feat(security): verify that the tolerant ObjectMapper is used

Author: JoergSiebahn

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/jackson/SdaObjectMapperConfiguration.java

@@ -16,12 +16,19 @@
 import java.time.ZonedDateTime;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Primary;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 
 @AutoConfiguration
+@Order(Ordered.HIGHEST_PRECEDENCE)
 public class SdaObjectMapperConfiguration {
-  @Bean
-  Jackson2ObjectMapperBuilder objectMapperBuilder() {
+  public static final String OBJECT_MAPPER_BUILDER_BEAN_NAME = "sdaObjectMapperBuilder";
+
+  @Bean(name = OBJECT_MAPPER_BUILDER_BEAN_NAME)
+  @Primary
+  public Jackson2ObjectMapperBuilder sdaObjectMapperBuilder() {
     return new Jackson2ObjectMapperBuilder()
         .featuresToDisable(
             SerializationFeature.FAIL_ON_EMPTY_BEANS,

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/exception/InsecureConfigurationException.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.exception;
+
+/** Exception to be thrown if the configuration looks suspicious. */
+public class InsecureConfigurationException extends RuntimeException {
+
+  public InsecureConfigurationException(String message) {
+    super(message);
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/validation/CustomObjectMapperAdvice.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.validation;
+
+import javax.annotation.PostConstruct;
+import org.sdase.commons.spring.boot.web.jackson.SdaObjectMapperConfiguration;
+import org.sdase.commons.spring.boot.web.security.exception.InsecureConfigurationException;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.stereotype.Component;
+
+/**
+ * Checks that custom error mappers are registered by the SdaObjectMapperConfiguration. The check is
+ * indirectly performed by checking that the required bean is in the spring context. This class
+ * checks for the risks identified in the security guide as:
+ *
+ * <ul>
+ *   <li>Detection of confidential components
+ * </ul>
+ */
+@Component
+@ConditionalOnMissingBean(name = SdaObjectMapperConfiguration.OBJECT_MAPPER_BUILDER_BEAN_NAME)
+public class CustomObjectMapperAdvice {
+
+  private static final String JACKSON_CONFIGURATION_BEAN_CLASS = "Jackson2ObjectMapperBuilder";
+
+  @PostConstruct
+  public void check() {
+    throw new InsecureConfigurationException(
+        "Missing "
+            + SdaObjectMapperConfiguration.OBJECT_MAPPER_BUILDER_BEAN_NAME
+            + " bean from org.sdase.commons.spring.boot.web.jackson. The "
+            + JACKSON_CONFIGURATION_BEAN_CLASS
+            + " component registers custom mappers.");
+  }
+}

sda-commons-web-autoconfigure/src/test/java/org/sdase/commons/spring/boot/web/security/test/ContextUtils.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.test;
+
+import org.springframework.boot.test.context.SpringBootContextLoader;
+import org.springframework.boot.test.context.SpringBootTestContextBootstrapper;
+import org.springframework.boot.test.context.assertj.ApplicationContextAssert;
+import org.springframework.boot.test.context.assertj.AssertableApplicationContext;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate;
+import org.springframework.test.context.support.DefaultBootstrapContext;
+
+public class ContextUtils {
+  private ContextUtils() {
+    // avoid instantiation
+  }
+
+  /**
+   * Creates a spring test context for testing application startup failures. Using {@link
+   * org.springframework.boot.test.context.SpringBootTest} annotation will prevent the tests from
+   * starting. Tests that need dependencies from the web environment must add
+   * `@SpringBootTest(webEnvironment = ...)` to the tested Spring Boot application class because
+   * that is how it is internally checked. The test class must not be annotated with {@link
+   * org.springframework.boot.test.context.SpringBootTest}.
+   *
+   * <p>Example:
+   *
+   * <pre>
+   *   <code>assertThat(createTestContext(AppFailingToInitialize.class)).hasFailed();</code>
+   * </pre>
+   *
+   * @see ApplicationContextAssert for details about the assertions to verify conditions of an
+   *     {@link org.springframework.context.ApplicationContext} that may have {@linkplain
+   *     ApplicationContextAssert#hasFailed() failed to initialize}.
+   * @param springBootApplicationClass The application class annotated with `SpringBootApplication`
+   * @return An assertable application context.
+   */
+  public static AssertableApplicationContext createTestContext(
+      Class<?> springBootApplicationClass) {
+    var delegate = new DefaultCacheAwareContextLoaderDelegate();
+    var bootstrapContext = new DefaultBootstrapContext(springBootApplicationClass, delegate);
+
+    var bootstrapper = new SpringBootTestContextBootstrapper();
+    bootstrapper.setBootstrapContext(bootstrapContext);
+
+    var configuration = bootstrapper.buildMergedContextConfiguration();
+
+    return AssertableApplicationContext.get(
+        () -> {
+          SpringBootContextLoader loader = new SpringBootContextLoader();
+          try {
+            return (ConfigurableApplicationContext) loader.loadContext(configuration);
+          } catch (Exception e) {
+            throw new RuntimeException(e);
+          }
+        });
+  }
+}

sda-commons-web-autoconfigure/src/test/java/org/sdase/commons/spring/boot/web/security/validation/CustomObjectMapperAdviceTest.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.validation;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+import org.sdase.commons.spring.boot.web.jackson.SdaObjectMapperConfiguration;
+import org.sdase.commons.spring.boot.web.security.exception.InsecureConfigurationException;
+import org.sdase.commons.spring.boot.web.security.test.ContextUtils;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.test.context.SpringBootTest;
+
+class CustomObjectMapperAdviceTest {
+  @Test
+  void shouldPreventStartupIfTracingIsEnabled() {
+    assertThat(ContextUtils.createTestContext(NoSdaObjectMapperApp.class))
+        .hasFailed()
+        .getFailure()
+        .getRootCause()
+        .isInstanceOf(InsecureConfigurationException.class)
+        .hasMessage(
+            "Missing sdaObjectMapperBuilder bean from org.sdase.commons.spring.boot.web.jackson. "
+                + "The Jackson2ObjectMapperBuilder component registers custom mappers.");
+  }
+
+  @SpringBootApplication(exclude = SdaObjectMapperConfiguration.class)
+  @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+  public static class NoSdaObjectMapperApp {}
+}