diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/EnableFiatAutoConfig.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/EnableFiatAutoConfig.java
new file mode 100644
index 000000000..024ea0e2e
--- /dev/null
+++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/EnableFiatAutoConfig.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2017 Google, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.fiat.shared;
+
+import org.springframework.context.annotation.Import;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * For a component that uses this annotation, the Fiat Spring Security configuration will be
+ * applied. This does not mean that Fiat is required to be enabled, just that the whole service has
+ * Spring Security layers and filters for requests/responses.
+ *
+ * With this annotation and Fiat disabled, the biggest difference is the ability to access the
+ * Spring Management Server endpoints (/env, /beans, /autoconfig, etc). Most of these endpoints are
+ * considered "sensitive", and therefore are disabled from an unauthenticated user requesting them
+ * over HTTP. In order to still access them, you must use HTTP Basic authentication. See
+ * http://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html
+ * for more details.
+ *
+ * With this annotation and Fiat enabled, @Controller invocations annotated with Fiat authorization
+ * checks will be performed and enforced. The above Management Server endpoint information still
+ * applies.
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@Import(FiatAuthenticationConfig.class)
+public @interface EnableFiatAutoConfig {
+}
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/config/FiatAuthenticationConfig.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
similarity index 93%
rename from fiat-api/src/main/java/com/netflix/spinnaker/config/FiatAuthenticationConfig.java
rename to fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
index b03443535..8e2bfbddb 100644
--- a/fiat-api/src/main/java/com/netflix/spinnaker/config/FiatAuthenticationConfig.java
+++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatAuthenticationConfig.java
@@ -14,12 +14,10 @@
 * limitations under the License.
 */
-package com.netflix.spinnaker.config;
+package com.netflix.spinnaker.fiat.shared;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.netflix.spinnaker.fiat.shared.FiatAuthenticationFilter;
-import com.netflix.spinnaker.fiat.shared.FiatService;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
@@ -48,7 +46,6 @@
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 @Configuration
 @EnableConfigurationProperties(FiatClientConfigurationProperties.class)
-@ConditionalOnExpression("${services.fiat.autoConfig:true}")
 @ComponentScan("com.netflix.spinnaker.fiat.shared")
 public class FiatAuthenticationConfig {
@@ -91,7 +88,7 @@ private class AnonymousConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 // TODO(ttomsu): Make management endpoints non-sensitive?
- log.debug("Fiat service is disabled. Setting Spring Security to allow all traffic.");
+ log.info("Fiat service is disabled. Setting Spring Security to allow all traffic.");
 http.authorizeRequests().anyRequest().permitAll().and().csrf().disable();
 }
 }
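Review bot: The Javadoc on `EnableFiatAutoConfig` covers the management endpoints but never says what the imported configuration does to ordinary request authorization when Fiat is disabled. In this same commit `AnonymousConfig.configure` permits every request and disables CSRF, and a service owner deciding whether to add the annotation should be able to read that here. I would add a sentence to the "Fiat disabled" paragraph such as `* With Fiat disabled, the imported configuration permits all requests and disables CSRF protection.` The annotation also lacks `@Documented`, so it will not show up in the generated Javadoc of the classes that carry it.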
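Review bot: With `@ConditionalOnExpression` removed, `FiatAuthenticationConfig` is still a plain `@Configuration` in `com.netflix.spinnaker.fiat.shared`, the same package its own `@ComponentScan` names. Any service that component-scans that package would register it without carrying `@EnableFiatAutoConfig`; whether a consumer does so is not visible in this diff. Deployments that set `services.fiat.autoConfig` to `false` will presumably have the property ignored silently, since its field is also removed from `FiatClientConfigurationProperties`, and will now get the Spring Security filter chain. I would add a class comment saying the configuration is meant to be reached only through the annotation's `@Import`, and mention the retired property in the release notes. The class body continues outside the hunk.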
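Review bot: `AnonymousConfig.configure` leaves the service fail-open, with every request permitted and CSRF protection off, and the only signal of that state is one `info` line. Because this removes authorization for the whole service, `warn` is the better level, and naming the controlling property helps an operator reading the log: `log.warn("Fiat service is disabled (services.fiat.enabled=false). Setting Spring Security to allow all traffic.");`. The property name is inferred from the `enabled` field of `FiatClientConfigurationProperties` and the `services.fiat` prefix in the removed expression, so confirm it before use. The declaration of `AnonymousConfig` starts outside the hunk.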
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/config/FiatClientConfigurationProperties.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatClientConfigurationProperties.java similarity index 92% rename from fiat-api/src/main/java/com/netflix/spinnaker/config/FiatClientConfigurationProperties.java rename to fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatClientConfigurationProperties.java index e901ee9ff..02bfba41b 100644 --- a/fiat-api/src/main/java/com/netflix/spinnaker/config/FiatClientConfigurationProperties.java +++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatClientConfigurationProperties.java @@ -14,7 +14,7 @@ * limitations under the License. */ -package com.netflix.spinnaker.config; +package com.netflix.spinnaker.fiat.shared; import lombok.Data; import org.springframework.boot.context.properties.ConfigurationProperties; @@ -26,7 +26,5 @@ public class FiatClientConfigurationProperties { private boolean enabled; - private boolean autoConfig; - private String baseUrl; }