[grid] Add config blocked-routes and specific blocked-delete-session in Router

Signed-off-by: Viet Nguyen Duc <[email protected]>

Author: VietND96

java/src/org/openqa/selenium/grid/commands/Hub.java

@@ -31,6 +31,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -48,6 +49,8 @@
 import org.openqa.selenium.grid.log.LoggingOptions;
 import org.openqa.selenium.grid.router.ProxyWebsocketsIntoGrid;
 import org.openqa.selenium.grid.router.Router;
+import org.openqa.selenium.grid.router.httpd.BlockedRoute;
+import org.openqa.selenium.grid.router.httpd.BlockedRoutesFilter;
 import org.openqa.selenium.grid.router.httpd.RouterOptions;
 import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
 import org.openqa.selenium.grid.security.Secret;
@@ -207,6 +210,13 @@ protected Handlers createHandlers(Config config) {
       httpHandler = httpHandler.with(new BasicAuthenticationFilter(uap.username(), uap.password()));
     }
 
+    // Apply blocked routes filter
+    List<BlockedRoute> blockedRoutes = routerOptions.getBlockedRoutes();
+    if (!blockedRoutes.isEmpty()) {
+      LOG.info("Blocking " + blockedRoutes.size() + " route(s): " + blockedRoutes);
+      httpHandler = BlockedRoutesFilter.with(httpHandler, blockedRoutes);
+    }
+
     // Allow the liveness endpoint to be reached, since k8s doesn't make it easy to authenticate
     // these checks
     httpHandler = combine(httpHandler, Route.get("/readyz").to(() -> readinessCheck));

java/src/org/openqa/selenium/grid/commands/Standalone.java

@@ -32,6 +32,7 @@
 import java.net.URI;
 import java.net.URL;
 import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -53,6 +54,8 @@
 import org.openqa.selenium.grid.node.ProxyNodeWebsockets;
 import org.openqa.selenium.grid.node.config.NodeOptions;
 import org.openqa.selenium.grid.router.Router;
+import org.openqa.selenium.grid.router.httpd.BlockedRoute;
+import org.openqa.selenium.grid.router.httpd.BlockedRoutesFilter;
 import org.openqa.selenium.grid.router.httpd.RouterOptions;
 import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
 import org.openqa.selenium.grid.security.Secret;
@@ -213,6 +216,13 @@ protected Handlers createHandlers(Config config) {
       httpHandler = httpHandler.with(new BasicAuthenticationFilter(uap.username(), uap.password()));
     }
 
+    // Apply blocked routes filter
+    List<BlockedRoute> blockedRoutes = routerOptions.getBlockedRoutes();
+    if (!blockedRoutes.isEmpty()) {
+      LOG.info("Blocking " + blockedRoutes.size() + " route(s): " + blockedRoutes);
+      httpHandler = BlockedRoutesFilter.with(httpHandler, blockedRoutes);
+    }
+
     // Allow the liveness endpoint to be reached, since k8s doesn't make it easy to authenticate
     // these checks
     httpHandler = combine(httpHandler, Route.get("/readyz").to(() -> readinessCheck));

java/src/org/openqa/selenium/grid/router/httpd/BlockedRoute.java

@@ -0,0 +1,101 @@
+// Licensed to the Software Freedom Conservancy (SFC) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The SFC licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.openqa.selenium.grid.router.httpd;
+
+/** Represents a blocked route with HTTP method and path. */
+public class BlockedRoute {
+  private final String method;
+  private final String path;
+
+  public BlockedRoute(String method, String path) {
+    this.method = method.toUpperCase();
+    this.path = path;
+  }
+
+  public String getMethod() {
+    return method;
+  }
+
+  public String getPath() {
+    return path;
+  }
+
+  /**
+   * Creates a BlockedRoute from a string in the format "METHOD:path".
+   *
+   * @param routeStr String representation of blocked route
+   * @return BlockedRoute instance
+   * @throws IllegalArgumentException if the format is invalid
+   */
+  public static BlockedRoute fromString(String routeStr) {
+    if (routeStr == null || routeStr.trim().isEmpty()) {
+      throw new IllegalArgumentException("Route string cannot be null or empty");
+    }
+
+    String[] parts = routeStr.split(":", 2);
+    if (parts.length != 2) {
+      throw new IllegalArgumentException(
+          "Invalid route format. Expected 'METHOD:path', got: " + routeStr);
+    }
+
+    String method = parts[0].trim().toUpperCase();
+    String path = parts[1].trim();
+
+    if (method.isEmpty() || path.isEmpty()) {
+      throw new IllegalArgumentException("Method and path cannot be empty. Got: " + routeStr);
+    }
+
+    return new BlockedRoute(method, path);
+  }
+
+  /**
+   * Checks if the given HTTP method and request path match this blocked route.
+   *
+   * @param requestMethod HTTP method of the request
+   * @param requestPath Path of the request
+   * @return true if the route should be blocked
+   */
+  public boolean matches(String requestMethod, String requestPath) {
+    if (!method.equals(requestMethod.toUpperCase())) {
+      return false;
+    }
+
+    // For exact path matching, we need to handle path parameters like {session-id}
+    // Convert the blocked path pattern to a regex pattern
+    String pattern = path.replaceAll("\\{[^}]+\\}", "[^/]+");
+    return requestPath.matches(pattern);
+  }
+
+  @Override
+  public String toString() {
+    return method + ":" + path;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) return true;
+    if (obj == null || getClass() != obj.getClass()) return false;
+    BlockedRoute that = (BlockedRoute) obj;
+    return method.equals(that.method) && path.equals(that.path);
+  }
+
+  @Override
+  public int hashCode() {
+    return method.hashCode() * 31 + path.hashCode();
+  }
+}

