Add customer BeanFactoryResolver

Author: ryanjbaxter

spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/support/ShortcutConfigurable.java

@@ -27,6 +27,7 @@
 import org.springframework.beans.factory.BeanFactory;
 import org.springframework.context.expression.BeanFactoryResolver;
 import org.springframework.core.env.Environment;
+import org.springframework.expression.AccessException;
 import org.springframework.expression.BeanResolver;
 import org.springframework.expression.ConstructorResolver;
 import org.springframework.expression.EvaluationContext;
@@ -46,6 +47,9 @@
 import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 
+import static org.springframework.context.ConfigurableApplicationContext.SYSTEM_ENVIRONMENT_BEAN_NAME;
+import static org.springframework.context.ConfigurableApplicationContext.SYSTEM_PROPERTIES_BEAN_NAME;
+
 /**
  * @author Spencer Gibb
  */
@@ -176,14 +180,31 @@ public abstract Map<String, Object> normalize(Map<String, String> args, Shortcut
 
 	}
 
+	class GatewayBeanFactoryResolver extends BeanFactoryResolver {
+
+		public GatewayBeanFactoryResolver(BeanFactory beanFactory) {
+			super(beanFactory);
+		}
+
+		@Override
+		public Object resolve(EvaluationContext context, String beanName) throws AccessException {
+			if (SYSTEM_ENVIRONMENT_BEAN_NAME.equals(beanName) || SYSTEM_PROPERTIES_BEAN_NAME.equals(beanName)) {
+				throw new AccessException(beanName
+						+ " is not accessible when spring.cloud.gateway.restrictive-property-accessor.enabled=true");
+			}
+			return super.resolve(context, beanName);
+		}
+
+	}
+
 	class GatewayEvaluationContext implements EvaluationContext {
 
 		private final BeanFactoryResolver beanFactoryResolver;
 
 		private final SimpleEvaluationContext delegate;
 
 		public GatewayEvaluationContext(BeanFactory beanFactory) {
-			this.beanFactoryResolver = new BeanFactoryResolver(beanFactory);
+			this.beanFactoryResolver = new ShortcutConfigurable.GatewayBeanFactoryResolver(beanFactory);
 			Environment env = beanFactory.getBean(Environment.class);
 			boolean restrictive = env.getProperty("spring.cloud.gateway.restrictive-property-accessor.enabled",
 					Boolean.class, true);

spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/actuate/GatewayControllerEndpointTests.java

@@ -229,6 +229,52 @@ public void testPostValidRouteDefinition() {
 			.isCreated();
 	}
 
+	@Test
+	public void testPostInvalidSpelRouteDefinition() {
+		RouteDefinition testRouteDefinition = new RouteDefinition();
+		testRouteDefinition.setUri(URI.create("http://example.org"));
+
+		FilterDefinition prefixPathFilterDefinition = new FilterDefinition("PrefixPath=/test-path");
+		FilterDefinition redirectToFilterDefinition = new FilterDefinition(
+				"AddResponseHeader=#{ @systemProperties['user.home'] ?: 'n.a' }");
+		testRouteDefinition.setFilters(Arrays.asList(prefixPathFilterDefinition, redirectToFilterDefinition));
+
+		PredicateDefinition hostRoutePredicateDefinition = new PredicateDefinition("Host=myhost.org");
+		PredicateDefinition methodRoutePredicateDefinition = new PredicateDefinition("Method=GET");
+		testRouteDefinition.setPredicates(Arrays.asList(hostRoutePredicateDefinition, methodRoutePredicateDefinition));
+
+		testClient.post()
+			.uri("http://localhost:" + port + "/actuator/gateway/routes/test-route")
+			.accept(MediaType.APPLICATION_JSON)
+			.body(BodyInserters.fromValue(testRouteDefinition))
+			.exchange()
+			.expectStatus()
+			.isCreated();
+		// The refresh will try and create the new route but this should fail with an
+		// exception due to
+		// the invalid SpEL expression
+		// The HTTP request still returns a 200 because all this is doing is firing an
+		// event and it
+		// is a "fire and forget" operation
+		testClient.post()
+			.uri("http://localhost:" + port + "/actuator/gateway/refresh")
+			.exchange()
+			.expectStatus()
+			.isOk();
+
+		// Check to make sure the route was not actually created
+		testClient.get()
+			.uri("http://localhost:" + port + "/actuator/gateway/routes")
+			.exchange()
+			.expectStatus()
+			.isOk()
+			.expectBodyList(Map.class)
+			.consumeWith(result -> {
+				List<Map> responseBody = result.getResponseBody();
+				assertThat(responseBody).extracting("route_id").doesNotContain("test-route");
+			});
+	}
+
 	@Test
 	public void testRefreshByGroup() {
 		RouteDefinition testRouteDefinition = new RouteDefinition();

spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/support/ShortcutConfigurableNonRestrictiveTests.java

