Create a different config setting for inbound and outbound HTTP1 head…

…er (#7362) * Create a different config setting for inbound and outbound HTTP1 header validation for both client and server Description =========== Currently, Helidon 4 only support validate-headers config to validate headers for both inbound and outbound headers on both client and server. This change will bring separation on the configuration for both inbound and outbound headers on both client and server. The change will also remove performance impact for a singular config that would validate both outbound and inbound headers by default. By separating the configuration, only necessary headers will be validated by default. For example, the request headers on the client and the response headers on the server will not be validated by default because the user has control on their creation. On the other hand, the response headers on the client and the request headers on the server will be validated by default because the values they contain are unpredictable upon receipt and may contain malicious data. Following are new config options: 1. Client a. validate-response-header (inbound) - Validates the client response headers and will default to true because the content is unpredictable. b. validate-request-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation. 2. Server b. validate-request-header (inbound) - Validates the server request headers and will default to true because the content is unpredictable.. a. validate-response-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation. Details of the change: ===================== 1. Webserver a. Http1ConfigBlueprint - replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively. b. Http1Connection and HttpServerResponse - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation. 2. Webclient a. Http1ClientProtocolConfigBlueprint = replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively. b. Http1CallChainBase, Http1CallOutputStreamChain and Http1CallEntityChain - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation. c. Http1ClientTest - Header validation related Unit test are adjusted to use validateRequestHeaders() and validateResponseHeaders() instead of their predecessor validateHeaders() 3. Integration tests for Webserver - all files changed will perform various scenarios to validate request or response headers on the client side. 4. Integration tests for Webclient - all files changed will perform various scenarios to validate request or response headers on the client side. Documentation ============= This is a configuration change so documentation will be collected from javadoc comments in Http1ConfigBlueprint.java for the Webserver and Http1ClientProtocolConfigBlueprint.java for Http1 Webclient. Examples: 1. Http1 WebServer ``` ServerConnectionSelector http1 = Http1ConnectionSelector.builder() .config(Http1Config.builder() .validateRequestHeaders(true) .validateResponseHeaders(false) .build()) .build(); server.addConnectionSelector(http1); ``` 2. Http1 WebClient ``` Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI) .protocolConfig(it -> { it.validateRequestHeaders(true); it.validateResponseHeaders(false); }) ); ``` * Rename ClientRequestImplTest class to Http1ClientTest as this is not focused to ClientRequestImplTest anymore * Update ValidateHeadersTest in tests/integration/webclient/webclient to use the new Headers and HeaderNames apis * Fix inadvertent removal of http2 webclient dependency in the webclient integration test
helidon-io · Aug 14, 2023 · 1b8d203 · 1b8d203
1 parent e8bf60e
commit 1b8d203
Show file tree

Hide file tree

Showing 17 changed files with 770 additions and 44 deletions.
diff --git a/nima/tests/integration/webclient/webclient/pom.xml b/nima/tests/integration/webclient/webclient/pom.xml
@@ -41,6 +41,11 @@
             <artifactId>helidon-nima-webserver</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.helidon.nima.testing.junit5</groupId>
+            <artifactId>helidon-nima-testing-junit5-http2</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>io.helidon.nima.testing.junit5</groupId>
             <artifactId>helidon-nima-testing-junit5-webserver</artifactId>
@@ -51,6 +56,11 @@
             <artifactId>junit-jupiter-api</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest-all</artifactId>

diff --git a/...ebclient/http1/ClientRequestImplTest.java → ...nima/webclient/http1/Http1ClientTest.java b/...ebclient/http1/ClientRequestImplTest.java → ...nima/webclient/http1/Http1ClientTest.java
@@ -65,7 +65,7 @@
 that is why this tests is in this module, but in the wrong package
  */
 @ServerTest
-class ClientRequestImplTest {
+class Http1ClientTest {
     private static final Http.Header REQ_CHUNKED_HEADER = Http.Headers.createCached(
             Http.HeaderNames.create("X-Req-Chunked"), "true");
     private static final Http.Header REQ_EXPECT_100_HEADER_NAME = Http.Headers.createCached(
@@ -77,20 +77,20 @@ class ClientRequestImplTest {
     private final String baseURI;
     private final WebClient injectedHttp1client;
 
-    ClientRequestImplTest(WebServer webServer, WebClient client) {
+    Http1ClientTest(WebServer webServer, WebClient client) {
         baseURI = "http://localhost:" + webServer.port();
         injectedHttp1client = client;
     }
 
