implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml'
implementation "org.zalando:problem-spring-webflux:$problemSpringVersion"
implementation "org.zalando:jackson-datatype-problem:$problemVersion"
+ implementation "io.swagger.core.v3:swagger-annotations:$swaggerV3Version"
implementation "org.mapstruct:mapstruct:$mapStructVersion"
annotationProcessor "org.mapstruct:mapstruct-processor:$mapStructVersion"
-bff.access-control:
- ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ]
- ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ]
- ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ]
- ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator]
- KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator]
- KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_GET: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator]
- ROLE_LIST: ["*"]
- USER_CREATE: [portal_admin, portal_designer, portal_operator]
- USER_DELETE: [portal_admin, portal_designer, portal_operator]
- USER_GET: [portal_admin, portal_designer, portal_operator]
- USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_LIST: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE: [portal_admin, portal_designer, portal_operator]
-
+bff:
+ access-control:
+ ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ]
+ ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ]
+ ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ]
+ ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator]
+ KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator]
+ KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator]
+ PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator]
+ PREFERENCES_GET: [portal_admin, portal_designer, portal_operator]
+ PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator]
+ ROLE_LIST: ["*"]
+ USER_CREATE: [portal_admin, portal_designer, portal_operator]
+ USER_DELETE: [portal_admin, portal_designer, portal_operator]
+ USER_GET: [portal_admin, portal_designer, portal_operator]
+ USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator]
+ USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator]
+ USER_LIST: [portal_admin, portal_designer, portal_operator]
+ USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator]
+ USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator]
+ USER_UPDATE: [portal_admin, portal_designer, portal_operator]
preferences-url: ${PREFERENCES_URL}
history-url: ${HISTORY_URL}
keycloak-url: ${KEYCLOAK_URL}
+ endpoints:
+ unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
+ rbac:
+ endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/**
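Review bot: The `bff.rbac.endpoints-excluded` patterns on the last line reach far beyond the management endpoint: `**/actuator/**` and `/**/actuator/**` match any request path that contains an `actuator` segment at any depth, so every downstream call with such a path skips `IdTokenExchangeFilterFunction` entirely (`if (shouldNotFilter) return next.exchange(request)...`), and the same list is duplicated in the test config further down. If only the real management base path needs the exemption, `endpoints-excluded: /actuator/**` is sufficient, with a comment such as `# paths matched here bypass identity-header propagation and the role check; keep as narrow as possible` so the consequence is visible next to the value. The new `unauthenticated` list is consumed by `pathMatchers(unauthenticatedEndpoints)` in SecurityConfig without the `HttpMethod.GET` qualifier that the removed `pathMatchers(HttpMethod.GET, ...)` line carried, so every HTTP method on those paths becomes permitAll; if that widening is not intended, `.pathMatchers(HttpMethod.GET, unauthenticatedEndpoints)` (re-adding the dropped `HttpMethod` import) keeps the previous scope. A short comment on `unauthenticated:` noting that it is method-agnostic would also help whoever edits the list next.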
import org.springframework.http.MediaType;
/** Base class for all tests that has the common config including port, realm, logging and auth. */
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@AutoConfigureWireMock(port = 0)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public abstract class BaseIntegrationTest {
@TestConfiguration
import org.junit.jupiter.api.Test;
import org.onap.portalng.bff.BaseIntegrationTest;
import org.onap.portalng.bff.config.IdTokenExchangeFilterFunction;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
class IdTokenExchangeFilterFunctionTest extends BaseIntegrationTest {
+ @Autowired IdTokenExchangeFilterFunction filterFunction;
+
@Test
void idTokenIsCorrectlyPropagated() {
- final IdTokenExchangeFilterFunction filterFunction = new IdTokenExchangeFilterFunction();
-
final String idToken = UUID.randomUUID().toString();
final ServerWebExchange serverWebExchange =
MockServerWebExchange.builder(
@Test
void exceptionIsThrownWhenIdTokenIsMissingInRequest() {
- final IdTokenExchangeFilterFunction filterFunction = new IdTokenExchangeFilterFunction();
-
final ServerWebExchange serverWebExchange =
MockServerWebExchange.builder(MockServerHttpRequest.get("http://localhost:8000")).build();
+++ /dev/null
-bff:
- access-control:
- ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ]
- ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ]
- ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ]
- ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator]
- KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator]
- KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_GET: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator]
- ROLE_LIST: ["*"]
- USER_CREATE: [portal_admin, portal_designer, portal_operator]
- USER_DELETE: [portal_admin, portal_designer, portal_operator]
- USER_GET: [portal_admin, portal_designer, portal_operator]
- USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_LIST: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE: [portal_admin, portal_designer, portal_operator]
-logging:
- level:
- org.springframework.web: TRACE
-
+management:
+ tracing:
+ enabled: false
spring:
profiles:
include:
resourceserver:
jwt:
jwk-set-uri: http://localhost:${wiremock.server.port}/realms/ONAP/protocol/openid-connect/certs
- jackson:
- serialization:
- FAIL_ON_EMPTY_BEANS: false
bff:
realm: ONAP
preferences-url: http://localhost:${wiremock.server.port}
history-url: http://localhost:${wiremock.server.port}
keycloak-url: http://localhost:${wiremock.server.port}
+ endpoints:
+ unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
+ rbac:
+ endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/**
+
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration scan="true">
- <include resource="org/springframework/boot/logging/logback/defaults.xml"/>
-
- <appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
- <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
- <level>${LOGBACK_LEVEL:-info}</level>
- </filter>
- <encoder>
- <pattern>${CONSOLE_LOG_PATTERN}</pattern>
- <charset>utf8</charset>
- </encoder>
- </appender>
-
- <root level="all">
- <appender-ref ref="stdout"/>
- </root>
-</configuration>
\ No newline at end of file
logbackVersion = '7.4'
lombokVersion = '1.18.28'
micrometerVersion = '1.1.4'
+ swaggerV3Version = '2.2.21'
// app
wiremockVersion = '4.0.4'
implementation "org.mapstruct:mapstruct:$mapStructVersion"
implementation "org.mapstruct.extensions.spring:mapstruct-spring-annotations:$mapStructExtensionsVersion"
implementation "org.mapstruct.extensions.spring:mapstruct-spring-extensions:$mapStructExtensionsVersion"
+ implementation "io.swagger.core.v3:swagger-annotations:$swaggerV3Version"
implementation(platform("io.micrometer:micrometer-tracing-bom:$micrometerVersion"))
implementation("io.micrometer:micrometer-tracing")
return oauth2Filter;
}
- @Bean(name = ID_TOKEN_EXCHANGE_FILTER_FUNCTION)
- ExchangeFilterFunction idTokenExchangeFilterFunction() {
- return new IdTokenExchangeFilterFunction();
- }
-
@Bean(name = ERROR_HANDLING_EXCHANGE_FILTER_FUNCTION)
ExchangeFilterFunction errorHandlingExchangeFilterFunction() {
return ExchangeFilterFunction.ofResponseProcessor(
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
-import java.util.List;
import java.util.Map;
+import java.util.Set;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.zalando.problem.Problem;
* urls.
*/
@Valid
-@ConfigurationProperties("bff")
@Data
+@ConfigurationProperties("bff")
public class BffConfig {
@NotBlank private final String realm;
@NotBlank private final String historyUrl;
@NotBlank private final String keycloakUrl;
- @NotNull private final Map<String, List<String>> accessControl;
+ @NotNull private final Map<String, Set<String>> accessControl;
- public Mono<List<String>> getRoles(String method) {
+ public Mono<Set<String>> getRoles(String method) {
return Mono.just(accessControl)
.map(control -> control.get(method))
.onErrorResume(
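Review bot: The switch of `accessControl` and `getRoles` to `Set<String>` comes without documentation of the contract the type now serves: role membership is checked with `Set::contains` against the caller's roles in `IdTokenExchangeFilterFunction.validateAccess`, so an entry like the `ROLE_LIST: ["*"]` value in application.yaml only matches a caller that literally holds a role named `*`, unless some caller of `getRoles` special-cases it (not visible in this diff). A Javadoc on the field along the lines of `/** Allowed roles per action key; access is granted when any caller role is contained in the set. Actions without an entry yield null from get(). */` would make that explicit. Note also that `@NotNull` validates only the map itself, not the per-action sets; if the binding supports container-element constraints, `Map<String, @NotEmpty Set<@NotBlank String>>` would reject empty or blank role lists at startup rather than silently denying everything. The `control.get(method)` null result for an unlisted action presumably surfaces as an NPE error signal from `Mono.map` that the `onErrorResume` continuing past the hunk handles; `getRoles` ends outside the hunk.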
import com.nimbusds.jwt.JWTParser;
import java.text.ParseException;
-import java.util.Collections;
import java.util.List;
-import java.util.Optional;
+import java.util.Set;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import reactor.core.Exceptions;
import reactor.core.publisher.Mono;
+@Component
public class IdTokenExchangeFilterFunction implements ExchangeFilterFunction {
public static final String X_AUTH_IDENTITY_HEADER = "X-Auth-Identity";
public static final String CLAIM_NAME_ROLES = "roles";
- private static final List<String> EXCLUDED_PATHS_PATTERNS =
- List.of(
- "/actuator/**", "**/actuator/**", "*/actuator/**", "/**/actuator/**", "/*/actuator/**");
+ private final List<String> rbacExcludedPatterns;
private static final Mono<ServerWebExchange> serverWebExchangeFromContext =
Mono.deferContextual(Mono::just)
.filter(context -> context.hasKey(ServerWebExchange.class))
.map(context -> context.get(ServerWebExchange.class));
+ private final AntPathMatcher antPathMatcher = new AntPathMatcher();
+
+ public IdTokenExchangeFilterFunction(
+ @Value("${bff.rbac.endpoints-excluded}") List<String> rbacExcludedPatterns) {
+ this.rbacExcludedPatterns = rbacExcludedPatterns;
+ }
+
@Override
public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
boolean shouldNotFilter =
- EXCLUDED_PATHS_PATTERNS.stream()
+ rbacExcludedPatterns.stream()
.anyMatch(
- excludedPath ->
- new AntPathMatcher().match(excludedPath, request.url().getRawPath()));
+ excludedPath -> antPathMatcher.match(excludedPath, request.url().getRawPath()));
if (shouldNotFilter) {
return next.exchange(request).switchIfEmpty(Mono.defer(() -> next.exchange(request)));
}
}
public static Mono<Void> validateAccess(
- ServerWebExchange exchange, List<String> rolesListForMethod) {
+ ServerWebExchange exchange, Set<String> rolesListForMethod) {
return extractRoles(exchange)
.map(roles -> roles.stream().anyMatch(rolesListForMethod::contains))
.map(
jwt -> {
try {
- return Optional.of(jwt.getJWTClaimsSet());
+ return jwt.getJWTClaimsSet().getClaim(CLAIM_NAME_ROLES);
} catch (ParseException e) {
throw Exceptions.propagate(e);
}
})
- .map(
- optionalClaimsSet ->
- optionalClaimsSet
- .map(claimsSet -> claimsSet.getClaim(CLAIM_NAME_ROLES))
- .map(obj -> (List<String>) obj))
- .map(roles -> roles.orElse(Collections.emptyList()));
+ .filter(List.class::isInstance)
+ .map(roles -> (List<String>) roles)
+ .switchIfEmpty(Mono.just(List.<String>of()));
}
}
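Review bot: A JWT without a `roles` claim now errors instead of yielding an empty list: `jwt.getJWTClaimsSet().getClaim(CLAIM_NAME_ROLES)` returns null in that case, Reactor's `Mono.map` turns a null mapper result into a NullPointerException error signal, and the added `.switchIfEmpty(Mono.just(List.<String>of()))` only covers an empty completion, not an error. Provided the project's reactor-core is 3.4 or newer (likely, given the jakarta imports elsewhere in this diff), changing the enclosing `.map(` before `jwt -> {` to `.mapNotNull(` makes the missing-claim case complete empty and reach the fallback, restoring the previous behaviour. The cast on `.map(roles -> (List<String>) roles)` is unchecked and deserves `@SuppressWarnings("unchecked")` on the smallest scope with a comment that non-String elements are harmless because only `contains` is applied to them. In the new constructor, `this.rbacExcludedPatterns = List.copyOf(rbacExcludedPatterns);` would snapshot the injected list so the exclusion set cannot change after construction. The method containing the rewritten claim handling starts outside the hunk.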
package org.onap.portalng.bff.config;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
-@EnableWebFluxSecurity
@Configuration
+@EnableWebFluxSecurity
public class SecurityConfig {
+
+ @Value("${bff.endpoints.unauthenticated}")
+ private String[] unauthenticatedEndpoints;
+
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http.httpBasic()
.cors()
.and()
.authorizeExchange()
- .pathMatchers(HttpMethod.GET, "/api-docs.html", "/api.yaml", "/webjars/**", "/actuator/**")
+ .pathMatchers(unauthenticatedEndpoints)
.permitAll()
.anyExchange()
.authenticated()