Op 17001 audit tail exec v4.0 phase2

gate-core/gate-core.gradle

@@ -51,6 +51,7 @@ dependencies {
   implementation "org.apache.commons:commons-lang3"
   implementation group: 'io.jsonwebtoken', name: 'jjwt', version: '0.9.1'
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '2.2.4.RELEASE'
+  compile group: 'org.springframework.retry', name: 'spring-retry', version: '1.2.2.RELEASE'
 }
 
 sourceSets {

gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy

@@ -94,6 +94,9 @@ class AuthConfig {
   @Value('${allowUnauthenticatedAccess.webhooks:false}')
   boolean isSpinnakerWebhooksUnauthenticatedAccessEnabled
 
+  @Value('${security.contentSecurityPolicy:\'object-src \'none\'; script-src \'unsafe-eval\' \'unsafe-inline\' https: http:;\'}')
+  String contentSecurityPolicy
+
   void configure(HttpSecurity http) throws Exception {
     // @formatter:off
     if(isAgentAPIUnauthenticatedAccessEnabled && isSpinnakerWebhooksUnauthenticatedAccessEnabled){
@@ -330,6 +333,8 @@ class AuthConfig {
       http.authorizeRequests().antMatchers(HttpMethod.POST, '/webhooks/**').authenticated()
     }
 
+    http.headers().contentSecurityPolicy(contentSecurityPolicy)
+
     http.logout()
         .logoutUrl("/auth/logout")
         .logoutSuccessHandler(permissionRevokingLogoutSuccessHandler)

gate-core/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy

@@ -21,6 +21,7 @@ import com.netflix.spinnaker.fiat.model.resources.Role
 import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator
 import com.netflix.spinnaker.fiat.shared.FiatService
 import com.netflix.spinnaker.fiat.shared.FiatStatus
+import com.netflix.spinnaker.gate.retrofit.UpstreamBadRequest
 import com.netflix.spinnaker.gate.security.SpinnakerUser
 import com.netflix.spinnaker.gate.services.internal.ExtendedFiatService
 import com.netflix.spinnaker.kork.core.RetrySupport
@@ -42,6 +43,8 @@ import javax.annotation.Nonnull
 import java.time.Duration
 
 import static com.netflix.spinnaker.gate.retrofit.UpstreamBadRequest.classifyError
+import org.springframework.retry.annotation.Backoff;
+import org.springframework.retry.annotation.Retryable;
 
 @Slf4j
 @Component
@@ -90,6 +93,8 @@ class PermissionService {
     }
   }
 
+
+  @Retryable(value = UpstreamBadRequest.class, maxAttempts = 3, backoff = @Backoff(delay = 4000l))
   void loginWithRoles(String userId, Collection<String> roles) {
     if (fiatStatus.isEnabled()) {
       try {
@@ -98,6 +103,7 @@ class PermissionService {
           permissionEvaluator.invalidatePermission(userId)
         })
       } catch (RetrofitError e) {
+        log.error("Exception caught while updating the roles. Will wait and retry: {}" , e)
         throw classifyError(e)
       }
     }

gate-saml/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy

@@ -24,6 +24,7 @@ import com.netflix.spinnaker.gate.security.SpinnakerAuthConfig
 import com.netflix.spinnaker.gate.services.PermissionService
 import com.netflix.spinnaker.kork.core.RetrySupport
 import com.netflix.spinnaker.security.User
+import com.opsmx.spinnaker.gate.security.saml.SamlAuthTokenUpdateFilter
 import groovy.util.logging.Slf4j
 import org.opensaml.saml2.core.Assertion
 import org.opensaml.saml2.core.Attribute
@@ -43,11 +44,12 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.core.userdetails.UsernameNotFoundException
 import org.springframework.security.extensions.saml2.config.SAMLConfigurer
-import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
 import org.springframework.security.saml.SAMLCredential
 import org.springframework.security.saml.userdetails.SAMLUserDetailsService
+import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
 import org.springframework.session.web.http.DefaultCookieSerializer
 import org.springframework.stereotype.Component
 
