From 346118fb3643c6b6faf4f86e1018a2a24e7ffe2d Mon Sep 17 00:00:00 2001 From: Ravikumar Hawaldar Date: Mon, 7 Feb 2022 15:40:24 +0530 Subject: [PATCH 1/2] OP-12395 : Cherry pick of PR #126 --- .../spinnaker/gate/config/AuthConfig.groovy | 216 ++++++++++++++---- gate-web/config/gate.yml | 3 + .../OpsmxDashboardController.groovy | 15 ++ .../controllers/OpsmxOesController.groovy | 53 +++++ .../internal/OpsmxDashboardService.groovy | 11 + .../services/internal/OpsmxOesService.groovy | 31 +++ 6 files changed, 281 insertions(+), 48 deletions(-) diff --git a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy index 44fa2ac238..ad4d312707 100644 --- a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy +++ b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy 
@@ -88,11 +88,60 @@ class AuthConfig { @Value('${security.webhooks.default-auth-enabled:false}') boolean webhookDefaultAuthEnabled + @Value('${authenticate.agentOnboardingAPIs:true}') + boolean isAgentOnboardingAPIsAuthenticationEnabled + void configure(HttpSecurity http) throws Exception { // @formatter:off - http - .requestMatcher(requestMatcherProvider.requestMatcher()) - .authorizeRequests() + if(isAgentOnboardingAPIsAuthenticationEnabled){ + http + .requestMatcher(requestMatcherProvider.requestMatcher()) + .authorizeRequests() + .antMatchers("/resources/**").permitAll() + .antMatchers("/images/**").permitAll() + .antMatchers("/js/**").permitAll() + .antMatchers("/fonts/**").permitAll() + .antMatchers("/css/**").permitAll() + .antMatchers('/**/favicon.ico').permitAll() + .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() + .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll() + .antMatchers('/auth/user').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll() + 
.antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll() + .antMatchers(HttpMethod.POST,'/oes/echo').permitAll() + .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll() + .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll() + .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll() + .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll() + .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll() + .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll() + .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll() + .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll() + .antMatchers('/plugins/deck/**').permitAll() + .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() + .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() + .antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll() + .antMatchers('/health').permitAll() + .antMatchers('/prometheus').permitAll() + .antMatchers('/info').permitAll() + .antMatchers('/metrics').permitAll() + .antMatchers('/**').authenticated() + }else{ + http + .requestMatcher(requestMatcherProvider.requestMatcher()) + .authorizeRequests() .antMatchers("/resources/**").permitAll() .antMatchers("/images/**").permitAll() .antMatchers("/js/**").permitAll() 
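Review bot: The two branches of `if(isAgentOnboardingAPIsAuthenticationEnabled)` repeat the entire matcher chain and differ only in the ten agent-API `permitAll()` rules that the `@@ -129,11 +178,23 @@` hunk adds to the `else` branch, so every future matcher has to be added twice and the two authorization policies will drift silently the first time someone forgets — in an access-control config that drift is a real risk, not just noise. Build the shared registry once and append the agent rules under the flag, as sketched below; `authorizeRequests()` returns the registry and `permitAll()` hands it back, so the chain can be split without changing what is registered. The same duplication is in the `jwtconfigure` hunk (`@@ -164,51 +225,110 @@`) and survives into both AuthConfig hunks of the second patch under the renamed flag. The body of `configure` continues past the end of this hunk (the fiat session filter wiring).
```groovy
void configure(HttpSecurity http) throws Exception {
  // @formatter:off
  // Shared policy, declared exactly once: both flag values agree on everything here.
  def registry = http
    .requestMatcher(requestMatcherProvider.requestMatcher())
    .authorizeRequests()
    .antMatchers("/resources/**").permitAll()
    // … unchanged: remaining shared permitAll matchers, through '/managed/notifications/callbacks/**' …
  if (!isAgentOnboardingAPIsAuthenticationEnabled) {
    // Agent-onboarding endpoints are opened only when authentication for them is switched off;
    // keep this the single place they are listed.
    registry
      .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll()
      // … unchanged: remaining agent-API matchers from the else branch …
  }
  registry
    .antMatchers('/health').permitAll()
    .antMatchers('/prometheus').permitAll()
    .antMatchers('/info').permitAll()
    .antMatchers('/metrics').permitAll()
    .antMatchers('/**').authenticated()
  // … unchanged: fiatSessionFilter wiring …
```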
@@ -129,11 +178,23 @@ class AuthConfig { .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() .antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll() .antMatchers('/health').permitAll() .antMatchers('/prometheus').permitAll() .antMatchers('/info').permitAll() .antMatchers('/metrics').permitAll() .antMatchers('/**').authenticated() + } + if (fiatSessionFilterEnabled) { Filter fiatSessionFilter = new FiatSessionFilter( 
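Review bot: Three of the ten `permitAll()` rules added to the `else` branch are write endpoints — `POST /oes/accountsConfig/v1/agents/apple/automation`, `POST /oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation` and `POST /dashboardservice/v4/datasource/apple/automation` — and when the flag is off they become reachable with no authentication at all, while nothing in the commit adds a compensating check on those paths (a per-agent registration token, a source allow-list, or rate limiting); in the `jwtconfigure` variant this sits next to `csrf().disable()`, so the same applies there. The `{agentName}`/`{accountName}` patterns match any single segment, so the GET rules permit reading any agent's manifest and any account's details, not one pre-agreed agent. At minimum the branch deserves a comment that states the exposure so the flag is not flipped casually, e.g. `// Flag off: the agent-onboarding list/create endpoints below accept unauthenticated requests; only use where gate is not reachable by untrusted clients.` The same rules recur in the `jwtconfigure` hunk of this patch and in both AuthConfig hunks of the second patch that re-add them under `isAgentAPIUnauthenticatedAccessEnabled`.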
@@ -164,51 +225,110 @@ class AuthConfig { } void jwtconfigure(HttpSecurity http) throws Exception { - http - .csrf() - .disable() - .cors() - .disable() - .exceptionHandling() - .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() - .authorizeRequests() - .antMatchers("/auth/login").permitAll() - .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll() - .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll() - .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll() - .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll() - .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll() - .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll() - .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll() - .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll() - .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll() - .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll() - .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll() - .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll() - .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll() - .antMatchers(HttpMethod.POST,'/oes/echo').permitAll() - .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll() - .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll() - .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll() - .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll() - .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll() - .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll() - 
.antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll() - .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll() - .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll() - .antMatchers('/**/favicon.ico').permitAll() - .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() - .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll() - .antMatchers('/plugins/deck/**').permitAll() - .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() - .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() - .antMatchers('/health').permitAll() - .antMatchers('/prometheus').permitAll() - .antMatchers('/info').permitAll() - .antMatchers('/metrics').permitAll() - .anyRequest().authenticated() - http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); + if(isAgentOnboardingAPIsAuthenticationEnabled){ + http + .csrf() + .disable() + .cors() + .disable() + .exceptionHandling() + .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement() + .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() + .authorizeRequests() + .antMatchers("/auth/login").permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll() + 
.antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll() + .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll() + .antMatchers(HttpMethod.POST,'/oes/echo').permitAll() + .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll() + .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll() + .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll() + .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll() + .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll() + .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll() + .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll() + .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll() + .antMatchers('/**/favicon.ico').permitAll() + .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() + .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll() + .antMatchers('/plugins/deck/**').permitAll() + .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() + .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() + .antMatchers('/health').permitAll() + .antMatchers('/prometheus').permitAll() + .antMatchers('/info').permitAll() + .antMatchers('/metrics').permitAll() + .anyRequest().authenticated() + http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); + }else{ + http + .csrf() + .disable() + .cors() + .disable() + .exceptionHandling() + .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement() + .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() + .authorizeRequests() + .antMatchers("/auth/login").permitAll() + 
.antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll() + .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll() + .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll() + .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll() + .antMatchers(HttpMethod.POST,'/oes/echo').permitAll() + .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll() + .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll() + .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll() + .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll() + .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll() + .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll() + .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll() + .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll() + .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll() + .antMatchers('/**/favicon.ico').permitAll() + .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() + .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll() + 
.antMatchers('/plugins/deck/**').permitAll() + .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() + .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll() + .antMatchers('/health').permitAll() + .antMatchers('/prometheus').permitAll() + .antMatchers('/info').permitAll() + .antMatchers('/metrics').permitAll() + .anyRequest().authenticated() + http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); + } + } void configure(WebSecurity web) throws Exception { diff --git a/gate-web/config/gate.yml b/gate-web/config/gate.yml index 6c1cd98872..1ea7ad46a3 100644 --- a/gate-web/config/gate.yml +++ b/gate-web/config/gate.yml @@ -180,3 +180,6 @@ security: firstName: lastName: name username: login + +authenticate: + agentOnboardingAPIs: true 
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxDashboardController.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxDashboardController.groovy index c3384e5abb..a6be3b1140 100644 --- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxDashboardController.groovy +++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxDashboardController.groovy @@ -191,6 +191,21 @@ class OpsmxDashboardController { return opsmxDashboardService.getDashboardResponse8(version, type, source, source1, source2, source3, source4, source5) } + @ApiOperation(value = "Endpoint for dashboard rest services") + @RequestMapping(value = "/{version}/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}", method = RequestMethod.GET) + Object getDashboardResponse9(@PathVariable("version") String version, + @PathVariable("type") String type, + @PathVariable("source") String source, + @PathVariable("source1") String source1, + @PathVariable("source2") String source2, + @PathVariable("source3") String source3, + @PathVariable("source4") String source4, + @PathVariable("source5") String source5, + @PathVariable("source6") String source6) { + + return opsmxDashboardService.getDashboardResponse9(version, type, source, source1, source2, source3, source4, source5, source6) + } + @ApiOperation(value = "Endpoint for dashboard rest services") @RequestMapping(value = "/{version}/{type}", method = RequestMethod.DELETE) Object deleteDashboardResponse(@PathVariable("version") String version, diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxOesController.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxOesController.groovy index c38bf0a31c..21d0d75c3a 100644 --- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxOesController.groovy 
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxOesController.groovy 
@@ -483,5 +483,58 @@ class OpsmxOesController { } } } + @ApiOperation(value = "Endpoint for Oes rest services") + @RequestMapping(value = "/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}", method = RequestMethod.GET) + Object getOesResponse8(@PathVariable("type") String type, + @PathVariable("source") String source, + @PathVariable("source1") String source1, + @PathVariable("source2") String source2, + @PathVariable("source3") String source3, + @PathVariable("source4") String source4, + @PathVariable("source5") String source5) { + + return opsmxOesService.getOesResponse8(type, source, source1, source2, source3, source4, source5) + } + + @ApiOperation(value = "Endpoint for Oes rest services") + @RequestMapping(value = "/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}", method = RequestMethod.GET) + Object getOesResponse9(@PathVariable("type") String type, + @PathVariable("source") String source, + @PathVariable("source1") String source1, + @PathVariable("source2") String source2, + @PathVariable("source3") String source3, + @PathVariable("source4") String source4, + @PathVariable("source5") String source5, + @PathVariable("source6") String source6) { + + return opsmxOesService.getOesResponse9(type, source, source1, source2, source3, source4, source5, source6) + } + + @ApiOperation(value = "Endpoint for Oes rest services") + @RequestMapping(value = "/{type}/{source}/{source1}/{source2}/{source3}/{source4}", method = RequestMethod.POST) + Object postOesResponse7(@PathVariable("type") String type, + @PathVariable("source") String source, + @PathVariable("source1") String source1, + @PathVariable("source2") String source2, + @PathVariable("source3") String source3, + @PathVariable("source4") String source4, + @RequestBody(required = false) Object data) { + return opsmxOesService.postOesResponse7(type, source, source1, source2, source3, source4, data) + } + + @ApiOperation(value = "download the manifest file") + 
@GetMapping(value = "/accountsConfig/{version}/agents/{agentName}/manifest/apple/automation", produces = "application/octet-stream") + @ResponseBody + Object downloadAgentManifestFile(@PathVariable("agentName") String agentName, + @PathVariable("version") String version) { + + Response response = opsmxOesService.agentManifestDownloadFile(agentName, version) + response.getBody().in().withCloseable { inputStream -> + byte[] manifestFile = IOUtils.toByteArray(inputStream) + HttpHeaders headers = new HttpHeaders() + headers.add("Content-Disposition", response.getHeaders().stream().filter({ header -> header.getName().trim().equalsIgnoreCase("Content-Disposition") }).collect(Collectors.toList()).get(0).value) + return ResponseEntity.ok().headers(headers).body(manifestFile) + } + } } diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxDashboardService.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxDashboardService.groovy index b7cb905847..138fb2bc21 100644 --- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxDashboardService.groovy +++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxDashboardService.groovy @@ -92,6 +92,17 @@ interface OpsmxDashboardService { @Path('source4') String source4, @Path('source5') String source5) + @GET("/dashboardservice/{version}/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}") + Object getDashboardResponse9(@Path('version') String version, + @Path('type') String type, + @Path('source') String source, + @Path('source1') String source1, + @Path('source2') String source2, + @Path('source3') String source3, + @Path('source4') String source4, + @Path('source5') String source5, + @Path('source6') String source6) + @DELETE("/dashboardservice/{version}/{type}") Object deleteDashboardResponse(@Path('version') String version, @Path('type') String type) 
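Review bot: `downloadAgentManifestFile` calls `.collect(Collectors.toList()).get(0)` on the filtered header stream, so an upstream reply without a `Content-Disposition` header turns into an `IndexOutOfBoundsException` (surfacing as a 500) instead of a download with a default name; `findFirst()` with `ifPresent` removes the crash and keeps the header forwarding. The header value is copied verbatim from the OES response into the client response, which is acceptable only because OES is an internal service — worth a one-line comment so that trust is explicit. Whether `response.getBody()` can be null here (for example on an empty upstream reply) is not visible in the hunk; if it can, the `withCloseable` call needs a guard as well.
```groovy
Response response = opsmxOesService.agentManifestDownloadFile(agentName, version)
response.getBody().in().withCloseable { inputStream ->
  byte[] manifestFile = IOUtils.toByteArray(inputStream)
  HttpHeaders headers = new HttpHeaders()
  // Forward the upstream Content-Disposition only when present; get(0) on an empty
  // list would otherwise fail the whole download. The value is trusted as-is from OES.
  response.getHeaders().stream()
    .filter({ header -> header.getName().trim().equalsIgnoreCase("Content-Disposition") })
    .findFirst()
    .ifPresent({ header -> headers.add("Content-Disposition", header.value) })
  return ResponseEntity.ok().headers(headers).body(manifestFile)
}
```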
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxOesService.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxOesService.groovy index 8966441f3c..db4d4d7331 100644 --- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxOesService.groovy +++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxOesService.groovy @@ -28,6 +28,9 @@ interface OpsmxOesService { @GET("/oes/accountsConfig/agents/{agentName}/manifest") Response agentManifestDownloadFile(@Path('agentName') String agentName) + @GET("/oes/accountsConfig/{version}/agents/{agentName}/manifest/apple/automation") + Response agentManifestDownloadFile(@Path('agentName') String agentName, @Path('version') String version) + @POST("/oes/{source}") Object postOesResponse(@Path('source') String source, @Body Object data) @@ -77,6 +80,25 @@ interface OpsmxOesService { @Query("executionId") String executionId, @Query("gateIds") String gateIds) + @GET("/oes/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}") + Object getOesResponse8(@Path('type') String type, + @Path('source') String source, + @Path('source1') String source1, + @Path('source2') String source2, + @Path('source3') String source3, + @Path('source4') String source4, + @Path('source5') String source5) + + @GET("/oes/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}") + Object getOesResponse9(@Path('type') String type, + @Path('source') String source, + @Path('source1') String source1, + @Path('source2') String source2, + @Path('source3') String source3, + @Path('source4') String source4, + @Path('source5') String source5, + @Path('source6') String source6) + @DELETE("/oes/{type}/{source}") Object deleteOesResponse(@Path('type') String type, @Path('source') String source, 
@@ -129,6 +151,15 @@ interface OpsmxOesService { @Path('source3') String source3, @Body Object data) + @POST("/oes/{type}/{source}/{source1}/{source2}/{source3}/{source4}") + Object postOesResponse7(@Path('type') String type, + @Path('source') String source, + @Path('source1') String source1, + @Path('source2') String source2, + @Path('source3') String source3, + @Path('source4') String source4, + @Body Object data) + @PUT("/oes/{type}/{source}") Object updateOesResponse(@Path('type') String type, @Path('source') String source, From a1d9b9376a05733fb9b2c11db042303bc8c58e4b Mon Sep 17 00:00:00 2001 From: Ravikumar Hawaldar Date: Tue, 8 Feb 2022 13:06:35 +0530 Subject: [PATCH 2/2] OP-12395 : Cherry pick of PR #130 --- .../spinnaker/gate/config/AuthConfig.groovy | 51 +++++++++---------- gate-web/config/gate.yml | 6 ++- 2 files changed, 29 insertions(+), 28 deletions(-) diff --git a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy index ad4d312707..0e4d4d0692 100644 --- a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy +++ b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy @@ -88,12 +88,12 @@ class AuthConfig { @Value('${security.webhooks.default-auth-enabled:false}') boolean webhookDefaultAuthEnabled - @Value('${authenticate.agentOnboardingAPIs:true}') - boolean isAgentOnboardingAPIsAuthenticationEnabled + @Value('${allowUnauthenticatedAccess.agentAPI:false}') + boolean isAgentAPIUnauthenticatedAccessEnabled void configure(HttpSecurity http) throws Exception { // @formatter:off - if(isAgentOnboardingAPIsAuthenticationEnabled){ + if(isAgentAPIUnauthenticatedAccessEnabled){ http .requestMatcher(requestMatcherProvider.requestMatcher()) .authorizeRequests() 
@@ -133,6 +133,16 @@ class AuthConfig { .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() .antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll() .antMatchers('/health').permitAll() .antMatchers('/prometheus').permitAll() .antMatchers('/info').permitAll() 
@@ -178,16 +188,6 @@ class AuthConfig { .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() .antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll() - .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll() - .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll() - .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll() .antMatchers('/health').permitAll() .antMatchers('/prometheus').permitAll() .antMatchers('/info').permitAll() @@ -195,7 +195,6 @@ class AuthConfig { .antMatchers('/**').authenticated() } - if (fiatSessionFilterEnabled) { Filter fiatSessionFilter = new FiatSessionFilter( fiatSessionFilterEnabled, @@ -225,7 +224,8 @@ class AuthConfig { } void jwtconfigure(HttpSecurity http) throws Exception { - if(isAgentOnboardingAPIsAuthenticationEnabled){ + + if (isAgentAPIUnauthenticatedAccessEnabled){ http .csrf() .disable() 
@@ -265,6 +265,16 @@ class AuthConfig { .antMatchers('/plugins/deck/**').permitAll() .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll() + .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll() + .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll() .antMatchers('/health').permitAll() .antMatchers('/prometheus').permitAll() .antMatchers('/info').permitAll() 
@@ -311,16 +321,6 @@ class AuthConfig { .antMatchers('/plugins/deck/**').permitAll() .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll() .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll() - .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll() - .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll() - .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll() - .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll() .antMatchers('/health').permitAll() .antMatchers('/prometheus').permitAll() .antMatchers('/info').permitAll() @@ -328,7 +328,6 @@ class AuthConfig { .anyRequest().authenticated() http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); } - } void configure(WebSecurity web) throws Exception { diff --git a/gate-web/config/gate.yml b/gate-web/config/gate.yml index 1ea7ad46a3..ea43bd0920 100644 --- a/gate-web/config/gate.yml +++ b/gate-web/config/gate.yml 
@@ -181,5 +181,7 @@ security: lastName: name username: login -authenticate: - agentOnboardingAPIs: true +#If the flag is false, the corresponding endpoints will move to protected mode and redirect the user to the login page. +#Otherwise, it will allow unauthenticated access to the endpoints. Default will be false. +allowUnauthenticatedAccess: + agentAPI: false
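Review bot: The new comment says that with the flag off the endpoints "redirect the user to the login page", which describes only the session-based `configure` path; under `jwtconfigure` the policy is `SessionCreationPolicy.STATELESS` with `jwtAuthenticationEntryPoint`, so an unauthenticated caller presumably gets whatever that entry point returns rather than a redirect. The comment also never says which endpoints it governs, so an operator reading gate.yml cannot judge the risk of setting `true`. Suggest wording along the lines of `# allowUnauthenticatedAccess.agentAPI: when true, the agent-onboarding routes in AuthConfig (the /oes/accountsConfig/... and /dashboardservice/... paths ending in /apple/automation, including their POST create endpoints) accept requests with no authentication; when false (default) they require a normal login/JWT like every other route.`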