Host header attack implementation improvements and tests

Signed-off-by: Ammar Bikic <ammar.bikic@bosch.io>

hawkbit-runtime/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/AbstractSecurityTest.java

@@ -1,3 +1,11 @@
+/**
+ * Copyright (c) 2020 Bosch.IO GmbH and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
 package org.eclipse.hawkbit.app;
 
 import org.eclipse.hawkbit.repository.test.util.MsSqlTestDatabase;

hawkbit-runtime/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/AllowedHostNamesTest.java

@@ -8,33 +8,38 @@
  */
 package org.eclipse.hawkbit.app;
 
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import org.junit.Test;
-import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.web.firewall.RequestRejectedException;
 
 import io.qameta.allure.Feature;
 import io.qameta.allure.Story;
+import org.springframework.test.context.TestPropertySource;
 
-@SpringBootTest(properties = { "hawkbit.server.security.allowedHostNames=localhost" })
+@TestPropertySource(properties = { "hawkbit.server.security.allowedHostNames=localhost",
+        "hawkbit.server.security.httpFirewallIgnoredPaths=/index.html" })
 @Feature("Integration Test - Security")
 @Story("Allowed Host Names")
 public class AllowedHostNamesTest extends AbstractSecurityTest {
 
     @Test
-    public void allowedHostNameWithNotAllowedHost() throws Exception {
-        try {
-            mvc.perform(get("/").header(HttpHeaders.HOST, "www.google.com"));
-        } catch (final RequestRejectedException e) {
-            // do nothing as this exception is expected
-        }
+    public void allowedHostNameWithNotAllowedHost() {
+        assertThatExceptionOfType(RequestRejectedException.class).isThrownBy(
+                () -> mvc.perform(get("/").header(HttpHeaders.HOST, "www.google.com")));
     }
 
     @Test
     public void allowedHostNameWithAllowedHost() throws Exception {
         mvc.perform(get("/").header(HttpHeaders.HOST, "localhost")).andExpect(status().is3xxRedirection());
     }
-} 
+
+    @Test
+    public void notAllowedHostnameWithIgnoredPath() throws Exception {
+        mvc.perform(get("/index.html").header(HttpHeaders.HOST, "www.google.com"))
+                .andExpect(status().is4xxClientError());
+    }
+}

hawkbit-runtime/hawkbit-update-server/src/test/java/org/eclipse/hawkbit/app/CorsTest.java

@@ -24,6 +24,7 @@ import org.springframework.security.test.context.support.WithUserDetails;
 import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.TestExecutionListeners;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
@@ -36,7 +37,7 @@ import io.qameta.allure.Description;
 import io.qameta.allure.Feature;
 import io.qameta.allure.Story;
 
-@SpringBootTest(properties = { "hawkbit.server.security.cors.enabled=true",
+@TestPropertySource(properties = { "hawkbit.server.security.cors.enabled=true",
         "hawkbit.server.security.cors.allowedOrigins=" + CorsTest.ALLOWED_ORIGIN_FIRST + ","
                 + CorsTest.ALLOWED_ORIGIN_SECOND })
 @Feature("Integration Test - Security")