Merge pull request #49591 from bbbbooo

* gh-49591:
  Polish "Fix EndpointRequest links matching for separate management port"
  Fix EndpointRequest links matching for separate management port

Closes gh-49591

Author: wilkinsona

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequest.java

@@ -228,6 +228,13 @@ private boolean hasImplicitServerNamespace(ApplicationContext applicationContext
 					&& applicationContext.getParent() == null;
 		}
 
+		protected final String getLinksPath(String basePath) {
+			if (StringUtils.hasText(basePath)) {
+				return basePath;
+			}
+			return (this.managementPortType == ManagementPortType.DIFFERENT) ? "/" : null;
+		}
+
 		protected final String toString(List<Object> endpoints, String emptyValue) {
 			return (!endpoints.isEmpty()) ? endpoints.stream()
 				.map(this::getEndpointId)
@@ -326,7 +333,8 @@ protected ServerWebExchangeMatcher createDelegate(PathMappedEndpoints endpoints)
 			streamPaths(this.includes, endpoints).forEach(paths::add);
 			streamPaths(this.excludes, endpoints).forEach(paths::remove);
 			List<ServerWebExchangeMatcher> delegateMatchers = getDelegateMatchers(paths, this.httpMethod);
-			if (this.includeLinks && StringUtils.hasText(endpoints.getBasePath())) {
+			String linksPath = getLinksPath(endpoints.getBasePath());
+			if (this.includeLinks && linksPath != null) {
 				delegateMatchers.add(new LinksServerWebExchangeMatcher());
 			}
 			if (delegateMatchers.isEmpty()) {
@@ -362,10 +370,14 @@ private LinksServerWebExchangeMatcher() {
 
 		@Override
 		protected ServerWebExchangeMatcher createDelegate(WebEndpointProperties properties) {
-			if (StringUtils.hasText(properties.getBasePath())) {
-				return new OrServerWebExchangeMatcher(
-						new PathPatternParserServerWebExchangeMatcher(properties.getBasePath()),
-						new PathPatternParserServerWebExchangeMatcher(properties.getBasePath() + "/"));
+			String linksPath = getLinksPath(properties.getBasePath());
+			if (linksPath != null) {
+				List<ServerWebExchangeMatcher> linksMatchers = new ArrayList<>();
+				linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath));
+				if (!linksPath.endsWith("/")) {
+					linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath + "/"));
+				}
+				return new OrServerWebExchangeMatcher(linksMatchers);
 			}
 			return EMPTY_MATCHER;
 		}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java

@@ -225,13 +225,27 @@ protected final List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory r
 		}
 
 		protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMatcherFactory,
-				RequestMatcherProvider matcherProvider, String basePath) {
+				RequestMatcherProvider matcherProvider, String linksPath) {
 			List<RequestMatcher> linksMatchers = new ArrayList<>();
-			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, basePath));
-			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, basePath, "/"));
+			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath));
+			if (!linksPath.endsWith("/")) {
+				linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath, "/"));
+			}
 			return linksMatchers;
 		}
 
