Merge pull request #277 from SolaceProducts/moodiRealist/DATAGO-106034

DATAGO-106034: Reject h2 console routes

Author: moodiRealist

service/application/pom.xml

@@ -109,6 +109,11 @@
             <artifactId>spring-security-rsa</artifactId>
             <version>${spring-security-rsa.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+            <version>${spring-boot.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.kafka</groupId>
             <artifactId>spring-kafka</artifactId>

service/application/src/main/java/com/solace/maas/ep/event/management/agent/config/H2ConsoleSecurityConfig.java

@@ -0,0 +1,55 @@
+package com.solace.maas.ep.event.management.agent.config;
+
+import jakarta.annotation.PostConstruct;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Slf4j
+@Configuration
+@Profile("!TEST")
+@ConditionalOnExpression("!'none'.equals('${spring.main.web-application-type:}')")
+public class H2ConsoleSecurityConfig {
+
+    @PostConstruct
+    public void logSecurityStatus() {
+        log.info("H2 Console Security: COMPLETELY DISABLED");
+        log.info("H2 Console has been forcibly disabled for security reasons");
+    }
+
+    /**
+     * Force H2 console to be disabled to ensures the H2 console cannot be enabled
+     * even if spring.h2.console.enabled=true is set in configuration files.
+     */
+    @Bean
+    @Primary
+    public H2ConsoleProperties h2ConsoleProperties() {
+        H2ConsoleProperties properties = new H2ConsoleProperties();
+        properties.setEnabled(false); // Force disabled
+        log.info("H2 Console: Programmatically disabled via H2ConsoleProperties override");
+        return properties;
+    }
+
+    /**
+     * Security filter chain that explicitly denies all access to H2 console endpoints.
+     * This provides defense-in-depth by blocking access even if H2 console somehow gets enabled.
+     */
+    @Bean
+    public SecurityFilterChain h2ConsoleBlockingSecurityFilterChain(HttpSecurity http) throws Exception {
+        log.info("Configuring H2 Console Blocking Security Filter Chain");
+
+        // Explicitly deny all access to H2 console paths
+        http.authorizeHttpRequests(auth ->
+                auth.requestMatchers("/h2/**", "/h2-console/**").denyAll()
+                        .anyRequest().permitAll());
+
+        log.info("H2 Console: All access to /h2/** and /h2-console/** endpoints BLOCKED");
+        return http.build();
+    }
+}

service/application/src/main/java/com/solace/maas/ep/event/management/agent/publisher/ScanStatusPublisher.java

@@ -9,6 +9,7 @@
 import com.solace.maas.ep.event.management.agent.plugin.util.MdcUtil;
 import io.micrometer.core.instrument.MeterRegistry;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.ObjectUtils;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 
@@ -62,7 +63,7 @@ public void sendOverallScanStatus(ScanStatusMessage message, Map<String, String>
                             STATUS_TAG, status,
                             SCAN_ID_TAG, scanId,
                             ORG_ID_TAG, message.getOrgId(),
-                            ORIGIN_ORG_ID_TAG, message.getOriginOrgId(),
+                            ORIGIN_ORG_ID_TAG, ObjectUtils.isEmpty(message.getOriginOrgId()) ? message.getOrgId() : message.getOriginOrgId(),
                             IS_LINKED_TAG, MdcUtil.isLinked(message.getOrgId(), message.getOriginOrgId()) ? "true" : "false")
                     .increment();
         }
@@ -96,7 +97,7 @@ public void sendScanDataStatus(ScanDataStatusMessage message, Map<String, String
                             STATUS_TAG, status,
                             SCAN_ID_TAG, scanId,
                             ORG_ID_TAG, topicDetails.get("orgId"),
-                            ORIGIN_ORG_ID_TAG, message.getOriginOrgId(),
+                            ORIGIN_ORG_ID_TAG, ObjectUtils.isEmpty(message.getOriginOrgId()) ? topicDetails.get("orgId") : message.getOriginOrgId(),
                             IS_LINKED_TAG, MdcUtil.isLinked(message.getOrgId(), message.getOriginOrgId()) ? "true" : "false")
                     .increment();
         }

service/application/src/main/java/com/solace/maas/ep/event/management/agent/service/ScanService.java

@@ -129,6 +129,7 @@ public String singleScan(SingleScanSpecification singleScanSpecification) {
         log.info("Scan request [{}], trace ID [{}]: Total of {} scan types to be retrieved: [{}].",
                 scanId, traceId, scanTypes.size(), StringUtils.join(scanTypes, ", "));
 
+
         sendScanStatus(orgId,
                 originOrgId,
                 groupId,
@@ -289,7 +290,7 @@ public void sendScanStatus(String orgId,
                         STATUS_TAG, status.name(),
                         SCAN_ID_TAG, scanId,
                         ORG_ID_TAG, orgId,
-                        ORIGIN_ORG_ID_TAG, originOrgId,
+                        ORIGIN_ORG_ID_TAG, ObjectUtils.isEmpty(originOrgId) ? orgId : originOrgId,
                         IS_LINKED_TAG, MdcUtil.isLinked(orgId, originOrgId) ? "true" : "false")
                 .increment();
     }

service/application/src/main/java/com/solace/maas/ep/event/management/agent/subscriber/messageProcessors/ScanCommandMessageProcessor.java

@@ -10,6 +10,7 @@
 import lombok.extern.slf4j.Slf4j;
 import net.logstash.logback.encoder.org.apache.commons.lang3.StringUtils;
 import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.Validate;
 import org.awaitility.core.ConditionTimeoutException;
 import org.slf4j.MDC;
@@ -62,7 +63,7 @@ public void processMessage(ScanCommandMessage message) {
         meterRegistry.counter(MAAS_EMA_SCAN_EVENT_RECEIVED,
                         SCAN_ID_TAG, scanId,
                         ORG_ID_TAG, message.getOrgId(),
-                        ORIGIN_ORG_ID_TAG, message.getOriginOrgId(),
+                        ORIGIN_ORG_ID_TAG, ObjectUtils.isEmpty(message.getOriginOrgId()) ? message.getOrgId() : message.getOriginOrgId(),
                         IS_LINKED_TAG, MdcUtil.isLinked(message.getOrgId(), message.getOriginOrgId()) ? "true" : "false")
                 .increment();
 
@@ -161,7 +162,7 @@ public void sendCycleTimeMetric(Instant startTime, ScanCommandMessage message, S
         Timer jobCycleTime = Timer
                 .builder(MAAS_EMA_SCAN_EVENT_CYCLE_TIME)
                 .tag(ORG_ID_TAG, message.getOrgId())
-                .tag(ORIGIN_ORG_ID_TAG, message.getOriginOrgId())
+                .tag(ORIGIN_ORG_ID_TAG, ObjectUtils.isEmpty(message.getOriginOrgId()) ? message.getOrgId() : message.getOriginOrgId())
                 .tag(IS_LINKED_TAG, MdcUtil.isLinked(message.getOrgId(), message.getOriginOrgId()) ? "true" : "false")
                 .tag(STATUS_TAG, status)
                 .register(meterRegistry);