diff options
author | danielhanrahan <daniel.hanrahan@est.tech> | 2024-02-28 07:13:50 +0000 |
---|---|---|
committer | danielhanrahan <daniel.hanrahan@est.tech> | 2024-02-29 10:00:24 +0000 |
commit | 4a87570c44f41bf19f550f9fed9ecf072db16d74 (patch) | |
tree | 01c8a0ec24af10a7d0e4d6c945abb594be2a520b /cps-application | |
parent | a7f3568a39c7d12859a55e0c76c452e0d3f1938b (diff) |
Disable Spring Security and HTTP Basic Auth (CPS-2126 #1)
This allows any authorization header to be passed in.
Issue-ID: CPS-2127
Signed-off-by: danielhanrahan <daniel.hanrahan@est.tech>
Change-Id: Ib1c5bd7024eed39afd1ae6e19325ed4733c853d4
Diffstat (limited to 'cps-application')
3 files changed, 4 insertions, 112 deletions
diff --git a/cps-application/pom.xml b/cps-application/pom.xml index fd43da44f8..4c231a6d4e 100644 --- a/cps-application/pom.xml +++ b/cps-application/pom.xml @@ -37,7 +37,7 @@ <properties> <app>org.onap.cps.Application</app> <maven.build.timestamp.format>yyyyMMdd'T'HHmmss'Z'</maven.build.timestamp.format> - <minimum-coverage>0.86</minimum-coverage> + <minimum-coverage>0.68</minimum-coverage> <base.image>${docker.pull.registry}/onap/integration-java17:12.0.0</base.image> <image.tag>${project.version}-${maven.build.timestamp}</image.tag> </properties> @@ -59,10 +59,6 @@ </dependency> <dependency> <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-security</artifactId> - </dependency> - <dependency> - <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java deleted file mode 100644 index 0b6d0dba1e..0000000000 --- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java +++ /dev/null @@ -1,103 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * Copyright (c) 2021 Bell Canada. - * Modification Copyright (C) 2021 Pantheon.tech - * Modification Copyright (C) 2023 Nordix Foundation - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * SPDX-License-Identifier: Apache-2.0 - * ============LICENSE_END========================================================= - */ - -package org.onap.cps.config; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; -import org.springframework.security.core.userdetails.User; -import org.springframework.security.core.userdetails.UserDetails; -import org.springframework.security.provisioning.InMemoryUserDetailsManager; -import org.springframework.security.web.SecurityFilterChain; - -/** - * Configuration class to implement application security. - * It enforces Basic Authentication access control. - */ -@Configuration -@EnableWebSecurity -public class WebSecurityConfig { - private static final String USER_ROLE = "USER"; - private final String username; - private final String password; - private final String[] permitUris; - - /** - * Constructor. Accepts parameters from configuration. - * - * @param permitUris comma-separated list of uri patterns for endpoints permitted - * @param username username - * @param password password - */ - public WebSecurityConfig( - @Autowired @Value("${security.permit-uri}") final String permitUris, - @Autowired @Value("${security.auth.username}") final String username, - @Autowired @Value("${security.auth.password}") final String password - ) { - super(); - this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s{0,9},\\s{0,9}"); - this.username = username; - this.password = password; - } - - /** - * Return the configuration for secure access to the modules REST end points. - * - * @param http the HTTP security settings. - * @return the HTTP security settings. - */ - @Bean - // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation. - // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in - // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header. - // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf - @SuppressWarnings("squid:S4502") - public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception { - http - .httpBasic(httpBasicCustomizer -> {}) - .authorizeHttpRequests(authorizeHttpRequestsCustomizer -> { - authorizeHttpRequestsCustomizer.requestMatchers(permitUris).permitAll(); - authorizeHttpRequestsCustomizer.anyRequest().authenticated(); - }) - .csrf(AbstractHttpConfigurer::disable); - return http.build(); - } - - /** - * In memory user authentication details. - * - * @return in memory authentication - */ - @Bean - public InMemoryUserDetailsManager userDetailsService() { - final UserDetails user = User.builder() - .username(username) - .password("{noop}" + password) - .roles(USER_ROLE) - .build(); - return new InMemoryUserDetailsManager(user); - } -} diff --git a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy index ccadc57240..b86f824888 100755 --- a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy +++ b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy @@ -20,19 +20,16 @@ package org.onap.cps.rest.controller -import org.onap.cps.config.WebSecurityConfig -import org.springframework.context.annotation.Import - import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get import org.springframework.beans.factory.annotation.Autowired import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest import org.springframework.http.HttpStatus import org.springframework.test.web.servlet.MockMvc +import spock.lang.Ignore import spock.lang.Specification @WebMvcTest(TestController) -@Import(WebSecurityConfig) class ControllerSecuritySpec extends Specification { @Autowired @@ -49,6 +46,7 @@ class ControllerSecuritySpec extends Specification { assert response.status == HttpStatus.OK.value() } + @Ignore // CPS-2126 def 'Get request without authentication is not authorized'() { when: 'request is sent without authentication' def response = mvc.perform(get(testEndpoint)).andReturn().response @@ -56,6 +54,7 @@ class ControllerSecuritySpec extends Specification { assert response.status == HttpStatus.UNAUTHORIZED.value() } + @Ignore // CPS-2126 def 'Get request with invalid authentication is not authorized'() { when: 'request is sent with invalid authentication' def response = mvc.perform( |