/**
 * Warns when a Distributed deployment leaves the UI or API domain without an override base URL.
 *
 * <p>If either the API security or the UI security section has an empty {@code overrideBaseUrl}
 * and the deployment environment type is Distributed, a WARNING-severity problem is recorded: the
 * services are then only reachable through SSH tunnels. The remediation recommends putting an
 * authentication mechanism in front of Spinnaker and registering the public domains/IPs.
 * LocalDebian deployments are not checked.
 *
 * @param p collects the validation problems
 * @param n the security section under validation; its enclosing DeploymentConfiguration supplies
 *     the deployment environment type
 */
@Override
public void validate(ConfigProblemSetBuilder p, Security n) {
  DeploymentConfiguration deploymentConfiguration = n.parentOfType(DeploymentConfiguration.class);

  // Both override URLs must be present. The conjunction short-circuits on the API URL, so the
  // UI security section is only consulted when the API URL is set.
  boolean overridesComplete =
      !StringUtils.isEmpty(n.getApiSecurity().getOverrideBaseUrl())
          && !StringUtils.isEmpty(n.getUiSecurity().getOverrideBaseUrl());

  switch (deploymentConfiguration.getDeploymentEnvironment().getType()) {
    case Distributed:
      if (!overridesComplete) {
        p.addProblem(Problem.Severity.WARNING,
            "Your UI or API domain does not have override base URLs set "
                + "even though your Spinnaker deployment is a Distributed deployment on a remote cloud provider. "
                + "As a result, you will need to open SSH tunnels against that deployment to access Spinnaker.")
            .setRemediation("We recommend that you instead configure an authentication mechanism (OAuth2, SAML2, or x509) "
                + "to make it easier to access Spinnaker securely, and then register the intended Domain and IP addresses "
                + "that your publicly facing services will be using."); // TODO(lwander) point to a guide here
      }
      break;
    case LocalDebian:
      break;
  }
}
}
/**
 * Captures the OAuth2 authentication settings when OAuth2 is enabled in the halconfig.
 *
 * <p>When the OAuth2 section is disabled the {@code oauth2} field is left untouched, so the
 * generated Spring configuration carries no OAuth2 settings from this constructor.
 *
 * @param security the deployment's security section; its authn sub-section holds the OAuth2 config
 */
SpringConfig(Security security) {
  OAuth2 configuredOauth2 = security.getAuthn().getOauth2();
  if (!configuredOauth2.isEnabled()) {
    return;
  }
  this.oauth2 = configuredOauth2;
}
}
/**
 * Reports whether this service should be deployed.
 *
 * <p>The answer mirrors the {@code authz} section of the security config: the service is enabled
 * exactly when authorization is enabled. Nothing else (authn, SSL) is consulted.
 *
 * @param deploymentConfiguration the deployment whose security section is read
 * @return true when authorization is enabled for the deployment
 */
@Override
public boolean isEnabled(DeploymentConfiguration deploymentConfiguration) {
  return deploymentConfiguration
      .getSecurity()
      .getAuthz()
      .isEnabled();
}
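/**
 * Populates the environment for Deck's Apache front end.
 *
 * <p>When UI SSL is enabled, Deck's host and port, Gate's base URL, and the certificate file,
 * key file and key passphrase are exported as environment variables. {@code AUTH_ENABLED} and
 * {@code FIAT_ENABLED} are exported unconditionally and mirror the authn and authz sections of
 * the security config.
 *
 * @param profile the profile whose environment map is filled in
 * @param deploymentConfiguration source of the UI SSL and authn/authz settings
 * @param endpoints runtime settings for Deck and Gate
 */
@Override
protected void setProfile(Profile profile, DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);
  ServiceSettings deckSettings = endpoints.getServiceSettings(Type.DECK);
  ServiceSettings gateSettings = endpoints.getServiceSettings(Type.GATE);
  ApacheSsl apacheSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  Map<String, String> env = profile.getEnv();

  if (apacheSsl.isEnabled()) {
    env.put("DECK_HOST", deckSettings.getHost());
    env.put("DECK_PORT", String.valueOf(deckSettings.getPort()));
    env.put("API_HOST", gateSettings.getBaseUrl());
    env.put("DECK_CERT", apacheSsl.getSslCertificateFile());
    env.put("DECK_KEY", apacheSsl.getSslCertificateKeyFile());
    // NOTE(review): the private-key passphrase is exported as a plain environment variable.
    // Environment variables are readable by any process running as the same user (e.g. via
    // /proc/<pid>/environ) and are inherited by child processes, so wherever this environment
    // is persisted or exported it must be treated as a secret — confirm its on-disk permissions.
    env.put("PASSPHRASE", apacheSsl.getSslCertificatePassphrase());
  }

  env.put("AUTH_ENABLED", Boolean.toString(deploymentConfiguration.getSecurity().getAuthn().isEnabled()));
  env.put("FIAT_ENABLED", Boolean.toString(deploymentConfiguration.getSecurity().getAuthz().isEnabled()));
}
}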
/**
 * Writes Gate's generated configuration into the profile.
 *
 * <p>The API security, authn and authz sections are each passed to {@code backupRequiredFiles}
 * and the returned paths become the profile's required files. A {@code GateConfig} is built from
 * Gate's runtime settings and the security section, its CORS allowed-origins pattern is set from
 * the API security settings, and the YAML rendering is placed ahead of the profile's base contents.
 *
 * @param profile the profile receiving the rendered config and required files
 * @param deploymentConfiguration source of the deployment name and security section
 * @param endpoints runtime settings used to look up Gate
 */
@Override
public void setProfile(Profile profile, DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);
  String deploymentName = deploymentConfiguration.getName();
  Security security = deploymentConfiguration.getSecurity();

  List<String> requiredFiles = backupRequiredFiles(security.getApiSecurity(), deploymentName);
  requiredFiles.addAll(backupRequiredFiles(security.getAuthn(), deploymentName));
  requiredFiles.addAll(backupRequiredFiles(security.getAuthz(), deploymentName));

  ServiceSettings gateSettings = endpoints.getServiceSettings(Type.GATE);
  GateConfig gateConfig = getGateConfig(gateSettings, security);
  // The allowed-origins pattern decides which browser origins may call Gate; it is derived from
  // the API security section, so an overly broad pattern there widens CORS for every caller.
  gateConfig.getCors().setAllowedOriginsPattern(security.getApiSecurity());

  String renderedConfig = yamlToString(gateConfig);
  profile.appendContents(renderedConfig)
      .appendContents(profile.getBaseContents())
      .setRequiredFiles(requiredFiles);
}
/**
 * Supplies the template bindings for this profile: a single {@code passphrase} entry.
 *
 * <p>The value is the UI SSL certificate passphrase, read regardless of whether UI SSL is
 * enabled (it may therefore be null or empty — not checked here). Because the passphrase is
 * templated into a generated file, that file should be handled as sensitive.
 *
 * @param deploymentConfiguration source of the UI security SSL settings
 * @param endpoints unused
 * @return a mutable map holding the {@code passphrase} binding
 */
@Override
protected Map<String, Object> getBindings(DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  ApacheSsl uiSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  String passphrase = uiSsl.getSslCertificatePassphrase();

  Map<String, Object> bindings = new HashMap<>();
  bindings.put("passphrase", passphrase);
  return bindings;
}
/**
 * Builds Gate's service settings from the API security section.
 *
 * <p>The bind host is {@code 0.0.0.0} (all interfaces) only when authentication is enabled;
 * otherwise {@code getDefaultHost()} is used. Only the authn flag is consulted — whether authz
 * (Fiat) is enabled has no effect on the bind address.
 *
 * @param deploymentConfiguration source of the deployment name and security settings
 * @return enabled Gate settings with the artifact id and bind host filled in
 */
@Override
public ServiceSettings buildServiceSettings(DeploymentConfiguration deploymentConfiguration) {
  boolean authnEnabled = deploymentConfiguration.getSecurity().getAuthn().isEnabled();
  // Expose Gate on every interface only once an authentication mechanism is in front of it.
  String bindHost = authnEnabled ? "0.0.0.0" : getDefaultHost();

  Settings settings = new Settings(deploymentConfiguration.getSecurity().getApiSecurity());
  return settings
      .setArtifactId(getArtifactId(deploymentConfiguration.getName()))
      .setHost(bindHost)
      .setEnabled(true);
}
/**
 * Gate's generated server configuration.
 *
 * <p>Initialises the base settings from {@code gate} and installs the API security section's
 * SSL settings as {@code server.ssl}, so Gate's TLS material comes from the API (not UI) config.
 *
 * @param gate Gate's runtime service settings
 * @param security the deployment's security section
 */
GateConfig(ServiceSettings gate, Security security) {
  super(gate);
  this.server.ssl = security.getApiSecurity().getSsl();
}
/**
 * Builds Deck's service settings from the UI security section.
 *
 * <p>The bind host is {@code 0.0.0.0} (all interfaces) only when authentication is enabled;
 * otherwise {@code getDefaultHost()} is used. Only the authn flag is consulted — whether authz
 * (Fiat) is enabled has no effect on the bind address.
 *
 * @param deploymentConfiguration source of the deployment name and security settings
 * @return enabled Deck settings with the artifact id and bind host filled in
 */
@Override
public ServiceSettings buildServiceSettings(DeploymentConfiguration deploymentConfiguration) {
  boolean authnEnabled = deploymentConfiguration.getSecurity().getAuthn().isEnabled();
  // Expose Deck on every interface only once an authentication mechanism is in front of it.
  String bindHost = authnEnabled ? "0.0.0.0" : getDefaultHost();

  Settings settings = new Settings(deploymentConfiguration.getSecurity().getUiSecurity());
  return settings
      .setArtifactId(getArtifactId(deploymentConfiguration.getName()))
      .setHost(bindHost)
      .setEnabled(true);
}
@Override protected void setProfile(Profile profile, DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) { StringResource configTemplate = new StringResource(profile.getBaseContents()); UiSecurity uiSecurity = deploymentConfiguration.getSecurity().getUiSecurity(); profile.setUser(ApacheSettings.APACHE_USER); bindings.put("features.chaos", Boolean.toString(features.isChaos())); bindings.put("features.jobs", Boolean.toString(features.isJobs())); bindings.put("features.fiat", Boolean.toString(deploymentConfiguration.getSecurity().getAuthz().isEnabled())); bindings.put("features.pipelineTemplates", Boolean.toString(features.getPipelineTemplates() != null ? features.getPipelineTemplates() : false)); bindings.put("features.artifacts", Boolean.toString(features.getArtifacts() != null ? features.getArtifacts() : false));
/**
 * Replaces the authorization (authz) section of the named deployment's security config.
 *
 * @param deploymentName the deployment whose security section is updated
 * @param authz the new authz settings
 */
public void setAuthz(String deploymentName, Authz authz) {
  Security security = getSecurity(deploymentName);
  security.setAuthz(authz);
}
/**
 * Replaces the authentication (authn) section of the named deployment's security config.
 *
 * @param deploymentName the deployment whose security section is updated
 * @param authn the new authn settings
 */
public void setAuthn(String deploymentName, Authn authn) {
  Security security = getSecurity(deploymentName);
  security.setAuthn(authn);
}
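/**
 * Replaces the UI security section of the named deployment's security config.
 *
 * <p>The parameter was previously named {@code apiSecurity} although it is a {@code UiSecurity};
 * it is renamed so the UI and API setters cannot be confused when read side by side.
 *
 * @param deploymentName the deployment whose security section is updated
 * @param uiSecurity the new UI security settings (Deck-side SSL, override base URL, ...)
 */
public void setUiSecurity(String deploymentName, UiSecurity uiSecurity) {
  Security security = getSecurity(deploymentName);
  security.setUiSecurity(uiSecurity);
}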
/**
 * Replaces the API security section of the named deployment's security config.
 *
 * @param deploymentName the deployment whose security section is updated
 * @param apiSecurity the new API security settings (Gate-side SSL, override base URL, ...)
 */
public void setApiSecurity(String deploymentName, ApiSecurity apiSecurity) {
  getSecurity(deploymentName).setApiSecurity(apiSecurity);
}
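/**
 * Populates the environment for Deck's Apache front end.
 *
 * <p>When UI SSL is enabled, Deck's host and port, Gate's base URL, and the certificate file,
 * key file and key passphrase are exported as environment variables. {@code AUTH_ENABLED} and
 * {@code FIAT_ENABLED} are exported unconditionally and mirror the authn and authz sections of
 * the security config.
 *
 * @param profile the profile whose environment map is filled in
 * @param deploymentConfiguration source of the UI SSL and authn/authz settings
 * @param endpoints runtime settings for Deck and Gate
 */
@Override
protected void setProfile(Profile profile, DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);
  ServiceSettings deckSettings = endpoints.getServiceSettings(Type.DECK);
  ServiceSettings gateSettings = endpoints.getServiceSettings(Type.GATE);
  ApacheSsl apacheSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  Map<String, String> env = profile.getEnv();

  if (apacheSsl.isEnabled()) {
    env.put("DECK_HOST", deckSettings.getHost());
    env.put("DECK_PORT", String.valueOf(deckSettings.getPort()));
    env.put("API_HOST", gateSettings.getBaseUrl());
    env.put("DECK_CERT", apacheSsl.getSslCertificateFile());
    env.put("DECK_KEY", apacheSsl.getSslCertificateKeyFile());
    // NOTE(review): the private-key passphrase is exported as a plain environment variable.
    // Environment variables are readable by any process running as the same user (e.g. via
    // /proc/<pid>/environ) and are inherited by child processes, so wherever this environment
    // is persisted or exported it must be treated as a secret — confirm its on-disk permissions.
    env.put("PASSPHRASE", apacheSsl.getSslCertificatePassphrase());
  }

  env.put("AUTH_ENABLED", Boolean.toString(deploymentConfiguration.getSecurity().getAuthn().isEnabled()));
  env.put("FIAT_ENABLED", Boolean.toString(deploymentConfiguration.getSecurity().getAuthz().isEnabled()));
}
}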
/**
 * Writes Gate's generated configuration into the profile.
 *
 * <p>The API security, authn and authz sections are each passed to {@code backupRequiredFiles}
 * and the returned paths become the profile's required files. A {@code GateConfig} is built from
 * Gate's runtime settings and the security section, its CORS allowed-origins pattern is set from
 * the API security settings, and the YAML rendering is placed ahead of the profile's base contents.
 *
 * @param profile the profile receiving the rendered config and required files
 * @param deploymentConfiguration source of the deployment name and security section
 * @param endpoints runtime settings used to look up Gate
 */
@Override
public void setProfile(Profile profile, DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);
  String deploymentName = deploymentConfiguration.getName();
  Security security = deploymentConfiguration.getSecurity();

  List<String> requiredFiles = backupRequiredFiles(security.getApiSecurity(), deploymentName);
  requiredFiles.addAll(backupRequiredFiles(security.getAuthn(), deploymentName));
  requiredFiles.addAll(backupRequiredFiles(security.getAuthz(), deploymentName));

  ServiceSettings gateSettings = endpoints.getServiceSettings(Type.GATE);
  GateConfig gateConfig = getGateConfig(gateSettings, security);
  // The allowed-origins pattern decides which browser origins may call Gate; it is derived from
  // the API security section, so an overly broad pattern there widens CORS for every caller.
  gateConfig.getCors().setAllowedOriginsPattern(security.getApiSecurity());

  String renderedConfig = yamlToString(gateConfig);
  profile.appendContents(renderedConfig)
      .appendContents(profile.getBaseContents())
      .setRequiredFiles(requiredFiles);
}
/**
 * Supplies the template bindings for this profile: a single {@code passphrase} entry.
 *
 * <p>The value is the UI SSL certificate passphrase, read regardless of whether UI SSL is
 * enabled (it may therefore be null or empty — not checked here). Because the passphrase is
 * templated into a generated file, that file should be handled as sensitive.
 *
 * @param deploymentConfiguration source of the UI security SSL settings
 * @param endpoints unused
 * @return a mutable map holding the {@code passphrase} binding
 */
@Override
protected Map<String, Object> getBindings(DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  ApacheSsl uiSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  String passphrase = uiSsl.getSslCertificatePassphrase();

  Map<String, Object> bindings = new HashMap<>();
  bindings.put("passphrase", passphrase);
  return bindings;
}
/**
 * Builds Gate's service settings from the API security section.
 *
 * <p>The bind host is {@code 0.0.0.0} (all interfaces) only when authentication is enabled;
 * otherwise {@code getDefaultHost()} is used. Only the authn flag is consulted — whether authz
 * (Fiat) is enabled has no effect on the bind address.
 *
 * @param deploymentConfiguration source of the deployment name and security settings
 * @return enabled Gate settings with the artifact id and bind host filled in
 */
@Override
public ServiceSettings buildServiceSettings(DeploymentConfiguration deploymentConfiguration) {
  boolean authnEnabled = deploymentConfiguration.getSecurity().getAuthn().isEnabled();
  // Expose Gate on every interface only once an authentication mechanism is in front of it.
  String bindHost = authnEnabled ? "0.0.0.0" : getDefaultHost();

  Settings settings = new Settings(deploymentConfiguration.getSecurity().getApiSecurity());
  return settings
      .setArtifactId(getArtifactId(deploymentConfiguration.getName()))
      .setHost(bindHost)
      .setEnabled(true);
}