mirror of
https://github.com/google/nomulus.git
synced 2025-05-14 16:37:13 +02:00
Remove xsrfScope and xsrfProtection authentication attributes
------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=159121132
This commit is contained in:
mountford
Ben McIlwain
parent
580c41f2d6
commit
7d2f53a6fe
19 changed files with 103 additions and 185 deletions
|
|
@ -41,15 +41,15 @@ import javax.inject.Inject;
|
|||
|
||||
/** Publish a single registrar detail report from GCS to Drive. */
|
||||
@Action(
|
||||
path = PublishDetailReportAction.PATH,
|
||||
method = Action.Method.POST,
|
||||
auth = @Auth(
|
||||
path = PublishDetailReportAction.PATH,
|
||||
method = Action.Method.POST,
|
||||
auth =
|
||||
@Auth(
|
||||
methods = {AuthMethod.INTERNAL, Auth.AuthMethod.API},
|
||||
minimumLevel = AuthLevel.APP,
|
||||
userPolicy = UserPolicy.ADMIN
|
||||
),
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "admin")
|
||||
)
|
||||
)
|
||||
public final class PublishDetailReportAction implements Runnable, JsonAction {
|
||||
|
||||
private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
|
||||
|
|
|
|||
|
|
@ -26,8 +26,6 @@ import javax.servlet.http.HttpSession;
|
|||
/** Runs EPP from the console and requires GAE user authentication. */
|
||||
@Action(
|
||||
path = "/registrar-xhr",
|
||||
xsrfProtection = true,
|
||||
xsrfScope = EppConsoleAction.XSRF_SCOPE,
|
||||
method = Method.POST,
|
||||
auth =
|
||||
@Auth(
|
||||
|
|
@ -38,8 +36,6 @@ import javax.servlet.http.HttpSession;
|
|||
)
|
||||
public class EppConsoleAction implements Runnable {
|
||||
|
||||
public static final String XSRF_SCOPE = "console";
|
||||
|
||||
@Inject @Payload byte[] inputXmlBytes;
|
||||
@Inject HttpSession session;
|
||||
@Inject EppRequestHandler eppRequestHandler;
|
||||
|
|
|
|||
|
|
@ -32,8 +32,6 @@ import javax.servlet.http.HttpServletRequest;
|
|||
/** Runs EPP commands directly without logging in, verifying an XSRF token from the tool. */
|
||||
@Action(
|
||||
path = "/_dr/epptool",
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "admin",
|
||||
method = Method.POST,
|
||||
auth =
|
||||
@Auth(
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ package google.registry.module.backend;
|
|||
import com.google.appengine.api.users.UserService;
|
||||
import google.registry.request.RequestHandler;
|
||||
import google.registry.request.auth.RequestAuthenticator;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
import javax.inject.Inject;
|
||||
import javax.inject.Provider;
|
||||
|
||||
|
|
@ -27,8 +26,7 @@ public class BackendRequestHandler extends RequestHandler<BackendRequestComponen
|
|||
@Inject BackendRequestHandler(
|
||||
Provider<BackendRequestComponent.Builder> componentBuilderProvider,
|
||||
UserService userService,
|
||||
RequestAuthenticator requestAuthenticator,
|
||||
XsrfTokenManager xsrfTokenManager) {
|
||||
super(componentBuilderProvider, userService, requestAuthenticator, xsrfTokenManager);
|
||||
RequestAuthenticator requestAuthenticator) {
|
||||
super(componentBuilderProvider, userService, requestAuthenticator);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ package google.registry.module.frontend;
|
|||
import com.google.appengine.api.users.UserService;
|
||||
import google.registry.request.RequestHandler;
|
||||
import google.registry.request.auth.RequestAuthenticator;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
import javax.inject.Inject;
|
||||
import javax.inject.Provider;
|
||||
|
||||
|
|
@ -27,8 +26,7 @@ public class FrontendRequestHandler extends RequestHandler<FrontendRequestCompon
|
|||
@Inject FrontendRequestHandler(
|
||||
Provider<FrontendRequestComponent.Builder> componentBuilderProvider,
|
||||
UserService userService,
|
||||
