Add option to set user information via SentryUserProvider (#549)

Author: maciejwalkowiak

sentry-samples/sentry-samples-spring-boot/src/main/java/io/sentry/samples/spring/boot/SecurityConfiguration.java

@@ -1,8 +1,5 @@
 package io.sentry.samples.spring.boot;
 
-import io.sentry.core.IHub;
-import io.sentry.core.SentryOptions;
-import io.sentry.spring.SentrySecurityFilter;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -14,32 +11,15 @@
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 
 @Configuration
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 
-  private final @NotNull IHub hub;
-  private final @NotNull SentryOptions options;
-
-  public SecurityConfiguration(final @NotNull IHub hub, final @NotNull SentryOptions options) {
-    this.hub = hub;
-    this.options = options;
-  }
-
   // this API is meant to be consumed by non-browser clients thus the CSRF protection is not needed.
   @Override
   @SuppressWarnings("lgtm[java/spring-disabled-csrf-protection]")
   protected void configure(final @NotNull HttpSecurity http) throws Exception {
-    // register SentrySecurityFilter to attach user information to SentryEvents
-    http.addFilterAfter(new SentrySecurityFilter(hub, options), AnonymousAuthenticationFilter.class)
-        .csrf()
-        .disable()
-        .authorizeRequests()
-        .anyRequest()
-        .authenticated()
-        .and()
-        .httpBasic();
+    http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
   }
 
   @Bean

sentry-samples/sentry-samples-spring/src/main/java/io/sentry/samples/spring/SecurityConfiguration.java

@@ -1,8 +1,5 @@
 package io.sentry.samples.spring;
 
-import io.sentry.core.IHub;
-import io.sentry.core.SentryOptions;
-import io.sentry.spring.SentrySecurityFilter;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -14,32 +11,15 @@
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 
 @Configuration
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 
-  private final @NotNull IHub hub;
-  private final @NotNull SentryOptions options;
-
-  public SecurityConfiguration(final @NotNull IHub hub, final @NotNull SentryOptions options) {
-    this.hub = hub;
-    this.options = options;
-  }
-
   // this API is meant to be consumed by non-browser clients thus the CSRF protection is not needed.
   @Override
   @SuppressWarnings("lgtm[java/spring-disabled-csrf-protection]")
   protected void configure(final @NotNull HttpSecurity http) throws Exception {
-    // register SentrySecurityFilter to attach user information to SentryEvents
-    http.addFilterAfter(new SentrySecurityFilter(hub, options), AnonymousAuthenticationFilter.class)
-        .csrf()
-        .disable()
-        .authorizeRequests()
-        .anyRequest()
-        .authenticated()
-        .and()
-        .httpBasic();
+    http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
   }
 
   @Bean

sentry-spring-boot-starter/src/main/java/io/sentry/spring/boot/SentryAutoConfiguration.java

@@ -10,6 +10,8 @@
 import io.sentry.core.protocol.SdkVersion;
 import io.sentry.core.transport.ITransport;
 import io.sentry.core.transport.ITransportGate;
+import io.sentry.spring.SentryUserProvider;
+import io.sentry.spring.SentryUserProviderEventProcessor;
 import io.sentry.spring.SentryWebConfiguration;
 import java.util.List;
 import org.jetbrains.annotations.NotNull;
@@ -43,12 +45,17 @@ static class HubConfiguration {
         final @NotNull List<EventProcessor> eventProcessors,
         final @NotNull List<Integration> integrations,
         final @NotNull ObjectProvider<ITransportGate> transportGate,
+        final @NotNull ObjectProvider<SentryUserProvider> sentryUserProviders,
         final @NotNull ObjectProvider<ITransport> transport) {
       return options -> {
         beforeSendCallback.ifAvailable(options::setBeforeSend);
         beforeBreadcrumbCallback.ifAvailable(options::setBeforeBreadcrumb);
         eventProcessors.forEach(options::addEventProcessor);
         integrations.forEach(options::addIntegration);
+        sentryUserProviders.forEach(
+            sentryUserProvider ->
+                options.addEventProcessor(
+                    new SentryUserProviderEventProcessor(sentryUserProvider)));
         transportGate.ifAvailable(options::setTransportGate);
         transport.ifAvailable(options::setTransport);
       };

sentry-spring-boot-starter/src/test/kotlin/io/sentry/spring/boot/SentrySpringIntegrationTest.kt

@@ -1,11 +1,8 @@
 package io.sentry.spring.boot
 
 import com.nhaarman.mockitokotlin2.verify
-import io.sentry.core.IHub
 import io.sentry.core.Sentry
-import io.sentry.core.SentryOptions
 import io.sentry.core.transport.ITransport
-import io.sentry.spring.SentrySecurityFilter
 import io.sentry.test.checkEvent
 import java.lang.RuntimeException
 import org.assertj.core.api.Assertions.assertThat
@@ -30,7 +27,6 @@ import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.crypto.factory.PasswordEncoderFactories
 import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
-import org.springframework.security.web.authentication.AnonymousAuthenticationFilter
 import org.springframework.test.context.junit4.SpringRunner
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RestController
@@ -120,15 +116,10 @@ class HelloController {
 }
 
 @Configuration
-open class SecurityConfiguration(
-    private val hub: IHub,
-    private val options: SentryOptions
-) : WebSecurityConfigurerAdapter() {
+open class SecurityConfiguration : WebSecurityConfigurerAdapter() {
 
     override fun configure(http: HttpSecurity) {
-        http
-            .addFilterAfter(SentrySecurityFilter(hub, options), AnonymousAuthenticationFilter::class.java)
-            .csrf().disable()
+        http.csrf().disable()
             .authorizeRequests().anyRequest().authenticated()
             .and()
             .httpBasic()

sentry-spring/src/main/java/io/sentry/spring/HttpServletRequestSentryUserProvider.java

@@ -0,0 +1,55 @@
+package io.sentry.spring;
+
+import io.sentry.core.SentryOptions;
+import io.sentry.core.protocol.User;
+import io.sentry.core.util.Objects;
+import javax.servlet.http.HttpServletRequest;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+/**
+ * Resolves user information from {@link HttpServletRequest} obtained via {@link
+ * RequestContextHolder}.
+ */
+public final class HttpServletRequestSentryUserProvider implements SentryUserProvider {
+  private final @NotNull SentryOptions options;
+
+  public HttpServletRequestSentryUserProvider(final @NotNull SentryOptions options) {
+    this.options = Objects.requireNonNull(options, "options are required");
+  }
+
+  @Override
+  public @Nullable User provideUser() {
+    if (options.isSendDefaultPii()) {
+      final RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+      if (requestAttributes instanceof ServletRequestAttributes) {
+        final ServletRequestAttributes servletRequestAttributes =
+            (ServletRequestAttributes) requestAttributes;
+        final HttpServletRequest request = servletRequestAttributes.getRequest();
+
+        final User user = new User();
+        user.setIpAddress(toIpAddress(request));
+        if (request.getUserPrincipal() != null) {
+          user.setUsername(request.getUserPrincipal().getName());
+        }
+        return user;
+      }
+    }
+    return null;
+  }
+
+  // it is advised to not use `String#split` method but since we do not have 3rd party libraries
+  // this is our only option.
+  @SuppressWarnings("StringSplitter")
+  private static @NotNull String toIpAddress(final @NotNull HttpServletRequest request) {
+    final String ipAddress = request.getHeader("X-FORWARDED-FOR");
+    if (ipAddress != null) {
+      return ipAddress.contains(",") ? ipAddress.split(",")[0].trim() : ipAddress;
+    } else {
+      return request.getRemoteAddr();
+    }
+  }
+}

sentry-spring/src/main/java/io/sentry/spring/SentryInitBeanPostProcessor.java

@@ -4,18 +4,39 @@
 import io.sentry.core.Sentry;
 import io.sentry.core.SentryOptions;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
 
 /** Initializes Sentry after all beans are registered. */
 @Open
-public class SentryInitBeanPostProcessor implements BeanPostProcessor {
+public class SentryInitBeanPostProcessor implements BeanPostProcessor, ApplicationContextAware {
+  private @Nullable ApplicationContext applicationContext;
+
   @Override
   public Object postProcessAfterInitialization(
       final @NotNull Object bean, @NotNull final String beanName) throws BeansException {
     if (bean instanceof SentryOptions) {
-      Sentry.init((SentryOptions) bean);
+      final SentryOptions options = (SentryOptions) bean;
+
+      if (applicationContext != null) {
+        applicationContext
+            .getBeanProvider(SentryUserProvider.class)
+            .forEach(
+                sentryUserProvider ->
+                    options.addEventProcessor(
+                        new SentryUserProviderEventProcessor(sentryUserProvider)));
+      }
+      Sentry.init(options);
     }
     return bean;
   }
+
+  @Override
+  public void setApplicationContext(final @NotNull ApplicationContext applicationContext)
+      throws BeansException {
+    this.applicationContext = applicationContext;
+  }
 }

sentry-spring/src/main/java/io/sentry/spring/SentrySecurityFilter.java

@@ -0,0 +1,17 @@
+package io.sentry.spring;
+
+import io.sentry.core.protocol.User;
+import org.jetbrains.annotations.Nullable;
+
+/**
+ * Provides user information that's set on {@link io.sentry.core.SentryEvent} using {@link
+ * SentryUserProviderEventProcessor}.
+ *
+ * <p>Out of the box Spring integration configures single {@link SentryUserProvider} - {@link
+ * HttpServletRequestSentryUserProvider}.
+ */
+@FunctionalInterface
+public interface SentryUserProvider {
+  @Nullable
+  User provideUser();
+}