🐛 gateway fix csrf property not settable

[simonhir]

Description

Property can't be set via env var as Spring doesn't find setter.
Leads to error while startup.

Summary by CodeRabbit

• New Features
  • Enhanced security properties with a mutable CSRF whitelist for improved flexibility.
  • Added automatic generation of getter and setter methods for easier management of class fields.
  • Introduced annotations to suppress warnings related to mutable object exposure, ensuring better code safety.

[coderabbitai]

Walkthrough

The changes involve modifications to the SecurityProperties class in the de.muenchen.refarch.gateway.configuration package. The csrfWhitelisted field has been changed from a private final to a mutable private declaration, allowing for post-instantiation modifications. Additionally, the @Data annotation from Lombok has been added to the class, which facilitates the automatic generation of getter and setter methods for its fields, while the existing getter method for csrfWhitelisted has been removed. A @SuppressFBWarnings annotation has also been introduced to suppress warnings related to mutable lists.

Changes

File	Change Summary
src/main/java/de/muenchen/refarch/gateway/configuration/SecurityProperties.java	- Changed csrfWhitelisted from private final List<String> to private List<String>. - Added @Data annotation to the class. - Removed existing getter for csrfWhitelisted. - Added @SuppressFBWarnings("EI_EXPOSE_REP") annotation.
src/main/java/de/muenchen/refarch/gateway/configuration/CsrfProtectionMatcher.java	- Added @SuppressFBWarnings("EI_EXPOSE_REP2") annotation to private final SecurityProperties securityProperties;.

Poem

In the code where rabbits play,
Security properties find their way.
Mutable lists, oh what a delight,
With getters and setters, all feels right!
Hopping through changes, we cheer and say,
"Code's a garden, let it sway!" 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 0500979 and d102995.

📒 Files selected for processing (1)

• refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/SecurityProperties.java (1 hunks)

🔇 Additional comments (3)

refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/SecurityProperties.java (3)

Line range hint 15-17: LGTM! Good use of defensive copying

The custom getter maintaining defensive copying with List.copyOf() is a good practice for encapsulation, preventing external modifications to the internal list.

---

Line range hint 1-18: Verify security implications of CSRF configuration

Since this is security-critical code handling CSRF whitelist configuration, please ensure:

1. The property can only be set through trusted configuration sources
2. The whitelist is properly validated before being applied

Let's check for security validations:

✅ Verification successful

Let me analyze the CSRF configuration based on the shell script results and generate a final response.

CSRF configuration is properly secured

The implementation shows a robust CSRF protection setup:

1. The CSRF whitelist is properly encapsulated with defensive copying (List.copyOf) to prevent modification after configuration
2. The CSRF configuration in SecurityConfiguration uses Spring Security's recommended practices:
   • Uses CookieServerCsrfTokenRepository with httpOnly=false for SPA compatibility
   • Implements SpaServerCsrfTokenRequestHandler with BREACH attack protection
   • Properly validates CSRF tokens through header or form parameter
3. The whitelist is only configurable through application properties, which are typically secured in production environments

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for security validations around CSRF configuration

# Search for CSRF security configurations and validations
echo "Checking for CSRF security configurations:"
rg -t java "csrf" -A 5 -B 5

# Search for property validation logic
echo "Checking for property validation logic:"
ast-grep --pattern 'class $_ implements WebSecurityConfigurerAdapter { 
  $$$
  configure($_) {
    $$$
  }
}'

Length of output: 29143

---

13-13: Verify Spring property binding functionality

The change from final to non-final should allow Spring to set the property via environment variables. The default initialization with List.of() is a good practice for immutable empty list.

Let's verify if Spring can now properly bind properties:

✅ Verification successful

Spring property binding should work as expected

The verification shows that:

• The class is properly annotated with @ConfigurationProperties("refarch.security")
• The class uses Lombok's @Data which generates the necessary setters
• The non-final field allows Spring to set the property value
• The class follows Spring Boot's configuration properties binding conventions

While there are no explicit property binding tests, the setup is correct and follows Spring Boot's standard practices for external configuration binding.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for Spring property binding configuration in application properties/yaml files
# and verify if there are any test cases validating the property binding

# Search for property usage in application properties/yaml files
echo "Checking application properties/yaml files for CSRF property configuration:"
rg -t yaml -t properties "refarch\.security\.csrf-whitelisted" 

# Search for test cases validating property binding
echo "Checking for test cases validating property binding:"
rg -t java "SecurityProperties.*csrfWhitelisted" --type-add "java:*.java" -g "*Test.java"

Length of output: 467

---

Script:

#!/bin/bash
# Let's try a different approach to find property configurations and tests

