This is an automated email from the ASF dual-hosted git repository. svenmeier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/wicket.git
commit f97afc3f1df51c410b8523c2c0d1924d08ca1466
Author: Sven Meier <svenme...@apache.org>
AuthorDate: Sat Aug 29 22:39:56 2020 +0200
WICKET-6821 align CSPSettings with other settings setter instead of factory method, add nonceCreator so subclassing is no longer needed
---
 .../wicket/csp/ContentSecurityPolicySettings.java | 36 +++++++++++++++++++---
 .../wicket/protocol/http/WebApplication.java | 16 ++++++++--
 .../csp/CSPSettingRequestCycleListenerTest.java | 6 ++--
 .../head/filter/FilteringHeaderResponseTest.java | 16 +++++-----
 4 files changed, 55 insertions(+), 19 deletions(-)
diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
index 7bd1bdd..de79be8 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
@@ -20,6 +20,7 @@ import java.util.Collections;
 import java.util.EnumMap;
 import java.util.Map;
 import java.util.function.Predicate;
+import java.util.function.Supplier;
 import org.apache.wicket.Application;
 import org.apache.wicket.MetaDataKey;
@@ -65,16 +66,20 @@ public class ContentSecurityPolicySettings
 private static final long serialVersionUID = 1L;
 };
- private final Application application;
-
 private final Map<CSPHeaderMode, CSPHeaderConfiguration> configs = new EnumMap<>(
 CSPHeaderMode.class);
 private Predicate<IRequestHandler> protectedFilter = RenderPageRequestHandler.class::isInstance;
+ private Supplier<String> nonceCreator;
+
 public ContentSecurityPolicySettings(Application application)
 {
- this.application = Args.notNull(application, "application");
+ Args.notNull(application, "application");
+
+ nonceCreator = () -> {
+ return application.getSecuritySettings().getRandomSupplier().getRandomBase64(NONCE_LENGTH);
+ };
 }
 public CSPHeaderConfiguration blocking()
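Review bot: The default `nonceCreator` assigned in the constructor is a block lambda around a single `return`; an expression lambda is the idiomatic form here: `nonceCreator = () -> application.getSecuritySettings().getRandomSupplier().getRandomBase64(NONCE_LENGTH);`. That lambda is now the only thing keeping a reference to `application` after the `application` field was removed, so a one-line comment such as `// captured: the default nonce source is the application's secure random supplier` would explain to the next reader why the field went away without losing the dependency. The new `nonceCreator` field itself carries no Javadoc, unlike the neighbouring `protectedFilter` setter's documentation; a short `/** Creates the per-response nonce, see {@link #setNonceCreator(Supplier)}. */` would match. The class body continues outside the hunk.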
@@ -89,6 +94,20 @@ public class ContentSecurityPolicySettings
 }
 /**
+ * Sets the creator of nonces.
+ *
+ * @param nonceCreator
+ * The new creator, must not be null.
+ * @return {@code this} for chaining.
+ */
+ public ContentSecurityPolicySettings setNonceCreator(Supplier<String> nonceCreator)
+ {
+ Args.notNull(nonceCreator, "nonceCreator");
+ this.nonceCreator = nonceCreator;
+ return this;
+ }
+
+ /**
 * Sets the predicate that determines which requests must be protected by the CSP. When the
 * predicate evaluates to false, the request will not be protected.
 *
@@ -108,7 +127,7 @@ public class ContentSecurityPolicySettings
 * Should any request be protected by CSP.
 *
 * @param handler
- * @return <code>true</code> by default
+ * @return <code>true</code> by default for all {@link RenderPageRequestHandler}s
 *
 * @see #setProtectedFilter(Predicate)
 */
@@ -155,9 +174,16 @@ public class ContentSecurityPolicySettings
 return nonce;
 }
+ /**
+ * Create a new nonce.
+ *
+ * @return nonce
+ *
+ * @see #setNonceCreator(Supplier)
+ */
 protected String createNonce()
 {
- return application.getSecuritySettings().getRandomSupplier().getRandomBase64(NONCE_LENGTH);
+ return nonceCreator.get();
 }
 /**
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
index d38cadf..a3c4ffc 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
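Review bot: The Javadoc of the new `setNonceCreator` only says the supplier must not be null, yet this public hook replaces the secure-random default the constructor installs, so the caller takes over a security contract that the documentation should spell out. Suggest adding to the `@param nonceCreator` text: `Must return a fresh, unpredictable value on every call (the default draws NONCE_LENGTH bytes of Base64 from the application's secure random supplier); a reused or guessable nonce defeats the nonce-based allow-listing in the CSP header.` The same contract is worth a sentence on `createNonce()` in the last hunk of this file, whose `@return nonce` says nothing about freshness or randomness. Whether Wicket requires the supplier to be thread-safe depends on how `createNonce()` is invoked across request cycles, which is not visible here; if it is called concurrently, say so in the Javadoc as well.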
@@ -1111,10 +1111,9 @@ public abstract class WebApplication extends Application
 }
 /**
- * Builds the {@link ContentSecurityPolicySettings} to be used for this application. Override
- * this method to provider your own implementation.
+ * TODO remove in Wicket 10
 *
- * @return The newly created CSP settings.
+ * @deprecated use {@link #setCspSettings(ContentSecurityPolicySettings)} instead
 */
 protected ContentSecurityPolicySettings newCspSettings()
 {
@@ -1129,6 +1128,8 @@ public abstract class WebApplication extends Application
 * @return The {@link ContentSecurityPolicySettings} for this application.
 * @see ContentSecurityPolicySettings
 * @see CSPHeaderConfiguration
+ *
+ * TODO make final in Wicket 10
 */
 public ContentSecurityPolicySettings getCspSettings()
 {
@@ -1140,4 +1141,13 @@ public abstract class WebApplication extends Application
 }
 return cspSettings;
 }
+
+ /**
+ * Set CSP settings.
+ *
+ */
+ public void setCspSettings(ContentSecurityPolicySettings cspSettings)
+ {
+ this.cspSettings = cspSettings;
+ }
 }
\ No newline at end of file
diff --git a/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
index 08a4d36..0100f58 100644
--- a/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
@@ -53,16 +53,16 @@ public class CSPSettingRequestCycleListenerTest extends WicketTestCase
 return new MockApplication()
 {
 @Override
- protected ContentSecurityPolicySettings newCspSettings()
+ protected void init()
 {
- return new ContentSecurityPolicySettings(this)
+ setCspSettings(new ContentSecurityPolicySettings(this)
 {
 @Override
 public boolean isEnabled()
 {
 return true;
 }
- };
+ });
 }
 };
 }
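Review bot: `setCspSettings` in the third hunk stores its argument without a null check, while the constructor of ContentSecurityPolicySettings in this same commit guards with `Args.notNull`; because `getCspSettings()` appears to fall back to the deprecated `newCspSettings()` while the field is null (only the `return cspSettings;` tail of that path is visible), passing null would silently re-enable the factory path instead of failing fast. Suggest `this.cspSettings = Args.notNull(cspSettings, "cspSettings");` if `Args` is available in this file, and completing the Javadoc with `@param cspSettings The settings to use for this application, must not be null.` In the first hunk `newCspSettings()` is deprecated only through the Javadoc `@deprecated` tag; the hunk adds no `@Deprecated` annotation above the declaration, so overriding subclasses get no compiler warning — add `@Deprecated` there. The bodies of `newCspSettings()` and `getCspSettings()` continue outside their hunks.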
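Review bot: The new `init()` override in CSPSettingRequestCycleListenerTest does not call `super.init()`, whereas the equivalent override in FilteringHeaderResponseTest (next file section) starts with `super.init();`. If `MockApplication.init()` performs any setup, this test now skips it, and the two tests should at least be consistent; suggest making `super.init();` the first statement of the override. The enclosing method that returns the MockApplication starts before the hunk.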
diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java
index 34c6d8a..610abbc 100644
--- a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java
@@ -44,22 +44,24 @@ class FilteringHeaderResponseTest extends WicketTestCase
 return new MockApplication()
 {
 @Override
- protected ContentSecurityPolicySettings newCspSettings()
+ protected void init()
 {
- return new ContentSecurityPolicySettings(this)
+ super.init();
+
+ setCspSettings(new ContentSecurityPolicySettings(this)
 {
 @Override
 public String getNonce(RequestCycle cycle)
 {
 return "NONCE";
 }
-
+
 @Override
 public boolean isEnabled()
 {
 return true;
 }
- };
+ });
 }
 };
 }
@@ -69,8 +71,7 @@ class FilteringHeaderResponseTest extends WicketTestCase
 {
 // use this header resource decorator to load all JavaScript resources in the page
 // footer (after </body>)
- tester.getApplication()
- .getHeaderResponseDecorators()
+ tester.getApplication().getHeaderResponseDecorators()
 .add(response -> new JavaScriptFilteredIntoFooterHeaderResponse(response, "footerJS"));
 executeTest(FilteredHeaderPage.class, "FilteredHeaderPageExpected.html");
 }
@@ -110,8 +111,7 @@ class FilteringHeaderResponseTest extends WicketTestCase
 @Test
 void deferred() throws Exception
 {
- tester.getApplication()
- .getHeaderResponseDecorators()
+ tester.getApplication().getHeaderResponseDecorators()
 .add(response -> new JavaScriptDeferHeaderResponse(response));
 executeTest(DeferredPage.class, "DeferredPageExpected.html");
 }