Commit da540e38 authored by Hema Vishnu Pola [Microsoft]'s avatar Hema Vishnu Pola [Microsoft]
Browse files

Merge branch 'users/kiveerap/DisablingAADAuth' into 'master'

Disabling AAD authentication In Entitlement service

See merge request !17
parents a28a76ce c09c8c3e
Pipeline #8141 canceled with stages
in 6 minutes and 34 seconds
...@@ -51,6 +51,7 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA ...@@ -51,6 +51,7 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
| `AZURE_CLIENT_ID` | `********` | Identity to run the service locally. This enables access to Azure resources. You only need this if running locally | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-username` | | `AZURE_CLIENT_ID` | `********` | Identity to run the service locally. This enables access to Azure resources. You only need this if running locally | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-username` |
| `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | -- | | `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | -- |
| `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` | | `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` |
| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |
**Required to run integration tests** **Required to run integration tests**
......
...@@ -94,3 +94,5 @@ spec: ...@@ -94,3 +94,5 @@ spec:
value: osdu-db value: osdu-db
- name: service_domain_name - name: service_domain_name
value: contoso.com value: contoso.com
- name: azure_istioauth_enabled
value: "true"
...@@ -16,6 +16,7 @@ package org.opengroup.osdu.azure.entitlements.security; ...@@ -16,6 +16,7 @@ package org.opengroup.osdu.azure.entitlements.security;
import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter; import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
...@@ -25,6 +26,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic ...@@ -25,6 +26,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
@EnableWebSecurity @EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) @EnableGlobalMethodSecurity(prePostEnabled = true)
@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)
public class AADSecurityConfig extends WebSecurityConfigurerAdapter { public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired @Autowired
private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter; private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
......
// Copyright © Microsoft Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.azure.entitlements.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "true", matchIfMissing = true)
public class AzureIstioSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AzureIstioSecurityFilter appRoleAuthFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().disable()
.csrf().disable()
.addFilterBefore(appRoleAuthFilter, UsernamePasswordAuthenticationFilter.class);
}
}
package org.opengroup.osdu.azure.entitlements.security;
import com.microsoft.azure.spring.autoconfigure.aad.UserPrincipal;
import com.nimbusds.jwt.JWTClaimsSet;
import net.minidev.json.JSONArray;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.text.ParseException;
import java.util.*;
import java.util.stream.Collectors;
import static org.springframework.util.StringUtils.hasText;
/**
* For istio authentication filter.
*/
@Component
public final class AzureIstioSecurityFilter extends OncePerRequestFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(AzureIstioSecurityFilter.class);
private static final String X_ISTIO_CLAIMS_PAYLOAD = "x-payload";
private static final JSONArray DEFAULT_ROLE_CLAIM = new JSONArray().appendElement("USER");
private static final String ROLE_PREFIX = "ROLE_";
/**
* Filter logic.
* @param servletRequest Request object.
* @param servletResponse Response object.
* @param filterChain Filter Chain object.
* @throws IOException
* @throws ServletException
*/
@Override
protected void doFilterInternal(final HttpServletRequest servletRequest, final HttpServletResponse servletResponse, final FilterChain filterChain) throws ServletException, IOException {
final String istioPayload = servletRequest.getHeader(X_ISTIO_CLAIMS_PAYLOAD);
LOGGER.info(String.format("Received headers list: %s", Collections.list(servletRequest.getHeaderNames())));
try {
if (hasText(istioPayload)) {
JWTClaimsSet claimsSet = JWTClaimsSet.parse(new String(Base64.getDecoder().decode(istioPayload)));
final JSONArray roles = Optional.ofNullable((JSONArray) claimsSet.getClaims().get("roles"))
.filter(r -> !r.isEmpty())
.orElse(DEFAULT_ROLE_CLAIM);
// By default the authenticated is set to true as part PreAuthenticatedAuthenticationToken constructor.
SecurityContextHolder
.getContext()
.setAuthentication(
new PreAuthenticatedAuthenticationToken(
new UserPrincipal(null, claimsSet),
null,
rolesToGrantedAuthorities(roles)
));
} else {
SecurityContextHolder
.getContext()
.setAuthentication(
new PreAuthenticatedAuthenticationToken(
null, null, null
));
}
} catch (ParseException ex) {
LOGGER.error("Failed to initialize UserPrincipal.", ex);
throw new ServletException(ex);
}
try {
filterChain.doFilter(servletRequest, servletResponse);
} finally {
SecurityContextHolder.clearContext();
}
}
/**
* To return roles.
* @param roles Request Object.
* @return set representation of roles.
*/
protected Set<SimpleGrantedAuthority> rolesToGrantedAuthorities(final JSONArray roles) {
return roles.stream()
.filter(Objects::nonNull)
.map(s -> new SimpleGrantedAuthority(ROLE_PREFIX + s))
.collect(Collectors.toSet());
}
}
...@@ -18,10 +18,14 @@ server.servlet.contextPath=/entitlements/v1/ ...@@ -18,10 +18,14 @@ server.servlet.contextPath=/entitlements/v1/
service.domain.name=${service_domain_name} service.domain.name=${service_domain_name}
# Azure AD configuration # Azure AD configuration, commented below settings to disable AAD AuthN ,
azure.activedirectory.client-id=${aad_client_id} # Uncomment it In the Istio AUTHN disabled Scenario
azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id} #azure.activedirectory.client-id=${aad_client_id}
azure.activedirectory.session-stateless=true #azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
#azure.activedirectory.session-stateless=true
# Istio Auth Enabled
azure.istio.auth.enabled=${azure_istioauth_enabled}
# Azure CosmosDB configuration # Azure CosmosDB configuration
azure.cosmosdb.database=${cosmosdb_database} azure.cosmosdb.database=${cosmosdb_database}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment