From 837beb73d7aa6e8f7e4e932ac71e59663b868992 Mon Sep 17 00:00:00 2001 From: Ramesh Parthasarathy Date: Thu, 21 Nov 2019 02:04:03 +0000 Subject: Added AAF Integration related changes Created two profiles for the application to run. Basic profile will allow the application to run in the current spring security authentication. AAF profile will authenticate and authorize requests with AAF. if no profile is given, it will fallback to basic. Change-Id: I2576f02e7afca3c10e02aaffef66a60fa1c4dd1a Issue-ID: SO-2451 Signed-off-by: Ramesh Parthasarathy(rp6768) --- .../so/adapters/catalogdb/SecurityFilters.java | 41 ++++++++ .../onap/so/adapters/catalogdb/SoCadiFilter.java | 117 +++++++++++++++++++++ .../adapters/catalogdb/WebSecurityConfigImpl.java | 50 +++++++-- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../so/adapters/openstack/SecurityFilters.java | 41 ++++++++ .../onap/so/adapters/openstack/SoCadiFilter.java | 117 +++++++++++++++++++++ .../adapters/openstack/WebSecurityConfigImpl.java | 50 +++++++-- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../adapters/requestsdb/WebSecurityConfigImpl.java | 50 +++++++-- .../requestsdb/application/SecurityFilters.java | 41 ++++++++ .../requestsdb/application/SoCadiFilter.java | 117 +++++++++++++++++++++ .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../org/onap/so/adapters/sdnc/SecurityFilters.java | 41 ++++++++ .../org/onap/so/adapters/sdnc/SoCadiFilter.java | 117 +++++++++++++++++++++ .../so/adapters/sdnc/WebSecurityConfigImpl.java | 50 +++++++-- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../org/onap/so/adapters/vfc/SecurityFilters.java | 41 ++++++++ .../org/onap/so/adapters/vfc/SoCadiFilter.java | 117 +++++++++++++++++++++ .../so/adapters/vfc/WebSecurityConfigImpl.java | 50 +++++++-- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../so/adapters/vnfmadapter/SecurityFilters.java | 41 ++++++++ .../onap/so/adapters/vnfmadapter/SoCadiFilter.java | 117 +++++++++++++++++++++ .../vnfmadapter/WebSecurityConfigImpl.java | 73 +++++++++---- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../java/org/onap/so/asdc/SecurityFilters.java | 41 ++++++++ .../main/java/org/onap/so/asdc/SoCadiFilter.java | 117 +++++++++++++++++++++ .../org/onap/so/asdc/WebSecurityConfigImpl.java | 50 +++++++-- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 bpmn/mso-infrastructure-bpmn/pom.xml | 11 ++ .../so/bpmn/infrastructure/SecurityFilters.java | 41 ++++++++ .../onap/so/bpmn/infrastructure/SoCadiFilter.java | 117 +++++++++++++++++++++ .../bpmn/infrastructure/WebSecurityConfigImpl.java | 53 +++++++--- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../bpmn/infrastructure/WebSecurityConfigImpl.java | 44 +++++--- common/pom.xml | 11 ++ .../org/onap/so/security/WebSecurityConfig.java | 8 +- mso-api-handlers/mso-api-handler-infra/pom.xml | 11 ++ .../onap/so/apihandlerinfra/SecurityFilters.java | 41 ++++++++ .../org/onap/so/apihandlerinfra/SoCadiFilter.java | 117 +++++++++++++++++++++ .../so/apihandlerinfra/WebSecurityConfigImpl.java | 48 ++++++--- .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../src/main/docker/docker-files/Dockerfile.so-app | 1 + .../main/docker/docker-files/certs/org.onap.so.jks | Bin 0 -> 3582 bytes .../docker/docker-files/certs/org.onap.so.keyfile | 27 +++++ .../docker-files/certs/org.onap.so.trust.jks | Bin 0 -> 1413 bytes .../main/docker/docker-files/scripts/start-app.sh | 6 +- 55 files changed, 1888 insertions(+), 127 deletions(-) create mode 100644 adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SecurityFilters.java create mode 100644 adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SoCadiFilter.java create mode 100644 adapters/mso-catalog-db-adapter/src/main/resources/application-aaf.yaml create mode 100644 adapters/mso-catalog-db-adapter/src/main/resources/application-basic.yaml create mode 100644 adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SecurityFilters.java create mode 100644 adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SoCadiFilter.java create mode 100644 adapters/mso-openstack-adapters/src/main/resources/application-aaf.yaml create mode 100644 adapters/mso-openstack-adapters/src/main/resources/application-basic.yaml create mode 100644 adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SecurityFilters.java create mode 