org.ehrbase.configuration.config.security.SecurityConfig Maven / Gradle / Ivy
The newest version!
/*
* Copyright (c) 2024 vitasystems GmbH.
*
* This file is part of project EHRbase
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.ehrbase.configuration.config.security;
import static org.ehrbase.configuration.config.security.SecurityProperties.AccessType;
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
/**
* Common Security config interface that allows to secure the spring actuator endpoints in common way between basic-auth
* and oauth2 authentication.
*/
public abstract sealed class SecurityConfig permits SecurityConfigNoOp, SecurityConfigBasicAuth, SecurityConfigOAuth2 {
protected final Logger logger = LoggerFactory.getLogger(getClass());
/**
* Spring boot actuator properties
*/
protected final WebEndpointProperties webEndpointProperties;
/**
* Extended property on spring actuator config that defines who can access the management endpoint.
*/
@Value("${management.endpoints.web.access:ADMIN_ONLY}")
protected SecurityProperties.AccessType managementEndpointsAccessType;
protected SecurityConfig(WebEndpointProperties webEndpointProperties) {
this.webEndpointProperties = webEndpointProperties;
}
protected abstract HttpSecurity configureHttpSecurity(HttpSecurity http) throws Exception;
/**
* Configures the /management/** endpoint access
*/
protected AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry
configureManagementEndpointAccess(
AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry auth,
String adminRoleSupplier,
List privateRolesSupplier) {
logger.info("Management endpoint access type {}", managementEndpointsAccessType);
var managementAuthorizedUrl = auth.requestMatchers(antMatcher(webEndpointProperties.getBasePath() + "/**"));
logger.debug("Management endpoints base path {}", managementEndpointsAccessType);
return switch (managementEndpointsAccessType) {
// management endpoints are locked behind an authorization
// and are only available for users with the admin role
case AccessType.ADMIN_ONLY -> managementAuthorizedUrl.hasRole(adminRoleSupplier);
// management endpoints are locked behind an authorization, but are available to any role
case AccessType.PRIVATE -> managementAuthorizedUrl.hasAnyRole(
privateRolesSupplier.toArray(new String[] {}));
// management endpoints can be accessed without an authorization
case AccessType.PUBLIC -> managementAuthorizedUrl.permitAll();
};
}
}