     @SetUpRoute
     static void routing(HttpRules rules) {
-        rules.put("/test", ClientRequestImplTest::responseHandler);
-        rules.put("/redirectKeepMethod", ClientRequestImplTest::redirectKeepMethod);
-        rules.put("/redirect", ClientRequestImplTest::redirect);
-        rules.get("/afterRedirect", ClientRequestImplTest::afterRedirectGet);
-        rules.put("/afterRedirect", ClientRequestImplTest::afterRedirectPut);
-        rules.put("/chunkresponse", ClientRequestImplTest::chunkResponseHandler);
-        rules.put("/delayedEndpoint", ClientRequestImplTest::delayedHandler);
+        rules.put("/test", Http1ClientTest::responseHandler);
+        rules.put("/redirectKeepMethod", Http1ClientTest::redirectKeepMethod);
+        rules.put("/redirect", Http1ClientTest::redirect);
+        rules.get("/afterRedirect", Http1ClientTest::afterRedirectGet);
+        rules.put("/afterRedirect", Http1ClientTest::afterRedirectPut);
+        rules.put("/chunkresponse", Http1ClientTest::chunkResponseHandler);
+        rules.put("/delayedEndpoint", Http1ClientTest::delayedHandler);
     }
 
     @Test

diff --git a/...ebclient/webclient/src/test/java/io/helidon/nima/webclient/http1/ValidateHeadersTest.java b/...ebclient/webclient/src/test/java/io/helidon/nima/webclient/http1/ValidateHeadersTest.java
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.nima.webclient.http1;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.UncheckedIOException;
+import java.net.SocketTimeoutException;
+import java.nio.charset.StandardCharsets;
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Stream;
+import java.util.concurrent.TimeUnit;
+
+import io.helidon.common.GenericType;
+import io.helidon.common.http.Headers;
+import io.helidon.common.http.Http;
+import io.helidon.common.http.Http.HeaderName;
+import io.helidon.common.http.ServerRequestHeaders;
+import io.helidon.nima.http.media.EntityReader;
+import io.helidon.nima.http.media.EntityWriter;
+import io.helidon.nima.http.media.MediaContext;
+import io.helidon.nima.http.media.MediaContextConfig;
+import io.helidon.nima.testing.junit5.webserver.ServerTest;
+import io.helidon.nima.testing.junit5.webserver.SetUpRoute;
+import io.helidon.nima.webclient.api.ClientConnection;
+import io.helidon.nima.webclient.api.ClientResponseTyped;
+import io.helidon.nima.webclient.api.HttpClientRequest;
+import io.helidon.nima.webclient.api.HttpClientResponse;
+import io.helidon.nima.webclient.api.Proxy;
+import io.helidon.nima.webclient.api.WebClient;
+import io.helidon.nima.webserver.WebServer;
+import io.helidon.nima.webserver.WebServerConfig;
+import io.helidon.nima.webserver.http.HttpRules;
+import io.helidon.nima.webserver.http.ServerRequest;
+import io.helidon.nima.webserver.http.ServerResponse;
+import io.helidon.nima.webserver.http1.Http1Config;
+import io.helidon.nima.webserver.http1.Http1ConnectionSelector;
+import io.helidon.nima.webserver.spi.ServerConnectionSelector;
+
+import io.helidon.nima.testing.junit5.webserver.SetUpServer;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.params.provider.Arguments.arguments;
+
+import static io.helidon.common.testing.http.junit5.HttpHeaderMatcher.hasHeader;
+import static io.helidon.common.testing.http.junit5.HttpHeaderMatcher.noHeader;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.IsNot.not;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+/**
+ * Test for validating client side outbound/inbound headers (request/response headers)
+ */
+@ServerTest
+class ValidateHeadersTest {
+    public static final String VALID_HEADER_NAME = "Valid-Header-Name";
+    public static final String VALID_HEADER_VALUE = "Valid-Header-Value";
+    private final String baseURI;
+
+    ValidateHeadersTest(WebServer webServer) {
+        baseURI = "http://localhost:" + webServer.port();
+    }
+
+    @SetUpServer
+    static void server(WebServerConfig.Builder server) {
+        ServerConnectionSelector http1 = Http1ConnectionSelector.builder()
+                .config(Http1Config.builder()
+                                .validateRequestHeaders(false)
+                                .validateResponseHeaders(false)
+                                .build())
+                .build();
+
+        server.addConnectionSelector(http1);
+    }
+
+    @SetUpRoute
+    static void routing(HttpRules rules) {
+        rules.put("/test", ValidateHeadersTest::headerValidationHandler);
+    }
+
+    @ParameterizedTest
+    @MethodSource("customHeaders")
+    void testRequestHeaders(String headerName, String headerValue, boolean expectsValid) {
+        Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI)
+                .protocolConfig(it -> {
+                    it.validateRequestHeaders(true);
+                    it.validateResponseHeaders(false);
+                })
+        );
+        Http1ClientRequest request = client.put(baseURI + "/test");
+        request.header(Http.Headers.create(Http.HeaderNames.create(headerName), headerValue));
+        if (expectsValid) {
+            HttpClientResponse response = request.request();
+            assertThat(response.status(), is(Http.Status.OK_200));
+        } else {
+            assertThrows(IllegalArgumentException.class, () -> request.request());
+        }
+    }
+
+    @ParameterizedTest
+    @MethodSource("customHeaders")
+    void testResponsetHeaders(String headerName, String headerValue, boolean expectsValid) {
+        Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI)
+                .protocolConfig(it -> {
