invoke authenticationRequestFilter from AKS SecurityConfig

9b202a3f · Sherman Yang · e88b3b17 · 9b202a3f · 9b202a3f · 9b202a3f
Commit 9b202a3f authored 4 years ago by Sherman Yang
--- a/data/devops/azure/stages.yml
+++ b/data/devops/azure/stages.yml
@@ -11,36 +11,40 @@ stages:
      - group: 'Azure Target Env - ${{environment.name}}' 

      jobs:
-        - job: MavenPackageAndPublishArtifacts
+        - deployment: MavenPackageAndPublishArtifacts
          displayName: Build Package and Publish Artifacts
-          
+
+          environment: ${{ environment.name }}
          pool: $(AGENT_POOL)

-          steps:
-          - download: none
-
-          - checkout: self
-            path: s
-
-          - task: AzureCLI@1
-            displayName: 'Docker Build + ACR Push'
-            # condition: and(succeeded(), eq('${{ parameters.providerName }}', 'Azure'))
-            env:
-              IMAGE: $(CONTAINER_REGISTRY_NAME).azurecr.io/unit-catalog-data:v2
-            inputs:
-              azureSubscription: '$(SERVICE_CONNECTION_NAME)'
-              addSpnToEnvironment: true
-              scriptLocation: inlineScript
-              inlineScript: |
-                #!/usr/bin/env bash
-                set -euo pipefail
-
-                curl -L https://aka.ms/acr/installaad/bash | /bin/bash
-                echo "Logging in to the ACR Registry"
-                echo "------------------------------------"
-                az acr login -n $(CONTAINER_REGISTRY_NAME)
-
-                pushd data
-                docker build -t $IMAGE .
-                docker push $IMAGE
-                popd
+          strategy:
+            runOnce:
+              deploy:
+                  steps:
+                  - download: none
+
+                  - checkout: self
+                    path: s
+
+                  - task: AzureCLI@1
+                    displayName: 'Docker Build + ACR Push'
+                    # condition: and(succeeded(), eq('${{ parameters.providerName }}', 'Azure'))
+                    env:
+                      IMAGE: $(CONTAINER_REGISTRY_NAME).azurecr.io/unit-catalog-data:v2
+                    inputs:
+                      azureSubscription: '$(SERVICE_CONNECTION_NAME)'
+                      addSpnToEnvironment: true
+                      scriptLocation: inlineScript
+                      inlineScript: |
+                        #!/usr/bin/env bash
+                        set -euo pipefail
+
+                        curl -L https://aka.ms/acr/installaad/bash | /bin/bash
+                        echo "Logging in to the ACR Registry"
+                        echo "------------------------------------"
+                        az acr login -n $(CONTAINER_REGISTRY_NAME)
+
+                        pushd data
+                        docker build -t $IMAGE .
+                        docker push $IMAGE
+                        popd
--- a/devops/azure/pipeline.yml
+++ b/devops/azure/pipeline.yml
@@ -63,6 +63,9 @@ stages:
      testCoreMavenOptions: ''
      skipDeploy: ${{ variables.SKIP_DEPLOY }}
      skipTest: 'true'
+      runPythonTest: 'true'
+      testPythonFilePath: 'testing/unit_test_azure'
+      testPythonFile: 'run-integration-tests.sh'
      providers:
        -  name: Azure
           environments: ['dev']
--- a/provider/unit-azure/unit-aks/pom.xml
+++ b/provider/unit-azure/unit-aks/pom.xml
@@ -9,7 +9,6 @@
    <groupId>org.opengroup.osdu.unit-service</groupId>
    <artifactId>unit-service</artifactId>
    <version>1.0.0</version>
-    <relativePath>../../../pom.xml</relativePath>
  </parent>

    <packaging>jar</packaging>

--- a/provider/unit-azure/unit-aks/src/main/java/org/opengroup/osdu/unitservice/security/SecurityConfig.java
+++ b/provider/unit-azure/unit-aks/src/main/java/org/opengroup/osdu/unitservice/security/SecurityConfig.java
 package org.opengroup.osdu.unitservice.security;

+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.opengroup.osdu.core.common.model.http.AppError;
+import org.opengroup.osdu.unitservice.middleware.AuthenticationRequestFilter;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;

 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig extends WebSecurityConfigurerAdapter  implements AccessDeniedHandler, AuthenticationEntryPoint {
+
+    private AuthenticationRequestFilter authFilter;
+
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    private static final String[] AUTH_WHITELIST = {
        "/",
@@ -22,13 +44,54 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
        "/csrf"
    };

+    //AuthenticationRequestFilter is not a recognized bean, so construct it manually
+    public SecurityConfig(@Value("${osdu.entitlement.url}") String entitlementsUrl, HandlerExceptionResolver handlerExceptionResolver) {
+        authFilter = new AuthenticationRequestFilter(entitlementsUrl, handlerExceptionResolver);
+    }
+
    @Override
    protected void configure(HttpSecurity http) throws Exception {
-        http.cors()
+        http
+            .cors()
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
-            .authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll();
+            .authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll()
+            .and()
+            .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class);
+    }
+
+
+    @Override
+    public void configure(WebSecurity web) {
+        web.ignoring().antMatchers(AUTH_WHITELIST);
    }
+
+    @Override
+    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
+        writeUnauthorizedError(httpServletResponse);
+    }
+
+    @Override
+    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
+        writeUnauthorizedError(httpServletResponse);
+    }
+
+    private static void writeUnauthorizedError(HttpServletResponse response) throws IOException {
+        AppError appError = AppError.builder()
+                .code(HttpStatus.UNAUTHORIZED.value())
+                .message("The user is not authorized to perform this action")
+                .reason("Unauthorized")
+                .build();
+        String body = OBJECT_MAPPER.writeValueAsString(appError);
+
+        PrintWriter out = response.getWriter();
+        response.setStatus(HttpStatus.UNAUTHORIZED.value());
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        out.print(body);
+        out.flush();
+    }
+
 }
--- a/unit-core/src/main/java/org/opengroup/osdu/unitservice/middleware/AuthenticationRequestFilter.java
+++ b/unit-core/src/main/java/org/opengroup/osdu/unitservice/middleware/AuthenticationRequestFilter.java
@@ -9,11 +9,9 @@ import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
 import org.opengroup.osdu.core.common.model.entitlements.Groups;
 import org.opengroup.osdu.core.common.model.http.DpsHeaders;
 import org.opengroup.osdu.unitservice.util.AppException;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.lang.NonNull;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Component;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
@@ -34,7 +32,6 @@ import javax.servlet.http.HttpServletResponse;

 import static java.util.Collections.emptyList;

-@Component
 public class AuthenticationRequestFilter extends OncePerRequestFilter {

    private static Logger logger = Logger.getLogger(AuthenticationRequestFilter.class.getName());
@@ -42,7 +39,7 @@ public class AuthenticationRequestFilter extends OncePerRequestFilter {
    private final String entitlementsUrl;
    private final HandlerExceptionResolver handlerExceptionResolver;

-    public AuthenticationRequestFilter(@Value("${osdu.entitlement.url}") String entitlementsUrl,
+    public AuthenticationRequestFilter(String entitlementsUrl,
                                       HandlerExceptionResolver handlerExceptionResolver) {
        this.entitlementsUrl = entitlementsUrl;
        this.handlerExceptionResolver = handlerExceptionResolver;