RequestAuthenticator requestAuthenticator,
|
||||
XsrfTokenManager xsrfTokenManager) {
|
||||
super(componentBuilderProvider, userService, requestAuthenticator, xsrfTokenManager);
|
||||
RequestAuthenticator requestAuthenticator) {
|
||||
super(componentBuilderProvider, userService, requestAuthenticator);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ package google.registry.module.tools;
|
|||
import com.google.appengine.api.users.UserService;
|
||||
import google.registry.request.RequestHandler;
|
||||
import google.registry.request.auth.RequestAuthenticator;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
import javax.inject.Inject;
|
||||
import javax.inject.Provider;
|
||||
|
||||
|
|
@ -27,8 +26,7 @@ public class ToolsRequestHandler extends RequestHandler<ToolsRequestComponent> {
|
|||
@Inject ToolsRequestHandler(
|
||||
Provider<ToolsRequestComponent.Builder> componentBuilderProvider,
|
||||
UserService userService,
|
||||
RequestAuthenticator requestAuthenticator,
|
||||
XsrfTokenManager xsrfTokenManager) {
|
||||
super(componentBuilderProvider, userService, requestAuthenticator, xsrfTokenManager);
|
||||
RequestAuthenticator requestAuthenticator) {
|
||||
super(componentBuilderProvider, userService, requestAuthenticator);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,13 +46,6 @@ public @interface Action {
|
|||
*/
|
||||
boolean automaticallyPrintOk() default false;
|
||||
|
||||
// TODO(b/26304887): Flip default to true.
|
||||
/** Enables XSRF protection on all HTTP methods except GET and HEAD. */
|
||||
boolean xsrfProtection() default false;
|
||||
|
||||
/** Arbitrary value included in the XSRF token hash. */
|
||||
String xsrfScope() default "app";
|
||||
|
||||
/**
|
||||
* Require user be logged-in or 302 redirect to the Google auth login page.
|
||||
*
|
||||
|
|
|
|||
|
|
@ -15,10 +15,8 @@
|
|||
package google.registry.request;
|
||||
|
||||
import static com.google.common.base.Preconditions.checkNotNull;
|
||||
import static com.google.common.base.Strings.nullToEmpty;
|
||||
import static com.google.common.net.HttpHeaders.LOCATION;
|
||||
import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
|
||||
import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
|
||||
import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
|
||||
import static javax.servlet.http.HttpServletResponse.SC_METHOD_NOT_ALLOWED;
|
||||
import static javax.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
|
||||
|
|
@ -28,7 +26,6 @@ import com.google.appengine.api.users.UserService;
|
|||
import com.google.common.base.Optional;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.RequestAuthenticator;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
import google.registry.util.FormattingLogger;
|
||||
import google.registry.util.TypeUtils.TypeInstantiator;
|
||||
import java.io.IOException;
|
||||
|
|
@ -61,9 +58,6 @@ import javax.servlet.http.HttpServletResponse;
|
|||
*
|
||||
* <h3>Security Features</h3>
|
||||
*
|
||||
* <p>XSRF protection is built into this class. It can be enabled or disabled on individual actions
|
||||
* using {@link Action#xsrfProtection() xsrfProtection} setting.
|
||||
*
|
||||
* <p>This class also enforces the {@link Action#requireLogin() requireLogin} setting.
|
||||
*
|
||||
* @param <C> request component type
|
||||
|
|
@ -76,7 +70,6 @@ public class RequestHandler<C> {
|
|||
private final Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider;
|
||||
private final UserService userService;
|
||||
private final RequestAuthenticator requestAuthenticator;
|
||||
private final XsrfTokenManager xsrfTokenManager;
|
||||
|
||||
/**
|
||||
* Constructor for subclasses to create a new request handler for a specific request component.
