fix: websecurity conf : disabledebugGui + webservice servlet

InseeFr · Feb 15, 2024 · d721240 · d721240
1 parent dbda238
commit d721240
Show file tree

Hide file tree

Showing 9 changed files with 44 additions and 27 deletions.
diff --git a/arc-core/src/main/resources/BdD/script_global.sql b/arc-core/src/main/resources/BdD/script_global.sql
@@ -208,11 +208,14 @@ ON UPDATE NO ACTION ON DELETE NO ACTION
 CREATE TABLE IF NOT EXISTS arc.ihm_webservice_whitelist
 (
 host_allowed text, id_famille text, id_application text, is_secured text
-, PRIMARY KEY (host_allowed)
+, PRIMARY KEY (id_application)
 , FOREIGN KEY (id_famille,id_application) REFERENCES arc.ihm_client(id_famille,id_application)
 ON DELETE CASCADE ON UPDATE CASCADE
 );
 
+do $$ begin ALTER TABLE arc.ihm_webservice_whitelist DROP CONSTRAINT ihm_webservice_whitelist_pkey; alter table arc.ihm_webservice_whitelist ADD PRIMARY KEY (id_application); EXCEPTION WHEN OTHERS then end; $$;
+
+
 -- data retrieval webservice logs 
 CREATE TABLE IF NOT EXISTS arc.ihm_webservice_log
 (

diff --git a/arc-web/src/main/java/fr/insee/arc/web/Oauth2ClientForKeycloak.java b/arc-web/src/main/java/fr/insee/arc/web/Oauth2ClientForKeycloak.java
@@ -64,13 +64,13 @@ protected GrantedAuthoritiesMapper userAuthoritiesMapper() {
 	            if (authority instanceof OidcUserAuthority) {
 	              OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
 	              OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
-
+	              
 	              List<String> roles = userInfo.getClaimAsStringList("roles");
 	              if (roles==null)
 	              {
 	            	  roles = userInfo.getClaimAsStringList("groups");
 	              }
-	              
+
 	              List<SimpleGrantedAuthority> groupAuthorities =
 	            		  roles.stream()
 	                      .map(g -> new SimpleGrantedAuthority(g))

diff --git a/arc-web/src/main/java/fr/insee/arc/web/WebSecurityConfiguration.java b/arc-web/src/main/java/fr/insee/arc/web/WebSecurityConfiguration.java
@@ -2,6 +2,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
@@ -37,9 +38,16 @@ public ClientRegistrationRepository clientRegistrationRepository() {
 	}
 
 	@Bean
-	SecurityFilterChain clientSecurityFilterChain(HttpSecurity http) throws Exception {
+	SecurityFilterChain clientSecurityFilterChain(HttpSecurity http, PropertiesHandler properties) throws Exception {
+
+		// disable debugging screens when proprty is set
+		if (!properties.getDisableDebugGui().isEmpty()) {
+			http.authorizeRequests().requestMatchers("/debug/**").denyAll();
+		}
+
+		// oath2 keycloak
 		if (WebAttributesName.isKeycloakActive(keycloakRealm)) {
-			http.authorizeRequests().requestMatchers("/secure/**")
+			http.authorizeRequests().requestMatchers("/secure/**", "/debug/**")
 					.hasAnyAuthority(PropertiesHandler.getInstance().getAuthorizedRoles()) //
 					.and().oauth2Login().userInfoEndpoint().userAuthoritiesMapper(userAuthoritiesMapper());
 

diff --git a/arc-web/src/main/java/fr/insee/arc/web/gui/file/controller/ControllerViewDirIn.java b/arc-web/src/main/java/fr/insee/arc/web/gui/file/controller/ControllerViewDirIn.java
@@ -11,44 +11,44 @@
 @Controller
 public class ControllerViewDirIn extends ServiceViewDirIn {
 
-	@RequestMapping({"/secure/selectDirIn", "/secure/seeDirIn"})
+	@RequestMapping({"/debug/selectDirIn", "/debug/seeDirIn"})
 	public String seeDirInAction (Model model) {
 		return seeDirIn(model);
 	}
 
-	@RequestMapping("/secure/sortDirIn")
+	@RequestMapping("/debug/sortDirIn")
 	public String sortDirInAction (Model model) {
 		return sortDirIn(model);
 	}
 
-	@RequestMapping("/secure/transferDirIn")
+	@RequestMapping("/debug/transferDirIn")
 	public String transferDirInAction(Model model) {
 		return transferDirIn(model);
 	}
 
 
-	@RequestMapping("/secure/copyDirIn")
+	@RequestMapping("/debug/copyDirIn")
 	public String copyDirInAction(Model model) {
 		return copyDirIn(model);
 	}
 
-	@RequestMapping("/secure/updateDirIn")
+	@RequestMapping("/debug/updateDirIn")
 	public String updateDirInAction(Model model) {
 		return updateDirIn(model);
 	}
 
 
-	@RequestMapping("/secure/addDirIn")
+	@RequestMapping("/debug/addDirIn")
 	public String addDirInAction(Model model) {
 		return addDirIn(model);
 	}
 
-	@RequestMapping("/secure/deleteDirIn")
+	@RequestMapping("/debug/deleteDirIn")
 	public String delDirInAction(Model model) {
 		return delDirIn(model);
 	}
 
