Merge branch 'users/kiveerap/DisablingAADAuth' into 'master'

Disabling aad auth for legal service See merge request !52

Merge branch 'users/kiveerap/DisablingAADAuth' into 'master'
45f34d1e · Hema Vishnu Pola [Microsoft] · 0169c1d8 · fa49405b · 45f34d1e · 45f34d1e
Commit 45f34d1e authored 4 years ago by Hema Vishnu Pola [Microsoft]
--- a/devops/azure/chart/templates/deployment.yaml
+++ b/devops/azure/chart/templates/deployment.yaml
@@ -118,3 +118,5 @@ spec:
            value: http://entitlements-azure/entitlements/v1
          - name: entitlements_service_api_key
            value: "OBSOLETE"
+          - name: azure_istioauth_enabled
+            value: "true"
--- a/provider/legal-azure/README.md
+++ b/provider/legal-azure/README.md
@@ -60,6 +60,7 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
 | `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-tenant-id` |
 | `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` |
 | `appinsights_key` | `********` | API Key for App Insights | yes | output of infrastructure deployment |
+| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |

 **Required to run integration tests**


--- a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
+++ b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
@@ -15,18 +15,22 @@
 package org.opengroup.osdu.legal.azure.security;

 import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.parameters.P;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

 import javax.inject.Inject;

 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)
 public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
+
    @Inject
    private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;


--- a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java
+++ b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java
+//  Copyright © Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package org.opengroup.osdu.legal.azure.security;
+
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "true", matchIfMissing = true)
+public class AzureIstioSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.httpBasic().disable()
+                .csrf().disable();  //AuthN is disabled. AuthN is handled by sidecar proxy
+    }
+}
--- a/provider/legal-azure/src/main/resources/application.properties
+++ b/provider/legal-azure/src/main/resources/application.properties
@@ -21,10 +21,14 @@ AUTHORIZE_API_KEY=${entitlements_service_api_key}
 LEGAL_HOSTNAME=notused
 CRON_JOB_IP=10.0.0.1

-# Azure AD configuration for OpenIDConnect
-azure.activedirectory.session-stateless=true
-azure.activedirectory.client-id=${aad_client_id}
-azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
+# Azure AD configuration for OpenIDConnect, commented below settings to disable AAD AuthN ,
+# Uncomment it In the Istio AUTHN disabled Scenario
+#azure.activedirectory.session-stateless=true
+#azure.activedirectory.client-id=${aad_client_id}
+#azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
+
+# Istio Auth Enabled
+azure.istio.auth.enabled=${azure_istioauth_enabled}

 # Azure CosmosDB configuration
 azure.cosmosdb.database=${cosmosdb_database}
@@ -49,4 +53,4 @@ spring.application.name=legal-azure

 #logging configuration
 logging.transaction.enabled=true
-logging.slf4jlogger.enabled=true
\ No newline at end of file
+logging.slf4jlogger.enabled=true