From 9d6f86cc0a0b1694fe1c108baf7e67e2913bf074 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 30 Dec 2022 16:50:55 +0000
Subject: [PATCH 1/3] Bump spring-cloud-dependencies from 2021.0.4 to 2022.0.0
Bumps [spring-cloud-dependencies](https://github.com/spring-cloud/spring-cloud-release) from 2021.0.4 to 2022.0.0.
- [Release notes](https://github.com/spring-cloud/spring-cloud-release/releases)
- [Commits](https://github.com/spring-cloud/spring-cloud-release/compare/v2021.0.4...v2022.0.0)
---
updated-dependencies:
- dependency-name: org.springframework.cloud:spring-cloud-dependencies
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index e3d87786f..0c8713b00 100644
--- a/pom.xml
+++ b/pom.xml
@@ -42,7 +42,7 @@
 19
 19
- 2021.0.4
+ 2022.0.0
 1.18.24
 2.19.6
 2.5.7
From 0eaaebdf4ec7f45111731d3c40e771572199bcb9 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen
Date: Sat, 31 Dec 2022 09:04:53 +0100
Subject: [PATCH 2/3] Fix for tests
---
 .../wrongsecrets/HerokuWebSecurityConfigTest.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java b/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java
index a2a474e82..2af84c083 100644
--- a/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java
@@ -1,5 +1,6 @@
 package org.owasp.wrongsecrets;
+import org.apache.hc.client5.http.HttpHostConnectException;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -7,6 +8,7 @@
 import org.springframework.boot.web.client.RestTemplateBuilder;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.client.ResourceAccessException;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -31,9 +33,15 @@ void shouldRedirectWhenProtoProvided() {
 .defaultHeader("x-forwarded-proto", "value")
 .build();
 var rootAddress = "http://localhost:" + port + "/heroku";//note we loosely ask for "heroku" to be part of the url
- var result = restTemplate.getForEntity(rootAddress, String.class);
- assertEquals(HttpStatus.FOUND, result.getStatusCode());
- assertEquals("https", result.getHeaders().getLocation().getScheme());
+ try {
+ //old, but will fail in srping security 2022
+ var result = restTemplate.getForEntity(rootAddress, String.class);
+ assertEquals(HttpStatus.FOUND, result.getStatusCode());
+ assertEquals("https", result.getHeaders().getLocation().getScheme());
+ } catch (ResourceAccessException e) {
+ assertEquals(e.getCause().getClass(), HttpHostConnectException.class);
+ assertEquals(e.getCause().getMessage(), "Connect to https://localhost:8443 [localhost/127.0.0.1, localhost/0:0:0:0:0:0:0:1] failed: Connection refused");
+ }
 }
 @Test
From 7ba43e93e37b041b12da31ed738b227c6ce5521d Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen
Date: Sat, 31 Dec 2022 09:09:15 +0100
Subject: [PATCH 3/3] clean exception testing
---
 .../HerokuWebSecurityConfigTest.java | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java b/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java
index 2af84c083..c759a1410 100644
--- a/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java
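Review bot: In the catch block added to shouldRedirectWhenProtoProvided (hunk @@ -31,9 +33,15 @@ of PATCH 2/3), both assertEquals calls pass (actual, expected) instead of JUnit's (expected, actual), and the second one pins the whole error text, including the resolver's address list `[localhost/127.0.0.1, localhost/0:0:0:0:0:0:0:1]`, which presumably differs on an IPv4-only host. I would write `assertEquals(HttpHostConnectException.class, e.getCause().getClass());` and `assertTrue(e.getCause().getMessage().contains("https://localhost:8443"));`, which keeps the part that shows the scheme was upgraded to https. The same two assertions are carried unchanged into hunk @@ -33,15 +32,14 @@ of PATCH 3/3 (there on `exception`). The test method and the start of the builder chain lie outside the hunk.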
@@ -10,8 +10,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.client.ResourceAccessException;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.*;
 // Tests worked with Spring Boot 2.7.5 with random port configuration
 // Not working after migration to Spring Boot 3.0
@@ -33,15 +32,14 @@ void shouldRedirectWhenProtoProvided() {
 .defaultHeader("x-forwarded-proto", "value")
 .build();
 var rootAddress = "http://localhost:" + port + "/heroku";//note we loosely ask for "heroku" to be part of the url
- try {
- //old, but will fail in srping security 2022
- var result = restTemplate.getForEntity(rootAddress, String.class);
- assertEquals(HttpStatus.FOUND, result.getStatusCode());
- assertEquals("https", result.getHeaders().getLocation().getScheme());
- } catch (ResourceAccessException e) {
- assertEquals(e.getCause().getClass(), HttpHostConnectException.class);
- assertEquals(e.getCause().getMessage(), "Connect to https://localhost:8443 [localhost/127.0.0.1, localhost/0:0:0:0:0:0:0:1] failed: Connection refused");
- }
+
+ //in Spring security 2022 we no longer can bind to the new port of the redirect as that is not preset. hence this exception proves the redirect
+ Exception exception = assertThrows(ResourceAccessException.class, () -> {
+ restTemplate.getForEntity(rootAddress, String.class);
+ });
+
+ assertEquals(exception.getCause().getClass(), HttpHostConnectException.class);
+ assertEquals(exception.getCause().getMessage(), "Connect to https://localhost:8443 [localhost/127.0.0.1, localhost/0:0:0:0:0:0:0:1] failed: Connection refused");
 }
 @Test
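Review bot: After the rewrite in hunk @@ -33,15 +32,14 @@, shouldRedirectWhenProtoProvided no longer checks the 302 status or the `Location` scheme; it infers the HTTPS redirect from a refused connection to `https://localhost:8443`, so the result depends on nothing listening on that port of the build host. Telling the client not to follow redirects would let the test assert the redirect itself, as sketched below, assuming the chain is a RestTemplateBuilder and Apache HttpClient 5 (already imported for HttpHostConnectException) stays on the test classpath. The builder chain starts before the hunk, so only the added call and the assertions are shown.

```java
// … unchanged: start of the RestTemplateBuilder chain (outside the hunk) …
        .defaultHeader("x-forwarded-proto", "value")
        // do not follow the redirect, so the 302 itself can be asserted
        .requestFactory(() -> new HttpComponentsClientHttpRequestFactory(
                HttpClients.custom().disableRedirectHandling().build()))
        .build();
// … unchanged: rootAddress …
var result = restTemplate.getForEntity(rootAddress, String.class);
assertEquals(HttpStatus.FOUND, result.getStatusCode());
var location = result.getHeaders().getLocation();
assertNotNull(location);
assertEquals("https", location.getScheme());
```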