Examples with SecurityValidationHandler com.nike.riposte.server.handler.SecurityValidationHandler used on opensource projects

Example 1 with SecurityValidationHandler

use of com.nike.riposte.server.handler.SecurityValidationHandler in project riposte by Nike-Inc.

the class HttpChannelInitializerTest method initChannel_adds_before_and_after_RequestFilterHandler_appropriately_before_and_after_security_filter.

@Test
public void initChannel_adds_before_and_after_RequestFilterHandler_appropriately_before_and_after_security_filter() {
    // given
    RequestAndResponseFilter beforeSecurityRequestFilter = mock(RequestAndResponseFilter.class);
    doReturn(true).when(beforeSecurityRequestFilter).shouldExecuteBeforeSecurityValidation();
    RequestAndResponseFilter afterSecurityRequestFilter = mock(RequestAndResponseFilter.class);
    doReturn(false).when(afterSecurityRequestFilter).shouldExecuteBeforeSecurityValidation();
    List<RequestAndResponseFilter> requestAndResponseFilters = Arrays.asList(beforeSecurityRequestFilter, afterSecurityRequestFilter);
    HttpChannelInitializer hci = basicHttpChannelInitializer(null, 0, 42, false, null, requestAndResponseFilters);
    // when
    hci.initChannel(socketChannelMock);
    // then
    ArgumentCaptor<ChannelHandler> channelHandlerArgumentCaptor = ArgumentCaptor.forClass(ChannelHandler.class);
    verify(channelPipelineMock, atLeastOnce()).addLast(anyString(), channelHandlerArgumentCaptor.capture());
    List<ChannelHandler> handlers = channelHandlerArgumentCaptor.getAllValues();
    Pair<Integer, AccessLogStartHandler> accessLogStartHandler = findChannelHandler(handlers, AccessLogStartHandler.class);
    Pair<Integer, RequestFilterHandler> beforeSecurityRequestFilterHandler = findChannelHandler(handlers, RequestFilterHandler.class);
    Pair<Integer, RequestFilterHandler> afterSecurityRequestFilterHandler = findChannelHandler(handlers, RequestFilterHandler.class, true);
    Pair<Integer, RoutingHandler> routingHandler = findChannelHandler(handlers, RoutingHandler.class);
    Pair<Integer, SecurityValidationHandler> securityValidationHandler = findChannelHandler(handlers, SecurityValidationHandler.class);
    Pair<Integer, RequestContentDeserializerHandler> requestContentDeserializerHandler = findChannelHandler(handlers, RequestContentDeserializerHandler.class);
    assertThat(accessLogStartHandler, notNullValue());
    assertThat(beforeSecurityRequestFilterHandler, notNullValue());
    assertThat(routingHandler, notNullValue());
    assertThat(afterSecurityRequestFilterHandler, notNullValue());
    assertThat(securityValidationHandler, notNullValue());
    assertThat(requestContentDeserializerHandler, notNullValue());
    Assertions.assertThat(beforeSecurityRequestFilterHandler.getLeft()).isGreaterThan(accessLogStartHandler.getLeft());
    Assertions.assertThat(beforeSecurityRequestFilterHandler.getLeft()).isLessThan(securityValidationHandler.getLeft());
    // beforeSecurityRequestFilterHandler must come before RoutingHandler as well (so that it is executed before any 404 gets thrown)
    Assertions.assertThat(beforeSecurityRequestFilterHandler.getLeft()).isLessThan(routingHandler.getLeft());
    Assertions.assertThat(afterSecurityRequestFilterHandler.getLeft()).isGreaterThan(securityValidationHandler.getLeft());
    Assertions.assertThat(afterSecurityRequestFilterHandler.getLeft()).isLessThan(requestContentDeserializerHandler.getLeft());
    // and then
    RequestFilterHandler beforeSecurityCachedHandler = extractField(hci, "beforeSecurityRequestFilterHandler");
    Assertions.assertThat(beforeSecurityRequestFilterHandler.getRight()).isSameAs(beforeSecurityCachedHandler);
    RequestFilterHandler afterSecurityCachedHandler = extractField(hci, "afterSecurityRequestFilterHandler");
    Assertions.assertThat(afterSecurityRequestFilterHandler.getRight()).isSameAs(afterSecurityCachedHandler);
}

Example 2 with SecurityValidationHandler

use of com.nike.riposte.server.handler.SecurityValidationHandler in project riposte by Nike-Inc.

the class HttpChannelInitializer method initChannel.

