Trim HTTP paths for security mapping

Trailing whitespace could otherwise cause confusion Fixes quarkusio#10201
stuartwdouglas · Jun 25, 2020 · 6dfa288 · 6dfa288
1 parent e712f74
commit 6dfa288
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 0 deletions.
diff --git a/...rtx-http/deployment/src/test/java/io/quarkus/vertx/http/security/TrimmedPathTestCase.java b/...rtx-http/deployment/src/test/java/io/quarkus/vertx/http/security/TrimmedPathTestCase.java
@@ -0,0 +1,73 @@
+package io.quarkus.vertx.http.security;
+
+import java.util.function.Supplier;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.test.utils.TestIdentityController;
+import io.quarkus.security.test.utils.TestIdentityProvider;
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+
+public class TrimmedPathTestCase {
+
+    @BeforeAll
+    public static void setup() {
+        TestIdentityController.resetRoles().add("test", "test", "test");
+    }
+
+    private static final String APP_PROPS = "" +
+            "# Add your application.properties here, if applicable.\n" +
+            "quarkus.http.auth.permission.authenticated.paths=/*\n" +
+            "quarkus.http.auth.permission.authenticated.policy=authenticated\n" +
+            "#allow /health/* always for probeness\n" +
+            "quarkus.http.auth.permission.health.paths=/health/*                            \n" + //note the spaces
+            "quarkus.http.auth.permission.health.policy=permit\n" +
+            "quarkus.http.auth.permission.health.methods=GET\n";
+
+    @RegisterExtension
+    static QuarkusUnitTest test = new QuarkusUnitTest().setArchiveProducer(new Supplier<JavaArchive>() {
+        @Override
+        public JavaArchive get() {
+            return ShrinkWrap.create(JavaArchive.class)
+                    .addClasses(TestIdentityController.class, TestIdentityProvider.class, PathHandler.class)
+                    .addAsResource(new StringAsset(APP_PROPS), "application.properties");
+        }
+    });
+
+    @Test
+    public void testHealthAccessible() {
+
+        RestAssured
+                .given()
+                .when()
+                .get("/health/liveliness")
+                .then()
+                .assertThat()
+                .statusCode(200);
+        RestAssured
+                .given()
+                .auth()
+                .preemptive()
+                .basic("test", "test")
+                .when()
+                .get("/health/liveliness")
+                .then()
+                .assertThat()
+                .statusCode(200);
+
+        RestAssured
+                .given()
+                .when()
+                .get("/foo")
+                .then()
+                .assertThat()
+                .statusCode(401);
+    }
+
+}
diff --git a/.../src/main/java/io/quarkus/vertx/http/runtime/security/PathMatchingHttpSecurityPolicy.java b/.../src/main/java/io/quarkus/vertx/http/runtime/security/PathMatchingHttpSecurityPolicy.java
@@ -84,6 +84,7 @@ void init(HttpBuildTimeConfig config, Map<String, Supplier<HttpSecurityPolicy>>
             }
 
             for (String path : entry.getValue().paths.orElse(Collections.emptyList())) {
+                path = path.trim();
                 if (tempMap.containsKey(path)) {
                     HttpMatcher m = new HttpMatcher(new HashSet<>(entry.getValue().methods.orElse(Collections.emptyList())),
                             checker);