+                    it.validateRequestHeaders(false);
+                    it.validateResponseHeaders(true);
+                })
+        );
+        Http1ClientRequest request = client.put(baseURI + "/test");
+        request.header(Http.Headers.create(Http.HeaderNames.create(headerName), headerValue));
+        if (expectsValid) {
+            HttpClientResponse response = request.request();
+            assertThat(response.status(), is(Http.Status.OK_200));
+            String responseHeaderValue = response.headers().get(Http.HeaderNames.create(headerName)).values();
+            assertThat(responseHeaderValue, is(headerValue.trim()));
+        } else {
+            assertThrows(IllegalArgumentException.class, () -> request.request());
+        }
+    }
+
+    @ParameterizedTest
+    @MethodSource("customHeaders")
+    void testOutputStreamResponsetHeaders(String headerName, String headerValue, boolean expectsValid) {
+        Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI)
+                .protocolConfig(it -> {
+                    it.validateRequestHeaders(false);
+                    it.validateResponseHeaders(true);
+                })
+                .sendExpectContinue(false)
+        );
+        Http1ClientRequest request = client.put(baseURI + "/test");
+        request.header(Http.Headers.create(Http.HeaderNames.create(headerName), headerValue));
+        if (expectsValid) {
+            HttpClientResponse response = request.outputStream(it -> {
+                it.write("Foo Bar".getBytes(StandardCharsets.UTF_8));
+                it.close();
+            });
+            assertThat(response.status(), is(Http.Status.OK_200));
+            String responseHeaderValue = response.headers().get(Http.HeaderNames.create(headerName)).values();
+            assertThat(responseHeaderValue, is(headerValue.trim()));
+        } else {
+            assertThrows(
+                    IllegalArgumentException.class, () -> request.outputStream(it -> {
+                        it.write("Foo Bar".getBytes(StandardCharsets.UTF_8));
+                        it.close();
+                    })
+            );
+        }
+    }
+
+    @ParameterizedTest
+    @MethodSource("customHeaders")
+    void testDisableHeaderValidation(String headerName, String headerValue, boolean expectsValid) {
+        Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI)
+                .protocolConfig(it -> {
+                    it.validateRequestHeaders(false);
+                    it.validateResponseHeaders(false);
+                })
+        );
+        Http1ClientRequest request = client.put(baseURI + "/test");
+        request.header(Http.Headers.create(Http.HeaderNames.create(headerName), headerValue));
+        HttpClientResponse response = request.request();
+        assertThat(response.status(), is(Http.Status.OK_200));
+        String responseHeaderValue = response.headers().get(Http.HeaderNames.create(headerName)).values();
+        assertThat(responseHeaderValue, is(headerValue.trim()));
+    }
+
+    private static void headerValidationHandler(ServerRequest request, ServerResponse response) {
+        ServerRequestHeaders headers = request.headers();
+        request.headers().toMap().forEach((k, v) -> {
+            if (k.contains("Header")) {
+                response.headers().add(Http.Headers.create(Http.HeaderNames.create(k), v));
+            }
+        });
+        response.send("any");
+    }
+
+    private static Stream<Arguments> customHeaders() {
+        return Stream.of(
+                // Invalid header names
+                arguments("Header\u001aName", VALID_HEADER_VALUE, false),
+                arguments("Header\u000EName", VALID_HEADER_VALUE, false),
+                arguments("<Header?Name>", VALID_HEADER_VALUE, false),
+                arguments("{Header=Name}", VALID_HEADER_VALUE, false),
+                arguments("\"HeaderName\"", VALID_HEADER_VALUE, false),
+                arguments("[\\HeaderName]", VALID_HEADER_VALUE, false),
+                arguments("@Header,Name;", VALID_HEADER_VALUE, false),
+                // Valid header names
+                arguments("!#$Custom~%&\'*Header+^`|", VALID_HEADER_VALUE, true),
+                arguments("Custom_0-9_a-z_A-Z_Header", VALID_HEADER_VALUE, true),
+                // Valid header values
+                arguments(VALID_HEADER_NAME, "Header Value", true),
+                arguments(VALID_HEADER_NAME, "HeaderValue1\u0009, Header=Value2", true),
+                arguments(VALID_HEADER_NAME, "Header\tValue", true),
+                // Invalid header values
+                arguments(VALID_HEADER_NAME, "HeaderV\u001calue1", false),
+                arguments(VALID_HEADER_NAME, "HeaderValue1, Header\u007fValue", false),
+                arguments(VALID_HEADER_NAME, "HeaderValue1\u001f, HeaderValue2", false)
+        );
+    }
+}
diff --git a/...ava/io/helidon/nima/tests/integration/server/ContentEncodingDisabledNoValidationTest.java b/...ava/io/helidon/nima/tests/integration/server/ContentEncodingDisabledNoValidationTest.java
@@ -51,7 +51,7 @@ static void server(WebServerConfig.Builder server) {
         ServerConnectionSelector http1 = Http1ConnectionSelector.builder()
                 .config(http1Config -> http1Config
                         // Headers validation is disabled
-                        .validateHeaders(false))
+                        .validateRequestHeaders(false))
                 .build();
 
         server.addConnectionSelector(http1)