fix(authn/basic): Enable basic auth in gate

[german-muzquiz]

This PR is for being able to use plain basic authentication in gate.
Example gate-local.yml:

security:
  basicform:
    enabled: true
  user:
    name: {some username}
    password: {some password}

[spinnakerbot]

We prefer that non-test backend code be written in Java or Kotlin, rather than Groovy. The following files have been added and written in Groovy:

• gate-basic/src/main/groovy/com/netflix/spinnaker/gate/security/basic/BasicSsoConfig.groovy

See our server-side commit conventions here.

[spinnakerbot]

The following commits need their title changed:

469f8ea: Enable basic auth

Please format your commit title into the form:

<type>(<scope>): <subject>, e.g. fix(kubernetes): address NPE in status check

This allows us to easily generate changelogs & determine semantic version numbers when cutting releases. You can read more about commit conventions here.

[ethanfrogers]

cc @ttomsu

[ttomsu]

Rm "Sso" - nothing SSO about HTTP Basic auth.

[ttomsu]

I think you'll want to remove this - it's for use with X509, and I think the standalone X509 one should already hook into the Basic config done in AuthConfig

[ttomsu]

Hmm. This is more than just HTTP Basic auth - it's actually just simple in memory auth that happens to (maybe) also enable HTTP Basic.

Given that, I think you'll want to rename the module and classes to something like "Simple" or "NonProd". Thoughts on naming @stewchen @dibyom ?

[ttomsu]

As mentioned above, I don't think you want to mix this auth mechanism with other ones, so you should probably remove this

[ttomsu]

@lwander FYI

[german-muzquiz]

@ttomsu I removed multi-auth for this module if it's not needed to coexist with X509. Yeah, basically this is an "in-memory" authentication, so let me know what name would be better suited.

[dibyom]

I like BasicAuth or maybe "Simple" for the name

[dibyom]

Very minor nit...arrange in alphabetical order

[dibyom]

Very minor nit...arrange in alphabetical order

[german-muzquiz]

@ttomsu all feedback has been implemented unless there's a better name than "BasicAuth" for this functionality. Do you think this PR is ready to merge?

[ttomsu]

Could you add a @GateSystemTest like https://github.com/spinnaker/gate/blob/master/gate-web/src/test/groovy/com/netflix/spinnaker/gate/security/ldap/LdapAuthSpec.groovy to prove it's working as you'd expect?

[german-muzquiz]

Tests were added and looks that everything is ok.

[robzienert]

Thanks for the contribution! Some small stuff to address.

[robzienert]

Please refrain from introducing new Groovy files in the main source set, as the spinnakerbot called out.

[robzienert]

I'd remove for the service, as it's redundant.

[robzienert]

Additionally, this looks like a configuration error that should be caught on startup, rather than asserted every authenticate invocation. I'd move this check into the constructor and force gate to fail on start up.

[robzienert]

Also, we're trying to steer people away from autowired properties in favor of autowired constructors.

[robzienert]

I think you'll want this to be compile project(":gate-basic"), otherwise the functionality won't be included in the compiled jar.

[german-muzquiz]

For that case, all gate auth modules are already included as runtime dependencies, and the list of those is built from gradle.properties: https://github.com/spinnaker/gate/pull/675/files/36ed77203133a36a5a25e83b77e67965138db711#diff-503f218d646c10f484fdc9d6315bf2e3R2
These test dependencies are only there because of some tests written against ldap and basic implementations.

[robzienert]

Oh, right on thanks!

[robzienert]

lgtm. another one-over @ttomsu ?

[ttomsu]

One more thing: have you tested this out with another auth provider enabled, such as Oauth? I know we use security.basic.enabled to allow the monitoring daemon access to Gate in a kubernetes environment.

[german-muzquiz]

@ttomsu I see, I did a test with oauth2 enabled and basic security is taking precedence, because security.basic.enabled is already set to true by some other mechanism.
Given that we have full control over this property name to enable/disable basic auth, I did a test changing it to some other name and oauth2 worked, so instead of security.basic.enabled we could use something like security.basicform.enabled.
What do you think?

[german-muzquiz]

@ttomsu @robzienert I went ahead and changed the activation property name for this feature to security.basicform.enabled to not collide with other auth configurations. Also made sure that it works properly with security.basic enabled/disabled.

[ethanfrogers]

I'm going to go ahead and merge this since it's been doubly approved.