+		protected String getLinksPath(WebApplicationContext context, String basePath) {
+			if (StringUtils.hasText(basePath)) {
+				return basePath;
+			}
+			ManagementPortType managementPortType = this.managementPortType;
+			if (managementPortType == null) {
+				managementPortType = ManagementPortType.get(context.getEnvironment());
+				this.managementPortType = managementPortType;
+			}
+			return (managementPortType == ManagementPortType.DIFFERENT) ? "/" : null;
+		}
+
 		protected RequestMatcherProvider getRequestMatcherProvider(WebApplicationContext context) {
 			try {
 				return getRequestMatcherProviderBean(context);
@@ -359,8 +373,9 @@ protected RequestMatcher createDelegate(WebApplicationContext context,
 			List<RequestMatcher> delegateMatchers = getDelegateMatchers(requestMatcherFactory, matcherProvider, paths,
 					this.httpMethod);
 			String basePath = endpoints.getBasePath();
-			if (this.includeLinks && StringUtils.hasText(basePath)) {
-				delegateMatchers.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, basePath));
+			String linksPath = getLinksPath(context, basePath);
+			if (this.includeLinks && linksPath != null) {
+				delegateMatchers.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, linksPath));
 			}
 			if (delegateMatchers.isEmpty()) {
 				return EMPTY_MATCHER;
@@ -393,10 +408,10 @@ public static final class LinksRequestMatcher extends AbstractRequestMatcher {
 		protected RequestMatcher createDelegate(WebApplicationContext context,
 				RequestMatcherFactory requestMatcherFactory) {
 			WebEndpointProperties properties = context.getBean(WebEndpointProperties.class);
-			String basePath = properties.getBasePath();
-			if (StringUtils.hasText(basePath)) {
+			String linksPath = getLinksPath(context, properties.getBasePath());
+			if (linksPath != null) {
 				return new OrRequestMatcher(
-						getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), basePath));
+						getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), linksPath));
 			}
 			return EMPTY_MATCHER;
 		}

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequestTests.java

@@ -32,6 +32,7 @@
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
+import org.springframework.boot.test.util.TestPropertyValues;
 import org.springframework.boot.web.context.WebServerApplicationContext;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.context.support.StaticApplicationContext;
@@ -91,6 +92,15 @@ void toAnyEndpointWhenBasePathIsEmptyShouldNotMatchLinks() {
 		assertMatcher.matches("/bar");
 	}
 
+	@Test
+	void toAnyEndpointWhenBasePathIsEmptyAndManagementPortDifferentShouldMatchLinks() {
+		ServerWebExchangeMatcher matcher = EndpointRequest.toAnyEndpoint();
+		RequestMatcherAssert assertMatcher = assertMatcher(matcher, mockPathMappedEndpoints(""),
+				WebServerNamespace.MANAGEMENT);
+		assertMatcher.matches("/");
+		assertMatcher.matches("/foo");
+	}
+
 	@Test
 	void toAnyEndpointShouldNotMatchOtherPath() {
 		ServerWebExchangeMatcher matcher = EndpointRequest.toAnyEndpoint();
@@ -143,6 +153,15 @@ void toLinksWhenBasePathEmptyShouldNotMatch() {
 		assertMatcher.doesNotMatch("/");
 	}
 
+	@Test
+	void toLinksWhenBasePathEmptyAndManagementPortDifferentShouldMatchRoot() {
+		ServerWebExchangeMatcher matcher = EndpointRequest.toLinks();
+		RequestMatcherAssert assertMatcher = assertMatcher(matcher, mockPathMappedEndpoints(""),
+				WebServerNamespace.MANAGEMENT);
+		assertMatcher.matches("/");
+		assertMatcher.doesNotMatch("/foo");
+	}
+
 	@Test
 	void excludeByClassShouldNotMatchExcluded() {
 		ServerWebExchangeMatcher matcher = EndpointRequest.toAnyEndpoint()
@@ -325,10 +344,14 @@ private RequestMatcherAssert assertMatcher(ServerWebExchangeMatcher matcher,
 
 	private RequestMatcherAssert assertMatcher(ServerWebExchangeMatcher matcher,
 			PathMappedEndpoints pathMappedEndpoints, WebServerNamespace namespace) {
-		StaticApplicationContext context = new StaticApplicationContext();
+		StaticWebApplicationContext context;
 		if (namespace != null && !WebServerNamespace.SERVER.equals(namespace)) {
-			NamedStaticWebApplicationContext parentContext = new NamedStaticWebApplicationContext(namespace);
-			context.setParent(parentContext);
+			context = new NamedStaticWebApplicationContext(namespace);
+			context.setParent(new StaticWebApplicationContext());
+			TestPropertyValues.of("management.server.port=0").applyTo(context);
+		}
+		else {
+			context = new StaticWebApplicationContext();
 		}
 		context.registerBean(WebEndpointProperties.class);
 		if (pathMappedEndpoints != null) {

