Securing the web application (#310)

war/pom.xml

@@ -61,6 +61,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>

war/src/main/java/io/jenkins/pluginhealth/scoring/config/SecurityConfiguration.java

@@ -0,0 +1,48 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2023 Jenkins Infra
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package io.jenkins.pluginhealth.scoring.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfiguration {
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            .authorizeHttpRequests(request ->
+                request
+                    .requestMatchers(HttpMethod.GET, "/js/*", "/style.css", "/svg/*").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/scores", "/", "/probes", "/probes/*", "/scores", "/scores/*").permitAll()
+                    .anyRequest().authenticated()
+            );
+        return http.build();
+    }
+}

war/src/test/java/io/jenkins/pluginhealth/scoring/http/ProbeControllerTest.java

@@ -35,6 +35,7 @@
 
 import java.util.List;
 
+import io.jenkins.pluginhealth.scoring.config.SecurityConfiguration;
 import io.jenkins.pluginhealth.scoring.probes.Probe;
 import io.jenkins.pluginhealth.scoring.service.PluginService;
 import io.jenkins.pluginhealth.scoring.service.ProbeService;
@@ -51,7 +52,7 @@
 import org.springframework.test.web.servlet.MockMvc;
 
 @ExtendWith({SpringExtension.class, MockitoExtension.class})
-@ImportAutoConfiguration(ProjectInfoAutoConfiguration.class)
+@ImportAutoConfiguration({ProjectInfoAutoConfiguration.class, SecurityConfiguration.class})
 @WebMvcTest(
     controllers = ProbesController.class
 )

war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreAPITest.java

@@ -34,6 +34,7 @@
 import java.util.Map;
 import java.util.Optional;
 
+import io.jenkins.pluginhealth.scoring.config.SecurityConfiguration;
 import io.jenkins.pluginhealth.scoring.model.Plugin;
 import io.jenkins.pluginhealth.scoring.model.ProbeResult;
 import io.jenkins.pluginhealth.scoring.model.Score;
@@ -56,7 +57,7 @@
 import org.springframework.test.web.servlet.MockMvc;
 
 @ExtendWith({ SpringExtension.class, MockitoExtension.class })
-@ImportAutoConfiguration(ProjectInfoAutoConfiguration.class)
+@ImportAutoConfiguration({ProjectInfoAutoConfiguration.class, SecurityConfiguration.class})
 @WebMvcTest(
     controllers = ScoreAPI.class
 )

war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreControllerTest.java

@@ -37,6 +37,7 @@
 import java.util.Optional;
 import java.util.Set;
 
+import io.jenkins.pluginhealth.scoring.config.SecurityConfiguration;
 import io.jenkins.pluginhealth.scoring.model.Plugin;
 import io.jenkins.pluginhealth.scoring.model.ProbeResult;
 import io.jenkins.pluginhealth.scoring.model.Score;
@@ -57,7 +58,7 @@
 import org.springframework.test.web.servlet.MockMvc;
 
 @ExtendWith({SpringExtension.class, MockitoExtension.class})
-@ImportAutoConfiguration(ProjectInfoAutoConfiguration.class)
+@ImportAutoConfiguration({ProjectInfoAutoConfiguration.class, SecurityConfiguration.class})
 @WebMvcTest(
     controllers = ScoreController.class
 )