diff --git a/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java b/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java index e1cb9b14fe65f..2568fc10c7491 100644 --- a/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java +++ b/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java @@ -107,6 +107,13 @@ private void updateConfigCache(@Nonnull ServletContext servletContext) { getPluginModels(servletContext); newConfig.put("models", pluginTree); + // Configuration Provider - NEW: expose additional configuration sections safely + Map configProviderData = + buildConfigurationProviderSection(configProvider, objectMapper); + if (!configProviderData.isEmpty()) { + newConfig.put("configurationProvider", configProviderData); + } + // Update cache and timestamp cachedConfig = Collections.unmodifiableMap(newConfig); lastUpdated = Instant.now(); @@ -196,4 +203,28 @@ private static Boolean getDatasetUrnNameCasing(WebApplicationContext ctx) { private static boolean checkImpactAnalysisSupport(WebApplicationContext ctx) { return ((GraphService) ctx.getBean("graphService")).supportsMultiHop(); } + + /** + * Builds the configurationProvider section using secure allowlist rules. This exposes additional + * configuration sections not currently in the /config endpoint. + * + * @param configProvider The configuration provider + * @param objectMapper ObjectMapper for JSON serialization + * @return Map containing allowed configuration sections + */ + private static Map buildConfigurationProviderSection( + ConfigurationProvider configProvider, ObjectMapper objectMapper) { + + try { + // Create allowlist with safe configuration rules + ConfigurationAllowlist allowlist = ConfigurationAllowlist.createDefault(objectMapper); + + // Build and return the allowed configuration + return allowlist.buildAllowedConfiguration(configProvider); + } catch (Exception e) { + log.warn("Failed to build configuration provider section", e); + // Return empty map on error - don't break the entire config endpoint + return Map.of(); + } + } } diff --git a/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/ConfigSectionRule.java b/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/ConfigSectionRule.java new file mode 100644 index 0000000000000..bde65d374075b --- /dev/null +++ b/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/ConfigSectionRule.java @@ -0,0 +1,176 @@ +package com.datahub.gms.servlet; + +import java.util.Set; +import javax.annotation.Nullable; +import lombok.Getter; + +/** + * Defines a rule for exposing a configuration section via the /config endpoint. + * + *

This class supports: - Including/excluding entire sections - Allowing specific fields within a + * section (allowlist approach) - Renaming sections in the output - Secure-by-default behavior (only + * explicitly allowed fields are exposed) + */ +public class ConfigSectionRule { + /** + * -- GETTER -- + * + * @return The path to the configuration section in the ConfigurationProvider + */ + @Getter private final String sectionPath; + + /** + * -- GETTER -- + * + * @return The path to use in the output JSON (may be different from sectionPath for renaming) + */ + @Getter private final String outputPath; + + private final Set allowedFields; + + /** -- GETTER -- true if this section should be included in the output */ + @Getter private final boolean includeSection; + + /** + * Creates a rule to include an entire configuration section. + * + * @param sectionPath The path to the configuration section (e.g., "datahub", "authentication") + */ + public static ConfigSectionRule include(String sectionPath) { + return new ConfigSectionRule(sectionPath, sectionPath, null, true); + } + + /** + * Creates a rule to include a configuration section with only specified fields. + * + * @param sectionPath The path to the configuration section + * @param allowedFields Set of field names to include (null means all fields) + */ + public static ConfigSectionRule include(String sectionPath, Set allowedFields) { + return new ConfigSectionRule(sectionPath, sectionPath, allowedFields, true); + } + + /** + * Creates a rule to include a configuration section with renaming. + * + * @param sectionPath The path to the configuration section + * @param outputPath The name to use in the output (for renaming) + * @param allowedFields Set of field names to include (null means all fields) + */ + public static ConfigSectionRule include( + String sectionPath, String outputPath, Set allowedFields) { + return new ConfigSectionRule(sectionPath, outputPath, allowedFields, true); + } + + /** + * Creates a rule to exclude a configuration section entirely. + * + * @param sectionPath The path to the configuration section to exclude + */ + public static ConfigSectionRule exclude(String sectionPath) { + return new ConfigSectionRule(sectionPath, sectionPath, null, false); + } + + private ConfigSectionRule( + String sectionPath, String outputPath, Set allowedFields, boolean includeSection) { + this.sectionPath = sectionPath; + this.outputPath = outputPath; + this.allowedFields = allowedFields; + this.includeSection = includeSection; + } + + /** + * @return Set of allowed field names, or null if all fields are allowed + */ + @Nullable + public Set getAllowedFields() { + return allowedFields; + } + + /** + * @return true if all fields in the section are allowed (no field-level filtering) + */ + public boolean isAllFieldsAllowed() { + return allowedFields == null; + } + + /** + * Checks if a specific field is allowed by this rule. + * + * @param fieldName The name of the field to check + * @return true if the field is allowed + */ + public boolean isFieldAllowed(String fieldName) { + if (!includeSection) { + return false; + } + if (allowedFields == null) { + return true; // All fields allowed + } + return allowedFields.contains(fieldName); + } + + /** + * Gets all allowed field paths that start with the given prefix. This is used for nested path + * processing. + * + * @param pathPrefix The path prefix to match (e.g., "tokenService") + * @return Set of allowed paths that start with the prefix + */ + public Set getAllowedPathsWithPrefix(String pathPrefix) { + if (!includeSection || allowedFields == null) { + return Set.of(); + } + + String prefix = pathPrefix + "."; + return allowedFields.stream() + .filter(path -> path.startsWith(prefix)) + .collect(java.util.stream.Collectors.toSet()); + } + + /** + * Gets all allowed top-level field names (fields without dots). + * + * @return Set of top-level field names + */ + public Set getTopLevelFields() { + if (!includeSection || allowedFields == null) { + return Set.of(); + } + + return allowedFields.stream() + .filter(path -> !path.contains(".")) + .collect(java.util.stream.Collectors.toSet()); + } + + /** + * Checks if any nested paths are allowed for the given field name. + * + * @param fieldName The top-level field name to check + * @return true if there are nested paths allowed for this field + */ + public boolean hasNestedPathsForField(String fieldName) { + if (!includeSection || allowedFields == null) { + return false; + } + + String prefix = fieldName + "."; + return allowedFields.stream().anyMatch(path -> path.startsWith(prefix)); + } + + @Override + public String toString() { + return "ConfigSectionRule{" + + "sectionPath='" + + sectionPath + + '\'' + + ", outputPath='" + + outputPath + + '\'' + + ", allowedFields=" + + allowedFields + + ", includeSection=" + + includeSection + + '}'; + } +} diff --git a/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/ConfigurationAllowlist.java b/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/ConfigurationAllowlist.java new file mode 100644 index 0000000000000..cc41562433971 --- /dev/null +++ b/metadata-service/servlet/src/main/java/com/datahub/gms/servlet/ConfigurationAllowlist.java @@ -0,0 +1,708 @@ +package com.datahub.gms.servlet; + +import com.fasterxml.jackson.databind.ObjectMapper; +import com.linkedin.gms.factory.config.ConfigurationProvider; +import java.lang.reflect.Method; +import java.util.Arrays; +import java.util.HashSet; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import javax.annotation.Nonnull; +import lombok.extern.slf4j.Slf4j; + +/** + * Builds allowed configuration from ConfigurationProvider using secure allowlist rules. + * + *

This class implements a security-critical configuration filtering system that exposes only + * explicitly allowlisted configuration data. It operates on a "secure by default" principle where + * all configuration data is filtered out unless explicitly included via allowlist rules. + * + *

Core Security Model

+ * + * + * + *

Rule Types and Behavior

+ * + *

Section Rules

+ * + * + * + *

Field Matching Rules

+ * + * + * + *

Leaf Node Detection

+ * + *

The system differentiates between "leaf" and "non-leaf" values to prevent accidental exposure + * of complex objects: + * + *

Leaf Values (Can be included via top-level rules)

+ * + * + * + *

Non-Leaf Values (Require nested path access)

+ * + * + * + *

Nested Path Processing

+ * + *

Nested paths use dot notation to access fields within complex objects: + * + *

+ * + *

Processing Order and Interaction

+ * + *
    + *
  1. Top-Level Processing: Process fields that don't contain dots + *
      + *
    • Include field only if it exists AND is a leaf value + *
    • Log debug message if field is non-leaf (explaining why it's skipped) + *
    • Log warning if field doesn't exist + *
    + *
  2. Nested Path Processing: Process fields with dots, BUT skip fields already + * processed successfully as top-level + *
      + *
    • Parse dot notation to traverse object hierarchy + *
    • Create intermediate objects as needed + *
    • Include arrays entirely when encountered + *
    + *
+ * + *

Usage Examples

+ * + *

Basic Field Filtering

+ * + * 
{@code
+ * // Include only safe authentication fields
+ * ConfigSectionRule.include("authentication", Set.of(
+ *     "enabled",           // ✅ boolean primitive
+ *     "sessionTimeout"     // ✅ number primitive
+ *     // "systemClientSecret" excluded - sensitive!
+ * ))
+ * }
+ * + *

Nested Path Access

+ * + * 
{@code
+ * // Access specific fields within complex objects
+ * ConfigSectionRule.include("authentication", Set.of(
+ *     "enabled",                          // ✅ top-level primitive
+ *     "tokenService.signingAlgorithm",    // ✅ nested safe field
+ *     "tokenService.issuer",              // ✅ nested safe field
+ *     // "tokenService.signingKey" excluded - sensitive!
+ *     // "tokenService" as top-level excluded - non-leaf object
+ * ))
+ * }
+ * + *

Array Handling

+ * + * 
{@code
+ * // Arrays are included entirely when referenced
+ * ConfigSectionRule.include("authentication", Set.of(
+ *     "authenticators"    // ✅ entire List included
+ * ))
+ * }
+ * + *

Security Considerations

+ * + * + * + *

Error Handling

+ * + * + * + *

Thread Safety

+ * + *

This class is thread-safe for read operations. The configuration rules are + * immutable after construction, and filtering operations don't modify shared state. + */ +@Slf4j +public class ConfigurationAllowlist { + + private final List rules; + private final ObjectMapper objectMapper; + + public ConfigurationAllowlist(List rules, ObjectMapper objectMapper) { + this.rules = rules; + this.objectMapper = objectMapper; + } + + /** + * Builds filtered configuration data from ConfigurationProvider using allowlist rules. + * + *