|
||||
|
|
@ -90,15 +83,12 @@ public class RequestHandler<C> {
|
|||
* request-derived modules provided by this class)
|
||||
* @param userService an instance of the App Engine UserService API
|
||||
* @param requestAuthenticator an instance of the {@link RequestAuthenticator} class
|
||||
* @param xsrfTokenManager an instance of the {@link XsrfTokenManager} class
|
||||
*/
|
||||
protected RequestHandler(
|
||||
Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
|
||||
UserService userService,
|
||||
RequestAuthenticator requestAuthenticator,
|
||||
XsrfTokenManager xsrfTokenManager) {
|
||||
this(null, requestComponentBuilderProvider, userService, requestAuthenticator,
|
||||
xsrfTokenManager);
|
||||
RequestAuthenticator requestAuthenticator) {
|
||||
this(null, requestComponentBuilderProvider, userService, requestAuthenticator);
|
||||
}
|
||||
|
||||
/** Creates a new RequestHandler with an explicit component class for test purposes. */
|
||||
|
|
@ -106,22 +96,19 @@ public class RequestHandler<C> {
|
|||
Class<C> component,
|
||||
Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
|
||||
UserService userService,
|
||||
RequestAuthenticator requestAuthenticator,
|
||||
XsrfTokenManager xsrfTokenManager) {
|
||||
RequestAuthenticator requestAuthenticator) {
|
||||
return new RequestHandler<>(
|
||||
checkNotNull(component),
|
||||
requestComponentBuilderProvider,
|
||||
userService,
|
||||
requestAuthenticator,
|
||||
xsrfTokenManager);
|
||||
requestAuthenticator);
|
||||
}
|
||||
|
||||
private RequestHandler(
|
||||
@Nullable Class<C> component,
|
||||
Provider<? extends RequestComponentBuilder<C>> requestComponentBuilderProvider,
|
||||
UserService userService,
|
||||
RequestAuthenticator requestAuthenticator,
|
||||
XsrfTokenManager xsrfTokenManager) {
|
||||
RequestAuthenticator requestAuthenticator) {
|
||||
// If the component class isn't explicitly provided, infer it from the class's own typing.
|
||||
// This is safe only for use by subclasses of RequestHandler where the generic parameter is
|
||||
// preserved at runtime, so only expose that option via the protected constructor.
|
||||
|
|
@ -130,7 +117,6 @@ public class RequestHandler<C> {
|
|||
this.requestComponentBuilderProvider = checkNotNull(requestComponentBuilderProvider);
|
||||
this.userService = checkNotNull(userService);
|
||||
this.requestAuthenticator = checkNotNull(requestAuthenticator);
|
||||
this.xsrfTokenManager = checkNotNull(xsrfTokenManager);
|
||||
}
|
||||
|
||||
/** Runs the appropriate action for a servlet request. */
|
||||
|
|
@ -163,11 +149,6 @@ public class RequestHandler<C> {
|
|||
rsp.setHeader(LOCATION, userService.createLoginURL(req.getRequestURI()));
|
||||
return;
|
||||
}
|
||||
if (route.get().shouldXsrfProtect(method)
|
||||
&& !xsrfTokenManager.validateToken(nullToEmpty(req.getHeader(X_CSRF_TOKEN)))) {
|
||||
rsp.sendError(SC_FORBIDDEN, "Invalid " + X_CSRF_TOKEN);
|
||||
return;
|
||||
}
|
||||
Optional<AuthResult> authResult =
|
||||
requestAuthenticator.authorize(route.get().action().auth(), req);
|
||||
if (!authResult.isPresent()) {
|
||||
|
|
|
|||
|
|
@ -42,9 +42,4 @@ abstract class Route {
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
boolean shouldXsrfProtect(Action.Method requestMethod) {
|
||||
return action().xsrfProtection()
|
||||
&& (requestMethod != Action.Method.GET) && (requestMethod != Action.Method.HEAD);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -38,8 +38,6 @@ import java.util.Map;
|
|||
* <li>the simple name of the action class
|
||||
* <li>the allowable HTTP methods
|
||||
* <li>whether to automatically print "ok" in the response
|
||||
* <li>whether XSRF protection is enabled
|
||||
* <li>the XSRF scope
|
||||
* <li>whether login is required
|
||||
* <li>the allowable authentication methods
|
||||
* <li>the minimum authentication level
|
||||
|
|
@ -53,12 +51,11 @@ public class RouterDisplayHelper {
|
|||
private static final String PATH = "path";
|
||||
private static final String CLASS = "class";
