Merge pull request #16319 from Spring Operator

* gh-16319:
  Polish "Use HTTPS for external links wherever possible"
  Use HTTPS for external links wherever possible

Author: wilkinsona

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/CloudFoundryWebFluxEndpointIntegrationTests.java

@@ -113,9 +113,9 @@ public void responseToOptionsRequestIncludesCorsHeaders() {
 		this.contextRunner.run(withWebTestClient((client) -> client.options()
 				.uri("/cfApplication/test").accept(MediaType.APPLICATION_JSON)
 				.header("Access-Control-Request-Method", "POST")
-				.header("Origin", "http://example.com").exchange().expectStatus().isOk()
+				.header("Origin", "https://example.com").exchange().expectStatus().isOk()
 				.expectHeader()
-				.valueEquals("Access-Control-Allow-Origin", "http://example.com")
+				.valueEquals("Access-Control-Allow-Origin", "https://example.com")
 				.expectHeader().valueEquals("Access-Control-Allow-Methods", "GET,POST")));
 	}
 
@@ -204,7 +204,7 @@ public CloudFoundryWebFluxEndpointHandlerMapping cloudFoundryWebEndpointServletH
 				EndpointMediaTypes endpointMediaTypes,
 				CloudFoundrySecurityInterceptor interceptor) {
 			CorsConfiguration corsConfiguration = new CorsConfiguration();
-			corsConfiguration.setAllowedOrigins(Arrays.asList("http://example.com"));
+			corsConfiguration.setAllowedOrigins(Arrays.asList("https://example.com"));
 			corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST"));
 			return new CloudFoundryWebFluxEndpointHandlerMapping(
 					new EndpointMapping("/cfApplication"),

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundryActuatorAutoConfigurationTests.java

@@ -102,7 +102,7 @@ public void cloudFoundryPlatformActive() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -126,7 +126,7 @@ public void cloudfoundryapplicationProducesActuatorMediaType() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					WebTestClient webTestClient = WebTestClient
 							.bindToApplicationContext(context).build();
@@ -140,7 +140,7 @@ public void cloudFoundryPlatformActiveSetsApplicationId() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -157,7 +157,7 @@ public void cloudFoundryPlatformActiveSetsCloudControllerUrl() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -168,7 +168,7 @@ public void cloudFoundryPlatformActiveSetsCloudControllerUrl() {
 					String cloudControllerUrl = (String) ReflectionTestUtils
 							.getField(interceptorSecurityService, "cloudControllerUrl");
 					assertThat(cloudControllerUrl)
-							.isEqualTo("http://my-cloud-controller.com");
+							.isEqualTo("https://my-cloud-controller.com");
 				});
 	}
 
@@ -193,7 +193,7 @@ public void cloudFoundryPathsIgnoredBySpringSecurity() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					WebFilterChainProxy chainProxy = context
 							.getBean(WebFilterChainProxy.class);
@@ -240,7 +240,7 @@ public void allEndpointsAvailableUnderCloudFoundryWithoutEnablingWebIncludes() {
 		this.contextRunner.withUserConfiguration(TestConfiguration.class)
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -258,7 +258,7 @@ public void endpointPathCustomizationIsNotApplied() {
 		this.contextRunner.withUserConfiguration(TestConfiguration.class)
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -282,7 +282,7 @@ public void healthEndpointInvokerShouldBeCloudFoundryWebExtension() {
 						AutoConfigurations.of(HealthEndpointAutoConfiguration.class))
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					Collection<ExposableWebEndpoint> endpoints = getHandlerMapping(
 							context).getEndpoints();
@@ -304,7 +304,7 @@ public void skipSslValidation() {
 						AutoConfigurations.of(HealthEndpointAutoConfiguration.class))
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com",
+						"vcap.application.cf_api:https://my-cloud-controller.com",
 						"management.cloudfoundry.skip-ssl-validation:true")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
@@ -327,7 +327,7 @@ public void sslValidationNotSkippedByDefault() {
 						AutoConfigurations.of(HealthEndpointAutoConfiguration.class))
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebFluxEndpointHandlerMapping handlerMapping = getHandlerMapping(
 							context);

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundrySecurityInterceptorTests.java

@@ -61,7 +61,7 @@ public void setup() {
 	@Test
 	public void preHandleWhenRequestIsPreFlightShouldBeOk() {
 		MockServerWebExchange request = MockServerWebExchange.from(MockServerHttpRequest
-				.options("/a").header(HttpHeaders.ORIGIN, "http://example.com")
+				.options("/a").header(HttpHeaders.ORIGIN, "https://example.com")
 				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET").build());
 		StepVerifier.create(this.interceptor.preHandle(request, "/a")).consumeNextWith(
 				(response) -> assertThat(response.getStatus()).isEqualTo(HttpStatus.OK))

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundrySecurityServiceTests.java

@@ -46,7 +46,7 @@ public class ReactiveCloudFoundrySecurityServiceTests {
 	private static final String CLOUD_CONTROLLER_PERMISSIONS = CLOUD_CONTROLLER
 			+ "/v2/apps/my-app-id/permissions";
 
-	private static final String UAA_URL = "http://my-cloud-controller.com/uaa";
+	private static final String UAA_URL = "https://my-cloud-controller.com/uaa";
 
 	private ReactiveCloudFoundrySecurityService securityService;
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveTokenValidatorTests.java

@@ -259,7 +259,7 @@ public void validateTokenWhenExpiredShouldThrowException() throws Exception {
 	public void validateTokenWhenIssuerIsNotValidShouldThrowException() throws Exception {
 		given(this.securityService.fetchTokenKeys()).willReturn(Mono.just(VALID_KEYS));
 		given(this.securityService.getUaaUrl())
-				.willReturn(Mono.just("http://other-uaa.com"));
+				.willReturn(Mono.just("https://other-uaa.com"));
 		String header = "{ \"alg\": \"RS256\",  \"kid\": \"valid-key\", \"typ\": \"JWT\", \"scope\": [\"actuator.read\"]}";
 		String claims = "{ \"exp\": 2147483647, \"iss\": \"http://localhost:8080/uaa/oauth/token\", \"scope\": [\"foo.bar\"]}";
 		StepVerifier

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfigurationTests.java

@@ -84,7 +84,7 @@ public void cloudFoundryPlatformActive() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebEndpointServletHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -108,7 +108,7 @@ public void cloudfoundryapplicationProducesActuatorMediaType() throws Exception
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(context).build();
 					mockMvc.perform(get("/cloudfoundryapplication"))
@@ -122,7 +122,7 @@ public void cloudFoundryPlatformActiveSetsApplicationId() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebEndpointServletHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -139,7 +139,7 @@ public void cloudFoundryPlatformActiveSetsCloudControllerUrl() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebEndpointServletHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -150,7 +150,7 @@ public void cloudFoundryPlatformActiveSetsCloudControllerUrl() {
 					String cloudControllerUrl = (String) ReflectionTestUtils
 							.getField(interceptorSecurityService, "cloudControllerUrl");
 					assertThat(cloudControllerUrl)
-							.isEqualTo("http://my-cloud-controller.com");
+							.isEqualTo("https://my-cloud-controller.com");
 				});
 	}
 
@@ -159,7 +159,7 @@ public void skipSslValidation() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com",
+						"vcap.application.cf_api:https://my-cloud-controller.com",
 						"management.cloudfoundry.skip-ssl-validation:true")
 				.run((context) -> {
 					CloudFoundryWebEndpointServletHandlerMapping handlerMapping = getHandlerMapping(
@@ -229,7 +229,7 @@ public void allEndpointsAvailableUnderCloudFoundryWithoutExposeAllOnWeb() {
 		this.contextRunner.withUserConfiguration(TestConfiguration.class)
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.run((context) -> {
 					CloudFoundryWebEndpointServletHandlerMapping handlerMapping = getHandlerMapping(
 							context);
@@ -247,7 +247,7 @@ public void endpointPathCustomizationIsNotApplied() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com",
+						"vcap.application.cf_api:https://my-cloud-controller.com",
 						"management.endpoints.web.path-mapping.test=custom")
 				.withUserConfiguration(TestConfiguration.class).run((context) -> {
 					CloudFoundryWebEndpointServletHandlerMapping handlerMapping = getHandlerMapping(
@@ -271,7 +271,7 @@ public void healthEndpointInvokerShouldBeCloudFoundryWebExtension() {
 		this.contextRunner
 				.withPropertyValues("VCAP_APPLICATION:---",
 						"vcap.application.application_id:my-app-id",
-						"vcap.application.cf_api:http://my-cloud-controller.com")
+						"vcap.application.cf_api:https://my-cloud-controller.com")
 				.withConfiguration(
 						AutoConfigurations.of(HealthEndpointAutoConfiguration.class))
 				.run((context) -> {

