OP-12761 : Added a property / flag to enable or disable authenticatio…
…n for unprotected Spinnaker webhooks trigger endpoints. (#152)
rsh09 authored Mar 2, 2022
1 parent 5667f57 commit 8919e7b
Showing 2 changed files with 206 additions and 4 deletions.
Expand Up @@ -91,9 +91,12 @@ class AuthConfig {
@Value('${allowUnauthenticatedAccess.agentAPI:false}')
boolean isAgentAPIUnauthenticatedAccessEnabled

@Value('${allowUnauthenticatedAccess.webhooks:false}')
boolean isSpinnakerWebhooksUnauthenticatedAccessEnabled

void configure(HttpSecurity http) throws Exception {
// @formatter:off
if(isAgentAPIUnauthenticatedAccessEnabled){
if(isAgentAPIUnauthenticatedAccessEnabled && isSpinnakerWebhooksUnauthenticatedAccessEnabled){
http
.requestMatcher(requestMatcherProvider.requestMatcher())
.authorizeRequests()
Expand Down Expand Up @@ -148,7 +151,61 @@ class AuthConfig {
.antMatchers('/info').permitAll()
.antMatchers('/metrics').permitAll()
.antMatchers('/**').authenticated()
}else{
}else if(isAgentAPIUnauthenticatedAccessEnabled){
http
.requestMatcher(requestMatcherProvider.requestMatcher())
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/images/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/fonts/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers('/**/favicon.ico').permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
.antMatchers('/auth/user').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
.antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
.antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
.antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
.antMatchers('/plugins/deck/**').permitAll()
.antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
.antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll()
.antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll()
.antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll()
.antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll()
.antMatchers('/health').permitAll()
.antMatchers('/prometheus').permitAll()
.antMatchers('/info').permitAll()
.antMatchers('/metrics').permitAll()
.antMatchers('/**').authenticated()
}else if(isSpinnakerWebhooksUnauthenticatedAccessEnabled){
http
.requestMatcher(requestMatcherProvider.requestMatcher())
.authorizeRequests()
Expand Down Expand Up @@ -193,6 +250,50 @@ class AuthConfig {
.antMatchers('/info').permitAll()
.antMatchers('/metrics').permitAll()
.antMatchers('/**').authenticated()
}else{
http
.requestMatcher(requestMatcherProvider.requestMatcher())
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/images/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/fonts/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers('/**/favicon.ico').permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
.antMatchers('/auth/user').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
.antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
.antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
.antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
.antMatchers('/plugins/deck/**').permitAll()
.antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
.antMatchers(HttpMethod.POST, '/managed/notifications/callbacks/**').permitAll()
.antMatchers('/health').permitAll()
.antMatchers('/prometheus').permitAll()
.antMatchers('/info').permitAll()
.antMatchers('/metrics').permitAll()
.antMatchers('/**').authenticated()
}

if (fiatSessionFilterEnabled) {
Expand Down Expand Up @@ -224,7 +325,7 @@ class AuthConfig {
}

void jwtconfigure(HttpSecurity http) throws Exception {
if (isAgentAPIUnauthenticatedAccessEnabled){
if (isAgentAPIUnauthenticatedAccessEnabled && isSpinnakerWebhooksUnauthenticatedAccessEnabled){
http
.csrf()
.disable()
Expand Down Expand Up @@ -280,7 +381,62 @@ class AuthConfig {
.antMatchers('/metrics').permitAll()
.anyRequest().authenticated()
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}else{
}else if(isAgentAPIUnauthenticatedAccessEnabled){
http
.csrf()
.disable()
.cors()
.disable()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers("/auth/login").permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
.antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
.antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
.antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
.antMatchers('/**/favicon.ico').permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
.antMatchers('/plugins/deck/**').permitAll()
.antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation').permitAll()
.antMatchers(HttpMethod.POST, '/oes/accountsConfig/v1/agents/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v1/agents/{agentName}/manifest/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/{agentName}/{accountName}/apple/automation').permitAll()
.antMatchers(HttpMethod.POST, '/oes/accountsConfig/v2/spinnaker/cloudProviderAccount/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/oes/accountsConfig/v3/spinnaker/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/dashboardservice/v4/getAllDatasources/apple/automation').permitAll()
.antMatchers(HttpMethod.GET, '/dashboardservice/v5/agents/{agentName}/accounts/{accountName}/accountType/{accountType}/apple/automation').permitAll()
.antMatchers(HttpMethod.POST, '/dashboardservice/v4/datasource/apple/automation').permitAll()
.antMatchers('/health').permitAll()
.antMatchers('/prometheus').permitAll()
.antMatchers('/info').permitAll()
.antMatchers('/metrics').permitAll()
.anyRequest().authenticated()
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}else if(isSpinnakerWebhooksUnauthenticatedAccessEnabled){
http
.csrf()
.disable()
Expand Down Expand Up @@ -326,6 +482,51 @@ class AuthConfig {
.antMatchers('/metrics').permitAll()
.anyRequest().authenticated()
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}else{
http
.csrf()
.disable()
.cors()
.disable()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers("/auth/login").permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v1/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v2/registerCanary').permitAll()
.antMatchers(HttpMethod.POST,'/autopilot/api/v3/registerCanary').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v2/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/api/v1/autopilot/canaries/{id}').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v1/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v2/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v4/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.POST,'/visibilityservice/v5/approvalGates/{id}/trigger').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v2/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.GET,'/visibilityservice/v1/approvalGateInstances/{id}/status').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo').permitAll()
.antMatchers(HttpMethod.POST,'/oes/echo/').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data').permitAll()
.antMatchers(HttpMethod.POST,'/auditservice/v1/echo/events/data/').permitAll()
.antMatchers(HttpMethod.POST,'/v1/data/**').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval').permitAll()
.antMatchers(HttpMethod.POST,'/v1/staticPolicy/eval/').permitAll()
.antMatchers(HttpMethod.GET,'/autopilot/mgmt/**').permitAll()
.antMatchers(HttpMethod.POST,'/datasource/cache/save').permitAll()
.antMatchers(HttpMethod.DELETE,'/datasource/cache/evict').permitAll()
.antMatchers('/**/favicon.ico').permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
.antMatchers('/plugins/deck/**').permitAll()
.antMatchers(HttpMethod.POST, '/notifications/callbacks/**').permitAll()
.antMatchers('/health').permitAll()
.antMatchers('/prometheus').permitAll()
.antMatchers('/info').permitAll()
.antMatchers('/metrics').permitAll()
.anyRequest().authenticated()
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}

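Review bot: With both flags at their default of false, the final `else` branches (L97–L140 and L221–L265) still `permitAll()` a long list of state-changing endpoints — POST `/autopilot/registerCanary`, POST `/visibilityservice/v*/approvalGates/{id}/trigger`, POST `/v1/data/**`, DELETE `/datasource/cache/evict`, GET `/autopilot/mgmt/**` — so `allowUnauthenticatedAccess.webhooks: false` does not yield an authenticated-only profile; it only withholds whatever the collapsed webhooks branches (L89–L96, L213–L220) add on top. If those trigger/register endpoints are the "unprotected Spinnaker webhooks" the commit title refers to, they belong behind the new flag rather than in the baseline list; if they are intentionally open (for example verified by a shared secret inside the controller, which is not visible here), that should be stated in a comment above the baseline matchers. The flag combination is also expressed as four near-identical copies of the matcher chain per method, and the copies already disagree — the `configure` baseline permits `/auth/user` (L109) and `/managed/notifications/callbacks/**` (L135) while the `jwtconfigure` baseline (L221–L265) has neither, possibly pre-existing — which is exactly how an endpoint ends up unauthenticated in one profile only. I would build the permitted set once from a base list plus per-flag extras and apply it in a loop, so each flag adds exactly one reviewable list (sketch below for `configure`; `jwtconfigure` would reuse the same constants). Both `configure` and `jwtconfigure` extend past the visible hunks (the webhooks branches and the fiat/JWT filter setup are collapsed).
```groovy
// Matchers every profile exposes without authentication (the current `else` list).
private static final List<List> BASE_PERMIT_ALL = [
  [null, '/health'],
  [HttpMethod.POST, '/autopilot/registerCanary'],
  // … unchanged: remaining baseline matchers …
]
// Extras layered on only when the matching allowUnauthenticatedAccess.* flag is true.
private static final List<List> AGENT_API_PERMIT_ALL = [
  [HttpMethod.GET, '/oes/accountsConfig/v2/agents/apple/automation'],
  // … unchanged: remaining /apple/automation matchers …
]
private static final List<List> WEBHOOKS_PERMIT_ALL = [
  // … the matchers currently only in the webhooks branch …
]

void configure(HttpSecurity http) throws Exception {
  def registry = http.requestMatcher(requestMatcherProvider.requestMatcher()).authorizeRequests()
  List<List> permits = BASE_PERMIT_ALL
  if (isAgentAPIUnauthenticatedAccessEnabled) permits += AGENT_API_PERMIT_ALL
  if (isSpinnakerWebhooksUnauthenticatedAccessEnabled) permits += WEBHOOKS_PERMIT_ALL
  permits.each { method, pattern ->
    (method == null ? registry.antMatchers(pattern) : registry.antMatchers(method, pattern)).permitAll()
  }
  registry.antMatchers('/**').authenticated()
  // … unchanged: fiatSessionFilterEnabled handling …
}
```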
1 change: 1 addition & 0 deletions gate-web/config/gate.yml
Expand Up @@ -185,3 +185,4 @@ security:
#Otherwise, it will allow unauthenticated access to the endpoints. Default will be false.
allowUnauthenticatedAccess:
agentAPI: false
webhooks: false
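Review bot: The comment above these keys ("Otherwise, it will allow unauthenticated access to the endpoints") does not say which endpoints `webhooks: true` opens, and the accompanying AuthConfig change shows several trigger/register endpoints permitted even when both keys are false, so a reader of gate.yml cannot tell what this flag actually protects. I would replace the generic sentence with one line per key, e.g. `# agentAPI: when true, additionally exposes the /apple/automation agent endpoints without authentication` and `# webhooks: when true, additionally exposes the Spinnaker webhook trigger endpoints enumerated in AuthConfig without authentication`, and add a line stating that the baseline permit list in AuthConfig applies regardless of these keys.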