|
||||
private static final String METHODS = "methods";
|
||||
private static final String XSRF_SCOPE = "xsrfScope";
|
||||
private static final String AUTH_METHODS = "authMethods";
|
||||
private static final String MINIMUM_LEVEL = "minLevel";
|
||||
|
||||
private static final String FORMAT =
|
||||
"%%-%ds %%-%ds %%-%ds %%-2s %%-4s %%-%ds %%-5s %%-%ds %%-%ds %%s";
|
||||
"%%-%ds %%-%ds %%-%ds %%-2s %%-5s %%-%ds %%-%ds %%s";
|
||||
|
||||
/** Returns a string representation of the routing map in the specified component. */
|
||||
public static String extractHumanReadableRoutesFromComponent(Class<?> componentClass) {
|
||||
|
|
@ -71,7 +68,6 @@ public class RouterDisplayHelper {
|
|||
columnWidths.get(PATH),
|
||||
columnWidths.get(CLASS),
|
||||
columnWidths.get(METHODS),
|
||||
columnWidths.get(XSRF_SCOPE),
|
||||
columnWidths.get(AUTH_METHODS),
|
||||
columnWidths.get(MINIMUM_LEVEL));
|
||||
}
|
||||
|
|
@ -83,8 +79,6 @@ public class RouterDisplayHelper {
|
|||
"CLASS",
|
||||
"METHODS",
|
||||
"OK",
|
||||
"XSRF",
|
||||
"SCOPE",
|
||||
"LOGIN",
|
||||
"AUTH_METHODS",
|
||||
"MIN",
|
||||
|
|
@ -98,8 +92,6 @@ public class RouterDisplayHelper {
|
|||
route.actionClass().getSimpleName(),
|
||||
Joiner.on(",").join(route.action().method()),
|
||||
route.action().automaticallyPrintOk() ? "y" : "n",
|
||||
route.action().xsrfProtection() ? "y" : "n",
|
||||
route.action().xsrfScope(),
|
||||
route.action().requireLogin() ? "y" : "n",
|
||||
Joiner.on(",").join(route.action().auth().methods()),
|
||||
route.action().auth().minimumLevel(),
|
||||
|
|
@ -112,7 +104,6 @@ public class RouterDisplayHelper {
|
|||
int pathWidth = 4;
|
||||
int classWidth = 5;
|
||||
int methodsWidth = 7;
|
||||
int xsrfScopeWidth = 5;
|
||||
int authMethodsWidth = 12;
|
||||
int minLevelWidth = 3;
|
||||
for (Route route : routes) {
|
||||
|
|
@ -131,10 +122,6 @@ public class RouterDisplayHelper {
|
|||
if (len > methodsWidth) {
|
||||
methodsWidth = len;
|
||||
}
|
||||
len = route.action().xsrfScope().length();
|
||||
if (len > xsrfScopeWidth) {
|
||||
xsrfScopeWidth = len;
|
||||
}
|
||||
len = Joiner.on(",").join(route.action().auth().methods()).length();
|
||||
if (len > authMethodsWidth) {
|
||||
authMethodsWidth = len;
|
||||
|
|
@ -150,7 +137,6 @@ public class RouterDisplayHelper {
|
|||
.put(PATH, pathWidth)
|
||||
.put(CLASS, classWidth)
|
||||
.put(METHODS, methodsWidth)
|
||||
.put(XSRF_SCOPE, xsrfScopeWidth)
|
||||
.put(AUTH_METHODS, authMethodsWidth)
|
||||
.put(MINIMUM_LEVEL, minLevelWidth)
|
||||
.build());
|
||||
|
|
|
|||
|
|
@ -83,8 +83,6 @@ import javax.inject.Inject;
|
|||
@Action(
|
||||
path = VerifyOteAction.PATH,
|
||||
method = Action.Method.POST,
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "admin",
|
||||
auth =
|
||||
@Auth(
|
||||
methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
|
||||
|
|
|
|||
|
|
@ -42,7 +42,6 @@ import javax.servlet.http.HttpServletRequest;
|
|||
@Action(
|
||||
path = ConsoleUiAction.PATH,
|
||||
requireLogin = true,
|
||||
xsrfProtection = false,
|
||||
auth =
|
||||
@Auth(
|
||||
methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
|
||||
|
|
|
|||
|
|
@ -95,8 +95,6 @@ import org.joda.money.Money;
|
|||
@Action(
|
||||
path = "/registrar-payment",
|
||||
method = Action.Method.POST,
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "console",
|
||||
requireLogin = true,
|
||||
auth =
|
||||
@Auth(
|
||||
|
|
|
|||
|
|
@ -70,8 +70,6 @@ import org.joda.money.CurrencyUnit;
|
|||
@Action(
|
||||
path = "/registrar-payment-setup",
|
||||
method = Action.Method.POST,
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "console",
|
||||
requireLogin = true,
|
||||
auth =
|
||||
@Auth(
|
||||
|
|
|
|||
|
|
@ -64,8 +64,6 @@ import javax.servlet.http.HttpServletRequest;
|
|||
@Action(
|
||||
path = RegistrarSettingsAction.PATH,
|
||||
requireLogin = true,
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "console",
|
||||
method = Action.Method.POST,
|
||||
auth =
|
||||
@Auth(
|
||||
|
|
|
|||