100644 adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SoCadiFilter.java create mode 100644 adapters/mso-requests-db-adapter/src/main/resources/application-aaf.yaml create mode 100644 adapters/mso-requests-db-adapter/src/main/resources/application-basic.yaml create mode 100644 adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SecurityFilters.java create mode 100644 adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SoCadiFilter.java create mode 100644 adapters/mso-sdnc-adapter/src/main/resources/application-aaf.yaml create mode 100644 adapters/mso-sdnc-adapter/src/main/resources/application-basic.yaml create mode 100644 adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SecurityFilters.java create mode 100644 adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SoCadiFilter.java create mode 100644 adapters/mso-vfc-adapter/src/main/resources/application-aaf.yaml create mode 100644 adapters/mso-vfc-adapter/src/main/resources/application-basic.yaml create mode 100644 adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SecurityFilters.java create mode 100644 adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SoCadiFilter.java create mode 100644 adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/resources/application-aaf.yaml create mode 100644 adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/resources/application-basic.yaml create mode 100644 asdc-controller/src/main/java/org/onap/so/asdc/SecurityFilters.java create mode 100644 asdc-controller/src/main/java/org/onap/so/asdc/SoCadiFilter.java create mode 100644 asdc-controller/src/main/resources/application-aaf.yaml create mode 100644 asdc-controller/src/main/resources/application-basic.yaml create mode 100644 bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SecurityFilters.java create mode 100644 bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SoCadiFilter.java create mode 100644 bpmn/mso-infrastructure-bpmn/src/main/resources/application-aaf.yaml create mode 100644 bpmn/mso-infrastructure-bpmn/src/main/resources/application-basic.yaml create mode 100644 mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SecurityFilters.java create mode 100644 mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SoCadiFilter.java create mode 100644 mso-api-handlers/mso-api-handler-infra/src/main/resources/application-aaf.yaml create mode 100644 mso-api-handlers/mso-api-handler-infra/src/main/resources/application-basic.yaml create mode 100644 packages/docker/src/main/docker/docker-files/certs/org.onap.so.jks create mode 100644 packages/docker/src/main/docker/docker-files/certs/org.onap.so.keyfile create mode 100644 packages/docker/src/main/docker/docker-files/certs/org.onap.so.trust.jks diff --git a/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SecurityFilters.java b/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SecurityFilters.java new file mode 100644 index 0000000000..040723501b --- /dev/null +++ b/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.catalogdb; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SoCadiFilter.java b/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SoCadiFilter.java new file mode 100644 index 0000000000..e7e360d444 --- /dev/null +++ b/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.adapters.catalogdb; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/WebSecurityConfigImpl.java b/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/WebSecurityConfigImpl.java index 1d58975e6b..8cadb00f8f 100644 --- a/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/WebSecurityConfigImpl.java +++ b/adapters/mso-catalog-db-adapter/src/main/java/org/onap/so/adapters/catalogdb/WebSecurityConfigImpl.java @@ -24,27 +24,57 @@ package org.onap.so.adapters.catalogdb; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() + .httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/adapters/mso-catalog-db-adapter/src/main/resources/application-aaf.yaml b/adapters/mso-catalog-db-adapter/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-catalog-db-adapter/src/main/resources/application-basic.yaml b/adapters/mso-catalog-db-adapter/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SecurityFilters.