From 6a9dbcf22c034f4703f80306779a61615cbb9b2a Mon Sep 17 00:00:00 2001 From: Adrien Lecharpentier Date: Tue, 16 May 2023 10:24:40 +0200 Subject: [PATCH] Securing the web application (#310) --- war/pom.xml | 4 ++ .../scoring/config/SecurityConfiguration.java | 48 +++++++++++++++++++ .../scoring/http/ProbeControllerTest.java | 3 +- .../scoring/http/ScoreAPITest.java | 3 +- .../scoring/http/ScoreControllerTest.java | 3 +- 5 files changed, 58 insertions(+), 3 deletions(-) create mode 100644 war/src/main/java/io/jenkins/pluginhealth/scoring/config/SecurityConfiguration.java diff --git a/war/pom.xml b/war/pom.xml index 2eb3a7007..17653304b 100644 --- a/war/pom.xml +++ b/war/pom.xml @@ -61,6 +61,10 @@ org.springframework.boot spring-boot-starter-web + + org.springframework.boot + spring-boot-starter-security + org.springframework.boot spring-boot-starter-thymeleaf diff --git a/war/src/main/java/io/jenkins/pluginhealth/scoring/config/SecurityConfiguration.java b/war/src/main/java/io/jenkins/pluginhealth/scoring/config/SecurityConfiguration.java new file mode 100644 index 000000000..9d592f701 --- /dev/null +++ b/war/src/main/java/io/jenkins/pluginhealth/scoring/config/SecurityConfiguration.java 
@@ -0,0 +1,48 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2023 Jenkins Infra
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + +package io.jenkins.pluginhealth.scoring.config; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.http.HttpMethod; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.web.SecurityFilterChain; + +@Configuration +@EnableWebSecurity +public class SecurityConfiguration { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests(request -> + request + .requestMatchers(HttpMethod.GET, "/js/*", "/style.css", "/svg/*").permitAll() + .requestMatchers(HttpMethod.GET, "/api/scores", "/", "/probes", "/probes/*", "/scores", "/scores/*").permitAll() + .anyRequest().authenticated() + ); + return http.build(); + } +} diff --git a/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ProbeControllerTest.java b/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ProbeControllerTest.java index 78325af32..fd54b0c53 100644 --- a/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ProbeControllerTest.java +++ b/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ProbeControllerTest.java @@ -35,6 +35,7 @@ import java.util.List; +import io.jenkins.pluginhealth.scoring.config.SecurityConfiguration; import io.jenkins.pluginhealth.scoring.probes.Probe; import io.jenkins.pluginhealth.scoring.service.PluginService; import io.jenkins.pluginhealth.scoring.service.ProbeService; @@ -51,7 +52,7 @@ import org.springframework.test.web.servlet.MockMvc; @ExtendWith({SpringExtension.class, MockitoExtension.class}) -@ImportAutoConfiguration(ProjectInfoAutoConfiguration.class) +@ImportAutoConfiguration({ProjectInfoAutoConfiguration.class, SecurityConfiguration.class}) @WebMvcTest( controllers = ProbesController.class ) 
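Review bot: `anyRequest().authenticated()` in `securityFilterChain` has no authentication mechanism behind it (the chain configures neither `formLogin()` nor `httpBasic()`), so every request outside the permitted GET list ends in a 403 — and since Spring Security 6's `authorizeHttpRequests` presumably also covers the container's ERROR dispatch to Spring Boot's `/error` page, anonymous visitors would likely see a blank 403 in place of ordinary 404/500 pages; confirm this against the Spring Boot version the project pins, which this diff does not show. If the intent is that only the listed pages are reachable, state it with `.anyRequest().denyAll()` and permit the error dispatch ahead of it with `.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()` (`DispatcherType` from the servlet API); if operator endpoints are meant to be logged into, the login mechanism is still missing. Unless a `UserDetailsService` or `AuthenticationManager` bean exists elsewhere in the project, Spring Boot will still auto-configure its in-memory user and print a generated password in the startup log, which is noise at best and worth disabling explicitly. The three test changes exercise only permitted GETs; one MockMvc assertion that an unlisted path, or a `POST` to `/api/scores`, returns 403 would pin the deny rule this commit introduces. `/js/*` and `/svg/*` match a single path segment, so nested asset directories, if any exist, also fall into the authenticated bucket — `/js/**` and `/svg/**` if that is not intended.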
diff --git a/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreAPITest.java b/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreAPITest.java index ec7980089..d3c985745 100644 --- a/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreAPITest.java +++ b/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreAPITest.java @@ -34,6 +34,7 @@ import java.util.Map; import java.util.Optional; +import io.jenkins.pluginhealth.scoring.config.SecurityConfiguration; import io.jenkins.pluginhealth.scoring.model.Plugin; import io.jenkins.pluginhealth.scoring.model.ProbeResult; import io.jenkins.pluginhealth.scoring.model.Score; @@ -56,7 +57,7 @@ import org.springframework.test.web.servlet.MockMvc; @ExtendWith({ SpringExtension.class, MockitoExtension.class }) -@ImportAutoConfiguration(ProjectInfoAutoConfiguration.class) +@ImportAutoConfiguration({ProjectInfoAutoConfiguration.class, SecurityConfiguration.class}) @WebMvcTest( controllers = ScoreAPI.class ) diff --git a/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreControllerTest.java b/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreControllerTest.java index 1d424fce6..3ed34c283 100644 --- a/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreControllerTest.java +++ b/war/src/test/java/io/jenkins/pluginhealth/scoring/http/ScoreControllerTest.java @@ -37,6 +37,7 @@ import java.util.Optional; import java.util.Set; +import io.jenkins.pluginhealth.scoring.config.SecurityConfiguration; import io.jenkins.pluginhealth.scoring.model.Plugin; import io.jenkins.pluginhealth.scoring.model.ProbeResult; import io.jenkins.pluginhealth.scoring.model.Score; 
@@ -57,7 +58,7 @@ import org.springframework.test.web.servlet.MockMvc; @ExtendWith({SpringExtension.class, MockitoExtension.class}) -@ImportAutoConfiguration(ProjectInfoAutoConfiguration.class) +@ImportAutoConfiguration({ProjectInfoAutoConfiguration.class, SecurityConfiguration.class}) @WebMvcTest( controllers = ScoreController.class )