@ +package org.datavaultplatform.webapp.controllers.standalone.api; + +import io.micrometer.tracing.Tracer; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.TraceInfo; +import org.datavaultplatform.webapp.services.TraceService; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; +import org.springframework.context.annotation.Profile; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@RequestMapping("/trace") +@Profile("database") //need to get to database +@ConditionalOnBean(TraceService.class) +@Slf4j +public class TraceController { + + private final Tracer tracer; + private final TraceService traceService; + + @Autowired + public TraceController(Tracer tracer, TraceService traceService){ + this.tracer = tracer; + this.traceService = traceService; + } + + @GetMapping("/info") + public TraceInfo getTraceInfo() { + String traceId = tracer.currentSpan().context().traceId(); + log.info("TraceId: {}", traceId); + return new TraceInfo(traceId); + } + + @GetMapping("/broker/info") + public TraceInfo getTraceBrokerInfo() { + String traceId = tracer.currentSpan().context().traceId(); + log.info("Actual TraceId: {}", traceId); + return traceService.getTraceInfoFromBroker(); + } + + @GetMapping("/broker/worker/info") + public TraceInfo getTraceBrokerInfoAndSendToWorker() { + String traceId = tracer.currentSpan().context().traceId(); + log.info("TraceId: {}", traceId); + return traceService.getTraceInfoFromBrokerAndSendToWorker(); + } + +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/BaseErrorController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/BaseErrorController.java new file mode 100644 index 000000000..2cc186515 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/BaseErrorController.java @@ -0,0 +1,85 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import io.micrometer.tracing.TraceContext; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.http.HttpServletRequest; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.webapp.config.trace.TraceLoggingFilter; +import org.slf4j.MDC; +import org.springframework.http.HttpStatus; + +import java.io.PrintWriter; +import java.io.StringWriter; +import java.text.MessageFormat; +import java.util.Collections; +import java.util.Objects; +import java.util.function.BiFunction; + +@Slf4j +public abstract class BaseErrorController { + + public static final String MESSAGE_PATTERN = "Please report the Trace Id [%s] to support."; + + protected String getExceptionMessage(Throwable throwable, HttpStatus httpStatus) { + if (throwable != null) { + StringWriter reason = new StringWriter(); + throwable.printStackTrace(new PrintWriter(reason)); + return reason.toString(); + } else { + return httpStatus.getReasonPhrase(); + } + } + + protected String getMessage(String requestUri, HttpStatus httpStatus, String exceptionMessage, String traceId, boolean outputTraceIdOnError) { + if (requestUri == null) { + requestUri = "Unknown"; + } + + String fullMessage = MessageFormat.format("Error code {0} returned for {1} with message:
{2}", + httpStatus.value(), requestUri, exceptionMessage); + + log.error(fullMessage); + + final String message; + if (outputTraceIdOnError) { + message = MESSAGE_PATTERN.formatted(traceId); + } else if (showFullErrorMessageWhenNotDisplayingTraceId()) { + message = fullMessage; + } else { + message = ""; + } + return message; + } + + protected void extraDebug(HttpServletRequest request) { + Collections + .list(request.getAttributeNames()) + .stream() + .filter(Objects::nonNull) + .filter(aName -> aName.startsWith("jakarta.servlet.error.")) + .forEach(aName -> log.error("error attr [{}] -> [{}]", aName, request.getAttribute(aName))); + } + + protected HttpStatus getHttpStatus(Integer statusCode, HttpStatus defaultHttpStatus) { + if (statusCode == null) { + return defaultHttpStatus; + } else { + return HttpStatus.valueOf(statusCode); + } + } + + protected abstract boolean showFullErrorMessageWhenNotDisplayingTraceId(); + + protected String withinTraceContext(ServletRequest request, BiFunction consumer) { + TraceContext traceContext = TraceLoggingFilter.getTraceContext(request); + String traceId = traceContext.traceId(); + String spanId = traceContext.spanId(); + + try (var ignored1 = MDC.putCloseable("traceId", traceId); + var ignored2 = MDC.putCloseable("spanId", spanId)) { + + return consumer.apply(traceId, spanId); + + } + } +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceController.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceController.java new file mode 100644 index 000000000..4bad712b1 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceController.java @@ -0,0 +1,69 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import io.micrometer.tracing.Tracer; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Profile; +import org.springframework.expression.Expression; +import org.springframework.expression.spel.standard.SpelExpressionParser; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.authorization.AuthorizationDeniedException; +import org.springframework.security.authorization.ExpressionAuthorizationDecision; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +/** + * This MVC Controler is for the "database" profile (local development) only - it's used to demo the traceid show on the error page. + * It will NOT be part of the production application. + */ +@Slf4j +@RestController +@Profile("database") +@RequestMapping("/demo/trace") +public class DemoTraceController implements DemoTraceControllerApi { + + @Autowired + Tracer tracer; + + @RequestMapping("/oops") + public void oops() { + String traceId = tracer.currentSpan().context().traceId(); + String msg = "SimulatedError - oops traceId: [%s]".formatted(traceId); + log.info(msg); + throw new RuntimeException(msg); + } + + @RequestMapping("/id") + public String id() { + String traceId = tracer.currentSpan().context().traceId(); + log.info("ACTUAL traceId[{}]", traceId); + return traceId; + } + + /** + * The NO_SUCH_ROLE does not exist - so the @PreAuthorize should always fail with AccessDeniedException + * an AccessDeniedException is thrown from within Spring Security - before SpringMVC Controller code + */ + @RequestMapping(value={"/auth/fail/springsec", "/auth/fail"}) + @PreAuthorize("hasAuthority('NO_SUCH_ROLE_1')") + public void authFail1() { + String traceId = tracer.currentSpan().context().traceId(); + String msg = "SHOULD NOT GET HERE : traceId: [%s]".formatted(traceId); + log.error(msg); + throw new RuntimeException(msg); + } + + /** + * an AccessDeniedException is thrown from within the Spring MVC Controller code + */ + @RequestMapping("/auth/fail/controller") + public void authFail2() { + SpelExpressionParser parser = new SpelExpressionParser(); + Expression expression = parser.parseExpression("hasAuthority('NO_SUCH_ROLE_2')"); + + ExpressionAuthorizationDecision decision = new ExpressionAuthorizationDecision(false, expression); + + String traceId = tracer.currentSpan().context().traceId(); + throw new AuthorizationDeniedException("Access Denied[%s]".formatted(traceId), decision); + } +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceControllerApi.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceControllerApi.java new file mode 100644 index 000000000..37030c208 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/controllers/trace/DemoTraceControllerApi.java @@ -0,0 +1,4 @@ +package org.datavaultplatform.webapp.controllers.trace; + +public interface DemoTraceControllerApi { +} diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/RestService.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/RestService.java index 1fc664715..b0b97d482 100644 --- a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/RestService.java +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/RestService.java @@ -10,9 +10,11 @@ import org.datavaultplatform.common.response.*; import org.datavaultplatform.common.util.Constants; import org.datavaultplatform.common.util.DateTimeUtils; +import org.datavaultplatform.common.util.TraceInfo; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Profile; +import org.springframework.core.ParameterizedTypeReference; import org.springframework.http.*; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; @@ -54,7 +56,16 @@ private ResponseEntity exchange(String url, Class clazz, HttpMethod me return exchangeWithAuth(auth, url, clazz, method, payload); } - private ResponseEntity exchangeWithAuth(Authentication auth, String url, Class clazz, HttpMethod method, Object payload) { + private ResponseEntity exchange(String url, ParameterizedTypeReference ptr, HttpMethod method, Object payload) { + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + return exchangeWithAuth(auth, url, ptr, method, payload); + } + + private ResponseEntity exchangeWithAuth(Authentication auth, String url, Class ptr, HttpMethod method, Object payload) { + return exchangeWithAuth(auth, url, ParameterizedTypeReference.forType(ptr), method, payload); + } + + private ResponseEntity exchangeWithAuth(Authentication auth, String url, ParameterizedTypeReference ptr, HttpMethod method, Object payload) { HttpHeaders headers = new HttpHeaders(); @@ -83,8 +94,12 @@ private ResponseEntity exchangeWithAuth(Authentication auth, String url, // todo : check the http status code before returning? log.info("broker.url [{}]",url); - return restTemplate.exchange(url, method, entity, clazz); + return restTemplate.exchange(url, method, entity, ptr); + + } + public ResponseEntity get(String url, ParameterizedTypeReference ptr) { + return exchange(url, ptr, HttpMethod.GET, null); } public ResponseEntity get(String url, Class clazz) { @@ -919,4 +934,20 @@ public void toggleRetrievePausedState() { throw new RuntimeException(msg); } } + + public TraceInfo getTraceFromBroker(String brokerActuatorUserName, String brokerActuatorPassword) { + HttpHeaders headers = new HttpHeaders(); + headers.setBasicAuth(brokerActuatorUserName, brokerActuatorPassword); + headers.setAccept(List.of(MediaType.APPLICATION_JSON)); + ResponseEntity response = restTemplate.exchange(brokerURL + "/trace/info", HttpMethod.GET, new HttpEntity<>(headers), TraceInfo.class); + return response.getBody(); + } + + public TraceInfo getTraceFromBrokerAndSendToWorker(String brokerActuatorUserName, String brokerActuatorPassword) { + HttpHeaders headers = new HttpHeaders(); + headers.setBasicAuth(brokerActuatorUserName, brokerActuatorPassword); + headers.setAccept(List.of(MediaType.APPLICATION_JSON)); + ResponseEntity response = restTemplate.exchange(brokerURL + "/trace/worker", HttpMethod.GET, new HttpEntity<>(headers), TraceInfo.class); + return response.getBody(); + } } diff --git a/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/TraceService.java b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/TraceService.java new file mode 100644 index 000000000..8af2490b3 --- /dev/null +++ b/datavault-webapp/src/main/java/org/datavaultplatform/webapp/services/TraceService.java @@ -0,0 +1,32 @@ +package org.datavaultplatform.webapp.services; + +import org.datavaultplatform.common.util.TraceInfo; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Service; + +@Service +@Profile("database") +@ConditionalOnBean(RestService.class) +public class TraceService { + + private final RestService restService; + private final String brokerActuatorUserName; + private final String brokerActuatorPassword; + + public TraceService(RestService restService, + @Value("${broker.actuator.username:bactor}") String brokerActuatorUserName, + @Value("${broker.actuator.password:bactorpass}") String brokerActuatorPassword) { + this.restService = restService; + this.brokerActuatorUserName = brokerActuatorUserName; + this.brokerActuatorPassword = brokerActuatorPassword; + } + + public TraceInfo getTraceInfoFromBroker() { + return restService.getTraceFromBroker(brokerActuatorUserName, brokerActuatorPassword); + } + public TraceInfo getTraceInfoFromBrokerAndSendToWorker() { + return restService.getTraceFromBrokerAndSendToWorker(brokerActuatorUserName, brokerActuatorPassword); + } +} diff --git a/datavault-webapp/src/main/resources/application-standalone.properties b/datavault-webapp/src/main/resources/application-standalone.properties index 016f92dd4..15218f9d8 100644 --- a/datavault-webapp/src/main/resources/application-standalone.properties +++ b/datavault-webapp/src/main/resources/application-standalone.properties @@ -159,3 +159,7 @@ jmail.mail.smtp.auth=false jmail.mail.smtp.starttls.enable=true jmail.mail.smtp.quitwait=true +logging.level.org.springframework.web.filter.ServerHttpObservationFilter=DEBUG +logging.level.io.micrometer.tracing=DEBUG +management.tracing.sampling.probability=1.0 +output.traceid.on.error=true \ No newline at end of file diff --git a/datavault-webapp/src/main/resources/application.properties b/datavault-webapp/src/main/resources/application.properties index c36845e24..3bddf311e 100644 --- a/datavault-webapp/src/main/resources/application.properties +++ b/datavault-webapp/src/main/resources/application.properties @@ -51,4 +51,13 @@ tomcat.ajp.port=8009 tomcat.ajp.redirect.port=8443 tomcat.ajp.connector.secure=false -logging.level.org.apache.coyote.ajp=DEBUG \ No newline at end of file +logging.level.org.apache.coyote.ajp=DEBUG + +logging.level.org.springframework.web.filter.ServerHttpObservationFilter=DEBUG +logging.level.org.datavaultplatform.webapp.config.trace=DEBUG +logging.level.io.micrometer.tracing=DEBUG +management.tracing.sampling.probability=1.0 +management.tracing.propagation.type=w3c +output.traceid.on.error=true + +springdoc.model-and-view-allowed=true \ No newline at end of file diff --git a/datavault-webapp/src/main/webapp/WEB-INF/templates/auth/denied.html b/datavault-webapp/src/main/webapp/WEB-INF/templates/auth/denied.html index b2a21b490..cef4040c7 100644 --- a/datavault-webapp/src/main/webapp/WEB-INF/templates/auth/denied.html +++ b/datavault-webapp/src/main/webapp/WEB-INF/templates/auth/denied.html @@ -11,6 +11,9 @@ Error: Access denied. + +
[[${message}]] + diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/ProtectedPathsTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/ProtectedPathsTest.java index 41ed02b67..affb4fa3f 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/ProtectedPathsTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/ProtectedPathsTest.java @@ -30,7 +30,7 @@ import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; -@SpringBootTest +@SpringBootTest(properties = "management.endpoints.web.exposure.include=*") @ProfileStandalone @AutoConfigureMockMvc @Slf4j @@ -38,7 +38,7 @@ * Tests the Roles required to access protected paths. * @see org.datavaultplatform.webapp.config.standalone.StandaloneWebSecurityConfig */ -public class ProtectedPathsTest { +class ProtectedPathsTest { private static final String ROLE_XXX = "XXX"; private static final AtomicInteger COUNTER = new AtomicInteger(); @@ -95,6 +95,11 @@ void testPathRequiresRole(String path, String roleWithPrefix) { COUNTER.incrementAndGet(); } + @Test + void testPathRequiresRole_AuthDenied() { + testPathRequiresRole("/auth/denied", null); + } + /** * Maps non-null roleWithPrefix to single element array with role stripped of prefix Maps null * input to empty array. diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/shib/LoginUsingShibAltTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/shib/LoginUsingShibAltTest.java index 32210f783..62d703879 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/shib/LoginUsingShibAltTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/authentication/shib/LoginUsingShibAltTest.java @@ -23,10 +23,10 @@ import org.springframework.http.ResponseEntity; import org.springframework.web.servlet.HandlerExceptionResolver; -@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) +@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT, properties = "output.traceid.on.error=false") @ProfileShib @Slf4j -public class LoginUsingShibAltTest { +class LoginUsingShibAltTest { @Autowired TestRestTemplate template; @@ -39,7 +39,7 @@ public class LoginUsingShibAltTest { * If we try and access a page without 'uid' request header, we should get error. */ @Test - void testErrorOnMissingReqestHeader() { + void testErrorOnMissingRequestHeader() { ResponseEntity response = template.getForEntity("/", String.class); log.info("status {}", response.getStatusCode()); assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, response.getStatusCode()); @@ -85,13 +85,13 @@ ResponseEntity actuatorEndpoint(String