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SecurityFilters.java new file mode 100644 index 0000000000..cbe619e8a0 --- /dev/null +++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.openstack; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SoCadiFilter.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SoCadiFilter.java new file mode 100644 index 0000000000..d9901b75ed --- /dev/null +++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.adapters.openstack; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/WebSecurityConfigImpl.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/WebSecurityConfigImpl.java index 97e43d9828..ddae887103 100644 --- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/WebSecurityConfigImpl.java +++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/openstack/WebSecurityConfigImpl.java @@ -24,27 +24,57 @@ package org.onap.so.adapters.openstack; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() + .httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/adapters/mso-openstack-adapters/src/main/resources/application-aaf.yaml b/adapters/mso-openstack-adapters/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-openstack-adapters/src/main/resources/application-basic.yaml b/adapters/mso-openstack-adapters/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/WebSecurityConfigImpl.java b/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/WebSecurityConfigImpl.java index b8bada298e..6cd7462299 100644 --- a/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/WebSecurityConfigImpl.java +++ b/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/WebSecurityConfigImpl.java @@ -24,27 +24,57 @@ package org.onap.so.adapters.requestsdb; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info", "/services") + .permitAll().antMatchers("/**") + .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SecurityFilters.java b/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SecurityFilters.java new file mode 100644 index 0000000000..a422e6a60d --- /dev/null +++ b/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.requestsdb.application; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SoCadiFilter.java b/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SoCadiFilter.java new file mode 100644 index 0000000000..5e6ced077b --- /dev/null +++ b/adapters/mso-requests-db-adapter/src/main/java/org/onap/so/adapters/requestsdb/application/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.adapters.requestsdb.application; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/adapters/mso-requests-db-adapter/src/main/resources/application-aaf.yaml b/adapters/mso-requests-db-adapter/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-requests-db-adapter/src/main/resources/application-basic.yaml b/adapters/mso-requests-db-adapter/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SecurityFilters.java b/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SecurityFilters.java new file mode 100644 index 0000000000..c615440ff6 --- /dev/null +++ b/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.sdnc; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SoCadiFilter.java b/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SoCadiFilter.java new file mode 100644 index 0000000000..1e5647097c --- /dev/null +++ b/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.adapters.sdnc; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/WebSecurityConfigImpl.java b/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/WebSecurityConfigImpl.java index 232381385f..4d922a4cd0 100644 --- a/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/WebSecurityConfigImpl.java +++ b/adapters/mso-sdnc-adapter/src/main/java/org/onap/so/adapters/sdnc/WebSecurityConfigImpl.java @@ -24,27 +24,57 @@ package org.onap.so.adapters.sdnc; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info", "/services").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info", "/services") + .permitAll().antMatchers("/**") + .