From 9ad020e36d7dba6e9e2fdd2e5b5276e728de4bd3 Mon Sep 17 00:00:00 2001 From: Fiete Ostkamp Date: Tue, 14 May 2024 13:38:17 +0200 Subject: Make rbac excluded endpoints configurable - introduce bff.rbac.endpoints-excluded config - add some performance improvements for role checking - resolve compilation warning related to missing swagger dependency Issue-ID: PORTALNG-100 Change-Id: I38ac942f0731a3297a797a09402f20aa6efc3b58 Signed-off-by: Fiete Ostkamp --- .../main/resources/application-access-control.yml | 42 +++++++++++----------- app/src/main/resources/application.yml | 4 +++ .../org/onap/portalng/bff/BaseIntegrationTest.java | 2 +- .../idtoken/IdTokenExchangeFilterFunctionTest.java | 7 ++-- .../test/resources/application-access-control.yml | 21 ----------- app/src/test/resources/application.yml | 15 ++++---- app/src/test/resources/logback-spring.xml | 18 ---------- 7 files changed, 37 insertions(+), 72 deletions(-) delete mode 100644 app/src/test/resources/application-access-control.yml delete mode 100644 app/src/test/resources/logback-spring.xml (limited to 'app/src') diff --git a/app/src/main/resources/application-access-control.yml b/app/src/main/resources/application-access-control.yml index 4da29f1..6fda781 100644 --- a/app/src/main/resources/application-access-control.yml +++ b/app/src/main/resources/application-access-control.yml 
@@ -1,21 +1,21 @@ -bff.access-control: - ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ] - ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ] - ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ] - ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator] - KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator] - KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator] - PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator] - PREFERENCES_GET: [portal_admin, portal_designer, portal_operator] - PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator] - ROLE_LIST: ["*"] - USER_CREATE: [portal_admin, portal_designer, portal_operator] - USER_DELETE: [portal_admin, portal_designer, portal_operator] - USER_GET: [portal_admin, portal_designer, portal_operator] - USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator] - USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator] - USER_LIST: [portal_admin, portal_designer, portal_operator] - USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator] - USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator] - USER_UPDATE: [portal_admin, portal_designer, portal_operator] - +bff: + access-control: + ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ] + ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ] + ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ] + ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator] + KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator] + KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator] + PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator] + PREFERENCES_GET: [portal_admin, portal_designer, portal_operator] + PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator] + ROLE_LIST: ["*"] + USER_CREATE: [portal_admin, 
portal_designer, portal_operator] + USER_DELETE: [portal_admin, portal_designer, portal_operator] + USER_GET: [portal_admin, portal_designer, portal_operator] + USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator] + USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator] + USER_LIST: [portal_admin, portal_designer, portal_operator] + USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator] + USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator] + USER_UPDATE: [portal_admin, portal_designer, portal_operator] diff --git a/app/src/main/resources/application.yml b/app/src/main/resources/application.yml index 367b33c..a99ff0b 100644 --- a/app/src/main/resources/application.yml +++ b/app/src/main/resources/application.yml @@ -52,4 +52,8 @@ bff: preferences-url: ${PREFERENCES_URL} history-url: ${HISTORY_URL} keycloak-url: ${KEYCLOAK_URL} + endpoints: + unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/** + rbac: + endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/** diff --git a/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java b/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java index 1311ac7..528568d 100644 --- a/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java +++ b/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java @@ -52,8 +52,8 @@ import org.springframework.context.annotation.Bean; import org.springframework.http.MediaType; /** Base class for all tests that has the common config including port, realm, logging and auth. */ -@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) @AutoConfigureWireMock(port = 0) +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) public abstract class BaseIntegrationTest { @TestConfiguration 
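Review bot: The new `bff.rbac.endpoints-excluded` list in the application.yml hunk is much wider than the `/actuator/**` it is meant to cover: patterns such as `**/actuator/**`, `/**/actuator/**` and `/*/actuator/**` match any request whose path contains a segment literally named `actuator` at any depth, so an authenticated caller could reach a route like `/users/actuator/roles` (wherever a path variable sits in that position) with role checks skipped. The matcher implementation is not in this hunk, so this assumes Ant-style globbing, which is what these patterns suggest. Unless a reverse proxy prefixes the management path, `endpoints-excluded: /actuator/**` alone is sufficient and keeps the RBAC exclusion aligned with the `unauthenticated` list above it. A comment next to the key would make the intent auditable, e.g. `# paths that bypass role checks; keep root-anchored and minimal`. Note also that `/actuator/**` is now both unauthenticated and RBAC-excluded, so whichever actuator endpoints are exposed (configured outside this hunk) are fully public.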
diff --git a/app/src/test/java/org/onap/portalng/bff/idtoken/IdTokenExchangeFilterFunctionTest.java b/app/src/test/java/org/onap/portalng/bff/idtoken/IdTokenExchangeFilterFunctionTest.java index cb6694a..b7491f2 100644 --- a/app/src/test/java/org/onap/portalng/bff/idtoken/IdTokenExchangeFilterFunctionTest.java +++ b/app/src/test/java/org/onap/portalng/bff/idtoken/IdTokenExchangeFilterFunctionTest.java @@ -30,6 +30,7 @@ import java.util.UUID; import org.junit.jupiter.api.Test; import org.onap.portalng.bff.BaseIntegrationTest; import org.onap.portalng.bff.config.IdTokenExchangeFilterFunction; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpMethod; import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.web.server.MockServerWebExchange; @@ -41,10 +42,10 @@ import reactor.core.publisher.Mono; class IdTokenExchangeFilterFunctionTest extends BaseIntegrationTest { + @Autowired IdTokenExchangeFilterFunction filterFunction; + @Test void idTokenIsCorrectlyPropagated() { - final IdTokenExchangeFilterFunction filterFunction = new IdTokenExchangeFilterFunction(); - final String idToken = UUID.randomUUID().toString(); final ServerWebExchange serverWebExchange = MockServerWebExchange.builder( @@ -72,8 +73,6 @@ class IdTokenExchangeFilterFunctionTest extends BaseIntegrationTest { @Test void exceptionIsThrownWhenIdTokenIsMissingInRequest() { - final IdTokenExchangeFilterFunction filterFunction = new IdTokenExchangeFilterFunction(); - final ServerWebExchange serverWebExchange = MockServerWebExchange.builder(MockServerHttpRequest.get("http://localhost:8000")).build(); diff --git a/app/src/test/resources/application-access-control.yml b/app/src/test/resources/application-access-control.yml deleted file mode 100644 index 6fda781..0000000 --- a/app/src/test/resources/application-access-control.yml +++ /dev/null 
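Review bot: The injected field `@Autowired IdTokenExchangeFilterFunction filterFunction;` in IdTokenExchangeFilterFunctionTest is package-private and carries its annotation on the same line; since nothing outside the class reads it, `private` on a separate line from the annotation matches the usual Spring test style, e.g. `@Autowired` / `private IdTokenExchangeFilterFunction filterFunction;`. Replacing `new IdTokenExchangeFilterFunction()` with the context bean also means these two tests now exercise whatever configuration the bean is built with, which is presumably the point of the change but could be stated in a one-line class comment.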
@@ -1,21 +0,0 @@ -bff: - access-control: - ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ] - ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ] - ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ] - ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator] - KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator] - KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator] - PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator] - PREFERENCES_GET: [portal_admin, portal_designer, portal_operator] - PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator] - ROLE_LIST: ["*"] - USER_CREATE: [portal_admin, portal_designer, portal_operator] - USER_DELETE: [portal_admin, portal_designer, portal_operator] - USER_GET: [portal_admin, portal_designer, portal_operator] - USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator] - USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator] - USER_LIST: [portal_admin, portal_designer, portal_operator] - USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator] - USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator] - USER_UPDATE: [portal_admin, portal_designer, portal_operator] diff --git a/app/src/test/resources/application.yml b/app/src/test/resources/application.yml index 3e423e4..04e6a57 100644 --- a/app/src/test/resources/application.yml +++ b/app/src/test/resources/application.yml @@ -1,7 +1,6 @@ -logging: - level: - org.springframework.web: TRACE - +management: + tracing: + enabled: false spring: profiles: include: 
@@ -22,12 +21,14 @@ spring: resourceserver: jwt: jwk-set-uri: http://localhost:${wiremock.server.port}/realms/ONAP/protocol/openid-connect/certs - jackson: - serialization: - FAIL_ON_EMPTY_BEANS: false bff: realm: ONAP preferences-url: http://localhost:${wiremock.server.port} history-url: http://localhost:${wiremock.server.port} keycloak-url: http://localhost:${wiremock.server.port} + endpoints: + unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/** + rbac: + endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/** + diff --git a/app/src/test/resources/logback-spring.xml b/app/src/test/resources/logback-spring.xml deleted file mode 100644 index 45bd7e2..0000000 --- a/app/src/test/resources/logback-spring.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - - ${LOGBACK_LEVEL:-info} - - - ${CONSOLE_LOG_PATTERN} - utf8 - - - - - - - \ No newline at end of file -- cgit 1.2.3-korg
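Review bot: The test application.yml copies the production `endpoints-excluded` list verbatim, so the integration tests in this change cannot detect an over-broad exclusion such as `/*/actuator/**` skipping RBAC for an ordinary route whose path variable happens to be `actuator`. A test that sends an authenticated request without roles to such a path and expects 403 would pin the intended behaviour; alternatively narrow both the test and main lists to `endpoints-excluded: /actuator/**`. The removal of `FAIL_ON_EMPTY_BEANS: false` is unrelated to the RBAC change and deserves a mention in the commit message.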