This is the main entry point for the allowlist filtering system. It processes all configured + * rules and returns a filtered Map containing only explicitly allowed configuration data. + * + *

Processing Flow: + * + *

    + *
  1. Iterate through all ConfigSectionRule instances + *
  2. For each INCLUDE rule: extract section data and apply field filtering + *
  3. For each EXCLUDE rule: skip section entirely + *
  4. Handle section renaming if specified + *
  5. Return combined filtered configuration + *
+ * + *

Error Handling: If processing any individual section fails, that section is + * omitted but processing continues for other sections. Errors are logged at WARN level for + * debugging. + * + * @param configProvider The source ConfigurationProvider containing all configuration data + * @return Map<String, Object> containing only allowed configuration sections and fields. + * Keys are section names (possibly renamed), values are filtered section data. Returns empty + * Map if no rules match or all sections are filtered out. + */ + @Nonnull + public Map buildAllowedConfiguration(ConfigurationProvider configProvider) { + Map result = new LinkedHashMap<>(); + + for (ConfigSectionRule rule : rules) { + if (!rule.isIncludeSection()) { + continue; + } + + try { + Object sectionData = extractConfigurationSection(configProvider, rule.getSectionPath()); + if (sectionData != null) { + Object filteredData = applyFieldFiltering(sectionData, rule); + if (filteredData != null) { + result.put(rule.getOutputPath(), filteredData); + } + } + } catch (Exception e) { + log.warn("Failed to extract configuration section: {}", rule.getSectionPath(), e); + // Continue with other rules - don't fail the entire request + } + } + + return result; + } + + /** Extracts a configuration section from the ConfigurationProvider using reflection. */ + private Object extractConfigurationSection( + ConfigurationProvider configProvider, String sectionPath) throws Exception { + // Convert sectionPath to getter method name (e.g., "datahub" -> "getDatahub") + String methodName = "get" + capitalize(sectionPath); + + try { + Method method = configProvider.getClass().getMethod(methodName); + return method.invoke(configProvider); + } catch (NoSuchMethodException e) { + log.debug( + "No getter method found for section: {} (tried method: {})", sectionPath, methodName); + return null; + } + } + + /** + * Applies field filtering to a configuration section according to the rule. + * + *

This method implements the core filtering logic that differentiates between leaf and + * non-leaf values, processes both top-level and nested fields, and enforces the secure-by-default + * model. + * + *

Processing Strategy: + * + *

+ * + *

Two-Phase Filtering Process: + * + *

    + *
  1. Phase 1 - Top-Level Fields: Process field names without dots + *
      + *
    • Include only if field exists AND is a leaf value (primitives, arrays, empty maps) + *
    • Skip non-leaf values (null, complex objects, non-empty maps) + *
    • Track which fields were successfully processed to avoid duplication + *
    + *
  2. Phase 2 - Nested Paths: Process field names with dots + *
      + *
    • Skip fields already included in Phase 1 + *
    • Parse dot notation to traverse object hierarchy + *
    • Create intermediate Map structures as needed + *
    • Include arrays entirely when encountered in traversal + *
    + *
+ * + *

Examples of Field Processing: + * + * 

{@code
+   * Rule: Set.of("enabled", "primary", "primary.ttlSeconds", "authenticators")
+   *
+   * Phase 1 (Top-Level):
+   * - "enabled": true (boolean) -> ✅ INCLUDED (leaf value)
+   * - "primary": {ttlSeconds: 3600, maxSize: 1000} -> ❌ SKIPPED (non-leaf object)
+   * - "authenticators": [{type: "..."}, {...}] -> ✅ INCLUDED (array treated as leaf)
+   *
+   * Phase 2 (Nested):
+   * - "primary.ttlSeconds": Creates {primary: {ttlSeconds: 3600}} -> ✅ INCLUDED
+   * }
+ * + * @param sectionData The raw configuration section data (POJO or Map) + * @param rule The ConfigSectionRule containing field filtering rules + * @return Filtered section data as Map<String, Object>, or null if no fields match + */ + private Object applyFieldFiltering(Object sectionData, ConfigSectionRule rule) { + if (rule.isAllFieldsAllowed()) { + // No field filtering needed - return entire section converted to Map + return objectMapper.convertValue(sectionData, Map.class); + } + + // Convert to Map for field-level filtering + Map sectionMap = objectMapper.convertValue(sectionData, Map.class); + Map filteredMap = new LinkedHashMap<>(); + + // Process top-level fields (only include leaf values) + Set topLevelFields = rule.getTopLevelFields(); + Set processedTopLevelFields = new HashSet<>(); + + for (String fieldName : topLevelFields) { + if (sectionMap.containsKey(fieldName)) { + Object fieldValue = sectionMap.get(fieldName); + if (isLeafValue(fieldValue)) { + filteredMap.put(fieldName, fieldValue); + processedTopLevelFields.add(fieldName); + } else { + log.debug( + "Field '{}' in section '{}' is not a leaf value (has children) - skipping top-level inclusion", + fieldName, + rule.getSectionPath()); + } + } else { + log.warn( + "Configured field '{}' not found in section '{}' - rule may be stale", + fieldName, + rule.getSectionPath()); + } + } + + // Process nested paths + for (Map.Entry entry : sectionMap.entrySet()) { + String fieldName = entry.getKey(); + + // Skip if already successfully processed as top-level field + if (processedTopLevelFields.contains(fieldName)) { + continue; + } + + // Check if this field has nested paths configured + if (rule.hasNestedPathsForField(fieldName)) { + Object nestedValue = entry.getValue(); + Object filteredNestedValue = applyNestedPathFiltering(nestedValue, fieldName, rule); + + if (filteredNestedValue != null) { + filteredMap.put(fieldName, filteredNestedValue); + } + } else { + log.debug( + "Field '{}' filtered out from section '{}' by allowlist rule", + fieldName, + rule.getSectionPath()); + } + } + + return filteredMap.isEmpty() ? null : filteredMap; + } + + /** Applies filtering to nested objects based on dot notation paths. */ + private Object applyNestedPathFiltering( + Object nestedData, String parentPath, ConfigSectionRule rule) { + if (nestedData == null) { + return null; + } + + // If it's an array, include the entire array (per design decision) + if (nestedData instanceof java.util.List || nestedData.getClass().isArray()) { + return nestedData; + } + + // For objects, filter based on nested paths + Map nestedMap = objectMapper.convertValue(nestedData, Map.class); + Map filteredNestedMap = new LinkedHashMap<>(); + + Set allowedNestedPaths = rule.getAllowedPathsWithPrefix(parentPath); + + for (String fullPath : allowedNestedPaths) { + String[] pathParts = fullPath.split("\\."); + if (pathParts.length < 2) { + continue; // Should not happen, but safety check + } + + // Extract the field name after the parent path + String nestedFieldName = + pathParts[1]; // e.g., "signingAlgorithm" from "tokenService.signingAlgorithm" + + if (nestedMap.containsKey(nestedFieldName)) { + // Handle deeper nesting if needed + if (pathParts.length > 2) { + // Reconstruct remaining path for recursive processing + String remainingPath = + String.join(".", java.util.Arrays.copyOfRange(pathParts, 1, pathParts.length)); + String newParentPath = + String.join(".", java.util.Arrays.copyOfRange(pathParts, 0, pathParts.length - 1)); + + Object deepValue = nestedMap.get(nestedFieldName); + Object filteredDeepValue = applyNestedPathFiltering(deepValue, newParentPath, rule); + + if (filteredDeepValue != null) { + filteredNestedMap.put(nestedFieldName, filteredDeepValue); + } + } else { + // Direct field - include it + filteredNestedMap.put(nestedFieldName, nestedMap.get(nestedFieldName)); + } + } else { + log.warn( + "Configured nested path '{}' not found in section '{}' - rule may be stale", + fullPath, + rule.getSectionPath()); + } + } + + return filteredNestedMap.isEmpty() ? null : filteredNestedMap; + } + + /** Capitalizes the first letter of a string. */ + private String capitalize(String str) { + if (str == null || str.isEmpty()) { + return str; + } + return str.substring(0, 1).toUpperCase() + str.substring(1); + } + + /** + * Determines if a value is a leaf node that can be safely included via top-level field rules. + * + *

This method implements a critical security decision: only "leaf" values can be included + * through top-level field specifications. Complex objects must be accessed via explicit nested + * path notation to prevent accidental exposure of sensitive data. + * + *

Design Rationale: + * + *

    + *
  • Security: Prevents accidental inclusion of entire complex objects + *
  • Explicit Access: Forces developers to explicitly specify nested paths + *
  • Null Safety: Treats null as potentially complex to be conservative + *
  • Array Simplicity: Includes arrays entirely to avoid complex element + * filtering + *
+ * + *

Leaf Values (✅ Can be included via top-level rules): + * + *

    + *
  • String: "datahub", "localhost", etc. + *
  • Number: 3600, 9092, 1.5, etc. + *
  • Boolean: true, false + *
  • Arrays/Lists: [1,2,3], ["a","b"], List<AuthConfig> + *
  • Empty Maps: {}, new HashMap<>() + *
+ * + *

Non-Leaf Values (❌ Require nested path access): + * + *

    + *
  • null: Could represent uninstantiated TokenServiceConfiguration + *
  • Non-empty Maps: {"host": "localhost", "port": 9092} + *
  • POJOs: AuthenticationConfiguration, CacheConfiguration + *
+ * + *

