Merge "consolidated security configuration"

4 files changed, 241 insertions, 2 deletions

diff --git a/common/src/main/java/org/onap/so/security/SecurityFilters.java b/common/src/main/java/org/onap/so/security/SecurityFilters.java
new file mode 100644
index 0000000000..7ad0fd05df
--- /dev/null
+++ b/common/src/main/java/org/onap/so/security/SecurityFilters.java
@@ -0,0 +1,41 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP - SO
+ * ================================================================================
+ * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.so.security;
+
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.core.Ordered;
+
+@Configuration
+@Profile("!test & aaf")
+public class SecurityFilters {
+
+    @Bean
+    public FilterRegistrationBean<SoCadiFilter> loginRegistrationBean() {
+        FilterRegistrationBean<SoCadiFilter> filterRegistrationBean = new FilterRegistrationBean<>();
+        filterRegistrationBean.setFilter(new SoCadiFilter());
+        filterRegistrationBean.setName("cadiFilter");
+        filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
+        return filterRegistrationBean;
+    }
+}
diff --git a/common/src/main/java/org/onap/so/security/SoCadiFilter.java b/common/src/main/java/org/onap/so/security/SoCadiFilter.java
new file mode 100644
index 0000000000..93700db682
--- /dev/null
+++ b/common/src/main/java/org/onap/so/security/SoCadiFilter.java
@@ -0,0 +1,117 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP SO
+ * ================================================================================
+ * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights
+ *                             reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ *
+ */
+package org.onap.so.security;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.filter.CadiFilter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Component;
+
+@Component
+@Profile("!test & aaf")
+public class SoCadiFilter extends CadiFilter {
+
+    protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class);
+
+    private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT";
+    private static String AAF_API_VERSION = "aaf_api_version";
+
+    @Value("${mso.config.cadi.cadiLoglevel:#{null}}")
+    private String cadiLoglevel;
+
+    @Value("${mso.config.cadi.cadiKeyFile:#{null}}")
+    private String cadiKeyFile;
+
+    @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}")
+    private String cadiTrustStorePassword;
+
+    @Value("${mso.config.cadi.cadiTrustStore:#{null}}")
+    private String cadiTrustStore;
+
+    @Value("${mso.config.cadi.cadiLatitude:#{null}}")
+    private String cadiLatitude;
+
+    @Value("${mso.config.cadi.cadiLongitude:#{null}}")
+    private String cadiLongitude;
+
+    @Value("${mso.config.cadi.aafEnv:#{null}}")
+    private String aafEnv;
+
+    @Value("${mso.config.cadi.aafApiVersion:#{null}}")
+    private String aafApiVersion;
+
+    @Value("${mso.config.cadi.aafRootNs:#{null}}")
+    private String aafRootNs;
+
+    @Value("${mso.config.cadi.aafId:#{null}}")
+    private String aafMechId;
+
+    @Value("${mso.config.cadi.aafPassword:#{null}}")
+    private String aafMechIdPassword;
+
+    @Value("${mso.config.cadi.aafLocateUrl:#{null}}")
+    private String aafLocateUrl;
+
+    @Value("${mso.config.cadi.aafUrl:#{null}}")
+    private String aafUrl;
+
+    @Value("${mso.config.cadi.apiEnforcement:#{null}}")
+    private String apiEnforcement;
+
+    private void checkIfNullProperty(String key, String value) {
+        /*
+         * When value is null, it is not defined in application.yaml set nothing in System properties
+         */
+        if (value != null) {
+            System.setProperty(key, value);
+        }
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel);
+        checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile);
+        checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore);
+        checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword);
+        checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude);
+        checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude);
+        checkIfNullProperty(Config.AAF_ENV, aafEnv);
+        checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion);
+        checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs);
+        checkIfNullProperty(Config.AAF_APPID, aafMechId);
+        checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword);
+        checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl);
+        checkIfNullProperty(Config.AAF_URL, aafUrl);
+        checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement);
+        // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv);
+        logger.debug(" *** init Filter Config *** ");
+        super.init(filterConfig);
+    }
+
+
+}
diff --git a/common/src/main/java/org/onap/so/security/WebSecurityConfig.java b/common/src/main/java/org/onap/so/security/WebSecurityConfig.java
index 44ac62d14f..2eafc6c9cd 100644
--- a/common/src/main/java/org/onap/so/security/WebSecurityConfig.java
+++ b/common/src/main/java/org/onap/so/security/WebSecurityConfig.java
@@ -43,8 +43,10 @@ public class WebSecurityConfig {
 
     @PostConstruct
     private void addRoles() {
-        for (int i = 0; i < credentials.size(); i++) {
-            roles.add(credentials.get(i).getRole());
+        if (credentials != null) {
+            for (int i = 0; i < credentials.size(); i++) {
+                roles.add(credentials.get(i).getRole());
+            }
         }
     }
 
diff --git a/common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java b/common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java
new file mode 100644
index 0000000000..c84c7e8603
--- /dev/null
+++ b/common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java
@@ -0,0 +1,79 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP - SO
+ * ================================================================================
+ * Copyright (C) 2017 - 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Modifications Copyright (c) 2019 Samsung
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.so.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.util.StringUtils;
+
+@EnableWebSecurity
+@Configuration()
+public class WebSecurityConfigImpl extends WebSecurityConfig {
+
+    @Profile({"basic"})
+    @Bean
+    public WebSecurityConfigurerAdapter basicAuth() {
+        return new WebSecurityConfigurerAdapter() {
+            @Override
+            protected void configure(HttpSecurity http) throws Exception {
+                http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
+                        .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
+                        .httpBasic();
+            }
+
+            @Override
+            public void configure(WebSecurity web) throws Exception {
+                super.configure(web);
+                StrictHttpFirewall firewall = new MSOSpringFirewall();
+                web.httpFirewall(firewall);
+            }
+
+            @Override
+            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+                auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService())
+                        .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder());
+            }
+        };
+    }
+
+    @Profile({"aaf", "test"})
+    @Bean
+    public WebSecurityConfigurerAdapter noAuth() {
+        return new WebSecurityConfigurerAdapter() {
+            @Override
+            public void configure(WebSecurity web) throws Exception {
+                web.ignoring().antMatchers("/**");
+                StrictHttpFirewall firewall = new MSOSpringFirewall();
+                web.httpFirewall(firewall);
+            }
+        };
+    }
+
+}