@@ -168,7 +170,9 @@ class SamlSsoConfig extends WebSecurityConfigurerAdapter {
           .keyPassword(samlSecurityConfigProperties.keyStorePassword)
 
       saml.init(http)
-
+    SamlAuthTokenUpdateFilter authTokenUpdateFilter = new SamlAuthTokenUpdateFilter()
+    http.addFilterAfter(authTokenUpdateFilter,
+        BasicAuthenticationFilter.class)
     // @formatter:on
 
   }

gate-saml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SAMLAuthenticationException.java

@@ -0,0 +1,13 @@
+package com.opsmx.spinnaker.gate.security.saml;
+
+import org.springframework.security.core.AuthenticationException;
+
+public class SAMLAuthenticationException extends AuthenticationException {
+  public SAMLAuthenticationException(String msg) {
+    super(msg);
+  }
+
+  public SAMLAuthenticationException(String msg, Throwable t) {
+    super(msg, t);
+  }
+}

gate-saml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SamlAuthTokenUpdateFilter.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2022 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.opsmx.spinnaker.gate.security.saml;
+
+import java.io.IOException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class SamlAuthTokenUpdateFilter extends GenericFilterBean {
+
+  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+      throws IOException, ServletException {
+    logger.debug("SamlAuthTokenUpdateFilter doFilter started");
+    HttpServletRequest request = (HttpServletRequest) req;
+    HttpServletResponse response = (HttpServletResponse) res;
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+    logger.debug("Previously Authenticated is : " + authentication);
+    if (authentication instanceof ExpiringUsernameAuthenticationToken
+        && !authentication.isAuthenticated()) {
+      if (logger.isDebugEnabled()) {
+        logger.debug(
+            "Previously Authenticated token Expired; redirecting to authentication entry point.");
+      }
+
+      HttpSession session = request.getSession();
+      if (session != null) {
+        session.invalidate();
+      }
+      throw new SAMLAuthenticationException("Previously Authenticated token Expired");
+    }
+    logger.debug("SamlAuthTokenUpdateFilter doFilter ended");
+
+    chain.doFilter(request, response);
+  }
+}

gate-saml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SamlSsoEventPublishConfig.java

@@ -0,0 +1,56 @@
+package com.opsmx.spinnaker.gate.security.saml;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.servlet.Filter;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.saml.SAMLProcessingFilter;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.SecurityFilterChain;
+
+@ConditionalOnExpression("${saml.enabled:false}")
+@Configuration
+@Slf4j
+@Order(Ordered.HIGHEST_PRECEDENCE)
+public class SamlSsoEventPublishConfig {
+
+  private ApplicationEventPublisher applicationEventPublisher;
+
+  @Autowired
+  @Qualifier("springSecurityFilterChain")
+  private Filter springSecurityFilterChain;
+
+  @Autowired
+  public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+    this.applicationEventPublisher = applicationEventPublisher;
+  }
+
+  @Bean
+  public FilterChainProxy getFilters() {
+    FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
+    List<SecurityFilterChain> list = filterChainProxy.getFilterChains();
+
+    list.stream()
+        .flatMap(chain -> chain.getFilters().stream())
+        .filter(filter -> filter.getClass() == FilterChainProxy.class)
+        .findAny()
+        .map(FilterChainProxy.class::cast)
+        .map(FilterChainProxy::getFilterChains)
+        .orElse(new ArrayList<>())
+        .stream()
+        .flatMap(chin -> chin.getFilters().stream())
+        .filter(filter -> filter.getClass() == SAMLProcessingFilter.class)
+        .findAny()
+        .map(SAMLProcessingFilter.class::cast)
+        .ifPresent(filter -> filter.setApplicationEventPublisher(applicationEventPublisher));
+    return filterChainProxy;
+  }
+}

gate-web/config/gate.yml

@@ -121,6 +121,7 @@ spring:
   profiles: googleOAuth
 
 security:
+  contentSecurityPolicy: "object-src 'none'; script-src 'unsafe-eval' 'unsafe-inline' https: http:;"
   oauth2:
     client:
       # Set these values in your own config file (e.g. spinnaker-local.yml or gate-googleOAuth.yml).

gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxAutopilotController.groovy

@@ -341,6 +341,23 @@ class OpsmxAutopilotController {
     return opsmxAutopilotService.getAutoResponse9(type, source, source1, source2, source3, source4, source5, source6, source7, source8, imageId)
   }
 