|
|
@ -1,38 +1,38 @@
|
|||
PATH CLASS METHODS OK XSRF SCOPE LOGIN AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/cron/commitLogCheckpoint CommitLogCheckpointAction GET y n app n INTERNAL APP IGNORED
|
||||
/_dr/cron/commitLogFanout CommitLogFanoutAction GET y n app n INTERNAL APP IGNORED
|
||||
/_dr/cron/fanout TldFanoutAction GET y n app n INTERNAL APP IGNORED
|
||||
/_dr/cron/readDnsQueue ReadDnsQueueAction GET y n app n INTERNAL APP IGNORED
|
||||
/_dr/dnsRefresh RefreshDnsAction GET y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/brdaCopy BrdaCopyAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/checkSnapshot CheckSnapshotAction POST,GET y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/deleteContactsAndHosts DeleteContactsAndHostsAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/deleteOldCommitLogs DeleteOldCommitLogsAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/deleteProberData DeleteProberDataAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/expandRecurringBillingEvents ExpandRecurringBillingEventsAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/exportCommitLogDiff ExportCommitLogDiffAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/exportDomainLists ExportDomainListsAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/exportReservedTerms ExportReservedTermsAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/exportSnapshot ExportSnapshotAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/importRdeContacts RdeContactImportAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/importRdeDomains RdeDomainImportAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/importRdeHosts RdeHostImportAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/linkRdeHosts RdeHostLinkAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/loadSnapshot LoadSnapshotAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/mapreduceEntityCleanup MapreduceEntityCleanupAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/metrics MetricsExportAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/nordnUpload NordnUploadAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/nordnVerify NordnVerifyAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/publishDnsUpdates PublishDnsUpdatesAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/rdeReport RdeReportAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/rdeStaging RdeStagingAction GET,POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/rdeUpload RdeUploadAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/refreshDnsOnHostRename RefreshDnsOnHostRenameAction GET n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/syncGroupMembers SyncGroupMembersAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/syncRegistrarsSheet SyncRegistrarsSheetAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/tmchCrl TmchCrlAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/tmchDnl TmchDnlAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/tmchSmdrl TmchSmdrlAction POST y n app n INTERNAL APP IGNORED
|
||||
/_dr/task/updateSnapshotView UpdateSnapshotViewAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/verifyEntityIntegrity VerifyEntityIntegrityAction POST n n app n INTERNAL APP IGNORED
|
||||
PATH CLASS METHODS OK LOGIN AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/cron/commitLogCheckpoint CommitLogCheckpointAction GET y n INTERNAL APP IGNORED
|
||||
/_dr/cron/commitLogFanout CommitLogFanoutAction GET y n INTERNAL APP IGNORED
|
||||
/_dr/cron/fanout TldFanoutAction GET y n INTERNAL APP IGNORED
|
||||
/_dr/cron/readDnsQueue ReadDnsQueueAction GET y n INTERNAL APP IGNORED
|
||||
/_dr/dnsRefresh RefreshDnsAction GET y n INTERNAL APP IGNORED
|
||||
/_dr/task/brdaCopy BrdaCopyAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/checkSnapshot CheckSnapshotAction POST,GET y n INTERNAL APP IGNORED
|
||||