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/adapters/mso-sdnc-adapter/src/main/resources/application-aaf.yaml b/adapters/mso-sdnc-adapter/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-sdnc-adapter/src/main/resources/application-basic.yaml b/adapters/mso-sdnc-adapter/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SecurityFilters.java b/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SecurityFilters.java new file mode 100644 index 0000000000..319d79e0fb --- /dev/null +++ b/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.vfc; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SoCadiFilter.java b/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SoCadiFilter.java new file mode 100644 index 0000000000..89526d4cda --- /dev/null +++ b/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.adapters.vfc; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/WebSecurityConfigImpl.java b/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/WebSecurityConfigImpl.java index e94e34d87c..28ac311b4e 100644 --- a/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/WebSecurityConfigImpl.java +++ b/adapters/mso-vfc-adapter/src/main/java/org/onap/so/adapters/vfc/WebSecurityConfigImpl.java @@ -24,27 +24,57 @@ package org.onap.so.adapters.vfc; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info", "/services").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info", "/services") + .permitAll().antMatchers("/**") + .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/adapters/mso-vfc-adapter/src/main/resources/application-aaf.yaml b/adapters/mso-vfc-adapter/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-vfc-adapter/src/main/resources/application-basic.yaml b/adapters/mso-vfc-adapter/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SecurityFilters.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SecurityFilters.java new file mode 100644 index 0000000000..3876d77a80 --- /dev/null +++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.vnfmadapter; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SoCadiFilter.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SoCadiFilter.java new file mode 100644 index 0000000000..aefb36c6bb --- /dev/null +++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.adapters.vnfmadapter; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java index 792002354b..e43efd014a 100644 --- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java +++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java @@ -1,20 +1,22 @@ /*- * ============LICENSE_START======================================================= - * Copyright (C) 2019 Nordix Foundation. + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Modifications Copyright (c) 2019 Samsung * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * - * SPDX-License-Identifier: Apache-2.0 * ============LICENSE_END========================================================= */ @@ -23,37 +25,64 @@ package org.onap.so.adapters.vnfmadapter; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; -/** - * Configure the web security for the application. - */ +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { @Value("${server.ssl.client-auth:none}") private String clientAuth; - @Override - protected void configure(final HttpSecurity http) throws Exception { - if (("need").equalsIgnoreCase(clientAuth)) { - http.csrf().disable().authorizeRequests().anyRequest().permitAll(); - } else { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); - } + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + if (("need").equalsIgnoreCase(clientAuth)) { + http.csrf().disable().authorizeRequests().anyRequest().permitAll(); + } else { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")) + .and().httpBasic(); + } + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(final WebSecurity web) throws Exception { - super.configure(web); - final StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/resources/application-aaf.yaml b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/resources/application-basic.yaml b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/SecurityFilters.java b/asdc-controller/src/main/java/org/onap/so/asdc/SecurityFilters.java new file mode 100644 index 0000000000..29c9d8f952 --- /dev/null +++ b/asdc-controller/src/main/java/org/onap/so/asdc/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.asdc; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("!test & aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/SoCadiFilter.java b/asdc-controller/src/main/java/org/onap/so/asdc/SoCadiFilter.java new file mode 100644 index 0000000000..52144e264e --- /dev/null +++ b/asdc-controller/src/main/java/org/onap/so/asdc/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.asdc; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("!test & aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/WebSecurityConfigImpl.java b/asdc-controller/src/main/java/org/onap/so/asdc/WebSecurityConfigImpl.java index b45b4f0749..8722d193fe 100644 --- a/asdc-controller/src/main/java/org/onap/so/asdc/WebSecurityConfigImpl.java +++ b/asdc-controller/src/main/java/org/onap/so/asdc/WebSecurityConfigImpl.java @@ -22,27 +22,57 @@ package org.onap.so.asdc; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() + .httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; } } diff --git a/asdc-controller/src/main/resources/application-aaf.yaml b/asdc-controller/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/asdc-controller/src/main/resources/application-basic.yaml b/asdc-controller/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/bpmn/mso-infrastructure-bpmn/pom.xml b/bpmn/mso-infrastructure-bpmn/pom.xml index 1ae0dd48f7..c3c26ef5e7 100644 --- a/bpmn/mso-infrastructure-bpmn/pom.xml +++ b/bpmn/mso-infrastructure-bpmn/pom.xml @@ -304,5 +304,16 @@ 1.7.0 test + + org.onap.aaf.authz + aaf-cadi-aaf + 2.1.9 + + + javax.servlet + servlet-api + + + diff --git a/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SecurityFilters.java b/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SecurityFilters.java new file mode 100644 index 0000000000..bdc1c504f0 --- /dev/null +++ b/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.bpmn.infrastructure; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SoCadiFilter.java b/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SoCadiFilter.java new file mode 100644 index 0000000000..cb60d5d219 --- /dev/null +++ b/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.bpmn.infrastructure; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java b/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java index 1ed3214214..bcc38ec9e0 100644 --- a/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java +++ b/bpmn/mso-infrastructure-bpmn/src/main/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java @@ -24,28 +24,57 @@ package org.onap.so.bpmn.infrastructure; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/async/services/**", "/workflow/services/*", "/SDNCAdapterCallbackService", - "/WorkflowMessage", "/vnfAdapterNotify", "/vnfAdapterRestNotify") - .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); - } + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/async/services/**", "/workflow/services/*", "/SDNCAdapterCallbackService", + "/WorkflowMessage", "/vnfAdapterNotify", "/vnfAdapterRestNotify") + .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; } + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + }; + } } diff --git a/bpmn/mso-infrastructure-bpmn/src/main/resources/application-aaf.yaml b/bpmn/mso-infrastructure-bpmn/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/bpmn/mso-infrastructure-bpmn/src/main/resources/application-basic.yaml b/bpmn/mso-infrastructure-bpmn/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/bpmn/so-bpmn-infrastructure-common/src/test/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java b/bpmn/so-bpmn-infrastructure-common/src/test/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java index 1ed3214214..58e58464e1 100644 --- a/bpmn/so-bpmn-infrastructure-common/src/test/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java +++ b/bpmn/so-bpmn-infrastructure-common/src/test/java/org/onap/so/bpmn/infrastructure/WebSecurityConfigImpl.java @@ -24,28 +24,46 @@ package org.onap.so.bpmn.infrastructure; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; +@Configuration @EnableWebSecurity public class WebSecurityConfigImpl extends WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/async/services/**", "/workflow/services/*", "/SDNCAdapterCallbackService", - "/WorkflowMessage", "/vnfAdapterNotify", "/vnfAdapterRestNotify") - .