@Override
public void initChannel(SocketChannel ch) {
    ChannelPipeline p = ch.pipeline();
    // request/response payloads, etc.
    if (debugChannelLifecycleLoggingEnabled) {
        p.addLast(SERVER_WORKER_CHANNEL_DEBUG_LOGGING_HANDLER_NAME, new LoggingHandler(SERVER_WORKER_CHANNEL_DEBUG_SLF4J_LOGGER_NAME, LogLevel.DEBUG));
    }
    // order).
    if (sslCtx != null)
        p.addLast(SSL_HANDLER_NAME, sslCtx.newHandler(ch.alloc()));
    // OUTBOUND - Add HttpResponseEncoder to encode our responses appropriately.
    // This MUST be the earliest "outbound" handler after the SSL handler since outbound handlers are
    // processed in reverse order.
    p.addLast(HTTP_RESPONSE_ENCODER_HANDLER_NAME, new HttpResponseEncoder());
    // OUTBOUND - Add ProcessFinalResponseOutputHandler to get the final response headers, calculate the final
    // content length (after compression/gzip and/or any other modifications), etc, and set those values
    // on the channel's HttpProcessingState.
    p.addLast(PROCESS_FINAL_RESPONSE_OUTPUT_HANDLER_NAME, new ProcessFinalResponseOutputHandler());
    // INBOUND - Add HttpRequestDecoder so that incoming messages are translated into the appropriate HttpMessage
    // objects.
    p.addLast(HTTP_REQUEST_DECODER_HANDLER_NAME, new HttpRequestDecoder(httpRequestDecoderConfig.maxInitialLineLength(), httpRequestDecoderConfig.maxHeaderSize(), httpRequestDecoderConfig.maxChunkSize()));
    // INBOUND - Now that the message is translated into HttpMessages we can add RequestStateCleanerHandler to
    // setup/clean state for the rest of the pipeline.
    p.addLast(REQUEST_STATE_CLEANER_HANDLER_NAME, new RequestStateCleanerHandler(metricsListener, incompleteHttpCallTimeoutMillis));
    // INBOUND - Add DTraceStartHandler to start the distributed tracing for this request
    p.addLast(DTRACE_START_HANDLER_NAME, new DTraceStartHandler(userIdHeaderKeys));
    // INBOUND - Access log start
    p.addLast(ACCESS_LOG_START_HANDLER_NAME, new AccessLogStartHandler());
    // IN/OUT - Add SmartHttpContentCompressor for automatic content compression (if appropriate for the
    // request/response/size threshold). This must be after HttpRequestDecoder on the incoming pipeline and
    // before HttpResponseEncoder on the outbound pipeline (keep in mind that "before" on outbound means
    // later in the list since outbound is processed in reverse order).
    p.addLast(SMART_HTTP_CONTENT_COMPRESSOR_HANDLER_NAME, new SmartHttpContentCompressor(responseCompressionThresholdBytes));
    // before RoutingHandler throws 404s/405s.
    if (beforeSecurityRequestFilterHandler != null)
        p.addLast(REQUEST_FILTER_BEFORE_SECURITY_HANDLER_NAME, beforeSecurityRequestFilterHandler);
    // INBOUND - Add RoutingHandler to figure out which endpoint should handle the request and set it on our request
    // state for later execution
    p.addLast(ROUTING_HANDLER_NAME, new RoutingHandler(endpoints, maxRequestSizeInBytes));
    // INBOUND - Add SmartHttpContentDecompressor for automatic content decompression if the request indicates it
    // is compressed *and* the target endpoint (determined by the previous RoutingHandler) is one that
    // is eligible for auto-decompression.
    p.addLast(SMART_HTTP_CONTENT_DECOMPRESSOR_HANDLER_NAME, new SmartHttpContentDecompressor());
    // INBOUND - Add RequestInfoSetterHandler to populate our RequestInfo's content.
    p.addLast(REQUEST_INFO_SETTER_HANDLER_NAME, new RequestInfoSetterHandler(maxRequestSizeInBytes));
    // maxOpenChannelsThreshold is not -1.
    if (maxOpenChannelsThreshold != -1) {
