add missing url patterns for AdminServiceAuthenticationFilter

[nobodyiam]

What's the purpose of this PR

add missing url patterns for AdminServiceAuthenticationFilter

Which issue(s) this PR fixes:

Fixes #5290

Brief changelog

• add /apollo/audit/*, /items-search/* and /server/* url patterns for AdminServiceAuthenticationFilter

Follow this checklist to help us incorporate your contribution quickly and easily:

• Read the Contributing Guide before making this pull request.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Write necessary unit tests to verify the code.
• Run mvn clean test to make sure this pull request doesn't break anything.
• Update the CHANGES log.

Summary by CodeRabbit

• New Features

  • Global search functionality for administrators.
  • Limits and whitelists for namespace counts per app ID and cluster.
  • Rate limiting function for ConsumerToken.
  • JSON formatting function added to the Apollo portal.
  • Cache record statistics function in ConfigService.
  • Value length limit function for AppId-level configuration items.
  • New URL patterns added to AdminServiceAuthenticationFilter.

• Bug Fixes

  • Resolved issues with duplicate comments and blank lines in configuration management.
  • Fixed missing items in the published namespace link.
  • Included missing URL patterns for the AdminServiceAuthenticationFilter.
  • Updated XStream library to address a security vulnerability.

[coderabbitai]

Walkthrough

The changes in this pull request introduce multiple updates and features to the Apollo system, primarily in version 2.4.0. Enhancements include new URL patterns for the AdminServiceAuthenticationFilter, global search capabilities, and various configuration limits. The ConfigService has been improved with a cache record statistics function, while several fixes address existing issues such as duplicate comments and missing items in links. Additionally, the XStream library has been updated to resolve a security vulnerability.

Changes

File Path	Change Summary
CHANGES.md	Updated to reflect new features, enhancements, and fixes in Apollo version 2.4.0.
apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/AdminServiceAutoConfiguration.java	Added new URL patterns to the AdminServiceAuthenticationFilter method.

Assessment against linked issues

Objective	Addressed	Explanation
Ensure the /server/config/find-all-config endpoint requires access token when admin-service.access.control.enabled is true. (#5290)	❌	The changes do not address the access control issue.

Possibly related PRs

• feat: add determine single namespace item num limit logic #5227: Introduces a limit on the number of items per namespace, related to namespace management.
• feat: add determine appid+cluster namespace num limit logic #5228: Adds a limit and whitelist for the namespace count per app ID and cluster, directly connected to new features in this PR.
• solve the problem of duplicate comments and blank lines  #5232: Addresses issues with duplicate comments and blank lines in configuration management, mentioned in the main PR's fixes.
• feat: ConfigService cache record stats #5247: Adds a cache record statistics function to the ConfigService, aligning with enhancements in this PR.
• feat: add JSON format button in apollo-portal #5287: Introduces a JSON format button in the Apollo portal, another feature included in this PR's updates.

Suggested labels

size:M, lgtm

🐰 "In a world of code, we hop and play,
New features bloom, brightening the day.
With filters and limits, our work's not in vain,
Through JSON and stats, we dance in the rain!
Let's celebrate changes, both big and small,
For in this code garden, there's room for us all!" 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

Copilot reviewed 2 out of 2 changed files in this pull request and generated no suggestions.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

CHANGES.md (1)

27-27: Consider enhancing the changelog entry with security impact.

While the entry correctly documents the change, consider expanding it to highlight the security implications:

-* [Fix: add missing url patterns for AdminServiceAuthenticationFilter](https://github.com/apolloconfig/apollo/pull/5291)
+* [Security: add missing url patterns for AdminServiceAuthenticationFilter to prevent unauthorized access to sensitive endpoints](https://github.com/apolloconfig/apollo/pull/5291)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 5659fa5 and 02f2924.

📒 Files selected for processing (2)

• CHANGES.md (1 hunks)
• apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/AdminServiceAutoConfiguration.java (1 hunks)

🔇 Additional comments (1)

apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/AdminServiceAutoConfiguration.java (1)

39-39: LGTM! Security enhancement properly implemented.

The addition of URL patterns /apollo/audit/*, /items-search/*, and /server/* effectively addresses the security vulnerability, particularly for the /server/config/find-all-config endpoint. The implementation follows the existing pattern structure and provides comprehensive coverage.

Let's verify the impact of these new patterns:

Also applies to: 44-44, 47-47

✅ Verification successful

Security enhancement verification completed - Implementation is correct and safe

The added URL patterns are properly secured:

• /apollo/audit/*: All audit endpoints have @PreAuthorize annotations requiring query permissions
• /items-search/*: Part of the protected item management API, consistent with other item endpoints
• /server/*: Covers sensitive server config endpoints that are only accessed via AdminServiceAPI

The patterns are used by legitimate internal APIs and don't affect any public endpoints. The Portal's AdminServiceAPI is the only consumer of these endpoints, making proper authenticated calls.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any public endpoints or documentation that might be affected

# Search for endpoint definitions under the new patterns
echo "Searching for affected endpoints..."
rg -l "(/apollo/audit/|/items-search/|/server/)" --type java

# Search for any documentation mentioning these endpoints
echo "Checking documentation for public API references..."
rg -l "(/apollo/audit/|/items-search/|/server/)" --type md

Length of output: 1283

---

Script:

#!/bin/bash
# Let's examine the endpoint implementations to understand their access patterns

# Check ServerConfigController implementations
echo "=== Server Config Controller implementations ==="
ast-grep --pattern 'class ServerConfigController {
  $$$
}'

# Check ItemController implementation
echo "=== Item Controller implementation ==="
ast-grep --pattern 'class ItemController {
  $$$
}'

# Check audit controller implementation
echo "=== Audit Controller implementation ==="
ast-grep --pattern 'class ApolloAuditController {
  $$$
}'

# Look for any @PreAuthorize or security annotations on these endpoints
echo "=== Security annotations on endpoints ==="
rg "@(PreAuthorize|Secured|RolesAllowed)" apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/controller/
rg "@(PreAuthorize|Secured|RolesAllowed)" apollo-audit/apollo-audit-impl/src/main/java/

Length of output: 1777

---

Script:

#!/bin/bash
# Let's check the actual endpoint mappings and their implementations

echo "=== Server Config Controller endpoints ==="
rg "@(GetMapping|PostMapping|RequestMapping|PutMapping|DeleteMapping)" -B2 -A2 apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/controller/ServerConfigController.java

echo "=== Item Controller endpoints ==="
rg "@(GetMapping|PostMapping|RequestMapping|PutMapping|DeleteMapping)" -B2 -A2 apollo-adminservice/src/main/java/com/ctrip/framework/apollo/adminservice/controller/ItemController.java

echo "=== Audit Controller endpoints ==="
rg "@(GetMapping|PostMapping|RequestMapping|PutMapping|DeleteMapping)" -B2 -A2 apollo-audit/apollo-audit-impl/src/main/java/com/ctrip/framework/apollo/audit/controller/ApolloAuditController.java

# Check if these endpoints are used in portal API calls
echo "=== Portal API usage ==="
rg "(/apollo/audit/|/items-search/|/server/)" apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/api/

Length of output: 5716