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequestTests.java

@@ -34,6 +34,7 @@
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
+import org.springframework.boot.test.util.TestPropertyValues;
 import org.springframework.boot.web.context.WebServerApplicationContext;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.http.HttpMethod;
@@ -91,6 +92,15 @@ void toAnyEndpointWhenBasePathIsEmptyShouldNotMatchLinks() {
 		assertMatcher.matches("/bar");
 	}
 
+	@Test
+	void toAnyEndpointWhenBasePathIsEmptyAndManagementPortDifferentShouldMatchLinks() {
+		RequestMatcher matcher = EndpointRequest.toAnyEndpoint();
+		RequestMatcherAssert assertMatcher = assertMatcher(matcher, mockPathMappedEndpoints(""), null,
+				WebServerNamespace.MANAGEMENT);
+		assertMatcher.matches("/");
+		assertMatcher.matches("/foo");
+	}
+
 	@Test
 	void toAnyEndpointShouldNotMatchOtherPath() {
 		RequestMatcher matcher = EndpointRequest.toAnyEndpoint();
@@ -150,6 +160,15 @@ void toLinksWhenBasePathEmptyShouldNotMatch() {
 		assertMatcher.doesNotMatch("/");
 	}
 
+	@Test
+	void toLinksWhenBasePathEmptyAndManagementPortDifferentShouldMatchRoot() {
+		RequestMatcher matcher = EndpointRequest.toLinks();
+		RequestMatcherAssert assertMatcher = assertMatcher(matcher, mockPathMappedEndpoints(""), null,
+				WebServerNamespace.MANAGEMENT);
+		assertMatcher.matches("/");
+		assertMatcher.doesNotMatch("/foo");
+	}
+
 	@Test
 	void excludeByClassShouldNotMatchExcluded() {
 		RequestMatcher matcher = EndpointRequest.toAnyEndpoint().excluding(FooEndpoint.class, BazServletEndpoint.class);
@@ -350,10 +369,14 @@ private RequestMatcherAssert assertMatcher(RequestMatcher matcher, PathMappedEnd
 
 	private RequestMatcherAssert assertMatcher(RequestMatcher matcher, PathMappedEndpoints pathMappedEndpoints,
 			RequestMatcherProvider matcherProvider, WebServerNamespace namespace) {
-		StaticWebApplicationContext context = new StaticWebApplicationContext();
+		StaticWebApplicationContext context;
 		if (namespace != null && !WebServerNamespace.SERVER.equals(namespace)) {
-			NamedStaticWebApplicationContext parentContext = new NamedStaticWebApplicationContext(namespace);
-			context.setParent(parentContext);
+			context = new NamedStaticWebApplicationContext(namespace);
+			context.setParent(new StaticWebApplicationContext());
+			TestPropertyValues.of("management.server.port=0").applyTo(context);
+		}
+		else {
+			context = new StaticWebApplicationContext();
 		}
 		context.registerBean(WebEndpointProperties.class);
 		if (pathMappedEndpoints != null) {

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/test/java/smoketest/actuator/customsecurity/AbstractSampleActuatorCustomSecurityTests.java

@@ -37,7 +37,7 @@ abstract class AbstractSampleActuatorCustomSecurityTests {
 
 	abstract String getPath();
 
-	abstract String getManagementPath();
+	abstract String getActuatorPath();
 
 	abstract Environment getEnvironment();
 