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); - } + @Bean + @Profile("test") + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/async/services/**", "/workflow/services/*", "/SDNCAdapterCallbackService", + "/WorkflowMessage", "/vnfAdapterNotify", "/vnfAdapterRestNotify") + .hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and().httpBasic(); + } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); - } + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + + }; + } } diff --git a/common/pom.xml b/common/pom.xml index 3690d7b5a1..7c7eec21cc 100644 --- a/common/pom.xml +++ b/common/pom.xml @@ -130,6 +130,17 @@ spring-boot-starter-test test + + org.onap.aaf.authz + aaf-cadi-aaf + 2.1.9 + + + javax.servlet + servlet-api + + + org.reflections reflections diff --git a/common/src/main/java/org/onap/so/security/WebSecurityConfig.java b/common/src/main/java/org/onap/so/security/WebSecurityConfig.java index 635784c642..44ac62d14f 100644 --- a/common/src/main/java/org/onap/so/security/WebSecurityConfig.java +++ b/common/src/main/java/org/onap/so/security/WebSecurityConfig.java @@ -32,7 +32,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; @ConfigurationProperties(prefix = "spring.security") -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { +public class WebSecurityConfig { private List credentials; private List roles = new ArrayList<>(); @@ -65,10 +65,4 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder()); - } - } diff --git a/mso-api-handlers/mso-api-handler-infra/pom.xml b/mso-api-handlers/mso-api-handler-infra/pom.xml index 82b86f89cc..84a80e6617 100644 --- a/mso-api-handlers/mso-api-handler-infra/pom.xml +++ b/mso-api-handlers/mso-api-handler-infra/pom.xml @@ -225,6 +225,17 @@ io.micrometer micrometer-registry-prometheus + + org.onap.aaf.authz + aaf-cadi-aaf + 2.1.9 + + + javax.servlet + servlet-api + + + diff --git a/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SecurityFilters.java b/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SecurityFilters.java new file mode 100644 index 0000000000..0cf63b9605 --- /dev/null +++ b/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.apihandlerinfra; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SoCadiFilter.java b/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SoCadiFilter.java new file mode 100644 index 0000000000..6510440991 --- /dev/null +++ b/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.apihandlerinfra; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/WebSecurityConfigImpl.java b/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/WebSecurityConfigImpl.java index 632f371af5..a0f4615f87 100644 --- a/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/WebSecurityConfigImpl.java +++ b/mso-api-handlers/mso-api-handler-infra/src/main/java/org/onap/so/apihandlerinfra/WebSecurityConfigImpl.java @@ -24,33 +24,57 @@ package org.onap.so.apihandlerinfra; import org.onap.so.security.MSOSpringFirewall; import org.onap.so.security.WebSecurityConfig; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.core.annotation.Order; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.util.StringUtils; @EnableWebSecurity @Configuration("att-security-config") -@Order(2) +// @Order(2) public class WebSecurityConfigImpl extends WebSecurityConfig { + @Profile({"basic", "test"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() + .httpBasic(); + } - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() - .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() - .httpBasic(); + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + }; } - @Override - public void configure(WebSecurity web) throws Exception { - super.configure(web); - StrictHttpFirewall firewall = new MSOSpringFirewall(); - web.httpFirewall(firewall); + @Profile("aaf") + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeRequests().antMatchers("/**").permitAll(); + } + }; } } diff --git a/mso-api-handlers/mso-api-handler-infra/src/main/resources/application-aaf.yaml b/mso-api-handlers/mso-api-handler-infra/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/mso-api-handlers/mso-api-handler-infra/src/main/resources/application-basic.yaml b/mso-api-handlers/mso-api-handler-infra/src/main/resources/application-basic.