endpoint){ } @ParameterizedTest - @ValueSource(strings={"info", "health", "customtime", "mappings"}) + @ValueSource(strings={"info", "health"}) void testPublicActuatorEndpoints(String endpoint){ assertEquals(HttpStatus.OK, actuatorEndpoint(endpoint).getStatusCode()); } @ParameterizedTest - @ValueSource(strings={"beans", "logging"}) + @ValueSource(strings={"beans", "logging", "customtime", "mappings"}) void testNonPublicActuatorEndpoints(String endpoint){ assertEquals(HttpStatus.UNAUTHORIZED, actuatorEndpoint(endpoint).getStatusCode()); } diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/BaseThymeleafTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/BaseThymeleafTest.java index 033e6d187..a31d4b614 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/BaseThymeleafTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/BaseThymeleafTest.java @@ -9,6 +9,7 @@ import org.jsoup.nodes.TextNode; import org.jsoup.select.Elements; import org.junit.jupiter.api.BeforeEach; +import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability; import org.springframework.core.io.ClassPathResource; import org.springframework.ui.ModelMap; import org.springframework.util.Assert; @@ -21,6 +22,7 @@ import static org.assertj.core.api.Assertions.assertThat; @Slf4j +@AutoConfigureObservability public abstract class BaseThymeleafTest { protected Date now; diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigDateFormatTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigDateFormatTest.java index 5e4f4576d..0253ac1e2 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigDateFormatTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigDateFormatTest.java @@ -6,13 +6,14 @@ import org.jsoup.nodes.Document; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.boot.test.context.TestConfiguration; import org.springframework.context.annotation.Bean; import org.springframework.stereotype.Controller; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.servlet.ModelAndView; import java.util.Calendar; @@ -29,6 +30,7 @@ * @see GlobalDateTimeFormatInterceptor */ @WebMvcTest +@AutoConfigureObservability @ProfileStandalone public class ThymeleafConfigDateFormatTest extends BaseThymeleafTest{ @@ -103,7 +105,7 @@ static class TestDateFormattingController { @Autowired Date myDateTime; - @RequestMapping("/test/dates") + @GetMapping("/test/dates") public ModelAndView renderTestDatePage() { ModelAndView result = new ModelAndView("test/dates"); result.addObject("myDateTime", myDateTime); diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigTest.java index 9590d3ec9..0bf22c408 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafConfigTest.java @@ -9,6 +9,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestMethodOrder; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.boot.test.mock.mockito.MockBean; import org.springframework.core.io.ClassPathResource; @@ -39,6 +40,7 @@ import static org.mockito.Mockito.lenient; @WebMvcTest +@AutoConfigureObservability @ProfileStandalone @TestMethodOrder(MethodOrderer.MethodName.class) @Slf4j diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafTemplateTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafTemplateTest.java index e13a1431f..8d0866e35 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafTemplateTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/config/ThymeleafTemplateTest.java @@ -57,8 +57,9 @@ @TestMethodOrder(MethodOrderer.MethodName.class) @AutoConfigureMockMvc @TestPropertySource(properties = "logging.level.org.thymeleaf.spring6.expression=TRACE") -public class ThymeleafTemplateTest extends BaseThymeleafTest { +class ThymeleafTemplateTest extends BaseThymeleafTest { + private static final ThreadLocal TL_MODEL_MAP = ThreadLocal.withInitial(ModelMap::new); @Autowired @@ -687,7 +688,7 @@ private void displayFormFields(Document doc, String expectedFormId) { Elements forms = doc.selectXpath("//form[1]"); if(forms.isEmpty()){ - assertThat(expectedFormId.equals("")); + assertThat(expectedFormId).isEmpty(); return; } Element form = forms.get(0); @@ -697,7 +698,7 @@ private void displayFormFields(Document doc, String expectedFormId) { if (expectedFormId != null) { assertThat(formId).isEqualTo(expectedFormId); } else { - System.out.println("WE HAVE A FORM NOT EXPECTED WITT ID [" + formId + "]"); + System.out.println("WE HAVE A FORM NOT EXPECTED WITH ID [" + formId + "]"); } if(StringUtils.isNotBlank(formAction)){ assertThat(formAction).startsWith("/dv"); diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/services/RestTemplateLoggingTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/services/RestTemplateLoggingTest.java index b73e20f07..295afc7aa 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/services/RestTemplateLoggingTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/services/RestTemplateLoggingTest.java @@ -7,17 +7,22 @@ import java.nio.charset.StandardCharsets; import java.util.List; +import io.micrometer.tracing.Tracer; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; +import org.datavaultplatform.common.util.TraceIdWrapper; +import org.datavaultplatform.common.util.TraceUtils; import org.datavaultplatform.webapp.test.ProfileDatabase; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.Resource; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; +import org.springframework.test.context.TestPropertySource; /* This class checks that the LoggingInterceptor attached to the RestTemplate is working as expected. @@ -25,11 +30,16 @@ 2) link RestTemplate to MockRestServiceServer 3) add an appender to LoggingInterceptor to capture actual log messages */ +@SuppressWarnings("GrazieInspectionRunner") @SpringBootTest @Slf4j @ProfileDatabase +@TestPropertySource(properties = "management.tracing.enabled=false") public class RestTemplateLoggingTest extends BaseRestTemplateWithLoggingTest { + @Autowired + Tracer tracer; + final Resource expectedLogEventsResource = new ClassPathResource("logs/expectedLogEvents.txt"); @BeforeEach @@ -43,18 +53,27 @@ void setup() { @Test @SneakyThrows - public void testLoggingInterceptor() { + void testLoggingInterceptor() { - ResponseEntity response = restTemplate.getForEntity( - "http://www.example.com:1234/resource", String.class); - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals("Hello World", response.getBody()); - server.verify(); + String traceId = "aaaabbbbccccddddaaaabbbbccccdddd"; + TraceIdWrapper wrapper = new TraceIdWrapper(traceId, tracer); + wrapper.runWithinWrapper(() -> { + ResponseEntity response = restTemplate.getForEntity( + "http://www.example.com:1234/resource", String.class); + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals("Hello World", response.getBody()); + server.verify(); - Thread.sleep(5000); + Thread.sleep(5000); - List actualLogEvents = logBackListAppender.list.stream().map(Object::toString).toList(); - List expectedLogEvents = IOUtils.readLines(this.expectedLogEventsResource.getInputStream(), StandardCharsets.UTF_8); - assertTrue(actualLogEvents.containsAll(expectedLogEvents)); + List actualLogEvents = logBackListAppender.list.stream().map(Object::toString).toList(); + + String traceParent = actualLogEvents.stream().filter(msg -> msg.indexOf(TraceUtils.TRACE_PARENT) > 0).findFirst().get(); + assertTrue(traceParent.contains(traceId)); + + List expectedLogEvents = IOUtils.readLines(this.expectedLogEventsResource.getInputStream(), StandardCharsets.UTF_8); + assertTrue(actualLogEvents.containsAll(expectedLogEvents)); + return null; + }); } } diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ActuatorTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ActuatorTest.java index 36a9e6638..69c890042 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ActuatorTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ActuatorTest.java @@ -19,6 +19,7 @@ import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.actuator.WithMockActuatorUser; import org.datavaultplatform.webapp.test.ProfileStandalone; import org.datavaultplatform.webapp.test.TestClockConfig; import org.datavaultplatform.webapp.test.TestUtils; @@ -31,6 +32,7 @@ import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.context.annotation.Import; +import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.context.TestPropertySource; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; @@ -42,10 +44,10 @@ @ProfileStandalone @Slf4j @TestPropertySource(properties = "management.endpoints.web.exposure.include=*") -public class ActuatorTest { +class ActuatorTest { - private static final List PUBLIC_ENDPOINTS = List.of("info","health","customtime", "metrics", "memoryinfo","mappings"); - private static final List PRIVATE_ENDPOINTS = List.of("env","loggers","beans"); + private static final List PUBLIC_ENDPOINTS = List.of("info","health"); + private static final List PRIVATE_ENDPOINTS = List.of("env","loggers","beans","customtime", "metrics", "memoryinfo","mappings"); @Autowired ObjectMapper mapper; @@ -63,19 +65,33 @@ public class ActuatorTest { private String actuatorPassword; @Test - void testInfo() throws Exception { + @WithMockActuatorUser + void testFullInfo() throws Exception { mvc.perform(get("/actuator/info")) - .andExpect(jsonPath("$.app.name").value(Matchers.is("datavault-webapp"))) - .andExpect(jsonPath("$.app.description").value(Matchers.is("webapp for datavault"))) - .andExpect(jsonPath("$.git.commit.time").exists()) - .andExpect(jsonPath("$.git.commit.time").value(Matchers.is("2022-03-30T10:25:54Z"))) - .andExpect(jsonPath("$.git.commit.id").value(Matchers.is("a16f01e"))) - .andExpect(jsonPath("$.build.artifact").value(Matchers.is("datavault-webapp"))) - .andExpect(jsonPath("$.java.vendor").exists()) - .andExpect(jsonPath("$.java.runtime.version").exists()) - .andExpect(jsonPath("$.java.jvm.version").exists()); + .andExpect(jsonPath("$.app.name").value(Matchers.is("datavault-webapp"))) + .andExpect(jsonPath("$.app.description").value(Matchers.is("webapp for datavault"))) + .andExpect(jsonPath("$.git.commit.time").exists()) + .andExpect(jsonPath("$.git.commit.time").value(Matchers.is("2022-03-30T10:25:54Z"))) + .andExpect(jsonPath("$.git.commit.id").value(Matchers.is("a16f01e"))) + .andExpect(jsonPath("$.build.artifact").value(Matchers.is("datavault-webapp"))) + .andExpect(jsonPath("$.java.vendor").exists()) + .andExpect(jsonPath("$.java.runtime.version").exists()) + .andExpect(jsonPath("$.java.jvm.version").exists()); } + @Test + void testFilteredInfo() throws Exception { + mvc.perform(get("/actuator/info")) + .andExpect(jsonPath("$.app.name").value(Matchers.is("datavault-webapp"))) + .andExpect(jsonPath("$.app.description").value(Matchers.is("webapp for datavault"))) + .andExpect(jsonPath("$.git.commit.time").doesNotExist()) + .andExpect(jsonPath("$.git.commit.time").doesNotExist()) + .andExpect(jsonPath("$.git.commit.id").doesNotExist()) + .andExpect(jsonPath("$.build.artifact").doesNotExist()) + .andExpect(jsonPath("$.java.vendor").doesNotExist()) + .andExpect(jsonPath("$.java.runtime.version").doesNotExist()) + .andExpect(jsonPath("$.java.jvm.version").doesNotExist()); + } /* just checking that 'test-classes' come before the other 'classes' directories */ @Test @@ -101,6 +117,7 @@ void testClassPath() { @Test + @WithMockActuatorUser void testCurrentTime() throws Exception { MvcResult mvcResult = mvc.perform( get("/actuator/customtime")) @@ -119,6 +136,7 @@ void testCurrentTime() throws Exception { } @Test + @WithMockUser(username = "wactor", roles = {"ACTUATOR"}) void testMemoryInfo() throws Exception { MvcResult mvcResult = mvc.perform( get("/actuator/memoryinfo")) @@ -142,6 +160,7 @@ void testMemoryInfo() throws Exception { } @Test + @WithMockActuatorUser void testAvailableEndpoints() throws Exception { assertEquals(Collections.singleton("*"), this.endpoints); diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ErrorHandlingTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ErrorHandlingTest.java index 19045f135..59c306f15 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ErrorHandlingTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ErrorHandlingTest.java @@ -1,5 +1,6 @@ package org.datavaultplatform.webapp.app.setup; +import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertEquals; import java.net.URI; @@ -7,10 +8,12 @@ import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; -import org.assertj.core.api.Assertions; import org.datavaultplatform.webapp.controllers.standalone.api.SimulateErrorController; import org.datavaultplatform.webapp.model.test.EmailInfo; import org.datavaultplatform.webapp.test.ProfileStandalone; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; +import org.jsoup.nodes.Element; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; @@ -24,7 +27,7 @@ import org.springframework.ui.Model; @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) -@TestPropertySource(properties = "datavault.csrf.disabled=true") +@TestPropertySource(properties = {"datavault.csrf.disabled=true","output.traceid.on.error=false"}) @Slf4j @ProfileStandalone public class ErrorHandlingTest { @@ -33,18 +36,20 @@ public class ErrorHandlingTest { TestRestTemplate restTemplate; /** - * @see org.datavaultplatform.webapp.controllers.ErrorController#customError(HttpServletRequest, - * HttpServletResponse, Model) + * @see org.datavaultplatform.webapp.controllers.auth.ErrorController#customError(HttpServletRequest, HttpServletResponse, Model) (HttpServletRequest, */ @Test - public void testErrorPageDirectly() { + void testErrorPageDirectly() { ResponseEntity respEntity = restTemplate.getForEntity("/error", String.class); assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, respEntity.getStatusCode()); String body = respEntity.getBody(); checkNoStackTrace(body); - Assertions.assertThat(body).contains("An error has occurred!"); - Assertions.assertThat(body).contains("Error code null returned for Unknown with message:"); + //create doc with jsoup from body + Document doc = Jsoup.parse(body); + Element errorMessageSpan = doc.getElementById("error-message"); + assertThat(errorMessageSpan.tagName()).isEqualTo("span"); + assertThat(errorMessageSpan.text()).isEqualTo("Error code 500 returned for Unknown with message: Internal Server Error"); } /** @@ -57,8 +62,8 @@ public void testErrorPageBecauseOfException() { String body = respEntity.getBody(); checkHasStackTrace(body); - Assertions.assertThat(respEntity.getBody()).contains("An error has occurred!"); - Assertions.assertThat(respEntity.getBody()).contains("SimulatedError"); + assertThat(respEntity.getBody()).contains("An error has occurred!"); + assertThat(respEntity.getBody()).contains("SimulatedError"); } /** @@ -72,10 +77,10 @@ public void testForbiddenException() { checkNoStackTrace(body); //response is from auth/denied template - Assertions.assertThat(body).contains("Access denied."); + assertThat(body).contains("Access denied."); //response is NOT from error/error template - Assertions.assertThat(body).doesNotContain("An error has occured!"); + assertThat(body).doesNotContain("An error has occured!"); } /** @@ -89,10 +94,10 @@ public void testEntityNotFoundException() { String body = respEntity.getBody(); //response is from error/error template - Assertions.assertThat(body).contains("An error has occurred!"); + assertThat(body).contains("An error has occurred!"); //response text is generic 404 / NOT FOUND message - Assertions.assertThat(body).contains( + assertThat(body).contains( "Error code 404 returned for /test/entity-not-found with message:
Not Found"); //error page does not have stack trace @@ -110,11 +115,11 @@ public void testInvalidUUNException() { assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, respEntity.getStatusCode()); String body = respEntity.getBody(); - Assertions.assertThat(body) + assertThat(body) .contains("Error code 500 returned for /test/invalid-uun with message:"); checkHasStackTrace(body); - Assertions.assertThat(body).contains( + assertThat(body).contains( "Caused by: org.datavaultplatform.webapp.exception.InvalidUunException: Invalid UUN: blah"); } @@ -139,11 +144,11 @@ void testValidationExceptionHandler() throws URISyntaxException { } private void checkNoStackTrace(String body) { - Assertions.assertThat(body).doesNotContain("Caused by:"); + assertThat(body).doesNotContain("Caused by:"); } private void checkHasStackTrace(String body) { - Assertions.assertThat(body).contains("Caused by:"); + assertThat(body).contains("Caused by:"); } private ResponseEntity postEmail(String emailAddress, Class clazz) diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/OpenApiWebAppTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/OpenApiWebAppTest.java deleted file mode 100644 index c3372b3ae..000000000 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/OpenApiWebAppTest.java +++ /dev/null @@ -1,66 +0,0 @@ -package org.datavaultplatform.webapp.app.setup; - -import io.swagger.v3.oas.models.OpenAPI; -import lombok.extern.slf4j.Slf4j; -import org.datavaultplatform.webapp.test.ProfileDatabase; -import org.datavaultplatform.webapp.test.ProfileStandalone; -import org.datavaultplatform.webapp.test.TestClockConfig; -import org.junit.jupiter.api.Test; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; -import org.springframework.boot.test.context.SpringBootTest; -import org.springframework.context.annotation.Import; -import org.springframework.test.context.TestPropertySource; -import org.springframework.test.web.servlet.MockMvc; -import org.springframework.test.web.servlet.MvcResult; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; -import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; - -@SpringBootTest -@AutoConfigureMockMvc -@Import(TestClockConfig.class) -@ProfileDatabase -@Slf4j -@TestPropertySource(properties = "management.endpoints.web.exposure.include=*") -public class OpenApiWebAppTest { - - @Autowired - MockMvc mvc; - - @Autowired - OpenAPI openApi; - - @Test - void testOpenApi() { - assertThat(openApi.getInfo().getTitle()).isEqualTo("DataVault WebApp"); - assertThat(openApi.getInfo().getDescription()).isEqualTo("webapp application"); - } - - @Test - void testOpenApiAsJson() throws Exception { - MvcResult mvcResult = mvc.perform( - get("http://localhost:8080/v3/api-docs")) - .andExpect(content().contentTypeCompatibleWith("application/json")) - .andExpect(status().is2xxSuccessful()) - .andExpect(jsonPath("$.openapi").value("3.1.0")) - .andExpect(jsonPath("$.info.title").value("DataVault WebApp")) - .andExpect(jsonPath("$.info.description").value("webapp application")) - .andExpect(jsonPath("$.info.version").value("v0.0.1")) - .andExpect(jsonPath("$.paths['/filestores/sftp']").exists()) - .andDo(print()) - .andReturn(); - } - - @Test - void testOpenApiAsSwaggerUI() throws Exception { - MvcResult mvcResult = mvc.perform( - get("http://localhost:8080/swagger-ui/index.html")) - .andExpect(content().contentTypeCompatibleWith("text/html")) - .andExpect(status().is2xxSuccessful()) - .andDo(print()) - .andReturn(); - } -} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileDatabaseTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileDatabaseTest.java index ce72a6f53..2415fbe55 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileDatabaseTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileDatabaseTest.java @@ -47,7 +47,7 @@ void testContextIsCorrect() throws InterruptedException { @Test void testServiceBeans(ApplicationContext ctx) { Set serviceNames = Set.of(ctx.getBeanNamesForAnnotation(Service.class)); - assertEquals(Set.of("forceLogoutService", "restService", "permissionsService","userLookupService","validateService"), serviceNames); + assertEquals(Set.of("forceLogoutService", "restService", "permissionsService","userLookupService","validateService","traceService"), serviceNames); } @Test @@ -55,7 +55,7 @@ void testControllerBeans(ApplicationContext ctx) { Set names = Set.of(ctx.getBeanNamesForAnnotation(Controller.class)); Set restNames = Set.of(ctx.getBeanNamesForAnnotation(RestController.class)); assertTrue(names.containsAll(restNames)); - assertThat(names.size()).isEqualTo(31); + assertThat(names).hasSize(30); } @TestConfiguration diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileShibTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileShibTest.java index 155ee9036..ccebd6291 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileShibTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileShibTest.java @@ -69,7 +69,7 @@ void testControllerBeans(ApplicationContext ctx) { Set names = Set.of(ctx.getBeanNamesForAnnotation(Controller.class)); Set restNames = Set.of(ctx.getBeanNamesForAnnotation(RestController.class)); assertTrue(names.containsAll(restNames)); - assertThat(names.size()).isEqualTo(31); + assertThat(names.size()).isEqualTo(28); } /** diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileStandaloneTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileStandaloneTest.java index 362eb5057..6b9ff2daf 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileStandaloneTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/ProfileStandaloneTest.java @@ -61,7 +61,7 @@ void testControllerBeans(ApplicationContext ctx) { Set names = new TreeSet<>(Set.of(ctx.getBeanNamesForAnnotation(Controller.class))); Set restNames = Set.of(ctx.getBeanNamesForAnnotation(RestController.class)); assertTrue(names.containsAll(restNames)); - assertEquals(new TreeSet<>(Set.of("protectedTimeController", "timeController", "errorPageController", "simulateErrorController", "authController", "errorController", "fileUploadController", "helloController", "faviconController","swaggerConfigResource","swaggerWelcome","openApiResource")), names); + assertEquals(new TreeSet<>(Set.of("protectedTimeController", "timeController", "errorPageController", "simulateErrorController", "authController", "errorController", "fileUploadController", "helloController", "faviconController")), names); } @TestConfiguration diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/TraceControllerTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/TraceControllerTest.java new file mode 100644 index 000000000..4139935df --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/app/setup/TraceControllerTest.java @@ -0,0 +1,146 @@ +package org.datavaultplatform.webapp.app.setup; + +import io.micrometer.tracing.propagation.Propagator; +import io.opentelemetry.api.trace.TraceId; +import io.opentelemetry.api.trace.Tracer; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.TraceInfo; +import org.datavaultplatform.common.util.TraceUtils; +import org.datavaultplatform.webapp.test.ProfileDatabase; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.server.LocalServerPort; +import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.http.*; +import org.springframework.http.client.ClientHttpRequestExecution; +import org.springframework.http.client.ClientHttpRequestInterceptor; +import org.springframework.http.client.ClientHttpResponse; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.test.context.TestPropertySource; +import org.springframework.web.client.RestTemplate; + +import java.io.IOException; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; + +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@ProfileDatabase +@TestPropertySource(properties = { + "logging.level.org.springframework.security=TRACE", + "logging.level.org.springframework.web.filter=DEBUG", + "logging.level.io.micrometer.tracing=DEBUG", + "management.tracing.sampling.probability=1.0", + "management.tracing.propagation.type=w3c"}) +@Slf4j +@AutoConfigureObservability +class TraceControllerTest { + + public static final String TRACE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + public static final String SPAN_ID = "bbbbbbbbbbbbbbbb"; + public static final String TRACE_PARENT_VALUE = "00-" + TRACE_ID + "-" + SPAN_ID + "-01"; + + @Autowired + Tracer tracer; + + @Autowired + Propagator propagator; + + RestTemplate restTemplate; + + @Autowired + AuthenticationManager authManager; + + @LocalServerPort + int serverPort; + + @BeforeEach + void setup() { + assertThat(tracer).isNotNull(); + assertThat(propagator).isNotNull(); + restTemplate = new RestTemplateBuilder() + .rootUri("http://localhost:" + serverPort) + .basicAuthentication("wactor", "wactorpass") + .build(); + restTemplate.setInterceptors(List.of(new RequestLoggingInterceptor())); + } + + @Test + void testHardcodedLogin() { + log.info("authManager class : {}", authManager.getClass().getName()); + // 1. Create the "Unauthenticated" token + UsernamePasswordAuthenticationToken authRequest = + new UsernamePasswordAuthenticationToken("wactor", "wactorpass"); + + // 2. Pass it to the Manager + Authentication result = authManager.authenticate(authRequest); + + // 3. Assert the result + assertThat(result).isNotNull(); + assertThat(result.isAuthenticated()).isTrue(); + assertThat(result.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList()).containsExactlyInAnyOrder("ROLE_ACTUATOR"); + } + + private ResponseEntity getTraceInfo(boolean addTraceParentHeader) { + HttpHeaders headers = new HttpHeaders(); + if (addTraceParentHeader) { + headers.add(TraceUtils.TRACE_PARENT, TRACE_PARENT_VALUE); + } + // Perform the GET request + ResponseEntity response = restTemplate.exchange( + "/trace/info", + HttpMethod.GET, + new HttpEntity<>(headers), + TraceInfo.class + ); + return response; + } + + @Test + void testTimeControllerNoTraceIdSupplied() { + + ResponseEntity response = getTraceInfo(false); + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + assertThat(response.getBody()).isNotNull(); + + TraceInfo traceInfo = response.getBody(); + assertThat(traceInfo.traceId()).isNotNull(); + assertThat(traceInfo.traceId()).isNotEqualTo(TRACE_ID); + assertThat(TraceId.isValid(traceInfo.traceId())).isTrue(); + } + + @Test + void testTimeControllerWithTraceIdSupplied() { + + ResponseEntity response = getTraceInfo(true); + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + assertThat(response.getBody()).isNotNull(); + + TraceInfo traceInfo = response.getBody(); + assertThat(traceInfo.traceId()).isNotNull(); + assertThat(traceInfo.traceId()).isEqualTo(TRACE_ID); + assertThat(TraceId.isValid(traceInfo.traceId())).isTrue(); + } + + public static class RequestLoggingInterceptor implements ClientHttpRequestInterceptor { + + @Override + public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { + log.info("=== Request Start ==="); + log.info("URI : {}", request.getURI()); + log.info("Method : {}", request.getMethod()); + log.info("Headers: {}", request.getHeaders()); + log.info("=== Request End ==="); + + return execution.execute(request, body); + } + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/config/HttpSecurityUtilsTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/config/HttpSecurityUtilsTest.java new file mode 100644 index 000000000..dfb1eeff9 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/config/HttpSecurityUtilsTest.java @@ -0,0 +1,161 @@ +package org.datavaultplatform.webapp.config; + +import org.datavaultplatform.webapp.config.trace.MdcRequestFilter; +import org.datavaultplatform.webapp.config.trace.TraceLoggingFilter; +import org.junit.jupiter.api.extension.ExtendWith; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.ValueSource; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.junit.jupiter.MockitoExtension; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.config.Customizer; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer; + +import java.util.Arrays; +import java.util.List; +import java.util.concurrent.atomic.AtomicInteger; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.*; + +@ExtendWith(MockitoExtension.class) +class HttpSecurityUtilsTest { + + public static final Logger LOG = LoggerFactory.getLogger(HttpSecurityUtilsTest.class); + + @Captor + ArgumentCaptor.AuthorizationManagerRequestMatcherRegistry>> argAuthorizeHttpRequestsCustomizer; + + @Mock + TraceLoggingFilter traceLoggingFilter; + + @Mock + MdcRequestFilter mdcRequestFilter; + + + @ParameterizedTest + @ValueSource(booleans = {true, false}) + void testHttpSecurityConfig(boolean isStandalone) throws Exception { + + HttpSecurity http = mock(HttpSecurity.class); + HttpSecurityUtils.authorizeRequests(http, isStandalone, traceLoggingFilter, mdcRequestFilter); + + verify(http).authorizeHttpRequests(argAuthorizeHttpRequestsCustomizer.capture()); + + List.AuthorizationManagerRequestMatcherRegistry>> values = argAuthorizeHttpRequestsCustomizer.getAllValues(); + assertEquals(1, values.size()); + + var lambda = values.get(0); + + var mAuthz = Mockito.mock(AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.class); + + AuthorizeHttpRequestsConfigurer.AuthorizedUrl mAuthURL = mock(AuthorizeHttpRequestsConfigurer.AuthorizedUrl.class); + AtomicInteger counter = new AtomicInteger(0); + doAnswer(invocation -> { + LOG.info("requestMatchers {} {}", counter.incrementAndGet(), Arrays.toString(invocation.getArguments())); + return mAuthURL; + }).when(mAuthz).requestMatchers(any(String[].class)); + + // pass the mock to the "captured" lambda to verify calls the lambda makes to its argument (authz) + lambda.customize(mAuthz); + + var inOrder = inOrder(mAuthz, mAuthURL); + + //0 - OPTIONAL + if (isStandalone) { + inOrder.verify(mAuthz).requestMatchers("/test/**", "/index"); + inOrder.verify(mAuthURL).permitAll(); + } + + //1 + inOrder.verify(mAuthz).requestMatchers("/favicon.ico"); + inOrder.verify(mAuthURL).permitAll(); + + //2 + inOrder.verify(mAuthz).requestMatchers("/resources/**"); + inOrder.verify(mAuthURL).permitAll(); + + //3 + inOrder.verify(mAuthz).requestMatchers("/error"); + inOrder.verify(mAuthURL).permitAll(); + + //4 + inOrder.verify(mAuthz).requestMatchers("/auth/**"); + inOrder.verify(mAuthURL).permitAll(); + + //5 + inOrder.verify(mAuthz).requestMatchers("/admin/paused/deposit/toggle"); + inOrder.verify(mAuthURL).hasRole("IS_ADMIN"); + + //6 + inOrder.verify(mAuthz).requestMatchers("/admin/paused/retrieve/toggle"); + inOrder.verify(mAuthURL).hasRole("IS_ADMIN"); + + //7 + inOrder.verify(mAuthz).requestMatchers("/admin/paused/deposit/history"); + inOrder.verify(mAuthURL).hasRole("USER"); + + //8 + inOrder.verify(mAuthz).requestMatchers("/admin/paused/retrieve/history"); + inOrder.verify(mAuthURL).hasRole("USER"); + + //9 + inOrder.verify(mAuthz).requestMatchers("/admin/archivestores/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_ARCHIVESTORES"); + + //10 + inOrder.verify(mAuthz).requestMatchers("/admin/billing/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_BILLING"); + + //11 + inOrder.verify(mAuthz).requestMatchers("/admin/deposits/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_DEPOSITS"); + + //12 + inOrder.verify(mAuthz).requestMatchers("/admin/events/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_EVENTS"); + + //13 + inOrder.verify(mAuthz).requestMatchers("/admin/retentionpolicies/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_RETENTIONPOLICIES"); + + //13 + inOrder.verify(mAuthz).requestMatchers("/admin/retrieves/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_RETRIEVES"); + + //15 + inOrder.verify(mAuthz).requestMatchers("/admin/roles/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_ROLES"); + + //16 + inOrder.verify(mAuthz).requestMatchers("/admin/schools/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_SCHOOLS"); + + //17 + inOrder.verify(mAuthz).requestMatchers("/admin/vaults/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_VAULTS"); + + //18 + inOrder.verify(mAuthz).requestMatchers("/admin/reviews/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN_REVIEWS"); + + //19 + inOrder.verify(mAuthz).requestMatchers("/admin/"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_ADMIN"); + + //20 + inOrder.verify(mAuthz).requestMatchers("/admin"); + inOrder.verify(mAuthURL).hasRole("ADMIN"); + + //21 + inOrder.verify(mAuthz).requestMatchers("/**"); + inOrder.verify(mAuthURL).hasAuthority("ROLE_USER"); + + inOrder.verifyNoMoreInteractions(); + } +} \ No newline at end of file diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/DepositsControllerTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/DepositsControllerTest.java index e58e34f20..82f32e260 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/DepositsControllerTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/DepositsControllerTest.java @@ -1,5 +1,6 @@ package org.datavaultplatform.webapp.controllers; +import com.fasterxml.jackson.core.type.TypeReference; import com.fasterxml.jackson.databind.ObjectMapper; import lombok.SneakyThrows; import org.datavaultplatform.common.dto.PausedDepositStateDTO; @@ -10,6 +11,7 @@ import org.datavaultplatform.webapp.app.DataVaultWebApp; import org.datavaultplatform.webapp.services.RestService; import org.datavaultplatform.webapp.test.AddTestProperties; +import org.datavaultplatform.webapp.test.MvcUtils; import org.datavaultplatform.webapp.test.ProfileDatabase; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Nested; @@ -29,9 +31,12 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; +import org.springframework.util.LinkedMultiValueMap; +import org.springframework.util.MultiValueMap; import java.io.Serializable; +import java.util.Map; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.ArgumentMatchers.