From 175318ab0194dfe1f75979d1d56d8e8c750a32c5 Mon Sep 17 00:00:00 2001 From: "Benjamin, Max" Date: Mon, 6 Jan 2020 11:53:58 -0500 Subject: consolidated security configuration consolidated security configuration into common package Issue-ID: SO-2584 Signed-off-by: Benjamin, Max (mb388a) Change-Id: I1e78259ffbf88e792f1f7a5a10cd1fdad8eaea36 --- .../java/org/onap/so/security/SecurityFilters.java | 41 ++++++++ .../java/org/onap/so/security/SoCadiFilter.java | 117 +++++++++++++++++++++ .../org/onap/so/security/WebSecurityConfig.java | 6 +- .../onap/so/security/WebSecurityConfigImpl.java | 79 ++++++++++++++ 4 files changed, 241 insertions(+), 2 deletions(-) create mode 100644 common/src/main/java/org/onap/so/security/SecurityFilters.java create mode 100644 common/src/main/java/org/onap/so/security/SoCadiFilter.java create mode 100644 common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java (limited to 'common/src/main') diff --git a/common/src/main/java/org/onap/so/security/SecurityFilters.java b/common/src/main/java/org/onap/so/security/SecurityFilters.java new file mode 100644 index 0000000000..7ad0fd05df --- /dev/null +++ b/common/src/main/java/org/onap/so/security/SecurityFilters.java @@ -0,0 +1,41 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.security; + +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.core.Ordered; + +@Configuration +@Profile("!test & aaf") +public class SecurityFilters { + + @Bean + public FilterRegistrationBean loginRegistrationBean() { + FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean<>(); + filterRegistrationBean.setFilter(new SoCadiFilter()); + filterRegistrationBean.setName("cadiFilter"); + filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); + return filterRegistrationBean; + } +} diff --git a/common/src/main/java/org/onap/so/security/SoCadiFilter.java b/common/src/main/java/org/onap/so/security/SoCadiFilter.java new file mode 100644 index 0000000000..93700db682 --- /dev/null +++ b/common/src/main/java/org/onap/so/security/SoCadiFilter.java @@ -0,0 +1,117 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP SO + * ================================================================================ + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ +package org.onap.so.security; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +@Component +@Profile("!test & aaf") +public class SoCadiFilter extends CadiFilter { + + protected final Logger logger = LoggerFactory.getLogger(SoCadiFilter.class); + + private static String AFT_ENVIRONMENT_VAR = "AFT_ENVIRONMENT"; + private static String AAF_API_VERSION = "aaf_api_version"; + + @Value("${mso.config.cadi.cadiLoglevel:#{null}}") + private String cadiLoglevel; + + @Value("${mso.config.cadi.cadiKeyFile:#{null}}") + private String cadiKeyFile; + + @Value("${mso.config.cadi.cadiTruststorePassword:#{null}}") + private String cadiTrustStorePassword; + + @Value("${mso.config.cadi.cadiTrustStore:#{null}}") + private String cadiTrustStore; + + @Value("${mso.config.cadi.cadiLatitude:#{null}}") + private String cadiLatitude; + + @Value("${mso.config.cadi.cadiLongitude:#{null}}") + private String cadiLongitude; + + @Value("${mso.config.cadi.aafEnv:#{null}}") + private String aafEnv; + + @Value("${mso.config.cadi.aafApiVersion:#{null}}") + private String aafApiVersion; + + @Value("${mso.config.cadi.aafRootNs:#{null}}") + private String aafRootNs; + + @Value("${mso.config.cadi.aafId:#{null}}") + private String aafMechId; + + @Value("${mso.config.cadi.aafPassword:#{null}}") + private String aafMechIdPassword; + + @Value("${mso.config.cadi.aafLocateUrl:#{null}}") + private String aafLocateUrl; + + @Value("${mso.config.cadi.aafUrl:#{null}}") + private String aafUrl; + + @Value("${mso.config.cadi.apiEnforcement:#{null}}") + private String apiEnforcement; + + private void checkIfNullProperty(String key, String value) { + /* + * When value is null, it is not defined in application.yaml set nothing in System properties + */ + if (value != null) { + System.setProperty(key, value); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiLoglevel); + checkIfNullProperty(Config.CADI_KEYFILE, cadiKeyFile); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiTrustStore); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiTrustStorePassword); + checkIfNullProperty(Config.CADI_LATITUDE, cadiLatitude); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiLongitude); + checkIfNullProperty(Config.AAF_ENV, aafEnv); + checkIfNullProperty(Config.AAF_API_VERSION, aafApiVersion); + checkIfNullProperty(Config.AAF_ROOT_NS, aafRootNs); + checkIfNullProperty(Config.AAF_APPID, aafMechId); + checkIfNullProperty(Config.AAF_APPPASS, aafMechIdPassword); + checkIfNullProperty(Config.AAF_LOCATE_URL, aafLocateUrl); + checkIfNullProperty(Config.AAF_URL, aafUrl); + checkIfNullProperty(Config.CADI_API_ENFORCEMENT, apiEnforcement); + // checkIfNullProperty(AFT_ENVIRONMENT_VAR, aftEnv); + logger.debug(" *** init Filter Config *** "); + super.init(filterConfig); + } + + +} diff --git a/common/src/main/java/org/onap/so/security/WebSecurityConfig.java b/common/src/main/java/org/onap/so/security/WebSecurityConfig.java index 44ac62d14f..2eafc6c9cd 100644 --- a/common/src/main/java/org/onap/so/security/WebSecurityConfig.java +++ b/common/src/main/java/org/onap/so/security/WebSecurityConfig.java @@ -43,8 +43,10 @@ public class WebSecurityConfig { @PostConstruct private void addRoles() { - for (int i = 0; i < credentials.size(); i++) { - roles.add(credentials.get(i).getRole()); + if (credentials != null) { + for (int i = 0; i < credentials.size(); i++) { + roles.add(credentials.get(i).getRole()); + } } } diff --git a/common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java b/common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java new file mode 100644 index 0000000000..c84c7e8603 --- /dev/null +++ b/common/src/main/java/org/onap/so/security/WebSecurityConfigImpl.java @@ -0,0 +1,79 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Modifications Copyright (c) 2019 Samsung + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.security; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.firewall.StrictHttpFirewall; +import org.springframework.util.StringUtils; + +@EnableWebSecurity +@Configuration() +public class WebSecurityConfigImpl extends WebSecurityConfig { + + @Profile({"basic"}) + @Bean + public WebSecurityConfigurerAdapter basicAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + protected void configure(HttpSecurity http) throws Exception { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and() + .httpBasic(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + super.configure(web); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth.userDetailsService(WebSecurityConfigImpl.this.userDetailsService()) + .passwordEncoder(WebSecurityConfigImpl.this.passwordEncoder()); + } + }; + } + + @Profile({"aaf", "test"}) + @Bean + public WebSecurityConfigurerAdapter noAuth() { + return new WebSecurityConfigurerAdapter() { + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().antMatchers("/**"); + StrictHttpFirewall firewall = new MSOSpringFirewall(); + web.httpFirewall(firewall); + } + }; + } + +} -- cgit 1.2.3-korg