From 1daa0815064a5bc05f98f744254df4acf980bb54 Mon Sep 17 00:00:00 2001
From: Vic Romero
Date: Sun, 17 Apr 2022 00:10:48 -0500
Subject: [PATCH] FINERACT-1577 TLS support in fully managed serverless environments

FINERACT-1577 TLS support in fully managed serverless environments FINERACT-1577 TLS support in fully managed serverless environments FINERACT-1577 TLS support in fully managed serverless environments FINERACT-1577 TLS support in fully managed serverless environments FINERACT-1577 TLS support in fully managed serverless environments FINERACT-1577 TLS support in fully managed serverless environments
---
 README.md | 8 ++-
 .../core/config/CorsConfig.java | 49 +++++++++++++++++++
 .../core/config/SecurityConfig.java | 15 ++++--
 .../src/main/resources/application.properties | 4 ++
 .../resources/application-test.properties | 4 ++
 5 files changed, 75 insertions(+), 5 deletions(-)
 create mode 100644 fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/CorsConfig.java
diff --git a/README.md b/README.md
index 940137cf578..f3b0d47775d 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-Apache Fineract: A Platform for Microfinance
+Apache Fineract: A Headless Core Banking Platform
 ============
 [![Swagger Validation](https://validator.swagger.io/validator?url=https://demo.fineract.dev/fineract-provider/swagger-ui/fineract.yaml)](https://validator.swagger.io/validator/debug?url=https://demo.fineract.dev/fineract-provider/swagger-ui/fineract.yaml) [![build](https://github.com/apache/fineract/actions/workflows/build.yml/badge.svg)](https://github.com/apache/fineract/actions/workflows/build.yml) [![Docker Hub](https://img.shields.io/docker/pulls/apache/fineract.svg?logo=Docker)](https://hub.docker.com/r/apache/fineract) [![Docker Build](https://img.shields.io/docker/cloud/build/apache/fineract.svg?logo=Docker)](https://hub.docker.com/r/apache/fineract/builds) [![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=apache_fineract&metric=sqale_index)](https://sonarcloud.io/summary/new_code?id=apache_fineract)
@@ -195,7 +195,11 @@ Read also [the HTTPS related doc](fineract-doc/src/docs/en/deployment.adoc#https
 By default SSL is enabled, but all SSL related properties are now tunable. SSL can be turned off by setting the environment variable `FINERACT_SERVER_SSL_ENABLED` to false. If you do that then please make sure to also change the server port to `8080` via the variable `FINERACT_SERVER_PORT`, just for the sake of keeping the conventions.
 You can choose now easily a different SSL keystore by setting `FINERACT_SERVER_SSL_KEY_STORE` with a path to a different (not embedded) keystore. The password can be set via `FINERACT_SERVER_SSL_KEY_STORE_PASSWORD`.
 See the `application.properties` file and the latest Spring Boot documentation (https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html) for more details.
-
+When running on Google Cloud Run the followin parameters must be set for avoiding 403 redirect messages:
+```
+FINERACT_SERVER_SSL_ENABLED=false
+FINERACT_SECURITY_ON_GCP=true
+```
 
 Tomcat configuration
 ====================
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/CorsConfig.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/CorsConfig.java
new file mode 100644
index 00000000000..49699ec75b0
--- /dev/null
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/CorsConfig.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.fineract.infrastructure.core.config;
+
+import java.util.Arrays;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+@Configuration
+public class CorsConfig {
+
+    @Value("${fineract.security.allowed.origins}")
+    private String securityAllowedOrigins;
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+        // Default allows all the origins, it must be changed in production environments
+        configuration.setAllowedOrigins(Arrays.asList(securityAllowedOrigins));
+        // or any domain that you want to restrict to
+        configuration.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept", "Authorization", "fineract-platform-tenantid"));
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+        // Add the method support as you like
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
+}
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
index 13c92e9175c..6cd3866b36e 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
@@ -23,6 +23,7 @@
 import org.apache.fineract.infrastructure.security.filter.TwoFactorAuthenticationFilter;
 import org.apache.fineract.infrastructure.security.service.TenantAwareJpaPlatformUserDetailsService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -56,11 +57,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Autowired
     private ServerProperties serverProperties;
+    @Value("${fineract.security.on.gcp}")
+    private Boolean securityOnGcp;
+
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http //
-                .csrf().disable() // NOSONAR only creating a service that is used by non-browser clients
+                .cors().and().csrf().disable() // NOSONAR only creating a service that is used by non-browser clients
                 .antMatcher("/api/**").authorizeRequests() //
                 .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll() //
                 .antMatchers(HttpMethod.POST, "/api/*/echo").permitAll() //
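Review bot: `Arrays.asList(securityAllowedOrigins)` in corsConfigurationSource wraps the whole property value as one origin, so a comma-separated `FINERACT_SECURITY_ALLOWED_ORIGINS` with two hostnames becomes a single origin string that matches nothing; injecting into an array lets Spring's property conversion split the value: `private String[] securityAllowedOrigins;` with the existing `configuration.setAllowedOrigins(Arrays.asList(securityAllowedOrigins));` left as is. With the default `*` and `Authorization` among the allowed headers the browser-side origin check is effectively disabled, so a class Javadoc should state that the default is for development only and that production deployments must set an explicit origin list. The comments `// or any domain that you want to restrict to` and `// Add the method support as you like` read as template leftovers and are better replaced by one comment saying that origins come from `fineract.security.allowed.origins` while headers and methods are fixed here.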
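Review bot: `private Boolean securityOnGcp` is a boxed type whose only use is the `securityOnGcp == false` comparison in the following hunk of SecurityConfig (`@@ -80,8 +84,12 @@`); since `@Value` already fails startup when the property is unresolved, a primitive `private boolean securityOnGcp;` checked with `if (!securityOnGcp)` is clearer and avoids comparing a `Boolean` reference with `==`. The field also has no documentation although it switches off a security rule; a Javadoc such as `/** When true the HTTPS channel requirement on /api/** is not enforced because TLS is terminated by the hosting platform. */` would make the intent visible to the next reader. The surrounding class starts and ends outside this hunk.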
@@ -80,8 +84,12 @@ protected void configure(HttpSecurity http) throws Exception {
                 .addFilterAfter(tenantAwareBasicAuthenticationFilter(), SecurityContextPersistenceFilter.class) //
                 .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class); //
 
-        if (serverProperties.getSsl().isEnabled()) {
-            http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+        if (securityOnGcp == false) {
+            if (serverProperties.getSsl().isEnabled()) {
+                http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+            } else {
+                http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresInsecure());
+            }
         }
     }
 
@@ -138,4 +146,5 @@ public FilterRegistrationBean twoFactorAuthentica
         registration.setEnabled(false);
         return registration;
     }
+
 }
diff --git a/fineract-provider/src/main/resources/application.properties b/fineract-provider/src/main/resources/application.properties
index 8d25774aaad..01002b5536c 100644
--- a/fineract-provider/src/main/resources/application.properties
+++ b/fineract-provider/src/main/resources/application.properties
@@ -22,6 +22,10 @@ fineract.node-id=${FINERACT_NODE_ID:1}
 fineract.security.basicauth.enabled=${FINERACT_SECURITY_BASICAUTH_ENABLED:true}
 fineract.security.oauth.enabled=${FINERACT_SECURITY_OAUTH_ENABLED:false}
 fineract.security.2fa.enabled=${FINERACT_SECURITY_2FA_ENABLED:false}
+#Required when deployed in a fully managed environment
+fineract.security.on.gcp=${FINERACT_SECURITY_ON_GCP:false}
+#The allowed origins MUST be replaced in production environment
+fineract.security.allowed.origins=${FINERACT_SECURITY_ALLOWED_ORIGINS:*}
 
 fineract.tenant.host=${FINERACT_DEFAULT_TENANTDB_HOSTNAME:localhost}
 fineract.tenant.port=${FINERACT_DEFAULT_TENANTDB_PORT:3306}
diff --git a/fineract-provider/src/test/resources/application-test.properties b/fineract-provider/src/test/resources/application-test.properties
index c714f1384c5..eb52326fff1 100644
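Review bot: The new `else` branch calling `requiresInsecure()` changes behaviour for every deployment with SSL disabled, not only Cloud Run: Spring's channel processing redirects a request it regards as secure to `http://`, so an installation behind a TLS-terminating proxy that is not flagged as GCP and whose forwarded-proto headers are honoured would presumably be bounced from HTTPS to plain HTTP. Before this change SSL-disabled mode simply added no channel rule, which is the safer default and is all the README example (`FINERACT_SERVER_SSL_ENABLED=false`, `FINERACT_SECURITY_ON_GCP=true`) needs. Keeping only the secure branch, `if (!securityOnGcp && serverProperties.getSsl().isEnabled()) { http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure()); }`, restores the old behaviour and removes the nested `if`; if the insecure redirect is really intended it deserves a why-comment explaining which redirect it fixes. The enclosing `configure` method starts outside the hunk.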
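Review bot: The comment `#Required when deployed in a fully managed environment` does not say what `fineract.security.on.gcp` does; it switches off the HTTPS channel requirement on `/api/**` in SecurityConfig, so the comment should state that and when it is safe, e.g. `# Set to true only when TLS is terminated by the hosting platform (e.g. Cloud Run); disables the HTTPS channel requirement on /api/**`. Likewise `#The allowed origins MUST be replaced in production environment` should say that `*` admits every origin and that the value feeds the CORS allow-list in CorsConfig, e.g. `# CORS allow-list; the default * admits every origin and must be replaced by the explicit UI origin in production`. The same two comments are repeated in the application-test.properties hunk that follows and would benefit from the same wording.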
--- a/fineract-provider/src/test/resources/application-test.properties
+++ b/fineract-provider/src/test/resources/application-test.properties
@@ -22,6 +22,10 @@ fineract.node-id=1
 fineract.security.basicauth.enabled=true
 fineract.security.oauth.enabled=false
 fineract.security.2fa.enabled=false
+#Required when deployed in a fully managed environment
+fineract.security.on.gcp=false
+#The allowed origins MUST be replaced in production environment
+fineract.security.allowed.origins=*
 
 fineract.tenant.host=localhost
 fineract.tenant.port=3306