FINERACT-1577 TLS support in fully managed serverless environments

README.md

@@ -1,4 +1,4 @@
-Apache Fineract: A Platform for Microfinance
+Apache Fineract: A Headless Core Banking Platform
 ============
 [![Swagger Validation](https://validator.swagger.io/validator?url=https://demo.fineract.dev/fineract-provider/swagger-ui/fineract.yaml)](https://validator.swagger.io/validator/debug?url=https://demo.fineract.dev/fineract-provider/swagger-ui/fineract.yaml) [![build](https://github.com/apache/fineract/actions/workflows/build.yml/badge.svg)](https://github.com/apache/fineract/actions/workflows/build.yml) [![Docker Hub](https://img.shields.io/docker/pulls/apache/fineract.svg?logo=Docker)](https://hub.docker.com/r/apache/fineract)  [![Docker Build](https://img.shields.io/docker/cloud/build/apache/fineract.svg?logo=Docker)](https://hub.docker.com/r/apache/fineract/builds) [![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=apache_fineract&metric=sqale_index)](https://sonarcloud.io/summary/new_code?id=apache_fineract)
 
@@ -195,7 +195,11 @@ Read also [the HTTPS related doc](fineract-doc/src/docs/en/deployment.adoc#https
 
 By default SSL is enabled, but all SSL related properties are now tunable. SSL can be turned off by setting the environment variable `FINERACT_SERVER_SSL_ENABLED` to false. If you do that then please make sure to also change the server port to `8080` via the variable `FINERACT_SERVER_PORT`, just for the sake of keeping the conventions.
 You can choose now easily a different SSL keystore by setting `FINERACT_SERVER_SSL_KEY_STORE` with a path to a different (not embedded) keystore. The password can be set via `FINERACT_SERVER_SSL_KEY_STORE_PASSWORD`. See the `application.properties` file and the latest Spring Boot documentation (https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html) for more details.
-
+When running on Google Cloud Run the followin parameters must be set for avoiding 403 redirect messages:
+```
+FINERACT_SERVER_SSL_ENABLED=false
+FINERACT_SECURITY_ON_GCP=true
+```
 
 Tomcat configuration
 ====================

fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/CorsConfig.java

@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.fineract.infrastructure.core.config;
+
+import java.util.Arrays;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+@Configuration
+public class CorsConfig {
+
+    @Value("${fineract.security.allowed.origins}")
+    private String securityAllowedOrigins;
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+        // Default allows all the origins, it must be changed in production environments
+        configuration.setAllowedOrigins(Arrays.asList(securityAllowedOrigins));
+        // or any domain that you want to restrict to
+        configuration.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept", "Authorization", "fineract-platform-tenantid"));
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+        // Add the method support as you like
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
+}

fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java

@@ -23,6 +23,7 @@
 import org.apache.fineract.infrastructure.security.filter.TwoFactorAuthenticationFilter;
 import org.apache.fineract.infrastructure.security.service.TenantAwareJpaPlatformUserDetailsService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -56,11 +57,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     private ServerProperties serverProperties;
 
+    @Value("${fineract.security.on.gcp}")
+    private Boolean securityOnGcp;
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
 
         http //
-                .csrf().disable() // NOSONAR only creating a service that is used by non-browser clients
+                .cors().and().csrf().disable() // NOSONAR only creating a service that is used by non-browser clients
                 .antMatcher("/api/**").authorizeRequests() //
                 .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll() //
                 .antMatchers(HttpMethod.POST, "/api/*/echo").permitAll() //
@@ -80,8 +84,12 @@ protected void configure(HttpSecurity http) throws Exception {
                 .addFilterAfter(tenantAwareBasicAuthenticationFilter(), SecurityContextPersistenceFilter.class) //
                 .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class); //
 
-        if (serverProperties.getSsl().isEnabled()) {
-            http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+        if (securityOnGcp == false) {
+            if (serverProperties.getSsl().isEnabled()) {
+                http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+            } else {
+                http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresInsecure());
+            }
         }
     }
 
@@ -138,4 +146,5 @@ public FilterRegistrationBean<TwoFactorAuthenticationFilter> twoFactorAuthentica
         registration.setEnabled(false);
         return registration;
     }
+
 }

fineract-provider/src/main/resources/application.properties

@@ -22,6 +22,10 @@ fineract.node-id=${FINERACT_NODE_ID:1}
 fineract.security.basicauth.enabled=${FINERACT_SECURITY_BASICAUTH_ENABLED:true}
 fineract.security.oauth.enabled=${FINERACT_SECURITY_OAUTH_ENABLED:false}
 fineract.security.2fa.enabled=${FINERACT_SECURITY_2FA_ENABLED:false}
+#Required when deployed in a fully managed environment
+fineract.security.on.gcp=${FINERACT_SECURITY_ON_GCP:false}
+#The allowed origins MUST be replaced in production environment
+fineract.security.allowed.origins=${FINERACT_SECURITY_ALLOWED_ORIGINS:*}
 
 fineract.tenant.host=${FINERACT_DEFAULT_TENANTDB_HOSTNAME:localhost}
 fineract.tenant.port=${FINERACT_DEFAULT_TENANTDB_PORT:3306}

fineract-provider/src/test/resources/application-test.properties

@@ -22,6 +22,10 @@ fineract.node-id=1
 fineract.security.basicauth.enabled=true
 fineract.security.oauth.enabled=false
 fineract.security.2fa.enabled=false
+#Required when deployed in a fully managed environment
+fineract.security.on.gcp=false
+#The allowed origins MUST be replaced in production environment
+fineract.security.allowed.origins=*
 
 fineract.tenant.host=localhost
 fineract.tenant.port=3306