add check for allowed origins

inspectIT · Sep 19, 2023 · 777318c · 777318c
1 parent 682f94e
commit 777318c
Show file tree

Hide file tree

Showing 6 changed files with 147 additions and 78 deletions.
diff --git a/...rc/main/java/rocks/inspectit/ocelot/config/model/exporters/tags/HttpExporterSettings.java b/...rc/main/java/rocks/inspectit/ocelot/config/model/exporters/tags/HttpExporterSettings.java
@@ -3,6 +3,8 @@
 import lombok.Data;
 import rocks.inspectit.ocelot.config.model.exporters.ExporterEnabledState;
 
+import java.util.List;
+
 /**
  * Settings for the HTTP-server tags exporter.
  */
@@ -30,17 +32,22 @@ public class HttpExporterSettings {
     private String path;
 
     /**
-     * How many sessions can be stored at the same time
+     * List of allowed Orgins, which are able to access the HTTP-server
      */
-    private int sessionLimit;
+    private List<String> allowedOrigins;
 
     /**
-     * How long the data should be stored in the server
+     * How many sessions can be stored at the same time
      */
-    private int timeToLive;
+    private int sessionLimit;
 
     /**
      * Header, which will be read during browser-propagation to receive the session-ID
      */
     private String sessionIdHeader;
+
+    /**
+     * How long the data should be stored in the server
+     */
+    private int timeToLive;
 }
diff --git a/...ctit-ocelot-config/src/main/resources/rocks/inspectit/ocelot/config/default/exporters.yml b/...ctit-ocelot-config/src/main/resources/rocks/inspectit/ocelot/config/default/exporters.yml
@@ -111,10 +111,12 @@ inspectit:
         port: 9000
         # the path for the endpoint of the http-server
         path: "/inspectit"
+        # list of allowed origins, which are able to access the http-server
+        allowed-origins: ["*"]
         # how many sessions can be stored at the same time
         # Additional limitations: key-length -> 128, value-length -> 2048, attribute-count -> 128
         session-limit: 100
-        # how long the data should be stored in the server in seconds
-        time-to-live: 300
         # header, which will be read during browser-propagation to receive the session-ID
         session-id-header: "Cookie"
+        # how long the data should be stored in the server in seconds
+        time-to-live: 300
diff --git a/...main/java/rocks/inspectit/ocelot/core/exporter/BrowserPropagationHttpExporterService.java b/...main/java/rocks/inspectit/ocelot/core/exporter/BrowserPropagationHttpExporterService.java
@@ -14,6 +14,7 @@
 
 import javax.servlet.http.HttpServlet;
 import java.net.InetSocketAddress;
+import java.util.List;
 
 /**
  * Tags HTTP-Server to "export" data-tags to browsers
@@ -67,7 +68,8 @@ protected boolean doEnable(InspectitConfig configuration) {
         sessionStorage.setSessionLimit(sessionLimit);
 
         String sessionIdHeader = settings.getSessionIdHeader();
-        httpServlet = new BrowserPropagationServlet(sessionIdHeader);
+        List<String> allowedOrigins = settings.getAllowedOrigins();
+        httpServlet = new BrowserPropagationServlet(sessionIdHeader, allowedOrigins);
 
         return startServer(host, port, path, httpServlet);
     }

diff --git a/...ot-core/src/main/java/rocks/inspectit/ocelot/core/exporter/BrowserPropagationServlet.java b/...ot-core/src/main/java/rocks/inspectit/ocelot/core/exporter/BrowserPropagationServlet.java
@@ -11,6 +11,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -31,11 +32,17 @@ public class BrowserPropagationServlet extends HttpServlet {
      * Default-key: "Cookie"
      */
     private final String sessionIdHeader;
+
+    /**
+     * List of allowed Orgins, which are able to access the HTTP-server
+     */
+    private final List<String> allowedOrigins;
     private final ObjectMapper mapper;
     private final BrowserPropagationSessionStorage sessionStorage;
 
-    public BrowserPropagationServlet(String sessionIdHeader) {
+    public BrowserPropagationServlet(String sessionIdHeader, List<String> allowedOrigins) {
         this.sessionIdHeader = sessionIdHeader;
+        this.allowedOrigins = allowedOrigins;
         this.mapper = new ObjectMapper();
         this.sessionStorage = BrowserPropagationSessionStorage.getInstance();
     }
@@ -44,63 +51,75 @@ public BrowserPropagationServlet(String sessionIdHeader) {
     public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
         log.debug("Tags HTTP-server received GET-request");
         String origin = request.getHeader("Origin");
-        response.setHeader("Access-Control-Allow-Origin", origin);
-        response.setHeader("Access-Control-Allow-Methods", "GET");
-        response.setHeader("Access-Control-Allow-Credentials", "true");
-
-        String sessionID = request.getHeader(sessionIdHeader);
-        if(sessionID == null) {
-            log.warn("Request to Tags HTTP-server misses session ID");
-            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-        }
-        else {
-            BrowserPropagationDataStorage dataStorage = sessionStorage.getDataStorage(sessionID);
 
