From c42b08d15687bb5540dd5ef5c3ae28f2b3dfb78c Mon Sep 17 00:00:00 2001 From: SiBorea Date: Thu, 14 Nov 2024 18:27:39 +0800 Subject: [PATCH 01/10] Handle special case of xssProtection --- .../boot2/ConvertToSecurityDslVisitor.java | 12 +++ .../boot2/HeadersConfigurerLambdaDslTest.java | 78 +++++++++++++++++++ 2 files changed, 90 insertions(+) diff --git a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java index 6642e825f..5b211bae5 100644 --- a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java +++ b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java @@ -39,6 +39,8 @@ public class ConvertToSecurityDslVisitor

extends JavaIsoVisitor

{ public static final String FQN_CUSTOMIZER = "org.springframework.security.config.Customizer"; + private static final MethodMatcher XSS_PROTECTION_ENABLED = new MethodMatcher("org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig xssProtectionEnabled(boolean)"); + private static final JavaType.FullyQualified CUSTOMIZER_SHALLOW_TYPE = (JavaType.ShallowClass) JavaType.buildType(FQN_CUSTOMIZER); @@ -111,6 +113,7 @@ public J.MethodInvocation visitMethodInvocation(J.MethodInvocation initialMethod if (initialMethod != method && (grandParent == null || !(grandParent.getValue() instanceof J.MethodInvocation))) { method = autoFormat(method, executionContext); } + return method; } @@ -127,6 +130,15 @@ private static String generateParamNameFromMethodName(String n) { private J.Lambda createLambdaParam(String paramName, JavaType paramType, List chain) { J.Identifier param = createIdentifier(paramName, paramType); J.MethodInvocation body = unfoldMethodInvocationChain(createIdentifier(paramName, paramType), chain); + // Special case for xssProtectionEnabled method + if (XSS_PROTECTION_ENABLED.matches(body)) { + if (Boolean.parseBoolean(body.getArguments().get(0).print())) { + // Returning null will cause issues, use `and()` as a placeholder + body = body.withName(body.getName().withSimpleName("and")).withArguments(null); + } else { + body = body.withName(body.getName().withSimpleName("disable")).withArguments(null); + } + } return new J.Lambda(Tree.randomId(), Space.EMPTY, Markers.EMPTY, new J.Lambda.Parameters(Tree.randomId(), Space.EMPTY, Markers.EMPTY, false, Collections.singletonList(new JRightPadded<>(param, Space.EMPTY, Markers.EMPTY))), Space.build(" ", Collections.emptyList()), diff --git a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java index cfc23a89d..b630b9366 100644 
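Review bot: In the new `XSS_PROTECTION_ENABLED` branch of `createLambdaParam`, `Boolean.parseBoolean(body.getArguments().get(0).print())` treats every argument whose printed text is not exactly `true` as false. A non-literal call such as `xssProtectionEnabled(someFlag)` (constructed example) would therefore be rewritten to `disable()`, and the migrated configuration would silently stop emitting the header. A `true` literal written with surrounding whitespace or a comment probably takes the same path, since `print()` appears to render the element as written in source; this should be confirmed. Rewrite only when the argument is a boolean `J.Literal`, and leave any other expression untouched so the original call survives the migration. The body of `createLambdaParam` continues past the end of this hunk.

```java
J.MethodInvocation body = unfoldMethodInvocationChain(createIdentifier(paramName, paramType), chain);
// Special case for xssProtectionEnabled method
if (XSS_PROTECTION_ENABLED.matches(body)) {
    J arg = body.getArguments().get(0);
    // Only a boolean literal can be decided statically; anything else keeps xssProtectionEnabled(<expr>)
    if (arg instanceof J.Literal && ((J.Literal) arg).getValue() instanceof Boolean) {
        boolean enabled = (Boolean) ((J.Literal) arg).getValue();
        // Returning null will cause issues, use `and()` as a placeholder
        body = body.withName(body.getName().withSimpleName(enabled ? "and" : "disable")).withArguments(null);
    }
}
// … unchanged: return new J.Lambda(...) …
```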
--- a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java
+++ b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java
@@ -74,6 +74,84 @@ protected void configure(HttpSecurity http) throws Exception { ); } + @Test + void xssProtectionEnable() { + //language=java + rewriteRun( + java( + """ +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; + +@Configuration +public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection().xssProtectionEnabled(true); + } +} + """, + """ +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; + +@Configuration +public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection(protection -> protection.and()); + } +} + """ + ) + ); + } + + @Test + void xssProtectionDisable() { + //language=java + rewriteRun( + java( + """ +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; + +@Configuration +public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection().xssProtectionEnabled(false); + } +} + """, + """ +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import 
org.springframework.security.config.annotation.web.builders.HttpSecurity; + +@Configuration +public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection(protection -> protection.disable()); + } +} + """ + ) + ); + } + @Test void complexContentSecurityPolicy() { //language=java From 56b22c913ee47b6ab2b55e5b8ab9207758d70d53 Mon Sep 17 00:00:00 2001 From: SiBorea Date: Thu, 14 Nov 2024 18:34:09 +0800 Subject: [PATCH 02/10] Fix format --- .../boot2/ConvertToSecurityDslVisitor.java | 106 +++++++++--------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java index 5b211bae5..7af00f4d0 100644 --- a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java +++ b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java @@ -15,6 +15,8 @@ */ package org.openrewrite.java.spring.boot2; +import static java.util.Collections.emptyList; +import static java.util.Objects.requireNonNull; import org.jspecify.annotations.Nullable; import org.openrewrite.Cursor; import org.openrewrite.Tree; @@ -28,9 +30,6 @@ import java.util.*; -import static java.util.Collections.emptyList; -import static java.util.Objects.requireNonNull; - public class ConvertToSecurityDslVisitor
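Review bot: `xssProtectionEnable` and `xssProtectionDisable` both pass a boolean literal, so nothing covers a call whose argument is a field, parameter or constant, and that is the input where a wrong rewrite to `protection.disable()` would weaken the migrated security configuration without any test failing. Add a third case, for example `.xssProtection().xssProtectionEnabled(enabled)` with `enabled` declared in the test class (constructed example), and assert that the output does not contain `disable()`. Separately, the enabled expectation pins `protection -> protection.and()`, which the visitor's own comment calls a placeholder; a short comment in the test saying this output is a deliberate no-op would stop a later reader from mistaking it for a conversion bug.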

extends JavaIsoVisitor

{ private static final String MSG_FLATTEN_CHAIN = "http-security-dsl-flatten-invocation-chain"; @@ -42,7 +41,7 @@ public class ConvertToSecurityDslVisitor

extends JavaIsoVisitor

{ private static final MethodMatcher XSS_PROTECTION_ENABLED = new MethodMatcher("org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig xssProtectionEnabled(boolean)"); private static final JavaType.FullyQualified CUSTOMIZER_SHALLOW_TYPE = - (JavaType.ShallowClass) JavaType.buildType(FQN_CUSTOMIZER); + (JavaType.ShallowClass) JavaType.buildType(FQN_CUSTOMIZER); private final String securityFqn; @@ -67,12 +66,12 @@ public ConvertToSecurityDslVisitor(String securityFqn, Collection conver } public ConvertToSecurityDslVisitor(String securityFqn, Collection convertableMethods, - Map argReplacements) { + Map argReplacements) { this(securityFqn, convertableMethods, argReplacements, new HashMap<>()); } public ConvertToSecurityDslVisitor(String securityFqn, Collection convertableMethods, - Map argReplacements, Map methodRenames) { + Map argReplacements, Map methodRenames) { this.securityFqn = securityFqn; this.convertableMethods = convertableMethods; this.argReplacements = argReplacements; 
@@ -85,28 +84,28 @@ public J.MethodInvocation visitMethodInvocation(J.MethodInvocation initialMethod if (isApplicableMethod(method)) { J.MethodInvocation m = method; method = createDesiredReplacement(method) - .map(newMethodType -> { - List chain = computeAndMarkChain(); - boolean keepArg = keepArg(m.getSimpleName()); - String paramName = keepArg ? "configurer" : generateParamNameFromMethodName(m.getSimpleName()); - return m - .withMethodType(newMethodType) - .withName(m.getName().withSimpleName(newMethodType.getName())) - .withArguments(ListUtils.concat( - keepArg ? m.getArguments().get(0) : null, - Collections.singletonList(chain.isEmpty() ? - createDefaultsCall() : - createLambdaParam(paramName, newMethodType.getParameterTypes().get(keepArg ? 1 : 0), chain)) - ) - ); - }) - .orElse(method); + .map(newMethodType -> { + List chain = computeAndMarkChain(); + boolean keepArg = keepArg(m.getSimpleName()); + String paramName = keepArg ? "configurer" : generateParamNameFromMethodName(m.getSimpleName()); + return m + .withMethodType(newMethodType) + .withName(m.getName().withSimpleName(newMethodType.getName())) + .withArguments(ListUtils.concat( + keepArg ? m.getArguments().get(0) : null, + Collections.singletonList(chain.isEmpty() ? + createDefaultsCall() : + createLambdaParam(paramName, newMethodType.getParameterTypes().get(keepArg ? 1 : 0), chain)) + ) + ); + }) + .orElse(method); } Boolean msg = getCursor().pollMessage(MSG_FLATTEN_CHAIN); if (Boolean.TRUE.equals(msg)) { method = requireNonNull(method.getSelect()) - .withPrefix(method.getPrefix()) - .withComments(method.getComments()); + .withPrefix(method.getPrefix()) + .withComments(method.getComments()); } // Auto-format the top invocation call if anything has changed down the tree Cursor grandParent = getCursor().getParent(2); 
@@ -120,7 +119,8 @@ public J.MethodInvocation visitMethodInvocation(J.MethodInvocation initialMethod private static String generateParamNameFromMethodName(String n) { int i = n.length() - 1; //noinspection StatementWithEmptyBody - for (; i >= 0 && Character.isLowerCase(n.charAt(i)); i--) {} + for (; i >= 0 && Character.isLowerCase(n.charAt(i)); i--) { + } if (i >= 0) { return StringUtils.uncapitalize(i == 0 ? n : n.substring(i)); } @@ -140,10 +140,10 @@ private J.Lambda createLambdaParam(String paramName, JavaType paramType, List(param, Space.EMPTY, Markers.EMPTY))), - Space.build(" ", Collections.emptyList()), - body, - JavaType.Primitive.Void + new J.Lambda.Parameters(Tree.randomId(), Space.EMPTY, Markers.EMPTY, false, Collections.singletonList(new JRightPadded<>(param, Space.EMPTY, Markers.EMPTY))), + Space.build(" ", Collections.emptyList()), + body, + JavaType.Primitive.Void ); } @@ -162,8 +162,8 @@ private J.MethodInvocation unfoldMethodInvocationChain(J.Identifier core, List MSG_TOP_INVOCATION.equals(marker.getMessage()))) { invocation = invocation - .withMarkers(invocation.getMarkers().removeByType(Markup.Info.class)) - .withPrefix(Space.EMPTY); + .withMarkers(invocation.getMarkers().removeByType(Markup.Info.class)) + .withPrefix(Space.EMPTY); } return invocation; } 
@@ -173,17 +173,17 @@ private boolean isApplicableMethod(J.MethodInvocation m) { if (type != null) { JavaType.FullyQualified declaringType = type.getDeclaringType(); return securityFqn.equals(declaringType.getFullyQualifiedName()) && - (type.getParameterTypes().isEmpty() || hasHandleableArg(m)) && - convertableMethods.contains(m.getSimpleName()); + (type.getParameterTypes().isEmpty() || hasHandleableArg(m)) && + convertableMethods.contains(m.getSimpleName()); } return false; } private boolean hasHandleableArg(J.MethodInvocation m) { return argReplacements.containsKey(m.getSimpleName()) && - m.getMethodType() != null && - m.getMethodType().getParameterTypes().size() == 1 && - !TypeUtils.isAssignableTo(FQN_CUSTOMIZER, m.getMethodType().getParameterTypes().get(0)); + m.getMethodType() != null && + m.getMethodType().getParameterTypes().size() == 1 && + !TypeUtils.isAssignableTo(FQN_CUSTOMIZER, m.getMethodType().getParameterTypes().get(0)); } private Optional createDesiredReplacement(J.MethodInvocation m) { 
@@ -192,16 +192,16 @@ private Optional createDesiredReplacement(J.MethodInvocation m) return Optional.empty(); } JavaType.Parameterized customizerArgType = new JavaType.Parameterized(null, - CUSTOMIZER_SHALLOW_TYPE, Collections.singletonList(methodType.getReturnType())); + CUSTOMIZER_SHALLOW_TYPE, Collections.singletonList(methodType.getReturnType())); boolean keepArg = keepArg(m.getSimpleName()); List paramNames = keepArg ? ListUtils.concat(methodType.getParameterNames(), "arg1") : - Collections.singletonList("arg0"); + Collections.singletonList("arg0"); List paramTypes = keepArg ? ListUtils.concat(methodType.getParameterTypes(), customizerArgType) : - Collections.singletonList(customizerArgType); + Collections.singletonList(customizerArgType); return Optional.of(methodType.withReturnType(methodType.getDeclaringType()) - .withName(methodRenames.getOrDefault(methodType.getName(), methodType.getName())) - .withParameterNames(paramNames) - .withParameterTypes(paramTypes) + .withName(methodRenames.getOrDefault(methodType.getName(), methodType.getName())) + .withParameterNames(paramNames) + .withParameterTypes(paramTypes) ); } @@ -215,8 +215,8 @@ private Optional createDesiredReplacementForArg(J.MethodInvocat return Optional.empty(); } return Optional.of( - methodType.withName(argReplacements.get(m.getSimpleName())) - .withDeclaringType((JavaType.FullyQualified) methodType.getReturnType()) + methodType.withName(argReplacements.get(m.getSimpleName())) + .withDeclaringType((JavaType.FullyQualified) methodType.getReturnType()) ); } 
@@ -249,8 +249,8 @@ private List computeAndMarkChain() { Cursor cursor = getCursor(); J.MethodInvocation initialMethodInvocation = cursor.getValue(); createDesiredReplacementForArg(initialMethodInvocation).ifPresent(methodType -> - chain.add(initialMethodInvocation.withName( - initialMethodInvocation.getName().withType(methodType).withSimpleName(methodType.getName())))); + chain.add(initialMethodInvocation.withName( + initialMethodInvocation.getName().withType(methodType).withSimpleName(methodType.getName())))); cursor = cursor.getParent(2); for (; isApplicableCallCursor(cursor); cursor = cursor.getParent(2)) { cursor.putMessage(MSG_FLATTEN_CHAIN, true); @@ -280,8 +280,8 @@ private List computeAndMarkChain() { private boolean isAndMethod(J.MethodInvocation method) { return "and".equals(method.getSimpleName()) && - (method.getArguments().isEmpty() || method.getArguments().get(0) instanceof J.Empty) && - TypeUtils.isAssignableTo(securityFqn, method.getType()); + (method.getArguments().isEmpty() || method.getArguments().get(0) instanceof J.Empty) && + TypeUtils.isAssignableTo(securityFqn, method.getType()); } private boolean isDisableMethod(J.MethodInvocation method) { 
@@ -290,13 +290,13 @@ private boolean isDisableMethod(J.MethodInvocation method) { private J.MethodInvocation createDefaultsCall() { JavaType.Method methodType = new JavaType.Method(null, 9, CUSTOMIZER_SHALLOW_TYPE, "withDefaults", - new JavaType.GenericTypeVariable(null, "T", JavaType.GenericTypeVariable.Variance.INVARIANT, null), - null, null, null, null); + new JavaType.GenericTypeVariable(null, "T", JavaType.GenericTypeVariable.Variance.INVARIANT, null), + null, null, null, null); maybeAddImport(methodType.getDeclaringType().getFullyQualifiedName(), methodType.getName()); return new J.MethodInvocation(Tree.randomId(), Space.EMPTY, Markers.EMPTY, null, null, - new J.Identifier(Tree.randomId(), Space.EMPTY, Markers.EMPTY, emptyList(), "withDefaults", null, null), - JContainer.empty(), methodType) - .withSelect(null); + new J.Identifier(Tree.randomId(), Space.EMPTY, Markers.EMPTY, emptyList(), "withDefaults", null, null), + JContainer.empty(), methodType) + .withSelect(null); } } From 8d48def0703fc6e53539d13d4098a59bae3ec207 Mon Sep 17 00:00:00 2001 From: Tim te Beek Date: Thu, 14 Nov 2024 12:13:07 +0100 Subject: [PATCH 03/10] Apply formatter to minimize diff --- .../boot2/ConvertToSecurityDslVisitor.java | 100 +++--- .../boot2/HeadersConfigurerLambdaDslTest.java | 316 +++++++++--------- 2 files changed, 208 insertions(+), 208 deletions(-) diff --git a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java index 7af00f4d0..1add1918e 100644 --- a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java +++ b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java 
@@ -15,8 +15,6 @@ */ package org.openrewrite.java.spring.boot2; -import static java.util.Collections.emptyList; -import static java.util.Objects.requireNonNull; import org.jspecify.annotations.Nullable; import org.openrewrite.Cursor; import org.openrewrite.Tree; @@ -30,6 +28,9 @@ import java.util.*; +import static java.util.Collections.emptyList; +import static java.util.Objects.requireNonNull; + public class ConvertToSecurityDslVisitor

extends JavaIsoVisitor

{ private static final String MSG_FLATTEN_CHAIN = "http-security-dsl-flatten-invocation-chain"; @@ -40,8 +41,7 @@ public class ConvertToSecurityDslVisitor

extends JavaIsoVisitor

{ private static final MethodMatcher XSS_PROTECTION_ENABLED = new MethodMatcher("org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig xssProtectionEnabled(boolean)"); - private static final JavaType.FullyQualified CUSTOMIZER_SHALLOW_TYPE = - (JavaType.ShallowClass) JavaType.buildType(FQN_CUSTOMIZER); + private static final JavaType.FullyQualified CUSTOMIZER_SHALLOW_TYPE = JavaType.ShallowClass.build(FQN_CUSTOMIZER); private final String securityFqn; 
@@ -84,28 +84,28 @@ public J.MethodInvocation visitMethodInvocation(J.MethodInvocation initialMethod if (isApplicableMethod(method)) { J.MethodInvocation m = method; method = createDesiredReplacement(method) - .map(newMethodType -> { - List chain = computeAndMarkChain(); - boolean keepArg = keepArg(m.getSimpleName()); - String paramName = keepArg ? "configurer" : generateParamNameFromMethodName(m.getSimpleName()); - return m - .withMethodType(newMethodType) - .withName(m.getName().withSimpleName(newMethodType.getName())) - .withArguments(ListUtils.concat( - keepArg ? m.getArguments().get(0) : null, - Collections.singletonList(chain.isEmpty() ? - createDefaultsCall() : - createLambdaParam(paramName, newMethodType.getParameterTypes().get(keepArg ? 1 : 0), chain)) - ) - ); - }) - .orElse(method); + .map(newMethodType -> { + List chain = computeAndMarkChain(); + boolean keepArg = keepArg(m.getSimpleName()); + String paramName = keepArg ? "configurer" : generateParamNameFromMethodName(m.getSimpleName()); + return m + .withMethodType(newMethodType) + .withName(m.getName().withSimpleName(newMethodType.getName())) + .withArguments(ListUtils.concat( + keepArg ? m.getArguments().get(0) : null, + Collections.singletonList(chain.isEmpty() ? + createDefaultsCall() : + createLambdaParam(paramName, newMethodType.getParameterTypes().get(keepArg ? 1 : 0), chain)) + ) + ); + }) + .orElse(method); } Boolean msg = getCursor().pollMessage(MSG_FLATTEN_CHAIN); if (Boolean.TRUE.equals(msg)) { method = requireNonNull(method.getSelect()) - .withPrefix(method.getPrefix()) - .withComments(method.getComments()); + .withPrefix(method.getPrefix()) + .withComments(method.getComments()); } // Auto-format the top invocation call if anything has changed down the tree Cursor grandParent = getCursor().getParent(2); 
@@ -140,10 +140,10 @@ private J.Lambda createLambdaParam(String paramName, JavaType paramType, List(param, Space.EMPTY, Markers.EMPTY))), - Space.build(" ", Collections.emptyList()), - body, - JavaType.Primitive.Void + new J.Lambda.Parameters(Tree.randomId(), Space.EMPTY, Markers.EMPTY, false, Collections.singletonList(new JRightPadded<>(param, Space.EMPTY, Markers.EMPTY))), + Space.build(" ", Collections.emptyList()), + body, + JavaType.Primitive.Void ); } @@ -162,8 +162,8 @@ private J.MethodInvocation unfoldMethodInvocationChain(J.Identifier core, List MSG_TOP_INVOCATION.equals(marker.getMessage()))) { invocation = invocation - .withMarkers(invocation.getMarkers().removeByType(Markup.Info.class)) - .withPrefix(Space.EMPTY); + .withMarkers(invocation.getMarkers().removeByType(Markup.Info.class)) + .withPrefix(Space.EMPTY); } return invocation; } @@ -173,17 +173,17 @@ private boolean isApplicableMethod(J.MethodInvocation m) { if (type != null) { JavaType.FullyQualified declaringType = type.getDeclaringType(); return securityFqn.equals(declaringType.getFullyQualifiedName()) && - (type.getParameterTypes().isEmpty() || hasHandleableArg(m)) && - convertableMethods.contains(m.getSimpleName()); + (type.getParameterTypes().isEmpty() || hasHandleableArg(m)) && + convertableMethods.contains(m.getSimpleName()); } return false; } private boolean hasHandleableArg(J.MethodInvocation m) { return argReplacements.containsKey(m.getSimpleName()) && - m.getMethodType() != null && - m.getMethodType().getParameterTypes().size() == 1 && - !TypeUtils.isAssignableTo(FQN_CUSTOMIZER, m.getMethodType().getParameterTypes().get(0)); + m.getMethodType() != null && + m.getMethodType().getParameterTypes().size() == 1 && + !TypeUtils.isAssignableTo(FQN_CUSTOMIZER, m.getMethodType().getParameterTypes().get(0)); } private Optional createDesiredReplacement(J.MethodInvocation m) { 
@@ -192,16 +192,16 @@ private Optional createDesiredReplacement(J.MethodInvocation m) return Optional.empty(); } JavaType.Parameterized customizerArgType = new JavaType.Parameterized(null, - CUSTOMIZER_SHALLOW_TYPE, Collections.singletonList(methodType.getReturnType())); + CUSTOMIZER_SHALLOW_TYPE, Collections.singletonList(methodType.getReturnType())); boolean keepArg = keepArg(m.getSimpleName()); List paramNames = keepArg ? ListUtils.concat(methodType.getParameterNames(), "arg1") : - Collections.singletonList("arg0"); + Collections.singletonList("arg0"); List paramTypes = keepArg ? ListUtils.concat(methodType.getParameterTypes(), customizerArgType) : - Collections.singletonList(customizerArgType); + Collections.singletonList(customizerArgType); return Optional.of(methodType.withReturnType(methodType.getDeclaringType()) - .withName(methodRenames.getOrDefault(methodType.getName(), methodType.getName())) - .withParameterNames(paramNames) - .withParameterTypes(paramTypes) + .withName(methodRenames.getOrDefault(methodType.getName(), methodType.getName())) + .withParameterNames(paramNames) + .withParameterTypes(paramTypes) ); } @@ -215,8 +215,8 @@ private Optional createDesiredReplacementForArg(J.MethodInvocat return Optional.empty(); } return Optional.of( - methodType.withName(argReplacements.get(m.getSimpleName())) - .withDeclaringType((JavaType.FullyQualified) methodType.getReturnType()) + methodType.withName(argReplacements.get(m.getSimpleName())) + .withDeclaringType((JavaType.FullyQualified) methodType.getReturnType()) ); } 
@@ -249,8 +249,8 @@ private List computeAndMarkChain() { Cursor cursor = getCursor(); J.MethodInvocation initialMethodInvocation = cursor.getValue(); createDesiredReplacementForArg(initialMethodInvocation).ifPresent(methodType -> - chain.add(initialMethodInvocation.withName( - initialMethodInvocation.getName().withType(methodType).withSimpleName(methodType.getName())))); + chain.add(initialMethodInvocation.withName( + initialMethodInvocation.getName().withType(methodType).withSimpleName(methodType.getName())))); cursor = cursor.getParent(2); for (; isApplicableCallCursor(cursor); cursor = cursor.getParent(2)) { cursor.putMessage(MSG_FLATTEN_CHAIN, true); @@ -280,8 +280,8 @@ private List computeAndMarkChain() { private boolean isAndMethod(J.MethodInvocation method) { return "and".equals(method.getSimpleName()) && - (method.getArguments().isEmpty() || method.getArguments().get(0) instanceof J.Empty) && - TypeUtils.isAssignableTo(securityFqn, method.getType()); + (method.getArguments().isEmpty() || method.getArguments().get(0) instanceof J.Empty) && + TypeUtils.isAssignableTo(securityFqn, method.getType()); } private boolean isDisableMethod(J.MethodInvocation method) { 
@@ -290,13 +290,13 @@ private boolean isDisableMethod(J.MethodInvocation method) { private J.MethodInvocation createDefaultsCall() { JavaType.Method methodType = new JavaType.Method(null, 9, CUSTOMIZER_SHALLOW_TYPE, "withDefaults", - new JavaType.GenericTypeVariable(null, "T", JavaType.GenericTypeVariable.Variance.INVARIANT, null), - null, null, null, null); + new JavaType.GenericTypeVariable(null, "T", JavaType.GenericTypeVariable.Variance.INVARIANT, null), + null, null, null, null); maybeAddImport(methodType.getDeclaringType().getFullyQualifiedName(), methodType.getName()); return new J.MethodInvocation(Tree.randomId(), Space.EMPTY, Markers.EMPTY, null, null, - new J.Identifier(Tree.randomId(), Space.EMPTY, Markers.EMPTY, emptyList(), "withDefaults", null, null), - JContainer.empty(), methodType) - .withSelect(null); + new J.Identifier(Tree.randomId(), Space.EMPTY, Markers.EMPTY, emptyList(), "withDefaults", null, null), + JContainer.empty(), methodType) + .withSelect(null); } } diff --git a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java index b630b9366..9077badfd 100644 --- a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java +++ b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java 
@@ -38,37 +38,37 @@ void simpleContentSecurityPolicy() { rewriteRun( java( """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .contentSecurityPolicy("foobar")); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy("foobar")); + } + } """, """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { 
- http - .headers(headers -> headers - .contentSecurityPolicy(policy -> policy - .policyDirectives("foobar"))); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy(policy -> policy + .policyDirectives("foobar"))); + } + } """ ) ); 
@@ -80,34 +80,34 @@ void xssProtectionEnable() { rewriteRun( java( """ -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.context.annotation.Configuration; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; -@Configuration -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers() - .xssProtection().xssProtectionEnabled(true); - } -} + @Configuration + public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection().xssProtectionEnabled(true); + } + } """, """ -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.context.annotation.Configuration; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; -@Configuration -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers() - .xssProtection(protection -> protection.and()); - } -} + @Configuration + public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + 
.xssProtection(protection -> protection.and()); + } + } """ ) ); 
@@ -119,34 +119,34 @@ void xssProtectionDisable() { rewriteRun( java( """ -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.context.annotation.Configuration; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; -@Configuration -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers() - .xssProtection().xssProtectionEnabled(false); - } -} + @Configuration + public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection().xssProtectionEnabled(false); + } + } """, """ -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.context.annotation.Configuration; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; -@Configuration -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers() - .xssProtection(protection -> protection.disable()); - } -} + @Configuration + public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + 
.xssProtection(protection -> protection.disable()); + } + } """ ) ); 
@@ -158,37 +158,37 @@ void complexContentSecurityPolicy() { rewriteRun( java( """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .contentSecurityPolicy("foobar").reportOnly()); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy("foobar").reportOnly()); + } + } """, """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void 
configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .contentSecurityPolicy(policy -> policy - .policyDirectives("foobar").reportOnly())); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy(policy -> policy + .policyDirectives("foobar").reportOnly())); + } + } """ ) ); 
@@ -200,39 +200,39 @@ void referrerPolicy() { rewriteRun( java( """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .referrerPolicy(ReferrerPolicy.ORIGIN)); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .referrerPolicy(ReferrerPolicy.ORIGIN)); + } + } """, """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import 
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .referrerPolicy(policy -> policy - .policy(ReferrerPolicy.ORIGIN))); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .referrerPolicy(policy -> policy + .policy(ReferrerPolicy.ORIGIN))); + } + } """ ) ); 
@@ -244,46 +244,46 @@ void mix() { rewriteRun( java( """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .contentSecurityPolicy("foobar").reportOnly().and() - .cacheControl().and() - .referrerPolicy(ReferrerPolicy.ORIGIN)); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy("foobar").reportOnly().and() + .cacheControl().and() + .referrerPolicy(ReferrerPolicy.ORIGIN)); + } + } """, """ -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import 
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; + import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy; -import static org.springframework.security.config.Customizer.withDefaults; + import static org.springframework.security.config.Customizer.withDefaults; -@EnableWebSecurity -public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { + @EnableWebSecurity + public class ConventionalSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .headers(headers -> headers - .contentSecurityPolicy(policy -> policy - .policyDirectives("foobar").reportOnly()) - .cacheControl(withDefaults()) - .referrerPolicy(policy -> policy - .policy(ReferrerPolicy.ORIGIN))); - } -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy(policy -> policy + .policyDirectives("foobar").reportOnly()) + .cacheControl(withDefaults()) + .referrerPolicy(policy -> policy + .policy(ReferrerPolicy.ORIGIN))); + } + } """ ) ); From 8335ef7c914ed9751b4fdb20ef4cf883ba388384 Mon Sep 17 00:00:00 2001 From: Tim te Beek Date: Thu, 14 Nov 2024 12:28:01 +0100 Subject: [PATCH 04/10] Minimize diff some more --- .../spring/boot2/ConvertToSecurityDslVisitor.java | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java index 1add1918e..76e6e9c7d 100644 --- a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java +++ b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java 
@@ -112,15 +112,13 @@ public J.MethodInvocation visitMethodInvocation(J.MethodInvocation initialMethod if (initialMethod != method && (grandParent == null || !(grandParent.getValue() instanceof J.MethodInvocation))) { method = autoFormat(method, executionContext); } - return method; } private static String generateParamNameFromMethodName(String n) { int i = n.length() - 1; //noinspection StatementWithEmptyBody - for (; i >= 0 && Character.isLowerCase(n.charAt(i)); i--) { - } + for (; i >= 0 && Character.isLowerCase(n.charAt(i)); i--) {} if (i >= 0) { return StringUtils.uncapitalize(i == 0 ? n : n.substring(i)); } @@ -132,11 +130,11 @@ private J.Lambda createLambdaParam(String paramName, JavaType paramType, List Date: Fri, 15 Nov 2024 11:22:43 +0800 Subject: [PATCH 05/10] Add xssProtection.headerValue test --- build.gradle.kts | 2 + .../boot2/HeadersConfigurerLambdaDslTest.java | 53 +++++++++++++++++-- 2 files changed, 52 insertions(+), 3 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index 17ed75da5..ab7b2c9c8 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
@@ -209,7 +209,9 @@ dependencies {
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework:spring-webmvc:5.3.+")
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-core:5.5.+")
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-config:5.5.+")
+ "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-config:5.8.+")
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-web:5.5.+")
+ "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-web:5.8.+")
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-ldap:5.5.+")
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-oauth2-client:5.5.+")
 "testWithSpringBoot_2_4RuntimeOnly"("org.springframework.security:spring-security-oauth2-resource-server:5.5.+")
diff --git a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java
index 9077badfd..876b6383b 100644
--- a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java
+++ b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java
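Review bot: The two added lines declare `spring-security-config:5.8.+` and `spring-security-web:5.8.+` in the same `testWithSpringBoot_2_4RuntimeOnly` configuration that still declares both modules at `5.5.+`. Gradle's default conflict resolution keeps only the highest requested version of a module, so the `5.5.+` entries presumably no longer have any effect. Every test in this source set would then run against config/web 5.8, while `spring-security-core` is still declared at `5.5.+` and would only be raised transitively. If 5.8 is needed only for the `headerValue` test, I would either replace the `5.5.+` lines outright or move that test to its own source set, and add a comment such as `// 5.8 required for XXssConfig.headerValue(...)` so the mixed versions are not read as an accident.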
@@ -17,18 +17,26 @@ import org.junit.jupiter.api.Test; import org.openrewrite.DocumentExample; +import static org.openrewrite.java.Assertions.java; import org.openrewrite.java.JavaParser; import org.openrewrite.test.RecipeSpec; import org.openrewrite.test.RewriteTest; -import static org.openrewrite.java.Assertions.java; - class HeadersConfigurerLambdaDslTest implements RewriteTest { @Override public void defaults(RecipeSpec spec) { spec.recipe(new HeadersConfigurerLambdaDsl()) .parser(JavaParser.fromJavaVersion() - .classpath("spring-beans", "spring-context", "spring-boot", "spring-security", "spring-web", "tomcat-embed", "spring-core")); + .classpath( + "spring-beans", + "spring-context", + "spring-boot", + "spring-security-config-5.8.+", + "spring-security-web-5.8.+", + "spring-web", + "tomcat-embed", + "spring-core" + )); } @DocumentExample 
@@ -152,6 +160,45 @@ protected void configure(HttpSecurity http) throws Exception { ); } + @Test + void xssProtectionHeaderValue() { + //language=java + rewriteRun( + java( + """ + import org.springframework.context.annotation.Configuration; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter; + + @Configuration + public class WebSecurityConfig { + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection() + .headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED); + } + } + """, + """ + import org.springframework.context.annotation.Configuration; + import org.springframework.security.config.annotation.web.builders.HttpSecurity; + import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter; + + @Configuration + public class WebSecurityConfig { + protected void configure(HttpSecurity http) throws Exception { + http + .headers() + .xssProtection(protection -> protection + .headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED)); + } + } + """ + ) + ); + } + @Test void complexContentSecurityPolicy() { //language=java From c81cdd35e66f6cbfa07cefb2d9cf502dfc0f5250 Mon Sep 17 00:00:00 2001 From: SiBorea <108953913+SiBorea@users.noreply.github.com> Date: Sat, 16 Nov 2024 00:28:22 +0800 Subject: [PATCH 06/10] Fix xss chain invocation --- .../boot2/ConvertToSecurityDslVisitor.java | 24 ++++++++++++------- .../boot2/HeadersConfigurerLambdaDslTest.java | 2 ++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java index 76e6e9c7d..d13d89917 100644 --- a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java +++ b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java 
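Review bot: `xssProtectionHeaderValue` pins only the `HeaderValue.DISABLED` input, so nothing in this hunk would fail if the recipe dropped or inverted a setting that turns the header on. I would add a sibling case whose input uses an enabling value such as `HeaderValue.ENABLED_MODE_BLOCK`, and one where `xssProtectionEnabled(...)` receives a non-literal argument (a field or constant). The special case shown elsewhere in this series chooses between `disable()` and a placeholder from the argument's literal value, so a non-literal argument is presumably the input most likely to be migrated to a different header state than the original configuration produced. Tests elsewhere in the file may already cover part of this; they are outside the hunk.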
@@ -129,14 +129,14 @@ private J.Lambda createLambdaParam(String paramName, JavaType paramType, List(param, Space.EMPTY, Markers.EMPTY))), Space.build(" ", Collections.emptyList()), @@ -154,6 +154,14 @@ private J.MethodInvocation unfoldMethodInvocationChain(J.Identifier core, List protection + .and() .headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED)); } } From f630f2885fc07250af3b39d109053875d7d88e38 Mon Sep 17 00:00:00 2001 From: Tim te Beek Date: Fri, 15 Nov 2024 21:03:58 +0100 Subject: [PATCH 07/10] Remove commented out code block --- .../boot2/ConvertToSecurityDslVisitor.java | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java index d13d89917..f992dabf6 100644 --- a/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java +++ b/src/main/java/org/openrewrite/java/spring/boot2/ConvertToSecurityDslVisitor.java @@ -34,17 +34,14 @@ public class ConvertToSecurityDslVisitor

extends JavaIsoVisitor

{ private static final String MSG_FLATTEN_CHAIN = "http-security-dsl-flatten-invocation-chain"; - private static final String MSG_TOP_INVOCATION = "top-method-invocation"; - public static final String FQN_CUSTOMIZER = "org.springframework.security.config.Customizer"; + private static final String FQN_CUSTOMIZER = "org.springframework.security.config.Customizer"; + private static final JavaType.FullyQualified CUSTOMIZER_SHALLOW_TYPE = JavaType.ShallowClass.build(FQN_CUSTOMIZER); private static final MethodMatcher XSS_PROTECTION_ENABLED = new MethodMatcher("org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig xssProtectionEnabled(boolean)"); - private static final JavaType.FullyQualified CUSTOMIZER_SHALLOW_TYPE = JavaType.ShallowClass.build(FQN_CUSTOMIZER); - private final String securityFqn; - private final Collection convertableMethods; /** @@ -128,15 +125,6 @@ private static String generateParamNameFromMethodName(String n) { private J.Lambda createLambdaParam(String paramName, JavaType paramType, List chain) { J.Identifier param = createIdentifier(paramName, paramType); J.MethodInvocation body = unfoldMethodInvocationChain(createIdentifier(paramName, paramType), chain); - // Special case for xssProtectionEnabled method -// if (XSS_PROTECTION_ENABLED.matches(body)) { -// if (J.Literal.isLiteralValue(body.getArguments().get(0), false)) { -// body = body.withName(body.getName().withSimpleName("disable")).withArguments(null); -// } else { -// // Enabled by default; but returning `null` will cause issues, so we use `and()` as a placeholder -// body = body.withName(body.getName().withSimpleName("and")).withArguments(null); -// } -// } return new J.Lambda(Tree.randomId(), Space.EMPTY, Markers.EMPTY, new J.Lambda.Parameters(Tree.randomId(), Space.EMPTY, Markers.EMPTY, false, Collections.singletonList(new JRightPadded<>(param, Space.EMPTY, Markers.EMPTY))), Space.build(" ", Collections.emptyList()), 
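Review bot: `FQN_CUSTOMIZER` changes from `public static final` to `private static final` in the first hunk, which is an API change to a public class made in a commit described only as removing a commented-out block. Any recipe or downstream code that references `ConvertToSecurityDslVisitor.FQN_CUSTOMIZER` would stop compiling; whether such references exist is not visible from this patch. If the narrowing is intended, I would keep the constant public for a release, mark it `@Deprecated` with a Javadoc `@deprecated` line, and mention the change in the commit message. The second hunk only deletes the commented-out `xssProtectionEnabled` handling in `createLambdaParam`, so `XSS_PROTECTION_ENABLED` stays justified only if `unfoldMethodInvocationChain` still uses it, which lies outside these hunks.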
From ee1d22fce95af8c80f92a26b6002df9102845643 Mon Sep 17 00:00:00 2001 From: Tim te Beek Date: Fri, 15 Nov 2024 21:08:32 +0100 Subject: [PATCH 08/10] Update src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../java/spring/boot2/HeadersConfigurerLambdaDslTest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java index 7cfe9fa03..abf98b6a5 100644 --- a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java +++ b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java @@ -17,6 +17,7 @@ import org.junit.jupiter.api.Test; import org.openrewrite.DocumentExample; + import static org.openrewrite.java.Assertions.java; import org.openrewrite.java.JavaParser; import org.openrewrite.test.RecipeSpec; From 9511bed3b3ebd81acb457c789e7ca15f9af58a52 Mon Sep 17 00:00:00 2001 From: Tim te Beek Date: Fri, 15 Nov 2024 21:09:01 +0100 Subject: [PATCH 09/10] Reorder import statements in test file --- .../java/spring/boot2/HeadersConfigurerLambdaDslTest.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java index abf98b6a5..8bd397633 100644 --- a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java +++ b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java 
@@ -18,11 +18,12 @@ import org.junit.jupiter.api.Test; import org.openrewrite.DocumentExample; -import static org.openrewrite.java.Assertions.java; import org.openrewrite.java.JavaParser; import org.openrewrite.test.RecipeSpec; import org.openrewrite.test.RewriteTest; +import static org.openrewrite.java.Assertions.java; + class HeadersConfigurerLambdaDslTest implements RewriteTest { @Override public void defaults(RecipeSpec spec) { From 8c57f764967fc9996fe5cc60d1ec981e2a98ff83 Mon Sep 17 00:00:00 2001 From: Tim te Beek Date: Fri, 15 Nov 2024 21:16:33 +0100 Subject: [PATCH 10/10] Remove unused import in test file --- .../java/spring/boot2/HeadersConfigurerLambdaDslTest.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java index 8bd397633..c58c26d7a 100644 --- a/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java +++ b/src/testWithSpringBoot_2_4/java/org/openrewrite/java/spring/boot2/HeadersConfigurerLambdaDslTest.java @@ -17,7 +17,6 @@ import org.junit.jupiter.api.Test; import org.openrewrite.DocumentExample; - import org.openrewrite.java.JavaParser; import org.openrewrite.test.RecipeSpec; import org.openrewrite.test.RewriteTest;