Michael Breu · b3633ee4 · 6400265c · f6935e90 · 86e24c4d · a27a1978
--- a/src/main/java/at/ac/uibk/gitsearch/config/SecurityConfiguration.java

+ 51

− 3
+++ b/src/main/java/at/ac/uibk/gitsearch/config/SecurityConfiguration.java

+ 51

− 3
 @@ -12,14 +12,18 @@ import at.ac.uibk.gitsearch.security.oauth2.UserDetailsFetcher;
 import at.ac.uibk.gitsearch.service.UserService;
 import at.ac.uibk.gitsearch.service.dto.AdminUserDTO;
 import at.ac.uibk.gitsearch.service.mapper.UserMapper;
+import java.net.InetAddress;
 import java.net.URI;
+import java.net.UnknownHostException;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+import javax.annotation.Nonnull;
 import javax.servlet.DispatcherType;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.factory.annotation.Value;
 @@ -76,6 +80,9 @@ import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
+import org.springframework.security.web.util.matcher.AndRequestMatcher;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.filter.CorsFilter;
 @@ -191,7 +198,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
            .antMatchers("/api/refreshToken").permitAll()
            .antMatchers("/api/register").denyAll()
            .antMatchers("/api/activate").permitAll()
-            .antMatchers("/api/gitlab/eventListener").permitAll() // TODO clarify access
+            .requestMatchers(forLocalNetworkAndPath("/api/gitlab/eventListener")).anonymous() // gitlab event processing requests are only accepted, if local
+            .antMatchers("/api/gitlab/eventListener").hasAuthority(AuthoritiesConstants.ADMIN) // TODO clarify access
            .antMatchers("/api/account/reset-password/init").permitAll()
            .antMatchers("/api/account/reset-password/finish").permitAll()
            .antMatchers("/api/likes/numberOfLikes/**").permitAll()
 @@ -245,8 +253,48 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    }

    /**
-     * this method postprocesses OAuth2LoginAuthenticationFilter and assigns an AuthenticationResultConverter.
-     * The AuthenticationResultConverter is needed to convey the original referer-URL from the original
+     * A request matcher which matches just for local network access.
+     *
+     * @param port the port to match.
+     *
+     * @return the new matcher.
+     */
+    private RequestMatcher forLocalNetwork() {
+        return (HttpServletRequest request) -> {
+            final String remoteAddr = request.getRemoteAddr();
+            try {
+                InetAddress remoteAddress = InetAddress.getByName(remoteAddr);
+                if (remoteAddress.isLoopbackAddress() || remoteAddress.isLinkLocalAddress() || remoteAddress.isSiteLocalAddress()) {
+                    return true;
+                } else {
+                    logger.info("Non local access from {} to {} is only allowed for admins", remoteAddr, request.getLocalAddr());
+                    return false;
+                }
+            } catch (UnknownHostException e) {
+                logger.warn("Cannot parse address {}", remoteAddr, e);
+                return false;
+            }
+        };
+    }
+
+    /**
+     * Creates a request matcher which only matches requests for for local network
+     * access and path (using an
+     * {@link AntPathRequestMatcher} for the path part).
+     *
+     * @param pathPattern the pattern for the path.
+     *
+     * @return the new request matcher.
+     */
+    private RequestMatcher forLocalNetworkAndPath(@Nonnull final String pathPattern) {
+        return new AndRequestMatcher(new AntPathRequestMatcher(pathPattern), forLocalNetwork());
+    }
+
+    /**
+     * this method postprocesses OAuth2LoginAuthenticationFilter and assigns an
+     * AuthenticationResultConverter.
+     * The AuthenticationResultConverter is needed to convey the original
+     * referer-URL from the original
     */
    private final ObjectPostProcessor<OAuth2LoginAuthenticationFilter> authenticationFilterPostProcessor = new ObjectPostProcessor<OAuth2LoginAuthenticationFilter>() {
        @Override