From: Fiete Ostkamp Date: Wed, 2 Jul 2025 07:51:43 +0000 (+0200) Subject: Support enabling or disabling authentication and authorization X-Git-Tag: 1.15.5^0 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=a724cc3476bf65da18f24aa25f573aec7430a65b;p=so.git Support enabling or disabling authentication and authorization - do not set 'basic' spring profile by default in the container startup script, thus making it possible not to set a profile [0] - introduce spring.security.rbacEnabled property. It is true by default to not change the default behaviour [0] the active profile is then determined by the helm chart and will remain 'basic' as a default Issue-ID: SO-4193 Signed-off-by: Fiete Ostkamp Change-Id: I9ddeee9a2fb275dde14ed76fb461c46836fd776b
---
diff --git a/common/src/main/java/org/onap/so/security/SoBasicHttpSecurityConfigurer.java b/common/src/main/java/org/onap/so/security/SoBasicHttpSecurityConfigurer.java
index 7c04580a78..656a56fef2 100644
--- a/common/src/main/java/org/onap/so/security/SoBasicHttpSecurityConfigurer.java
+++ b/common/src/main/java/org/onap/so/security/SoBasicHttpSecurityConfigurer.java
@@ -23,23 +23,32 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.stereotype.Component; import org.springframework.util.StringUtils; +import lombok.extern.slf4j.Slf4j; /** * @author Waqas Ikram (waqas.ikram@est.tech) * */ +@Slf4j @Component("basic") public class SoBasicHttpSecurityConfigurer implements HttpSecurityConfigurer { @Autowired private SoUserCredentialConfiguration soUserCredentialConfiguration; + private static final String[] unauthenticatedEndpoints = new String[] {"/manage/health", "/manage/info", "/error"}; + @Override public void configure(final HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info", "/error").permitAll() - .antMatchers("/**") - .hasAnyRole(StringUtils.collectionToDelimitedString(soUserCredentialConfiguration.getRoles(), ",")) - .and().httpBasic(); + if (soUserCredentialConfiguration.getRbacEnabled()) { + String roles = StringUtils.collectionToDelimitedString(soUserCredentialConfiguration.getRoles(), ","); + http.csrf().disable().authorizeRequests().antMatchers(unauthenticatedEndpoints).permitAll() + .antMatchers("/**").hasAnyRole(roles).and().httpBasic(); + } else { + log.debug("Not configuring RBAC for the app."); + http.csrf().disable().authorizeRequests().antMatchers(unauthenticatedEndpoints).permitAll() + .antMatchers("/**").authenticated().and().httpBasic(); + } } } diff --git a/common/src/main/java/org/onap/so/security/SoUserCredentialConfiguration.java b/common/src/main/java/org/onap/so/security/SoUserCredentialConfiguration.java index ee680511b9..177d45dbe7 100644 --- a/common/src/main/java/org/onap/so/security/SoUserCredentialConfiguration.java +++ b/common/src/main/java/org/onap/so/security/SoUserCredentialConfiguration.java 
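Review bot: The `else` branch of `configure` drops the role check and lets any authenticated user reach `/**`, yet it records that only at debug level, so with default logging an operator has no trace that authorization was relaxed. I would log it at warn, e.g. `log.warn("RBAC is disabled: every authenticated user is authorized for all endpoints.");`. The two branches also repeat the same `csrf().disable()...permitAll()` chain and differ only in `hasAnyRole(roles)` versus `authenticated()`; building the common part once would keep the permit-all list from drifting between them. As a style point, the `static final` array would conventionally be named `UNAUTHENTICATED_ENDPOINTS`.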
@@ -5,15 +5,15 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * + * * SPDX-License-Identifier: Apache-2.0 * ============LICENSE_END========================================================= */ @@ -38,6 +38,7 @@ public class SoUserCredentialConfiguration { private List credentials = new ArrayList<>(); private final List roles = new ArrayList<>(); + private boolean rbacEnabled = true; public List getRoles() { return roles; @@ -60,6 +61,14 @@ public class SoUserCredentialConfiguration { } } + public void setRbacEnabled(boolean rbacEnabled) { + this.rbacEnabled = rbacEnabled; + } + + public boolean getRbacEnabled() { + return this.rbacEnabled; + } + @Bean public UserDetailsService userDetailsService() { return new UserDetailsServiceImpl(); diff --git a/packages/docker/src/main/docker/docker-files/scripts/start-app.sh b/packages/docker/src/main/docker/docker-files/scripts/start-app.sh index 74d17fc9b7..7de772b041 100755 --- a/packages/docker/src/main/docker/docker-files/scripts/start-app.sh +++ b/packages/docker/src/main/docker/docker-files/scripts/start-app.sh 
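Review bot: The `rbacEnabled` field added in the second hunk of this file and the accessors added in the third carry no documentation, although setting the flag to false changes who is authorized. A comment on the field such as `/** When false, role checks are skipped and any authenticated user is authorized; defaults to true. */` would state the consequence next to the secure default. The getter of a `boolean` would conventionally be `isRbacEnabled()`, which would need the matching rename at the call in `SoBasicHttpSecurityConfigurer`. The class starts and ends outside these hunks, so the configuration prefix the property binds under is not visible here.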
@@ -77,11 +77,12 @@ if [ ! -z "${TRUSTSTORE}" ]; then jksargs="$jksargs -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}" fi -if [ -z "${ACTIVE_PROFILE}" ]; then - export ACTIVE_PROFILE="basic" -fi +jvmargs="${JVM_ARGS} -Djava.security.egd=file:/dev/./urandom -Dlogs_dir=${LOG_PATH} -Dlogging.config=/app/logback-spring.xml $jksargs -Dspring.config.additional-location=$CONFIG_PATH ${SSL_DEBUG} ${DISABLE_SNI}" -jvmargs="${JVM_ARGS} -Dspring.profiles.active=${ACTIVE_PROFILE} -Djava.security.egd=file:/dev/./urandom -Dlogs_dir=${LOG_PATH} -Dlogging.config=/app/logback-spring.xml $jksargs -Dspring.config.additional-location=$CONFIG_PATH ${SSL_DEBUG} ${DISABLE_SNI}" +# optionally set the active spring profile +if [ -n "${ACTIVE_PROFILE}" ]; then + jvmargs="${jvmargs} -Dspring.profiles.active=${ACTIVE_PROFILE}" +fi read_properties(){
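Review bot: With the `basic` fallback removed, a container started without `ACTIVE_PROFILE` now runs with no Spring profile at all, and the script gives no sign of it. The commit message relies on the helm chart to supply `basic`, which does not cover other ways of starting the image. What the application enforces without a profile is not visible in this hunk, but if `basic` is what selects HTTP basic authentication, such a start would be unauthenticated. I would at least make it visible by giving the new `if` an `else` branch with `echo "WARNING: ACTIVE_PROFILE is not set, starting without a Spring security profile" >&2`.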