Hooked into the Spring OAuth workflow properly, but breaks all other …

…security impls (#195)
spinnaker · Apr 27, 2016 · 7d6340f · 7d6340f
1 parent 0da5ad7
commit 7d6340f
Show file tree

Hide file tree

Showing 12 changed files with 150 additions and 410 deletions.
diff --git a/gate-web/config/gate.yml b/gate-web/config/gate.yml
@@ -75,36 +75,19 @@ hystrix:
     fetchGlobalAccounts:
       execution.isolation.thread.timeoutInMilliseconds: 2000
 
-auth:
-  anonymous:
-    enabled: true # You likely want to disable this in production.
-  oauth2Client:
-    enabled: false
-    userAuthorizationUri:
-    scope:
-    clientId:
-    clientSecret:
-    accessTokenUri:
-    userInfoUri:
-  oauth2ResourceServer:
-    enabled: false
-    accessTokenUri:
-    clientId:
-    clientSecret:
-    grantType:
-  saml:
-    enabled: false
-    url:
-    certificate:
-    redirectBase:
-    issuerId:
-    keyStore:
-    keyStoreType: JKS
-    keyStorePassword:
-    keyStoreAliasName:
-    requiredRoles:
-    -
-    userAttributeMapping:
-      firstName: User.FirstName
-      lastName: User.LastName
-      roles: memberOf
+spring:
+  jackson:
+    mapper:
+      SORT_PROPERTIES_ALPHABETICALLY: true
+    serialization:
+      ORDER_MAP_ENTRIES_BY_KEYS: true
+#  oauth2:
+#      client:
+#        clientId:
+#        clientSecret:
+#        accessTokenUri:
+#        userAuthorizationUri:
+#        scope:
+#          - email
+#      resource:
+#        userInfoUri:
diff --git a/gate-web/gate-web.gradle b/gate-web/gate-web.gradle
@@ -22,6 +22,7 @@ dependencies {
   compile spinnaker.dependency("frigga")
   compile spinnaker.dependency('cglib')
   compile('org.springframework.session:spring-session-data-redis:1.0.1.RELEASE')
+  compile("org.springframework.cloud:spring-cloud-security:1.0.3.RELEASE")
   compile('org.opensaml:opensaml:2.6.4')
 
   testCompile "com.squareup.okhttp:mockwebserver:${spinnaker.version('okHttp')}"

diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/AuthController.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/controllers/AuthController.groovy
diff --git a/...y/oauth2/client/OAuth2ClientConfig.groovy → ...er/gate/controllers/UserController.groovy b/...y/oauth2/client/OAuth2ClientConfig.groovy → ...er/gate/controllers/UserController.groovy
@@ -14,14 +14,18 @@
  * limitations under the License.
  */
 
-package com.netflix.spinnaker.gate.security.oauth2.client
+package com.netflix.spinnaker.gate.controllers
 
-import org.springframework.boot.context.properties.ConfigurationProperties
-import org.springframework.context.annotation.Configuration
-import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RestController
 
-@Configuration
-@ConfigurationProperties("auth.oauth2Client")
-class OAuth2ClientConfig extends AuthorizationCodeResourceDetails {
-  String userInfoUri
+import java.security.Principal
+
+@RestController
+class UserController {
+
+  @RequestMapping("/user")
+  public Principal user(Principal user) {
+    return user;
+  }
 }
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/AuthConfig.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/AuthConfig.groovy
@@ -16,77 +16,19 @@
 
 package com.netflix.spinnaker.gate.security
 
-import com.netflix.spinnaker.gate.security.anonymous.AnonymousConfig
 import groovy.util.logging.Slf4j
-import org.springframework.beans.factory.annotation.Autowired
-import org.springframework.beans.factory.annotation.Qualifier
-import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration
-import org.springframework.boot.context.embedded.FilterRegistrationBean
-import org.springframework.context.annotation.Bean
-import org.springframework.context.annotation.Configuration
-import org.springframework.context.annotation.Import
 import org.springframework.http.HttpMethod
-import org.springframework.security.authentication.AuthenticationManager
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
-import org.springframework.security.core.userdetails.UserDetailsService
-import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer
 
-import javax.servlet.Filter
-
-@EnableWebSecurity
-@Configuration
-@Import(SecurityAutoConfiguration)
 @Slf4j
-class AuthConfig extends WebSecurityConfigurerAdapter {
-
-  @Autowired(required = false)
-  AnonymousConfig anonymousConfig
+class AuthConfig {
 
-  @Autowired(required = false)
-  Collection<WebSecurityAugmentor> webSecurityAugmentors = []
-
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  static void configure(HttpSecurity http) throws Exception {
     http.csrf().disable()
-
-    webSecurityAugmentors.each {
-      it.configure(http, userDetailsService(), authenticationManager())
-    }
-
-    if (!anonymousConfig?.enabled) {
-      http.authorizeRequests()
-          .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-          .antMatchers('/auth/**').permitAll()
-          .antMatchers('/health').permitAll()
-          .antMatchers('/**').authenticated()
-    }
-  }
-
-  @Override
-  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-    webSecurityAugmentors.each {
-      it.configure(auth)
-    }
-  }
-
-  @Bean
-  public FilterRegistrationBean securityFilterChain(
-      @Qualifier(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) Filter securityFilter) {
-    FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter)
-    registration.setOrder(0)
-    registration.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
-    return registration
-  }
-
-  static interface WebSecurityAugmentor {
-    void configure(AuthenticationManagerBuilder authenticationManagerBuilder)
-
-    void configure(HttpSecurity http,
-                   UserDetailsService userDetailsService,
-                   AuthenticationManager authenticationManager)
-
+    http.authorizeRequests()
+        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+        .antMatchers('/auth/**').permitAll()
+        .antMatchers('/health').permitAll()
+        .antMatchers('/**').authenticated()
   }
 }
diff --git a/...-web/src/main/groovy/com/netflix/spinnaker/gate/security/anonymous/AnonymousConfig.groovy b/...-web/src/main/groovy/com/netflix/spinnaker/gate/security/anonymous/AnonymousConfig.groovy
@@ -35,15 +35,14 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
 @ConditionalOnExpression('${auth.anonymous.enabled:false}')
 @Configuration
 @ConfigurationProperties(prefix = "auth.anonymous")
-class AnonymousConfig implements AuthConfig.WebSecurityAugmentor {
+class AnonymousConfig {
   Boolean enabled
   String key = "spinnaker-anonymous"
   String defaultEmail = "anonymous"
 
   @Autowired
   AnonymousAccountsService anonymousAccountsService
 
-  @Override
   void configure(HttpSecurity http, UserDetailsService userDetailsService, AuthenticationManager authenticationManager) {
     def filter = new AnonymousAuthenticationFilter(
       // it seems like a smell that this is statically initialized with the allowedAccounts
@@ -56,7 +55,6 @@ class AnonymousConfig implements AuthConfig.WebSecurityAugmentor {
     http.addFilter(filter)
   }
 
-  @Override
   void configure(AuthenticationManagerBuilder auth) {
     auth.authenticationProvider(new AnonymousAuthenticationProvider(key))
   }