@@ -58,128 +58,118 @@ void testInsecureStaticResources() {
 
 	@Test
 	void actuatorInsecureEndpoint() {
-		ResponseEntity<String> entity = restTemplate().getForEntity(getManagementPath() + "/actuator/health",
-				String.class);
+		ResponseEntity<String> entity = restTemplate().getForEntity(getActuatorPath() + "/health", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 		assertThat(entity.getBody()).contains("\"status\":\"UP\"");
-		entity = restTemplate().getForEntity(getManagementPath() + "/actuator/health/diskSpace", String.class);
+		entity = restTemplate().getForEntity(getActuatorPath() + "/health/diskSpace", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 		assertThat(entity.getBody()).contains("\"status\":\"UP\"");
 	}
 
 	@Test
 	void actuatorLinksWithAnonymous() {
-		ResponseEntity<Object> entity = restTemplate().getForEntity(getManagementPath() + "/actuator", Object.class);
+		ResponseEntity<Object> entity = restTemplate().getForEntity(getActuatorPath(), Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
-		entity = restTemplate().getForEntity(getManagementPath() + "/actuator/", Object.class);
+		entity = restTemplate().getForEntity(getActuatorPath() + "/", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 	}
 
 	@Test
 	void actuatorLinksWithUnauthorizedUser() {
-		ResponseEntity<Object> entity = userRestTemplate().getForEntity(getManagementPath() + "/actuator",
-				Object.class);
+		ResponseEntity<Object> entity = userRestTemplate().getForEntity(getActuatorPath(), Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
-		entity = userRestTemplate().getForEntity(getManagementPath() + "/actuator/", Object.class);
+		entity = userRestTemplate().getForEntity(getActuatorPath() + "/", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
 	}
 
 	@Test
 	void actuatorLinksWithAuthorizedUser() {
-		ResponseEntity<Object> entity = adminRestTemplate().getForEntity(getManagementPath() + "/actuator",
-				Object.class);
+		ResponseEntity<Object> entity = adminRestTemplate().getForEntity(getActuatorPath(), Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
-		adminRestTemplate().getForEntity(getManagementPath() + "/actuator/", Object.class);
+		adminRestTemplate().getForEntity(getActuatorPath() + "/", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 	}
 
 	@Test
 	void actuatorSecureEndpointWithAnonymous() {
-		ResponseEntity<Object> entity = restTemplate().getForEntity(getManagementPath() + "/actuator/env",
-				Object.class);
+		ResponseEntity<Object> entity = restTemplate().getForEntity(getActuatorPath() + "/env", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
-		entity = restTemplate().getForEntity(
-				getManagementPath() + "/actuator/env/management.endpoints.web.exposure.include", Object.class);
+		entity = restTemplate().getForEntity(getActuatorPath() + "/env/management.endpoints.web.exposure.include",
+				Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 	}
 
 	@Test
 	void actuatorSecureEndpointWithUnauthorizedUser() {
-		ResponseEntity<Object> entity = userRestTemplate().getForEntity(getManagementPath() + "/actuator/env",
-				Object.class);
+		ResponseEntity<Object> entity = userRestTemplate().getForEntity(getActuatorPath() + "/env", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
-		entity = userRestTemplate().getForEntity(
-				getManagementPath() + "/actuator/env/management.endpoints.web.exposure.include", Object.class);
+		entity = userRestTemplate().getForEntity(getActuatorPath() + "/env/management.endpoints.web.exposure.include",
+				Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
 	}
 
 	@Test
 	void actuatorSecureEndpointWithAuthorizedUser() {
-		ResponseEntity<Object> entity = adminRestTemplate().getForEntity(getManagementPath() + "/actuator/env",
-				Object.class);
+		ResponseEntity<Object> entity = adminRestTemplate().getForEntity(getActuatorPath() + "/env", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
-		entity = adminRestTemplate().getForEntity(getManagementPath() + "/actuator/env/", Object.class);
+		entity = adminRestTemplate().getForEntity(getActuatorPath() + "/env/", Object.class);
 		// EndpointRequest matches the trailing slash but MVC doesn't
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
-		entity = adminRestTemplate().getForEntity(
-				getManagementPath() + "/actuator/env/management.endpoints.web.exposure.include", Object.class);
+		entity = adminRestTemplate().getForEntity(getActuatorPath() + "/env/management.endpoints.web.exposure.include",
+				Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 	}
 