Access Examples: + * + * 

{@code
+   * // ✅ VALID: Top-level access to leaf values
+   * "enabled"              -> boolean (leaf)
+   * "sessionTimeout"       -> number (leaf)
+   * "authenticators"       -> List (leaf - array)
+   *
+   * // ❌ INVALID: Top-level access to complex objects
+   * "tokenService"         -> TokenServiceConfiguration (non-leaf)
+   * "cacheConfig"          -> CacheConfiguration (non-leaf)
+   *
+   * // ✅ VALID: Nested path access to complex objects
+   * "tokenService.issuer"  -> accesses issuer field within TokenServiceConfiguration
+   * "cache.primary.ttl"    -> accesses ttl within primary within cache
+   * }
+ * + * @param value The configuration value to evaluate + * @return true if value is a leaf that can be included via top-level rules, false if value + * requires nested path access + */ + private boolean isLeafValue(Object value) { + // null is considered non-leaf because it could represent a complex object that isn't + // instantiated + // If you want to include null fields, use nested paths like "field.subfield" + if (value == null) { + return false; + } + + // Primitive types are leaf values + if (value instanceof String || value instanceof Number || value instanceof Boolean) { + return true; + } + + // Arrays/Lists are treated as leaf values (include entirely) + if (value instanceof java.util.List || value.getClass().isArray()) { + return true; + } + + // Maps: only empty maps are considered leaf values + if (value instanceof java.util.Map) { + Map mapValue = (Map) value; + return mapValue.isEmpty(); + } + + // All other complex objects are considered non-leaf + return false; + } + + /** + * Creates a default allowlist with predefined safe configuration sections for production use. + * + *

This factory method provides a security-vetted set of configuration fields that are safe to + * expose via the /config endpoint. The default rules follow the principle of least privilege and + * have been carefully chosen to exclude sensitive information. + * + *

Included Sections and Fields: + * + *

    + *
  • authentication: Basic settings (enabled, defaultProvider, TTL values) + + * safe tokenService fields + *
  • kafka: Connection info (bootstrapServers, compression) but NOT security + * credentials + *
  • springActuator: Management endpoint configuration + *
  • cache: Basic cache settings + safe Redis connection info (host/port, NOT + * password) + *
  • metadataService: Service connectivity (host/port) but NOT auth/SSL + * details + *
+ * + *

Security Exclusions (NOT included): + * + *

    + *
  • 🔒 Authentication secrets: systemClientSecret, signingKey, + * refreshSigningKey + *
  • 🔒 Database passwords: All database connection passwords + *
  • 🔒 Kafka security: security.protocol, sasl.*, ssl.* configurations + *
  • 🔒 Redis credentials: password, username, SSL certificates + *
  • 🔒 SSL/TLS config: keystore paths, certificates, private keys + *
  • 🔒 Management secrets: actuator security tokens, admin credentials + *
+ * + *

Nested Path Examples: + * + * 

{@code
+   * // ✅ SAFE: Exposed via nested paths
+   * authentication.tokenService.signingAlgorithm   -> "RS256"
+   * authentication.tokenService.issuer             -> "datahub"
+   * cache.redis.host                               -> "localhost"
+   * cache.redis.port                               -> 6379
+   *
+   * // 🔒 SENSITIVE: Excluded from all rules
+   * authentication.tokenService.signingKey         -> EXCLUDED
+   * authentication.systemClientSecret              -> EXCLUDED
+   * cache.redis.password                           -> EXCLUDED
+   * }
+ * + *

Usage Recommendations: + * + *

    + *
  • Production Use: Use this default for production deployments + *
  • Custom Rules: Use {@link #createCustom} for development/testing with + * custom rules + *
  • Regular Review: Periodically audit these defaults as new config fields + * are added + *
  • Security Testing: Verify output doesn't contain credentials before + * exposing + *
+ * + * @param objectMapper ObjectMapper for JSON serialization and conversion + * @return ConfigurationAllowlist with security-vetted default rules for production use + */ + public static ConfigurationAllowlist createDefault(ObjectMapper objectMapper) { + List defaultRules = + Arrays.asList( + // Authentication - expose basic settings but not credentials, using nested paths for + // tokenService + ConfigSectionRule.include( + "authentication", + Set.of( + "enabled", + "defaultProvider", + "systemClientEnabled", + "sessionTokenDurationHours", + // TokenService nested paths - include safe fields only + "tokenService.signingAlgorithm", // ✅ Safe: algorithm type + "tokenService.issuer", // ✅ Safe: issuer name + "tokenService.audience", // ✅ Safe: audience name + "tokenService.accessTokenTtlSeconds", // ✅ Safe: TTL setting + "tokenService.refreshTokenTtlSeconds" // ✅ Safe: TTL setting + // ❌ Excluded: tokenService.signingKey, tokenService.refreshSigningKey + // (sensitive!) + // ❌ Excluded: systemClientId, systemClientSecret (sensitive!) + )), + + // Kafka - expose basic connection info but not security credentials + ConfigSectionRule.include( + "kafka", + Set.of( + "bootstrapServers", + "compressionType", + "maxRequestSize", + "retries", + "deliveryTimeout", + // Connection settings + "producer.bootstrapServers", // ✅ Safe: connection info + "producer.compressionType", // ✅ Safe: performance setting + "consumer.bootstrapServers" // ✅ Safe: connection info + // ❌ Excluded: security.protocol, sasl.*, ssl.* (sensitive!) + )), + + // Spring/Actuator - expose basic management info + ConfigSectionRule.include( + "springActuator", + Set.of( + "enabled", + "endpoints.web.exposure.include", // ✅ Safe: exposed endpoints list + "endpoints.web.base-path" // ✅ Safe: base path + // ❌ Excluded: security.*, management.security.* (sensitive!) + )), + + // Cache - expose basic cache configuration + ConfigSectionRule.include( + "cache", + Set.of( + "client", + "ttlSeconds", + "maxSize", + "redis.host", // ✅ Safe: connection info (hostname) + "redis.port", // ✅ Safe: connection info (port) + "redis.database" // ✅ Safe: database number + // ❌ Excluded: redis.password, redis.username, redis.ssl.* (sensitive!) + )), + + // Metadata service - expose basic settings + ConfigSectionRule.include( + "metadataService", + Set.of( + "host", + "port", + "useSSL", + "restli.server.host", // ✅ Safe: server host + "restli.server.port" // ✅ Safe: server port + // ❌ Excluded: auth.*, ssl.keystore.*, certificates.* (sensitive!) + ))); + + return new ConfigurationAllowlist(defaultRules, objectMapper); + } + + /** + * Creates an allowlist with custom rules for specific use cases. + * + *

This factory method allows complete customization of the filtering rules, useful for: + * + *

    + *
  • Development/Testing: Custom rules for debugging and testing + *
  • Special Deployments: Environments with different security requirements + *
  • Limited Exposure: Highly restricted configurations for specific clients + *
  • Extended Access: Additional safe fields not in default rules + *
+ * + *

⚠️ Security Warning: When creating custom rules, carefully review each + * exposed field to ensure no sensitive information (passwords, keys, secrets) is included. Custom + * rules bypass the security-vetted defaults. + * + *

Custom Rule Examples: + * + * 

{@code
+   * // Development: Include additional debugging fields
+   * List devRules = Arrays.asList(
+   *     ConfigSectionRule.include("authentication", Set.of("enabled", "sessionTimeout")),
+   *     ConfigSectionRule.include("debug", Set.of("logLevel", "metricsEnabled"))
+   * );
+   *
+   * // Restricted: Only basic connectivity info
+   * List restrictedRules = Arrays.asList(
+   *     ConfigSectionRule.include("metadataService", Set.of("host", "port"))
+   * );
+   *
+   * // Extended: Include additional safe fields
+   * List extendedRules = Arrays.asList(
+   *     ConfigSectionRule.include("authentication", Set.of(
+   *         "enabled", "sessionTimeout", "tokenService.algorithm")),
+   *     ConfigSectionRule.include("cache", Set.of("ttl", "maxSize"))
+   * );
+   * }
+ * + *

Best Practices: + * + *

    + *
  • Security Review: Have security team review custom rules before + * production + *
  • Principle of Least Privilege: Only include fields that are absolutely + * needed + *
  • Documentation: Document why each custom field is needed and safe + *
  • Testing: Test custom rules with realistic configuration data + *
  • Monitoring: Monitor logs for any unexpected sensitive data exposure + *
+ * + * @param customRules List of custom ConfigSectionRule instances defining allowed fields + * @param objectMapper ObjectMapper for JSON serialization and conversion + * @return ConfigurationAllowlist with the specified custom rules + */ + public static ConfigurationAllowlist createCustom( + List customRules, ObjectMapper objectMapper) { + return new ConfigurationAllowlist(customRules, objectMapper); + } +} diff --git a/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigSectionRuleTest.java b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigSectionRuleTest.java new file mode 100644 index 0000000000000..d803910f77770 --- /dev/null +++ b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigSectionRuleTest.java @@ -0,0 +1,262 @@ +package com.datahub.gms.servlet; + +import static org.testng.Assert.*; + +import java.util.Set; +import org.testng.annotations.Test; + +/** + * Unit tests for ConfigSectionRule class. + * + *