+  @ApiOperation(value = "Endpoint for autopilot rest services")
+  @RequestMapping(value = "/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}", method = RequestMethod.GET)
+  Object getAutoResponse10(@PathVariable("type") String type,
+                           @PathVariable("source") String source,
+                           @PathVariable("source1") String source1,
+                           @PathVariable("source2") String source2,
+                           @PathVariable("source3") String source3,
+                           @PathVariable("source4") String source4,
+                           @PathVariable("source5") String source5,
+                           @PathVariable("source6") String source6,
+                           @RequestParam(value = "imageId", required = false) String imageId,
+                           @RequestParam(value = "canaryIds", required = false) String canaryIds,
+                           @RequestParam(value = "gateIds", required = false) String gateIds) {
+
+    return opsmxAutopilotService.getAutoResponse10(type, source, source1, source2, source3, source4, source5, source6,imageId, canaryIds, gateIds)
+  }
+
   @ApiOperation(value = "Endpoint for autopilot rest services")
   @RequestMapping(value = "/{type}", method = RequestMethod.DELETE)
   Object deleteAutoResponse1(@PathVariable("type") String type) {

gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxDashboardController.groovy

@@ -206,6 +206,23 @@ class OpsmxDashboardController {
     return opsmxDashboardService.getDashboardResponse9(version, type, source, source1, source2, source3, source4, source5, source6)
   }
 
+
+  @ApiOperation(value = "Endpoint for dashboard rest services")
+  @RequestMapping(value = "/{version}/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}/{source7}", method = RequestMethod.GET)
+  Object getDashboardResponse10(@PathVariable("version") String version,
+                               @PathVariable("type") String type,
+                               @PathVariable("source") String source,
+                               @PathVariable("source1") String source1,
+                               @PathVariable("source2") String source2,
+                               @PathVariable("source3") String source3,
+                               @PathVariable("source4") String source4,
+                               @PathVariable("source5") String source5,
+                               @PathVariable("source6") String source6,
+                                @PathVariable("source7") String source7) {
+
+    return opsmxDashboardService.getDashboardResponse10(version, type, source, source1, source2, source3, source4, source5, source6,source7)
+  }
+
   @ApiOperation(value = "Endpoint for dashboard rest services")
   @RequestMapping(value = "/{version}/{type}", method = RequestMethod.DELETE)
   Object deleteDashboardResponse(@PathVariable("version") String version,

gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxOesController.groovy

@@ -503,9 +503,11 @@ class OpsmxOesController {
                          @PathVariable("source2") String source2,
                          @PathVariable("source3") String source3,
                          @PathVariable("source4") String source4,
-                         @PathVariable("source5") String source5) {
+                         @PathVariable("source5") String source5,
+                         @RequestParam(value = "gateIds", required = false) String gateIds
+  ) {
 
-    return opsmxOesService.getOesResponse8(type, source, source1, source2, source3, source4, source5)
+    return opsmxOesService.getOesResponse8(type, source, source1, source2, source3, source4, source5,gateIds)
   }
 
   @ApiOperation(value = "Endpoint for Oes rest services")

gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/OpsmxPlatformController.groovy

@@ -79,8 +79,9 @@ class OpsmxPlatformController {
                               @RequestParam(value = "sortOrder", required = false) String sortOrder,
                               @RequestParam(value = "applicationId", required = false) Integer applicationId,
                               @RequestParam(value = "applicationName", required = false) String applicationName,
-                              @RequestParam(value = "noOfDays", required = false) Integer noOfDays) {
-    return opsmxPlatformService.getPlatformResponse1(version, type, datasourceType, accountName, source, permission, search, username, pageNo, pageLimit, sortBy, sortOrder, applicationId, applicationName, noOfDays)
+                              @RequestParam(value = "noOfDays", required = false) Integer noOfDays,
+                              @RequestParam(value = "filterBy", required = false) String filterBy) {
+    return opsmxPlatformService.getPlatformResponse1(version, type, datasourceType, accountName, source, permission, search, username, pageNo, pageLimit, sortBy, sortOrder, applicationId, applicationName, noOfDays, filterBy)
   }
 
   @ApiOperation(value = "Endpoint for platform rest services")

gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxAutopilotService.groovy

@@ -160,6 +160,7 @@ interface OpsmxAutopilotService {
                           @Query("canaryIds") String canaryIds,
                           @Query("gateIds") String gateIds)
 