java/src/org/openqa/selenium/grid/router/httpd/BlockedRoutesFilter.java

@@ -0,0 +1,86 @@
+// Licensed to the Software Freedom Conservancy (SFC) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The SFC licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.openqa.selenium.grid.router.httpd;
+
+import java.net.URI;
+import java.util.List;
+import java.util.logging.Logger;
+import org.openqa.selenium.remote.http.Contents;
+import org.openqa.selenium.remote.http.HttpHandler;
+import org.openqa.selenium.remote.http.HttpRequest;
+import org.openqa.selenium.remote.http.HttpResponse;
+import org.openqa.selenium.remote.http.Routable;
+
+/** Filter that blocks requests matching specified routes. */
+public class BlockedRoutesFilter implements HttpHandler {
+
+  private static final Logger LOG = Logger.getLogger(BlockedRoutesFilter.class.getName());
+  private final List<BlockedRoute> blockedRoutes;
+  private final HttpHandler delegate;
+
+  public BlockedRoutesFilter(List<BlockedRoute> blockedRoutes, HttpHandler delegate) {
+    this.blockedRoutes = blockedRoutes;
+    this.delegate = delegate;
+  }
+
+  @Override
+  public HttpResponse execute(HttpRequest request) {
+    String method = request.getMethod().toString();
+    String path = URI.create(request.getUri()).getPath();
+
+    // Check if the request matches any blocked route
+    for (BlockedRoute blockedRoute : blockedRoutes) {
+      if (blockedRoute.matches(method, path)) {
+        LOG.warning(
+            "Blocked request: "
+                + method
+                + " "
+                + path
+                + " (matches blocked route: "
+                + blockedRoute
+                + ")");
+        return new HttpResponse()
+            .setStatus(403) // Forbidden
+            .setContent(
+                Contents.utf8String("Route blocked by configuration: " + method + " " + path));
+      }
+    }
+
+    // If not blocked, delegate to the next handler
+    return delegate.execute(request);
+  }
+
+  /** Creates a Routable that applies the blocked routes filter. */
+  public static Routable with(Routable routable, List<BlockedRoute> blockedRoutes) {
+    if (blockedRoutes == null || blockedRoutes.isEmpty()) {
+      return routable;
+    }
+
+    return new Routable() {
+      @Override
+      public HttpResponse execute(HttpRequest req) {
+        return new BlockedRoutesFilter(blockedRoutes, routable).execute(req);
+      }
+
+      @Override
+      public boolean matches(HttpRequest req) {
+        return routable.matches(req);
+      }
+    };
+  }
+}

java/src/org/openqa/selenium/grid/router/httpd/RouterFlags.java

@@ -74,6 +74,27 @@ public class RouterFlags implements HasRoles {
   @ConfigValue(section = ROUTER_SECTION, name = "disable-ui", example = "true")
   public boolean disableUi = false;
 