These tests verify: - Rule creation methods - Field path parsing and categorization - Nested + * path detection and retrieval - Edge cases and validation + */ +public class ConfigSectionRuleTest { + + @Test + public void testIncludeAllFields() { + ConfigSectionRule rule = ConfigSectionRule.include("authentication"); + + assertEquals(rule.getSectionPath(), "authentication"); + assertEquals(rule.getOutputPath(), "authentication"); + assertTrue(rule.isIncludeSection()); + assertTrue(rule.isAllFieldsAllowed()); + assertNull(rule.getAllowedFields()); + + // When all fields are allowed, any field should be allowed + assertTrue(rule.isFieldAllowed("anyField")); + assertTrue(rule.isFieldAllowed("sensitive.field")); + } + + @Test + public void testIncludeWithSpecificFields() { + Set allowedFields = Set.of("enabled", "defaultProvider"); + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + + assertEquals(rule.getSectionPath(), "authentication"); + assertEquals(rule.getOutputPath(), "authentication"); + assertTrue(rule.isIncludeSection()); + assertFalse(rule.isAllFieldsAllowed()); + assertEquals(rule.getAllowedFields(), allowedFields); + + // Only specific fields should be allowed + assertTrue(rule.isFieldAllowed("enabled")); + assertTrue(rule.isFieldAllowed("defaultProvider")); + assertFalse(rule.isFieldAllowed("secretField")); + } + + @Test + public void testIncludeWithRenaming() { + Set allowedFields = Set.of("enabled"); + ConfigSectionRule rule = ConfigSectionRule.include("authentication", "auth", allowedFields); + + assertEquals(rule.getSectionPath(), "authentication"); + assertEquals(rule.getOutputPath(), "auth"); // Should use renamed output path + assertTrue(rule.isIncludeSection()); + assertEquals(rule.getAllowedFields(), allowedFields); + } + + @Test + public void testExcludeSection() { + ConfigSectionRule rule = ConfigSectionRule.exclude("authentication"); + + assertEquals(rule.getSectionPath(), "authentication"); + assertEquals(rule.getOutputPath(), "authentication"); + assertFalse(rule.isIncludeSection()); + + // Excluded sections should not allow any fields + assertFalse(rule.isFieldAllowed("anyField")); + assertFalse(rule.isFieldAllowed("enabled")); + } + + @Test + public void testTopLevelFieldDetection() { + Set allowedFields = + Set.of( + "enabled", // Top-level + "defaultProvider", // Top-level + "tokenService.signingAlgorithm", // Nested + "tokenService.issuer", // Nested + "deep.nested.field" // Deep nested + ); + + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + Set topLevelFields = rule.getTopLevelFields(); + + assertEquals(topLevelFields.size(), 2); + assertTrue(topLevelFields.contains("enabled")); + assertTrue(topLevelFields.contains("defaultProvider")); + assertFalse(topLevelFields.contains("tokenService.signingAlgorithm")); + } + + @Test + public void testNestedPathDetection() { + Set allowedFields = + Set.of( + "enabled", // Top-level + "tokenService.signingAlgorithm", // Nested under tokenService + "tokenService.issuer", // Nested under tokenService + "cache.settings.ttl", // Nested under cache + "notNested" // Top-level + ); + + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + + // Should detect nested paths for tokenService + assertTrue(rule.hasNestedPathsForField("tokenService")); + + // Should detect nested paths for cache + assertTrue(rule.hasNestedPathsForField("cache")); + + // Should not detect nested paths for top-level fields + assertFalse(rule.hasNestedPathsForField("enabled")); + assertFalse(rule.hasNestedPathsForField("notNested")); + + // Should not detect nested paths for non-existent fields + assertFalse(rule.hasNestedPathsForField("nonExistent")); + } + + @Test + public void testGetAllowedPathsWithPrefix() { + Set allowedFields = + Set.of( + "enabled", // Top-level - should not match + "tokenService.signingAlgorithm", // Should match tokenService prefix + "tokenService.issuer", // Should match tokenService prefix + "tokenService.audience", // Should match tokenService prefix + "cache.settings.ttl", // Should match cache prefix but not tokenService + "otherService.field" // Should not match tokenService prefix + ); + + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + + // Get paths with tokenService prefix + Set tokenServicePaths = rule.getAllowedPathsWithPrefix("tokenService"); + assertEquals(tokenServicePaths.size(), 3); + assertTrue(tokenServicePaths.contains("tokenService.signingAlgorithm")); + assertTrue(tokenServicePaths.contains("tokenService.issuer")); + assertTrue(tokenServicePaths.contains("tokenService.audience")); + assertFalse(tokenServicePaths.contains("enabled")); + assertFalse(tokenServicePaths.contains("cache.settings.ttl")); + + // Get paths with cache prefix + Set cachePaths = rule.getAllowedPathsWithPrefix("cache"); + assertEquals(cachePaths.size(), 1); + assertTrue(cachePaths.contains("cache.settings.ttl")); + + // Get paths with non-existent prefix + Set nonExistentPaths = rule.getAllowedPathsWithPrefix("nonExistent"); + assertTrue(nonExistentPaths.isEmpty()); + } + + @Test + public void testEmptyAllowedFields() { + Set emptyFields = Set.of(); + ConfigSectionRule rule = ConfigSectionRule.include("authentication", emptyFields); + + assertFalse(rule.isAllFieldsAllowed()); + assertEquals(rule.getAllowedFields().size(), 0); + + // No fields should be allowed + assertFalse(rule.isFieldAllowed("anyField")); + + // No top-level fields + assertTrue(rule.getTopLevelFields().isEmpty()); + + // No nested paths + assertFalse(rule.hasNestedPathsForField("anyField")); + assertTrue(rule.getAllowedPathsWithPrefix("anyPrefix").isEmpty()); + } + + @Test + public void testSingleNestedPath() { + Set allowedFields = Set.of("tokenService.signingAlgorithm"); + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + + // Should have no top-level fields + assertTrue(rule.getTopLevelFields().isEmpty()); + + // Should detect nested path for tokenService + assertTrue(rule.hasNestedPathsForField("tokenService")); + + // Should return the single nested path + Set paths = rule.getAllowedPathsWithPrefix("tokenService"); + assertEquals(paths.size(), 1); + assertTrue(paths.contains("tokenService.signingAlgorithm")); + } + + @Test + public void testDeepNestedPaths() { + Set allowedFields = + Set.of( + "level1.level2.level3.field1", + "level1.level2.level3.field2", + "level1.level2.otherField", + "level1.directField"); + + ConfigSectionRule rule = ConfigSectionRule.include("test", allowedFields); + + // Should detect nested paths for level1 + assertTrue(rule.hasNestedPathsForField("level1")); + + // Should return all paths starting with level1 + Set level1Paths = rule.getAllowedPathsWithPrefix("level1"); + assertEquals(level1Paths.size(), 4); + assertTrue(level1Paths.contains("level1.level2.level3.field1")); + assertTrue(level1Paths.contains("level1.level2.level3.field2")); + assertTrue(level1Paths.contains("level1.level2.otherField")); + assertTrue(level1Paths.contains("level1.directField")); + + // Should return subset for level1.level2 prefix + Set level2Paths = rule.getAllowedPathsWithPrefix("level1.level2"); + assertEquals(level2Paths.size(), 3); + assertTrue(level2Paths.contains("level1.level2.level3.field1")); + assertTrue(level2Paths.contains("level1.level2.level3.field2")); + assertTrue(level2Paths.contains("level1.level2.otherField")); + assertFalse(level2Paths.contains("level1.directField")); + } + + @Test + public void testAllFieldsAllowedOverridesSpecificRules() { + // When allowedFields is null (all fields allowed), specific field queries should return true + ConfigSectionRule rule = ConfigSectionRule.include("authentication"); + + assertTrue(rule.isAllFieldsAllowed()); + + // These methods should return empty for "allow all" rules since they're not needed + assertTrue(rule.getTopLevelFields().isEmpty()); + assertFalse(rule.hasNestedPathsForField("anyField")); + assertTrue(rule.getAllowedPathsWithPrefix("anyPrefix").isEmpty()); + + // But isFieldAllowed should still return true for any field + assertTrue(rule.isFieldAllowed("anyField")); + } + + @Test + public void testToStringMethod() { + Set allowedFields = Set.of("enabled", "tokenService.issuer"); + ConfigSectionRule rule = ConfigSectionRule.include("authentication", "auth", allowedFields); + + String toString = rule.toString(); + + // Should contain key information + assertTrue(toString.contains("authentication")); + assertTrue(toString.contains("auth")); + assertTrue(toString.contains("true")); // includeSection + assertTrue(toString.contains("enabled")); + assertTrue(toString.contains("tokenService.issuer")); + } + + @Test + public void testExcludedSectionBehavior() { + ConfigSectionRule rule = ConfigSectionRule.exclude("authentication"); + + assertFalse(rule.isIncludeSection()); + + // All helper methods should indicate no allowed fields/paths + assertFalse(rule.isFieldAllowed("anyField")); + assertTrue(rule.getTopLevelFields().isEmpty()); + assertFalse(rule.hasNestedPathsForField("anyField")); + assertTrue(rule.getAllowedPathsWithPrefix("anyPrefix").isEmpty()); + } +} diff --git a/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletBaselineTest.java b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletBaselineTest.java new file mode 100644 index 0000000000000..4e12db0b4c137 --- /dev/null +++ b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletBaselineTest.java @@ -0,0 +1,243 @@ +package com.datahub.gms.servlet; + +import static org.mockito.Mockito.when; +import static org.testng.Assert.*; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import io.datahubproject.metadata.context.OperationContext; +import jakarta.servlet.ServletContext; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.io.PrintWriter; +import java.io.StringWriter; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.context.testng.AbstractTestNGSpringContextTests; +import org.springframework.web.context.WebApplicationContext; +import org.testng.annotations.BeforeMethod; +import org.testng.annotations.Test; + +/** + * Baseline tests for the Config servlet that capture the current output for comparison before and + * after enhancements. + * + *