 	@Test
 	void secureServletEndpointWithAnonymous() {
-		ResponseEntity<String> entity = restTemplate().getForEntity(getManagementPath() + "/actuator/se1",
-				String.class);
+		ResponseEntity<String> entity = restTemplate().getForEntity(getActuatorPath() + "/se1", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
-		entity = restTemplate().getForEntity(getManagementPath() + "/actuator/se1/list", String.class);
+		entity = restTemplate().getForEntity(getActuatorPath() + "/se1/list", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 	}
 
 	@Test
 	void secureServletEndpointWithUnauthorizedUser() {
-		ResponseEntity<String> entity = userRestTemplate().getForEntity(getManagementPath() + "/actuator/se1",
-				String.class);
+		ResponseEntity<String> entity = userRestTemplate().getForEntity(getActuatorPath() + "/se1", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
-		entity = userRestTemplate().getForEntity(getManagementPath() + "/actuator/se1/list", String.class);
+		entity = userRestTemplate().getForEntity(getActuatorPath() + "/se1/list", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
 	}
 
 	@Test
 	void secureServletEndpointWithAuthorizedUser() {
-		ResponseEntity<String> entity = adminRestTemplate().getForEntity(getManagementPath() + "/actuator/se1",
-				String.class);
+		ResponseEntity<String> entity = adminRestTemplate().getForEntity(getActuatorPath() + "/se1", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
-		entity = adminRestTemplate().getForEntity(getManagementPath() + "/actuator/se1/list", String.class);
+		entity = adminRestTemplate().getForEntity(getActuatorPath() + "/se1/list", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 	}
 
 	@Test
 	void actuatorCustomMvcSecureEndpointWithAnonymous() {
-		ResponseEntity<String> entity = restTemplate()
-			.getForEntity(getManagementPath() + "/actuator/example/echo?text={t}", String.class, "test");
+		ResponseEntity<String> entity = restTemplate().getForEntity(getActuatorPath() + "/example/echo?text={t}",
+				String.class, "test");
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 	}
 
 	@Test
 	void actuatorCustomMvcSecureEndpointWithUnauthorizedUser() {
-		ResponseEntity<String> entity = userRestTemplate()
-			.getForEntity(getManagementPath() + "/actuator/example/echo?text={t}", String.class, "test");
+		ResponseEntity<String> entity = userRestTemplate().getForEntity(getActuatorPath() + "/example/echo?text={t}",
+				String.class, "test");
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
 	}
 
 	@Test
 	void actuatorCustomMvcSecureEndpointWithAuthorizedUser() {
-		ResponseEntity<String> entity = adminRestTemplate()
-			.getForEntity(getManagementPath() + "/actuator/example/echo?text={t}", String.class, "test");
+		ResponseEntity<String> entity = adminRestTemplate().getForEntity(getActuatorPath() + "/example/echo?text={t}",
+				String.class, "test");
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 		assertThat(entity.getBody()).isEqualTo("test");
 		assertThat(entity.getHeaders().getFirst("echo")).isEqualTo("test");
 	}
 
 	@Test
 	void actuatorExcludedFromEndpointRequestMatcher() {
-		ResponseEntity<Object> entity = userRestTemplate().getForEntity(getManagementPath() + "/actuator/mappings",
-				Object.class);
+		ResponseEntity<Object> entity = userRestTemplate().getForEntity(getActuatorPath() + "/mappings", Object.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 	}
 

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/test/java/smoketest/actuator/customsecurity/CustomServletPathSampleActuatorTests.java

@@ -42,8 +42,8 @@ String getPath() {
 	}
 
 	@Override
-	String getManagementPath() {
-		return "http://localhost:" + this.port + "/example";
+	String getActuatorPath() {
+		return "http://localhost:" + this.port + "/example/actuator";
 	}
 
 	@Override