@Test
public void testRequestAttributesForAccessLog() throws Exception {
// PREPARE
FilterDef filterDef = new FilterDef();
filterDef.addInitParameter("protocolHeader", "x-forwarded-proto");
filterDef.addInitParameter("remoteIpHeader", "x-my-forwarded-for");
filterDef.addInitParameter("httpServerPort", "8080");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("192.168.0.10");
request.setHeader("x-my-forwarded-for", "140.211.11.130");
request.setHeader("x-forwarded-proto", "http");
// TEST
HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request);
// VERIFY
Assert.assertEquals(
"org.apache.catalina.AccessLog.ServerPort",
Integer.valueOf(8080),
actualRequest.getAttribute(AccessLog.SERVER_PORT_ATTRIBUTE));
Assert.assertEquals(
"org.apache.catalina.AccessLog.RemoteAddr",
"140.211.11.130",
actualRequest.getAttribute(AccessLog.REMOTE_ADDR_ATTRIBUTE));
Assert.assertEquals(
"org.apache.catalina.AccessLog.RemoteHost",
"140.211.11.130",
actualRequest.getAttribute(AccessLog.REMOTE_HOST_ATTRIBUTE));
}
@Test
public void testInvokeAllProxiesAreInternal() throws Exception {
// PREPARE
FilterDef filterDef = new FilterDef();
filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("192.168.0.10");
request.setRemoteHost("remote-host-original-value");
request.addHeader("x-forwarded-for", "140.211.11.130, 192.168.0.10, 192.168.0.11");
// TEST
HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request);
// VERIFY
String actualXForwardedFor = actualRequest.getHeader("x-forwarded-for");
assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor);
String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy);
String actualRemoteAddr = actualRequest.getRemoteAddr();
assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
String actualRemoteHost = actualRequest.getRemoteHost();
assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
}
@Test
public void testInvokeNotAllowedRemoteAddr() throws Exception {
// PREPARE
FilterDef filterDef = new FilterDef();
filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("not-allowed-internal-proxy");
request.setRemoteHost("not-allowed-internal-proxy-host");
request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
// TEST
HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request);
// VERIFY
String actualXForwardedFor = actualRequest.getHeader("x-forwarded-for");
assertEquals(
"x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor);
String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
assertNull("x-forwarded-by must be null", actualXForwardedBy);
String actualRemoteAddr = actualRequest.getRemoteAddr();
assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr);
String actualRemoteHost = actualRequest.getRemoteHost();
assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost);
}
@Test
public void testIncomingRequestIsSecuredButProtocolHeaderSaysItIsNotWithDefaultValues()
throws Exception {
// PREPARE
FilterDef filterDef = new FilterDef();
filterDef.addInitParameter("protocolHeader", "x-forwarded-proto");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("192.168.0.10");
request.setSecure(true);
request.setScheme("https");
request.setHeader("x-forwarded-for", "140.211.11.130");
request.setHeader("x-forwarded-proto", "http");
// TEST
HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request);
// VERIFY
boolean actualSecure = actualRequest.isSecure();
assertFalse(
"request must be unsecured as header x-forwarded-proto said it is http", actualSecure);
String actualScheme = actualRequest.getScheme();
assertEquals(
"scheme must be http as header x-forwarded-proto said it is http", "http", actualScheme);
String actualRemoteAddr = actualRequest.getRemoteAddr();
assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
String actualRemoteHost = actualRequest.getRemoteHost();
assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
}
@Test
public void testInvokeUntrustedProxyInTheChain() throws Exception {
// PREPARE
FilterDef filterDef = new FilterDef();
filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("192.168.0.10");
request.setRemoteHost("remote-host-original-value");
request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, untrusted-proxy, proxy2");
// TEST
HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request);
// VERIFY
String actualXForwardedFor = actualRequest.getHeader("x-forwarded-for");
assertEquals(
"ip/host before untrusted-proxy must appear in x-forwarded-for",
"140.211.11.130, proxy1",
actualXForwardedFor);
String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
assertEquals(
"ip/host after untrusted-proxy must appear in x-forwarded-by",
"proxy2",
actualXForwardedBy);
String actualRemoteAddr = actualRequest.getRemoteAddr();
assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr);
String actualRemoteHost = actualRequest.getRemoteHost();
assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost);
}