These tests serve as a regression safety net to ensure our enhancements are purely additive + * and don't break existing functionality. + */ +@SpringBootTest( + classes = ConfigServletTestContext.class, + properties = {"spring.main.allow-bean-definition-overriding=true"}) +public class ConfigServletBaselineTest extends AbstractTestNGSpringContextTests { + + @Autowired + @Qualifier("systemOperationContext") + private OperationContext operationContext; + + @Autowired private WebApplicationContext webApplicationContext; + + @Mock private ServletContext servletContext; + @Mock private HttpServletRequest request; + @Mock private HttpServletResponse response; + + private Config configServlet; + private StringWriter responseWriter; + + @BeforeMethod + public void setUp() throws Exception { + MockitoAnnotations.openMocks(this); + + // Setup mocks + when(servletContext.getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE)) + .thenReturn(webApplicationContext); + + // Setup response writer + responseWriter = new StringWriter(); + PrintWriter printWriter = new PrintWriter(responseWriter); + when(response.getWriter()).thenReturn(printWriter); + + // Create servlet and set context + configServlet = new Config(); + when(request.getServletContext()).thenReturn(servletContext); + } + + /** + * Captures the current configuration output to a file for manual inspection. This helps us + * understand exactly what the current API returns. + */ + @Test + public void captureCurrentConfigOutput() throws Exception { + // Execute the config endpoint + configServlet.doGet(request, response); + String responseContent = responseWriter.toString(); + + // Parse and validate JSON structure + ObjectMapper mapper = operationContext.getObjectMapper(); + JsonNode config = mapper.readValue(responseContent, JsonNode.class); + assertNotNull(config, "Config response should be valid JSON"); + + // Write formatted output to file for inspection + String prettyJson = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(config); + + // Save to test resources for inspection + Path outputPath = Paths.get("src/test/resources/baseline-config-output.json"); + try { + Files.createDirectories(outputPath.getParent()); + Files.write(outputPath, prettyJson.getBytes()); + System.out.println("Current config output saved to: " + outputPath.toAbsolutePath()); + } catch (IOException e) { + // If we can't write to src/test/resources, write to temp file + Path tempFile = Files.createTempFile("baseline-config-", ".json"); + Files.write(tempFile, prettyJson.getBytes()); + System.out.println("Current config output saved to temp file: " + tempFile.toAbsolutePath()); + } + + // Basic validation that this is the expected structure + assertTrue(config.has("noCode"), "Should have noCode field"); + assertTrue(config.has("telemetry"), "Should have telemetry section"); + assertTrue(config.has("managedIngestion"), "Should have managedIngestion section"); + assertTrue(config.has("datahub"), "Should have datahub section"); + assertTrue(config.has("versions"), "Should have versions section"); + } + + /** + * Test that validates the JSON structure is stable and parseable. This test should continue to + * pass even after we add new fields. + */ + @Test + public void testCurrentConfigStructureStability() throws Exception { + configServlet.doGet(request, response); + String responseContent = responseWriter.toString(); + + // Parse JSON + ObjectMapper mapper = operationContext.getObjectMapper(); + JsonNode config = mapper.readValue(responseContent, JsonNode.class); + + // Validate basic structure + assertTrue(config.isObject(), "Root should be an object"); + assertTrue(config.size() > 0, "Should have at least one field"); + + // Validate all current required top-level fields exist + String[] requiredTopLevelFields = { + "noCode", "retention", "statefulIngestionCapable", "patchCapable", + "timeZone", "supportsImpactAnalysis", "versions", "telemetry", + "managedIngestion", "datahub", "datasetUrnNameCasing", "models" + }; + + for (String field : requiredTopLevelFields) { + assertTrue(config.has(field), "Required field missing: " + field); + } + + // Validate telemetry structure + JsonNode telemetry = config.path("telemetry"); + assertTrue(telemetry.isObject(), "telemetry should be an object"); + assertTrue(telemetry.has("enabledCli"), "telemetry should have enabledCli"); + assertTrue(telemetry.has("enabledIngestion"), "telemetry should have enabledIngestion"); + + // Validate managedIngestion structure + JsonNode managedIngestion = config.path("managedIngestion"); + assertTrue(managedIngestion.isObject(), "managedIngestion should be an object"); + assertTrue(managedIngestion.has("enabled"), "managedIngestion should have enabled"); + assertTrue( + managedIngestion.has("defaultCliVersion"), + "managedIngestion should have defaultCliVersion"); + + // Validate datahub structure + JsonNode datahub = config.path("datahub"); + assertTrue(datahub.isObject(), "datahub should be an object"); + assertTrue(datahub.has("serverType"), "datahub should have serverType"); + assertTrue(datahub.has("serverEnv"), "datahub should have serverEnv"); + + // Validate versions structure + JsonNode versions = config.path("versions"); + assertTrue(versions.isObject(), "versions should be an object"); + assertTrue(versions.has("acryldata/datahub"), "versions should have acryldata/datahub"); + } + + /** + * Test that measures the response size and field count as a baseline. This helps us track if our + * additions are reasonable in size. + */ + @Test + public void measureBaselineMetrics() throws Exception { + configServlet.doGet(request, response); + String responseContent = responseWriter.toString(); + + ObjectMapper mapper = operationContext.getObjectMapper(); + JsonNode config = mapper.readValue(responseContent, JsonNode.class); + + // Measure current metrics + int responseSize = responseContent.length(); + int topLevelFieldCount = config.size(); + int totalNodeCount = countAllNodes(config); + + System.out.println("=== Current Config Endpoint Baseline Metrics ==="); + System.out.println("Response size: " + responseSize + " characters"); + System.out.println("Top-level fields: " + topLevelFieldCount); + System.out.println("Total JSON nodes: " + totalNodeCount); + System.out.println("==============================================="); + + // Set reasonable bounds - our enhancements shouldn't dramatically increase size + assertTrue(responseSize > 100, "Response should have substantial content"); + assertTrue(responseSize < 50000, "Response shouldn't be excessively large"); + assertTrue(topLevelFieldCount >= 12, "Should have at least the known fields"); + assertTrue(topLevelFieldCount < 50, "Shouldn't have excessive top-level fields"); + + // Store metrics for later comparison + // In a real scenario, you might want to persist these for CI comparison + } + + /** Helper method to count all nodes in a JSON tree. */ + private int countAllNodes(JsonNode node) { + if (node == null) { + return 0; + } + + int count = 1; // Count this node + + if (node.isObject()) { + for (JsonNode child : node) { + count += countAllNodes(child); + } + } else if (node.isArray()) { + for (JsonNode arrayItem : node) { + count += countAllNodes(arrayItem); + } + } + + return count; + } + + /** + * Test that ensures the response can be round-tripped through JSON serialization. This validates + * that our current output is properly structured. + */ + @Test + public void testJsonRoundTrip() throws Exception { + configServlet.doGet(request, response); + String originalResponse = responseWriter.toString(); + + ObjectMapper mapper = operationContext.getObjectMapper(); + + // Parse the original response + JsonNode originalConfig = mapper.readValue(originalResponse, JsonNode.class); + + // Serialize it back to JSON + String reserializedResponse = + mapper.writerWithDefaultPrettyPrinter().writeValueAsString(originalConfig); + + // Parse the reserialized version + JsonNode reserializedConfig = mapper.readValue(reserializedResponse, JsonNode.class); + + // They should be equivalent + assertEquals( + originalConfig, reserializedConfig, "Config should round-trip through JSON serialization"); + } +} diff --git a/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletTest.java b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletTest.java index 5d7b8bbc6dd56..f6fd7e0e3807a 100644 --- a/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletTest.java +++ b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigServletTest.java @@ -3,6 +3,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import static org.testng.Assert.assertEquals; +import static org.testng.Assert.assertFalse; import static org.testng.Assert.assertNotNull; import static org.testng.Assert.assertTrue; import static org.testng.Assert.fail; @@ -18,6 +19,10 @@ import java.io.PrintWriter; import java.io.StringWriter; import java.lang.reflect.Field; +import java.time.ZoneId; +import java.util.Arrays; +import java.util.Map; +import java.util.Set; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.MockitoAnnotations; @@ -74,23 +79,216 @@ public void setUp() throws Exception { } @Test - public void testDoGet_FirstRequest() throws Exception { - // First request should always update the configuration + public void testConfigEndpoint_BasicStructure() throws Exception { + // Execute request configServlet.doGet(request, response); - // Verify response + // Verify response metadata verify(response).setContentType("application/json"); verify(response).setStatus(HttpServletResponse.SC_OK); // Parse response JSON + String responseContent = responseWriter.toString(); + assertNotNull(responseContent, "Response content should not be null"); + assertTrue(responseContent.length() > 0, "Response should not be empty"); + + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + assertNotNull(config, "Parsed JSON config should not be null"); + } + + @Test + public void testConfigEndpoint_BaseConfigFields() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test BASE_CONFIG fields from