OP-12395 : Feature : Authentication Flag For AgentOnBoarding APIs (Apple Automation)

gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy

@@ -88,11 +88,15 @@ class AuthConfig {
   @Value('${security.webhooks.default-auth-enabled:false}')
   boolean webhookDefaultAuthEnabled
 
+  @Value('${allowUnauthenticatedAccess.agentAPI:false}')
+  boolean isAgentAPIUnauthenticatedAccessEnabled
+
   void configure(HttpSecurity http) throws Exception {
     // @formatter:off
-    http
-      .requestMatcher(requestMatcherProvider.requestMatcher())
-      .authorizeRequests()
+    if(isAgentAPIUnauthenticatedAccessEnabled){
+      http
+        .requestMatcher(requestMatcherProvider.requestMatcher())
+        .authorizeRequests()
         .antMatchers("/resources/**").permitAll()
         .antMatchers("/images/**").permitAll()
         .antMatchers("/js/**").permitAll()
@@ -129,11 +133,67 @@ class AuthConfig {
         .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll()
         .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
         .antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll()
+        .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll()
+        .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll()
+        .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll()
+        .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
+        .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll()
+        .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
+        .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll()
+        .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll()
+        .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll()
+        .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll()
         .antMatchers('/health').permitAll()
         .antMatchers('/prometheus').permitAll()
         .antMatchers('/info').permitAll()
         .antMatchers('/metrics').permitAll()
         .antMatchers('/**').authenticated()
+    }else{
+      http
+        .requestMatcher(requestMatcherProvider.requestMatcher())
+        .authorizeRequests()
+        .antMatchers("/resources/**").permitAll()
+        .antMatchers("/images/**").permitAll()
+        .antMatchers("/js/**").permitAll()
+        .antMatchers("/fonts/**").permitAll()
+        .antMatchers("/css/**").permitAll()
+        .antMatchers('/**/favicon.ico').permitAll()
+        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+        .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
+        .antMatchers('/auth/user').permitAll()
+        .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
+        .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
+        .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
+        .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
+        .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
+        .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
+        .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
+        .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
+        .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
+        .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
+        .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
+        .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
+        .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
+        .antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
+        .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
+        .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
+        .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
+        .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
+        .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
+        .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
+        .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
+        .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
+        .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
+        .antMatchers('/plugins/deck/**').permitAll()
+        .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll()
+        .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
+        .antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll()
+        .antMatchers('/health').permitAll()
+        .antMatchers('/prometheus').permitAll()
+        .antMatchers('/info').permitAll()
+        .antMatchers('/metrics').permitAll()
+        .antMatchers('/**').authenticated()
+    }
 
     if (fiatSessionFilterEnabled) {
       Filter fiatSessionFilter = new FiatSessionFilter(
@@ -164,51 +224,110 @@ class AuthConfig {
   }
 
    void jwtconfigure(HttpSecurity http) throws Exception {
-    http
-      .csrf()
-      .disable()
-      .cors()
-      .disable()
-      .exceptionHandling()
-      .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
-      .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
-      .authorizeRequests()
-      .antMatchers("/auth/login").permitAll()
-      .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
-      .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
-      .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
-      .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
-      .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
-      .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
-      .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
-      .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
-      .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
-      .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
-      .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
-      .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
-      .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
-      .antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
-      .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
-      .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
-      .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
-      .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
-      .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
-      .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
-      .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
-      .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
-      .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
-      .antMatchers('/**/favicon.ico').permitAll()
-      .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-      .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
-      .antMatchers('/plugins/deck/**').permitAll()
-      .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll()
-      .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
-      .antMatchers('/health').permitAll()
-      .antMatchers('/prometheus').permitAll()
-      .antMatchers('/info').permitAll()
-      .antMatchers('/metrics').permitAll()
-      .anyRequest().authenticated()
-     http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
+
+     if (isAgentAPIUnauthenticatedAccessEnabled){
+       http
+         .csrf()
+         .disable()
+         .cors()
+         .disable()
+         .exceptionHandling()
+         .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
+         .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+         .authorizeRequests()
+         .antMatchers("/auth/login").permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
+         .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
+         .antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
+         .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
+         .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
+         .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
+         .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
+         .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
+         .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
+         .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
+         .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
+         .antMatchers('/**/favicon.ico').permitAll()
+         .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+         .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
+         .antMatchers('/plugins/deck/**').permitAll()
+         .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll()
+         .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
+         .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll()
+         .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll()
+         .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll()
+         .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
+         .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll()
+         .antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
+         .antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll()
+         .antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll()
+         .antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll()
+         .antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll()
+         .antMatchers('/health').permitAll()
+         .antMatchers('/prometheus').permitAll()
+         .antMatchers('/info').permitAll()
+         .antMatchers('/metrics').permitAll()
+         .anyRequest().authenticated()
+       http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
+     }else{
+       http
+         .csrf()
+         .disable()
+         .cors()
+         .disable()
+         .exceptionHandling()
+         .authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
+         .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+         .authorizeRequests()
+         .antMatchers("/auth/login").permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
+         .antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
+         .antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
+         .antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
+         .antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
+         .antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
+         .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
+         .antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
+         .antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
+         .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
+         .antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
+         .antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
+         .antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
+         .antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
+         .antMatchers('/**/favicon.ico').permitAll()
+         .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+         .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
+         .antMatchers('/plugins/deck/**').permitAll()
+         .antMatchers(HttpMethod.POST, '/webhooks/**').permitAll()
+         .antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
+         .antMatchers('/health').permitAll()
+         .antMatchers('/prometheus').permitAll()
+         .antMatchers('/info').permitAll()
+         .antMatchers('/metrics').permitAll()
+         .anyRequest().authenticated()
+       http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
+     }
   }
 
   void configure(WebSecurity web) throws Exception {

gate-web/config/gate.yml

@@ -180,3 +180,8 @@ security:
       firstName:
       lastName: name
       username: login
+
+#If the flag is false, the corresponding endpoints will move to protected mode and redirect the user to the login page.
+#Otherwise, it will allow unauthenticated access to the endpoints. Default will be false.
+allowUnauthenticatedAccess:
+  agentAPI: false

gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxDashboardController.groovy

@@ -191,6 +191,21 @@ class OpsmxDashboardController {
     return opsmxDashboardService.getDashboardResponse8(version, type, source, source1, source2, source3, source4, source5)
   }
 
+  @ApiOperation(value = "Endpoint for dashboard rest services")
+  @RequestMapping(value = "/{version}/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}", method = RequestMethod.GET)
+  Object getDashboardResponse9(@PathVariable("version") String version,
+                               @PathVariable("type") String type,
+                               @PathVariable("source") String source,
+                               @PathVariable("source1") String source1,
+                               @PathVariable("source2") String source2,
+                               @PathVariable("source3") String source3,
+                               @PathVariable("source4") String source4,
+                               @PathVariable("source5") String source5,
+                               @PathVariable("source6") String source6) {
+
+    return opsmxDashboardService.getDashboardResponse9(version, type, source, source1, source2, source3, source4, source5, source6)
+  }
+
   @ApiOperation(value = "Endpoint for dashboard rest services")
   @RequestMapping(value = "/{version}/{type}", method = RequestMethod.DELETE)
   Object deleteDashboardResponse(@PathVariable("version") String version,