*; @@ -201,7 +206,6 @@ void verifyInOrder(InOrder inOrder, private void checkDenied(MvcResult result) { - assertThat(result.getResponse().getForwardedUrl()).isEqualTo("/auth/denied"); assertThat(result.getResponse().getStatus()).isEqualTo(HttpStatus.FORBIDDEN.value()); } @@ -210,10 +214,18 @@ private MvcResult performRetrieve() { Retrieve retrieve = new Retrieve(); retrieve.setNote("test retrieve"); - return mockMvc.perform( + // 1. Convert POJO to a Map + Map fieldMap = mapper.convertValue(retrieve, new TypeReference<>() { + }); + + // 2. Convert Map to MockMvc parameters + MultiValueMap params = new LinkedMultiValueMap<>(); + params.setAll(fieldMap); + + return MvcUtils.performWithForward(mockMvc, post("/vaults/2112/deposits/1234/retrieve") - .content(mapper.writeValueAsString(retrieve)) - .contentType(MediaType.APPLICATION_JSON) + .params(params) + .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE) .with(csrf()) ) .andDo(print()).andReturn(); @@ -225,10 +237,18 @@ private MvcResult performDeposit() { createDeposit.setName("DEPOSIT 1"); createDeposit.setVaultID("2112"); - return mockMvc.perform( + // 1. Convert POJO to a Map + Map fieldMap = mapper.convertValue(createDeposit, new TypeReference<>() { + }); + + // 2. Convert Map to MockMvc parameters + MultiValueMap params = new LinkedMultiValueMap<>(); + params.setAll(fieldMap); + + return MvcUtils.performWithForward(mockMvc, post("/vaults/2112/deposits/create") - .content(mapper.writeValueAsString(createDeposit)) - .contentType(MediaType.APPLICATION_JSON) + .params(params) + .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE) .with(csrf()) ) .andDo(print()) diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/SimpleRestService.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/SimpleRestService.java new file mode 100644 index 000000000..bab43e28c --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/SimpleRestService.java @@ -0,0 +1,22 @@ +package org.datavaultplatform.webapp.controllers; + + +import org.springframework.context.annotation.Lazy; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Service; +import org.springframework.web.client.RestTemplate; + +@Profile("trace") +@Service +public class SimpleRestService { + + private final RestTemplate template; + + public SimpleRestService(@Lazy RestTemplate template) { + this.template = template; + } + + public String get(String url) { + return template.getForObject(url, String.class); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/VaultsControllerMvcTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/VaultsControllerMvcTest.java index 210de6962..db1836368 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/VaultsControllerMvcTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/VaultsControllerMvcTest.java @@ -8,11 +8,9 @@ import org.datavaultplatform.webapp.services.RestService; import org.datavaultplatform.webapp.services.UserLookupService; import org.datavaultplatform.webapp.test.AddTestProperties; +import org.datavaultplatform.webapp.test.MvcUtils; import org.datavaultplatform.webapp.test.ProfileDatabase; -import org.junit.jupiter.api.MethodOrderer; -import org.junit.jupiter.api.Order; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.TestMethodOrder; +import org.junit.jupiter.api.*; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; import org.mockito.ArgumentCaptor; @@ -52,7 +50,7 @@ class VaultsControllerMvcTest { @MockitoBean private UserLookupService userLookupService; - + @Test @Order(1) @SneakyThrows @@ -68,7 +66,7 @@ void testGetVault_FailsIfVaultNotFoundAsSuperUser() { verifyNoMoreInteractions(restService, userLookupService); } - + @Test @Order(2) @SneakyThrows @@ -199,8 +197,9 @@ void testGetVault_AllowedIfCanAccessVaultAsVanillaUser() { @Order(7) @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) + @Disabled("This test is disabled as we think how to secure uun search") void testIsUUN_ForbiddenAsVanillaUser() { - mockMvc.perform(get("/vaults/isuun/v1dhay3")).andExpect(status().isForbidden()); + MvcUtils.performWithForward(mockMvc, get("/vaults/isuun/v1dhay3")).andExpect(status().isForbidden()); verifyNoMoreInteractions(restService, userLookupService); } @@ -215,7 +214,7 @@ void testIsUUN_AllowedAsSuperUser(boolean isUUN) { mockMvc.perform(get("/vaults/isuun/v1dhay3")) .andExpect(status().isOk()) .andExpect(content().string(String.valueOf(isUUN))) - .andExpect(content().contentTypeCompatibleWith(MediaType.TEXT_PLAIN)); + .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON)); verify(userLookupService).isUUN("v1dhay3"); verifyNoMoreInteractions(restService, userLookupService); @@ -225,8 +224,9 @@ void testIsUUN_AllowedAsSuperUser(boolean isUUN) { @Order(9) @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) + @Disabled("This test is disabled as we think how to secure uun search") void testAutocompleteUUN_ForbiddenAsVanillaUser() { - mockMvc.perform(get("/vaults/autocompleteuun/blah")).andExpect(status().isForbidden()); + MvcUtils.performWithForward(mockMvc, get("/vaults/autocompleteuun/blah")).andExpect(status().isForbidden()); verifyNoMoreInteractions(restService, userLookupService); } @@ -242,7 +242,7 @@ void testAutocompleteUUN_AllowedAsSuperUser() { .andExpect(content().string( """ ["blah1","blah2","blah3"]""")) - .andExpect(content().contentTypeCompatibleWith(MediaType.TEXT_PLAIN)); + .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON)); verify(userLookupService).getSuggestedUuns("blah"); verifyNoMoreInteractions(restService, userLookupService); diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminPendingVaultsControllerTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminPendingVaultsControllerTest.java index e5267eb75..0b4b1cdde 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminPendingVaultsControllerTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminPendingVaultsControllerTest.java @@ -9,6 +9,7 @@ import org.datavaultplatform.webapp.services.RestService; import org.datavaultplatform.webapp.services.UserLookupService; import org.datavaultplatform.webapp.test.AddTestProperties; +import org.datavaultplatform.webapp.test.MvcUtils; import org.datavaultplatform.webapp.test.ProfileDatabase; import org.junit.jupiter.api.*; import org.mockito.ArgumentCaptor; @@ -73,7 +74,7 @@ final void setup() { @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testSearchdPendingVaults_ForbiddenForNonAdmins() { - mockMvc.perform(get("/admin/pendingVaults")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -92,7 +93,7 @@ void testSearchPendingVaults_AllowedForSuperAdmins() { confirmedVaultsData.setData(List.of()); when(restService.searchPendingVaults(anyString(), anyString(), anyString(), anyInt(), anyInt(), anyBoolean())).thenReturn(savedVaultsData, confirmedVaultsData); - mockMvc.perform(get("/admin/pendingVaults")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults")).andDo(print()) .andExpect(view().name("admin/pendingVaults/index")) .andReturn(); @@ -106,7 +107,7 @@ void testSearchPendingVaults_AllowedForSuperAdmins() { @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testGetPendingVaultForm_ForbiddenForNonAdmins() { - mockMvc.perform(get("/admin/pendingVaults/edit/pendingVaultId123")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/edit/pendingVaultId123")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -143,7 +144,7 @@ void testGetPendingVaultForm_AllowedForSuperAdmins() { @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testSearchSavedPendingVaults_ForbiddenForNonAdmins() { - mockMvc.perform(get("/admin/pendingVaults/saved")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/saved")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -173,7 +174,7 @@ void testSearchSavedPendingVaults_AllowedForSuperAdmins() { @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testSearchConfirmedPendingVaults_ForbiddenForNonAdmins() { - mockMvc.perform(get("/admin/pendingVaults/confirmed")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/confirmed")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -204,7 +205,7 @@ void testSearchConfirmedPendingVaults_AllowedForSuperAdmins() { @WithMockUser(username = "vanilla-user", roles = {"USER"}) void getGetVaultSummary_ForbiddenForNonAdmins() { - mockMvc.perform(get("/admin/pendingVaults/summary/pendingVault123")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/summary/pendingVault123")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -244,7 +245,7 @@ void getGetVaultSummary_AllowedForSuperAdmins() { @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testUpgradeVault_ForbiddenForNonAdmins() { - mockMvc.perform(get("/admin/pendingVaults/upgrade/pendingVault123")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/upgrade/pendingVault123")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -283,7 +284,7 @@ void testUpgradeVault_AllowedForSuperAdmins() { @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testSubmitEditPendingVault_ForbiddenForNonAdmins() { - mockMvc.perform(post("/admin/pendingVaults/edit").with(csrf())) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/edit").with(csrf())) .andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -304,6 +305,7 @@ void testSubmitEditPendingVault_AllowedForSuperAdmins() { when(restService.editPendingVault(any(CreateVault.class))).thenReturn(vaultInfo); mockMvc.perform(post("/admin/pendingVaults/edit").with(csrf()) + .contentType(org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED) .param("action", "the-action") .param("pendingID", "pendingID123")) .andDo(print()) @@ -329,7 +331,7 @@ void testSubmitEditPendingVault_AllowedForSuperAdmins() { void testDeletePendingVaultForbiddenForNonAdmins() { // Yes, delete pending vault users GET method - mockMvc.perform(get("/admin/pendingVaults/pendingVault123")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/pendingVaults/pendingVault123")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersControllerNonShibProfileTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersControllerNonShibProfileTest.java index d6726a4c2..104b7666f 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersControllerNonShibProfileTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/AdminUsersControllerNonShibProfileTest.java @@ -4,10 +4,8 @@ import org.datavaultplatform.webapp.app.DataVaultWebApp; import org.datavaultplatform.webapp.test.AddTestProperties; import org.datavaultplatform.webapp.test.ProfileDatabase; -import org.junit.jupiter.api.MethodOrderer; -import org.junit.jupiter.api.Order; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.TestMethodOrder; + +import org.junit.jupiter.api.*; import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.http.MediaType; @@ -18,8 +16,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; @SpringBootTest(classes = DataVaultWebApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) @ProfileDatabase diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/BaseAdminUsersControllerTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/BaseAdminUsersControllerTest.java index 2d1823366..5fa517d33 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/BaseAdminUsersControllerTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/admin/BaseAdminUsersControllerTest.java @@ -3,10 +3,9 @@ import lombok.SneakyThrows; import org.datavaultplatform.common.model.User; import org.datavaultplatform.webapp.services.RestService; +import org.datavaultplatform.webapp.test.MvcUtils; import org.hamcrest.Matchers; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Order; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.core.env.Environment; import org.springframework.http.MediaType; @@ -22,8 +21,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; @SuppressWarnings("DefaultAnnotationParam") abstract class BaseAdminUsersControllerTest { @@ -53,7 +51,7 @@ final void setup() { @SneakyThrows @WithMockUser(username = "vanilla-user") void testListUsers_VanillaUserCannotListUsers() { - mockMvc.perform(get("/admin/users").accept(MediaType.TEXT_HTML)).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/users").accept(MediaType.TEXT_HTML)).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); } @@ -63,7 +61,7 @@ void testListUsers_VanillaUserCannotListUsers() { @SneakyThrows @WithMockUser(username = "super-user", roles = {"IS_ADMIN", "USER"}) void testListUsers_SuperUserCanListUsers() { - mockMvc.perform(get("/admin/users").accept(MediaType.TEXT_HTML)).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/users").accept(MediaType.TEXT_HTML)).andDo(print()) .andExpect(status().isOk()) .andExpect(content().contentTypeCompatibleWith(MediaType.TEXT_HTML)) .andExpect(content().string(Matchers.containsString("Admin - Users"))) @@ -76,7 +74,7 @@ void testListUsers_SuperUserCanListUsers() { @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testShowAddUserForm_VanillaUserCannotShowCreateUserForm() { - mockMvc.perform(get("/admin/users/create")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/users/create")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); } @@ -88,7 +86,7 @@ void testShowAddUserForm_VanillaUserCannotShowCreateUserForm() { @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testSubmitAddUserForm_VanillaUserCannotSubmitCreateUserForm() { - mockMvc.perform(post("/admin/users/create") + MvcUtils.performWithForward(mockMvc, post("/admin/users/create") .contentType(MediaType.APPLICATION_FORM_URLENCODED) .with(csrf()) .param("action", "Save") @@ -107,7 +105,7 @@ void testSubmitAddUserForm_VanillaUserCannotSubmitCreateUserForm() { @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testShowEditUsersForm_UserCannotShowEditUserFormForThemselves() { - mockMvc.perform(get("/admin/users/edit/bob")).andDo(print()) + MvcUtils.performWithForward(mockMvc, get("/admin/users/edit/bob")).andDo(print()) .andExpect(status().isForbidden()) .andReturn(); @@ -158,7 +156,7 @@ void testShowEditUsersForm_UserCanShowEditUserFormForThemselves() { @SneakyThrows @WithMockUser(username = "vanilla-user", roles = {"USER"}) void testSubmitEditUsersForm_UserCannotSubmitEditUserFormForOthers() { - mockMvc.perform(post("/admin/users/edit/bob") + MvcUtils.performWithForward(mockMvc, post("/admin/users/edit/bob") .contentType(MediaType.APPLICATION_FORM_URLENCODED) .with(csrf()) .param("action", "Save") diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/BaseTraceIdDemoControllerTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/BaseTraceIdDemoControllerTest.java new file mode 100644 index 000000000..da7abc7e4 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/BaseTraceIdDemoControllerTest.java @@ -0,0 +1,33 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; +import org.datavaultplatform.webapp.controllers.trace.mvc.TraceIdDemoControllerConfig; +import org.junit.jupiter.api.BeforeEach; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.web.client.TestRestTemplate; +import org.springframework.context.annotation.Import; +import org.springframework.test.context.ActiveProfiles; + +import static org.assertj.core.api.Assertions.assertThat; + +@Import(TraceIdDemoControllerConfig.class) +@ActiveProfiles("trace") +public abstract class BaseTraceIdDemoControllerTest { + + @Autowired + Tracer tracer; + + @Autowired + Propagator propagator; + + @Autowired + TestRestTemplate restTemplate; + + @BeforeEach + void setup() { + assertThat(tracer).isNotNull(); + assertThat(propagator).isNotNull(); + } + +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/SimpleRestServiceTracePropagationTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/SimpleRestServiceTracePropagationTest.java new file mode 100644 index 000000000..dea834863 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/SimpleRestServiceTracePropagationTest.java @@ -0,0 +1,86 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import ch.qos.logback.classic.Logger; +import ch.qos.logback.classic.spi.ILoggingEvent; +import ch.qos.logback.core.read.ListAppender; +import org.datavaultplatform.common.util.TraceUtils; +import org.datavaultplatform.webapp.app.DataVaultWebApp; +import org.datavaultplatform.webapp.controllers.trace.mvc.TraceIdDemoController; +import org.datavaultplatform.webapp.test.AddTestProperties; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.client.TestRestTemplate; +import org.springframework.http.