+
   @GET("/autopilot/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}/{source7}/{source8}")
   Object getAutoResponse9(@Path('type') String type,
                           @Path('source') String source,
@@ -173,6 +174,19 @@ interface OpsmxAutopilotService {
                           @Path('source8') String source8,
                           @Query("imageId") String imageId)
 
+  @GET("/autopilot/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}")
+  Object getAutoResponse10(@Path('type') String type,
+                           @Path('source') String source,
+                           @Path('source1') String source1,
+                           @Path('source2') String source2,
+                           @Path('source3') String source3,
+                           @Path('source4') String source4,
+                           @Path('source5') String source5,
+                           @Path('source6') String source6,
+                           @Query("imageId") String imageId,
+                           @Query("canaryIds") String canaryIds,
+                           @Query("gateIds") String gateIds)
+
   @DELETE("/autopilot/{type}")
   Object deleteAutoResponse1(@Path('type') String type)
 

gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxDashboardService.groovy

@@ -103,6 +103,18 @@ interface OpsmxDashboardService {
                                @Path('source5') String source5,
                                @Path('source6') String source6)
 
+  @GET("/dashboardservice/{version}/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}/{source7}")
+  Object getDashboardResponse10(@Path('version') String version,
+                               @Path('type') String type,
+                               @Path('source') String source,
+                               @Path('source1') String source1,
+                               @Path('source2') String source2,
+                               @Path('source3') String source3,
+                               @Path('source4') String source4,
+                               @Path('source5') String source5,
+                               @Path('source6') String source6,
+                                @Path('source7') String source7)
+
   @DELETE("/dashboardservice/{version}/{type}")
   Object deleteDashboardResponse(@Path('version') String version,
                            @Path('type') String type)

gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxOesService.groovy

@@ -87,7 +87,8 @@ interface OpsmxOesService {
                          @Path('source2') String source2,
                          @Path('source3') String source3,
                          @Path('source4') String source4,
-                         @Path('source5') String source5)
+                         @Path('source5') String source5,
+                         @Query("gateIds") String gateIds)
 
   @GET("/oes/{type}/{source}/{source1}/{source2}/{source3}/{source4}/{source5}/{source6}")
   Object getOesResponse9(@Path('type') String type,

gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/internal/OpsmxPlatformService.groovy

@@ -37,7 +37,8 @@ interface OpsmxPlatformService {
                               @Query("sortOrder") String sortOrder,
                               @Query("applicationId") Integer applicationId,
                               @Query("applicationName") String applicationName,
-                              @Query("noOfDays") Integer noOfDays)
+                              @Query("noOfDays") Integer noOfDays,
+                              @Query("filterBy") String filterBy)
 
   @GET("/platformservice/{version}/{type}/{source}")
   Object getPlatformResponse(@Path('version') String version,

gate-web/src/main/groovy/com/opsmx/spinnaker/gate/controllers/OpsmxAuditClientServiceController.groovy

@@ -88,9 +88,10 @@ class OpsmxAuditClientServiceController {
                               @PathVariable("type") String type,
                               @PathVariable("source") String source,
                               @PathVariable("source1") String source1,
-                              @PathVariable("source2") String source2) {
+                              @PathVariable("source2") String source2,
+                              @RequestParam(value = "noOfDays", required = false) String noOfDays) {
 
-    return opsmxAuditClientService.getAuditClientResponse4(version, type, source, source1, source2)
+    return opsmxAuditClientService.getAuditClientResponse4(version, type, source, source1, source2, noOfDays)
   }
 
   @ApiOperation(value = "Endpoint for audit-client rest services")

gate-web/src/main/groovy/com/opsmx/spinnaker/gate/services/OpsmxAuditClientService.groovy

@@ -60,7 +60,8 @@ interface OpsmxAuditClientService {
                               @Path('type') String type,
                               @Path('source') String source,
                               @Path('source1') String source1,
-                              @Path('source2') String source2)
+                              @Path('source2') String source2,
+                              @Query("noOfDays") String noOfDays)
 
   @GET("/auditclientservice/{version}/{type}/{source}/{source1}/{source2}/{source3}")
   Object getAuditClientResponse5(@Path('version') String version,