Config.java + assertEquals(config.path("noCode").asText(), "true", "noCode should be 'true'"); + assertEquals(config.path("retention").asText(), "true", "retention should be 'true'"); + assertTrue( + config.path("statefulIngestionCapable").asBoolean(), + "statefulIngestionCapable should be true"); + assertTrue(config.path("patchCapable").asBoolean(), "patchCapable should be true"); + + // Test timeZone field + assertTrue(config.has("timeZone"), "timeZone field should be present"); + String timeZone = config.path("timeZone").asText(); + assertNotNull(timeZone, "timeZone should not be null"); + // Verify it's a valid timezone + ZoneId.of(timeZone); // This will throw if invalid + } + + @Test + public void testConfigEndpoint_VersionsSection() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test versions structure + assertTrue(config.has("versions"), "versions field should be present"); + JsonNode versions = config.path("versions"); + assertTrue(versions.has("acryldata/datahub"), "versions should have acryldata/datahub section"); + + JsonNode datahubVersion = versions.path("acryldata/datahub"); + assertNotNull(datahubVersion, "DataHub version info should not be null"); + // The exact structure depends on GitVersion.toConfig() but should be present + assertTrue(datahubVersion.isObject(), "DataHub version should be an object"); + } + + @Test + public void testConfigEndpoint_TelemetrySection() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test telemetry structure + assertTrue(config.has("telemetry"), "telemetry field should be present"); + JsonNode telemetry = config.path("telemetry"); + + assertTrue(telemetry.has("enabledCli"), "telemetry should have enabledCli field"); + assertTrue(telemetry.has("enabledIngestion"), "telemetry should have enabledIngestion field"); + + // Values should be boolean + assertTrue(telemetry.path("enabledCli").isBoolean(), "enabledCli should be boolean"); + assertTrue( + telemetry.path("enabledIngestion").isBoolean(), "enabledIngestion should be boolean"); + } + + @Test + public void testConfigEndpoint_ManagedIngestionSection() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test managedIngestion structure + assertTrue(config.has("managedIngestion"), "managedIngestion field should be present"); + JsonNode managedIngestion = config.path("managedIngestion"); + + assertTrue(managedIngestion.has("enabled"), "managedIngestion should have enabled field"); + assertTrue( + managedIngestion.has("defaultCliVersion"), + "managedIngestion should have defaultCliVersion field"); + + // Test field types + assertTrue(managedIngestion.path("enabled").isBoolean(), "enabled should be boolean"); + assertTrue( + managedIngestion.path("defaultCliVersion").isTextual(), + "defaultCliVersion should be string"); + } + + @Test + public void testConfigEndpoint_DataHubSection() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test datahub structure + assertTrue(config.has("datahub"), "datahub field should be present"); + JsonNode datahub = config.path("datahub"); + + assertTrue(datahub.has("serverType"), "datahub should have serverType field"); + assertTrue(datahub.has("serverEnv"), "datahub should have serverEnv field"); + + // serverType should be a string + assertTrue(datahub.path("serverType").isTextual(), "serverType should be string"); + String serverType = datahub.path("serverType").asText(); + assertNotNull(serverType, "serverType should not be null"); + + // serverEnv might be null, but field should exist + assertTrue( + datahub.hasNonNull("serverEnv") || datahub.path("serverEnv").isNull(), + "serverEnv should be present (may be null)"); + } + + @Test + public void testConfigEndpoint_CapabilityFields() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test capability fields + assertTrue(config.has("supportsImpactAnalysis"), "supportsImpactAnalysis should be present"); + assertTrue( + config.path("supportsImpactAnalysis").isBoolean(), + "supportsImpactAnalysis should be boolean"); + + assertTrue(config.has("datasetUrnNameCasing"), "datasetUrnNameCasing should be present"); + assertTrue( + config.path("datasetUrnNameCasing").isBoolean(), "datasetUrnNameCasing should be boolean"); + } + + @Test + public void testConfigEndpoint_ModelsSection() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Test models section (plugin models) + assertTrue(config.has("models"), "models field should be present"); + JsonNode models = config.path("models"); + assertTrue(models.isObject(), "models should be an object"); + // The exact content depends on plugin registry, but structure should be consistent + } + + @Test + public void testConfigEndpoint_CachingBehavior() throws Exception { + // First request + configServlet.doGet(request, response); + String firstResponse = responseWriter.toString(); + + // Reset response writer for second request + responseWriter = new StringWriter(); + PrintWriter printWriter = new PrintWriter(responseWriter); + when(response.getWriter()).thenReturn(printWriter); + + // Second request immediately after (should use cache) + configServlet.doGet(request, response); + String secondResponse = responseWriter.toString(); + + // Responses should be identical when cached + assertEquals(secondResponse, firstResponse, "Cached responses should be identical"); + } + + @Test + public void testConfigEndpoint_ResponseFormat() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Verify the response is properly formatted JSON + assertTrue(config.isObject(), "Root should be a JSON object"); + + // Verify pretty printing (should contain newlines and indentation) + assertTrue(responseContent.contains("\n"), "Response should be pretty-printed with newlines"); + assertTrue(responseContent.contains(" "), "Response should be indented"); + } + + @Test + public void testConfigEndpoint_AllRequiredFieldsPresent() throws Exception { + configServlet.doGet(request, response); + String responseContent = responseWriter.toString(); JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); - // Validate configuration contents - assertNotNull(config); - assertTrue(config.path("statefulIngestionCapable").asBoolean()); - assertTrue(config.path("supportsImpactAnalysis").asBoolean()); - assertEquals(config.path("datahub").path("serverType").asText(), "prod"); + // Define all fields that MUST be present in the current API + String[] requiredFields = { + "noCode", "retention", "statefulIngestionCapable", "patchCapable", + "timeZone", "supportsImpactAnalysis", "versions", "telemetry", + "managedIngestion", "datahub", "datasetUrnNameCasing", "models", + "configurationProvider" // NEW: Added with secure allowlist implementation + }; + + for (String field : requiredFields) { + assertTrue(config.has(field), "Required field should be present: " + field); + } } @Test @@ -124,4 +322,309 @@ public void testDoGet_SerializationError() throws Exception { fail("Should not throw an exception", e); } } + + /** + * Test that validates the exact current schema structure for backward compatibility. This test + * should be updated carefully when the schema changes. + */ + @Test + public void testConfigEndpoint_BackwardCompatibilitySchema() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Validate exact schema structure that external systems might depend on + + // Base config structure + assertEquals(config.path("noCode").asText(), "true"); + assertEquals(config.path("retention").asText(), "true"); + assertTrue(config.path("statefulIngestionCapable").isBoolean()); + assertTrue(config.path("patchCapable").isBoolean()); + assertTrue(config.path("timeZone").isTextual()); + + // Nested structure validation + assertTrue(config.path("versions").path("acryldata/datahub").isObject()); + + assertTrue(config.path("telemetry").path("enabledCli").isBoolean()); + assertTrue(config.path("telemetry").path("enabledIngestion").isBoolean()); + + assertTrue(config.path("managedIngestion").path("enabled").isBoolean()); + assertTrue(config.path("managedIngestion").path("defaultCliVersion").isTextual()); + + assertTrue(config.path("datahub").path("serverType").isTextual()); + // serverEnv can be null, so just check it exists + assertTrue(config.path("datahub").has("serverEnv")); + + assertTrue(config.path("supportsImpactAnalysis").isBoolean()); + assertTrue(config.path("datasetUrnNameCasing").isBoolean()); + assertTrue(config.path("models").isObject()); + + // Ensure no unexpected root-level fields (helps catch unintended additions) + String[] expectedRootFields = { + "noCode", "retention", "statefulIngestionCapable", "patchCapable", + "timeZone", "supportsImpactAnalysis", "versions", "telemetry", + "managedIngestion", "datahub", "datasetUrnNameCasing", "models", + "configurationProvider" // NEW: Added with secure allowlist implementation + }; + + // Count should match expected fields (no extras) + assertEquals( + config.size(), + expectedRootFields.length, + "Number of root-level fields should match expected count. " + + "If adding new fields, update this test and ensure backward compatibility."); + } + + /** + * Test that validates the new configurationProvider section is properly exposed with sensitive + * information filtered out according to allowlist rules. + */ + @Test + public void testConfigEndpoint_ConfigurationProviderSection() throws Exception { + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // Validate configurationProvider section exists (or gracefully handle its absence) + if (!config.has("configurationProvider")) { + // If configurationProvider is not present, it might be because: + // 1. Test configuration doesn't have the expected sections + // 2. All sections were filtered out by the allowlist + // 3. ConfigurationProvider doesn't have the expected getter methods + // This is acceptable behavior - the test should not fail in this case + return; + } + + JsonNode configProvider = config.path("configurationProvider"); + assertTrue(configProvider.isObject(), "configurationProvider should be an object"); + + // Test that expected safe sections might be present (depending on what's configured) + // Note: These sections