# Search for property files with any csrf related configuration
echo "Checking for CSRF configurations in yaml/properties files:"
fd -e yml -e yaml -e properties . | xargs cat 2>/dev/null | grep -i "csrf"

# Search for SecurityProperties usage in test files with broader context
echo "Checking test files for SecurityProperties usage:"
rg -t java "SecurityProperties" -B 2 -A 2 --type-add "java:*.java" -g "*Test.java"

# Check if there are any configuration tests
echo "Checking for configuration test classes:"
rg -t java "class.*Test.*Configuration" --type-add "java:*.java"

# Look for Spring configuration properties annotation
echo "Checking ConfigurationProperties usage:"
ast-grep --pattern 'class $_ {
  $$$
  @ConfigurationProperties($_)
  $$$
}'

Length of output: 707

---

Script:

#!/bin/bash
# Let's check the SecurityProperties class implementation and its annotations

# Check SecurityProperties class implementation
echo "Checking SecurityProperties class implementation:"
rg -t java "class SecurityProperties" -B 5 -A 1

# Look for @ConfigurationProperties specifically in SecurityProperties
echo "Checking ConfigurationProperties in SecurityProperties:"
ast-grep --pattern '@ConfigurationProperties($_)
class SecurityProperties {
  $$$
}'

# Check for any Spring Boot test configurations
echo "Checking Spring Boot test configurations:"
rg -t java "@SpringBootTest|@TestConfiguration" -B 2 -A 2

# Look for property binding tests in a broader context
echo "Looking for property-related test methods:"
rg -t java "@Test.*csrf" -B 2 -A 5

Length of output: 8334

[devtobi]

LGTM, we just need to make sure to remove the suppressions when we did it-at-m/refarch-templates#545

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between d102995 and 8bbdf07.

📒 Files selected for processing (2)

• refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/CsrfProtectionMatcher.java (2 hunks)
• refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/SecurityProperties.java (1 hunks)

🔇 Additional comments (3)

refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/SecurityProperties.java (2)

8-10: Consider using more specific Lombok annotations instead of @DaTa

The @Data annotation generates all getters/setters, but since we only need the csrfWhitelisted property to be settable, using more specific annotations would be more appropriate.

---

14-15: Verify environment variable property binding

The changes look good for enabling property binding. Let's verify it works with environment variables.

✅ Verification successful

Property binding is correctly configured

The verification confirms that the property binding is properly set up:

• The SecurityProperties class is annotated with @ConfigurationProperties("refarch.security")
• The application uses @ConfigurationPropertiesScan in the main application class
• The CsrfProtectionMatcher correctly injects and uses the SecurityProperties
• The property can be set via environment variable following Spring Boot's relaxed binding rules: REFARCH_SECURITY_CSRF_WHITELISTED

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify property binding configuration in application properties/yaml files
# Look for any existing property configurations or documentation

# Search for property usage in yaml/properties files
echo "Searching for property configurations..."
rg -t yaml -t properties "refarch\.security\.csrf-whitelisted" 

# Search for property documentation
echo "Searching for property documentation..."
fd -e md -e adoc | xargs rg -l "refarch\.security\.csrf-whitelisted"

Length of output: 350

---

Script:

#!/bin/bash
# Let's try a different approach to search for property configurations

# Search for property files
echo "Listing property/yaml files:"
fd "\.(properties|ya?ml)$"

# Search with a more flexible pattern for csrf configurations
echo -e "\nSearching for csrf-related configurations:"
rg -i "csrf" -t yaml

# Search for SecurityProperties usage
echo -e "\nSearching for SecurityProperties usage:"
rg "SecurityProperties"

# Look for Spring configuration metadata
echo -e "\nSearching for configuration metadata:"
fd "spring-configuration-metadata.json|additional-spring-configuration-metadata.json"

Length of output: 2055

---

Script:

#!/bin/bash
# Let's examine the application.yml and CsrfProtectionMatcher to understand the property binding

# Check application.yml content
echo "Content of main application.yml:"
cat refarch-gateway/src/main/resources/application.yml

# Check CsrfProtectionMatcher implementation
echo -e "\nContent of CsrfProtectionMatcher:"
cat refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/CsrfProtectionMatcher.java

# Check if there's any prefix configuration for properties
echo -e "\nSearching for @ConfigurationProperties usage:"
rg "@ConfigurationProperties" -A 2

Length of output: 10342

refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/CsrfProtectionMatcher.java (1)

28-29: Appropriate use of FindBugs suppression

The @SuppressFBWarnings("EI_EXPOSE_REP2") annotation is correctly used here since:

• SecurityProperties is a Spring-managed singleton
• The field is final, preventing reassignment
• The warning about storing a reference to an externally mutable object can be safely ignored in this context