Merge branch 'InformDataLab-features/cors' into main

camunda-community-hub · Feb 24, 2023 · dbdbd49 · dbdbd49
2 parents 875e830 + 490b9cb
commit dbdbd49
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -167,6 +167,7 @@ server:
   port: 8081
   servlet:
     context-path: /  
+  allowedOriginsUrls: ""
 ```
 
 #### Change the Context-Path
@@ -212,6 +213,18 @@ For example, using PostgreSQL:
 See the [docker-compose file](docker/docker-compose.yml) (profile: `postgres`) for a sample
 configuration with PostgreSQL.
 
+#### Cross Origin Requests
+
+To enable Simple Tasklist to send CORS header with every HTTP response,
+add the allowed origins (`;` separated) in the following property:
+
+``` 
+server:
+  allowedOriginsUrls: http://localhost:8081;https://tasklist.cloud-provider.io:8081
+```
+
+This will then set ```Access-Control-Allow-Origin``` headers in every HTTP response.
+
 ## Build from Source
 
 Build with Maven

diff --git a/pom.xml b/pom.xml
@@ -173,6 +173,35 @@
       <scope>test</scope>
     </dependency>
 
+
+    <!-- testing -->
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-test</artifactId>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>junit</groupId>
+          <artifactId>junit</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <version>5.9.1</version>
+      <scope>test</scope>
+    </dependency>
+
+    <!-- hot swapping, live reload -->
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-devtools</artifactId>
+      <optional>true</optional>
+    </dependency>
+
   </dependencies>
 
   <build>

diff --git a/src/main/java/io/zeebe/tasklist/WebSocketConfig.java b/src/main/java/io/zeebe/tasklist/WebSocketConfig.java
@@ -1,14 +1,19 @@
 package io.zeebe.tasklist;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.messaging.simp.config.MessageBrokerRegistry;
+import org.springframework.util.StringUtils;
 import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
 import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
+import org.springframework.web.socket.config.annotation.StompWebSocketEndpointRegistration;
 import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
 
 @Configuration
 @EnableWebSocketMessageBroker
 public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
+  @Value("${server.allowedOriginsUrls}")
+  private String allowedOriginsUrls;
 
   @Override
   public void configureMessageBroker(MessageBrokerRegistry config) {
@@ -18,6 +23,11 @@ public void configureMessageBroker(MessageBrokerRegistry config) {
 
   @Override
   public void registerStompEndpoints(StompEndpointRegistry registry) {
-    registry.addEndpoint("/notifications").withSockJS();
+    StompWebSocketEndpointRegistration registration = registry.addEndpoint("/notifications");
+    if (StringUtils.hasText(this.allowedOriginsUrls)) {
+      String[] allowedOriginsUrlArr = this.allowedOriginsUrls.split(";");
+      registration = registration.setAllowedOrigins(allowedOriginsUrlArr);
+    }
+    registration.withSockJS();
   }
 }
diff --git a/src/main/java/io/zeebe/tasklist/ZeebeSimpleTasklistApp.java b/src/main/java/io/zeebe/tasklist/ZeebeSimpleTasklistApp.java
@@ -23,9 +23,14 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
 import org.springframework.data.web.config.EnableSpringDataWebSupport;
 import org.springframework.scheduling.annotation.EnableAsync;
 import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.util.StringUtils;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
 
 @SpringBootApplication
 @EnableZeebeClient
@@ -42,6 +47,9 @@ public class ZeebeSimpleTasklistApp {
   @Value("${zeebe.client.worker.tasklist.adminPassword}")
   private String adminPassword;
 
+  @Value("${server.allowedOriginsUrls}")
+  private String allowedOriginsUrls;
+
   @Autowired private UserService userService;
 
   public static void main(String... args) {
@@ -56,4 +64,18 @@ public void init() {
       userService.newAdminUser(adminUsername, adminPassword);
     }
   }
+
+  @Bean
+  public WebMvcConfigurer corsConfigurer() {
+    final String urls = this.allowedOriginsUrls;
+    return new WebMvcConfigurerAdapter() {
+      @Override
+      public void addCorsMappings(CorsRegistry registry) {
+        if (StringUtils.hasText(urls)) {
+          String[] allowedOriginsUrlArr = urls.split(";");
+          registry.addMapping("/**").allowedOrigins(allowedOriginsUrlArr);
+        }
+      }
+    };
+  }
 }
diff --git a/src/test/java/io/zeebe/tasklist/CorsSettingsControllerTest.java b/src/test/java/io/zeebe/tasklist/CorsSettingsControllerTest.java
@@ -0,0 +1,56 @@
+package io.zeebe.tasklist.rest;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import io.zeebe.tasklist.HazelcastService;
+import io.zeebe.tasklist.repository.HazelcastConfigRepository;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.boot.web.server.LocalServerPort;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+
+@SpringBootTest(
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
+    properties = {
+      "server.allowedOriginsUrls: http://www.someurl.com",
+      "logging.level.io.zeebe.tasklist: info",
+    })
+@AutoConfigureMockMvc
+@ActiveProfiles("junittest")
+public class CorsSettingsControllerTest {
+
+  @LocalServerPort protected int port;
+  @Autowired protected MockMvc mockMvc;
+
+  @MockBean protected HazelcastConfigRepository hazelcastConfigRepository;
+  @MockBean protected HazelcastService zeebeHazelcastService;
+
+  @Test
+  public void access_control_origin_request_header_is_checked() throws Exception {
+    mockMvc
+        .perform(
+            options("/")
+                .header("Access-Control-Request-Method", "GET")
+                .header("Host", "localhost")
+                .header("Origin", "http://a.bad-person.internet"))
+        .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void access_control_allow_origin_response_header_is_send() throws Exception {
+    mockMvc
+        .perform(
+            options("/")
+                .header("Access-Control-Request-Method", "GET")
+                .header("Host", "localhost")
+                .header("Origin", "http://www.someurl.com"))
+        .andExpect(status().isOk())
+        .andExpect(header().string("Access-Control-Allow-Origin", "http://www.someurl.com"));
+  }
+}