*; +import org.springframework.test.context.TestPropertySource; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; + +@SpringBootTest(classes = DataVaultWebApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@TestPropertySource(properties = { + "logging.io.micrometer=DEBUG", + "logging.level.org.springframework.security=DEBUG" +}) +@AddTestProperties +class SimpleRestServiceTracePropagationTest extends BaseTraceIdDemoControllerTest { + + @Autowired + private TestRestTemplate restTemplate; + + private ListAppender listAppender; + + private static final String HARDCODED_TRACE_ID = "abcdef1234567890abcdef1234567890"; + private static final String HARDCODED_SPAN_ID = "fedcba0987654321"; + private static final String TRACEPARENT_HEADER_VALUE = "00-" + HARDCODED_TRACE_ID + "-" + HARDCODED_SPAN_ID + "-01"; + + @BeforeEach + @Override + void setup() { + // Get the logger for the class that produces the log messages we want to capture + Logger testControllerLogger = (Logger) LoggerFactory.getLogger(TraceIdDemoController.class); + + // Create and start a new ListAppender + listAppender = new ListAppender<>(); + listAppender.start(); + + // Add the appender to the logger + testControllerLogger.addAppender(listAppender); + } + + @AfterEach + void teardown() { + // Detach the appender after the test is done + Logger testControllerLogger = (Logger) LoggerFactory.getLogger(TraceIdDemoController.class); + testControllerLogger.detachAppender(listAppender); + } + + @Test + void testTraceIdIsPropagatedByRestTemplate() { + // 1. Prepare the request with the hardcoded traceparent header + HttpHeaders headers = new HttpHeaders(); + headers.add(TraceUtils.TRACE_PARENT, TRACEPARENT_HEADER_VALUE); + HttpEntity entity = new HttpEntity<>(headers); + + // 2. Call the initial endpoint that triggers the downstream call + ResponseEntity response = restTemplate.exchange("/call-downstream", HttpMethod.GET, entity, String.class); + + // 3. Assert the call was successful + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + + // 4. Filter the captured logs to find the one from the downstream endpoint + List logs = listAppender.list; + List downstreamLogs = logs.stream() + .map(ILoggingEvent::getFormattedMessage) + .filter(msg -> msg.startsWith("/downstream: Current traceId from tracer:")) + .toList(); + + // 5. Assert that the downstream endpoint logged the correct traceId + assertThat(downstreamLogs).hasSize(1); + assertThat(downstreamLogs.get(0)).contains(HARDCODED_TRACE_ID); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsFalseTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsFalseTest.java new file mode 100644 index 000000000..2dd1a7cd6 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsFalseTest.java @@ -0,0 +1,38 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.webapp.app.DataVaultWebApp; +import org.datavaultplatform.webapp.test.AddTestProperties; +import org.junit.jupiter.api.Test; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.http.HttpStatus; +import org.springframework.http.MediaType; +import org.springframework.http.ResponseEntity; + +import java.util.Objects; + +import static org.assertj.core.api.Assertions.assertThat; + +@SpringBootTest(classes = DataVaultWebApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, + properties = { + "logging.level.org.springframework.security=DEBUG", + "output.traceid.on.error=false", + "logging.level.org.datavaultplatform.webapp.controllers.trace.mvc=DEBUG" + }) +@Slf4j +@AddTestProperties +class TraceIdControllerWhenOutputTraceIdOnErrorIsFalseTest extends BaseTraceIdDemoControllerTest { + + @Test + void testErrorPageWhenOutputTraceOnErrorIsFalse() { + + ResponseEntity response = restTemplate.getForEntity("/oops", String.class); + + log.info(response.getBody()); + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR); + assertThat(Objects.requireNonNull(response.getHeaders().getContentType()).isCompatibleWith(MediaType.TEXT_HTML)).isTrue(); + assertThat(response.getBody()).contains("An error has occurred!"); + assertThat(response.getBody()).contains("Error Page"); + assertThat(response.getBody()).contains("Error code 500 returned for /oops with message:
jakarta.servlet.ServletException: Request processing failed: java.lang.RuntimeException: oops"); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsTrueTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsTrueTest.java new file mode 100644 index 000000000..90bc50947 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdControllerWhenOutputTraceIdOnErrorIsTrueTest.java @@ -0,0 +1,57 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.TraceUtils; +import org.datavaultplatform.webapp.app.DataVaultWebApp; +import org.datavaultplatform.webapp.test.AddTestProperties; +import org.junit.jupiter.api.Test; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.http.*; + +import java.util.Objects; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import static org.assertj.core.api.Assertions.assertThat; + +@SpringBootTest(classes = DataVaultWebApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, + properties = { + "logging.level.org.springframework.security=DEBUG", + "output.traceid.on.error=true", + "logging.level.org.datavaultplatform.webapp.controllers.trace.mvc=DEBUG" + }) +@Slf4j +@AddTestProperties +class TraceIdControllerWhenOutputTraceIdOnErrorIsTrueTest extends BaseTraceIdDemoControllerTest { + + private static final String TEST_TRACE_ID = "4bf92f3577b34da6a3ce929d0e0e4736"; // A sample W3C trace ID + private static final String TEST_SPAN_ID = "00f067aa0ba902b7"; // A sample W3C span ID + // The traceparent header format: 00-TRACE_ID-SPAN_ID-01 (version-trace-id-parent-id-trace-flags) + private static final String TRACEPARENT_HEADER_VALUE = "00-" + TEST_TRACE_ID + "-" + TEST_SPAN_ID + "-01"; + + @Test + void testErrorPageWhenOutputTraceOnErrorIsTrue() { + HttpHeaders headers = new HttpHeaders(); + headers.add(TraceUtils.TRACE_PARENT, TRACEPARENT_HEADER_VALUE); + HttpEntity entity = new HttpEntity<>(headers); + + ResponseEntity response = restTemplate.exchange("/oops", HttpMethod.GET, entity, String.class); + + log.info(response.getBody()); + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR); + assertThat(Objects.requireNonNull(response.getHeaders().getContentType()).isCompatibleWith(MediaType.TEXT_HTML)).isTrue(); + assertThat(response.getBody()).contains("An error has occurred!"); + assertThat(response.getBody()).contains("Error Page"); + + // The MyErrorController formats the message as: "An error has occurred. The traceId is [%s]. Report this TraceId to support." + String expectedTraceIdMessagePart = BaseErrorController.MESSAGE_PATTERN.formatted(TEST_TRACE_ID); + assertThat(response.getBody()).contains(expectedTraceIdMessagePart); + + // For a more robust assertion, you can extract the trace ID using a regex + Pattern traceIdPattern = Pattern.compile("Trace Id \\[([a-f0-9]{32})\\]"); + Matcher matcher = traceIdPattern.matcher(response.getBody()); + assertThat(matcher.find()).isTrue(); // Ensure a trace ID was found + assertThat(matcher.group(1)).isEqualTo(TEST_TRACE_ID); // Assert it matches the expected trace ID + log.info("Trace ID extracted from response: {}", matcher.group(1)); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdDemoControllerTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdDemoControllerTest.java new file mode 100644 index 000000000..67b3ca2e1 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceIdDemoControllerTest.java @@ -0,0 +1,103 @@ +package org.datavaultplatform.webapp.controllers.trace; + + +import io.opentelemetry.api.trace.TraceId; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.TraceUtils; +import org.datavaultplatform.webapp.app.DataVaultWebApp; +import org.datavaultplatform.webapp.controllers.trace.mvc.TraceIdDemoController; +import org.datavaultplatform.webapp.test.AddTestProperties; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; +import org.jsoup.nodes.Element; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.http.HttpEntity; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpMethod; +import org.springframework.http.HttpStatus; +import org.springframework.http.ResponseEntity; +import org.springframework.test.context.TestPropertySource; + +import java.util.Objects; + +import static org.assertj.core.api.Assertions.assertThat; + +@SpringBootTest(classes = DataVaultWebApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@TestPropertySource(properties = { + "logging.level.org.springframework.security=DEBUG" +}) +@Slf4j +@AddTestProperties +class TraceIdDemoControllerTest extends BaseTraceIdDemoControllerTest { + + @Autowired + private TraceIdDemoController traceIdDemoController; + + + @BeforeEach + @Override + void setup() { + assertThat(traceIdDemoController).isNotNull(); + } + @Test + void testPage1TraceIdWillBeAdded() { + ResponseEntity response = getResponse("/page1"); + log.info(response.getBody()); + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + assertThat(Objects.requireNonNull(response.getHeaders().getContentType()).toString()).contains("text/html"); + + Document doc = Jsoup.parse(response.getBody()); + assertThat(doc.title()).isEqualTo("Page One"); + + Element traceIdSpan = doc.selectFirst("span#traceid"); + assertThat(traceIdSpan).as("Span with id 'traceid' should exist").isNotNull(); + + String traceIdValue = traceIdSpan.text(); + assertThat(traceIdValue).as("Trace ID should not be empty").isNotBlank(); + assertThat(TraceId.isValid(traceIdValue)).isTrue(); + } + + private ResponseEntity getResponse(String url) { + return getResponse(url, new HttpEntity<>(new HttpHeaders())); + } + + private ResponseEntity getResponse(String url, HttpEntity entity) { + + return restTemplate.exchange( + url, + HttpMethod.GET, + entity, + String.class + ); + } + + @Test + void testPage1WithSuppliedTraceId() { + String expectedTraceId = "c0106a3cbb4b86444167dcca646ca08d"; // A custom 128-bit trace ID + String traceparentHeader = "00-" + expectedTraceId + "-0000000000000001-01"; // W3C Trace Context header + + HttpHeaders headers = new HttpHeaders(); + headers.add(TraceUtils.TRACE_PARENT, traceparentHeader); + HttpEntity entity = new HttpEntity<>(headers); + + ResponseEntity response = getResponse("/page1", entity); + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); + assertThat(Objects.requireNonNull(response.getHeaders().getContentType()).toString()).contains("text/html"); + + Document doc = Jsoup.parse(response.getBody()); + assertThat(doc.title()).isEqualTo("Page One"); + + Element traceIdSpan = doc.selectFirst("span#traceid"); + assertThat(traceIdSpan).as("Span with id 'traceid' should exist").isNotNull(); + + String actualTraceId = traceIdSpan.text(); + assertThat(actualTraceId).as("Trace ID on page should match supplied trace ID").isEqualTo(expectedTraceId); + + log.info(response.getBody()); + } + +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceParentExtractionTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceParentExtractionTest.java new file mode 100644 index 000000000..0c42ae97f --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/TraceParentExtractionTest.java @@ -0,0 +1,57 @@ +package org.datavaultplatform.webapp.controllers.trace; + +import org.datavaultplatform.common.util.TraceUtils; +import org.datavaultplatform.webapp.app.DataVaultWebApp; +import org.datavaultplatform.webapp.test.AddTestProperties; +import org.junit.jupiter.api.Test; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.http.HttpEntity; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpMethod; +import org.springframework.http.ResponseEntity; +import org.springframework.test.context.TestPropertySource; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertEquals; + +@SpringBootTest(classes = DataVaultWebApp.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@TestPropertySource(properties = { + "logging.level.org.springframework.security=DEBUG", + "output.traceid.on.error=true" +}) +@AddTestProperties +class TraceParentExtractionTest extends BaseTraceIdDemoControllerTest { + + public static final String TRACE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + public static final String SPAN_ID = "bbbbbbbbbbbbbbbb"; + public static final String TRACEPARENT_VALUE = "00-" + TRACE_ID + "-" + SPAN_ID + "-01"; + + @Test + void traceParentShouldBeExtracted() { + + HttpHeaders headers = new HttpHeaders(); + headers.add(TraceUtils.TRACE_PARENT, TRACEPARENT_VALUE); + + HttpEntity entity = new HttpEntity<>(headers); + + ResponseEntity response = + restTemplate.exchange("/trace-test", HttpMethod.GET, entity, String.class); + + assertEquals(TRACE_ID, response.getBody()); + } + + @Test + void traceParentShouldBeGeneratedIfMissing() { + + HttpHeaders headers = new HttpHeaders(); + HttpEntity entity = new HttpEntity<>(headers); + + ResponseEntity response = + restTemplate.exchange("/trace-test", HttpMethod.GET, entity, String.class); + + assertThat(response.getBody()).isNotBlank(); + assertThat(response.getBody()).isNotEqualTo(TRACE_ID); + } + +} + diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoController.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoController.java new file mode 100644 index 000000000..86998eac0 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoController.java @@ -0,0 +1,90 @@ +package org.datavaultplatform.webapp.controllers.trace.mvc; + +import io.micrometer.tracing.Tracer; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.datavaultplatform.common.util.TraceUtils; +import org.datavaultplatform.webapp.controllers.SimpleRestService; +import org.springframework.context.annotation.Profile; +import org.springframework.http.ResponseEntity; +import org.springframework.stereotype.Controller; +import org.springframework.ui.ModelMap; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.ResponseBody; + +import java.time.Instant; +import java.util.Optional; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Profile("trace") +@Controller +public class TraceIdDemoController implements TraceIdDemoControllerApi { + + private static final Logger log = LoggerFactory.getLogger(TraceIdDemoController.class); + + private final Tracer tracer; + private final SimpleRestService restService; + + public TraceIdDemoController(Tracer tracer, SimpleRestService restService) { + this.tracer = tracer; + this.restService = restService; + } + + @GetMapping("/page1") + public String getPageOne(HttpServletRequest request, HttpServletResponse response, ModelMap model){ + + model.addAttribute("time", Instant.now()); + model.addAttribute("message", "the is page 1"); + + String incomingTraceparent = request.getHeader(TraceUtils.TRACE_PARENT); + log.info("Incoming traceparent header: {}", incomingTraceparent); + + String traceId = tracer.currentSpan().context().traceId(); + + log.info("Trace ID from tracer.currentSpan(): {}", traceId); + model.addAttribute("traceId", traceId); + return "page1"; + } + + @GetMapping("/oops") + public String getErrorPage(HttpServletRequest request, HttpServletResponse response, ModelMap model){ + // Add current trace ID to the model + String traceId = Optional.ofNullable(tracer.currentSpan()) + .map(span -> span.context().traceId()) + .orElse("no-trace-id"); + + log.info("Trace ID from tracer.currentSpan(): [{}]", traceId); + log.info("ThreadName IN CONTROLLER IS [{}]", Thread.currentThread().getName()); + + throw new RuntimeException("oops"); + } + + @GetMapping("/call-downstream") + @ResponseBody + public ResponseEntity callDownstream(HttpServletRequest request) { + String traceId = tracer.currentSpan().context().traceId(); + log.info("/call-downstream: Starting request with traceId=[{}]", traceId); + + // Build the full URL for the downstream service + String downstreamUrl = request.getRequestURL().toString().replace("/call-downstream", "/downstream"); + + String response = restService.get(downstreamUrl); + + log.info("/call-downstream: Received response: {}", response); + return ResponseEntity.ok("Called downstream service. Check logs for trace propagation."); + } + + @GetMapping("/downstream") + @ResponseBody + public ResponseEntity downstreamEndpoint(HttpServletRequest request) { + String traceparentHeader = request.getHeader(TraceUtils.TRACE_PARENT); + String traceId = tracer.currentSpan().context().traceId(); + + log.info("/downstream: Received traceparent header: [{}]", traceparentHeader); + log.info("/downstream: Current traceId from tracer: [{}]", traceId); + + return ResponseEntity.ok("Hello from downstream! traceId=" + traceId); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerApi.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerApi.java new file mode 100644 index 000000000..37addddb7 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerApi.java @@ -0,0 +1,4 @@ +package org.datavaultplatform.webapp.controllers.trace.mvc; + +public interface TraceIdDemoControllerApi { +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerConfig.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerConfig.java new file mode 100644 index 000000000..9f754ed36 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceIdDemoControllerConfig.java @@ -0,0 +1,66 @@ +package org.datavaultplatform.webapp.controllers.trace.mvc; + +import io.micrometer.tracing.Tracer; +import org.datavaultplatform.webapp.controllers.SimpleRestService; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.TestConfiguration; +import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory; +import org.springframework.boot.web.server.WebServerFactoryCustomizer; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; +import org.springframework.security.web.SecurityFilterChain; +import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver; + +import java.io.File; + +@Profile("trace") +@TestConfiguration +public class TraceIdDemoControllerConfig { + + @Bean + public WebServerFactoryCustomizer customizer() { + return factory -> factory.addContextCustomizers(context -> { + File testWebapp = new File("src/test/webapp"); + context.setDocBase(testWebapp.getAbsolutePath()); + }); + } + + @Bean + public SpringResourceTemplateResolver testTemplateResolver() { + SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver(); + resolver.setPrefix("file:src/test/webapp/WEB-INF/templates/"); + resolver.setSuffix(".html"); + resolver.setTemplateMode("HTML"); + resolver.setOrder(0); // highest priority + resolver.setCheckExistence(true); + return resolver; + } + + @Autowired + RestTemplateBuilder restTemplateBuilder; + + @Autowired + Tracer tracer; + + @Bean + SimpleRestService simpleRestService(){ + return new SimpleRestService(restTemplateBuilder.build()); + } + + @Bean + public TraceIdDemoController traceIdDemoController(){ + return new TraceIdDemoController(tracer, simpleRestService()); + } + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) + .csrf(AbstractHttpConfigurer::disable) + .securityMatcher("/**"); // apply to all requests + return http.build(); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestController.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestController.java new file mode 100644 index 000000000..867b4740d --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestController.java @@ -0,0 +1,22 @@ +package org.datavaultplatform.webapp.controllers.trace.mvc; + +import io.micrometer.tracing.Tracer; +import org.springframework.context.annotation.Profile; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@Profile("trace") +class TraceTestController implements TraceTestControllerApi { + + private final Tracer tracer; + + TraceTestController(Tracer tracer) { + this.tracer = tracer; + } + + @GetMapping("/trace-test") + public String test() { + return tracer.currentSpan().context().traceId(); + } +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestControllerApi.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestControllerApi.java new file mode 100644 index 000000000..c70b0035f --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/controllers/trace/mvc/TraceTestControllerApi.java @@ -0,0 +1,4 @@ +package org.datavaultplatform.webapp.controllers.trace.mvc; + +public interface TraceTestControllerApi { +} diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/services/RestServiceTest.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/services/RestServiceTest.java index 04bb846ec..b10cbf907 100644 --- a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/services/RestServiceTest.java +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/services/RestServiceTest.java @@ -1,16 +1,20 @@ package org.datavaultplatform.webapp.services; +import io.micrometer.tracing.Tracer; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.datavaultplatform.common.dto.PausedDepositStateDTO; import org.datavaultplatform.common.dto.PausedRetrieveStateDTO; import org.datavaultplatform.common.response.VaultInfo; +import org.datavaultplatform.common.util.TraceIdWrapper; +import org.datavaultplatform.common.util.TraceInfo; import org.datavaultplatform.webapp.app.DataVaultWebApp; import org.datavaultplatform.webapp.app.services.BaseRestTemplateWithLoggingTest; import org.datavaultplatform.webapp.test.ProfileDatabase; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Test; +import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.security.test.context.support.WithMockUser; @@ -45,7 +49,9 @@ class PausedDepositStateTests { @Test @WithMockUser(username = "user1") void testTogglePausedState() { - restService.toggleDepositPausedState(); + assertDoesNotThrow(() -> { + restService.toggleDepositPausedState(); + }); } @Test @@ -82,7 +88,9 @@ class PausedRetrieveStateTests { @Test @WithMockUser(username = "user1") void testTogglePausedState() { - restService.toggleRetrievePausedState(); + assertDoesNotThrow(() -> { + restService.toggleRetrievePausedState(); + }); } @Test @@ -159,5 +167,32 @@ void testRestartRetrieve() { assertThat(result).isTrue(); } } - + + @SuppressWarnings("GrazieInspectionRunner") + @Nested + class TraceIdFromBrokerTests { + + @Autowired + Tracer tracer; + + @Test + void testGetTraceFromBrokerWithNoTraceId() { + TraceInfo result = restService.getTraceFromBroker("user", "password"); + assertThat(result.traceId()).isEqualTo("aaaabbbbccccddddaaaabbbbccccdddd"); + } + + @Test + void testGetTraceFromBrokerWithTraceId() { + + String traceId = "aaaabbbbccccddddaaaabbbbccccdddd"; + TraceIdWrapper wrapper = new TraceIdWrapper(traceId, tracer); + + wrapper.runWithinWrapper(() -> { + assertThat(tracer.currentSpan().context().traceId()).isEqualTo(traceId); + TraceInfo result = restService.getTraceFromBroker("user", "password"); + assertThat(result.traceId()).isEqualTo("abcdef11abcdef22abcdef33abcdef44"); + }); + } + } + } \ No newline at end of file diff --git a/datavault-webapp/src/test/java/org/datavaultplatform/webapp/test/MvcUtils.java b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/test/MvcUtils.java new file mode 100644 index 000000000..7073e8db8 --- /dev/null +++ b/datavault-webapp/src/test/java/org/datavaultplatform/webapp/test/MvcUtils.java @@ -0,0 +1,76 @@ +package org.datavaultplatform.webapp.test; + +import jakarta.servlet.RequestDispatcher; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpSession; +import lombok.SneakyThrows; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.MvcResult; +import org.springframework.test.web.servlet.ResultActions; +import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; + +import java.util.Enumeration; + +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; + +public class MvcUtils { + + /** + * We've changed from AccessDeniedPage(/auth/denied) to AccessDeniedHandler which perfrorms forward to /auth/defined + * so we need to use mockMvc twice - the first time to perform the request and the second time to perform the forward. + * @param mockMvc + * @param requestBuilder + * @return + */ + @SneakyThrows + public static ResultActions performWithForward(MockMvc mockMvc, MockHttpServletRequestBuilder requestBuilder) { + // 1. Initial Execution + ResultActions action = mockMvc.perform(requestBuilder).andDo(print()); + MvcResult result = action.andReturn(); + String forwardedUrl = result.getResponse().getForwardedUrl(); + + if (forwardedUrl != null) { + // 2. Setup the Forward Request + MockHttpServletRequestBuilder forwardRequest = get(forwardedUrl); + + + // Carry over the session if it exists + HttpSession session = result.getRequest().getSession(false); + if (session != null) { + forwardRequest.session((MockHttpSession) session); + } + + HttpServletRequest originalRequest = result.getRequest(); + if(forwardedUrl.equals("/auth/denied")) { + + Throwable throwable = (Exception) originalRequest.getAttribute(RequestDispatcher.ERROR_EXCEPTION); + Integer statusCode = (Integer) originalRequest.getAttribute(RequestDispatcher.ERROR_STATUS_CODE); + String requestUri = (String) originalRequest.getAttribute(RequestDispatcher.ERROR_REQUEST_URI); + + if(throwable == null || statusCode == null || requestUri == null) { + throw new IllegalStateException("Unable to get error attributes from original request: " + originalRequest + ""); + } + } + Enumeration attributeNames = originalRequest.getAttributeNames(); + + while (attributeNames.hasMoreElements()) { + String name = attributeNames.nextElement(); + + if (name.startsWith("jakarta.servlet")) { + Object value = originalRequest.getAttribute(name); + System.out.println("Replicating attribute: " + name + "=" + value); + forwardRequest.with(req -> { + req.setAttribute(name, value); + return req; + }); + } + } + + return mockMvc.perform(forwardRequest).andDo(print()); + } + + return action; + } +} diff --git a/datavault-webapp/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension b/datavault-webapp/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension new file mode 100644 index 000000000..16c8c8ce0 --- /dev/null +++ b/datavault-webapp/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension @@ -0,0 +1 @@ +org.datavaultplatform.common.util.TempFileCleanerExtension diff --git a/datavault-webapp/src/test/resources/application-database.properties b/datavault-webapp/src/test/resources/application-database.properties index 5a53f34a1..578dc9a1e 100644 --- a/datavault-webapp/src/test/resources/application-database.properties +++ b/datavault-webapp/src/test/resources/application-database.properties @@ -3,3 +3,9 @@ spring.main.allow-bean-definition-overriding=true spring.main.banner-mode=off logging.level.web=DEBUG logging.level.org.springframework.security.core.session=DEBUG + +logging.level.io.micrometer.tracing=DEBUG +management.tracing.propagation.type=w3c +management.tracing.sampling.probability=1.0 +management.tracing.skip-pattern=/actuator/** +output.traceid.on.error=true \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/datavault-test.properties b/datavault-webapp/src/test/resources/datavault-test.properties index 571c4fd9a..9af0dbccf 100644 --- a/datavault-webapp/src/test/resources/datavault-test.properties +++ b/datavault-webapp/src/test/resources/datavault-test.properties @@ -90,7 +90,7 @@ webapp.motd = Message of the day # CRIS system settings # ==================== # The URL of the external metadata service (for example, a Pure CRIS API). Leave this blank to use a mock provider -# eg. https://example.org/ws/rest/datasets +# e.g. https://example.org/ws/rest/datasets # If using HTTP BASIC authentication, use: https://username:password@example.org/ws/rest/datasets metadata.url = # Name displayed in the help page for the institutional CRIS or external metadata system @@ -151,3 +151,9 @@ ldap.attrs = attr1,attr2,etc jmail.mail.smtp.auth=false jmail.mail.smtp.starttls.enable=true jmail.mail.smtp.quitwait=true + +logging.level.io.micrometer.tracing=DEBUG +management.tracing.propagation.type=w3c +management.tracing.sampling.probability=1.0 +management.tracing.skip-pattern=/actuator/** +output.traceid.on.error=true \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/junit-platform.properties b/datavault-webapp/src/test/resources/junit-platform.properties new file mode 100644 index 000000000..1cebb76d5 --- /dev/null +++ b/datavault-webapp/src/test/resources/junit-platform.properties @@ -0,0 +1 @@ +junit.jupiter.extensions.autodetection.enabled = true \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/logback-test.xml b/datavault-webapp/src/test/resources/logback-test.xml index ee031dbce..469b4f5c1 100644 --- a/datavault-webapp/src/test/resources/logback-test.xml +++ b/datavault-webapp/src/test/resources/logback-test.xml @@ -1,7 +1,8 @@ + - TST-%d{HH:mm:ss.SSS} [%thread] %-5level %logger - %msg%n + TST %clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %clr([trace=%X{traceId:-} span=%X{spanId:-} user=%X{user:-}]){yellow} %m%n${LOG_EXCEPTION_CONVERSION_WORD:-%wEx} diff --git a/datavault-webapp/src/test/resources/logs/expectedLogEvents.txt b/datavault-webapp/src/test/resources/logs/expectedLogEvents.txt index 93fb8cbef..2b6bd6427 100644 --- a/datavault-webapp/src/test/resources/logs/expectedLogEvents.txt +++ b/datavault-webapp/src/test/resources/logs/expectedLogEvents.txt @@ -1,7 +1,6 @@ [DEBUG] REQ:START [DEBUG] REQ:uri [http://www.example.com:1234/resource] [DEBUG] REQ:method [GET] -[DEBUG] REQ:headers [Accept:"text/plain, application/json, application/cbor, application/yaml, application/*+json, */*", Content-Length:"0"] [DEBUG] REQ:body [] [DEBUG] REQ:END [DEBUG] RES:START diff --git a/datavault-webapp/src/test/resources/protected-paths.csv b/datavault-webapp/src/test/resources/protected-paths.csv index 863b8daf1..8d2a46420 100644 --- a/datavault-webapp/src/test/resources/protected-paths.csv +++ b/datavault-webapp/src/test/resources/protected-paths.csv @@ -15,7 +15,6 @@ PATH, ROLE /resources/favicon.ico, /actuator/info, /actuator/health, -/actuator/customtime, /auth/login, /auth/confirmation, /auth/denied, \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReview.json b/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReview.json new file mode 100644 index 000000000..f74e7692d --- /dev/null +++ b/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReview.json @@ -0,0 +1,10 @@ +{ + "priority": 1, + "request": { + "urlPathPattern": "/admin/vaults/reviews/(?[^/]+)/refresh", + "method": "POST" + }, + "response": { + "status": 200 + } +} \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsAdded.json b/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsAdded.json new file mode 100644 index 000000000..ff3a1bf22 --- /dev/null +++ b/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsAdded.json @@ -0,0 +1,14 @@ +{ + "priority": 1, + "request": { + "urlPathPattern": "/admin/vaults/vaultreviews/vault-id-123/refresh", + "method": "POST" + }, + "response": { + "headers": { + "Content-Type": "application/json" + }, + "status": 200, + "body": "true" + } +} \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsNotAdded.json b/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsNotAdded.json new file mode 100644 index 000000000..f08772fa4 --- /dev/null +++ b/datavault-webapp/src/test/resources/stubs/restService/refreshVaultReviewDepositReviewsNotAdded.json @@ -0,0 +1,14 @@ +{ + "priority": 1, + "request": { + "urlPathPattern": "/admin/vaults/vaultreviews/vault-id-234/refresh", + "method": "POST" + }, + "response": { + "headers": { + "Content-Type": "application/json" + }, + "status": 200, + "body": "false" + } +} \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceNotSupplied.json b/datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceNotSupplied.json new file mode 100644 index 000000000..0bbe9b1df --- /dev/null +++ b/datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceNotSupplied.json @@ -0,0 +1,24 @@ +{ + "priority": 2, + "request": { + "urlPath": "/trace/info", + "method": "GET", + "headers": { + "Accept": { + "equalTo": "application/json" + }, + "Authorization" : { + "contains": "Basic dXNlcjpwYXNzd29yZA==" + } + } + }, + "response": { + "status": 200, + "headers": { + "Content-Type": "application/json" + }, + "jsonBody": { + "traceId": "aaaabbbbccccddddaaaabbbbccccdddd" + } + } +} \ No newline at end of file diff --git a/datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceSupplied.json b/datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceSupplied.json new file mode 100644 index 000000000..a4a1a118b --- /dev/null +++ b/datavault-webapp/src/test/resources/stubs/restService/traceInfoTraceSupplied.json @@ -0,0 +1,27 @@ +{ + "priority": 1, + "request": { + "urlPath": "/trace/info", + "method": "GET", + "headers": { + "Accept": { + "equalTo": "application/json" + }, + "traceparent": { + "contains": "aaaabbbbccccddddaaaabbbbccccdddd" + }, + "Authorization" : { + "contains": "Basic dXNlcjpwYXNzd29yZA==" + } + } + }, + "response": { + "status": 200, + "headers": { + "Content-Type": "application/json" + }, + "jsonBody": { + "traceId": "abcdef11abcdef22abcdef33abcdef44" + } + } +} \ No newline at end of file diff --git a/datavault-webapp/src/test/webapp/WEB-INF/templates/page1.html b/datavault-webapp/src/test/webapp/WEB-INF/templates/page1.html new file mode 100644 index 000000000..60788b0d4 --- /dev/null +++ b/datavault-webapp/src/test/webapp/WEB-INF/templates/page1.html @@ -0,0 +1,11 @@ + + +Page One + + +