may or may not be present depending on the test configuration + // but if they are present, they should have the right structure + + if (configProvider.has("authentication")) { + JsonNode auth = configProvider.path("authentication"); + assertTrue(auth.isObject(), "authentication section should be an object"); + + // Should have safe fields if present + if (auth.has("enabled")) { + assertTrue(auth.path("enabled").isBoolean(), "enabled should be boolean"); + } + if (auth.has("defaultProvider")) { + assertTrue(auth.path("defaultProvider").isTextual(), "defaultProvider should be string"); + } + + // Should NOT have sensitive fields - these should be filtered out by allowlist + assertFalse(auth.has("systemClientSecret"), "systemClientSecret should be filtered out"); + assertFalse(auth.has("signingKey"), "signingKey should be filtered out"); + assertFalse(auth.has("password"), "password should be filtered out"); + } + + if (configProvider.has("kafka")) { + JsonNode kafka = configProvider.path("kafka"); + assertTrue(kafka.isObject(), "kafka section should be an object"); + + // Should have safe fields if present + if (kafka.has("bootstrapServers")) { + assertTrue(kafka.path("bootstrapServers").isTextual(), "bootstrapServers should be string"); + } + + // Should NOT have sensitive fields - these should be filtered out by allowlist + assertFalse(kafka.has("security.protocol"), "security.protocol should be filtered out"); + assertFalse(kafka.has("sasl.username"), "sasl.username should be filtered out"); + assertFalse(kafka.has("sasl.password"), "sasl.password should be filtered out"); + assertFalse( + kafka.has("ssl.keystore.password"), "ssl.keystore.password should be filtered out"); + } + + // Verify that no section contains obvious sensitive field patterns + // Note: Only validate the configurationProvider section, not the entire config + validateNoSensitiveFields(configProvider); + } + + /** + * Helper method to recursively check that no sensitive field patterns are exposed in the + * configurationProvider section. + */ + private void validateNoSensitiveFields(JsonNode node) { + if (node.isObject()) { + node.fieldNames() + .forEachRemaining( + fieldName -> { + String lowerFieldName = fieldName.toLowerCase(); + + // Assert that common sensitive field patterns are not present + assertFalse( + lowerFieldName.contains("password"), + "Field containing 'password' should be filtered: " + fieldName); + assertFalse( + lowerFieldName.contains("secret"), + "Field containing 'secret' should be filtered: " + fieldName); + assertFalse( + lowerFieldName.contains("key") + && (lowerFieldName.contains("private") + || lowerFieldName.contains("signing")), + "Private/signing key field should be filtered: " + fieldName); + assertFalse( + lowerFieldName.contains("token") + && !lowerFieldName.contains("duration") + && !lowerFieldName.contains("service") + && !lowerFieldName.contains("ttl"), + "Token field should be filtered (except duration/ttl): " + fieldName); + + // Recursively check nested objects + validateNoSensitiveFields(node.path(fieldName)); + }); + } else if (node.isArray()) { + for (JsonNode arrayItem : node) { + validateNoSensitiveFields(arrayItem); + } + } + } + + /** + * Test that verifies the new configurationProvider functionality doesn't break if the allowlist + * encounters errors (graceful degradation). + */ + @Test + public void testConfigEndpoint_ConfigurationProviderGracefulDegradation() throws Exception { + // This test ensures that if the configurationProvider section encounters errors, + // it doesn't break the entire /config endpoint + + configServlet.doGet(request, response); + + String responseContent = responseWriter.toString(); + JsonNode config = operationContext.getObjectMapper().readValue(responseContent, JsonNode.class); + + // All existing required fields should still be present even if configurationProvider fails + assertTrue(config.has("noCode"), "noCode should be present"); + assertTrue(config.has("telemetry"), "telemetry should be present"); + assertTrue(config.has("managedIngestion"), "managedIngestion should be present"); + assertTrue(config.has("datahub"), "datahub should be present"); + assertTrue(config.has("models"), "models should be present"); + + // configurationProvider may or may not be present (depending on success/failure) + // but its absence should not break other functionality + if (config.has("configurationProvider")) { + assertTrue( + config.path("configurationProvider").isObject(), + "If present, configurationProvider should be an object"); + } + } + + /** Test the new nested path support with dot notation. */ + @Test + public void testConfigSectionRule_NestedPathSupport() throws Exception { + // Test nested path filtering with the ConfigSectionRule directly + Set allowedFields = + Set.of( + "enabled", // Top-level field + "tokenService.signingAlgorithm", // Nested field - safe + "tokenService.issuer", // Nested field - safe + "nested.deep.config.value" // Deep nesting test + ); + + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + + // Test top-level field detection + Set topLevelFields = rule.getTopLevelFields(); + assertTrue(topLevelFields.contains("enabled"), "Should contain top-level field"); + assertFalse( + topLevelFields.contains("tokenService.signingAlgorithm"), + "Should not contain nested field in top-level"); + + // Test nested path detection + assertTrue( + rule.hasNestedPathsForField("tokenService"), "Should detect nested paths for tokenService"); + assertFalse( + rule.hasNestedPathsForField("enabled"), "Should not detect nested paths for simple field"); + + // Test nested path retrieval + Set tokenServicePaths = rule.getAllowedPathsWithPrefix("tokenService"); + assertTrue( + tokenServicePaths.contains("tokenService.signingAlgorithm"), + "Should contain tokenService.signingAlgorithm"); + assertTrue( + tokenServicePaths.contains("tokenService.issuer"), "Should contain tokenService.issuer"); + assertFalse( + tokenServicePaths.contains("nested.deep.config.value"), + "Should not contain paths with different prefix"); + } + + /** Test that sensitive fields are properly filtered out with nested paths. */ + @Test + public void testConfigurationAllowlist_NestedPathFiltering() throws Exception { + // Create a mock configuration structure that simulates what might come from + // ConfigurationProvider + Map mockConfig = + Map.of( + "enabled", + true, + "tokenService", + Map.of( + "signingAlgorithm", "RS256", // ✅ Should be included + "issuer", "datahub", // ✅ Should be included + "signingKey", "secret-key-value", // ❌ Should be filtered out + "refreshSigningKey", "refresh-key" // ❌ Should be filtered out + ), + "systemClientSecret", + "secret-value" // ❌ Should be filtered out + ); + + // Create rule that only allows safe nested fields + Set allowedFields = + Set.of( + "enabled", "tokenService.signingAlgorithm", "tokenService.issuer" + // Note: signingKey and refreshSigningKey are NOT included + ); + + ConfigSectionRule rule = ConfigSectionRule.include("authentication", allowedFields); + ConfigurationAllowlist allowlist = + ConfigurationAllowlist.createCustom( + Arrays.asList(rule), operationContext.getObjectMapper()); + + // Apply filtering using reflection to access the private method + try { + java.lang.reflect.Method method = + ConfigurationAllowlist.class.getDeclaredMethod( + "applyFieldFiltering", Object.class, ConfigSectionRule.class); + method.setAccessible(true); + + Object result = method.invoke(allowlist, mockConfig, rule); + + // Verify the result + Map resultMap = (Map) result; + + // Should include top-level safe field + assertTrue(resultMap.containsKey("enabled"), "Should include enabled field"); + assertEquals(true, resultMap.get("enabled"), "enabled value should be preserved"); + + // Should include tokenService with filtered content + assertTrue(resultMap.containsKey("tokenService"), "Should include tokenService"); + Map tokenService = (Map) resultMap.get("tokenService"); + + // Should include safe nested fields + assertTrue(tokenService.containsKey("signingAlgorithm"), "Should include signingAlgorithm"); + assertEquals( + "RS256", + tokenService.get("signingAlgorithm"), + "signingAlgorithm value should be preserved"); + assertTrue(tokenService.containsKey("issuer"), "Should include issuer"); + assertEquals("datahub", tokenService.get("issuer"), "issuer value should be preserved"); + + // Should NOT include sensitive nested fields + assertFalse(tokenService.containsKey("signingKey"), "Should NOT include signingKey"); + assertFalse( + tokenService.containsKey("refreshSigningKey"), "Should NOT include refreshSigningKey"); + + // Should NOT include sensitive top-level fields + assertFalse( + resultMap.containsKey("systemClientSecret"), "Should NOT include systemClientSecret"); + + } catch (Exception e) { + fail("Failed to test nested path filtering: " + e.getMessage()); + } + } } diff --git a/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigurationAllowlistTest.java b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigurationAllowlistTest.java new file mode 100644 index 0000000000000..8a790dbc0e20d --- /dev/null +++ b/metadata-service/servlet/src/test/java/com/datahub/gms/servlet/ConfigurationAllowlistTest.java @@ -0,0 +1,484 @@ +package com.datahub.gms.servlet; + +import static org.mockito.Mockito.*; +import static org.testng.Assert.*; + +import com.datahub.authentication.AuthenticationConfiguration; +import com.datahub.authentication.AuthenticatorConfiguration; +import com.datahub.authentication.TokenServiceConfiguration; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.linkedin.gms.factory.config.ConfigurationProvider; +import com.linkedin.metadata.config.cache.CacheConfiguration; +import com.linkedin.metadata.config.cache.PrimaryCacheConfiguration; +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import java.util.Set; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.testng.annotations.BeforeMethod; +import org.testng.annotations.Test; + +/** + * Unit tests for ConfigurationAllowlist functionality. + * + *

