Search merge requests
Feed: https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests
Updated: 2021-03-22T22:59:52Z

---

Merge request 89: (GONRG-1759) - Fix post merge issue in :search-azure
Link: https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/89
Updated: 2021-03-22T22:59:52Z
Author: Dmitriy Rudko
Milestone: M1 - Release 0.1
Assignees: Daniel Scholl, Jason

---

Merge request 85: Integration Search service query api authorization with Policy service
Link: https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/85
Updated: 2023-08-18T22:07:37Z
Author: Alok Joshi

Add support for validating authorization via Policy service. Policy service is togglable and requires setting the `service.policy.enabled` configuration setting. By default this configuration is disabled and authorization works by building the authorization filter within the elastic query.
Providers must deploy policy and partition service before enabling this option.
Issue https://community.opengroup.org/osdu/platform/system/search-service/-/issues/27

Milestone: M5 - Release 0.8
Assignees: Alok Joshi

---

Merge request 81: (GONRG-1759) Fix Security response headers issue
Link: https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/81
Updated: 2023-08-18T22:07:42Z
Author: Igor Filippov (EPAM)

**Issue**
Testing team reported "VULN-05 HSTS and CSP not implemented properly".
The report is attached to the GONRG-1637: [^API security testing report _Trajectory.pdf].
They say "The HSTS and CSP headers are not implemented. A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate".
Reported contexts: STORAGE, DELIVERY
**Replay and analysis**
Debugged Search service API:
```
curl --location --request POST 'https://os-search-attcrcktoa-uc.a.run.app/api/search/v2/query' \
--header 'Authorization: Bearer <token>' \
--header 'data-partition-id: osdu' \
--header 'Content-Type: application/json' \
--data-raw '{
"kind": "osdu:osdu:*:0.2.0",
"query": "BIR*"
}'
```
- Noticed the absence of security headers (Strict-Transport-Security, Content-Security-Policy etc.) in responses
- Analyzed Search service Java code:
  - found no "active" code for setting security headers on responses
  - found the inactivated class "org.opengroup.osdu.search.middleware.CorrelationIDRequestFilter" designed to set the needed headers
  - the class is inactivated by the commented-out "@Component" annotation
  - the CorrelationIDRequestFilter component should be reviewed, actualized and reactivated
  - see the similar functionality code we have in Storage service: GONRG-1756
## Type of change
- [X] Bug Fix
- [ ] Feature
## Does this introduce a change in the core logic?
- [YES]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [x] AWS
- [x] Azure
- [x] GCP
- [x] IBM
## Does this introduce a breaking change?
- [NO]
## Have you added/updated Unit Tests and Integration Tests?
- [NO]

Milestone: M5 - Release 0.8
Assignees: Dmitriy Rudko, Rostislav Dublin (EPAM)
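The analysis in merge request 81 traces the missing HSTS/CSP headers to a servlet filter whose `@Component` annotation had been commented out. The following is an added illustration, written for this page and not the search-service's own `CorrelationIDRequestFilter` (whose code is not shown here): a Spring `OncePerRequestFilter` that stamps the headers on every response, with a unit test that fails if any of them goes missing again. The package `org.example.search.middleware`, the class name `SecurityHeadersFilter`, the header values, and the Spring Boot 2.x / `javax.servlet` stack are assumptions of the example.

```java
// Added illustration, not the search-service's CorrelationIDRequestFilter.
// Assumptions: Spring Boot 2.x (javax.servlet), spring-test and JUnit 5 on the
// classpath, and the hypothetical package/class names below.
package org.example.search.middleware;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// @Component is what registers the filter with Spring. The MR above found the
// project's filter class present but with exactly this annotation commented out,
// which is why no response carried the headers.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SecurityHeadersFilter extends OncePerRequestFilter {

    // One year, including subdomains: the usual HSTS value for an API host (assumed here).
    static final String HSTS = "max-age=31536000; includeSubDomains";
    // A JSON API renders no documents, so the policy can deny all sources and forbid framing.
    static final String CSP = "default-src 'none'; frame-ancestors 'none'";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Set the headers BEFORE handing the request on: once a controller or an
        // exception handler commits the response, headers added afterwards are
        // silently dropped, so "set after chain.doFilter" loses them on error paths.
        response.setHeader("Strict-Transport-Security", HSTS);
        response.setHeader("Content-Security-Policy", CSP);
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }
}

// Regression test (would normally live under src/test/java): exercises the filter
// with Spring's mock servlet objects, no running server required.
class SecurityHeadersFilterTest {

    @Test
    void everyResponseCarriesSecurityHeaders() throws Exception {
        // Constructed request mirroring the query endpoint debugged in the MR.
        MockHttpServletRequest request =
                new MockHttpServletRequest("POST", "/api/search/v2/query");
        MockHttpServletResponse response = new MockHttpServletResponse();

        new SecurityHeadersFilter().doFilter(request, response, new MockFilterChain());

        assertEquals(SecurityHeadersFilter.HSTS, response.getHeader("Strict-Transport-Security"));
        assertEquals(SecurityHeadersFilter.CSP, response.getHeader("Content-Security-Policy"));
        assertEquals("nosniff", response.getHeader("X-Content-Type-Options"));
        assertEquals("DENY", response.getHeader("X-Frame-Options"));
    }
}
```

To confirm the fix on a deployed instance, repeat the MR's `curl` request with `-sS -D - -o /dev/null` added so that only the response headers are printed, and check that `Strict-Transport-Security` and `Content-Security-Policy` appear. Two caveats a reviewer would raise: browsers honour HSTS only when the header arrives over HTTPS, so whatever terminates TLS in front of the service (the `*.a.run.app` endpoint in the example) must pass the header through unchanged; and the unit test above guards the filter class but not its registration, so an integration test that hits a real endpoint is the one that would have caught the commented-out `@Component`.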