From fa49405bee32b9e7e322dc79b6268dbd5c06638e Mon Sep 17 00:00:00 2001
From: kiranveerapaneni <52478617+kiranveerapaneni@users.noreply.github.com>
Date: Fri, 11 Sep 2020 19:59:58 +0530
Subject: [PATCH] Disabling aad auth for legal service

---
 devops/azure/chart/templates/deployment.yaml | 2 ++
 provider/legal-azure/README.md | 1 +
 .../azure/security/AADSecurityConfig.java | 4 +++
 .../security/AzureIstioSecurityConfig.java | 35 +++++++++++++++++++
 .../src/main/resources/application.properties | 14 +++++---
 5 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java

diff --git a/devops/azure/chart/templates/deployment.yaml b/devops/azure/chart/templates/deployment.yaml
index e91ce1e02..88d1cd931 100644
--- a/devops/azure/chart/templates/deployment.yaml
+++ b/devops/azure/chart/templates/deployment.yaml
@@ -118,3 +118,5 @@ spec:
 value: http://entitlements-azure/entitlements/v1
 - name: entitlements_service_api_key
 value: "OBSOLETE"
+ - name: azure_istioauth_enabled
+ value: "true"
diff --git a/provider/legal-azure/README.md b/provider/legal-azure/README.md
index 9154f0013..5f4f747f5 100644
--- a/provider/legal-azure/README.md
+++ b/provider/legal-azure/README.md
@@ -60,6 +60,7 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
 | `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-tenant-id` |
 | `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` |
 | `appinsights_key` | `********` | API Key for App Insights | yes | output of infrastructure deployment |
+| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |
 
 **Required to run integration tests**
 
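Review bot: The new `azure_istioauth_enabled` entry is hard-coded to `"true"` in the template, so every release cut from this chart starts the legal service with application-level AuthN switched off, and an operator cannot keep AAD enabled without editing the template itself. The neighbouring entries in this hunk are literal values too, so this follows the file's existing pattern, but an authentication switch deserves to come from the chart values with an explicit default so the chosen auth mode is visible and reviewable per environment rather than buried in a template. Since the Java side also treats a missing property as Istio mode, this template is currently the only place where that default is recorded; a comment next to the entry such as `# "true" disables AAD AuthN in the service; the Istio sidecar is then the only authentication layer` would at least make the consequence explicit.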
diff --git a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
index 1c96f3def..cd284dfe0 100644
--- a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
+++ b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
@@ -15,18 +15,22 @@
 package org.opengroup.osdu.legal.azure.security;
 
 import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.parameters.P;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 import javax.inject.Inject;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)
 public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
+
 @Inject
 private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
 
diff --git a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java
new file mode 100644
index 000000000..2de6575c2
--- /dev/null
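Review bot: With `matchIfMissing = false` here and `matchIfMissing = true` on the new AzureIstioSecurityConfig, a deployment that never sets `azure.istio.auth.enabled` silently gets the configuration that performs no AuthN, i.e. the switch fails open; the safer arrangement is to make the AAD adapter the fallback, `@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = true)` here and `matchIfMissing = false` in AzureIstioSecurityConfig. A value that is neither `true` nor `false` currently activates neither adapter; as far as I can tell what Spring Boot then falls back to is decided outside this hunk, so that case deserves a test or a startup check. The added `import org.springframework.security.core.parameters.P;` is not referenced anywhere in the hunk and looks like an IDE artefact; drop it. The rest of the class body continues past the end of the hunk, so the interaction of the new condition with its `configure` overrides was not reviewed here.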
+++ b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java
@@ -0,0 +1,35 @@
+// Copyright © Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.opengroup.osdu.legal.azure.security;
+
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "true", matchIfMissing = true)
+public class AzureIstioSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.httpBasic().disable()
+ .csrf().disable(); //AuthN is disabled. AuthN is handled by sidecar proxy
+ }
+}
diff --git a/provider/legal-azure/src/main/resources/application.properties b/provider/legal-azure/src/main/resources/application.properties
index 6744890ff..f4835b67e 100644
--- a/provider/legal-azure/src/main/resources/application.properties
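Review bot: The new AzureIstioSecurityConfig carries no class-level Javadoc although it encodes a strong deployment assumption: `configure` disables CSRF and basic auth and registers no `authorizeRequests()` rule, so at the Spring layer every request reaches the controllers unauthenticated and the Istio sidecar becomes the only authentication boundary. I would add a Javadoc on the class stating that it is active whenever `azure.istio.auth.enabled` is `true` or unset, that it must only be deployed where the pod is reachable exclusively through the sidecar that performs AuthN, and that it is mutually exclusive with AADSecurityConfig. The class also keeps `@EnableGlobalMethodSecurity(prePostEnabled = true)` while placing no `Authentication` in the security context, so any `@PreAuthorize` expressions in the service that expect AAD roles would presumably now evaluate against an unauthenticated principal — worth confirming against the controllers. A minor style point: the trailing `//AuthN is disabled. AuthN is handled by sidecar proxy` comment would read better as a line comment above the `http.httpBasic()` statement.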
+++ b/provider/legal-azure/src/main/resources/application.properties
@@ -21,10 +21,14 @@ AUTHORIZE_API_KEY=${entitlements_service_api_key}
 LEGAL_HOSTNAME=notused
 CRON_JOB_IP=10.0.0.1
 
-# Azure AD configuration for OpenIDConnect
-azure.activedirectory.session-stateless=true
-azure.activedirectory.client-id=${aad_client_id}
-azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
+# Azure AD configuration for OpenIDConnect, commented below settings to disable AAD AuthN ,
+# Uncomment it In the Istio AUTHN disabled Scenario
+#azure.activedirectory.session-stateless=true
+#azure.activedirectory.client-id=${aad_client_id}
+#azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
+
+# Istio Auth Enabled
+azure.istio.auth.enabled=${azure_istioauth_enabled}
 
 # Azure CosmosDB configuration
 azure.cosmosdb.database=${cosmosdb_database}
@@ -49,4 +53,4 @@ spring.application.name=legal-azure
 
 #logging configuration
 logging.transaction.enabled=true
-logging.slf4jlogger.enabled=true
\ No newline at end of file
+logging.slf4jlogger.enabled=true
-- 
GitLab
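Review bot: `azure.istio.auth.enabled=${azure_istioauth_enabled}` has no default, so when the environment variable is unset the placeholder is unresolvable and what happens at startup then depends on Spring's handling of that case rather than on a decision recorded in this file. An explicit fail-closed default, `azure.istio.auth.enabled=${azure_istioauth_enabled:false}`, selects the AAD configuration for an unconfigured deployment and, since the AAD properties are now commented out, presumably makes such a deployment fail at startup rather than run without AuthN — worth confirming. Commenting the AAD settings out also means the flag alone is not enough to re-enable AAD: the file has to be edited as well, and the comment that says so is hard to parse; I would replace the two added comment lines with `# Azure AD configuration for OpenIDConnect. Commented out while Istio handles AuthN;` and `# uncomment these when running with azure.istio.auth.enabled=false (AAD AuthN).`. The second hunk only restores the trailing newline.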