Page One

+

+

Generated at:

+

trace id is

+ + \ No newline at end of file diff --git a/datavault-worker/pom.xml b/datavault-worker/pom.xml index 32c8b97a3..8b6c54481 100644 --- a/datavault-worker/pom.xml +++ b/datavault-worker/pom.xml @@ -132,7 +132,19 @@ com.fasterxml.jackson.core jackson-databind - + + io.micrometer + micrometer-tracing-bridge-otel + + + io.opentelemetry + opentelemetry-exporter-otlp + + + io.micrometer + micrometer-tracing-test + test + diff --git a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/ActuatorConfig.java b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/ActuatorConfig.java index 9beed23aa..dc8f08c27 100644 --- a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/ActuatorConfig.java +++ b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/ActuatorConfig.java @@ -2,8 +2,9 @@ import java.time.Clock; -import io.swagger.v3.oas.models.OpenAPI; -import io.swagger.v3.oas.models.info.Info; +import org.datavaultplatform.common.actuator.ActuatorHealthSecurityAdvice; +import org.datavaultplatform.common.actuator.ActuatorInfoSecurityAdvice; +import org.datavaultplatform.common.actuator.ActuatorSecurityAdvice; import org.datavaultplatform.worker.actuator.CurrentTimeEndpoint; import org.datavaultplatform.worker.actuator.MemoryInfoEndpoint; import org.springframework.boot.SpringBootVersion; @@ -14,6 +15,21 @@ @Configuration public class ActuatorConfig { + @Bean + ActuatorInfoSecurityAdvice actuatorInfoSecurityAdvice() { + return new ActuatorInfoSecurityAdvice(); + } + + @Bean + ActuatorHealthSecurityAdvice actuatorHealthSecurityAdvice() { + return new ActuatorHealthSecurityAdvice(); + } + + @Bean + ActuatorSecurityAdvice actuatorSecurityAdvice() { + return new ActuatorSecurityAdvice(); + } + @Bean Clock clock() { return Clock.systemDefaultZone(); @@ -34,10 +50,4 @@ public InfoContributor springBootVersionInfoContributor() { return builder -> builder.withDetail("spring-boot.version", SpringBootVersion.getVersion()); } - @Bean - public OpenAPI openAPI() { - return new OpenAPI().info(new Info().title("DataVault Worker") - .description("worker application") - .version("v0.0.1")); - } } diff --git a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/RabbitConfig.java b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/RabbitConfig.java index 31fdec280..eb4981b1e 100644 --- a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/RabbitConfig.java +++ b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/RabbitConfig.java @@ -1,6 +1,8 @@ package org.datavaultplatform.worker.config; import com.rabbitmq.client.ConnectionFactory; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; import jakarta.annotation.PostConstruct; import lombok.extern.slf4j.Slf4j; import org.datavaultplatform.worker.queue.Receiver; @@ -79,8 +81,10 @@ TopLevelRabbitMessageProcessor topLevelRabbitMessageProcessor(Receiver receiver, @Bean public RabbitMessageSelector hiLoRabbitMessageSelector( ConnectionFactory connectionFactory, - TopLevelRabbitMessageProcessor messageProcessor) { - return new RabbitMessageSelector(this.hiPriorityQueueName, this.loPriorityQueueName, connectionFactory, messageProcessor); + TopLevelRabbitMessageProcessor messageProcessor, + Tracer tracer, + Propagator propagator) { + return new RabbitMessageSelector(this.hiPriorityQueueName, this.loPriorityQueueName, connectionFactory, messageProcessor, tracer, propagator); } @Bean("monitorLogger") diff --git a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/SecurityActuatorConfig.java b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/SecurityActuatorConfig.java index 9b16deb76..fd245fb5d 100644 --- a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/SecurityActuatorConfig.java +++ b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/SecurityActuatorConfig.java @@ -10,6 +10,7 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; @@ -51,21 +52,20 @@ public UserDetailsService userDetailsService(){ @Bean SecurityFilterChain springFilterChain(HttpSecurity http) throws Exception { - http.securityMatcher("/actuator/**","/task/interrupt","/task/interrupt/*") + http.securityMatcher("/actuator/**","/task/interrupt", "/task/interrupt/*") .userDetailsService(userDetailsService()) + .csrf(AbstractHttpConfigurer::disable) .httpBasic(Customizer.withDefaults()) .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .authorizeHttpRequests(authz -> { authz.requestMatchers( - "/actuator/customtime", - "/actuator/health", - "/actuator/memoryinfo", - "/actuator/metrics", - "/actuator/mappings", - "/actuator/info").permitAll(); + "/actuator", + "/actuator/info", + "/actuator/health" + ).permitAll(); + authz.anyRequest().authenticated(); }); - http.csrf(csrf -> csrf.disable()); return http.build(); } diff --git a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/TracingConfig.java b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/TracingConfig.java new file mode 100644 index 000000000..6bcd34eee --- /dev/null +++ b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/TracingConfig.java @@ -0,0 +1,15 @@ +package org.datavaultplatform.worker.config; + +import io.opentelemetry.api.trace.propagation.W3CTraceContextPropagator; +import io.opentelemetry.context.propagation.ContextPropagators; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +@Configuration +public class TracingConfig { + + @Bean + ContextPropagators otelContextPropagators() { + return ContextPropagators.create(W3CTraceContextPropagator.getInstance()); + } +} diff --git a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/WebConfig.java b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/WebConfig.java index bdf96563e..5543697c4 100644 --- a/datavault-worker/src/main/java/org/datavaultplatform/worker/config/WebConfig.java +++ b/datavault-worker/src/main/java/org/datavaultplatform/worker/config/WebConfig.java @@ -1,10 +1,12 @@ package org.datavaultplatform.worker.config; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; import org.springframework.web.servlet.config.annotation.PathMatchConfigurer; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration +@Import(TracingConfig.class) public class WebConfig implements WebMvcConfigurer { @Override diff --git a/datavault-worker/src/main/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelector.java b/datavault-worker/src/main/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelector.java index ac41c3384..b55561f02 100644 --- a/datavault-worker/src/main/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelector.java +++ b/datavault-worker/src/main/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelector.java @@ -1,12 +1,13 @@ package org.datavaultplatform.worker.rabbit; -import com.rabbitmq.client.Channel; -import com.rabbitmq.client.Connection; -import com.rabbitmq.client.ConnectionFactory; -import com.rabbitmq.client.GetResponse; +import com.rabbitmq.client.*; +import io.micrometer.tracing.Span; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; import jakarta.annotation.PostConstruct; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.TraceUtils; import org.datavaultplatform.worker.utils.SocketUtils; import org.springframework.amqp.core.Message; import org.springframework.amqp.core.MessageProperties; @@ -17,16 +18,29 @@ import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContextAware; import org.springframework.context.event.EventListener; +import org.springframework.util.Assert; import java.nio.charset.StandardCharsets; import java.util.Optional; +import java.util.Set; import java.util.concurrent.atomic.AtomicBoolean; import java.util.function.Supplier; import java.util.stream.Stream; + @Slf4j public class RabbitMessageSelector implements DisposableBean, ApplicationContextAware { + public static final Set EXPECTED_KEYS = Set.of(TraceUtils.TRACE_PARENT, TraceUtils.TRACE_STATE); + + public static final Propagator.Getter GETTER = (Message carrier, String key) -> { + Assert.isTrue(EXPECTED_KEYS.contains(key), "unexpected key [%s]".formatted(key)); + Object header = carrier.getMessageProperties().getHeader(key); + String result = header != null ? header.toString() : null; + log.info("trace header[{}]: {}", key, result); + return result; + }; + private final DefaultMessagePropertiesConverter converter = new DefaultMessagePropertiesConverter(); private final ConnectionFactory connectionFactory; @@ -34,15 +48,19 @@ public class RabbitMessageSelector implements DisposableBean, ApplicationContext private final String hiPriorityQueueName; private final String loPriorityQueueName; private final AtomicBoolean ready = new AtomicBoolean(false); + private final Tracer tracer; + private final Propagator propagator; private ApplicationContext ctx; private Connection connection; - public RabbitMessageSelector(String hiPriorityQueueName, String loPriorityQueueName, ConnectionFactory connectionFactory, RabbitMessageProcessor processor) { + public RabbitMessageSelector(String hiPriorityQueueName, String loPriorityQueueName, ConnectionFactory connectionFactory, RabbitMessageProcessor processor, Tracer tracer, Propagator propagator) { this.hiPriorityQueueName = hiPriorityQueueName; this.loPriorityQueueName = loPriorityQueueName; this.connectionFactory = connectionFactory; this.processor = processor; + this.tracer = tracer; + this.propagator = propagator; } public static Optional getFirst(Supplier> hi, Supplier> lo) { @@ -73,16 +91,30 @@ private void selectAndProcessNextMessageWithConnection() { Optional selected = getFirst(pollHiPriority, pollLoPriority); // max 1 selected message - selected.ifPresent(messageinfo -> { - try { + selected.ifPresent(this::processMessageInfo); + } + + void processMessageInfo(RabbitMessageInfo messageInfo){ + try { + Span nextSpan = getSpanWithTraceIdFromMessage(propagator, messageInfo.message(), "process-rabbit-message"); + try (Tracer.SpanInScope ws = tracer.withSpan(nextSpan)) { + + // Now you can grab the Trace ID! + String traceId1 = nextSpan.context().traceId(); + log.info("Trace ID1: {}", traceId1); + + String traceId2 = tracer.currentSpan().context().traceId(); + log.info("Trace ID2: {}", traceId2); // process the selected message - processor.onMessage(messageinfo); + processor.onMessage(messageInfo); // ack the selected message - messageinfo.acknowledge(); + messageInfo.acknowledge(); } finally { - messageinfo.closeChannel(); + nextSpan.end(); } - }); + } finally { + messageInfo.closeChannel(); + } } private Optional pollRabbit(boolean isHiPriority, Supplier channelSupplier, String queueName) { @@ -93,7 +125,8 @@ private Optional pollRabbit(boolean isHiPriority, Supplier classLoadedAt).isTrue(); + assertThat(ctx.getStartupDate() > CLASS_LOADED_AT).isTrue(); assertThat(RABBIT.isCreated()).isTrue().withFailMessage(() -> "rabbit is NOT created"); assertThat(RABBIT.isRunning()).isTrue().withFailMessage(() -> "rabbit is NOT running"); @@ -120,7 +149,7 @@ void checkRabbitConnection() { log.info("rabbit host [{}]", RABBIT.getHost()); log.info("rabbit AMQP port [{}]", RABBIT.getAmqpPort()); - // double check that we can connect via socket to rabbit before proceeding with actual tests + // double-check that we can connect via socket to rabbit before proceeding with actual tests assertThat(SocketUtils.isServerListening(RABBIT.getHost(), RABBIT.getAmqpPort())).isTrue(); assertThat(isServerListening2()).isTrue(); } @@ -143,7 +172,56 @@ public static boolean isDockerAvailable() { } @AfterAll - public static void tearDownContainer(){ + public static void tearDownContainer() { RABBIT.stop(); } + + @SuppressWarnings("UnusedReturnValue") + protected String sendNormalMessage(String msgBody) { + MessageProperties props = new MessageProperties(); + props.setMessageId(UUID.randomUUID().toString()); + props.setPriority(NORMAL_PRIORITY); + + Span currentSpan = tracer.currentSpan(); + if (currentSpan != null) { + propagator.inject(currentSpan.context(), props, (carrier, key, value) -> { + carrier.setHeader(key, value); + }); + } + Message msg = new Message(msgBody.getBytes(StandardCharsets.UTF_8), props); + template.send(workerQueue.getActualName(), msg); + return props.getMessageId(); + } + + protected void setupTestTraceId(String testTraceId) { + if (testTraceId == null) { + return; + } + String spanId = "00f067aa0ba902b7"; + + assertTrue(TraceId.isValid(testTraceId), "The traceId you supplied is not valid. It should be a 32 digit hex string and not all 0s"); + TraceContext context = tracer.traceContextBuilder() + .traceId(testTraceId) + .spanId(spanId) + .sampled(true) + .build(); + testSpan = tracer.spanBuilder().setParent(context).start(); + testScope = tracer.withSpan(testSpan); + } + + @AfterEach + final void tearDownTestSpan() { + if (this.testScope != null) { + this.testScope.close(); + } + if (this.testSpan != null) { + this.testSpan.end(); + } + } + + // This value has to be a 32-digit hex string + public String getTestTraceId() { + //noinspection GrazieInspectionRunner + return "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + } } diff --git a/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelectorTest.java b/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelectorTest.java index e8d88543f..9164a98f4 100644 --- a/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelectorTest.java +++ b/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitMessageSelectorTest.java @@ -1,8 +1,11 @@ package org.datavaultplatform.worker.rabbit; import com.rabbitmq.client.*; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.propagation.Propagator; import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Test; @@ -22,6 +25,7 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.Mockito.*; +@Slf4j @ExtendWith(MockitoExtension.class) public class RabbitMessageSelectorTest { @@ -37,8 +41,8 @@ public class RabbitMessageSelectorTest { RabbitMessageSelector selector; - String loPriorityQueueName = "loPriorityQueue"; - String hiPriorityQueueName = "hiPriorityQueue"; + public static final String LO_PRIORITY_QUEUE_NAME = "loPriorityQueue"; + public static final String HI_PRIORITY_QUEUE_NAME = "hiPriorityQueue"; GetResponse hiGetResponse; GetResponse loGetResponse; @@ -48,8 +52,8 @@ public class RabbitMessageSelectorTest { @Mock Channel mLoChannel; - public static String HI_MESSAGE = "HI_MESSAGE"; - public static String LO_MESSAGE = "LO_MESSAGE"; + public static final String HI_MESSAGE = "HI_MESSAGE"; + public static final String LO_MESSAGE = "LO_MESSAGE"; byte[] bytesLo; byte[] bytesHi; @@ -65,6 +69,9 @@ public class RabbitMessageSelectorTest { @Mock ApplicationReadyEvent mReadyEvent; + final Tracer tracer = Tracer.NOOP; + final Propagator propagator = Propagator.NOOP; + @BeforeEach void setup() { lenient().when(mReadyEvent.getTimeTaken()).thenReturn(Duration.ofSeconds(1)); @@ -77,7 +84,7 @@ void setup() { bytesLo = LO_MESSAGE.getBytes(StandardCharsets.UTF_8); envelopeLo = new Envelope(101, true, "exLO", "rkLO"); - selector = spy(new RabbitMessageSelector(hiPriorityQueueName, loPriorityQueueName, mConnectionFactory, mProcessor)); + selector = spy(new RabbitMessageSelector(HI_PRIORITY_QUEUE_NAME, LO_PRIORITY_QUEUE_NAME, mConnectionFactory, mProcessor, tracer, propagator)); selector.onReady(mReadyEvent); lenient().doNothing().when(mProcessor).onMessage(argRabbitMessageInfo.capture()); @@ -92,13 +99,13 @@ void setup() { @SneakyThrows void testNoMessagesWhenPolled() { - when(mHiChannel.basicGet(hiPriorityQueueName, false)).thenReturn(null); - when(mLoChannel.basicGet(loPriorityQueueName, false)).thenReturn(null); + when(mHiChannel.basicGet(HI_PRIORITY_QUEUE_NAME, false)).thenReturn(null); + when(mLoChannel.basicGet(LO_PRIORITY_QUEUE_NAME, false)).thenReturn(null); selector.selectAndProcessNextMessage(); - Mockito.verify(mHiChannel).basicGet(hiPriorityQueueName, false); - Mockito.verify(mLoChannel).basicGet(loPriorityQueueName, false); + Mockito.verify(mHiChannel).basicGet(HI_PRIORITY_QUEUE_NAME, false); + Mockito.verify(mLoChannel).basicGet(LO_PRIORITY_QUEUE_NAME, false); Mockito.verify(mLoChannel).close(); Mockito.verify(mHiChannel).close(); @@ -110,12 +117,12 @@ void testNoMessagesWhenPolled() { @SneakyThrows void