From e4a1f83b13426ce7878e451fe864f9571424d1a7 Mon Sep 17 00:00:00 2001 From: Alexis de Talhouët Date: Mon, 4 Mar 2019 21:37:27 -0500 Subject: Add gRPC & REST basic auth support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Iaa187a8288a9c84aa80b596a14e66de10a9b7501 Issue-ID: CCSDK-1055 Signed-off-by: Alexis de Talhouët --- ms/blueprintsprocessor/application/pom.xml | 8 +- .../blueprintsprocessor/BlueprintGRPCServer.java | 13 +-- .../blueprintsprocessor/BlueprintHttpServer.java | 8 +- .../BlueprintProcessorApplication.java | 5 +- .../ccsdk/apps/blueprintsprocessor/WebConfig.java | 47 +++++++++-- .../security/AuthenticationManager.java | 40 +++++++++ .../security/BasicAuthServerInterceptor.java | 97 ++++++++++++++++++++++ .../security/SecurityConfiguration.java | 59 +++++++++++++ .../security/SecurityContextRepository.java | 75 +++++++++++++++++ .../src/main/resources/application.properties | 3 + .../src/test/resources/application.properties | 6 ++ 11 files changed, 339 insertions(+), 22 deletions(-) create mode 100644 ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/AuthenticationManager.java create mode 100644 ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/BasicAuthServerInterceptor.java create mode 100644 ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityConfiguration.java create mode 100644 ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityContextRepository.java (limited to 'ms/blueprintsprocessor/application') diff --git a/ms/blueprintsprocessor/application/pom.xml b/ms/blueprintsprocessor/application/pom.xml index 83dc7061f..f42cdfade 100755 --- a/ms/blueprintsprocessor/application/pom.xml +++ b/ms/blueprintsprocessor/application/pom.xml @@ -17,7 +17,8 @@ ~ See the License for the specific language governing permissions and ~ limitations under the License. --> - + 4.0.0 org.onap.ccsdk.apps.blueprintsprocessor @@ -40,6 +41,11 @@ spring-boot-devtools runtime + + org.springframework.boot + spring-boot-starter-security + + org.onap.ccsdk.apps.blueprintsprocessor diff --git a/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/BlueprintGRPCServer.java b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/BlueprintGRPCServer.java index 86fdccd4b..3ac1a6e62 100644 --- a/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/BlueprintGRPCServer.java +++ b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/BlueprintGRPCServer.java @@ -18,6 +18,7 @@ package org.onap.ccsdk.apps.blueprintsprocessor; import io.grpc.Server; import io.grpc.ServerBuilder; +import org.onap.ccsdk.apps.blueprintsprocessor.security.BasicAuthServerInterceptor; import org.onap.ccsdk.apps.blueprintsprocessor.selfservice.api.BluePrintManagementGRPCHandler; import org.onap.ccsdk.apps.blueprintsprocessor.selfservice.api.BluePrintProcessingGRPCHandler; import org.slf4j.Logger; @@ -37,9 +38,10 @@ public class BlueprintGRPCServer implements ApplicationListener authenticate(Authentication authentication) { + try { + return Mono.just(authenticationProvider.authenticate(authentication)); + } catch (AuthenticationException e) { + return Mono.error(e); + } + } +} \ No newline at end of file diff --git a/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/BasicAuthServerInterceptor.java b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/BasicAuthServerInterceptor.java new file mode 100644 index 000000000..db0bfce46 --- /dev/null +++ b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/BasicAuthServerInterceptor.java @@ -0,0 +1,97 @@ +/* + * Copyright (C) 2019 Bell Canada. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.onap.ccsdk.apps.blueprintsprocessor.security; + +import com.google.common.base.Strings; +import io.grpc.Metadata; +import io.grpc.ServerCall; +import io.grpc.ServerCallHandler; +import io.grpc.ServerInterceptor; +import io.grpc.Status; +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; + +@Component +public class BasicAuthServerInterceptor implements ServerInterceptor { + + private static Logger log = LoggerFactory.getLogger(BasicAuthServerInterceptor.class); + + @Autowired + private AuthenticationManager authenticationManager; + + + @Override + public ServerCall.Listener interceptCall( + ServerCall call, + Metadata headers, + ServerCallHandler next) { + String authHeader = headers.get(Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER)); + + if (Strings.isNullOrEmpty(authHeader)) { + throw Status.UNAUTHENTICATED.withDescription("Missing required authentication").asRuntimeException(); + + } + + try { + String[] tokens = decodeBasicAuth(authHeader); + String username = tokens[0]; + + log.info("Basic Authentication Authorization header found for user: {}", username); + + Authentication authRequest = new UsernamePasswordAuthenticationToken(username, tokens[1]); + Authentication authResult = authenticationManager.authenticate(authRequest).block(); + + log.info("Authentication success: {}", authResult); + + SecurityContextHolder.getContext().setAuthentication(authResult); + + } catch (AuthenticationException e) { + SecurityContextHolder.clearContext(); + + log.info("Authentication request failed: {}", e.getMessage()); + + throw Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e).asRuntimeException(); + } + + return next.startCall(call, headers); + } + + private String[] decodeBasicAuth(String authHeader) { + String basicAuth; + try { + basicAuth = new String(Base64.getDecoder().decode(authHeader.substring(6).getBytes(StandardCharsets.UTF_8)), + StandardCharsets.UTF_8); + } catch (IllegalArgumentException | IndexOutOfBoundsException e) { + throw new BadCredentialsException("Failed to decode basic authentication token"); + } + + int delim = basicAuth.indexOf(':'); + if (delim == -1) { + throw new BadCredentialsException("Failed to decode basic authentication token"); + } + + return new String[]{basicAuth.substring(0, delim), basicAuth.substring(delim + 1)}; + } +} \ No newline at end of file diff --git a/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityConfiguration.java b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityConfiguration.java new file mode 100644 index 000000000..7ddc42ccd --- /dev/null +++ b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityConfiguration.java @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2019 Bell Canada. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.onap.ccsdk.apps.blueprintsprocessor.security; + +import java.util.Collections; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.authentication.dao.DaoAuthenticationProvider; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; +import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; + +@Configuration +public class SecurityConfiguration { + + @Value("${security.user.name}") + private String username; + + @Value("${security.user.password}") + private String password; + + @Bean + public UserDetailsService inMemoryUserService() { + UserDetails user = new User(username, password, + Collections.singletonList(new SimpleGrantedAuthority("USER"))); + return new InMemoryUserDetailsManager(user); + } + + @Bean + public PasswordEncoder passwordEncoder() { + return new BCryptPasswordEncoder(); + } + + @Bean + public AuthenticationProvider inMemoryAuthenticationProvider() { + DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); + provider.setUserDetailsService(inMemoryUserService()); + return provider; + } +} \ No newline at end of file diff --git a/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityContextRepository.java b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityContextRepository.java new file mode 100644 index 000000000..f9e184a11 --- /dev/null +++ b/ms/blueprintsprocessor/application/src/main/java/org/onap/ccsdk/apps/blueprintsprocessor/security/SecurityContextRepository.java @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2019 Bell Canada. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.onap.ccsdk.apps.blueprintsprocessor.security; + +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpHeaders; +import org.springframework.http.server.reactive.ServerHttpRequest; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.web.server.context.ServerSecurityContextRepository; +import org.springframework.stereotype.Component; +import org.springframework.web.server.ServerWebExchange; +import reactor.core.publisher.Mono; + +@Component +public class SecurityContextRepository implements ServerSecurityContextRepository { + + @Autowired + private AuthenticationManager authenticationManager; + + @Override + public Mono save(ServerWebExchange swe, SecurityContext sc) { + throw new UnsupportedOperationException("Not supported."); + } + + @Override + public Mono load(ServerWebExchange swe) { + ServerHttpRequest request = swe.getRequest(); + String authHeader = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION); + if (authHeader != null && authHeader.startsWith("Basic")) { + String[] tokens = decodeBasicAuth(authHeader); + String username = tokens[0]; + String password = tokens[1]; + Authentication auth = new UsernamePasswordAuthenticationToken(username, password); + return this.authenticationManager.authenticate(auth).map(SecurityContextImpl::new); + } else { + return Mono.empty(); + } + } + + private String[] decodeBasicAuth(String authHeader) { + String basicAuth; + try { + basicAuth = new String(Base64.getDecoder().decode(authHeader.substring(6).getBytes(StandardCharsets.UTF_8)), + StandardCharsets.UTF_8); + } catch (IllegalArgumentException | IndexOutOfBoundsException e) { + throw new BadCredentialsException("Failed to decode basic authentication token"); + } + + int delim = basicAuth.indexOf(':'); + if (delim == -1) { + throw new BadCredentialsException("Failed to decode basic authentication token"); + } + + return new String[]{basicAuth.substring(0, delim), basicAuth.substring(delim + 1)}; + } +} \ No newline at end of file diff --git a/ms/blueprintsprocessor/application/src/main/resources/application.properties b/ms/blueprintsprocessor/application/src/main/resources/application.properties index cfef4f82f..e955c97c3 100755 --- a/ms/blueprintsprocessor/application/src/main/resources/application.properties +++ b/ms/blueprintsprocessor/application/src/main/resources/application.properties @@ -36,3 +36,6 @@ blueprintsprocessor.db.primary.hibernateDialect=org.hibernate.dialect.MySQL5Inno # Python executor blueprints.processor.functions.python.executor.executionPath=/opt/app/onap/scripts/jython/ccsdk_blueprints blueprints.processor.functions.python.executor.modulePaths=/opt/app/onap/scripts/jython/ccsdk_blueprints,/opt/app/onap/scripts/jython/ccsdk_netconf + +security.user.password: {bcrypt}$2a$10$duaUzVUVW0YPQCSIbGEkQOXwafZGwQ/b32/Ys4R1iwSSawFgz7QNu +security.user.name: ccsdkapps diff --git a/ms/blueprintsprocessor/application/src/test/resources/application.properties b/ms/blueprintsprocessor/application/src/test/resources/application.properties index 2b5bea109..393024516 100644 --- a/ms/blueprintsprocessor/application/src/test/resources/application.properties +++ b/ms/blueprintsprocessor/application/src/test/resources/application.properties @@ -17,6 +17,9 @@ # # Web server config server.port=8080 +blueprintsprocessor.grpcEnable=false +blueprintsprocessor.httpPort=8080 +blueprintsprocessor.grpcPort=9111 # Blueprint Processor File Execution and Handling Properties blueprintsprocessor.blueprintDeployPath=/opt/app/onap/blueprints/deploy blueprintsprocessor.blueprintArchivePath=/opt/app/onap/blueprints/archive @@ -32,3 +35,6 @@ blueprintsprocessor.db.primary.hibernateDialect=org.hibernate.dialect.H2Dialect # Python executor blueprints.processor.functions.python.executor.executionPath=/opt/app/onap/scripts/jython blueprints.processor.functions.python.executor.modulePaths=/opt/app/onap/scripts/jython + +security.user.password: {bcrypt}$2a$10$duaUzVUVW0YPQCSIbGEkQOXwafZGwQ/b32/Ys4R1iwSSawFgz7QNu +security.user.name: ccsdkapps -- cgit 1.2.3-korg