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/packages/docker/src/main/docker/docker-files/Dockerfile.so-app b/packages/docker/src/main/docker/docker-files/Dockerfile.so-app index e8f02f12c6..90f0a6627d 100644 --- a/packages/docker/src/main/docker/docker-files/Dockerfile.so-app +++ b/packages/docker/src/main/docker/docker-files/Dockerfile.so-app @@ -14,6 +14,7 @@ COPY configs/logging/logback-spring.xml /app COPY scripts/start-app.sh /app COPY scripts/wait-for.sh /app COPY ca-certificates/onap-ca.crt /app/ca-certificates/onap-ca.crt +COPY certs/* /app/ RUN chown -R so:so /app && chmod 700 /app/*.sh diff --git a/packages/docker/src/main/docker/docker-files/certs/org.onap.so.jks b/packages/docker/src/main/docker/docker-files/certs/org.onap.so.jks new file mode 100644 index 0000000000..1e849afb5e Binary files /dev/null and b/packages/docker/src/main/docker/docker-files/certs/org.onap.so.jks differ diff --git a/packages/docker/src/main/docker/docker-files/certs/org.onap.so.keyfile b/packages/docker/src/main/docker/docker-files/certs/org.onap.so.keyfile new file mode 100644 index 0000000000..9000ed29fb --- /dev/null +++ b/packages/docker/src/main/docker/docker-files/certs/org.onap.so.keyfile @@ -0,0 +1,27 @@ +xVdhDotWIx2RB3f8RxAFQb9mkHVVdIzv8eiij9cDjg_5ea5HWPS7OzLR5lv4NA0vStrAMfSAaS2e +j4rzvrlserM9bTRco3JHb-i6ZGYMoTL6kuFJ9JMveSqg-fkwvrm7VcYQJBs1FIE3hRLNqiGJ34ud +hDRp-cGUvNRLIImksKT2fmUyEawLLuE0Lo5aX46y0ibjIMe7clMxLHIS5-WggvkgIOPkVDcxqLT2 +OteGptqW1cjrm1ydbTkLYN6dd7ZmRsT3ULPYLEtPTlZ2vCh7bFBBvP_tjp2cZf4uSPM6EClYAikn +dnTqivOfCZn25r0xeXuectoXbq12fws_jaCH05ZK1wJwAF_cQNfpvaiM457rE672YV3Ev4yhXCyM +1jVL2P9Chl1sSBkZujCftvaj1rlippP9P_eohcLv84mtApEyV49rBFRMtkX9ZVdPyb8shFSoXJxk +M6DentRzY1g37mVJ1B1YMKPNQj95nOD4gLvjbUZ7dATuroENsG7oUWkfaV6dokfTmh504ZbyeqGh +xa7yfr3326fMQBhQMpsyqD2o_Obe5wN57p-vb469w65pUmK7iJDa0Fgxaxy8XNNnw6gCurbbsvyU +nB8UdfhTvL5mJew_tKUvtq_KH9ajnA8giSxuFd9KM6YHJWiFMXIROEQT7hKjTJka1ghERBjcH_pY +hbKtHdvbrS7T2hGwY_MQEUXYQBirtjaEwAvI960hXQt1K-MC8PNLRYtdLKE2Aq3amMt7ZKtrHSeN +33I1MjXc3wRUeOi5A6qImge1Q_Wmn1SURAn9KbEv9eoMUbQUkN1z2iyw4x94BZpBk5GjDypKKOyg +guec0UY3y9wqm5gGW7XvT3v1lZqo5180VgK49iFgA4IhWZ7dnDFQmq6IHTr1pM4kuvJ9dka9saIh +9xCk_KINPp5_dqJ2Lhak2IeRg_Zm3belm1jvYGCyRRqfoi9WGrDh3LLZeK8MHrrfzLI4Toy_n6DG +UNXPrXqrZPREfW2lhYLRfrivOBYWPq9JidQXn1UctSmWdNoMH7XuikBpAwmlInNA_5j9J-L-gf9D +cw2zoby3_wvcm5vxndnocEdhqVVdo7uMmXasQqphuyJP8rgCJf_I1v0Qe5F-JXsj6xDvarOUPOTj +Z93a64EO0KI0OznolRyBqHpIXffbGh7e1EpAE0LMESKJC3Mjmsgz1ld3s7WfdeDK-IxUEHJLHlhY +IjBlY6q3OJDrgvPLkwoWPbI48tmRUJX1BCafvDU6W8crl4VQKhL_l5ANAX5oaKwh-0ZJAZ15tna5 +6fjWcWrtQSdNQxj0jXV7uEcBtRtyPyOk2uw4HJDBLQyyOglUUxcQZJFCFp2fCHmNyttmUJQ5U9cu +yw9lKhsyBJ5TB4psbp64_0EalITeAGrpuH1I1N2m1O5ZY8pmrpPtA1Mb5rQ4IJqiVbZgHTcvSiN5 +Z2SilurhI1vq4_aN_UZJQvEnw9U5WU3ysphsQk8RZKbFH4W9GDtmEGbAkRkTy17KrDIuMpe--XJF +SQHUd4tzxbiYVYHKdF6Ce1kfQ-DEFXEf7RddwuKbc7tw2pSjy1MVH4HSRoTOQQpewZRTfG-4d3MX +B99-QgufEk1OBkfemuDhdnPty5qkOLUEG_uQKPpD0QDVf-t4OxZqk_8G_dCJcXbmY4VT3V7pdN_I +qp2xP98wGcIPuLGlEB8px94jKdUolkqeV_UTmmkTGz-szLzgK_YhnnVJn8VeyNsPTwAFUlqiPTyT +n_7rCb_6nNKlriadaHu6IuJWehv03ZR9jS0P1Y3YLM286deCLFu93lN3nY4yf-SEguASdHJNCBFJ +RQViYm8Tfuim5F0KQGafheGcdZxTvBFihnDduQWNBR_bDB9zfD6OtvvkseyyWHt3gHkJm5QeCjWK +RzRvbjLpUnA31cJeEXmnmhB5qMAvjn8yORKcotn3u4MXdHEk-s8vR_SKykS6IcaYE1xxbowtg-UG +d1iaky1NFYa2VZ4pGx9lD93GDTDynmOSfzVeVsxhTu_5rAanpDkUYVuxOzajmRh55I8a6dRk \ No newline at end of file diff --git a/packages/docker/src/main/docker/docker-files/certs/org.onap.so.trust.jks b/packages/docker/src/main/docker/docker-files/certs/org.onap.so.trust.jks new file mode 100644 index 0000000000..71c6e776a3 Binary files /dev/null and b/packages/docker/src/main/docker/docker-files/certs/org.onap.so.trust.jks differ diff --git a/packages/docker/src/main/docker/docker-files/scripts/start-app.sh b/packages/docker/src/main/docker/docker-files/scripts/start-app.sh index cb5586d61d..cea680c682 100644 --- a/packages/docker/src/main/docker/docker-files/scripts/start-app.sh +++ b/packages/docker/src/main/docker/docker-files/scripts/start-app.sh @@ -77,7 +77,11 @@ if [ ! -z "${TRUSTSTORE}" ]; then jksargs="$jksargs -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}" fi -jvmargs="${JVM_ARGS} -Djava.security.egd=file:/dev/./urandom -Dlogs_dir=${LOG_PATH} -Dlogging.config=/app/logback-spring.xml $jksargs -Dspring.config.additional-location=$CONFIG_PATH ${SSL_DEBUG} ${DISABLE_SNI}" +if [ -z "${ACTIVE_PROFILE}" ]; then + export ACTIVE_PROFILE="basic" +fi + +jvmargs="${JVM_ARGS} -Dspring.profiles.active=${ACTIVE_PROFILE} -Djava.security.egd=file:/dev/./urandom -Dlogs_dir=${LOG_PATH} -Dlogging.config=/app/logback-spring.xml $jksargs -Dspring.config.additional-location=$CONFIG_PATH ${SSL_DEBUG} ${DISABLE_SNI}" echo "JVM Arguments: ${jvmargs}" -- cgit 1.2.3-korg