fix(authn/basic): Enable basic auth in gate #675
Conversation
We prefer that non-test backend code be written in Java or Kotlin, rather than Groovy. The following files have been added and written in Groovy:
See our server-side commit conventions here.
The following commits need their title changed: 469f8ea: Enable basic auth
Please format your commit title into the form:
This allows us to easily generate changelogs & determine semantic version numbers when cutting releases. You can read more about commit conventions here.
cc @ttomsu
@EnableWebSecurity | ||
@SuppportsMultiAuth | ||
@Order(Ordered.LOWEST_PRECEDENCE) | ||
class BasicSsoConfig extends WebSecurityConfigurerAdapter { |
Rm "Sso" - nothing SSO about HTTP Basic auth.
@Configuration | ||
@SpinnakerAuthConfig | ||
@EnableWebSecurity | ||
@SuppportsMultiAuth |
I think you'll want to remove this - it's for use with X509, and I think the standalone X509 one should already hook into the Basic config done in AuthConfig
|
||
@Override | ||
protected void configure(HttpSecurity http) throws Exception { | ||
http.formLogin() |
protected void configure(HttpSecurity http) throws Exception { | ||
http.formLogin() | ||
authConfig.configure(http) | ||
additionalAuthProviders?.each { |
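Review bot: `http.formLogin()` registers Spring Security's form-login filter, which is a different mechanism from HTTP Basic; for a configurer whose only purpose is Basic auth, drop that call and rely on `authConfig.configure(http)` or an explicit `http.httpBasic()`, so that an unauthenticated client receives a `WWW-Authenticate` challenge instead of a redirect to a login page. The `additionalAuthProviders?.each` loop wires other providers into this same adapter; as the thread already says, remove it rather than leave the two mechanisms mixed in one filter chain.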
As mentioned above, I don't think you want to mix this auth mechanism with other ones, so you should probably remove this
@lwander FYI
@ttomsu I removed multi-auth for this module if it's not needed to coexist with X509. Yeah, basically this is an "in-memory" authentication, so let me know what name would be better suited.
I like BasicAuth or maybe "Simple" for the name
gradle.properties
@@ -1,2 +1,2 @@ | |||
org.gradle.parallel=true | |||
includeProviders=iap,ldap,oauth2,saml,x509 | |||
includeProviders=iap,ldap,oauth2,saml,x509,basic |
Very minor nit...arrange in alphabetical order
settings.gradle
@@ -23,7 +23,8 @@ include "gate-core", | |||
"gate-proxy", | |||
"gate-saml", | |||
"gate-web", | |||
"gate-x509" | |||
"gate-x509", | |||
"gate-basic" |
Very minor nit...arrange in alphabetical order
@ttomsu all feedback has been implemented unless there's a better name than "BasicAuth" for this functionality. Do you think this PR is ready to merge?
Could you add a
Tests were added and looks that everything is ok.
Thanks for the contribution! Some small stuff to address.
@@ -0,0 +1,60 @@ | |||
/* |
Please refrain from introducing new Groovy files in the main source set, as the spinnakerbot called out.
String password = authentication.getCredentials()?.toString() | ||
|
||
if (securityProperties.user == null) { | ||
throw new AuthenticationServiceException("User credentials are not configured for the service") |
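Review bot: `authentication.getCredentials()?.toString()` yields `null` when no password was sent, so add a null or empty check that throws `BadCredentialsException` before `password` is compared with anything. The `securityProperties.user == null` branch is a configuration error rather than an authentication failure; as already noted, it belongs in the constructor so that Gate fails at startup. When the submitted password is compared against the configured one, use a constant-time comparison such as `MessageDigest.isEqual` rather than `String.equals`.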
I'd remove `for the service`, as it's redundant.
Additionally, this looks like a configuration error that should be caught on startup, rather than asserted every authenticate invocation. I'd move this check into the constructor and force gate to fail on start up.
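An added example, not code from this PR or from Gate, of the point above: a Java `AuthenticationProvider` that takes its configuration through the constructor and rejects an incomplete `security.user` configuration there, so Gate fails at startup instead of on every `authenticate` call; it also guards a missing password and compares credentials with a constant-time check. The class name `BasicAuthProvider`, the `ROLE_USER` authority, and passing the bound `security.user.name` / `security.user.password` values as plain constructor arguments are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

// Authenticates HTTP Basic credentials against the single user bound from security.user.* (assumed names).
public class BasicAuthProvider implements AuthenticationProvider {
  private final String expectedName;
  private final String expectedPassword;

  // Constructor injection: an incomplete security.user configuration aborts context creation
  // here, so Gate fails fast at startup instead of failing every login attempt later.
  public BasicAuthProvider(String name, String password) {
    if (name == null || name.isEmpty() || password == null || password.isEmpty()) {
      throw new IllegalStateException("security.user.name and security.user.password must be configured");
    }
    this.expectedName = name;
    this.expectedPassword = password;
  }

  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    Object credentials = authentication.getCredentials();
    // getCredentials() is null when no password was sent; treat that as a failed login, not an NPE.
    String password = credentials == null ? null : credentials.toString();
    if (password == null
        || !constantTimeEquals(expectedName, authentication.getName())
        || !constantTimeEquals(expectedPassword, password)) {
      throw new BadCredentialsException("Invalid username or password");
    }
    // The returned token carries the principal and role only; the password is not kept.
    return new UsernamePasswordAuthenticationToken(
        authentication.getName(), null, AuthorityUtils.createAuthorityList("ROLE_USER"));
  }

  @Override
  public boolean supports(Class<?> authentication) {
    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
  }

  // MessageDigest.isEqual compares every byte instead of stopping at the first mismatch.
  private static boolean constantTimeEquals(String expected, String actual) {
    return actual != null
        && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
  }
}
```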
AuthConfig authConfig | ||
|
||
@Autowired | ||
BasicAuthProvider authProvider |
Also, we're trying to steer people away from autowired properties in favor of autowired constructors.
@@ -43,6 +43,7 @@ dependencies { | |||
compileOnly spinnaker.dependency("lombok") | |||
|
|||
testCompile project(":gate-ldap") // TODO: Move system tests to own module | |||
testCompile project(":gate-basic") |
I think you'll want this to be `compile project(":gate-basic")`, otherwise the functionality won't be included in the compiled jar.
For that case, all gate auth modules are already included as runtime dependencies, and the list of those is built from gradle.properties: https://github.com/spinnaker/gate/pull/675/files/36ed77203133a36a5a25e83b77e67965138db711#diff-503f218d646c10f484fdc9d6315bf2e3R2
These test dependencies are only there because of some tests written against ldap and basic implementations.
Oh, right on thanks!
lgtm. another one-over @ttomsu ?
One more thing: have you tested this out with another auth provider enabled, such as Oauth? I know we use security.basic.enabled to allow the monitoring daemon access to Gate in a kubernetes environment.
@ttomsu I see, I did a test with oauth2 enabled and basic security is taking precedence, because
@ttomsu @robzienert I went ahead and changed the activation property name for this feature to
I'm going to go ahead and merge this since it's been doubly approved.
This PR is for being able to use plain basic authentication in gate.
Example `gate-local.yml`: