Disable Spring Security and HTTP Basic Auth (CPS-2126 #1)

This allows any authorization header to be passed in.

Issue-ID: CPS-2127
Signed-off-by: danielhanrahan <daniel.hanrahan@est.tech>
Change-Id: Ib1c5bd7024eed39afd1ae6e19325ed4733c853d4

3 files changed, 4 insertions, 112 deletions

diff --git a/cps-application/pom.xml b/cps-application/pom.xml
index fd43da44f..4c231a6d4 100644
--- a/cps-application/pom.xml
+++ b/cps-application/pom.xml
@@ -37,7 +37,7 @@
     <properties>
         <app>org.onap.cps.Application</app>
         <maven.build.timestamp.format>yyyyMMdd'T'HHmmss'Z'</maven.build.timestamp.format>
-        <minimum-coverage>0.86</minimum-coverage>
+        <minimum-coverage>0.68</minimum-coverage>
         <base.image>${docker.pull.registry}/onap/integration-java17:12.0.0</base.image>
         <image.tag>${project.version}-${maven.build.timestamp}</image.tag>
     </properties>
@@ -59,10 +59,6 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
         <dependency>
diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
deleted file mode 100644
index 0b6d0dba1..000000000
--- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- *  ============LICENSE_START=======================================================
- *  Copyright (c) 2021 Bell Canada.
- *  Modification Copyright (C) 2021 Pantheon.tech
- *  Modification Copyright (C) 2023 Nordix Foundation
- *  ================================================================================
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *        http://www.apache.org/licenses/LICENSE-2.0
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  SPDX-License-Identifier: Apache-2.0
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.cps.config;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.SecurityFilterChain;
-
-/**
- * Configuration class to implement application security.
- * It enforces Basic Authentication access control.
- */
-@Configuration
-@EnableWebSecurity
-public class WebSecurityConfig {
-    private static final String USER_ROLE = "USER";
-    private final String username;
-    private final String password;
-    private final String[] permitUris;
-
-    /**
-     * Constructor. Accepts parameters from configuration.
-     *
-     * @param permitUris comma-separated list of uri patterns for endpoints permitted
-     * @param username   username
-     * @param password   password
-     */
-    public WebSecurityConfig(
-            @Autowired @Value("${security.permit-uri}") final String permitUris,
-            @Autowired @Value("${security.auth.username}") final String username,
-            @Autowired @Value("${security.auth.password}") final String password
-    ) {
-        super();
-        this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s{0,9},\\s{0,9}");
-        this.username = username;
-        this.password = password;
-    }
-
-    /**
-     * Return the configuration for secure access to the modules REST end points.
-     *
-     * @param http the HTTP security settings.
-     * @return the HTTP security settings.
-     */
-    @Bean
-    // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
-    // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
-    // web browsers are. CPS  does not manage sessions, each request requires the authentication token in the header.
-    // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
-    @SuppressWarnings("squid:S4502")
-    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
-        http
-                .httpBasic(httpBasicCustomizer -> {})
-                .authorizeHttpRequests(authorizeHttpRequestsCustomizer -> {
-                    authorizeHttpRequestsCustomizer.requestMatchers(permitUris).permitAll();
-                    authorizeHttpRequestsCustomizer.anyRequest().authenticated();
-                })
-                .csrf(AbstractHttpConfigurer::disable);
-        return http.build();
-    }
-
-    /**
-     * In memory user authentication details.
-     *
-     * @return in memory authentication
-     */
-    @Bean
-    public InMemoryUserDetailsManager userDetailsService() {
-        final UserDetails user = User.builder()
-                .username(username)
-                .password("{noop}" + password)
-                .roles(USER_ROLE)
-                .build();
-        return new InMemoryUserDetailsManager(user);
-    }
-}
diff --git a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
index ccadc5724..b86f82488 100755
--- a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
+++ b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
@@ -20,19 +20,16 @@
 
 package org.onap.cps.rest.controller
 
-import org.onap.cps.config.WebSecurityConfig
-import org.springframework.context.annotation.Import
-
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
 
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
 import org.springframework.http.HttpStatus
 import org.springframework.test.web.servlet.MockMvc
+import spock.lang.Ignore
 import spock.lang.Specification
 
 @WebMvcTest(TestController)
-@Import(WebSecurityConfig)
 class ControllerSecuritySpec extends Specification {
 
     @Autowired
@@ -49,6 +46,7 @@ class ControllerSecuritySpec extends Specification {
             assert response.status == HttpStatus.OK.value()
     }
 
+    @Ignore // CPS-2126
     def 'Get request without authentication is not authorized'() {
         when: 'request is sent without authentication'
             def response = mvc.perform(get(testEndpoint)).andReturn().response
@@ -56,6 +54,7 @@ class ControllerSecuritySpec extends Specification {
             assert response.status == HttpStatus.UNAUTHORIZED.value()
     }
 
+    @Ignore // CPS-2126
     def 'Get request with invalid authentication is not authorized'() {
         when: 'request is sent with invalid authentication'
             def response = mvc.perform(