These tests verify: - Basic field filtering with top-level fields - Nested path support with + * dot notation - Sensitive field exclusion - Array handling - Edge cases and error handling + */ +public class ConfigurationAllowlistTest { + + private ObjectMapper objectMapper; + private ConfigurationAllowlist allowlist; + + @Mock private ConfigurationProvider mockConfigProvider; + + @BeforeMethod + public void setUp() throws Exception { + MockitoAnnotations.openMocks(this); + objectMapper = new ObjectMapper(); + } + + @Test + public void testTopLevelFieldFiltering() throws Exception { + // Create a mock configuration object that will be converted to Map via ObjectMapper + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + mockAuthConfig.setEnforceExistenceEnabled(true); + mockAuthConfig.setExcludedPaths("excluded/paths"); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create allowlist with only safe top-level fields + ConfigSectionRule rule = + ConfigSectionRule.include( + "authentication", + Set.of( + "enabled", "enforceExistenceEnabled" + // excludedPaths is NOT included + )); + + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + // Apply filtering + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Verify results + assertTrue(result.containsKey("authentication"), "Should contain authentication section"); + + Map authSection = (Map) result.get("authentication"); + assertEquals(authSection.get("enabled"), true, "Should include enabled field"); + assertEquals( + authSection.get("enforceExistenceEnabled"), + true, + "Should include enforceExistenceEnabled field"); + assertFalse(authSection.containsKey("excludedPaths"), "Should NOT include excludedPaths"); + } + + @Test + public void testNestedPathFiltering() throws Exception { + // Create nested configuration using proper configuration objects + TokenServiceConfiguration tokenServiceConfig = new TokenServiceConfiguration(); + tokenServiceConfig.setSigningAlgorithm("RS256"); + tokenServiceConfig.setIssuer("datahub"); + tokenServiceConfig.setSigningKey("secret-key-should-be-filtered"); + tokenServiceConfig.setSalt("secret-salt-should-be-filtered"); + + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + mockAuthConfig.setTokenService(tokenServiceConfig); + mockAuthConfig.setSystemClientSecret("top-level-secret"); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create allowlist with nested paths + ConfigSectionRule rule = + ConfigSectionRule.include( + "authentication", + Set.of( + "enabled", "tokenService.signingAlgorithm", "tokenService.issuer" + // Note: signingKey and refreshSigningKey are NOT included + )); + + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + // Apply filtering + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Verify results + assertTrue(result.containsKey("authentication"), "Should contain authentication section"); + + Map authSection = (Map) result.get("authentication"); + assertEquals(authSection.get("enabled"), true, "Should include top-level enabled field"); + + // Verify tokenService nested structure + assertTrue(authSection.containsKey("tokenService"), "Should include tokenService section"); + Map tokenService = (Map) authSection.get("tokenService"); + + assertEquals( + tokenService.get("signingAlgorithm"), "RS256", "Should include allowed nested field"); + assertEquals(tokenService.get("issuer"), "datahub", "Should include allowed nested field"); + assertFalse( + tokenService.containsKey("signingKey"), "Should NOT include sensitive nested field"); + assertFalse(tokenService.containsKey("salt"), "Should NOT include sensitive nested field"); + + // Verify top-level sensitive field is filtered + assertFalse( + authSection.containsKey("systemClientSecret"), + "Should NOT include top-level sensitive field"); + } + + @Test + public void testDeepNestedPaths() throws Exception { + // Create deeply nested structure using proper configuration objects + PrimaryCacheConfiguration primaryConfig = new PrimaryCacheConfiguration(); + primaryConfig.setTtlSeconds(3600); + primaryConfig.setMaxSize(1000); + + CacheConfiguration cacheConfig = new CacheConfiguration(); + cacheConfig.setPrimary(primaryConfig); + + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + when(mockConfigProvider.getCache()).thenReturn(cacheConfig); + + // Create allowlist with deep nested path using cache configuration + ConfigSectionRule rule = + ConfigSectionRule.include( + "cache", + Set.of( + "primary.ttlSeconds" // 2-level deep path + // primary.maxSize is NOT included + )); + + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + // Apply filtering + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Verify results + assertTrue(result.containsKey("cache"), "Should contain cache section"); + Map cacheSection = (Map) result.get("cache"); + + assertTrue(cacheSection.containsKey("primary"), "Should include primary section"); + Map primary = (Map) cacheSection.get("primary"); + + assertEquals(primary.get("ttlSeconds"), 3600L, "Should include allowed nested field"); + assertFalse(primary.containsKey("maxSize"), "Should NOT include non-allowed nested field"); + } + + @Test + public void testArrayHandling() throws Exception { + // Create configuration with actual array field (authenticators) + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + mockAuthConfig.setSystemClientSecret("filtered-secret"); + + // Create array of authenticators (real array field in AuthenticationConfiguration) + AuthenticatorConfiguration tokenAuth = new AuthenticatorConfiguration(); + tokenAuth.setType("DataHubTokenAuthenticator"); + tokenAuth.setConfigs(Map.of("signingKey", "test-key", "enabled", true)); + + AuthenticatorConfiguration jwtAuth = new AuthenticatorConfiguration(); + jwtAuth.setType("JWTAuthenticator"); + jwtAuth.setConfigs(Map.of("issuer", "test-issuer", "enabled", false)); + + List authenticators = Arrays.asList(tokenAuth, jwtAuth); + mockAuthConfig.setAuthenticators(authenticators); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create allowlist that includes the array field but excludes sensitive fields + ConfigSectionRule rule = + ConfigSectionRule.include( + "authentication", + Set.of( + "enabled", "authenticators" // Include array field - should include entire array + // systemClientSecret is NOT included + )); + + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + // Apply filtering + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Verify results + Map authSection = (Map) result.get("authentication"); + assertEquals(authSection.get("enabled"), true, "Should include enabled field"); + assertFalse( + authSection.containsKey("systemClientSecret"), "Should NOT include sensitive field"); + + // Verify array handling - should include entire array when referenced + assertTrue(authSection.containsKey("authenticators"), "Should include authenticators array"); + List resultAuthenticators = (List) authSection.get("authenticators"); + assertEquals(resultAuthenticators.size(), 2, "Should include all array elements"); + + // Verify array contents are preserved + Map firstAuth = (Map) resultAuthenticators.get(0); + Map secondAuth = (Map) resultAuthenticators.get(1); + assertEquals( + firstAuth.get("type"), + "DataHubTokenAuthenticator", + "Should preserve array element content"); + assertEquals( + secondAuth.get("type"), "JWTAuthenticator", "Should preserve array element content"); + + // Verify that configs Map within array elements are also preserved + Map firstConfigs = (Map) firstAuth.get("configs"); + Map secondConfigs = (Map) secondAuth.get("configs"); + assertEquals( + firstConfigs.get("signingKey"), + "test-key", + "Should preserve nested content within array elements"); + assertEquals( + firstConfigs.get("enabled"), true, "Should preserve nested content within array elements"); + assertEquals( + secondConfigs.get("issuer"), + "test-issuer", + "Should preserve nested content within array elements"); + assertEquals( + secondConfigs.get("enabled"), + false, + "Should preserve nested content within array elements"); + } + + @Test + public void testMissingConfigurationSection() throws Exception { + // Mock returns null for missing section + when(mockConfigProvider.getAuthentication()).thenReturn(null); + + ConfigSectionRule rule = ConfigSectionRule.include("authentication", Set.of("enabled")); + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should not include the missing section + assertFalse(result.containsKey("authentication"), "Should not include missing section"); + } + + @Test + public void testMissingNestedPath() throws Exception { + // Setup config missing some nested paths + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + // tokenService is missing (null) + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create allowlist that references missing nested paths + ConfigSectionRule rule = + ConfigSectionRule.include( + "authentication", + Set.of( + "enabled", + "tokenService.signingAlgorithm", // This path doesn't exist + "missingField.nestedField" // This path doesn't exist + )); + + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should include existing field but gracefully handle missing paths + Map authSection = (Map) result.get("authentication"); + assertEquals(authSection.get("enabled"), true, "Should include existing field"); + assertFalse( + authSection.containsKey("tokenService"), "Should not include missing nested section"); + assertFalse(authSection.containsKey("missingField"), "Should not include missing field"); + } + + @Test + public void testEmptyAllowedFields() throws Exception { + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + mockAuthConfig.setSystemClientSecret("secret"); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create rule with empty allowed fields (should exclude everything) + ConfigSectionRule rule = ConfigSectionRule.include("authentication", Set.of()); + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should not include the section if no fields are allowed + assertFalse( + result.containsKey("authentication"), + "Should not include section when no fields are allowed"); + } + + @Test + public void testAllFieldsAllowed() throws Exception { + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + mockAuthConfig.setSystemClientSecret("secret"); + + TokenServiceConfiguration tokenConfig = new TokenServiceConfiguration(); + tokenConfig.setIssuer("datahub"); + mockAuthConfig.setTokenService(tokenConfig); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create rule that allows all fields (null allowedFields) + ConfigSectionRule rule = ConfigSectionRule.include("authentication"); + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should include everything + Map authSection = (Map) result.get("authentication"); + assertEquals(authSection.get("enabled"), true, "Should include all fields"); + assertEquals(authSection.get("systemClientSecret"), "secret", "Should include all fields"); + assertTrue(authSection.containsKey("tokenService"), "Should include nested structures"); + } + + @Test + public void testMultipleSections() throws Exception { + // Setup multiple configuration sections + AuthenticationConfiguration authConfig = new AuthenticationConfiguration(); + authConfig.setEnabled(true); + authConfig.setSystemClientSecret("filtered"); + + CacheConfiguration cacheConfig = new CacheConfiguration(); + PrimaryCacheConfiguration primaryConfig = new PrimaryCacheConfiguration(); + primaryConfig.setTtlSeconds(3600); + primaryConfig.setMaxSize(1000); + cacheConfig.setPrimary(primaryConfig); + + when(mockConfigProvider.getAuthentication()).thenReturn(authConfig); + when(mockConfigProvider.getCache()).thenReturn(cacheConfig); + + // Create allowlist with multiple sections + List rules = + Arrays.asList( + ConfigSectionRule.include("authentication", Set.of("enabled")), + ConfigSectionRule.include("cache", Set.of("primary.ttlSeconds"))); + + allowlist = ConfigurationAllowlist.createCustom(rules, objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should include both sections with filtered content + assertTrue(result.containsKey("authentication"), "Should include authentication section"); + assertTrue(result.containsKey("cache"), "Should include cache section"); + + Map authSection = (Map) result.get("authentication"); + Map cacheSection = (Map) result.get("cache"); + + assertEquals(authSection.get("enabled"), true, "Should include allowed auth field"); + assertFalse(authSection.containsKey("systemClientSecret"), "Should filter auth secret"); + + Map primary = (Map) cacheSection.get("primary"); + assertEquals(primary.get("ttlSeconds"), 3600L, "Should include allowed cache field"); + assertFalse(primary.containsKey("maxSize"), "Should filter cache maxSize"); + } + + @Test + public void testSectionRenaming() throws Exception { + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create rule that renames the section + ConfigSectionRule rule = ConfigSectionRule.include("authentication", "auth", Set.of("enabled")); + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should use the renamed output path + assertFalse(result.containsKey("authentication"), "Should not use original section name"); + assertTrue(result.containsKey("auth"), "Should use renamed section name"); + + Map authSection = (Map) result.get("auth"); + assertEquals(authSection.get("enabled"), true, "Should include field in renamed section"); + } + + @Test + public void testExcludedSection() throws Exception { + AuthenticationConfiguration mockAuthConfig = new AuthenticationConfiguration(); + mockAuthConfig.setEnabled(true); + + when(mockConfigProvider.getAuthentication()).thenReturn(mockAuthConfig); + + // Create rule that excludes the section + ConfigSectionRule rule = ConfigSectionRule.exclude("authentication"); + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Should not include excluded section + assertFalse(result.containsKey("authentication"), "Should not include excluded section"); + } + + @Test + public void testOnlyLeafNodesMatch() throws Exception { + // Create a complex nested configuration structure to test leaf vs non-leaf matching + CacheConfiguration mockCacheConfig = new CacheConfiguration(); + + // Set up primary cache (has leaf values) + PrimaryCacheConfiguration primaryConfig = new PrimaryCacheConfiguration(); + primaryConfig.setTtlSeconds(3600); // This is a leaf + primaryConfig.setMaxSize(1000); // This is a leaf + mockCacheConfig.setPrimary(primaryConfig); + + // Note: client, homepage, search would be non-leaf nodes if they have sub-objects + // but we're not setting them up with sub-objects for this test + + when(mockConfigProvider.getCache()).thenReturn(mockCacheConfig); + + // Create allowlist rules that try to match both leaf and non-leaf paths + ConfigSectionRule rule = + ConfigSectionRule.include( + "cache", + Set.of( + "primary", // NON-LEAF: has children (ttlSeconds, maxSize) + "primary.ttlSeconds", // LEAF: final value + "primary.maxSize", // LEAF: final value + "client", // NON-LEAF: would have children (entityClient, usageClient) + "nonExistentField" // Non-existent field + )); + + allowlist = ConfigurationAllowlist.createCustom(Arrays.asList(rule), objectMapper); + + // Apply filtering + Map result = allowlist.buildAllowedConfiguration(mockConfigProvider); + + // Verify results - only leaf paths should be included + assertTrue(result.containsKey("cache"), "Should contain cache section"); + Map cacheSection = (Map) result.get("cache"); + + // Check if non-leaf "primary" is included (this test may fail if current implementation allows + // it) + boolean primaryIncluded = cacheSection.containsKey("primary"); + if (primaryIncluded) { + // If primary is included, verify its structure + Map primary = (Map) cacheSection.get("primary"); + + // The question is: does including "primary" include the whole object or just create empty + // structure? + // If "primary" as non-leaf creates the object, then "primary.ttlSeconds" should add the leaf + // values + assertEquals(primary.get("ttlSeconds"), 3600L, "Leaf value should be included"); + assertEquals(primary.get("maxSize"), 1000L, "Leaf value should be included"); + } + + // Check if non-leaf "client" is included (should not be since it's not set up and is non-leaf) + assertFalse( + cacheSection.containsKey("client"), + "Non-leaf client field should not be included when it has potential children"); + + // Non-existent field should definitely not be included + assertFalse( + cacheSection.containsKey("nonExistentField"), "Non-existent field should not be included"); + + // Log the actual structure for debugging + System.out.println("DEBUG - Cache section structure: " + cacheSection); + System.out.println("DEBUG - Primary included: " + primaryIncluded); + if (primaryIncluded) { + Map primary = (Map) cacheSection.get("primary"); + System.out.println("DEBUG - Primary contents: " + primary); + } + } +}