Merge "DMI Plugin replace WebSecurityConfigurerAdapter"

author: Toine Siebelink <toine.siebelink@est.tech> 2023-06-22 15:36:49 +0000
committer: Gerrit Code Review <gerrit@onap.org> 2023-06-22 15:36:49 +0000
commit: c29b13979fb184524bfcbc38abd76cf453415364 (patch)
tree: 56ede2db05f7bb652bf6ae8f9ba9367d2432d57e
parent: 3a7c3754e7bfd5f0ccfbcec143eebe8587e10baa (diff)
parent: 1621e18dfdaf7484de4351598d747ba5acf9a1ee (diff)
3 files changed, 43 insertions, 15 deletions
diff --git a/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java b/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java
index a51d4862..1eb9523d 100644
--- a/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java
+++ b/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java
@@ -1,6 +1,6 @@
 /*
  *  ============LICENSE_START=======================================================
- *  Copyright (C) 2021 Nordix Foundation
+ *  Copyright (C) 2021-2023 Nordix Foundation
  *  ================================================================================
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -22,11 +22,14 @@ package org.onap.cps.ncmp.dmi.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Configuration class to implement application security.
@@ -34,7 +37,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
  */
 @Configuration
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
     private static final String USER_ROLE = "USER";
 
@@ -60,23 +63,43 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         this.password = password;
     }
 
-    @Override
+    /**
+     * Return the configuration for secure access to the modules REST end points.
+     *
+     * @param http the HTTP security settings.
+     * @return the HTTP security settings.
+     */
+    @Bean
     // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
     // ncmp is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
     // web browsers are. ncmp  does not manage sessions, each request requires the authentication token in the header.
     // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
     @SuppressWarnings("squid:S4502")
-    protected void configure(final HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
         http
-            .csrf().disable()
-            .authorizeRequests()
-            .antMatchers(permitUris).permitAll()
-            .anyRequest().authenticated()
-            .and().httpBasic();
+                .httpBasic()
+                .and()
+                .authorizeRequests()
+                .antMatchers(permitUris).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .csrf().disable();
+
+        return http.build();
     }
 
-    @Override
-    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
-        auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE);
+    /**
+     * In memory user authenticaion details.
+     *
+     * @return in memory authentication.
+     */
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService() {
+        final UserDetails user = User.builder()
+                .username(username)
+                .password("{noop}" + password)
+                .roles(USER_ROLE)
+                .build();
+        return new InMemoryUserDetailsManager(user);
     }
 }
diff --git a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy
index 67de1b93..3f5d4a80 100644
--- a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy
+++ b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy
@@ -1,6 +1,6 @@
 /*
  *  ============LICENSE_START=======================================================
- *  Copyright (C) 2021-2022 Nordix Foundation
+ *  Copyright (C) 2021-2023 Nordix Foundation
  *  ================================================================================
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 package org.onap.cps.ncmp.dmi.rest.controller
 
 import org.onap.cps.ncmp.dmi.config.WebSecurityConfig
+import org.springframework.context.annotation.Import
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
 
@@ -31,6 +32,7 @@ import org.springframework.test.web.servlet.MockMvc
 import spock.lang.Specification
 
 @WebMvcTest(controllers = TestController.class)
+@Import(WebSecurityConfig)
 class ControllerSecuritySpec extends Specification {
 
     @Autowired
diff --git a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy
index 5caef07f..96c1ed8e 100644
--- a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy
+++ b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy
@@ -23,6 +23,7 @@ package org.onap.cps.ncmp.dmi.rest.controller
 
 
 import org.onap.cps.ncmp.dmi.TestUtils
+import org.onap.cps.ncmp.dmi.config.WebSecurityConfig
 import org.onap.cps.ncmp.dmi.exception.DmiException
 import org.onap.cps.ncmp.dmi.exception.ModuleResourceNotFoundException
 import org.onap.cps.ncmp.dmi.exception.ModulesNotFoundException
@@ -39,6 +40,7 @@ import org.spockframework.spring.SpringBean
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
+import org.springframework.context.annotation.Import
 import org.springframework.http.HttpStatus
 import org.springframework.http.MediaType
 import org.springframework.kafka.core.KafkaTemplate
@@ -57,6 +59,7 @@ import static org.onap.cps.ncmp.dmi.model.DataAccessRequest.OperationEnum.UPDATE
 import static org.springframework.http.HttpStatus.CREATED
 import static org.springframework.http.HttpStatus.OK
 
+@Import(WebSecurityConfig)
 @WebMvcTest(DmiRestController.class)
 @WithMockUser
 class DmiRestControllerSpec extends Specification {
author	Toine Siebelink <toine.siebelink@est.tech>	2023-06-22 15:36:49 +0000
committer	Gerrit Code Review <gerrit@onap.org>	2023-06-22 15:36:49 +0000
commit	c29b13979fb184524bfcbc38abd76cf453415364 (patch)
tree	56ede2db05f7bb652bf6ae8f9ba9367d2432d57e
parent	3a7c3754e7bfd5f0ccfbcec143eebe8587e10baa (diff)
parent	1621e18dfdaf7484de4351598d747ba5acf9a1ee (diff)