[Tech] Correction de la vulnérabilité critique (#2378)

## Linked issues - Resolve #2371 ---- - [ ] Tests E2E (Cypress)
MTES-MCT · Jul 20, 2023 · 49533b0 · 49533b0
2 parents 47588a0 + cde0af9
commit 49533b0
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 67 deletions.
diff --git a/backend/pom.xml b/backend/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.1.0</version>
+        <version>3.1.1</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>fr.gouv.cnsp</groupId>
@@ -16,7 +16,7 @@
 
     <properties>
         <java.version>17</java.version>
-        <spring.version>3.1.1</spring.version>
+        <spring.version>${project.parent.version}</spring.version>
         <kotlin.version>1.9.0</kotlin.version>
         <testcontainers.version>1.18.3</testcontainers.version>
         <ktor.version>2.3.2</ktor.version>

diff --git a/backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/config/OIDCProperties.kt b/backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/config/OIDCProperties.kt
@@ -5,7 +5,7 @@ import org.springframework.stereotype.Component
 
 @Component
 @ConfigurationProperties(prefix = "monitorfish.oidc")
-data class OIDCProperties(
-    var enabled: Boolean? = false,
-    var userinfoEndpoint: String? = null,
-)
+class OIDCProperties {
+    var enabled: Boolean? = false
+    var userinfoEndpoint: String? = null
+}
diff --git a/backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/config/ProtectedPathsAPIProperties.kt b/backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/config/ProtectedPathsAPIProperties.kt
@@ -5,9 +5,9 @@ import org.springframework.stereotype.Component
 
 @Component
 @ConfigurationProperties(prefix = "monitorfish.api.protected")
-data class ProtectedPathsAPIProperties(
-    var paths: List<String>? = listOf(),
-    var superUserPaths: List<String>? = listOf(),
-    var publicPaths: List<String>? = listOf(),
-    var apiKey: String = "",
-)
+class ProtectedPathsAPIProperties {
+    var paths: List<String>? = listOf()
+    var superUserPaths: List<String>? = listOf()
+    var publicPaths: List<String>? = listOf()
+    var apiKey: String = ""
+}
diff --git a/backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/config/SuperUserAPIProperties.kt b/backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/config/SuperUserAPIProperties.kt
@@ -5,6 +5,6 @@ import org.springframework.stereotype.Component
 
 @Component
 @ConfigurationProperties(prefix = "monitorfish.api.super-user")
-data class SuperUserAPIProperties(
-    var paths: List<String>? = listOf(),
-)
+class SuperUserAPIProperties {
+    var paths: List<String>? = listOf()
+}
diff --git a/...st/kotlin/fr/gouv/cnsp/monitorfish/infrastructure/api/security/ApiKeyCheckFilterUTests.kt b/...st/kotlin/fr/gouv/cnsp/monitorfish/infrastructure/api/security/ApiKeyCheckFilterUTests.kt
@@ -18,9 +18,9 @@ class ApiKeyCheckFilterUTests {
     @Test
     fun `Should return Ok When the token is right`() {
         // Given
-        val protectedPaths = ProtectedPathsAPIProperties(
-            apiKey = "DUMMY_API_KEY",
-        )
+        val protectedPaths = ProtectedPathsAPIProperties()
+        protectedPaths.apiKey = "DUMMY_API_KEY"
+
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
 
@@ -40,9 +40,8 @@ class ApiKeyCheckFilterUTests {
     @Test
     fun `Should return unauthorized When the token is missing`() {
         // Given
-        val protectedPaths = ProtectedPathsAPIProperties(
-            apiKey = "DUMMY_API_KEY",
-        )
+        val protectedPaths = ProtectedPathsAPIProperties()
+        protectedPaths.apiKey = "DUMMY_API_KEY"
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
 
@@ -61,9 +60,8 @@ class ApiKeyCheckFilterUTests {
     @Test
     fun `Should return unauthorized When the token is wrong`() {
         // Given
-        val protectedPaths = ProtectedPathsAPIProperties(
-            apiKey = "DUMMY_API_KEY",
-        )
+        val protectedPaths = ProtectedPathsAPIProperties()
+        protectedPaths.apiKey = "DUMMY_API_KEY"
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
 

diff --git a/...r/gouv/cnsp/monitorfish/infrastructure/api/security/UserAuthorizationCheckFilterUTests.kt b/...r/gouv/cnsp/monitorfish/infrastructure/api/security/UserAuthorizationCheckFilterUTests.kt
@@ -31,11 +31,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should return Ok When OIDC is disabled`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = false,
-            userinfoEndpoint = null,
-        )
-        val superUserAPIProperties = ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/**"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = false
+        oidcProperties.userinfoEndpoint = null
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/**")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -55,11 +56,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should return Unauthorized When Bearer header is missing`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = null,
-        )
-        val superUserAPIProperties = ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/**"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = null
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/**")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -80,11 +82,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should return Unauthorized When OIDC user info endpoint is missing`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = null,
-        )
-        val superUserAPIProperties = ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/**"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = null
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/**")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -106,11 +109,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should return Ok When user has right authorization`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user",
-        )
-        val superUserAPIProperties = ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/**"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user"
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/**")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -132,11 +136,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should return Unauthorized When user is missing right authorization`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user",
-        )
-        val superUserAPIProperties = ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/**"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user"
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/**")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -160,12 +165,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should compute the right parameter to getIsAuthorizedUser when requesting a super-user protected path`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user",
-        )
-        val superUserAPIProperties =
-            ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/v1/vessels/risk_factors"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user"
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/v1/vessels/risk_factors")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -188,12 +193,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should compute the right parameter to getIsAuthorizedUser when requesting a super-user protected path with a param`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user",
-        )
-        val superUserAPIProperties =
-            ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/v1/vessels/risk_factors"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user"
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/v1/vessels/risk_factors")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()
@@ -216,12 +221,12 @@ class UserAuthorizationCheckFilterUTests {
     @Test
     fun `Should compute the right parameter to getIsAuthorizedUser when not requesting a super-user protected path`() {
         // Given
-        val oidcProperties = OIDCProperties(
-            enabled = true,
-            userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user",
-        )
-        val superUserAPIProperties =
-            ProtectedPathsAPIProperties(superUserPaths = listOf("/bff/v1/vessels/risk_factors"))
+        val oidcProperties = OIDCProperties()
+        oidcProperties.enabled = true
+        oidcProperties.userinfoEndpoint = "http://issuer-uri.gouv.fr/api/user"
+        val superUserAPIProperties = ProtectedPathsAPIProperties()
+        superUserAPIProperties.superUserPaths = listOf("/bff/v1/vessels/risk_factors")
+
         val mockApi = getMockApiClient()
         val response = MockHttpServletResponse()
         val chain = MockFilterChain()