/_dr/task/deleteContactsAndHosts DeleteContactsAndHostsAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/deleteOldCommitLogs DeleteOldCommitLogsAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/deleteProberData DeleteProberDataAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/expandRecurringBillingEvents ExpandRecurringBillingEventsAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/exportCommitLogDiff ExportCommitLogDiffAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/exportDomainLists ExportDomainListsAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/exportReservedTerms ExportReservedTermsAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/exportSnapshot ExportSnapshotAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/importRdeContacts RdeContactImportAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/importRdeDomains RdeDomainImportAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/importRdeHosts RdeHostImportAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/linkRdeHosts RdeHostLinkAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/loadSnapshot LoadSnapshotAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/mapreduceEntityCleanup MapreduceEntityCleanupAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/metrics MetricsExportAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/nordnUpload NordnUploadAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/nordnVerify NordnVerifyAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/publishDnsUpdates PublishDnsUpdatesAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/rdeReport RdeReportAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/rdeStaging RdeStagingAction GET,POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/rdeUpload RdeUploadAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/refreshDnsOnHostRename RefreshDnsOnHostRenameAction GET n n INTERNAL APP IGNORED
|
||||
/_dr/task/syncGroupMembers SyncGroupMembersAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/syncRegistrarsSheet SyncRegistrarsSheetAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/tmchCrl TmchCrlAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/tmchDnl TmchDnlAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/tmchSmdrl TmchSmdrlAction POST y n INTERNAL APP IGNORED
|
||||
/_dr/task/updateSnapshotView UpdateSnapshotViewAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/verifyEntityIntegrity VerifyEntityIntegrityAction POST n n INTERNAL APP IGNORED
|
||||
|
|
|
|||
|
|
@ -1,19 +1,19 @@
|
|||
PATH CLASS METHODS OK XSRF SCOPE LOGIN AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/epp EppTlsAction POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/whois WhoisServer POST n n app n INTERNAL,API APP ADMIN
|
||||
/check CheckApiAction GET n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/autnum/(*) RdapAutnumAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/domain/(*) RdapDomainAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/domains RdapDomainSearchAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/entities RdapEntitySearchAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/entity/(*) RdapEntityAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/help(*) RdapHelpAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/ip/(*) RdapIpAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/nameserver/(*) RdapNameserverAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/rdap/nameservers RdapNameserverSearchAction GET,HEAD n n app n INTERNAL NONE PUBLIC
|
||||
/registrar ConsoleUiAction GET n n app y INTERNAL,API,LEGACY NONE PUBLIC
|
||||
/registrar-payment RegistrarPaymentAction POST n y console y INTERNAL,API,LEGACY USER PUBLIC
|
||||
/registrar-payment-setup RegistrarPaymentSetupAction POST n y console y INTERNAL,API,LEGACY USER PUBLIC
|
||||
/registrar-settings RegistrarSettingsAction POST n y console y INTERNAL,API,LEGACY USER PUBLIC
|
||||
/registrar-xhr EppConsoleAction POST n y console n INTERNAL,API,LEGACY USER PUBLIC
|
||||
/whois/(*) WhoisHttpServer GET n n app n INTERNAL NONE PUBLIC
|
||||
