chore(webserver): warn if security group is wet without a jwt secret (#…

…1412) close #1395
tchiotludo · Apr 4, 2023 · 911ed5e · 911ed5e
1 parent 7a2cad4
commit 911ed5e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/docs/docs/configuration/authentifications/groups.md b/docs/docs/configuration/authentifications/groups.md
@@ -19,6 +19,11 @@ Define groups with specific roles for your users
 If you have `topics/create` or `connect/create` roles and you try to create a resource that doesn't follow the regexp, that resource **WILL** be created.
 :::
 
+::: warning
+Please also set the `micronaut.security.token.jwt.signatures.secret.generator.secret` if you set a group.
+If the secret is not set, the API will not enforce the group role, and the restriction is in the UI only.
+:::
+
 3 defaults group are available :
 - `admin` with all right
 - `reader` with only read access on all AKHQ

diff --git a/src/main/java/org/akhq/configs/JwtSecurityWarning.java b/src/main/java/org/akhq/configs/JwtSecurityWarning.java
@@ -5,7 +5,9 @@
 import lombok.extern.slf4j.Slf4j;
 
 import javax.annotation.PostConstruct;
+import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import java.lang.Runnable;
 
 @Singleton
 @Slf4j
@@ -21,20 +23,35 @@ public class JwtSecurityWarning {
     @Value("${micronaut.security.enabled:false}")
     protected Boolean enabled;
 
+    @Inject
+    protected SecurityProperties securityProperties;
+
     @PostConstruct
     public void start() {
         if (enabled && secret.equals(DEFAULT)) {
-            log.warn("");
-            log.warn("##############################################################");
-            log.warn("#                      SECURITY WARNING                      #");
-            log.warn("##############################################################");
-            log.warn("");
-            log.warn("You still use the default jwt secret.");
-            log.warn("This known secret can be used to impersonate anyone.");
-            log.warn("Please change 'micronaut.security.token.jwt.signatures.secret.generator.secret' configuration, or ask your administrator to do it !");
-            log.warn("");
-            log.warn("##############################################################");
-            log.warn("");
+            logSecurityWarning(() -> {
+                log.warn("You still use the default jwt secret.");
+                log.warn("This known secret can be used to impersonate anyone.");
+                log.warn("Please change 'micronaut.security.token.jwt.signatures.secret.generator.secret' configuration, or ask your administrator to do it !");
+            });
+        } else if (!enabled && securityProperties.getGroups() != null && !securityProperties.getGroups().isEmpty()){
+            logSecurityWarning(() -> {
+                log.warn("You have set a security group config but did not set the jwt secret.");
+                log.warn("This means that the API request will not be checked against the security group config.");
+                log.warn("Please set the 'micronaut.security.token.jwt.signatures.secret.generator.secret' configuration, or ask your administrator to do it !");
+            });
         }
     }
+
+    private static void logSecurityWarning(Runnable printBody) {
+        log.warn("");
+        log.warn("##############################################################");
+        log.warn("#                      SECURITY WARNING                      #");
+        log.warn("##############################################################");
+        log.warn("");
+        printBody.run();
+        log.warn("");
+        log.warn("##############################################################");
+        log.warn("");
+    }
 }