-	@RequestMapping("/secure/downloadDirIn")
+	@RequestMapping("/debug/downloadDirIn")
 	public String downloadDirInAction(Model model, HttpServletResponse response) {
 		return downloadDirIn(model, response);
 	}

diff --git a/arc-web/src/main/java/fr/insee/arc/web/gui/file/controller/ControllerViewDirOut.java b/arc-web/src/main/java/fr/insee/arc/web/gui/file/controller/ControllerViewDirOut.java
@@ -11,44 +11,44 @@
 @Controller
 public class ControllerViewDirOut extends ServiceViewDirOut {
 
-	@RequestMapping({"/secure/selectDirOut", "/secure/seeDirOut"})
+	@RequestMapping({"/debug/selectDirOut", "/debug/seeDirOut"})
 	public String seeDirOutAction (Model model) {
 		return seeDirOut(model);
 	}
 
-	@RequestMapping("/secure/sortDirOut")
+	@RequestMapping("/debug/sortDirOut")
 	public String sortDirOutAction (Model model) {
 		return sortDirOut(model);
 	}
 
-	@RequestMapping("/secure/transferDirOut")
+	@RequestMapping("/debug/transferDirOut")
 	public String transferDirOutAction(Model model) {
 		return transferDirOut(model);
 	}
 
 
-	@RequestMapping("/secure/copyDirOut")
+	@RequestMapping("/debug/copyDirOut")
 	public String copyDirOutAction(Model model) {
 		return copyDirOut(model);
 	}
 
-	@RequestMapping("/secure/updateDirOut")
+	@RequestMapping("/debug/updateDirOut")
 	public String updateDirOutAction(Model model) {
 		return updateDirOut(model);
 	}
 
 
-	@RequestMapping("/secure/addDirOut")
+	@RequestMapping("/debug/addDirOut")
 	public String addDirOutAction(Model model) {
 		return addDirOut(model);
 	}
 
-	@RequestMapping("/secure/deleteDirOut")
+	@RequestMapping("/debug/deleteDirOut")
 	public String delDirOutAction(Model model) {
 		return delDirOut(model);
 	}
 
-	@RequestMapping("/secure/downloadDirOut")
+	@RequestMapping("/debug/downloadDirOut")
 	public String downloadDirOutAction(Model model, HttpServletResponse response) {
 		return downloadDirOut(model, response);
 	}

diff --git a/arc-web/src/main/java/fr/insee/arc/web/gui/file/controller/ControllerViewFile.java b/arc-web/src/main/java/fr/insee/arc/web/gui/file/controller/ControllerViewFile.java
@@ -9,7 +9,7 @@
 @Controller
 public class ControllerViewFile extends ServiceViewFile {
 
-	@RequestMapping("/secure/selectFile")
+	@RequestMapping("/debug/selectFile")
 	public String selectFileAction(Model model) {
 		return selectFile(model);
 	}

diff --git a/arc-web/src/main/java/fr/insee/arc/web/gui/query/controller/ControllerViewQuery.java b/arc-web/src/main/java/fr/insee/arc/web/gui/query/controller/ControllerViewQuery.java
@@ -10,17 +10,17 @@
 public class ControllerViewQuery extends ServiceViewQuery {
 
 
-	@RequestMapping("/secure/selectQuery")
+	@RequestMapping("/debug/selectQuery")
 	public String selectQueryAction(Model model) {
 		return selectQuery(model);
 	}
 
-	@RequestMapping("/secure/selectQueryFromTextBox")
+	@RequestMapping("/debug/selectQueryFromTextBox")
 	public String selectQueryFromTextBoxAction(Model model) {
 		return selectQuery(model);
 	}
 
-	@RequestMapping("/secure/sortQuery")
+	@RequestMapping("/debug/sortQuery")
 	public String sortQueryAction(Model model) {
 		return sortQuery(model);
 	}

diff --git a/arc-web/src/main/java/fr/insee/arc/web/gui/query/controller/ControllerViewTable.java b/arc-web/src/main/java/fr/insee/arc/web/gui/query/controller/ControllerViewTable.java
@@ -10,12 +10,12 @@
 public class ControllerViewTable extends ServiceViewTable {
 
 
-	@RequestMapping({"/secure/selectTable", "/secure/seeTable"})
+	@RequestMapping({"/debug/selectTable", "/debug/seeTable"})
 	public String seeTableAction(Model model) {
 		return seeTable(model);
 	}
 
-	@RequestMapping("/secure/sortTable")
+	@RequestMapping("/debug/sortTable")
 	public String sortTableAction(Model model) {
 		return sortTable(model);
 	}

diff --git a/arc-ws/src/main/java/fr/insee/arc/ws/services/restServices/WsSecurityConfiguration.java b/arc-ws/src/main/java/fr/insee/arc/ws/services/restServices/WsSecurityConfiguration.java
@@ -14,6 +14,7 @@
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -54,6 +55,11 @@ public JwtAuthenticationConverter jwtAuthenticationConverterForKeycloak() {
 		return jwtAuthenticationConverter;
 	}
 
+	@Bean
+	public WebSecurityCustomizer webSecurityCustomizer() {
+		return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/webservice/**"));
+	}
+
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		if (WebAttributesName.isKeycloakActive(keycloakRealm)) {