Merge branch 'users/kiveerap/DisableAADAuth' into 'master'

Disabling AAD auth in indexer service

See merge request !30

NOTICE

@@ -237,6 +237,7 @@ The following software have components provided under the terms of this license:
 - Google HTTP Client Library for Java (from https://github.com/google/google-http-java-client.git)
 - Google OAuth Client Library for Java (from )
 - Gson (from https://github.com/google/gson)
+- Gson (from https://github.com/google/gson)
 - Guava InternalFutureFailureAccess and InternalFutures (from )
 - Guava ListenableFuture only (from )
 - Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
@@ -318,10 +319,10 @@ The following software have components provided under the terms of this license:
 - Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Log4j 2 Appender (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Logback Appender (from https://github.com/Microsoft/ApplicationInsights-Java)
+- Mockito (from http://www.mockito.org)
 - Mockito (from http://mockito.org)
 - Mockito (from http://mockito.org)
 - Mockito (from http://mockito.org)
-- Mockito (from http://www.mockito.org)
 - Mojo's Maven plugin for Cobertura (from http://mojo.codehaus.org/cobertura-maven-plugin/)
 - Netty Reactive Streams Implementation (from )
 - Netty/Buffer (from http://netty.io/)
@@ -395,6 +396,7 @@ The following software have components provided under the terms of this license:
 - Spring Context (from https://github.com/spring-projects/spring-framework)
 - Spring Core (from https://github.com/spring-projects/spring-framework)
 - Spring Data Core (from )
+- Spring Data Core (from )
 - Spring Expression Language (SpEL) (from https://github.com/spring-projects/spring-framework)
 - Spring JMS (from https://github.com/spring-projects/spring-framework)
 - Spring Messaging (from https://github.com/spring-projects/spring-framework)
@@ -515,6 +517,7 @@ The following software have components provided under the terms of this license:
 - Plexus :: Default Container (from )
 - Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
 - StAX (from http://stax.codehaus.org/)
+- Stax2 API (from http://github.com/FasterXML/stax2-api)
 - jersey-ext-bean-validation (from )
 - jersey-spring4 (from )
 - oro (from )
@@ -765,6 +768,7 @@ The following software have components provided under the terms of this license:
 
 - OSGi resource locator (from )
 - Project Lombok (from https://projectlombok.org)
+- Project Lombok (from https://projectlombok.org)
 - SnakeYAML (from http://www.snakeyaml.org)
 - javax.ws.rs-api (from http://jax-rs-spec.java.net)
 
@@ -856,19 +860,21 @@ The following software have components provided under the terms of this license:
 - Microsoft Azure client library for Identity (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure client library for KeyVault Secrets (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure common module for Storage (from https://github.com/Azure/azure-sdk-for-java)
-- Mockito (from http://www.mockito.org)
 - Mockito (from http://mockito.org)
 - Mockito (from http://mockito.org)
 - Mockito (from http://mockito.org)
+- Mockito (from http://www.mockito.org)
 - Netty/Codec/HTTP (from )
 - Netty/Common (from )
 - Plexus :: Default Container (from )
 - Plexus Default Interactivity Handler (from )
 - Project Lombok (from https://projectlombok.org)
+- Project Lombok (from https://projectlombok.org)
 - SLF4J API Module (from http://www.slf4j.org)
 - Spring Data for Azure Cosmos DB SQL API (from https://github.com/Microsoft/spring-data-cosmosdb)
 - adal4j (from https://github.com/AzureAD/azure-activedirectory-library-for-java)
 - azure-documentdb (from https://azure.microsoft.com/en-us/services/cosmos-db/)
+- micrometer-core (from https://github.com/micrometer-metrics/micrometer)
 - msal4j (from https://github.com/AzureAD/microsoft-authentication-library-for-java)
 - spring-security-core (from http://spring.io/spring-security)
 
@@ -901,7 +907,6 @@ The following software have components provided under the terms of this license:
 - jersey-core-common (from )
 - jersey-core-server (from git://java.net/jersey~code/jersey-server)
 - jts-core (from )
-- reactive-streams (from http://www.reactive-streams.org/)
 - xml-apis (from )
 
 ========================================================================
@@ -955,8 +960,10 @@ The following software have components provided under the terms of this license:
 - Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure client library for Blob Storage (from https://github.com/Azure/azure-sdk-for-java)
 - Project Lombok (from https://projectlombok.org)
+- Project Lombok (from https://projectlombok.org)
 - Spring Security JWT Library (from http://github.com/spring-projects/spring-security-oauth)
 - Spring Web (from https://github.com/spring-projects/spring-framework)
+- reactive-streams (from http://www.reactive-streams.org/)
 
 ========================================================================
 unknown

devops/azure/chart/templates/deployment.yaml

@@ -129,3 +129,5 @@ spec:
           value: http://storage/api/storage/v2/query/records:batch
         - name: STORAGE_QUERY_RECORD_HOST
           value: http://storage/api/storage/v2/records
+        - name: azure_istioauth_enabled
+          value: "true"

provider/indexer-azure/README.md

@@ -56,6 +56,7 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
 | `AZURE_CLIENT_ID` | `********` | Identity to run the service locally. This enables access to Azure resources. You only need this if running locally | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-username` |
 | `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-tenant-id` |
 | `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` |
+| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |
 
 **Required to run integration tests**
 

provider/indexer-azure/src/main/java/org/opengroup/osdu/indexer/azure/security/AADSecurityConfig.java

@@ -15,6 +15,7 @@
 package org.opengroup.osdu.indexer.azure.security;
 
 import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -26,6 +27,7 @@ import javax.inject.Inject;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)
 public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
     @Inject
     private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;

provider/indexer-azure/src/main/java/org/opengroup/osdu/indexer/azure/security/AzureIstioSecurityConfig.java

+//  Copyright © Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package org.opengroup.osdu.indexer.azure.security;
+
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "true", matchIfMissing = true)
+public class AzureIstioSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.httpBasic().disable()
+                .csrf().disable();  //AuthN is disabled. AuthN is handled by sidecar proxy
+    }
+}

provider/indexer-azure/src/main/resources/application.properties

@@ -43,9 +43,13 @@ STORAGE_RECORDS_BATCH_SIZE=20
 
 INDEXER_QUEUE_HOST=http://127.0.0.1:9000
 
-#AzureADconfiguration
-azure.activedirectory.session-stateless=true
-azure.activedirectory.client-id=${aad_client_id}
+#AzureADconfiguration, commented below settings to disable AAD AuthN ,
+#Uncomment it In the Istio AUTHN disabled Scenario
+#azure.activedirectory.session-stateless=true
+#azure.activedirectory.client-id=${aad_client_id}
+
+# Istio Auth Enabled
+azure.istio.auth.enabled=${azure_istioauth_enabled}
 
 azure.cosmosdb.uri=${cosmosdb_account}
 azure.cosmosdb.key=${cosmosdb_key}