@@ -55,7 +55,7 @@ public List<String> shortcutFieldOrder() {
 			}
 		};
 		Map<String, String> args = new HashMap<>();
-		args.put("barproperty", "#{@bar.getInt}");
+		args.put("barproperty", "#{@bar.property}");
 		args.put("arg1", "val1");
 		Map<String, Object> map = ShortcutType.DEFAULT.normalize(args, shortcutConfigurable, parser, this.beanFactory);
 		assertThat(map).isNotNull().containsEntry("barproperty", 42).containsEntry("arg1", "val1");
@@ -94,6 +94,8 @@ public Bar bar() {
 
 	protected static class Bar {
 
+		public int property = 42;
+
 		public int getInt() {
 			return 42;
 		}

spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/support/ShortcutConfigurableTests.java

@@ -82,7 +82,24 @@ public List<String> shortcutFieldOrder() {
 	}
 
 	@Test
-	public void testNormalizeDefaultTypeWithSpelAndInvalidPropertyReferenceFails() {
+	public void testNormalizeDefaultTypeWithSpelSystemPropertiesFails() {
+		parser = new SpelExpressionParser();
+		ShortcutConfigurable shortcutConfigurable = new ShortcutConfigurable() {
+			@Override
+			public List<String> shortcutFieldOrder() {
+				return Arrays.asList("bean", "arg1");
+			}
+		};
+		Map<String, String> args = new HashMap<>();
+		args.put("bean", "#{ @systemProperties['user.home'] ?: 'n.a' }");
+		args.put("arg1", "val1");
+		assertThatThrownBy(() -> {
+			ShortcutType.DEFAULT.normalize(args, shortcutConfigurable, parser, this.beanFactory);
+		}).isInstanceOf(SpelEvaluationException.class);
+	}
+
+	@Test
+	public void testNormalizeDefaultTypeWithSpelEnvironmentVariablesFails() {
 		parser = new SpelExpressionParser();
 		ShortcutConfigurable shortcutConfigurable = new ShortcutConfigurable() {
 			@Override
@@ -91,13 +108,31 @@ public List<String> shortcutFieldOrder() {
 			}
 		};
 		Map<String, String> args = new HashMap<>();
-		args.put("barproperty", "#{@bar.getInt}");
+		args.put("bean", "#{ @systemEnvironment['user.home'] ?: 'n.a' }");
 		args.put("arg1", "val1");
 		assertThatThrownBy(() -> {
 			ShortcutType.DEFAULT.normalize(args, shortcutConfigurable, parser, this.beanFactory);
 		}).isInstanceOf(SpelEvaluationException.class);
 	}
 
+	@Test
+	public void testNormalizeDefaultTypeWithSpelAndInvalidPropertyReferenceFails() {
+		parser = new SpelExpressionParser();
+		ShortcutConfigurable shortcutConfigurable = new ShortcutConfigurable() {
+			@Override
+			public List<String> shortcutFieldOrder() {
+				return Arrays.asList("bean", "arg1");
+			}
+		};
+		Map<String, String> args = new HashMap<>();
+		args.put("barproperty", "#{@bar.property}");
+		args.put("arg1", "val1");
+		assertThatThrownBy(() -> {
+			ShortcutType.DEFAULT.normalize(args, shortcutConfigurable, parser, this.beanFactory);
+		}).isInstanceOf(SpelEvaluationException.class)
+			.hasMessageContaining("Property or field 'property' cannot be found");
+	}
+
 	@Test
 	public void testNormalizeDefaultTypeWithSpelAndInvalidMethodReferenceFails() {
 		parser = new SpelExpressionParser();
@@ -247,6 +282,8 @@ public Map<String, Object> myMap() {
 
 	protected static class Bar {
 
+		public int property = 42;
+
 		public int getInt() {
 			return 42;
 		}