First step of #189 in progress: getting a callback for the actual tok…

…en step 2
OWASP · Feb 24, 2022 · 7f578f5 · 7f578f5
1 parent b3e0b4b
commit 7f578f5
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 10 deletions.
diff --git a/.github/scripts/docker-create-and-push.sh b/.github/scripts/docker-create-and-push.sh
@@ -58,9 +58,12 @@ openssl rand -base64 32 | tr -d '\n' > yourkey.txt
 
 echo "Building and updating pom.xml file so we can use it in our docker"
 cd ../.. && mvn clean && mvn --batch-mode release:update-versions -DdevelopmentVersion=${tag}-SNAPSHOT && mvn install
-git add pomx.ml
-git commit -am "Update POM file with new version: ${tag}"
-cd .github/scripts && git push
+#todo: uncomment 3 lines below again!
+#git add pomx.ml
+#git commit -am "Update POM file with new version: ${tag}"
+#cd .github/scripts && git push
+cd .github/scripts
+## todo: comment line above
 docker buildx create --name mybuilder
 docker buildx use mybuilder
 echo "creating containers"

diff --git a/Dockerfile.web b/Dockerfile.web
@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:1.3.4D-no-vault
+FROM jeroenwillemsen/wrongsecrets:canary-test-no-vault
 
-ARG argBasedVersion="1.3.4"
+ARG argBasedVersion="1.3.5RC1"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)
 ENV challengedockermtpath="/var/helpers"

diff --git a/pom.xml b/pom.xml
@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>canary-test-SNAPSHOT</version>
+    <version>canary-test2-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>

diff --git a/src/main/java/org/owasp/wrongsecrets/HerokuWebSecurityConfig.java b/src/main/java/org/owasp/wrongsecrets/HerokuWebSecurityConfig.java
@@ -14,5 +14,11 @@ protected void configure(HttpSecurity http) throws Exception {
             .requiresSecure()
             .and()
             .httpBasic().disable();
+        http.requiresChannel()
+            .requestMatchers(r -> r.getRequestURI().contains("canaries/tokencallback"))
+            .requiresInsecure()
+            .and()
+            .httpBasic().disable();
+
     }
 }
diff --git a/src/main/java/org/owasp/wrongsecrets/canaries/CanariesController.java b/src/main/java/org/owasp/wrongsecrets/canaries/CanariesController.java
@@ -3,15 +3,19 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.stereotype.Controller;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RestController;
 
 @Slf4j
-@Controller
+@RestController
 public class CanariesController {
 
-    @PostMapping(value="tokencallback")
-    public void processCanaryToken(CanaryToken canaryToken){
+    @PostMapping(path="/canaries/tokencallback", consumes = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<String> processCanaryToken(@RequestBody CanaryToken canaryToken){
         try {
             String canarytokenContents = new ObjectMapper().writeValueAsString(canaryToken);
             log.info("Canarytoken callback called with following token: {}", canarytokenContents);
@@ -24,5 +28,6 @@ public void processCanaryToken(CanaryToken canaryToken){
         - follow 3 of baeldung.com/spring-server-sent-events, but make sure you register the emitter per connection
         - and in a map lookup which emiter you can use for the given connection to send the event.
          */
+        return new ResponseEntity<>("all good" , HttpStatus.ACCEPTED );
     }
 }