-            if(dataStorage == null) {
-                log.warn("Data storage with session id " + sessionID + " not found");
-                response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+        //If wildcard is used, allow every origin
+        //Alternatively, check if current origin is allowed
+        if(this.allowedOrigins.contains("*") || this.allowedOrigins.contains(origin)) {
+            response.setHeader("Access-Control-Allow-Origin", origin);
+            response.setHeader("Access-Control-Allow-Methods", "GET");
+            response.setHeader("Access-Control-Allow-Credentials", "true");
+
+            String sessionID = request.getHeader(sessionIdHeader);
+            if(sessionID == null) {
+                log.warn("Request to Tags HTTP-server misses session ID");
+                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
             }
             else {
-                dataStorage.updateTimestamp(System.currentTimeMillis());
-                Map<String, Object> propagationData = dataStorage.readData();
-                String res = mapper.writeValueAsString(propagationData.entrySet());
-                response.setContentType("application/json");
-                response.setStatus(HttpServletResponse.SC_OK);
-                response.getWriter().write(res);
+                BrowserPropagationDataStorage dataStorage = sessionStorage.getDataStorage(sessionID);
+
+                if(dataStorage == null) {
+                    log.warn("Data storage with session id " + sessionID + " not found");
+                    response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                }
+                else {
+                    dataStorage.updateTimestamp(System.currentTimeMillis());
+                    Map<String, Object> propagationData = dataStorage.readData();
+                    String res = mapper.writeValueAsString(propagationData.entrySet());
+                    response.setContentType("application/json");
+                    response.setStatus(HttpServletResponse.SC_OK);
+                    response.getWriter().write(res);
+                }
             }
         }
+        else response.setStatus(HttpServletResponse.SC_FORBIDDEN);
     }
 
     @Override
     protected void doPut(HttpServletRequest request, HttpServletResponse response) {
         log.debug("Tags HTTP-server received PUT-request");
         String origin = request.getHeader("Origin");
-        response.setHeader("Access-Control-Allow-Origin", origin);
-        response.setHeader("Access-Control-Allow-Methods", "PUT");
-        response.setHeader("Access-Control-Allow-Credentials", "true");
-
-        String sessionID = request.getHeader(sessionIdHeader);
-        if(sessionID == null) {
-            log.warn("Request to Tags HTTP-server misses session ID");
-            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-        }
-        else {
-            BrowserPropagationDataStorage dataStorage = sessionStorage.getDataStorage(sessionID);
 
-            if(dataStorage == null) {
-                log.warn("Data storage with session id " + sessionID + " not found");
-                response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+        //If wildcard is used, allow every origin
+        //Alternatively, check if current origin is allowed
+        if(this.allowedOrigins.contains("*") || this.allowedOrigins.contains(origin)) {
+            response.setHeader("Access-Control-Allow-Origin", origin);
+            response.setHeader("Access-Control-Allow-Methods", "PUT");
+            response.setHeader("Access-Control-Allow-Credentials", "true");
+
+            String sessionID = request.getHeader(sessionIdHeader);
+            if(sessionID == null) {
+                log.warn("Request to Tags HTTP-server misses session ID");
+                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
             }
             else {
-                dataStorage.updateTimestamp(System.currentTimeMillis());
-                Map<String, String> newPropagationData = getRequestBody(request);
-                if(newPropagationData != null) {
-                    dataStorage.writeData(newPropagationData);
-                    response.setStatus(HttpServletResponse.SC_OK);
+                BrowserPropagationDataStorage dataStorage = sessionStorage.getDataStorage(sessionID);
+
+                if(dataStorage == null) {
+                    log.warn("Data storage with session id " + sessionID + " not found");
+                    response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                }
+                else {
+                    dataStorage.updateTimestamp(System.currentTimeMillis());
+                    Map<String, String> newPropagationData = getRequestBody(request);
+                    if(newPropagationData != null) {
+                        dataStorage.writeData(newPropagationData);
+                        response.setStatus(HttpServletResponse.SC_OK);
+                    }
+                    else response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                 }
-                else response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
             }
         }
+        else response.setStatus(HttpServletResponse.SC_FORBIDDEN);
     }
 
     @Override
@@ -109,7 +128,9 @@ protected void doOptions(HttpServletRequest request, HttpServletResponse respons
         String origin = request.getHeader("Origin");
         String accessControlRequestMethod = request.getHeader("Access-Control-Request-Method");
 
-        if (origin != null && accessControlRequestMethod != null) {
+        if (origin != null && accessControlRequestMethod != null &&
+                (this.allowedOrigins.contains("*") || this.allowedOrigins.contains(origin))
+        ) {
             response.setHeader("Access-Control-Allow-Origin", origin);
             response.setHeader("Access-Control-Allow-Methods", "GET, PUT");
             response.setHeader("Access-Control-Allow-Credentials", "true");