+  @Parameter(
+      names = {"--blocked-routes"},
+      arity = 1,
+      description =
+          "Comma-separated list of routes to block in format 'METHOD:path'. Example:"
+              + " 'DELETE:/session/{session-id},DELETE:/se/grid/distributor/node/{node-id}'")
+  @ConfigValue(
+      section = ROUTER_SECTION,
+      name = "blocked-routes",
+      example = "DELETE:/session/{session-id},DELETE:/se/grid/distributor/node/{node-id}")
+  public String blockedRoutes;
+
+  @Parameter(
+      names = {"--blocked-delete-session"},
+      arity = 1,
+      description =
+          "A flag to prevent deleting a session proactively by blocking DELETE requests to"
+              + " /session/{session-id} route")
+  @ConfigValue(section = ROUTER_SECTION, name = "blocked-delete-session", example = "true")
+  public boolean blockedDeleteSession = false;
+
   @Override
   public Set<Role> getRoles() {
     return Collections.singleton(ROUTER_ROLE);

java/src/org/openqa/selenium/grid/router/httpd/RouterOptions.java

@@ -17,6 +17,9 @@
 
 package org.openqa.selenium.grid.router.httpd;
 
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import org.openqa.selenium.grid.config.Config;
 
 public class RouterOptions {
@@ -51,4 +54,51 @@ public String subPath() {
   public boolean disableUi() {
     return config.get(ROUTER_SECTION, "disable-ui").map(Boolean::parseBoolean).orElse(false);
   }
+
+  /**
+   * Returns a list of blocked routes from the configuration. Each blocked route should be specified
+   * in the format "METHOD:path" (e.g., "DELETE:/session/{session-id}"). Multiple routes can be
+   * specified as comma-separated values. If the blocked-delete-session flag is enabled,
+   * DELETE:/session/{session-id} will be automatically added.
+   *
+   * @return List of blocked routes
+   */
+  public List<BlockedRoute> getBlockedRoutes() {
+    List<BlockedRoute> routes =
+        config
+            .get(ROUTER_SECTION, "blocked-routes")
+            .map(
+                blockedRoutesStr -> {
+                  if (blockedRoutesStr.trim().isEmpty()) {
+                    return List.<BlockedRoute>of();
+                  }
+
+                  return Stream.of(blockedRoutesStr.split(","))
+                      .map(String::trim)
+                      .filter(s -> !s.isEmpty())
+                      .map(BlockedRoute::fromString)
+                      .collect(Collectors.toList());
+                })
+            .orElse(List.of());
+
+    // Add DELETE session route if the flag is enabled
+    boolean blockedDeleteSession =
+        config.getBool(ROUTER_SECTION, "blocked-delete-session").orElse(false);
+
+    if (blockedDeleteSession) {
+      BlockedRoute deleteSessionRoute = new BlockedRoute("DELETE", "/session/{session-id}");
+      // Only add if not already present
+      if (routes.stream()
+          .noneMatch(
+              route ->
+                  "DELETE".equals(route.getMethod())
+                      && "/session/{session-id}".equals(route.getPath()))) {
+        routes =
+            Stream.concat(routes.stream(), Stream.of(deleteSessionRoute))
+                .collect(Collectors.toList());
+      }
+    }
+
+    return routes;
+  }
 }

java/src/org/openqa/selenium/grid/router/httpd/RouterServer.java

@@ -37,6 +37,7 @@
 import java.net.URL;
 import java.time.Duration;
 import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -173,6 +174,13 @@ protected Handlers createHandlers(Config config) {
       route = route.with(new BasicAuthenticationFilter(uap.username(), uap.password()));
     }
 
+    // Apply blocked routes filter
+    List<BlockedRoute> blockedRoutes = routerOptions.getBlockedRoutes();
+    if (!blockedRoutes.isEmpty()) {
+      LOG.info("Blocking " + blockedRoutes.size() + " route(s): " + blockedRoutes);
+      route = BlockedRoutesFilter.with(route, blockedRoutes);
+    }
+
     HttpHandler readinessCheck =
         req -> {
           boolean ready = router.isReady();

java/test/org/openqa/selenium/grid/router/httpd/BUILD.bazel

@@ -0,0 +1,18 @@
+load("@rules_jvm_external//:defs.bzl", "artifact")
+load("//java:defs.bzl", "JUNIT5_DEPS", "java_test_suite")
+
+java_test_suite(
+    name = "httpd-tests",
+    size = "small",
+    srcs = glob(["*Test.java"]),
+    deps = [
+        "//java/src/org/openqa/selenium/grid/config",
+        "//java/src/org/openqa/selenium/grid/router/httpd",
+        "//java/src/org/openqa/selenium/remote/http",
+        "//java/test/org/openqa/selenium/testing:test-base",
+        artifact("com.google.guava:guava"),
+        artifact("org.junit.jupiter:junit-jupiter-api"),
+        artifact("org.assertj:assertj-core"),
+        artifact("org.mockito:mockito-core"),
+    ] + JUNIT5_DEPS,
+)