PATH CLASS METHODS OK LOGIN AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/epp EppTlsAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/whois WhoisServer POST n n INTERNAL,API APP ADMIN
|
||||
/check CheckApiAction GET n n INTERNAL NONE PUBLIC
|
||||
/rdap/autnum/(*) RdapAutnumAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/domain/(*) RdapDomainAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/domains RdapDomainSearchAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/entities RdapEntitySearchAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/entity/(*) RdapEntityAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/help(*) RdapHelpAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/ip/(*) RdapIpAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/nameserver/(*) RdapNameserverAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/rdap/nameservers RdapNameserverSearchAction GET,HEAD n n INTERNAL NONE PUBLIC
|
||||
/registrar ConsoleUiAction GET n y INTERNAL,API,LEGACY NONE PUBLIC
|
||||
/registrar-payment RegistrarPaymentAction POST n y INTERNAL,API,LEGACY USER PUBLIC
|
||||
/registrar-payment-setup RegistrarPaymentSetupAction POST n y INTERNAL,API,LEGACY USER PUBLIC
|
||||
/registrar-settings RegistrarSettingsAction POST n y INTERNAL,API,LEGACY USER PUBLIC
|
||||
/registrar-xhr EppConsoleAction POST n n INTERNAL,API,LEGACY USER PUBLIC
|
||||
/whois/(*) WhoisHttpServer GET n n INTERNAL NONE PUBLIC
|
||||
|
|
|
|||
|
|
@ -1,21 +1,21 @@
|
|||
PATH CLASS METHODS OK XSRF SCOPE LOGIN AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/admin/createGroups CreateGroupsAction POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/createPremiumList CreatePremiumListAction POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/deleteEntity DeleteEntityAction GET n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/domains ListDomainsAction GET,POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/hosts ListHostsAction GET,POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/registrars ListRegistrarsAction GET,POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/reservedLists ListReservedListsAction GET,POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/tlds ListTldsAction GET,POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/updatePremiumList UpdatePremiumListAction POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/verifyOte VerifyOteAction POST n y admin n INTERNAL,API APP ADMIN
|
||||
/_dr/epptool EppToolAction POST n y admin n INTERNAL,API APP ADMIN
|
||||
/_dr/loadtest LoadTestAction POST y n app n INTERNAL,API APP ADMIN
|
||||
/_dr/publishDetailReport PublishDetailReportAction POST n y admin n INTERNAL,API APP ADMIN
|
||||
/_dr/task/generateZoneFiles GenerateZoneFilesAction POST n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/killAllEppResources KillAllEppResourcesAction POST n n app n INTERNAL APP IGNORED
|
||||
/_dr/task/refreshAllDomains RefreshAllDomainsAction GET n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/task/resaveAllEppResources ResaveAllEppResourcesAction GET n n app n INTERNAL,API APP ADMIN
|
||||
/_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y n app n INTERNAL,API APP ADMIN
|
||||
PATH CLASS METHODS OK LOGIN AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/admin/createGroups CreateGroupsAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/createPremiumList CreatePremiumListAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/deleteEntity DeleteEntityAction GET n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/domains ListDomainsAction GET,POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/hosts ListHostsAction GET,POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/premiumLists ListPremiumListsAction GET,POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/registrars ListRegistrarsAction GET,POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/reservedLists ListReservedListsAction GET,POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/list/tlds ListTldsAction GET,POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/updatePremiumList UpdatePremiumListAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/admin/verifyOte VerifyOteAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/epptool EppToolAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/loadtest LoadTestAction POST y n INTERNAL,API APP ADMIN
