add header for hsts security

src/main/java/org/opensrp/web/config/security/SecurityConfig.java

@@ -1,5 +1,5 @@
 /**
- * 
+ *
  */
 package org.opensrp.web.config.security;
 
@@ -42,13 +42,13 @@
  */
 @KeycloakConfiguration
 public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
-	
+
 	@Value("#{opensrp['opensrp.cors.allowed.source']}")
 	private String opensrpAllowedSources;
-	
+
 	@Value("#{opensrp['opensrp.cors.max.age']}")
 	private long corsMaxAge;
-	
+
 	@Value("${keycloak.configurationFile:WEB-INF/keycloak.json}")
 	private Resource keycloakConfigFileResource;
 
@@ -58,24 +58,33 @@ public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
 	@Value("#{opensrp['metrics.permitAll'] ?: false }")
 	private boolean metricsPermitAll;
 
+	@Value("#{opensrp['hsts.header.on'] ?: false }")
+	private boolean hstsHeaderOn;
+
+	@Value("#{opensrp['hsts.include.subdomain'] ?: false }")
+	private boolean hstsIncludeSubdomain;
+
+	@Value("#{opensrp['hsts.max.age.in.seconds']}")
+	private Integer hstsMaxAgeInSeconds;
+
 	@Autowired
 	private KeycloakClientRequestFactory keycloakClientRequestFactory;
-	
+
 	private static final String CORS_ALLOWED_HEADERS = "origin,content-type,accept,x-requested-with,Authorization";
-	
+
 	/**
 	 * Registers the KeycloakAuthenticationProvider with the authentication manager.
 	 */
 	@Autowired
 	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
 		SimpleAuthorityMapper grantedAuthorityMapper = new SimpleAuthorityMapper();
 		grantedAuthorityMapper.setPrefix("ROLE_");
-		
+
 		KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
 		keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthorityMapper);
 		auth.authenticationProvider(keycloakAuthenticationProvider);
 	}
-	
+
 	/**
 	 * Defines the session authentication strategy.
 	 */
@@ -84,7 +93,7 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
 	protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
 		return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
 	}
-	
+
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		super.configure(http);
@@ -114,9 +123,15 @@ protected void configure(HttpSecurity http) throws Exception {
     	.and()
     		.logout()
     		.logoutRequestMatcher(new AntPathRequestMatcher("logout.do", "GET"));
+		if(hstsHeaderOn){
+			http.headers()
+					.httpStrictTransportSecurity()
+					.includeSubDomains(hstsIncludeSubdomain)
+					.maxAgeInSeconds(hstsMaxAgeInSeconds);
+		}
 		/* @formatter:on */
 	}
-	
+
 	@Override
 	public void configure(WebSecurity web) throws Exception {
 		/* @formatter:off */
@@ -125,7 +140,7 @@ public void configure(WebSecurity web) throws Exception {
 			.and().ignoring().mvcMatchers("/images/**");
 		/* @formatter:on */
 	}
-	
+
 	@Bean
 	public CorsConfigurationSource corsConfigurationSource() {
 		CorsConfiguration configuration = new CorsConfiguration();
@@ -137,24 +152,24 @@ public CorsConfigurationSource corsConfigurationSource() {
 		source.registerCorsConfiguration("/**", configuration);
 		return source;
 	}
-	
+
 	@Bean
 	@Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
 	public KeycloakRestTemplate keycloakRestTemplate() {
 		return new KeycloakRestTemplate(keycloakClientRequestFactory);
 	}
-	
+
 	@Bean
 	public KeycloakDeployment keycloakDeployment() throws IOException {
 		if (!keycloakConfigFileResource.isReadable()) {
 			throw new FileNotFoundException(String.format("Unable to locate Keycloak configuration file: %s",
-			    keycloakConfigFileResource.getFilename()));
+					keycloakConfigFileResource.getFilename()));
 		}
-		
-		try(InputStream inputStream=keycloakConfigFileResource.getInputStream()){
+
+		try (InputStream inputStream = keycloakConfigFileResource.getInputStream()) {
 			return KeycloakDeploymentBuilder.build(inputStream);
 		}
-		
+
 	}
-	
+
 }

src/main/java/org/opensrp/web/controller/UniqueIdController.java

@@ -98,7 +98,7 @@ public ResponseEntity<String> thisMonthDataSendTODHIS2(HttpServletRequest reques
 		        FileOutputStream fileOutputStream = new FileOutputStream(qrCodesDir + File.separator + fileName);
 		        OutputStream os = response.getOutputStream();) {
 			user = openmrsUserService.getUser(currentPrincipalName);
-			if (!checkRoleIfRoleExitst(user.getRoles(), "opensrp-generate-qr-code")) {
+			if (!checkRoleIfRoleExits(user.getRoles(), "opensrp-generate-qr-code")) {
 				return new ResponseEntity<>("Sorry, insufficient privileges to generate ID QR codes", HttpStatus.OK);
 			}
 
@@ -120,7 +120,7 @@ public ResponseEntity<String> thisMonthDataSendTODHIS2(HttpServletRequest reques
 		return new ResponseEntity<>(new Gson().toJson("" + message), HttpStatus.OK);
 	}
 
-	boolean checkRoleIfRoleExitst(List<String> roleList, String role) {
+	boolean checkRoleIfRoleExits(List<String> roleList, String role) {
 		for (String roleName : roleList)
 			if (StringUtils.containsIgnoreCase(roleName, role))
 				return true;

src/test/java/org/opensrp/web/controller/UniqueIdControllerTest.java

@@ -145,6 +145,20 @@ public void testThisMonthDataSendTODHIS2ThrowsException() throws Exception {
 		}
 		assertEquals(responseString,ERROR_MESSAGE);
 	}
+
+	@Test
+	public void testCheckIfRoleExistsReturnsTrueIfRoleExists(){
+		List<String> roles = new ArrayList<>();
+		roles.add("role-1");
+		assertEquals(true, uniqueIdController.checkRoleIfRoleExits(roles,"role-1"));
+	}
+
+	@Test
+	public void testCheckIfRoleExistsReturnsFalseIfRoleDoesNotExist(){
+		List<String> roles = new ArrayList<>();
+		roles.add("role-1");
+		assertEquals(false, uniqueIdController.checkRoleIfRoleExits(roles,"role-2"));
+	}
 
 	private Authentication getMockedAuthentication() {
 		Authentication authentication = new Authentication() {