testHiPriorityMessagesWhenPolled() { - when(mHiChannel.basicGet(hiPriorityQueueName, false)).thenReturn(hiGetResponse); + when(mHiChannel.basicGet(HI_PRIORITY_QUEUE_NAME, false)).thenReturn(hiGetResponse); doNothing().when(mProcessor).onMessage(argRabbitMessageInfo.capture()); selector.selectAndProcessNextMessage(); - Mockito.verify(mHiChannel).basicGet(hiPriorityQueueName, false); + Mockito.verify(mHiChannel).basicGet(HI_PRIORITY_QUEUE_NAME, false); Mockito.verify(mLoChannel, never()).basicGet(any(String.class), any(Boolean.class)); RabbitMessageInfo actualInfo = argRabbitMessageInfo.getValue(); @@ -129,7 +136,7 @@ void testHiPriorityMessagesWhenPolled() { private void checkHi(RabbitMessageInfo info){ assertThat(info.message().getBody()).isEqualTo(bytesHi); assertThat(info.channel()).isEqualTo(mHiChannel); - assertThat(info.queueName()).isEqualTo(hiPriorityQueueName); + assertThat(info.queueName()).isEqualTo(HI_PRIORITY_QUEUE_NAME); assertThat(info.getMessageBody()).isEqualTo(HI_MESSAGE); assertThat(info.deliveryTag()).isEqualTo(1234); } @@ -137,7 +144,7 @@ private void checkHi(RabbitMessageInfo info){ private void checkLo(RabbitMessageInfo info){ assertThat(info.message().getBody()).isEqualTo(bytesLo); assertThat(info.channel()).isEqualTo(mLoChannel); - assertThat(info.queueName()).isEqualTo(loPriorityQueueName); + assertThat(info.queueName()).isEqualTo(LO_PRIORITY_QUEUE_NAME); assertThat(info.getMessageBody()).isEqualTo(LO_MESSAGE); assertThat(info.deliveryTag()).isEqualTo(101); } @@ -146,14 +153,14 @@ private void checkLo(RabbitMessageInfo info){ @SneakyThrows void testLoPriorityMessagesWhenPolled() { - when(mHiChannel.basicGet(hiPriorityQueueName, false)).thenReturn(null); - when(mLoChannel.basicGet(loPriorityQueueName, false)).thenReturn(loGetResponse); + when(mHiChannel.basicGet(HI_PRIORITY_QUEUE_NAME, false)).thenReturn(null); + when(mLoChannel.basicGet(LO_PRIORITY_QUEUE_NAME, false)).thenReturn(loGetResponse); doNothing().when(mProcessor).onMessage(argRabbitMessageInfo.capture()); selector.selectAndProcessNextMessage(); - Mockito.verify(mLoChannel).basicGet(loPriorityQueueName, false); - Mockito.verify(mHiChannel).basicGet(hiPriorityQueueName, false); + Mockito.verify(mLoChannel).basicGet(LO_PRIORITY_QUEUE_NAME, false); + Mockito.verify(mHiChannel).basicGet(HI_PRIORITY_QUEUE_NAME, false); RabbitMessageInfo actualMessageInfo = argRabbitMessageInfo.getValue(); checkLo(actualMessageInfo); @@ -183,12 +190,12 @@ void testBothFail() { } Optional returnSome(String message) { - System.out.printf("generating optional for [%s]%n", message); + log.info("generating optional for [{}]", message); return Optional.of(message); } Optional returnEmpty() { - System.out.printf("generating EMPTY %n"); + log.info("generating EMPTY"); return Optional.empty(); } } diff --git a/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitTraceTest.java b/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitTraceTest.java new file mode 100644 index 000000000..61ee85816 --- /dev/null +++ b/datavault-worker/src/test/java/org/datavaultplatform/worker/rabbit/RabbitTraceTest.java @@ -0,0 +1,94 @@ +package org.datavaultplatform.worker.rabbit; + +import io.micrometer.tracing.Span; +import io.micrometer.tracing.Tracer; +import io.micrometer.tracing.otel.bridge.OtelCurrentTraceContext; +import io.micrometer.tracing.otel.bridge.OtelPropagator; +import io.micrometer.tracing.otel.bridge.OtelTracer; +import io.micrometer.tracing.propagation.Propagator; +import io.opentelemetry.api.trace.propagation.W3CTraceContextPropagator; +import io.opentelemetry.context.propagation.ContextPropagators; +import io.opentelemetry.sdk.OpenTelemetrySdk; +import io.opentelemetry.sdk.trace.SdkTracerProvider; +import lombok.extern.slf4j.Slf4j; +import org.datavaultplatform.common.util.TraceUtils; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.amqp.core.Message; +import org.springframework.amqp.core.MessageProperties; + +import java.nio.charset.StandardCharsets; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("GrazieInspectionRunner") +@Slf4j +class RabbitTraceTest { + + static final String TEST_TRACE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + static final String TEST_TRACEPARENT = "00-%s-1f0bd736979fd383-01".formatted(TEST_TRACE_ID); + + Propagator propagator; + Tracer tracer; + + @BeforeEach + void beforeEach() { + W3CTraceContextPropagator w3c = io.opentelemetry.api.trace.propagation.W3CTraceContextPropagator.getInstance(); + W3CTraceContextPropagator.getInstance(); + ContextPropagators otelPropagators = + ContextPropagators.create(w3c); + + // Real OTel tracer + SdkTracerProvider tracerProvider = SdkTracerProvider.builder().build(); + io.opentelemetry.api.trace.Tracer otelTracer = + OpenTelemetrySdk.builder() + .setTracerProvider(tracerProvider) + .build() + .getTracer("test"); + + + // Micrometer wrapper + this.propagator = new OtelPropagator(otelPropagators, otelTracer); + + // Micrometer tracer wrapper + this.tracer = + new OtelTracer(otelTracer, new OtelCurrentTraceContext(), null); + } + + private Span getTestSpan(boolean setFixedTraceId) { + String body = "sample-message"; + MessageProperties props = new MessageProperties(); + props.setMessageId("1234"); + if (setFixedTraceId) { + props.setHeader(TraceUtils.TRACE_PARENT, TEST_TRACEPARENT); + } + Message message = new Message(body.getBytes(StandardCharsets.UTF_8), props); + return RabbitMessageSelector.getSpanWithTraceIdFromMessage(propagator, message, "test-span"); + } + + @Test + void testExtractSpanAndTrace() { + Span testSpan = getTestSpan(true); + try(Tracer.SpanInScope ws = tracer.withSpan(testSpan)) { + String traceId1 = testSpan.context().traceId(); + log.info("ACTUAL TRACEID {}", traceId1); + String traceId2 = tracer.currentSpan().context().traceId(); + assertThat(traceId1).isEqualTo(traceId2); + assertThat(traceId1).isEqualTo(TEST_TRACE_ID); + } + testSpan.end(); + } + + @Test + void testNotExtractSpanAndTrace() { + Span testSpan = getTestSpan(false); + try(Tracer.SpanInScope ws = tracer.withSpan(testSpan)){ + String traceId1 = testSpan.context().traceId(); + log.info("ACTUAL TRACEID {}", traceId1); + String traceId2 = tracer.currentSpan().context().traceId(); + assertThat(traceId1).isEqualTo(traceId2); + assertThat(traceId1).isNotEqualTo(TEST_TRACE_ID); + } + testSpan.end(); + } +} diff --git a/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/BaseDepositIT.java b/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/BaseDepositIT.java index cce4a8de4..449b2b479 100644 --- a/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/BaseDepositIT.java +++ b/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/BaseDepositIT.java @@ -21,7 +21,6 @@ import org.junit.jupiter.api.BeforeEach; import org.springframework.amqp.core.AmqpAdmin; import org.springframework.amqp.core.Message; -import org.springframework.amqp.core.MessageProperties; import org.springframework.amqp.core.Queue; import org.springframework.amqp.rabbit.annotation.RabbitListener; import org.springframework.amqp.rabbit.core.RabbitTemplate; @@ -132,16 +131,6 @@ static void setupProperties(DynamicPropertyRegistry registry) { registry.add("metaDir", () -> metaDirValue); } - @SuppressWarnings("UnusedReturnValue") - final String sendNormalMessage(String msgBody) { - MessageProperties props = new MessageProperties(); - props.setMessageId(UUID.randomUUID().toString()); - props.setPriority(NORMAL_PRIORITY); - Message msg = new Message(msgBody.getBytes(StandardCharsets.UTF_8), props); - template.send(workerQueue.getActualName(), msg); - return props.getMessageId(); - } - @BeforeEach @SneakyThrows final void setup() { diff --git a/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/PerformDepositThenRetrieveNoChunksIT.java b/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/PerformDepositThenRetrieveNoChunksIT.java index ec9a449fb..b29879c2a 100644 --- a/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/PerformDepositThenRetrieveNoChunksIT.java +++ b/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/PerformDepositThenRetrieveNoChunksIT.java @@ -26,6 +26,12 @@ @TestPropertySource(properties = {"chunking.enabled=false","chunking.size=0"}) public class PerformDepositThenRetrieveNoChunksIT extends BasePerformDepositThenRetrieveIT { + @Override + public String getTestTraceId() { + //noinspection GrazieInspectionRunner + return "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; + } + @Override void checkChunkingProps(boolean chunkingEnabled, String chunkingByteSize) { assertFalse(chunkingEnabled); @@ -40,7 +46,7 @@ Optional getExpectedNumberChunksPerDeposit() { @Override protected void checkDepositEvents() { List storedChunksEvents = getCopyUploadCompleteEvents(); - assertThat(storedChunksEvents.size()).isEqualTo(1); + assertThat(storedChunksEvents).hasSize(1); assertThat(storedChunksEvents.get(0).getChunkNumber()).isNull(); } diff --git a/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/TraceTaskIT.java b/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/TraceTaskIT.java new file mode 100644 index 000000000..3fa92f98e --- /dev/null +++ b/datavault-worker/src/test/java/org/datavaultplatform/worker/tasks/TraceTaskIT.java @@ -0,0 +1,85 @@ +package org.datavaultplatform.worker.tasks; + +import ch.qos.logback.classic.spi.ILoggingEvent; +import ch.qos.logback.core.read.ListAppender; +import io.micrometer.tracing.Tracer; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.io.FileUtils; +import org.awaitility.Awaitility; +import org.datavaultplatform.common.util.TraceIdWrapper; +import org.datavaultplatform.worker.app.DataVaultWorkerInstanceApp; +import org.datavaultplatform.worker.rabbit.BaseRabbitIT; +import org.datavaultplatform.worker.test.AddTestProperties; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.context.TestConfiguration; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Profile; +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; +import org.springframework.test.annotation.DirtiesContext; + +import java.nio.charset.StandardCharsets; + +@SpringBootTest(classes = { + DataVaultWorkerInstanceApp.class, + TraceTaskIT.TestConfig.class +}) +@AddTestProperties +@DirtiesContext +@Slf4j +@Profile("database") +class TraceTaskIT extends BaseRabbitIT { + + final Resource traceMessage = new ClassPathResource("sampleMessages/sampleTraceMessage.json"); + @Autowired + Tracer tracer; + + @BeforeEach + @SneakyThrows + void setupTraceTask() { + setupTestTraceId(getTestTraceId()); + } + + @Test + @SneakyThrows + void testSendTraceMessage() { + // Get the logger for the class that produces the log messages we want to capture + ch.qos.logback.classic.Logger traceTaskLogger = (ch.qos.logback.classic.Logger) LoggerFactory.getLogger(Trace.class); + + // Create and start a new ListAppender + ListAppender listAppender = new ListAppender<>(); + listAppender.start(); + + // Add the appender to the logger + traceTaskLogger.addAppender(listAppender); + + TraceIdWrapper wrapper = new TraceIdWrapper("aaaabbbbccccddddaaaabbbbccccdddd", tracer); + wrapper.runWithinWrapper(() -> { + String message = FileUtils.readFileToString(this.traceMessage.getFile(), StandardCharsets.UTF_8); + sendNormalMessage(message); + + Awaitility.await().until(() -> { + boolean found = listAppender.list.stream() + .map(ILoggingEvent::getFormattedMessage) + .anyMatch(msg -> msg.contains("WorkerTraceId: aaaabbbbccccddddaaaabbbbccccdddd")); + return found; + }); + return null; + }); + traceTaskLogger.detachAppender(listAppender); + } + + @TestConfiguration + static class TestConfig { + @Bean + Logger monitorLogger() { + return log; + } + } +} diff --git a/datavault-worker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension b/datavault-worker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension new file mode 100644 index 000000000..16c8c8ce0 --- /dev/null +++ b/datavault-worker/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension @@ -0,0 +1 @@ +org.datavaultplatform.common.util.TempFileCleanerExtension diff --git a/datavault-worker/src/test/resources/junit-platform.properties b/datavault-worker/src/test/resources/junit-platform.properties new file mode 100644 index 000000000..1cebb76d5 --- /dev/null +++ b/datavault-worker/src/test/resources/junit-platform.properties @@ -0,0 +1 @@ +junit.jupiter.extensions.autodetection.enabled = true \ No newline at end of file diff --git a/datavault-worker/src/test/resources/sampleMessages/sampleTraceMessage.json b/datavault-worker/src/test/resources/sampleMessages/sampleTraceMessage.json new file mode 100644 index 000000000..657b8a1c8 --- /dev/null +++ b/datavault-worker/src/test/resources/sampleMessages/sampleTraceMessage.json @@ -0,0 +1,22 @@ +{ + "taskClass": "org.datavaultplatform.worker.tasks.Trace", + "jobID": "1234567890", + "properties": { + "brokerTraceId" : "broker-trace-id" + }, + "fileStorePaths": null, + "fileUploadPaths": null, + "archiveFileStores": [], + "userFileStoreProperties": {}, + "userFileStoreClasses": {}, + "chunkFilesDigest": {}, + "tarIV": "", + "chunksIVs": {}, + "encTarDigest": "", + "encChunksDigest": {}, + "lastEvent": null, + "chunksToAudit": null, + "archiveIds": null, + "restartArchiveIds": {}, + "redeliver": false +} diff --git a/dv5/local-byodb/scripts/runLocalByodbBroker.sh b/dv5/local-byodb/scripts/runLocalByodbBroker.sh index ad7eb6460..d512d9fb0 100755 --- a/dv5/local-byodb/scripts/runLocalByodbBroker.sh +++ b/dv5/local-byodb/scripts/runLocalByodbBroker.sh @@ -10,7 +10,7 @@ PROJECT_ROOT=$(cd $SCRIPT_DIR/../../..;pwd) cd $PROJECT_ROOT SERVER_PORT=8080 \ - SPRING_PROFILES_ACTIVE=local \ + SPRING_PROFILES_ACTIVE=local,database \ SPRING_SECURITY_DEBUG=true \ DATAVAULT_HOME="$PROJECT_ROOT/dv5/local-byodb/props/broker" \ SPRING_JPA_HIBERNATE_DDL_AUTO=validate \ @@ -28,6 +28,7 @@ cd $PROJECT_ROOT RABBITMQ_DEFINE_QUEUE_WORKER=true \ RABBITMQ_DEFINE_QUEUE_BROKER=true \ LDAP_CONNECTION_TEST_SEARCH_TERM=Bond \ + LOGGING_PATTERN_CONSOLE='%clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %clr([trace=%X{traceId:-} span=%X{spanId:-} user=%X{user:-}]){yellow} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%rEx}' \ ./mvnw spring-boot:run \ -Dspring-boot.run.jvmArguments="-Xdebug \ -Xms1024M -Xmx2024M \ diff --git a/dv5/local-byodb/scripts/runLocalByodbWebApp.sh b/dv5/local-byodb/scripts/runLocalByodbWebApp.sh index b2590f0bd..00321d1a5 100755 --- a/dv5/local-byodb/scripts/runLocalByodbWebApp.sh +++ b/dv5/local-byodb/scripts/runLocalByodbWebApp.sh @@ -12,6 +12,7 @@ cd $PROJECT_ROOT SPRING_SECURITY_DEBUG=true \ LDAP_CONNECTION_TEST_SEARCH_TERM=Bond \ DATAVAULT_HOME="$PROJECT_ROOT/dv5/local-byodb/props/webapp" \ + LOGGING_PATTERN_CONSOLE='%clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %clr([trace=%X{traceId:-} span=%X{spanId:-} user=%X{user:-}]){yellow} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%rEx}' \ ./mvnw spring-boot:run \ -Dspring-boot.run.jvmArguments="-Xdebug \ -Xms1024M -Xmx2024M \ diff --git a/dv5/local-byodb/scripts/runLocalByodbWorker.sh b/dv5/local-byodb/scripts/runLocalByodbWorker.sh index 9103929a5..d98dd56a7 100755 --- a/dv5/local-byodb/scripts/runLocalByodbWorker.sh +++ b/dv5/local-byodb/scripts/runLocalByodbWorker.sh @@ -5,7 +5,24 @@ java -version SCRIPT_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" PROJECT_ROOT=$(cd $SCRIPT_DIR/../../..;pwd) +mkdir -p /tmp/datavault/{temp,meta} + cd $PROJECT_ROOT + +# Interactive prompt +SCRIPT_NAME=$(basename "$0") +ALT_SCRIPT_NAME="runLocalWebApp.sh" +echo "WARNING: You are running $SCRIPT_NAME" +echo "Did you mean to run $ALT_SCRIPT_NAME instead ?" +read -p "ARE YOU SURE YOU WANT TO RUN ${SCRIPT_NAME}? (y/N): " confirm + +# Check if input is y or Y +if [[ ! "$confirm" =~ ^[yY]$ ]]; then + echo "Exiting. Please run $ALT_SCRIPT_NAME instead." + exit 1 +fi + +echo "Proceeding to run $SCRIPT_NAME" SERVER_PORT=9090 \ SPRING_APPLICATION_NAME=datavault-worker-1 \ SPRING_SECURITY_DEBUG=true \ diff --git a/pom.xml b/pom.xml index ef79d4d2e..9cb5147d8 100644 --- a/pom.xml +++ b/pom.xml @@ -112,9 +112,6 @@ 2.1.7 - - 2.8.4 - 2.4.1 @@ -173,6 +170,13 @@ + + + io.micrometer + micrometer-tracing-bridge-otel + 1.6.5 + compile + datavault datavault-common @@ -489,11 +493,6 @@ spring-boot-configuration-processor true - - org.springdoc - springdoc-openapi-starter-webmvc-ui - ${springdoc.openapi.version} - @@ -551,6 +550,7 @@ maven-failsafe-plugin ${failsafe.plugin.version} + -Duser.timezone=Europe/London ${skip.integration.tests} 300 s @@ -563,6 +563,7 @@ maven-surefire-plugin ${surefire.plugin.version} + -Duser.timezone=Europe/London ${skip.unit.tests} slow,org.datavaultplatform.test.TSMTest