|
||||
/_dr/publishDetailReport PublishDetailReportAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/task/generateZoneFiles GenerateZoneFilesAction POST n n INTERNAL,API APP ADMIN
|
||||
/_dr/task/killAllCommitLogs KillAllCommitLogsAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/killAllEppResources KillAllEppResourcesAction POST n n INTERNAL APP IGNORED
|
||||
/_dr/task/refreshAllDomains RefreshAllDomainsAction GET n n INTERNAL,API APP ADMIN
|
||||
/_dr/task/resaveAllEppResources ResaveAllEppResourcesAction GET n n INTERNAL,API APP ADMIN
|
||||
/_dr/task/restoreCommitLogs RestoreCommitLogsAction POST y n INTERNAL,API APP ADMIN
|
||||
|
|
|
|||
|
|
@ -90,8 +90,6 @@ public final class RequestHandlerTest {
|
|||
@Action(
|
||||
path = "/safe-sloth",
|
||||
method = {GET, POST},
|
||||
xsrfProtection = true,
|
||||
xsrfScope = "vampire",
|
||||
auth = @Auth(minimumLevel = AuthLevel.NONE)
|
||||
)
|
||||
public static class SafeSlothTask implements Runnable {
|
||||
|
|
@ -262,8 +260,7 @@ public final class RequestHandlerTest {
|
|||
}
|
||||
}),
|
||||
userService,
|
||||
requestAuthenticator,
|
||||
xsrfTokenManager);
|
||||
requestAuthenticator);
|
||||
when(rsp.getWriter()).thenReturn(new PrintWriter(httpOutput));
|
||||
}
|
||||
|
||||
|
|
@ -283,7 +280,10 @@ public final class RequestHandlerTest {
|
|||
|
||||
@Test
|
||||
public void testHandleRequest_multipleMethodMappings_works() throws Exception {
|
||||
userService.setUser(testUser, false);
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getHeader("X-CSRF-Token"))
|
||||
.thenReturn(xsrfTokenManager.generateToken(testUser.getEmail()));
|
||||
when(req.getRequestURI()).thenReturn("/bumblebee");
|
||||
handler.handleRequest(req, rsp);
|
||||
verify(bumblebeeTask).run();
|
||||
|
|
@ -299,7 +299,10 @@ public final class RequestHandlerTest {
|
|||
|
||||
@Test
|
||||
public void testHandleRequest_taskHasAutoPrintOk_printsOk() throws Exception {
|
||||
userService.setUser(testUser, false);
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getHeader("X-CSRF-Token"))
|
||||
.thenReturn(xsrfTokenManager.generateToken(testUser.getEmail()));
|
||||
when(req.getRequestURI()).thenReturn("/sloth");
|
||||
handler.handleRequest(req, rsp);
|
||||
verify(slothTask).run();
|
||||
|
|
@ -378,14 +381,6 @@ public final class RequestHandlerTest {
|
|||
tester.testAllPublicInstanceMethods(handler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testXsrfProtection_noTokenProvided_returns403Forbidden() throws Exception {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getRequestURI()).thenReturn("/safe-sloth");
|
||||
handler.handleRequest(req, rsp);
|
||||
verify(rsp).sendError(403, "Invalid X-CSRF-Token");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testXsrfProtection_validTokenProvided_runsAction() throws Exception {
|
||||
userService.setUser(testUser, false);
|
||||
|
|
@ -397,17 +392,6 @@ public final class RequestHandlerTest {
|
|||
verify(safeSlothTask).run();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testXsrfProtection_tokenWithInvalidUserProvided_returns403() throws Exception {
|
||||
userService.setUser(testUser, false);
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getHeader("X-CSRF-Token"))
|
||||
.thenReturn(xsrfTokenManager.generateToken("wrong@example.com"));
|
||||
when(req.getRequestURI()).thenReturn("/safe-sloth");
|
||||
handler.handleRequest(req, rsp);
|
||||
verify(rsp).sendError(403, "Invalid X-CSRF-Token");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testXsrfProtection_GETMethodWithoutToken_doesntCheckToken() throws Exception {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue