feat: add possibility to disable specific endpoints

ludomikula · ludomikula · commit 2de7c17b1456 · 2023-06-18T14:20:30.000+02:00
diff --git a/server/api-service/lowcoder-sdk/src/main/java/org/lowcoder/sdk/config/CommonConfig.java b/server/api-service/lowcoder-sdk/src/main/java/org/lowcoder/sdk/config/CommonConfig.java
@@ -8,9 +8,11 @@
 import java.util.Set;
 
 import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.lowcoder.sdk.constants.WorkspaceMode;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.http.HttpMethod;
 import org.springframework.stereotype.Component;
 
 import lombok.Data;
@@ -63,6 +65,8 @@ public static class Security {
         // support of docker env file.
         private String corsAllowedDomainString;
 
+        private List<ApiEndpoint> forbiddenEndpoints;
+        
         public List<String> getAllCorsAllowedDomains() {
             List<String> all = new ArrayList<>();
             if (CollectionUtils.isNotEmpty(corsAllowedDomains)) {
@@ -74,8 +78,19 @@ public List<String> getAllCorsAllowedDomains() {
             }
             return all;
         }
+        
+        public List<ApiEndpoint> getForbiddenEndpoints()
+        {
+        	return ListUtils.emptyIfNull(forbiddenEndpoints);
+        }
     }
 
+    @Data
+    public static class ApiEndpoint {
+    	private HttpMethod method;
+    	private String uri;
+    }
+    
     @Data
     public static class Workspace {
 
diff --git a/server/api-service/lowcoder-server/src/main/java/org/lowcoder/api/framework/security/SecurityConfig.java b/server/api-service/lowcoder-server/src/main/java/org/lowcoder/api/framework/security/SecurityConfig.java
@@ -34,6 +34,7 @@
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.reactive.CorsConfigurationSource;
@@ -62,8 +63,17 @@ public class SecurityConfig {
     @Bean
     public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 
-
-        http.cors()
+    	if (!commonConfig.getSecurity().getForbiddenEndpoints().isEmpty())
+    	{
+    		http.authorizeExchange()
+	    		.matchers(
+		        		commonConfig.getSecurity().getForbiddenEndpoints().stream()
+		        		.map(apiEndpoint -> ServerWebExchangeMatchers.pathMatchers(apiEndpoint.getMethod(), apiEndpoint.getUri()))
+		        		.toArray(size -> new ServerWebExchangeMatcher[size])
+				).denyAll();    		
+    	}
+    	
+    	http.cors()
                 .configurationSource(buildCorsConfigurationSource())
                 .and()
                 .csrf().disable()
@@ -137,6 +147,7 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
         return http.build();
     }
 
+        
     /**
      * enable CORS
      */
