From a878cbe68a9c1261563c17be3f0d166bb4ce1ebc Mon Sep 17 00:00:00 2001
From: pabloFuente
Date: Wed, 14 Oct 2020 17:30:43 +0200
Subject: [PATCH] openvidu-server: protect old paths with BasicAuth only if SUPPORT_DEPRECATED_API=true
---
 .../server/config/SecurityConfig.java | 48 +++++++++++--------
 .../server/rest/ApiRestPathRewriteFilter.java | 37 ++++++++++++--
 2 files changed, 62 insertions(+), 23 deletions(-)
diff --git a/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java b/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
index 74042b51..c06b1a6e 100644
--- a/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
+++ b/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
@@ -20,8 +20,12 @@ package io.openvidu.server.config;
 import java.util.Arrays;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.core.env.Environment;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -31,41 +35,45 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
-@Configuration
+import io.openvidu.server.rest.ApiRestPathRewriteFilter;
+import io.openvidu.server.rest.RequestMappings;
+
+@Configuration()
+@ConditionalOnMissingBean(name = "securityConfigPro")
+@Order(Ordered.LOWEST_PRECEDENCE)
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 @Autowired
- OpenviduConfig openviduConf;
+ protected OpenviduConfig openviduConf;
+
+ @Autowired
+ protected Environment environment;
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- // Security for API REST
 ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry conf = http.cors().and() .csrf().disable().authorizeRequests()
- // /api
- .antMatchers("/api/**").authenticated()
- // /config
- .antMatchers(HttpMethod.GET, "/config/openvidu-publicurl").permitAll()
- .antMatchers(HttpMethod.GET, "/config/**").authenticated()
- // /cdr
- .antMatchers(HttpMethod.GET, "/cdr/**").authenticated()
- // /accept-certificate
- .antMatchers(HttpMethod.GET, "/accept-certificate").permitAll()
- // Dashboard
- .antMatchers(HttpMethod.GET, "/dashboard/**").authenticated();
+ .antMatchers(HttpMethod.GET, RequestMappings.API + "/config/openvidu-publicurl").permitAll()
+ .antMatchers(HttpMethod.GET, RequestMappings.ACCEPT_CERTIFICATE).permitAll()
+ .antMatchers(RequestMappings.API + "/**").authenticated()
+ .antMatchers(HttpMethod.GET, RequestMappings.CDR + "/**").authenticated()
+ .antMatchers(HttpMethod.GET, RequestMappings.FRONTEND_CE + "/**").authenticated()
+ .antMatchers(HttpMethod.GET, RequestMappings.CUSTOM_LAYOUTS + "/**").authenticated();
- // Security for recording layouts
- conf.antMatchers("/layouts/**").authenticated();
-
- // Security for recorded video files
+ // Secure recordings depending on OPENVIDU_RECORDING_PUBLIC_ACCESS
 if (openviduConf.getOpenViduRecordingPublicAccess()) {
- conf = conf.antMatchers("/recordings/**").permitAll();
+ conf = conf.antMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").permitAll();
 } else {
- conf = conf.antMatchers("/recordings/**").authenticated();
+ conf = conf.antMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").authenticated();
 }
 conf.and().httpBasic();
+
+ // TODO: remove this when deprecating SUPPORT_DEPRECATED_API
+ if (Boolean.valueOf(environment.getProperty("SUPPORT_DEPRECATED_API"))) {
+ ApiRestPathRewriteFilter.protectOldPathsCe(conf, openviduConf);
+ }
 }
 @Bean
diff --git a/openvidu-server/src/main/java/io/openvidu/server/rest/ApiRestPathRewriteFilter.java b/openvidu-server/src/main/java/io/openvidu/server/rest/ApiRestPathRewriteFilter.java
index a837f7f4..2abe443b 100644
--- a/openvidu-server/src/main/java/io/openvidu/server/rest/ApiRestPathRewriteFilter.java
+++ b/openvidu-server/src/main/java/io/openvidu/server/rest/ApiRestPathRewriteFilter.java
@@ -16,8 +16,13 @@ import javax.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.web.util.WebUtils;
+import io.openvidu.server.config.OpenviduConfig;
+
 public class ApiRestPathRewriteFilter implements Filter {
 protected static final Logger log = LoggerFactory.getLogger(ApiRestPathRewriteFilter.class);
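Review bot: The registry assembled in `configure()` still has no catch-all rule, so a request matching none of the listed antMatchers — a non-GET on the `RequestMappings.CDR`, `FRONTEND_CE`, `CUSTOM_LAYOUTS` or `RECORDINGS` prefixes, or any of the legacy `/api/**`, `/config/**`, `/cdr/**`, `/dashboard/**`, `/layouts/**` and `/recordings/**` paths once `SUPPORT_DEPRECATED_API` is false — is not authorization-checked at all and reaches whatever handler happens to be mapped. If everything not listed is meant to require credentials, a deny-by-default fallback `conf.anyRequest().authenticated();` declared after the `protectOldPathsCe` call (Spring Security rejects matchers added after `anyRequest()`) closes that gap; any route that must stay open would need an explicit `permitAll()` ahead of it, which this hunk does not let me judge. Separately, the flag is read with `Boolean.valueOf(environment.getProperty("SUPPORT_DEPRECATED_API"))` while every other setting here comes through `openviduConf`; presumably the same property gates registration of `ApiRestPathRewriteFilter`, so a single `OpenviduConfig` accessor used by both would keep the two decisions in lock-step and give one place to parse and default the value.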
@@ -52,6 +57,11 @@ public class ApiRestPathRewriteFilter implements Filter {
 "Deprecated path support will be removed in a future release. You can disable old path support to test compatibility with property SUPPORT_DEPRECATED_API=false");
 }
+ @Override
+ public void destroy() {
+ // Nothing to free up...
+ }
+
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
@@ -106,9 +116,30 @@ public class ApiRestPathRewriteFilter implements Filter {
 }
 }
- @Override
- public void destroy() {
- // Nothing to free up...
+ public static void protectOldPathsCe(
+ ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry conf,
+ OpenviduConfig openviduConf) throws Exception {
+
+ conf.antMatchers("/api/**").authenticated()
+ // /config
+ .antMatchers(HttpMethod.GET, "/config/openvidu-publicurl").permitAll()
+ .antMatchers(HttpMethod.GET, "/config/**").authenticated()
+ // /cdr
+ .antMatchers(HttpMethod.GET, "/cdr/**").authenticated()
+ // /accept-certificate
+ .antMatchers(HttpMethod.GET, "/accept-certificate").permitAll()
+ // Dashboard
+ .antMatchers(HttpMethod.GET, "/dashboard/**").authenticated();
+
+ // Security for recording layouts
+ conf.antMatchers("/layouts/**").authenticated();
+
+ // Security for recorded video files
+ if (openviduConf.getOpenViduRecordingPublicAccess()) {
+ conf = conf.antMatchers("/recordings/**").permitAll();
+ } else {
+ conf = conf.antMatchers("/recordings/**").authenticated();
+ }
 }
 }
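Review bot: `protectOldPathsCe` declares `throws Exception` although nothing in its body throws a checked exception, and the two `conf = conf.antMatchers("/recordings/**")...` lines assign to a parameter that is never read again; `public static void protectOldPathsCe(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry conf, OpenviduConfig openviduConf) {` together with `conf.antMatchers("/recordings/**").permitAll();` and `conf.antMatchers("/recordings/**").authenticated();` say the same thing without the dead stores. The method is public API on a servlet `Filter` class yet carries no Javadoc; a header such as `/** Registers the Basic-Auth rules for the pre-RequestMappings URL layout; only meaningful while SUPPORT_DEPRECATED_API is true, and must be called before any anyRequest() rule on the same registry. */` would tell the next reader why these paths reappear here rather than in SecurityConfig. Note also that the legacy `/recordings/**` rules apply to every HTTP method whereas the new `RequestMappings.RECORDINGS` rules in SecurityConfig are GET-only; if the rewrite filter forwards old paths to the new ones, whichever path the security filter chain sees decides which rule applies, and this hunk does not show that ordering.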