Refactor tests for cloudfoundryapplication endpoint

- Order the returned list of endpoints by ID
- Critical fix: block /cloudfoundryapplication and log warning when security middleware not added
- Critical fix: don't turn off all security when the /cloudfoundryapplication hypermedia endpoint is turned off

Author: bart-vmware

src/Management/src/Endpoint/ActuatorMapper.cs

@@ -35,16 +35,23 @@ protected ActuatorMapper(IEnumerable<IEndpointMiddleware> middlewares, IOptionsM
 
     protected IEnumerable<(string RoutePattern, IEndpointMiddleware Middleware)> GetEndpointsToMap()
     {
-        string? basePath = _managementOptionsMonitor.CurrentValue.Path;
+        ManagementOptions managementOptions = _managementOptionsMonitor.CurrentValue;
 
         foreach (IEndpointMiddleware middleware in _middlewares.Where(middleware => middleware is not CloudFoundryEndpointMiddleware))
         {
-            string routePattern = middleware.EndpointOptions.GetPathMatchPattern(basePath);
+            string routePattern = middleware.EndpointOptions.GetPathMatchPattern(managementOptions.Path);
             yield return (routePattern, middleware);
         }
 
         if (Platform.IsCloudFoundry)
         {
+            if (managementOptions is { IsCloudFoundryEnabled: true, HasCloudFoundrySecurity: false })
+            {
+                _logger.LogWarning(
+                    $"Actuators at the {ConfigureManagementOptions.DefaultCloudFoundryPath} endpoint are disabled because the Cloud Foundry security middleware is not active. " +
+                    $"Call {nameof(EndpointApplicationBuilderExtensions.UseCloudFoundrySecurity)}() from your custom middleware pipeline to enable them.");
+            }
+
             foreach (IEndpointMiddleware middleware in _middlewares.Where(middleware => middleware is not HypermediaEndpointMiddleware))
             {
                 string routePattern = middleware.EndpointOptions.GetPathMatchPattern(ConfigureManagementOptions.DefaultCloudFoundryPath);

src/Management/src/Endpoint/Actuators/CloudFoundry/CloudFoundrySecurityMiddleware.cs

@@ -54,12 +54,12 @@ public async Task InvokeAsync(HttpContext context)
         ArgumentNullException.ThrowIfNull(context);
 
         _logger.LogDebug("InvokeAsync({RequestPath})", context.Request.Path.Value);
-        CloudFoundryEndpointOptions endpointOptions = _endpointOptionsMonitor.CurrentValue;
         ManagementOptions managementOptions = _managementOptionsMonitor.CurrentValue;
 
-        if (Platform.IsCloudFoundry && endpointOptions.IsEnabled(managementOptions) && managementOptions.IsCloudFoundryEnabled &&
-            PermissionsProvider.IsCloudFoundryRequest(context.Request.Path))
+        if (Platform.IsCloudFoundry && managementOptions.IsCloudFoundryEnabled && PermissionsProvider.IsCloudFoundryRequest(context.Request.Path))
         {
+            CloudFoundryEndpointOptions endpointOptions = _endpointOptionsMonitor.CurrentValue;
+
             if (string.IsNullOrEmpty(endpointOptions.ApplicationId))
             {
                 _logger.LogError(

src/Management/src/Endpoint/Actuators/CloudFoundry/EndpointApplicationBuilderExtensions.cs

@@ -30,6 +30,9 @@ public static IApplicationBuilder UseCloudFoundrySecurity(this IApplicationBuild
 
         builder.UseMiddleware<CloudFoundrySecurityMiddleware>();
 
+        var marker = builder.ApplicationServices.GetRequiredService<HasCloudFoundrySecurityMiddlewareMarker>();
+        marker.Value = true;
+
         return builder;
     }
 }

src/Management/src/Endpoint/Actuators/Hypermedia/HypermediaService.cs

@@ -68,7 +68,7 @@ public Links Invoke(Uri baseUrl)
         bool skipExposureCheck = PermissionsProvider.IsCloudFoundryRequest(baseUrl.PathAndQuery);
         string? basePath = managementOptions.GetBasePath(baseUrl.AbsolutePath);
 
-        foreach (EndpointOptions endpointOptions in _endpointOptionsMonitorProviders.Select(provider => provider.Get()))
+        foreach (EndpointOptions endpointOptions in _endpointOptionsMonitorProviders.Select(provider => provider.Get()).OrderBy(options => options.Id))
         {
             if (endpointOptions.Id == null || !endpointOptions.IsEnabled(managementOptions))
             {

src/Management/src/Endpoint/Configuration/ConfigureManagementOptions.cs

@@ -16,14 +16,17 @@ internal sealed class ConfigureManagementOptions : IConfigureOptionsWithKey<Mana
     internal const string DefaultCloudFoundryPath = "/cloudfoundryapplication";
 
     private readonly IConfiguration _configuration;
+    private readonly HasCloudFoundrySecurityMiddlewareMarker _hasCloudFoundrySecurityMiddlewareMarker;
 
     public string ConfigurationKey => "Management:Endpoints";
 
-    public ConfigureManagementOptions(IConfiguration configuration)
+    public ConfigureManagementOptions(IConfiguration configuration, HasCloudFoundrySecurityMiddlewareMarker hasCloudFoundrySecurityMiddlewareMarker)
     {
         ArgumentNullException.ThrowIfNull(configuration);
+        ArgumentNullException.ThrowIfNull(hasCloudFoundrySecurityMiddlewareMarker);
 
         _configuration = configuration;
+        _hasCloudFoundrySecurityMiddlewareMarker = hasCloudFoundrySecurityMiddlewareMarker;
     }
 
     public void Configure(ManagementOptions options)
@@ -32,13 +35,13 @@ public void Configure(ManagementOptions options)
 
         _configuration.GetSection(ConfigurationKey).Bind(options);
 
-        options.IsCloudFoundryEnabled = true;
-
         if (bool.TryParse(_configuration[CloudFoundryEnabledConfigurationKey], out bool isEnabled))
         {
             options.IsCloudFoundryEnabled = isEnabled;
         }
 
+        options.HasCloudFoundrySecurity = _hasCloudFoundrySecurityMiddlewareMarker.Value;
+
         ConfigureSerializerOptions(options);
 
         options.Path ??= DefaultPath;

src/Management/src/Endpoint/Configuration/ManagementOptions.cs

@@ -13,7 +13,16 @@ public sealed class ManagementOptions
 {
     internal const string UseStatusCodeFromResponseHeaderName = "X-Use-Status-Code-From-Response";
 
-    internal bool IsCloudFoundryEnabled { get; set; }
+    /// <summary>
+    /// Gets or sets a value indicating whether ANY endpoint starting with /cloudfoundryapplication is accessible. Not to be confused with the accessibility
+    /// of the /cloudfoundryapplication hypermedia endpoint.
+    /// </summary>
+    internal bool IsCloudFoundryEnabled { get; set; } = true;
+
+    /// <summary>
+    /// Gets or sets a value indicating whether the Cloud Foundry security middleware has been added to the pipeline.
+    /// </summary>
+    internal bool HasCloudFoundrySecurity { get; set; }
 
     /// <summary>
     /// Gets which management endpoints are included and/or excluded.

src/Management/src/Endpoint/CoreActuatorServiceCollectionExtensions.cs

@@ -95,6 +95,8 @@ private static void AddCommonActuatorServices(IServiceCollection services, bool
         }
 
         services.TryAddEnumerable(ServiceDescriptor.Singleton<IStartupFilter, ManagementPortStartupFilter>());
+
+        services.TryAddSingleton<HasCloudFoundrySecurityMiddlewareMarker>();
     }
 
     internal static void ConfigureEndpointOptions<TOptions, TConfigureOptions>(this IServiceCollection services)

src/Management/src/Endpoint/EndpointOptionsExtensions.cs

@@ -48,9 +48,9 @@ public static bool CanInvoke(this EndpointOptions endpointOptions, PathString re
 
         bool isEnabled = IsEnabled(endpointOptions, managementOptions);
         bool isExposed = IsExposed(endpointOptions, managementOptions);
-
         bool isAtCloudFoundryPath = requestPath.StartsWithSegments(ConfigureManagementOptions.DefaultCloudFoundryPath);
-        return isAtCloudFoundryPath ? managementOptions.IsCloudFoundryEnabled && isEnabled : isEnabled && isExposed;
+
+        return isAtCloudFoundryPath ? isEnabled && managementOptions is { IsCloudFoundryEnabled: true, HasCloudFoundrySecurity: true } : isEnabled && isExposed;
     }
 
     public static string GetPathMatchPattern(this EndpointOptions endpointOptions, string? basePath)

src/Management/src/Endpoint/HasCloudFoundrySecurityMiddlewareMarker.cs

@@ -0,0 +1,13 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information.
+
+namespace Steeltoe.Management.Endpoint;
+
+/// <summary>
+/// Used to detect if the Cloud Foundry security middleware has been added to the pipeline.
+/// </summary>
+internal sealed class HasCloudFoundrySecurityMiddlewareMarker
+{
+    public bool Value { get; set; }
+}

src/Management/src/Endpoint/SpringBootAdminClient/ServiceCollectionExtensions.cs

@@ -32,6 +32,7 @@ public static IServiceCollection AddSpringBootAdminClient(this IServiceCollectio
         services.ConfigureOptionsWithChangeTokenSource<ManagementOptions, ConfigureManagementOptions>();
         services.ConfigureOptionsWithChangeTokenSource<SpringBootAdminClientOptions, ConfigureSpringBootAdminClientOptions>();
         services.ConfigureEndpointOptions<HealthEndpointOptions, ConfigureHealthEndpointOptions>();
+        services.TryAddSingleton<HasCloudFoundrySecurityMiddlewareMarker>();
 
         ConfigureHttpClient(services);