        p.addLast(OPEN_CHANNEL_LIMIT_HANDLER_NAME, new OpenChannelLimitHandler(openChannelsGroup, maxOpenChannelsThreshold));
    }
    // INBOUND - Add SecurityValidationHandler to validate the RequestInfo object for the matching endpoint
    p.addLast(SECURITY_VALIDATION_HANDLER_NAME, new SecurityValidationHandler(requestSecurityValidator));
    // INBOUND - Add the RequestFilterHandler for after security (if we have any filters to apply).
    if (afterSecurityRequestFilterHandler != null)
        p.addLast(REQUEST_FILTER_AFTER_SECURITY_HANDLER_NAME, afterSecurityRequestFilterHandler);
    // INBOUND - Now that the request state knows which endpoint will be called we can try to deserialize the
    // request content (if desired by the endpoint)
    p.addLast(REQUEST_CONTENT_DESERIALIZER_HANDLER_NAME, new RequestContentDeserializerHandler(requestContentDeserializer));
    // deserialized content (if desired by the endpoint and if we have a non-null validator)
    if (validationService != null)
        p.addLast(REQUEST_CONTENT_VALIDATION_HANDLER_NAME, new RequestContentValidationHandler(validationService));
    // INBOUND - Add NonblockingEndpointExecutionHandler to perform execution of async/nonblocking endpoints
    p.addLast(NONBLOCKING_ENDPOINT_EXECUTION_HANDLER_NAME, new NonblockingEndpointExecutionHandler(longRunningTaskExecutor, defaultCompletableFutureTimeoutMillis));
    // INBOUND - Add ProxyRouterEndpointExecutionHandler to perform execution of proxy routing endpoints
    p.addLast(PROXY_ROUTER_ENDPOINT_EXECUTION_HANDLER_NAME, new ProxyRouterEndpointExecutionHandler(longRunningTaskExecutor, streamingAsyncHttpClientForProxyRouterEndpoints, defaultCompletableFutureTimeoutMillis));
    // INBOUND - Add RequestHasBeenHandledVerificationHandler to verify that one of the endpoint handlers took care
    // of the request. This makes sure that the messages coming into channelRead are correctly typed for
    // the rest of the pipeline.
    p.addLast(REQUEST_HAS_BEEN_HANDLED_VERIFICATION_HANDLER_NAME, new RequestHasBeenHandledVerificationHandler());
    // INBOUND - Add ExceptionHandlingHandler to catch and deal with any exceptions or requests that fell through
    // the cracks.
    ExceptionHandlingHandler exceptionHandlingHandler = new ExceptionHandlingHandler(riposteErrorHandler, riposteUnhandledErrorHandler);
    p.addLast(EXCEPTION_HANDLING_HANDLER_NAME, exceptionHandlingHandler);
    // INBOUND - Add the ResponseFilterHandler (if we have any filters to apply).
    if (cachedResponseFilterHandler != null)
        p.addLast(RESPONSE_FILTER_HANDLER_NAME, cachedResponseFilterHandler);
    // INBOUND - Add ResponseSenderHandler to send the response that got put into the request state
    p.addLast(RESPONSE_SENDER_HANDLER_NAME, new ResponseSenderHandler(responseSender));
    // INBOUND - Access log end
    p.addLast(ACCESS_LOG_END_HANDLER_NAME, new AccessLogEndHandler(accessLogger));
    // INBOUND - Add DTraceEndHandler to finish up our distributed trace for this request.
    p.addLast(DTRACE_END_HANDLER_NAME, new DTraceEndHandler());
    // INBOUND - Add ChannelPipelineFinalizerHandler to stop the request processing.
    p.addLast(CHANNEL_PIPELINE_FINALIZER_HANDLER_NAME, new ChannelPipelineFinalizerHandler(exceptionHandlingHandler, responseSender, metricsListener, accessLogger, workerChannelIdleTimeoutMillis));
    // pipeline create hooks
    if (pipelineCreateHooks != null) {
        for (PipelineCreateHook hook : pipelineCreateHooks) {
            hook.executePipelineCreateHook(p);
        }
    }
}