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryMvcWebEndpointIntegrationTests.java

@@ -98,9 +98,9 @@ public void responseToOptionsRequestIncludesCorsHeaders() {
 		load(TestEndpointConfiguration.class, (client) -> client.options()
 				.uri("/cfApplication/test").accept(MediaType.APPLICATION_JSON)
 				.header("Access-Control-Request-Method", "POST")
-				.header("Origin", "http://example.com").exchange().expectStatus().isOk()
+				.header("Origin", "https://example.com").exchange().expectStatus().isOk()
 				.expectHeader()
-				.valueEquals("Access-Control-Allow-Origin", "http://example.com")
+				.valueEquals("Access-Control-Allow-Origin", "https://example.com")
 				.expectHeader().valueEquals("Access-Control-Allow-Methods", "GET,POST"));
 	}
 
@@ -203,7 +203,7 @@ public CloudFoundryWebEndpointServletHandlerMapping cloudFoundryWebEndpointServl
 				EndpointMediaTypes endpointMediaTypes,
 				CloudFoundrySecurityInterceptor interceptor) {
 			CorsConfiguration corsConfiguration = new CorsConfiguration();
-			corsConfiguration.setAllowedOrigins(Arrays.asList("http://example.com"));
+			corsConfiguration.setAllowedOrigins(Arrays.asList("https://example.com"));
 			corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST"));
 			return new CloudFoundryWebEndpointServletHandlerMapping(
 					new EndpointMapping("/cfApplication"),

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundrySecurityInterceptorTests.java

@@ -64,7 +64,7 @@ public void setup() {
 	@Test
 	public void preHandleWhenRequestIsPreFlightShouldReturnTrue() {
 		this.request.setMethod("OPTIONS");
-		this.request.addHeader(HttpHeaders.ORIGIN, "http://example.com");
+		this.request.addHeader(HttpHeaders.ORIGIN, "https://example.com");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		SecurityResponse response = this.interceptor.preHandle(this.request,
 				EndpointId.of("test"));

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/web/LinkTests.java

@@ -41,21 +41,21 @@ public void createWhenHrefIsNullShouldThrowException() {
 
 	@Test
 	public void getHrefShouldReturnHref() {
-		String href = "http://example.com";
+		String href = "https://example.com";
 		Link link = new Link(href);
 		assertThat(link.getHref()).isEqualTo(href);
 	}
 
 	@Test
 	public void isTemplatedWhenContainsPlaceholderShouldReturnTrue() {
-		String href = "http://example.com/{path}";
+		String href = "https://example.com/{path}";
 		Link link = new Link(href);
 		assertThat(link.isTemplated()).isTrue();
 	}
 
 	@Test
 	public void isTemplatedWhenContainsNoPlaceholderShouldReturnFalse() {
-		String href = "http://example.com/path";
+		String href = "https://example.com/path";
 		Link link = new Link(href);
 		assertThat(link.isTemplated()).isFalse();
 	}

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/web/reactive/WebFluxEndpointIntegrationTests.java

@@ -82,9 +82,9 @@ public void responseToOptionsRequestIncludesCorsHeaders() {
 		load(TestEndpointConfiguration.class, (client) -> client.options().uri("/test")
 				.accept(MediaType.APPLICATION_JSON)
 				.header("Access-Control-Request-Method", "POST")
-				.header("Origin", "http://example.com").exchange().expectStatus().isOk()
+				.header("Origin", "https://example.com").exchange().expectStatus().isOk()
 				.expectHeader()
-				.valueEquals("Access-Control-Allow-Origin", "http://example.com")
+				.valueEquals("Access-Control-Allow-Origin", "https://example.com")
 				.expectHeader().valueEquals("Access-Control-Allow-Methods", "GET,POST"));
 	}
 
@@ -127,7 +127,7 @@ public WebFluxEndpointHandlerMapping webEndpointHandlerMapping(
 				Environment environment, WebEndpointDiscoverer endpointDiscoverer,
 				EndpointMediaTypes endpointMediaTypes) {
 			CorsConfiguration corsConfiguration = new CorsConfiguration();
-			corsConfiguration.setAllowedOrigins(Arrays.asList("http://example.com"));
+			corsConfiguration.setAllowedOrigins(Arrays.asList("https://example.com"));
 			corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST"));
 			return new WebFluxEndpointHandlerMapping(
 					new EndpointMapping(environment.getProperty("endpointPath")),